Module 5
Understanding Computer Forensics
By Dr. Shashikala
Objectives
• Introduction
• Historical background of cyber forensics
• Digital forensics
• The need for computer forensics
• Cyber forensics and Digital evidence
• Digital Forensics life cycle
• Chain of custody concept
• Network forensics
What is Computer Forensics?
Definition: Involves obtaining and analyzing digital
information, often as evidence in civil, criminal, or
administrative cases
Computer forensics:
• Investigates data that can be retrieved from a computer’s
hard disk or other storage media
• Task of recovering data that users have hidden or deleted
and using it as evidence
• Evidence can be inculpatory (“incriminating”) or
exculpatory
Computer Forensics Versus
Other Related Disciplines
• Network forensics
• Yields information about how a perpetrator or an attacker
gained access to a network
• Data recovery
• Recovering information that was deleted by mistake, or lost
during a power surge or server crash
• Typically you know what you’re looking for
Computer Forensics Versus Other
Related Disciplines (continued)
• Disaster recovery
• Uses computer forensics techniques to retrieve
information their clients have lost
Historical background of cyber forensics
Computer Forensics: A Brief History
• By the 1970s, electronic crimes were increasing,
especially in the financial sector
• Most law enforcement officers didn’t know enough about
computers to ask the right questions
• Or to preserve evidence for trial
1980s
• PCs gained popularity and different OSs emerged
• Disk Operating System (DOS) was available
• Forensics tools were simple, and most were generated by government agencies
A Brief History (1980s)
• Mid-1980s
• Xtree Gold appeared on the market
• Recognized file types and retrieved lost or deleted files
• Norton DiskEdit soon followed
• And became the best tool for finding deleted files
A Brief History (1990s)
• Tools for computer forensics were available
• International Association of Computer Investigative Specialists
(IACIS)
• Training on software for forensics investigations
• IRS created search-warrant programs
• ExpertWitness for the Macintosh
• First commercial GUI software for computer forensics
• Created by ASR Data
• Recovers deleted files and fragments of deleted files
• Large hard disks posed problems for investigators
• Other software
• iLook
• AccessData Forensic Toolkit (FTK)
• Information security experts consider “cyber law compliance” one of the many aspects of “techno-legal
information security.” They advise organizations to formulate an appropriate plan of action to comply with
cyber laws as part of their information security (IS) practice. This association of cyber law with the information
security domain has gained additional importance due to amendments that have been made to the ITA 2000. Typical
types of data requested for a digital forensics examination by law enforcement agencies include: investigation into
electronic mail (E-Mail) usage, website history, cell phone usage, cellular and voice over Internet Protocol
(VoIP) phone usage, file activity history, file creation or deletion, chat history, account login/logout records,
and more.
Understanding Case Law
Digital forensics
• Digital forensics is the application of analysis techniques to the reliable and unbiased collection, analysis,
interpretation and presentation of digital evidence.
• The term computer forensics, however, is generally considered to be related to the use of analytical and investigative
techniques to identify, collect, examine and preserve evidence/information which is magnetically stored or
encoded.
• The objective of “cyber forensics” is to provide digital evidence of a specific or general activity.
• Because of the rise of cybercrimes, a new branch of investigation has been developed to help law enforcement trace
and find proof of illegal activity using computers. This is computer forensics; because many of its techniques involve
some form of data recovery, it is also known as digital forensics.
• In general, the role of digital forensics is to:
• Uncover and document evidence and leads.
• Corroborate evidence discovered in other ways.
• Assist in showing a pattern of events (data mining has an application here).
• Connect attack and victim computers.
• Reveal an end-to-end path of events leading to a compromise attempt, successful or not.
• Extract data that may be hidden, deleted or otherwise not directly available.
• The typical scenarios involved are:
• Employee Internet abuse
• Data leak/data breach: unauthorized disclosure of corporate information and data (accidental or
intentional)
• Industrial espionage (corporate “spying” activities)
• Damages assessment
• Criminal fraud and deception cases
• Criminal cases (many criminals simply store information on computers, intentionally or unwittingly) and
countless others
• Copyright violation
• Using digital forensics techniques, one can:
• Corroborate and clarify evidence otherwise discovered
• Generate investigative leads for following up and verification in other ways
• Provide help to verify an intrusion hypothesis
• Eliminate incorrect assumptions
The Need for Computer Forensics
• Computer forensic experts can go through a suspected cybercriminal’s hard drive, be it on a computer or a
mobile device, and find deleted and hidden files that serve as evidence of illegal activity.
• Much of what computer forensics does is related to data recovery. Data recovery programs used on business
and personal computers, such as DataNumen Data Recovery and DataNumen SQL Recovery, are also widely
used by law enforcement.
• The media on which clues related to cybercrime reside vary from case to case.
• There are many challenges for the forensics investigator because storage devices are getting miniaturized
due to advances in electronics technology; for example, external storage devices such as mini hard disks
(pen drives) are available in amazing shapes.
• For a person to be considered an “identifiable person,” he/she must always have had physical custody of the
piece of evidence.
• Practically speaking, this means that a police officer or detective will take charge of a piece of evidence, document
its collection and hand it over to an evidence clerk for storage.
Cyber forensics and Digital Evidence
• Cyber forensics can be divided into two domains:
1. Computer forensics;
2. Network forensics.
• Many security incidents are carried out through computer networks; therefore, “network forensics” assumes importance
in the context of cybercrime.
• As compared to “physical” evidence, “digital evidence” is different in nature because it has some unique
characteristics.
• First of all, digital evidence is much easier to change/manipulate! Second, “perfect” digital copies can be
made without harming the original. At the same time, the integrity of digital evidence can be proven. Another subtle
aspect of digital evidence is that it is usually in the form of an “image.”
• Understanding the uniqueness of digital evidence is important for appreciating the phases involved in a digital
forensics investigation and maintaining the “chain of custody.”
• Computer systems hold the following kinds of evidence:
1. User-created files: these consist of address books, audio/video files, calendars, database
files, spreadsheets, e-mails, Internet bookmarks, documents and text files.
2. Computer-created files: these consist of backups, cookies, configuration files, history
files, log files, swap files, system files, temporary files, etc.
3. Computer network: this consists of the application layer, transport layer, network layer
and data link layer.
The rules of evidence
• According to the “Indian Evidence Act, 1872,” “evidence” means and includes:
1. All statements which the court permits or requires to be made before it by witnesses, in relation to matters of fact under inquiry; these are called oral
evidence.
2. All documents that are produced for the inspection of the court; these are called documentary evidence.
• It is only logical that the process used in the case of digital evidence mimic the process that is used for paper evidence.
As each step requires the use of tools or knowledge, the process must be documentable and repeatable. The process
itself must be understandable to the members of the court.
• Acquisition of digital evidence is both a legal and a technical problem. In fact, these two aspects are irrevocably
related. The law specifies what can be seized, under what conditions, from whom and from where. It requires one to
determine what particular piece of digital evidence is required for examination, that is, is it a particular file, a word
processing document, an executable program, etc. It may also require examination to determine where a particular
piece of evidence is physically located.
• Is the file on a local hard drive, or is it on a server located in another legal jurisdiction? In short, it may be necessary to
show a technical basis for obtaining the legal authority to search. Likewise, it may require technical skills to actually
accomplish the search. The product of this phase is usually raw media, devoid of meaning or usefulness.
• There are a number of contexts involved in actually identifying a piece of digital evidence:
1. Physical context
2. Logical context
3. Legal context
Figure: the progression from media to data, to information, to evidence.
• Digital evidence originates from a number of sources such as seized computer
hard drives and backup media, real-time E-mail messages, chat room logs, Internet
service provider records, webpages, digital network traffic, local and virtual
databases, digital directories, wireless devices, memory cards, digital cameras, etc.
Digital forensics examiners must consider the trustworthiness of this digital data.
• Many vendors provide technology solutions to extract this digital data from these
devices and networks.
• Once the extraction of the digital evidence has been accomplished, protecting its
integrity becomes a paramount concern for investigators, prosecutors and
those accused.
• Following are some guidelines for the (digital) evidence collection phase:
1. Adhere to your site’s security policy and engage the appropriate incident handling and law enforcement
personnel.
2. Capture a picture of the system as accurately as possible.
3. Keep detailed notes with dates and times. If possible, generate an automatic transcript (e.g., on Unix
systems the “script” program can be used; however, the output file generated should not be written to media
that are part of the evidence).
4. Note the difference between the system clock and Coordinated Universal Time (UTC). For each timestamp,
record whether UTC or local time is used (since 1972, over 40 countries throughout the world have adopted
UTC as their official time source).
5. Be prepared to testify (perhaps years later), outlining all actions you took and at what times. Detailed
notes will be vital.
6. Remove external avenues for change.
7. When confronted with a choice between collection and analysis, you should do collection first and
analysis later.
8. Needless to say, your procedure should be implementable. As with many aspects of an incident response
policy, procedures should be tested to ensure feasibility, particularly in a crisis. If possible, procedures
should be automated for reasons of speed and accuracy. Being methodical always helps.
9. For each device, a systematic approach should be adopted to follow the guidelines laid down in
your collection procedure. Speed will often be critical; therefore, where there are a number of devices
requiring examination, it may be appropriate to spread the work among your team to collect the
evidence in parallel.
10. Proceed from the volatile to the less volatile; the order of volatility is as follows:
• Registers, cache
• Routing table, address resolution protocol (ARP) cache, process table, kernel statistics, memory
• Temporary file systems
• Disk
• Remote logging and monitoring data that is relevant to the system in question
• Physical configuration and network topology
11. You should make a bit-level copy of the system’s media. If you wish to do forensic
analysis, you should make a bit-level copy of your evidence copy for that purpose, as
your analysis will almost certainly alter file times. Try to avoid doing forensics on the
evidence copy.
Digital Forensics life cycle
• The digital forensics process is shown in the following
figure. Forensic life cycle phases are:
1. Preparation and identification
2. Collection and recording
3. Storing and transporting
4. Examination/investigation
5. Analysis, interpretation, and attribution
6. Reporting
7. Testifying
1. Preparing for the Evidence and
Identifying the Evidence
• In order to be processed and analysed, evidence must first be
identified. It might be possible that the evidence may be
overlooked and not identified at all. A sequence of events in a
computer might include interactions between:
• Different files
• Files and file systems
• Processes and files
• Log files
• In case of a network, the interactions can be between
devices in the organization or across the globe (Internet). If
the evidence is never identified as relevant, it may never be
collected and processed.
2. Collecting and Recording Digital
Evidence
• Digital evidence can be collected from many sources. The obvious sources can
be:
• Mobile phones
• Digital cameras
• Hard drives
• CDs
• USB memory devices
• Non-obvious sources can be:
• Digital thermometer settings
• Black boxes inside automobiles
• RFID tags
• Proper care should be taken while handling digital evidence as it can be
changed easily. Once changed, the evidence cannot be analysed further. A
cryptographic hash can be calculated for the evidence file and later checked if
there were any changes made to the file or not. Sometimes important evidence
might reside in the volatile memory. Gathering volatile data requires special
technical skills.
3. Storing and Transporting Digital
Evidence
• Some guidelines for handling of digital evidence:
• Image computer media using a write-blocking tool to ensure that no data is added to the suspect device
• Establish and maintain the chain of custody
• Document everything that has been done
• Only use tools and methods that have been tested and evaluated to validate their accuracy and
reliability
• Care should be taken that evidence does not go anywhere without properly being
traced. Things that can go wrong in storage include:
• Decay over time (natural or unnatural)
• Environmental changes (direct or indirect)
• Fires
• Floods
• Loss of power to batteries and other media preserving mechanisms
• Sometimes evidence must be transported from place to place either physically or
through a network. Care should be taken that the evidence is not changed while in
transit. Analysis is generally done on the copy of real evidence. If there is any
dispute over the copy, the real can be produced in court.
4. Examining/Investigating Digital
Evidence
• A forensics specialist should ensure that he/she has proper legal authority to seize,
copy and examine the data. As a general rule, one should not examine digital
information unless one has the legal authority to do so. Forensic investigation
performed on data at rest (hard disk) is called dead analysis.
• Many current attacks leave no trace on the computer’s hard drive. The attacker
only exploits the information in the computer’s main memory. Performing forensic
investigation on main memory is called live analysis. Sometimes the decryption
key might be available only in RAM. Turning off the system will erase the
decryption key. The process of creating an exact duplicate of the original
evidence is called imaging. Some tools which can create entire hard drive images
are:
• dcfldd
• IXimager
• Guymager
• The original drive is moved to secure storage to prevent tampering. The imaging
process is verified by using SHA-1 or another hashing algorithm.
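As an added example (not part of the module notes), the Python below carries out the imaging step just described together with guideline 11 of the collection phase: it copies a constructed stand-in for a drive block by block, proves the copy with a hash, and shows why analysis must run on a second copy rather than the evidence copy. It uses SHA-256 instead of the SHA-1 named above, since SHA-1 is no longer recommended for new work; the device and file paths are hypothetical.

```python
"""Added example, not from the module notes: bit-level imaging of a
constructed stand-in for a drive, proof of the copy by hash, and detection
of a change to the working copy. Paths are hypothetical; SHA-256 is used in
place of the SHA-1 mentioned in the notes."""
import hashlib
import os
import tempfile

BLOCK = 4096  # copy in fixed-size chunks, as a bit-level imager does


def sha256_of(path: str) -> str:
    """Hash a file chunk by chunk so a multi-GB image never sits in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(source: str, image: str) -> tuple:
    """Copy every byte of `source` to `image`; return (source_hash, image_hash).

    Equal hashes are the acquisition proof; on a mismatch the image must be
    discarded and the acquisition repeated."""
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK), b""):
            dst.write(chunk)
    return sha256_of(source), sha256_of(image)


def verify_image(image: str, recorded_hash: str) -> bool:
    """Re-hash an image later (e.g. before analysis) and compare it with the
    hash recorded at acquisition time."""
    return sha256_of(image) == recorded_hash


def demo() -> dict:
    """Image a constructed 'drive', make a working copy of the evidence copy,
    then show that a single-byte change to the working copy is detected."""
    tmp = tempfile.mkdtemp()
    device = os.path.join(tmp, "suspect_drive.bin")  # hypothetical device
    image = os.path.join(tmp, "evidence.dd")          # evidence copy
    working = os.path.join(tmp, "working.dd")         # analysis copy
    with open(device, "wb") as f:                     # constructed contents,
        f.write(os.urandom(10 * BLOCK + 123))         # not a block multiple
    src_hash, img_hash = image_device(device, image)
    _, work_hash = image_device(image, working)
    # Simulate analysis touching the working copy (a one-bit change suffices)
    with open(working, "r+b") as f:
        f.seek(5000)
        byte = f.read(1)
        f.seek(5000)
        f.write(bytes([byte[0] ^ 0x01]))
    return {
        "acquisition_ok": src_hash == img_hash,
        "evidence_intact": verify_image(image, src_hash),
        "working_copy_intact": verify_image(working, work_hash),
    }


if __name__ == "__main__":
    print(demo())
```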
5. Analysis, Interpretation and
Attribution
• In digital forensics, only a few sequences of events might produce evidence. But the
possible number of sequences is very large. The digital evidence must be analyzed to
determine the type of information stored on it. Examples of forensics tools:
• Forensic Toolkit (FTK)
• EnCase
• Scalpel (file carving tool)
• The Sleuth Kit (TSK)
• Autopsy
• Forensic analysis includes the following activities:
• Manual review of data on the media
• Windows registry inspection
• Discovering and cracking passwords
• Performing keyword searches related to crime
• Extracting emails and images
• Types of digital analysis:
• Media analysis
• Media management analysis
• File system analysis
• Application analysis
• Network analysis
• Image analysis
• Video analysis
6. Reporting
• After the analysis is done, a report is generated. The report may be in oral
form or in written form or both. The report contains all the details about the
evidence in analysis, interpretation, and attribution steps. As a result of the
findings in this phase, it should be possible to confirm or discard the
allegations. Some of the general elements in the report are:
• Identity of the reporting agency
• Case identifier or submission number
• Case investigator
• Identity of the submitter
• Date of receipt
• Date of report
• Descriptive list of items submitted for examination
• Identity and signature of the examiner
• Brief description of steps taken during examination
• Results / conclusions
7. Testifying
• This phase involves presentation and cross-examination of expert witnesses. An
expert witness may testify if:
• The testimony is based on sufficient facts or data
• The testimony is the product of reliable principles and methods
• The witness has applied the principles and methods reliably to the facts of the case
• Experts with inadequate knowledge are sometimes chastised by the court.
Precautions to be taken when collecting digital evidence are:
• No action taken by law enforcement agencies or their agents should change the
evidence
• When a person needs to access the original data held on a computer, the person must be
competent to do so
• An audit trail or other record of all processes applied to digital evidence should be
created and preserved
• The person in charge of the investigation has overall responsibility for ensuring that the
law and these principles are adhered to
Chain of custody concept
• A chain of custody is the process of validating how any kind of evidence has been
gathered, tracked and protected on the way to a court of law.
• It is essential to get in the habit of protecting all evidence equally so that it will hold up in
court.
• Forensic investigation professionals know that if you do not have a chain of custody, the
evidence is worthless. They learn to deal with everything as if it would go to litigation.
• In other words, there is reliable information to suggest that the party offering the evidence
can demonstrate that the piece of evidence is actually, in fact, what the party claims it to be and
can further demonstrate its origin and the handling of the evidence since it was acquired.
• A chain of custody begins when an item of relevant evidence is collected, and the chain is
maintained until the evidence is disposed of.
• The chain of custody assumes continuous accountability. This accountability is important
because, if not properly maintained, an item (of evidence) may be inadmissible in court.
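As an added example (not the module's own material), the following Python sketch of a chain-of-custody record makes every transfer entry carry the hash of the entry before it, so the record demonstrates the continuous accountability described above and any later edit to an earlier entry is detectable. The people, timestamps and hashes in it are constructed.

```python
"""Added example, not from the module notes: a tamper-evident chain-of-custody
record. Every transfer entry carries the hash of the previous entry, so editing
or dropping an earlier entry breaks the chain. All names, times and hashes
below are constructed."""
import hashlib
import json

GENESIS = "0" * 64  # link value for the first entry in a chain


def entry_hash(entry: dict) -> str:
    """Hash a canonical JSON form so field order cannot change the digest."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def add_transfer(chain: list, item_id: str, from_person: str, to_person: str,
                 timestamp_utc: str, purpose: str, evidence_hash: str) -> dict:
    """Append one custody transfer, linked to the previous entry."""
    prev = chain[-1]["entry_hash"] if chain else GENESIS
    entry = {
        "item_id": item_id, "from": from_person, "to": to_person,
        "timestamp_utc": timestamp_utc, "purpose": purpose,
        "evidence_hash": evidence_hash, "prev_hash": prev,
    }
    entry["entry_hash"] = entry_hash(entry)
    chain.append(entry)
    return entry


def verify_chain(chain: list) -> tuple:
    """Return (True, -1) if the record is intact, else (False, index of the
    first bad entry). Checks each entry's own hash, its link to the previous
    entry, and that the evidence hash never changes while in custody."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev_hash"] != prev or entry_hash(body) != entry["entry_hash"]:
            return False, i
        if i and entry["evidence_hash"] != chain[i - 1]["evidence_hash"]:
            return False, i
        prev = entry["entry_hash"]
    return True, -1


def demo() -> dict:
    """Constructed custody record for one drive image, then a quiet edit."""
    h = hashlib.sha256(b"constructed image contents").hexdigest()
    chain = []
    add_transfer(chain, "ITEM-001", "scene officer", "evidence clerk",
                 "2024-01-10T09:15:00Z", "storage", h)
    add_transfer(chain, "ITEM-001", "evidence clerk", "examiner",
                 "2024-01-12T14:00:00Z", "examination", h)
    add_transfer(chain, "ITEM-001", "examiner", "evidence clerk",
                 "2024-01-15T17:30:00Z", "return to storage", h)
    intact = verify_chain(chain)
    chain[1]["to"] = "unknown contractor"  # someone rewrites history
    return {"before_edit": intact, "after_edit": verify_chain(chain)}
```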
Network Forensics Overview
• Network forensics
• Systematic tracking of incoming and outgoing traffic
• To ascertain how an attack was carried out or how an event occurred on a network
• Intruders leave trails behind
• Determine the cause of the abnormal traffic
• Internal bug
• Attackers
Securing a Network
• Layered network defense strategy
• Sets up layers of protection to hide the most valuable data at the innermost
part of the network
• Defense in depth (DiD)
• Similar approach developed by the NSA
• Modes of protection
• People (hiring and treatment)
• Technology (firewalls, IDSs, etc.)
• Operations (patches, updates)
Securing a Network (continued)
• Testing networks is as important as testing servers
• You need to be up to date on the latest methods intruders use to
infiltrate networks
• As well as methods internal employees use to sabotage networks
Developing Standard Procedures for
Network Forensics
• Long, tedious process
• Standard procedure
• Always use a standard installation image for systems on a network
• Close any way in after an attack
• Attempt to retrieve all volatile data
• Acquire all compromised drives
• Compare files on the forensic image to the original installation image
Developing Standard Procedures for
Network Forensics (continued)
• Computer forensics
• Work from the image to find what has changed
• Network forensics
• Restore drives to understand attack
• Work on an isolated system
• Prevents malware from affecting other systems
Reviewing Network Logs
• Record ingoing and outgoing traffic
• Network servers
• Routers
• Firewalls
• Tcpdump tool for examining network traffic
• Can generate top 10 lists
• Can identify patterns
• Attacks might include other companies
• Do not reveal information discovered about other
companies
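As an added example (not code from the module), the Python below reads lines in tcpdump's default IPv4 text layout, builds the "top 10" lists the slide mentions, and flags one simple pattern worth a closer look: a single source touching many ports on one host. The sample lines are constructed for illustration.

```python
"""Added example, not from the module notes: reviewing tcpdump-style text
output to build top-N lists and spot a simple pattern. The log lines below
are constructed; the layout follows tcpdump's default IPv4 output."""
import re
from collections import Counter, defaultdict

LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):"
)

SAMPLE = """\
09:00:01.000100 IP 10.0.0.5.51234 > 192.168.1.10.22: Flags [S], seq 1, length 0
09:00:01.000200 IP 10.0.0.5.51235 > 192.168.1.10.23: Flags [S], seq 1, length 0
09:00:01.000300 IP 10.0.0.5.51236 > 192.168.1.10.80: Flags [S], seq 1, length 0
09:00:01.000400 IP 10.0.0.5.51237 > 192.168.1.10.443: Flags [S], seq 1, length 0
09:00:01.000500 IP 10.0.0.5.51238 > 192.168.1.10.3389: Flags [S], seq 1, length 0
09:00:02.100000 IP 10.0.0.7.40000 > 192.168.1.10.80: Flags [P.], seq 1:100, length 99
09:00:02.200000 IP 10.0.0.7.40001 > 192.168.1.10.80: Flags [P.], seq 1:100, length 99
09:00:03.000000 IP 10.0.0.9.55000 > 192.168.1.20.53: UDP, length 40
09:00:03.500000 IP 192.168.1.10.80 > 10.0.0.7.40000: Flags [P.], seq 1:500, length 499
09:00:03.600000 IP 192.168.1.20.53 > 10.0.0.9.55000: UDP, length 120
"""


def parse(lines):
    """Yield (src, sport, dst, dport) for each line that matches; skip others."""
    for line in lines:
        m = LINE.match(line)
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"])


def top_sources(records, n=10):
    """Top-N source addresses by packet count."""
    return Counter(r[0] for r in records).most_common(n)


def top_dest_ports(records, n=10):
    """Top-N destination ports by packet count."""
    return Counter(r[3] for r in records).most_common(n)


def port_fanout(records, threshold=5):
    """Sources that contact at least `threshold` distinct ports on one host:
    a wide fan-out from a single source is a pattern worth reviewing."""
    seen = defaultdict(set)
    for src, _, dst, dport in records:
        seen[(src, dst)].add(dport)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}


def review(text=SAMPLE):
    """Run the three reviews over a text capture and return the results."""
    records = list(parse(text.splitlines()))
    return {
        "top_sources": top_sources(records),
        "top_dest_ports": top_dest_ports(records),
        "fanout": port_fanout(records),
    }
```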