Definition

 What is Computer Forensics??

 Computer forensics involves the preservation,
identification, extraction, documentation, and
interpretation of computer media for evidentiary
and/or root cause analysis.
 Evidence might be required for a wide range of
computer crimes and misuses
 Multiple methods of
 Discovering data on computer system
 Recovering deleted, encrypted, or damaged file
information
 Monitoring live activity
 Detecting violations of corporate policy
 Information collected assists in arrests,
prosecution, termination of employment, and
preventing future illegal activity
Definition (cont)
 What Constitutes Digital Evidence?
 Any information being subject to human
intervention or not, that can be extracted from
a computer.
 Must be in human-readable format or capable
of being interpreted by a person with expertise
in the subject.
 Computer Forensics Examples
 Recovering thousands of deleted emails
 Performing investigation post employment
termination
 Recovering evidence post formatting hard
drive
 Performing investigation after multiple
users had taken over the system
Reasons For Evidence
 Wide range of computer crimes and misuses
 Non-Business Environment: evidence collected by
Federal, State and local authorities for crimes relating
to:
 Theft of trade secrets
 Fraud
 Extortion
 Industrial espionage
 Position of pornography
 SPAM investigations
 Virus/Trojan distribution
 Homicide investigations
 Intellectual property breaches
 Unauthorized use of personal information
 Forgery
 Perjury
Reasons For Evidence (cont)
 Computer related crime and violations
include a range of activities including:
 Business Environment:
 Theft of or destruction of intellectual property
 Unauthorized activity
 Tracking internet browsing habits
 Reconstructing Events
 Inferring intentions
 Selling company bandwidth
 Wrongful dismissal claims
 Sexual harassment
 Software Piracy
Who Uses Computer
Forensics?
 Criminal Prosecutors
 Rely on evidence obtained from a computer to
prosecute suspects and use as evidence
 Civil Litigations
 Personal and business data discovered on a
computer can be used in fraud, divorce,
harassment, or discrimination cases
 Insurance Companies
 Evidence discovered on computer can be
used to mollify costs (fraud, worker’s
compensation, arson, etc)
 Private Corporations
 Obtained evidence from employee computers can
be used as evidence in harassment, fraud, and
embezzlement cases
Who Uses Computer
Forensics? (cont)
 Law Enforcement Officials
 Rely on computer forensics to backup search
warrants and post-seizure handling
 Individual/Private Citizens
 Obtain the services of professional computer
forensic specialists to support claims of
harassment, abuse, or wrongful termination
from employment
Handling Evidence
 Admissibility of Evidence
 Legal rules which determine whether potential
evidence can be considered by a court
 Must be obtained in a manner which ensures the
authenticity and validity and that no tampering
had taken place
 No possible evidence is damaged,
destroyed, or otherwise compromised by
the procedures used to search the computer
 Preventing viruses from being introduced to
a computer during the analysis process
 Extracted / relevant evidence is properly
handled and protected from later
mechanical
or electromagnetic damage
Initiating An Investigation
 DO NOT begin by exploring files on
system randomly
 Establish evidence custodian - start a
detailed journal with the date and time
and date/information discovered
 If possible, designate suspected
equipment as “off-limits” to normal
activity. This includes back-ups, remotely
or locally scheduled
house-keeping, and configuration
changes
 Collect email, DNS, and other network
service logs
Incidence Response
 Identify, designate, or become evidence
custodian
 Review any existing journal of what has
been done to system already and/or how
intrusion was detected
 Begin new or maintain existing journal
 Install monitoring tools (sniffers, port
detectors, etc.)
 Without rebooting or affecting running
processes, perform a copy of physical disk
 Capture network information
Computer Forensic
Requirements
 Hardware
 Familiarity with all internal and external
devices/components of a computer
 Thorough understanding of hard drives and
settings
 Understanding motherboards and the various
chipsets used
 Power connections
 Memory
 BIOS
 Understanding how the BIOS works
 Familiarity with the various settings and
limitations of the BIOS
Computer Forensic
Requirements
 Operation Systems (cont)

 Windows 3.1/95/98/ME/NT/2000/2003/XP
 DOS
 UNIX
 LINUX
 VAX/VMS
 Software
 Familiarity with most popular software packages
such as Office
 Forensic Tools
 Familiarity with computer forensic techniques
and the software packages that could be used
Types of electronic devices or MEDIA
that may contain digital evidence

 Personal computer, laptop  Personal Data Assistants

 External hard drives (USB
connection)
 DVD, CD, floppy disks
 Flash drives (thumb, USB)
 Memory sticks
 Digital cameras
 SD Cards
(PDAs, iPods, Palm)
 Cellular phones
 MP3 Players
 Smart Phones
(Blackberry/iPhone/Android)
 iPads, tablets
 Many unusual pieces of media
Other Items of Evidence at Scene

 Computer media relevant to crime

 Documents surrounding computer
 Documents in the printer, scanner, trash
 Web camera (usually on top of monitor)
 PDA, cell phones with charger/data cable
 Related software
 Related cables / power cords / chargers
Thank you