Computer forensics 1

  1. Computer Forensics
     Developed by: Nilam Radadiya
  2. Index
     • Topics to be covered
       – Introduction
       – History
       – Need of Computer Forensics
       – Working with Computer Forensics
       – Tools of Computer Forensics
       – Cyber Crime
       – Types of Cyber Crime
       – Hacking
       – Virus
       – Computer Forensics Methodology
       – Skills Required for Computer Forensics
       – Application
       – Advantages & Disadvantages
  3. Definition
     • What is Computer Forensics?
       – Computer forensics involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis.
       – Evidence might be required for a wide range of computer crimes and misuses.
       – Multiple methods of:
         • Discovering data on a computer system
         • Recovering deleted, encrypted, or damaged file information
         • Monitoring live activity
         • Detecting violations of corporate policy
       – Information collected assists in arrests, prosecution, termination of employment, and preventing future illegal activity.
  4. History of Computer Forensics
     • 1970
       – First crime cases involving computers, mainly financial fraud
     • 1980
       – Financial investigators and courts realize that in some cases all the records and evidence were only on computers
       – Norton Utilities "Un-erase" tool created
       – Association of Certified Fraud Examiners began to seek training in what became computer forensics
       – SEARCH High Tech Crimes training created
       – Regular classes began to be taught to Federal agents in California and at FLETC in Georgia
       – HTCIA formed in Southern California
  5. History of Computer Forensics (contd.)
     • 1984
       – FBI Magnetic Media Program created; it later became the Computer Analysis and Response Team (CART)
     • 1987
       – AccessData, a cyber forensics company, formed
     • 1988
       – Creation of IACIS, the International Association of Computer Investigative Specialists
       – First Seized Computer Evidence Recovery Specialists (SCERS) classes held
     • 1993
       – First International Conference on Computer Evidence held
  6. History of Computer Forensics (contd.)
     • 1995
       – International Organization on Computer Evidence (IOCE) formed
     • 1997
       – The G8 countries in Moscow declared that "Law enforcement personnel must be trained and equipped to address high-tech crimes".
     • 1998
       – In March the G8 appointed IICE to create international principles, guidelines and procedures relating to digital evidence
       – INTERPOL Forensic Science Symposium
     • 1999
       – FBI CART case load exceeds 2000 cases, examining 17 terabytes of data
     • 2000
       – First FBI Regional Computer Forensic Laboratory established
  7. Who Needs Computer Forensics?
     • The computer has invaded our very existence, become a part of our lives, and is an integral part of almost every case, from complex litigation and class actions to contract disputes. Computer crimes are crimes in which computers are used as a tool to facilitate or enable an illegal activity, or have been the target of criminal activity.
     • Computer forensics services can be used by anyone who thinks a crime, a breach of policy or a wrong has been done. They may also be used by someone who is defending or protecting themselves or another party and is looking for evidence to prove or disprove the commission of a crime or a breach of information.
  8. Computer Forensic Requirements
     • Operating Systems
       – Windows 3.1/95/98/ME/NT/2000/2003/XP
       – DOS
       – UNIX
       – LINUX
       – VAX/VMS
     • Software
       – Familiarity with the most popular software packages, such as Office
     • Forensic Tools
       – Familiarity with computer forensic techniques and the software packages that could be used
  9. Working
     There are five basic steps to computer forensics:
     1) Preparation (of the investigator, not the data)
     2) Collection (of the data)
     3) Examination
     4) Analysis
     5) Reporting
  10. Preparation
     • The investigator must be properly trained to perform the specific kind of investigation that is at hand. Tools that are used to generate reports for court should be validated.
     • The main aim of computer forensics is to find evidence of the crime that is legally admissible. For a person to be a successful computer forensics professional, the basic thing that comes to mind is that he himself should step into the shoes of the computer criminal and analyze the case as it stood at that particular time.
     • Moreover, the person is required to gain access to the system by an unauthorized route in order to determine how the criminal might have penetrated the system.
  11. Collection of Data
     • Evidence from computer systems
       – It can be user-created files: address books, e-mail files, audio/video files, internet bookmarks, documents, text, spreadsheets, database files
       – It can be user-protected files: hidden files, steganography, encrypted files, password-protected files, compressed files, renamed files
       – It can be computer-created files: backup files, cookies, history files, temporary files
       – Evidence can also be obtained from deleted files, free space, boot records, hidden partitions, reserved areas, and the computer date and time
  12. Collection of Data (continued)
     • Evidence from other devices
       – Smart cards and biometric scanners
       – Digital cameras: images, video, sound, date and time
       – Answering machines
       – Evidence can also be obtained from telephones, scanners, printers, pagers, servers, switches, hubs, routers and modems
  13. Examination
     Examination means examining the collected data: What does it say? How does it relate to the crime?
  14. Analysis
     There are many steps in carrying out the entire procedure of computer forensics, but human intelligence really matters a lot. The capacity of human analysis and intelligent detection of the system cannot be matched. There are steps that should be followed in the analysis phase of computer forensics.
     • First step: if the computer system is on a network or the internet, then the first step for the computer forensics analyst is to find out which computer system was used in committing the crime.
     • Next step: the discovery of the information, which is usually in the form of files. These files include the normal files on the system and even deleted files.
  15. Reporting
     Once the analysis is complete, a report is generated. The report may be a written report, oral testimony, or a combination of both. There are many core differences between computer and physical forensics. Physical forensics focuses on identification and individualization, while computer forensics focuses on finding the evidence and analyzing it. Therefore a computer crime scene investigation is more difficult than the physical forensics process.
  16. Tools
     There are three main tools used in computer forensics:
     1) Disassembler
     2) Disk analyzer
     3) Hex editor
  17. Disassembler
     A disassembler is a computer program that translates machine language into assembly language, the inverse operation to that of an assembler. Assembly language source code generally permits the use of symbolic constants and programmer comments; these are usually removed from the assembled machine code by the assembler. If so, a disassembler operating on the machine code would produce disassembly lacking these constants and comments. The disassembled output is therefore more difficult for a human to interpret than the original source code.
  18. Disk Analyzer
     Disk Analyzer is a useful freeware Windows 95/98/ME/NT utility that allows computer owners to analyze a hard disk. It is easy to use and fast: with a few clicks of your mouse you can make an analysis of a selected drive or directory.
     1) Makes an analysis of a selected drive or directory
     2) Displays a summary
     3) Sorts items by size, type, date/time
     4) Finds duplicates
     5) Displays graphs
     6) Prints reports
  19. Hex Editor
     A hex editor (or binary or byte editor) is a type of computer program that allows a user to manipulate binary computer files. Hex editors that were designed to edit sector data from floppy or hard disks were sometimes called sector editors or disk editors. In most hex editor applications the data of a computer file is represented as hexadecimal values grouped in two groups of 8 bytes, followed by one group of 16 ASCII characters; non-printable characters are shown as a placeholder character.
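An added example, not part of the original slides: a minimal hex editor view in Python that renders bytes as two groups of 8 hex values plus a 16-character ASCII column (non-printables as "."), a sector view with offsets counted from the start of the image, and a small printable-string extractor for the ASCII column. The sample sector is constructed for the demonstration and only imitates the first bytes of a FAT boot sector.

```python
import re

def hex_dump(data: bytes, base: int = 0, width: int = 16) -> list[str]:
    """Render bytes as a hex editor does: an offset column, the hex values in two
    groups of 8, and a 16-character ASCII column with non-printables shown as '.'."""
    lines = []
    half = width // 2
    w = half * 3 - 1  # width of one hex group ("xx " per byte, no trailing space)
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        left = " ".join(f"{b:02x}" for b in chunk[:half])
        right = " ".join(f"{b:02x}" for b in chunk[half:])
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{base + off:08x}  {left:<{w}}  {right:<{w}}  |{text}|")
    return lines

def sector_dump(image: bytes, sector: int, sector_size: int = 512) -> list[str]:
    """A sector editor's view: one raw disk sector, with offsets counted from the
    start of the image so a hit can be located again on the original media."""
    start = sector * sector_size
    return hex_dump(image[start:start + sector_size], base=start)

def find_text_strings(data: bytes, min_len: int = 6) -> list[tuple[int, str]]:
    """Runs of printable ASCII with their offsets: what an examiner scans the ASCII
    column for (file names, addresses, fragments of deleted documents)."""
    return [(m.start(), m.group().decode("ascii"))
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

# Constructed sample sector: starts like a FAT boot sector (jump + OEM name) and
# then holds a file name fragment; it is not a real disk image.
SAMPLE = (b"\xeb\x3c\x90MSDOS5.0" + bytes(8) + b"invoice.doc\x00").ljust(512, b"\0")

if __name__ == "__main__":
    print("\n".join(sector_dump(SAMPLE, 0)[:3]))
    print(find_text_strings(SAMPLE))
```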
  20. Cyber Crime
     • Definition
     • The internet in India is growing rapidly. It has given rise to new opportunities in every field we can think of, be it entertainment, business, sports or education. There are two sides to a coin: the internet also has its own disadvantages. One of the major disadvantages is cybercrime, illegal activity committed on the internet. The internet, along with its advantages, has also exposed us to the security risks that come with connecting to a large network. Computers today are being misused for illegal activities like e-mail tracing, credit card fraud, software piracy and so on, which invade our privacy and offend our senses. Criminal activities in cyberspace are on the rise.
     • Here is the definition by Nandini Ramprasad: "The modern thief can steal more with a computer than with a gun. Tomorrow's terrorist may be able to do more damage with a keyboard than with a bomb."
  21. – National Research Council, "Computers at Risk", 1991.
     • What is this cyber crime? We read about it in newspapers very often. Let's look at the dictionary definition of cybercrime: "It is a criminal activity committed on the internet. This is a broad term that describes everything from electronic cracking to denial of service attacks that cause electronic commerce sites to lose money."
  22. Types of Cyber Crime
     • HACKING: The act of gaining unauthorized access to a computer system or network and, in some cases, making unauthorized use of this access. Hacking is also the act by which other forms of cyber-crime (e.g., fraud, terrorism, etc.) are committed. Hacking in simple terms means illegal intrusion into a computer system without the permission of the computer owner/user.
     • VIRUS DISSEMINATION: Malicious software that attaches itself to other software (viruses, worms, Trojan horses, time bombs, logic bombs, rabbits and bacteria are the malicious software).
     • SOFTWARE PIRACY: Theft of software through the illegal copying of genuine programs or the counterfeiting and distribution of products intended to pass for the original. Retail revenue losses worldwide are ever increasing due to this crime. It can be done in various ways such as end-user copying, hard disk loading, counterfeiting, illegal downloads from the internet, etc.
  23. • IRC CRIME: Internet Relay Chat (IRC) servers have chat rooms in which people from anywhere in the world can come together and chat with each other. Criminals use it for meeting co-conspirators, hackers use it for discussing their exploits and sharing techniques, and pedophiles use chat rooms to lure small children.
     • CREDIT CARD FRAUD: You simply have to type a credit card number into the vendor's web page for an online transaction. If electronic transactions are not secured, the credit card numbers can be stolen by hackers, who can misuse the card by impersonating the credit card owner.
     • PHISHING: A technique of pulling out confidential information from bank/financial institution account holders by deceptive means.
  24. Hacking
     • Computer hacking is broadly defined as intentionally accessing a computer without authorization or exceeding authorized access. Various state and federal laws govern computer hacking.
     • The word "hacking" has two definitions. The first definition refers to the hobby/profession of working with computers. The second definition refers to breaking into computer systems. While the first definition is older and is still used by many computer enthusiasts (who refer to cyber-criminals as "crackers"), the second definition is much more commonly used. In particular, the web pages here refer to "hackers" simply because our web-server logs show that everyone who reaches these pages is using the second definition as part of their search criteria.
  25. Virus
     • A computer virus is a computer program that can replicate itself and spread from one computer to another.
     • A virus is a small program that embeds itself into other programs. When those other programs are executed, the virus is also executed and attempts to copy itself into more programs. In this way it spreads in a manner similar to a biological virus. Viruses, by definition, can "infect" any executable code. Accordingly, they are found in floppy and hard disk boot sectors, executable programs, macro languages and executable electronic mail attachments.
     • Viruses can be found using a virus scanner or a virus wall. Some software products are also available to remove them with a minimum of harm to the "infected" files.
     • Some viruses are self-modifying in order to make detection more difficult. Such viruses are called polymorphic (many shapes).
  26. Computer Forensics Methodology
     1) Shut Down the Computer.
     2) Document the Hardware Configuration of the System.
     3) Transport the Computer System to a Secure Location.
     4) Make Bit Stream Backups of Hard Disks and Floppy Disks.
     5) Mathematically Verify Data on All Storage Devices.
     6) Document the System Date and Time.
     7) Make a List of Key Search Words.
  27. 8) Evaluate the Windows Swap File.
     9) Evaluate Unallocated Space (Erased Files).
     10) Search Files, File Slack and Unallocated Space for Key Words.
     11) Document File Names, Dates and Times.
     12) Identify File, Program and Storage Anomalies (Errors).
     13) Evaluate Program Functionality.
     14) Document Your Findings.
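As an added example (not from the original presentation), the following Python script carries out steps 4, 5 and 10 of the methodology above against a constructed 4 KiB image: a bit stream copy, SHA-256 verification that source and copy agree, and a keyword search that also reaches file slack and unallocated space because it scans the raw bytes rather than the file system. The image contents, file names and keyword list are all constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

BLOCK = 1 << 20  # stream 1 MiB at a time so a large image is never loaded whole

def bit_stream_copy(src: Path, dst: Path) -> int:
    """Step 4: copy every byte of the source image, block by block; returns bytes copied."""
    copied = 0
    with src.open("rb") as fin, dst.open("wb") as fout:
        while chunk := fin.read(BLOCK):
            fout.write(chunk)
            copied += len(chunk)
    return copied

def sha256_of(path: Path) -> str:
    """Step 5: hash of the whole image; source and copy must agree before analysis begins."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        while chunk := f.read(BLOCK):
            h.update(chunk)
    return h.hexdigest()

def keyword_hits(path: Path, keywords: list[bytes]) -> dict[bytes, list[int]]:
    """Step 10: byte offsets of each keyword anywhere in the raw image (live files, slack, unallocated)."""
    data = path.read_bytes()
    hits = {}
    for kw in keywords:
        offsets, pos = [], data.find(kw)
        while pos != -1:
            offsets.append(pos)
            pos = data.find(kw, pos + 1)
        hits[kw] = offsets
    return hits

def build_sample_image(path: Path) -> None:
    """Constructed 4 KiB 'disk image': a 512-byte live file (text + slack), then unallocated space with a deleted note."""
    live = b"invoice.txt: payment to ACME Ltd".ljust(512, b"\0")
    unallocated = b"\0" * 1024 + b"deleted note: transfer to offshore account"
    path.write_bytes((live + unallocated).ljust(4096, b"\xff"))

def run_demo() -> dict:
    """Acquire, verify, then search the verified copy; the original is never analysed directly."""
    with tempfile.TemporaryDirectory() as d:
        src, copy = Path(d, "source.img"), Path(d, "copy.img")
        build_sample_image(src)
        copied = bit_stream_copy(src, copy)
        verified = sha256_of(src) == sha256_of(copy)
        hits = keyword_hits(copy, [b"ACME", b"offshore"]) if verified else {}
        return {"copied": copied, "verified": verified, "hits": hits}
```

The hit at offset 1562 lies in the unallocated region behind the only live file, which is exactly the kind of evidence a file-level search would miss.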
  28. Skills Required for Computer Forensics
     • Programming or computer-related experience
     • Broad understanding of operating systems and applications
     • Strong analytical skills
     • Strong computer science fundamentals
     • Strong system administration skills
     • Knowledge of the latest intruder tools
     • Knowledge of cryptography and steganography
     • Strong understanding of the rules of evidence and evidence handling
     • Ability to be an expert witness in a court of law
  29. Conclusion
  30. Thank You