Computer-Forensics Unit 2
Forensics
• Computer forensics, also referred to as computer
forensic analysis, electronic discovery, electronic
evidence discovery, digital discovery, data
recovery, data discovery, computer analysis, and
computer examination, is the process of
methodically examining computer media (hard
disks, diskettes, tapes, etc.) for evidence.
• A thorough analysis by a skilled examiner can
result in the reconstruction of the activities of a
computer user.
• In other words, computer forensics is the
collection, preservation, analysis, and
presentation of computer-related evidence.
• Computer evidence can be useful in criminal
cases, civil disputes, and human
resources/employment proceedings.
• Computer forensics, although it employs some
data recovery software, is a much more complex
undertaking than data recovery alone.
• In computer forensics, the goal is to retrieve the
data and interpret information as much as
possible.
• The process of acquiring and analysing digital
evidence is crucial to the success of prosecuting
a cyber criminal.
• To effectively combat cyber crime, greater emphasis
must be placed on the forensic methods and the
following subject matter:
• Computer crime
• The computer forensic objective
• The computer forensic priority
• The accuracy versus speed conflict
• The need for computer forensics
• The double tier approach
• Requirements for the double tier approach
• The computer forensics specialist
Computer Crime
• Computers can be involved in a wide variety of crimes,
including white-collar crimes, violent crimes such as murder
and terrorism, counterintelligence (organized activity of an
intelligence service designed to block an enemy's sources of
information), economic espionage (unauthorised and usually
criminal access to confidential systems and information for
the purpose of gaining a commercial or political advantage),
etc.
• A person can sit in the comfort of his home or a remote site
and hack into a bank and transfer millions of dollars to a
fictitious account, in essence robbing the bank, without the
threat of being gunned down while escaping.
Role of Computer in a crime
• A computer can play one of three roles in a computer
crime:
1. it can be the target of the crime,
2. it can be the instrument of the crime, or
3. it can serve as evidence, a repository storing
valuable information about the crime.
• For example, a hacker may use the computer as the tool
to break into another computer and steal files, then
store them on the computer.
• It can also serve as a file cabinet storing critical evidence.
• Applying information about how the computer
was used in the crime also helps when searching
the system for evidence.
• If the computer was used to hack into a network
password file, the investigator will know to look
for password cracking software and password
files.
• If the computer was the target of the crime,
such as an intrusion, audit logs and unfamiliar
programs should be checked.
• Knowing how the computer was used will help
narrow down the evidence collection process.
The Computer Forensic Objective
• The objective of computer forensics is to
recover, analyze, and present computer-based
material in such a way that it is usable as
evidence in a court of law.
• The key phrase here is usable as evidence in
a court of law.
• It is essential that none of the equipment or
procedures used during the examination of
the computer compromises this.
The Forensic Priority
• In contrast to all other areas of computing,
where speed is the main concern, in
computer forensics the absolute priority is
accuracy.
• The work should be completed as efficiently and
as quickly as possible, but never at the cost of
accuracy.
Accuracy versus speed
• Time is a precious resource.
• In order to meet the stringent deadlines,
people tend to follow some shortcut methods
to attain results.
• But, computer forensics must follow strict
guidelines since data integrity and security are
of prime importance.
The Computer Forensic Specialist
• A computer forensics specialist is the person
who is responsible for carrying out computer
forensics procedures.
• The computer forensics specialist will take
several careful steps to identify and retrieve
the evidence:
1. Protect the computer system.
2. Discover all files on the system.
3. Recover all (or as many as possible) of the
discovered deleted files.
4. Reveal (to the extent possible) the contents of
hidden files.
5. Access the contents of protected or encrypted
files.
6. Analyze all possibly relevant data found in
special (and typically inaccessible) areas of a
disk.
7. Provide expert consultation and/or testimony,
as required.
Who Can Use Computer Forensic Evidence?
• Many types of criminal and civil proceedings can and do make
use of evidence revealed by computer forensics specialists:
1. Criminal prosecutors use computer evidence in a variety of
crimes: homicides, financial fraud, drug and embezzlement
(theft or misappropriation of funds placed in one's trust or
belonging to one's employer).
2. Civil proceedings can readily make use of personal and
business records found on computer systems that bear on
fraud, divorce, discrimination, and harassment cases.
Insurance companies may be able to mitigate costs by using
discovered computer evidence of possible fraud in accident,
arson, and workman’s compensation cases.
3. Corporations often hire computer forensics
specialists to find evidence relating to
harassment cases, theft or misappropriation
of trade secrets, and other
internal/confidential information.
4. Individuals sometimes hire computer
forensics specialists in support of possible
claims of wrongful termination, harassment
cases, or age discrimination.
Choosing a Computer Forensics Specialist for a Criminal Case
• Many people claim to be computer forensic
experts.
• Carefully choose and hire experts who have
undergone certified training and have relevant
experience in the field.
• They must be able to withstand the pressure of all
types of enquiries and cross-examinations.
COMPUTER FORENSICS ASSISTANCE TO HUMAN RESOURCES/EMPLOYMENT PROCEEDINGS
• 5. Media Conversion
– Some investigations require data that is stored on old
and otherwise unreadable devices.
– The forensic expert must be capable of accessing this
data, converting it to a readable form and storing it on
new storage media.
• 6. Expert Witness Services
– The forensic expert must be capable of clearly
explaining the complex procedures used for
evidence collection.
– They must convince the jury by making them understand
how the data was collected and what it contains.
Computer Evidence Service Options
• The forensic experts must provide various levels of service:
– Standard service: forensics experts should be able to work on your
case during normal business hours until your critical electronic
evidence is found.
– On-site service: computer forensics experts should be able to travel
to your location to perform complete computer evidence services.
– Emergency service: after receiving the computer storage media, your
computer forensics experts should be able to give your case the
highest priority in their laboratories. They should be able to work on
it without interruption until your evidence objectives are met.
– Priority service
– Weekend service
Other Miscellaneous Services
• Recover data that you thought was lost
forever.
• Advise on how to keep data and information
safe from theft or accidental loss.
• Examine a computer to determine what its user
has been doing.
• Sweep your office for listening devices.
• High-tech investigations.
BENEFITS OF PROFESSIONAL FORENSICS METHODOLOGY
• Experience on a wide range of computer
hardware and software.
– The experts know all possible formats in which
data can exist (both old and new).
– They can quickly discover what places must be
searched and identify additional information sources.
• Protection of evidence is critical. A knowledgeable
computer forensics professional will ensure that a
subject computer system is carefully handled to
ensure that:
1. No possible evidence is damaged, destroyed, or
otherwise compromised by the procedures used to
investigate the computer.
2. No possible computer virus is introduced to a
subject computer during the analysis process.
3. Extracted and possibly relevant evidence is
properly handled and protected from later physical
or electromagnetic damage.
4. A continuing chain of custody is established
and maintained.
5. Business operations are affected for a limited
amount of time.
6. Any information that is inadvertently
acquired during a forensic exploration is
ethically and legally respected and not
revealed to others.
Chain of custody in cyber forensics
• The documented sequence of procedures carried out on
the collected evidence, from seizure onwards, so that its
authenticity can be demonstrated.
Steps taken by Computer Forensics
specialists
• The computer forensics specialist needs to
complete an Evidence Identification and
Retrieval Checklist (as shown in Table F1.1 in
Appendix F).
• He or she should take several careful steps to
identify and attempt to retrieve possible
evidence that may exist on a subject’s
computer system.
Types of Computer Forensics Technology
• Cyber Forensic Technology
– Computer forensics
– Network forensics: Deals with examining the
interconnected computer networks and collecting
evidence that is stored across the distributed
networks.
Military Computer Forensic Technology
• Real-time tracking of malicious activity is difficult,
especially when the information is intentionally hidden
or destroyed.
• The cyber forensic technologies used by the Information
Directorate were quite new and untested.
• So the directorate entered into a partnership with the
National Institute of Justice, under the guidance of the
National Law Enforcement and Corrections Technology
Center, to test the new methods and tools.
• Under this partnership, the Computer Forensic
Experiment (CFX 2000) was conducted.
• CFX 2000 is an integrated forensic analysis
framework.
• It defines a paradigm for the transition of
cyber forensics from military R and D labs into
the hands of law enforcement.
• The hypothesis that was formulated was:
It is possible to determine the motives,
intent, identity and location of criminals.
• Tools in CFX 2000 consisted of COTS (commercial
off-the-shelf) software and some R and D prototypes.
• CFX 2000 also made use of the SI-FI (Synthesizing
Information from Forensic Investigations)
integration environment.
• SI-FI uses Digital Evidence Bags (DEB), which
are secure and tamper-proof containers for
storing digital evidence.
• They can only be opened by authorized users
for examination.
• After analysis of the evidence collected, the
experts concluded that the hypothesis holds
good.
Types of Law Enforcement Computer Forensic Technology
• Computer tools and technologies are valuable
resources for the purpose of law enforcement.
– Evidence collection
– Evidence preservation
– Evidence analysis
Several training and certification programs are
available that teach the use of these tools and
techniques.
1. Preservation of Evidence
• Need for evidence preservation.
• SafeBack software is a widely accepted mirror
image backup tool.
• It is used to create evidence-grade backups of
hard disk drives on Intel-based computer systems.
• Images created using SafeBack are difficult to
tamper with.
Primary Uses
• Used to create evidence-grade backups of hard
disk drives on Intel-based computer systems.
• Used to exactly restore archived SafeBack
images to another computer hard disk drive of
equal or larger storage capacity.
• Used as an evidence preservation tool in law
enforcement and civil litigation matters.
• Used as an intelligence gathering tool by military
agencies.
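As an added example that is not part of these slides and is not SafeBack's own code: the two properties the slides ask of an evidence-grade backup and a chain of custody (a byte-for-byte copy whose integrity can be proven, and a record of who handled it and when) can be shown in a few lines of Python. The function names, the examiner labels, and the tiny fake disk are all constructed for the demo; a real acquisition would read the physical device through a write blocker.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 16  # 64 KiB blocks, so large media never has to fit in memory

def sha256_file(path):
    """Stream a file through SHA-256; the digest is the evidence fingerprint."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def record_custody(log, custodian, action, item, digest):
    """Append one chain-of-custody line: when, who, what, which item, which hash."""
    stamp = datetime.now(timezone.utc).isoformat()
    with open(log, "a") as f:
        f.write(f"{stamp}\t{custodian}\t{action}\t{os.path.basename(item)}\t{digest}\n")

def acquire_image(source, image, log, custodian):
    """Copy source to image byte for byte; return the verified digest or raise on mismatch."""
    src_hash = sha256_file(source)  # fingerprint the original before anything else
    with open(source, "rb") as s, open(image, "wb") as d:
        for block in iter(lambda: s.read(CHUNK), b""):
            d.write(block)
    img_hash = sha256_file(image)
    if img_hash != src_hash:
        raise RuntimeError("image differs from source: not evidence grade")
    record_custody(log, custodian, "acquire", image, img_hash)
    return img_hash

def verify_image(image, expected, log, custodian):
    """Re-hash the image and log the check; False means the evidence was altered."""
    ok = sha256_file(image) == expected
    record_custody(log, custodian, "verify:" + ("ok" if ok else "MISMATCH"), image, expected)
    return ok

def demo():
    """Constructed sample: a tiny fake disk is imaged, verified, then tampered with."""
    d = tempfile.mkdtemp()
    src, img, log = (os.path.join(d, n) for n in ("disk.bin", "disk.img", "custody.log"))
    with open(src, "wb") as f:
        f.write(b"MBR\x00" * 128 + b"deleted_file_remnant")  # constructed disk content
    digest = acquire_image(src, img, log, "examiner-1")
    before = verify_image(img, digest, log, "examiner-2")
    with open(img, "r+b") as f:
        f.seek(4); f.write(b"X")  # simulate someone altering the image after acquisition
    return before, verify_image(img, digest, log, "examiner-2")
```

The custody log ends up with three lines (acquire, verify:ok, verify:MISMATCH), which is the record an examiner would present to show the image was intact when it left their hands.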
Program Features and Benefits: SafeBack