Computer-Forensics Unit 2

Computer Forensics

Uploaded by shravani.cs21

Introduction to Computer Forensics
• Computer forensics, also referred to as computer
forensic analysis, electronic discovery, electronic
evidence discovery, digital discovery, data
recovery, data discovery, computer analysis, and
computer examination, is the process of
methodically examining computer media (hard
disks, diskettes, tapes, etc.) for evidence.
• A thorough analysis by a skilled examiner can
result in the reconstruction of the activities of a
computer user.
• In other words, computer forensics is the
collection, preservation, analysis, and
presentation of computer-related evidence.
• Computer evidence can be useful in criminal
cases, civil disputes, and human
resources/employment proceedings.
• Computer forensics, although employing some
software for data recovery, is a much more
complex undertaking.
• In computer forensics, the goal is to retrieve the
data and interpret information as much as
possible.
• The process of acquiring and analysing digital
evidence is crucial to the success of prosecuting
a cyber criminal.
• To effectively combat cyber crime, greater emphasis
must be placed on the forensic methods and the
following subject matter:
• Computer crime
• The computer forensic objective
• The computer forensic priority
• The accuracy versus speed conflict
• The need for computer forensics
• The double tier approach
• Requirements for the double tier approach
• The computer forensics specialist
Computer Crime
• Computers can be involved in a wide variety of crimes,
including white-collar crimes, violent crimes such as murder
and terrorism, counterintelligence (organized activity of an
intelligence service designed to block an enemy's sources of
information), economic espionage (unauthorised and usually
criminal access to confidential systems and information for
the purpose of gaining a commercial or political advantage),
etc.
• A person can sit in the comfort of his home or a remote site
and hack into a bank and transfer millions of dollars to a
fictitious account, in essence robbing the bank, without the
threat of being gunned down while escaping.
Role of the Computer in a Crime
• A computer can play one of three roles in a computer
crime:
1. A computer can be the target of the crime,
2. it can be the instrument of the crime, or
3. it can serve as evidence, a repository storing
valuable information about the crime.
• For example, a hacker may use the computer as the tool
to break into another computer and steal files, then
store them on the computer.
• It can also serve as a file cabinet storing critical evidence.
• Applying information about how the computer
was used in the crime also helps when searching
the system for evidence.
• If the computer was used to hack into a network
password file, the investigator will know to look
for password cracking software and password
files.
• If the computer was the target of the crime,
such as an intrusion, audit logs and unfamiliar
programs should be checked.
• Knowing how the computer was used will help
narrow down the evidence collection process.
The Computer Forensic Objective
• The objective of computer forensics is to
recover, analyze, and present computer-based
material in such a way that it is usable as
evidence in a court of law.
• The key phrase here is usable as evidence in
a court of law.
• It is essential that none of the equipment or
procedures used during the examination of
the computer obviates this.
The Forensic Priority
• In contrast to all other areas of computing,
where speed is the main concern, in
computer forensics the absolute priority is
accuracy.
• The work should be completed as efficiently
and as fast as possible, but never at the cost of
accuracy.
Accuracy versus speed
• Time is a precious resource.
• In order to meet the stringent deadlines,
people tend to follow some shortcut methods
to attain results.
• But, computer forensics must follow strict
guidelines since data integrity and security are
of prime importance.
The Computer Forensic Specialist
• A computer forensics specialist is the person
who is responsible for carrying out computer
forensics procedures.
• The computer forensics specialist will take
several careful steps to identify and retrieve
the evidence:
1. Protect the computer system.
2. Discover all files on the system.
3. Recover all (or as much as possible) of the
discovered deleted files.
4. Reveal (to the extent possible) the contents of
hidden files.
5. Access the contents of protected or encrypted
files.
6. Analyze all possibly relevant data found in
special (and typically inaccessible) areas of a
disk.
7. Provide expert consultation and/or testimony,
as required.
Who Can Use Computer Forensic Evidence?
• Many types of criminal and civil proceedings can and do make
use of evidence revealed by computer forensics specialists:
1. Criminal Prosecutors use computer evidence in a variety of
crimes - homicides, financial fraud, drug and embezzlement
(theft or misappropriation of funds placed in one's trust or
belonging to one's employer.)
2. Civil proceedings can readily make use of personal and
business records found on computer systems that bear on
fraud, divorce, discrimination, and harassment cases.
Insurance companies may be able to mitigate costs by using
discovered computer evidence of possible fraud in accident,
arson, and workman’s compensation cases.
3. Corporations often hire computer forensics
specialists to find evidence relating to
harassment cases, theft or misappropriation
of trade secrets, and other
internal/confidential information.
4. Individuals sometimes hire computer
forensics specialists in support of possible
claims of wrongful termination, harassment
cases, or age discrimination.
Choosing a Computer Forensics Specialist for a Criminal Case
• Many people claim to be computer forensic
experts.
• Carefully choose and hire experts who have
undergone certified training and have relevant
experience in the field.
• They must be able to withstand all types of
enquiries and cross-examination.
COMPUTER FORENSICS ASSISTANCE TO HUMAN RESOURCES/EMPLOYMENT PROCEEDINGS
• Computer forensics analysis is becoming
increasingly useful to businesses.
• Computers can contain evidence in many
types of human resources proceedings,
including harassment suits, allegations of
discrimination, and wrongful termination
claims. Evidence can be found in electronic
mail systems, on network servers, and on
individual employees' computers.
Employer Safeguard Program
• Before terminating an employee, hire a
computer forensic expert to create a
replication of the data on the employee's system.
• Otherwise, data must be collected on what the
employee has been doing: for example, which
websites were visited, which files were
downloaded, and whether any attempts were
made to destroy evidence.
COMPUTER FORENSICS SERVICES
• The computer forensic expert must be
able to perform complex evidence recovery
procedures successfully using his skills
and expertise.
1. Data Seizure
– Obtaining data from the concerned parties for the
purpose of investigation and seizing it.
– Courts allow forensic experts to inspect and copy
required documents from the seized data.
2. Data Duplication and Preservation
– Two concerns need to be addressed in the event of
seizure: the data that is seized must not be altered,
and the seizure must not burden the responding
party.
– These concerns can be addressed by replicating the
data and letting the organization resume its
business quickly.
3. Data Recovery
– The forensic expert must be able to safely
recover data/evidence that is inaccessible.
– This relies on proprietary tools and an
understanding of advanced technologies.
4. Document Searches
– The forensic expert must be able to efficiently search
for a required document in a large document
repository.
– Speed and accuracy of search make the process
less complicated.
5. Media Conversion
– Some investigations require data that is stored on old
and unreadable devices.
– The forensic expert must be capable of accessing this
data, converting it to readable form and storing it on new
storage media.
6. Expert Witness Services
– The forensic expert must be capable of clearly
explaining the complex procedures used for
evidence collection.
– The expert must convince the jury by making them understand
how the data was collected and what it contains.
Computer Evidence Service Options
• The forensic experts must provide various levels of service:
– Standard service: forensics experts should be able to work on your
case during normal business hours until your critical electronic
evidence is found.
– On-site service: computer forensics experts should be able to travel
to your location to perform complete computer evidence services.
– Emergency service: after receiving the computer storage media, your
computer forensics experts should be able to give your case the
highest priority in their laboratories. They should be able to work on
it without interruption until your evidence objectives are met.
– Priority service
– Weekend service
Other Miscellaneous Services
• Recover data that you thought was lost
forever.
• Advise on how to keep data and information
safe from theft or accidental loss.
• Examine a computer to determine what its user
has been doing.
• Sweep your office for listening devices.
• High-tech investigations.
BENEFITS OF PROFESSIONAL FORENSICS METHODOLOGY
• Experience on a wide range of computer
hardware and software.
– The experts know all possible formats in which
data can exist (both old and new).
– They can quickly discover what places must be
searched and what additional information sources exist.
• Protection of evidence is critical. A knowledgeable
computer forensics professional will ensure that a
subject computer system is carefully handled to
ensure that:
1. No possible evidence is damaged, destroyed, or
otherwise compromised by the procedures used to
investigate the computer.
2. No possible computer virus is introduced to a
subject computer during the analysis process.
3. Extracted and possibly relevant evidence is
properly handled and protected from later physical
or electromagnetic damage.
4. A continuing chain of custody is established
and maintained.
5. Business operations are affected for a limited
amount of time.
6. Any information that is inadvertently
acquired during a forensic exploration is
ethically and legally respected and not
revealed to others.
Chain of Custody in Cyber Forensics
– The chain of custody is the documented sequence of procedures
carried out on the collected evidence, maintained so that its
authenticity can be demonstrated.
Steps Taken by Computer Forensics Specialists
• The computer forensics specialist needs to
complete an Evidence Identification and
Retrieval Checklist (as shown in Table F1.1 in
Appendix F).
• He or she should take several careful steps to
identify and attempt to retrieve possible
evidence that may exist on a subject’s
computer system.
Types of Computer Forensics Technology
• Cyber Forensic Technology
– Computer forensics
– Network forensics: Deals with examining the
interconnected computer networks and collecting
evidence that is stored across the distributed
networks.
Military Computer Forensic Technology
• Real-time tracking of malicious activity is difficult,
especially when the information is intentionally hidden
or destroyed.
• The cyber forensic technologies used by the Information
Directorate were quite new and untested.
• So the directorate entered into a partnership with the
National Institute of Justice, under the guidance of the
National Law Enforcement and Corrections Technology
Center, to test the new methods and tools.
• Under this partnership, the Computer Forensic
Experiment 2000 (CFX 2000) was conducted.
• CFX 2000 is an integrated forensic analysis
framework.
• It defines a paradigm for the transition of
cyber forensics from military R and D labs into
the hands of law enforcement.
• The hypothesis that was formulated was:
It is possible to determine the motives,
intent, identity and location of criminals.
• Tools in CFX 2000 consisted of COTS software
and some R and D prototypes.
• CFX also made use of the SI-FI integration
environment (Synthesizing Information from
Forensics Investigation).
• SI-FI uses Digital Evidence Bags (DEB), which
are secure and tamper-proof containers for
storing digital evidence.
• They can only be opened by authorized users
for examination.
• After analysis of the evidence collected, the
experts concluded that the hypothesis holds
good.
Types of Law Enforcement Computer Forensic Technology
• Computer tools and technologies are valuable
resources for the purpose of law enforcement.
– Evidence collection
– Evidence preservation
– Evidence analysis
Several training and certification programs are
available that teach the use of these tools and
techniques.
1. Preservation of Evidence
• There is a need for evidence preservation.
• SafeBack software is a widely accepted mirror
image backup software.
• It is used to create evidence-grade backups of
hard disk drives on Intel computer systems.
• It is difficult to tamper with the images created using
SafeBack.
Primary Uses
• Used to create evidence-grade backups of hard
disk drives on Intel-based computer systems.
• Used to exactly restore archived SafeBack
images to another computer hard disk drive of
equal or larger storage capacity.
• Used as an evidence preservation tool in law
enforcement and civil litigation matters.
• Used as an intelligence gathering tool by military
agencies.
Program Features and Benefits: SafeBack
• DOS-based utility.
• Provides a detailed audit trail of the backup
process.
• Makes use of two separate implementations of the
SHA-256 algorithm to ensure the integrity of the
data.
• Checks for possible data hiding when sector
cyclic redundancy checks (CRCs) do not match
on the target hard disk drive.
• Accurately copies all areas of the hard disk drive.
• Allows for the backup process to be made via the
printer port.
• SafeBack image files can be stored as one large
file or separate files of fixed sizes. This feature is
helpful in making copies for archive on CDs.
• Does not compress relevant data to avoid legal
arguments that the original computer evidence
was altered through data compression or
software translation.
• Copies and restores multiple partitions
containing one or more operating systems.
• Makes copies in either physical or logical mode.
• Can be used to accurately copy and restore
most hard disk drives including Windows NT,
Windows 2000, and Windows XP configured
drives.
• SafeBack compresses unused and unformatted
sections of the hard disk drive to increase
processing speeds.
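SafeBack's integrity checks, worked through as an added Python example (not SafeBack's own code): a constructed three-sector drive is imaged sector by sector without compressing evidence data, a CRC is recorded per sector, source and image are hashed independently with SHA-256, and an audit trail is written; a sector whose CRC no longer matches is flagged as altered. The sector size and drive contents are assumptions.

```python
import hashlib
import zlib
from dataclasses import dataclass, field

SECTOR = 512  # assumed sector size of the constructed drive


@dataclass
class ImageReport:
    source_sha256: str
    image_sha256: str
    crc_mismatches: list = field(default_factory=list)
    audit: list = field(default_factory=list)  # detailed audit trail of the run

    @property
    def verified(self) -> bool:
        return self.source_sha256 == self.image_sha256 and not self.crc_mismatches


def sectors_of(data: bytes):
    """Yield (index, sector) pairs; a short final sector is zero-padded."""
    for i in range(0, len(data), SECTOR):
        yield i // SECTOR, data[i:i + SECTOR].ljust(SECTOR, b"\x00")


def sha256_of(data: bytes) -> str:
    """Hash the sector stream, so source and image hash identically when equal."""
    h = hashlib.sha256()
    for _, sec in sectors_of(data):
        h.update(sec)
    return h.hexdigest()


def make_image(source: bytes):
    """Copy every sector bit-for-bit (evidence data is never compressed) and
    record a CRC32 per sector as the verification map."""
    crc_map, out = {}, bytearray()
    for idx, sec in sectors_of(source):
        crc_map[idx] = zlib.crc32(sec)
        out += sec
    return bytes(out), crc_map


def verify_image(source: bytes, image: bytes, crc_map: dict) -> ImageReport:
    """Independently re-hash source and image, then re-check each sector CRC."""
    rep = ImageReport(sha256_of(source), sha256_of(image))
    rep.audit.append(f"source sha256={rep.source_sha256}")
    rep.audit.append(f"image  sha256={rep.image_sha256}")
    for idx, sec in sectors_of(image):
        if zlib.crc32(sec) != crc_map.get(idx):
            rep.crc_mismatches.append(idx)
            rep.audit.append(f"sector {idx}: CRC mismatch (altered or hidden data)")
    rep.audit.append("result: " + ("VERIFIED" if rep.verified else "FAILED"))
    return rep


# Constructed three-sector "drive": a live record, a deleted fragment, free space.
DRIVE = (b"INVOICE 2024-0042 paid".ljust(SECTOR, b"\x00")
         + b"deleted: transfer 1000000 USD".ljust(SECTOR, b"\x00")
         + bytes(SECTOR))

if __name__ == "__main__":
    image, crcs = make_image(DRIVE)
    print("\n".join(verify_image(DRIVE, image, crcs).audit))
```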
2. Trojan Horse Programs
• It is important for the forensic expert to
demonstrate to the training participants the
need to protect the computer evidence.
• Trojan horse programs are programs that will harm
the data and operating systems.
• Such malware can be used to destroy the
evidence, or to copy sensitive information such as
passwords and network IDs.
3. Computer Forensic Documentation
• Documenting the methodologies used in
evidence collection, preservation and the
corresponding findings is important.
• Helps in security risk assessment and
presenting the findings in the court of law.
4. Data Hiding Techniques
• Data and information can easily be hidden.
• It is important to realize the importance of
detecting hidden data.
• Tools are available for identifying hidden data.
Anadisk: Diskette Analysis Tool
• It is used to identify data storage anomalies on
floppy diskettes.
• Turns your PC into a sophisticated diskette
analysis tool.
• Primary Uses:
– Reviewing the floppy diskette for storage
anomalies.
– Duplicating diskettes that are abnormal or
involve storage defects.
– Editing diskettes at a physical sector level.
– Searching for all data present in traditional and
non-traditional storage areas.
– Formatting diskettes in non-traditional ways
for training purposes and to illustrate data
hiding techniques.
Features and Benefits
• DOS based utility.
• Keyword searches can be conducted at a very
low level, on disks that have been formatted.
• Allows custom formatting of diskettes with
extra tracks and sectors.
• Supports all DOS formats and non DOS formats
such as Apple Mac and Unix.
• Copies almost any diskette, including
copy-protected ones.
COPYQM Plus: Diskette Duplication Software
Uses:
• Used to create one or more copies of a
master diskette.
• Used to password-protect the entire contents
of a disk.
• Can be used to create self-extracting
executable programs that can be used to
duplicate disks.
E-commerce investigations
• Net Threat Analyzer (New Technology Inc.) is a tool
that can be used to track the browsing activities
and email activities of computer users.
• It analyses the disk drives and other storage areas
which are beyond the reach of general computer
users.
• It uses data filtering tools to collect browsing
related data.
• It flags suspicious sites related to drugs, bombs, etc.
Text search techniques
• New Technology Inc. also developed
specialized tools for text search.
• Text Search Plus is a widely accepted tool for
searching for a keyword or pattern in files, file
slack, unallocated space, etc.
• It is the most efficient search tool used by
forensic experts.
Primary Uses
• Used to find occurrences of words or strings in
files stored in all possible locations in a
computer.
• Used by internal audits to identify violations of
organization policy.
• Used to collect computer related evidence in
corporate, civil and criminal investigations.
• Used to find embedded text in word
documents.
Features and Benefits
• DOS-based utility.
• Small in size, less than 60 KB. Can easily fit on a floppy
disk.
• Searches all possible locations in one fast operation.
• Offers logical and physical search options.
• User defined search configuration.
• Alerts for graphic files.
• Most widely used tool by law enforcement agencies
and corporate organisations.
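The logical-versus-physical search distinction above, as an added Python example that is not Text Search Plus itself: a constructed three-cluster image with a region map, a keyword search that reports hits in allocated content, file slack and unallocated space, and a graphic-file alert based on real JPEG/PNG/GIF signatures. The cluster layout and the image contents are assumptions.

```python
import re

SECTOR = 512
CLUSTER = 2 * SECTOR  # assumed: each file occupies one whole cluster

# Real file signatures, used for the "alerts for graphic files" feature.
GRAPHIC_MAGIC = {b"\xff\xd8\xff": "JPEG", b"\x89PNG\r\n\x1a\n": "PNG", b"GIF8": "GIF"}


def build_image():
    """Constructed 3-cluster image plus a region map of (start, end, kind)."""
    img = bytearray(3 * CLUSTER)
    regions = []
    live1 = b"Quarterly report: revenue up 4%."
    img[0:len(live1)] = live1                              # cluster 0: live file
    regions += [(0, len(live1), "allocated"), (len(live1), CLUSTER, "slack")]
    deleted = b"wire transfer to account 8841 confirmed"
    img[CLUSTER:CLUSTER + len(deleted)] = deleted          # cluster 1: deleted file
    png_at = CLUSTER + 200
    img[png_at:png_at + 8] = b"\x89PNG\r\n\x1a\n"           # plus a stray PNG header
    regions.append((CLUSTER, 2 * CLUSTER, "unallocated"))
    live2 = b"Lunch menu"
    img[2 * CLUSTER:2 * CLUSTER + len(live2)] = live2      # cluster 2: short live file
    old = b"old draft: wire transfer approved by CFO"
    img[2 * CLUSTER + 300:2 * CLUSTER + 300 + len(old)] = old  # older data in its slack
    regions += [(2 * CLUSTER, 2 * CLUSTER + len(live2), "allocated"),
                (2 * CLUSTER + len(live2), 3 * CLUSTER, "slack")]
    return bytes(img), regions


def region_of(offset, regions):
    for start, end, kind in regions:
        if start <= offset < end:
            return kind
    return "unknown"


def search(image, regions, keyword, physical=True):
    """Physical search scans every byte of the media; logical search reports
    only hits that fall inside allocated file content."""
    pat = re.compile(re.escape(keyword.encode()), re.IGNORECASE)
    hits = []
    for m in pat.finditer(image):
        kind = region_of(m.start(), regions)
        if physical or kind == "allocated":
            hits.append((m.start(), kind))
    return hits


def graphic_alerts(image, regions):
    """Flag graphic-file headers anywhere on the media, even outside live files."""
    alerts = []
    for magic, name in GRAPHIC_MAGIC.items():
        for m in re.finditer(re.escape(magic), image):
            alerts.append((m.start(), name, region_of(m.start(), regions)))
    return sorted(alerts)


if __name__ == "__main__":
    img, regs = build_image()
    print(search(img, regs, "wire transfer"), graphic_alerts(img, regs))
```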
Fuzzy Logic Tools to Identify Unknown Text
• New Technology Inc. also developed tools
based on fuzzy logic, for identifying unknown
strings of text.
• Traditional search tools require keywords to
be given for search.
• Filter_G software is an example.
Filter_G: Intelligent Forensic Filter
• Primary Uses
• Features and Benefits
Disk Structure
• The training participants must be given a full
understanding of the detailed structure of
different types of disks.
• This helps them to identify hidden data quickly.
Data Encryption
• The training participants must be trained on
how data can be encrypted and how it can be
recovered.
• Also, they must learn the software used to
recover passwords.
Matching a Diskette to a Computer
• New Technology Inc. has developed tools to
identify the diskette that was used to copy or
modify the data on the computer system.
• Data Compression
• Erased files
• Internet abuse identification and detection
