Notes: The key steps in computer forensics include the following:
1. Identification: Involves recognizing an incident from indicators, determining its type and accordingly identifying the evidence relevant to the crime. This focuses on identifying and locating potential evidence, possibly within unconventional locations.
2. Seizure: The process of capturing the suspect computer for evidence collection. A systematic procedure is needed for seizure to avoid loss of digital evidence. Construct detailed documentation for analysis.
3. Authentication: Validating the seized and acquired evidence to make sure that the integrity of the evidence is not compromised.
4. Acquisition: Record the physical scene and duplicate digital evidence using standardized and accepted procedures.
5. Analysis: Determine significance, reconstruct fragments of data and draw conclusions based on the evidence found. It may take several iterations of examination and analysis to support a crime theory. The distinction of analysis is that it may not require high technical skills to perform, and thus more people can work on the case.
6. Presentation: Summarize and provide an explanation of the conclusions. This should be written in a layperson's terms using abstracted terminology. All abstracted terminology should reference the specific details.
7. Preservation: This includes preventing people from using the digital device or allowing other electromagnetic devices to be used within an affected radius. A proper chain of custody should be followed: from the moment the evidence is collected, every transfer of evidence from person to person must be documented, and it must be provable that nobody else could have accessed that evidence. It is best to keep the number of transfers as low as possible.

Computer forensics
1. Computer Forensics. Yogesh E. Sonawane, yogesh.dfe@gmail.com
2. CYBERCRIMES
3. REAL-WORLD & VIRTUAL-WORLD: Current approaches evolved to deal with real-world crime. Cybercrime occurs in a virtual world and therefore presents different issues.
4. EXAMPLE: THEFT. Real-world theft: possession of property shifts completely from A to B, i.e., A had it, now B has it. Theft in the virtual world (cyber-theft): property is copied, so A "has" it and so does B.
5. Think before you Click
6. What is Computer Crime? "Unlawful acts wherein the computer is either a tool or a target or both." Two aspects:
   • Computer as a tool to commit crime: child porn, threatening e-mail, identity theft, sexual harassment, defamation, phishing.
   • Computer itself becomes the target of crime: viruses, worms, software piracy, hacking.
7. TYPES OF COMPUTER CRIME
   • HACKING: Hacking in simple terms means illegal intrusion into a computer system without the permission of the computer owner/user.
   • SOFTWARE PIRACY: Unauthorized copying of software.
   • PORNOGRAPHY: Computer pornography covers pornographic websites, pornographic magazines produced using computers (to publish and print the material) and the Internet (to download and transmit pornographic pictures and photos).
8. TYPES OF COMPUTER CRIME (cont.)
   • FORGED DOCUMENTS: Creating fake documents such as fake academic certificates, mark sheets etc.
   • CREDIT CARD FRAUD: Credit card fraud is a wide-ranging term for theft and fraud committed using a credit card or any similar payment mechanism as a fraudulent source of funds in a transaction.
   • COMPUTER STALKING: Use of e-mail or the Internet to harass or threaten an individual.
9. TYPES OF COMPUTER CRIME (cont.)
   • PHISHING: In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.
   • COMPUTER DEFAMATION: This occurs when defamation takes place with the help of computers and/or the Internet, e.g. Mr. X publishes defamatory matter about Ms. Y on a website or sends e-mails containing defamatory information to Ms. Y's friends.
10. WHAT IS DIGITAL EVIDENCE? Digital evidence is any information of probative value that is either stored or transmitted in a binary form. Digital evidence includes computer evidence, digital audio recorders, digital video recorders, mobile phones, pen drives, CDs, DVDs etc.
11. ELECTRONIC RECORD: An electronic record is that which is generated, stored, sent or received by electronic means and includes data, images or sound.
12. CHALLENGES FOR INVESTIGATING AGENCIES
   • Difficulty in collection of evidence
   • Fragility of computer data
   • Fear of destruction of vital data
   • Vast volume to be examined
   • Diversity of hardware and software
   • Admissibility in the courts
13. COMPUTER FORENSICS. Definition: Identification, extraction, documentation, and preservation of computer media for evidentiary and/or root cause analysis using well-defined methodologies and procedures.
14. COMPUTER FORENSICS. Methodology:
   • Acquire the evidence without altering or damaging the original.
   • Authenticate that the recovered evidence is the same as the original seized.
   • Analyze the data without modifying it.
15. COMPUTER FORENSICS - STEPS: Identification, Seizure, Authentication, Acquisition, Analysis, Presentation, Preservation (divided between the Scene of Crime and the Forensics Lab).
16. What to carry?
   • Camera, note or sketch pads
   • Blank CDs, DVDs, pen drives, hash calculator, write-blocker, cross-over cable etc.
   • Sealing material: labels, pens, markers
   • Storage containers: anti-static bags, plastic bubble wrap
   • Software/hardware for on-site virtual data retrieval and imaging
17. How to secure the crime scene?
   • The entire work area, office, or cubicle is a potential crime scene, not just the computer itself.
   • No one should be allowed to touch the computer, including shutting the computer down, exiting from any programs/files in use at the time, or removing anything from the scene.
18. How to secure the crime scene? (cont.)
   • Disconnect the power supply; otherwise files can be lost to a hard drive crash.
   • If required, access the system to take a backup of volatile data.
19. Computer Forensic Steps - Scene of Crime
   • Back up volatile data in RAM / router etc.
   • Photograph / video the scene of incidence / crime
   • Identify digital storage media
   • Draw the network topology
20. Questions to be asked at the scene of crime
   • Login details: user name(s) and password(s)
   • Encryption
   • Files of interest
   • E-mail accounts
   • Internet service provider(s)
   • Off-site storage
   • Hidden storage devices
21. WHY ARE PRECAUTIONS REQUIRED?
   • The integrity of data is essential for making it presentable in a court of law within the acceptable limits of law.
   • The active data recovered can give us vital links.
   • The deleted data too can be recovered and used for reconstruction of events.
   • Certain damaged media too can be read/viewed.
22. Computer Forensic Steps - Scene of Crime: Identification, Seizure, Acquisition
23. Exhibits Seized
24. Identification
25. Identification: front side of the CPU cabinet (case or chassis), back side of the CPU cabinet (case or chassis), the CPU
26. Identification (cont.): Internal hard disk
27. Identification (cont.): External hard disk
28. Identification (cont.): Floppy, CD/DVD
29. Identification (cont.): Mobile phones, SIM card, memory cards
30. Identification (cont.): Skimmer, credit cards
31. Identification (cont.): Dongle and pen drives
32. Identification (cont.)
33. Identification (cont.)
34. Identification (cont.)
35. Seizure
36. What is Seizure? Definition: Seizure is the process of capturing the suspect computer or storage media for evidence collection.
37. Seizure (cont.)
   • The case-related reference documents should also be seized from the crime scene. For example, in case of economic crime look for account book details, passbook details, bank transaction details, ATM credit/debit card details.
   • In case of forged documents look for reference documents such as academic certificates, bill receipts, passport, legal property papers etc.
   • If video files or picture image files of a particular person are to be traced, then provide photographs of the same for identification.
38. Labeling
39. Labeling
40. Labeling
41. Labeling
42. Labeling
43. Packaging and Transportation
   • Properly document and label the evidence before packaging.
   • Use anti-static wrap or bubble wrap for magnetic media.
   • Avoid folding, bending or scratching computer media such as diskettes, CDs, removable media etc.
44. Labeling
45. Packaging and Transportation
   • While transporting, place the computer securely on the floor of the vehicle where the ride is smooth.
   • Avoid radio transmissions, electromagnetic emissions and moisture in the vicinity of digital evidence.
46. Dealing with the Suspected Mobile Phone
   • At the time of seizing a mobile phone, its components like battery, SIM card(s) and memory card(s) should be removed.
   • The user manuals should also be seized from the scene, if present.
47. Guidelines from Forensics (cont.)
   • If a CPU cabinet is seized from the crime scene, bring only the hard disks for analysis; do not bring the CPU cabinet.
   • Printer, scanner, monitor, keyboard, mouse etc. should not be seized.
   • Only digital storage media like hard disks, pen drives, floppies, CDs, DVDs, mobile phones etc. are analyzed.
   • If an exhibit is a hard disk, a blank hard disk with more (double) capacity needs to be provided.
48. Acquisition & Authentication
49. Precautions while Acquisition
   • Use of write blocker devices: Thumbscrew, FastBloc, Tableau
   • Need of a write blocker
50. Acquisition & Authentication
   • Making a forensic duplicate copy of the suspect storage media is Acquisition.
   • A forensic duplicate is a file that contains every bit of information from the source disk.
   • Two ways: using software, using hardware.
51. Acquisition & Authentication
   • Using a software tool requires a hardware write blocker at the source end, e.g. FastBloc FE / Tableau, with software such as EnCase or FTK Imager used for acquisition.
   • A hardware tool has an inbuilt write blocker and gives better speed for acquisition, e.g. TD2, Talon, SOLO, Dossier by LogiCube etc.
52. Laboratory Work: Authentication, Analysis, Presentation, Preservation
53. Authentication: Hash Value. How to verify the integrity of a forensic duplicate? The hash value, also known as a "Message Digest" or "Fingerprint", is basically a digital signature. The checksum is created by applying an algorithm to the file. The checksum for each file is unique to that file. E.g. 4a24e1e50622c52122406b77e8438c5a (MD5)
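To make the acquisition (slides 50-51) and authentication (slide 53) steps concrete, the following added example, which is not part of the original slide deck, streams a constructed stand-in for the seized media into a duplicate file, records the digest at acquisition time, and shows that flipping a single bit in the duplicate fails verification. The file names, the temporary directory and the MD5 default are assumptions; any algorithm hashlib supports can be passed instead.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # stream 1 MiB at a time so a large image never has to fit in memory


def hash_file(path, algorithm="md5"):
    """Hex digest of a whole file, streamed in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source, image, algorithm="md5"):
    """Bit-for-bit copy of source into image; returns the digest of the bytes copied."""
    h = hashlib.new(algorithm)
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)   # hashed from the same read as the copy: this is the recorded value
            dst.write(block)
    return h.hexdigest()


def verify(image, recorded_digest, algorithm="md5"):
    """Authenticate the duplicate: recompute its digest and compare with the recorded one."""
    return hash_file(image, algorithm) == recorded_digest


def demo():
    """Constructed scenario: fake 'suspect media', its duplicate, then a tampered duplicate."""
    work = tempfile.mkdtemp()
    source = os.path.join(work, "suspect.bin")  # constructed stand-in for the seized disk
    image = os.path.join(work, "suspect.dd")    # the forensic duplicate
    with open(source, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 123))    # odd size: the last chunk is a partial read

    recorded = acquire(source, image)
    intact = verify(image, recorded)            # True: duplicate matches the recorded digest

    # Flip one bit in the duplicate; the recomputed digest must no longer match.
    with open(image, "r+b") as f:
        f.seek(CHUNK + 7)
        original = f.read(1)
        f.seek(CHUNK + 7)
        f.write(bytes([original[0] ^ 0x01]))
    still_intact = verify(image, recorded)      # False: tampering detected
    return intact, still_intact


if __name__ == "__main__":
    print(demo())  # (True, False)
```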
54. Analysis
55. Current and Emerging Cyber Forensic Tools of Law Enforcement
56. Analysis Process: The process of searching for crime-relevant data and extracting it. The analyst has to search data in: deleted files, slack space, unallocated space, free space, log entries, registry entries, system files, printer spool files, cookies, keywords.
57. Analysis Process (cont.): Why is Slack Space Important? Unallocated space (new drive) → Allocated space → Unallocated space (after file deletion) → Allocated space (reallocated, new file) → Slack space. Why isn't this also slack space?
58. Analysis Process (cont.)
   • "Keyword Search" is one of the most important steps of analysis.
   • The keywords should be listed for getting better and sorted search results. These keywords should be case-relevant.
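An added example, not part of the original slides, that models the slack-space sequence of slide 57 and the keyword search of slide 58 on a constructed toy volume: a file is written, deleted and partly overwritten by a smaller file, and a case-insensitive keyword search is then run over the surviving file slack and the unallocated clusters. The cluster size, the file contents and the simplistic allocator are all constructed assumptions.

```python
CLUSTER = 512  # constructed: a tiny cluster size keeps the demo readable


class ToyVolume:
    """Constructed cluster-allocated volume: a bytearray plus a free-cluster list.

    Deleting a file only returns its clusters to the free list (the bytes stay),
    and a new file written into a reused cluster overwrites only its own length,
    so the tail of the old content survives as file slack.
    """

    def __init__(self, clusters):
        self.data = bytearray(clusters * CLUSTER)
        self.files = {}                    # name -> (first_cluster, n_clusters, length)
        self.free = list(range(clusters))  # toy allocator: takes the lowest free clusters

    def write(self, name, content):
        n = -(-len(content) // CLUSTER)    # ceil division: clusters needed
        first = self.free[0]
        assert self.free[:n] == list(range(first, first + n)), "toy allocator needs contiguous clusters"
        del self.free[:n]
        start = first * CLUSTER
        self.data[start:start + len(content)] = content
        self.files[name] = (first, n, len(content))

    def delete(self, name):
        first, n, _ = self.files.pop(name)
        self.free = sorted(self.free + list(range(first, first + n)))

    def slack(self, name):
        """Bytes between the logical end of a file and the end of its last cluster."""
        first, n, length = self.files[name]
        return bytes(self.data[first * CLUSTER + length:(first + n) * CLUSTER])

    def unallocated(self):
        """Every free cluster, concatenated; deleted content lives here until reused."""
        return b"".join(bytes(self.data[c * CLUSTER:(c + 1) * CLUSTER]) for c in self.free)


def keyword_hits(volume, keywords):
    """Case-insensitive keyword search over each live file's slack and over unallocated space."""
    regions = {"slack:" + name: volume.slack(name) for name in volume.files}
    regions["unallocated"] = volume.unallocated()
    hits = {}
    for region, blob in regions.items():
        found = [k for k in keywords if k.lower().encode() in blob.lower()]
        if found:
            hits[region] = found
    return hits


def demo():
    """Constructed case: a ~1 KB 'ledger' is deleted, then a 13-byte note reuses its first cluster."""
    vol = ToyVolume(clusters=8)
    vol.write("ledger.txt", b"ACCOUNT 1234 transfer to offshore account. " * 25)
    vol.delete("ledger.txt")                 # frees clusters 0-2; the bytes are not wiped
    vol.write("note.txt", b"shopping list")  # reuses cluster 0, overwrites only 13 bytes
    return keyword_hits(vol, ["offshore", "ACCOUNT", "shopping"])
```

The ledger's keywords surface both in the slack of the new note (the unwritten rest of cluster 0) and in the unallocated clusters 1 and 2, which is exactly why slide 56 lists both regions as places the analyst must search.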
59. Documentation & Preservation
   • Report writing and preparation of notes
   • Store the magnetic storage media in a secure area: cool, dry, and away from generators and magnets.
60. Prevention of Computer Crime: Safe Computing Tips
   • Do not reveal personal information to unknown people or websites.
   • Create hard-to-guess passwords, keep them private and change them regularly.
   • Use anti-virus software and update it regularly.
   • Back up your important files regularly.
   • Never reveal your true identity while chatting.
61. Safe Online Banking
   • Keep your passwords/PIN codes safe and memorize them.
   • Check that the online banking website is secure.
   • Log out immediately after you have completed your transaction.
   • Do not respond to e-mails asking for your personal information. When in doubt, call the institution that claims to have sent the e-mail.
   • Read privacy and policy statements before any transaction.
   • Check your account statements to ensure that no unauthorized transaction has taken place.
62. Tips for Safe Social Networking
   • Don't reveal too much information about yourself online.
   • Add people as friends to your site only if you know them personally.
   • Delete inappropriate messages from your profile.
   • Do not post information about your friends, as you may put them at risk.
   • What you post online is not private. It can be seen by everyone.