Developed by: Nilam Radadiya
• Topics to be covered
– Need for Computer Forensics
– Working with Computer Forensics
– Tools of Computer Forensics
– Cyber Crime
– Types of Cyber Crime
– Computer Forensics Methodology
– Skills Required For Computer Forensics
– Advantages & Disadvantages
• What is Computer Forensics?
– Computer forensics involves the preservation, identification,
extraction, documentation, and interpretation of computer media
for evidentiary and/or root cause analysis.
– Evidence might be required for a wide range of computer crimes
– Multiple methods of
• Discovering data on computer system
• Recovering deleted, encrypted, or damaged file information
• Monitoring live activity
• Detecting violations of corporate policy
– Information collected assists in arrests, prosecution, termination
of employment, and preventing future illegal activity
History of Computer Forensics
• First crime cases involving computers, mainly financial fraud
• Financial investigators and courts realize that in some cases all the
records and evidence were only on computers.
• Norton Utilities, “Un-erase” tool created
• Association of Certified Fraud Examiners began to seek training in
what became computer forensics
• SEARCH High Tech Crimes training created
• Regular classes began to be taught to Federal agents in California
and at FLETC in Georgia
• HTCIA formed in Southern California
• FBI Magnetic Media Program created. It later became the Computer
Analysis and Response Team (CART)
• AccessData – Cyber Forensic Company formed
• Creation of IACIS, the International Association of Computer
• First Seized Computer Evidence Recovery Specialists (SCERS)
• First International Conference on Computer Evidence held
History of Computer Forensics (continued)
• International Organization on Computer Evidence (IOCE) formed
• The G8 countries in Moscow declared that “Law enforcement
personnel must be trained and equipped to address high-tech
• In March the G8 appointed the IOCE to create international principles,
guidelines and procedures relating to digital evidence
• INTERPOL Forensic Science Symposium
• FBI CART case load exceeds 2000 cases, examining 17 terabytes
• First FBI Regional Computer Forensic Laboratory established
Who Needs Computer Forensics?
• The computer has invaded our very existence, become
a part of our lives, and is an integral part of almost every
case — from complex litigation and class actions to contract
disputes. Computer crimes are crimes in which computers
are used as a tool to facilitate or enable an illegal activity,
or have been a target of criminal activity.
• Computer forensics services can be used by anyone
who thinks a crime, a breach of policy or a wrong has been
done. They may also be utilized by someone who is
defending or protecting themselves or another party and
is looking for evidence to prove or disprove the
commission of a crime or a breach of information.
Computer Forensic Requirements
• Operating Systems
– Windows 3.1/95/98/ME/NT/2000/2003/XP
– Familiarity with most popular software packages
such as Office
• Forensic Tools
– Familiarity with computer forensic techniques and the software
packages that could be used
There are five basic steps in computer forensics:
1) Preparation (of the investigator, not the data)
• The investigator must be properly trained to
perform the specific kind of investigation that is at
hand. Tools that are used to generate reports for
court should be validated.
• The main aim of computer forensics is to find
legally admissible evidence of the crime. For a person to
be a successful computer forensics professional,
the basic thing that comes to mind is that he
himself should step into the shoes of the computer
criminal and analyze the case at that particular
• Moreover, the person is required to know how to gain
access to a system in an unauthorized way, in order to
determine how the criminal might have penetrated
Collection of Data:
Evidence from computer systems
It can be user-created files: address book, email files, audio/video
files, internet bookmarks, documents, text, spreadsheets, database files
It can be user-protected files: hidden files, steganography, encrypted
files, password-protected files, compressed files, renamed files
It can be computer-created files: backup files, cookies, history
Evidence can also be obtained from deleted files, free space, boot
records, hidden partitions, reserved areas, computer date and time
Collection of Data (continued)
Evidence from other devices
Smart cards and biometric scanners
Digital cameras: images, video, sound, date and time
Evidence can also be obtained from telephones,
scanners, printers, pagers, servers, switches, hubs, routers and modems
Examination means examining the collected data:
What do they say?
How do they relate to the crime?
There are many steps in carrying out the entire procedure of
computer forensics, but human intelligence really matters a lot. The
capacity of human analysis and intelligent detection of the
system cannot be compared. There are steps that should be
followed in the analysis of computer forensics.
First step: if the computer system is in a network or on the
internet, then the first step for the computer forensics analyst is to find out
which computer system was used in committing the crime.
Next step: the discovery of the information, which is usually in the
form of files. These files include the normal files on the
system or even deleted files.
Once the analysis is complete, a report is
generated. The report may be a written
report or oral testimony, or a combination of
both. There are many core differences
between computer and physical
forensics. Physical forensics focuses on
identification and individualization,
while computer forensics focuses on
finding the evidence and analyzing
it. Therefore it is more difficult than a physical
crime scene investigation.
There are three main tools used in computer forensics.
A disassembler is a computer program that translates machine
language into assembly language, the inverse operation to that of an
assembler. Assembly language source code generally permits the use of
symbolic constants and programmer comments. These are usually
removed from the assembled machine code by the assembler. If so, a
disassembler operating on the machine code would produce
a disassembly lacking these constants and comments.
The disassembled output becomes more difficult for a human to
interpret than the original source code.
Disk Analyzer is a useful freeware
Windows 95/98/ME/NT utility that
allows computer owners to analyze
hard disk space. It is easy to use and
fast. With a few clicks of your mouse
you can make an analysis of a selected
drive or directory.
1) Makes an analysis of a selected drive or directory
3) Sorts items by size, type, date/time
A Hex Editor (or binary or byte
editor) is a type of computer
program that allows a user to
manipulate binary computer files.
Hex editors that were designed to
edit sector data from floppy or hard
disks were sometimes called sector
editors or disk editors. In most hex
editor applications the data of a
computer file is represented as
hexadecimal values grouped in two
groups of 8 bytes and one group of 16 ASCII
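The display layout just described, as an added Python example that is not part of the original slides: a minimal hex-editor view (offset, hex bytes in two groups of eight, a 16-character ASCII column) plus a same-length byte patch, run over a constructed 28-byte sample file.

```python
# Added example: a minimal hex-editor view of a binary file, laid out the way
# the text describes (16 bytes per row, hex in two groups of 8, ASCII column),
# plus a same-length byte edit. Not code from the original slides.

def hexdump(data: bytes, width: int = 16) -> list[str]:
    """Return one text line per row: offset, hex bytes in two groups of
    width//2, and the printable-ASCII rendering (non-printables as '.')."""
    half = width // 2
    col = half * 3 - 1           # text width of one hex group, 23 for 8 bytes
    lines = []
    for offset in range(0, len(data), width):
        chunk = data[offset:offset + width]
        left = " ".join(f"{b:02x}" for b in chunk[:half])
        right = " ".join(f"{b:02x}" for b in chunk[half:])
        ascii_col = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{offset:08x}  {left:<{col}}  {right:<{col}}  |{ascii_col}|")
    return lines


def patch_bytes(data: bytes, offset: int, new: bytes) -> bytes:
    """Overwrite bytes in place, as a hex editor does: the file length never
    changes and nothing shifts, unlike a text editor's insert."""
    if offset < 0 or offset + len(new) > len(data):
        raise ValueError("patch falls outside the file")
    return data[:offset] + new + data[offset + len(new):]


# Constructed 28-byte sample "file": a fake header, padding, an embedded string.
SAMPLE_FILE = b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8 + b"hello world\x00"

if __name__ == "__main__":
    for line in hexdump(SAMPLE_FILE):
        print(line)
    edited = patch_bytes(SAMPLE_FILE, 16, b"HELLO")
    print(hexdump(edited)[1])
```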
• The internet in India is growing rapidly. It has given rise to new
opportunities in every field we can think of – be it entertainment,
business, sports or education. There are two sides to a coin.
The internet also has its own disadvantages. One of the major
disadvantages is cybercrime – illegal activity committed on the
internet. The internet, along with its advantages, has also
exposed us to security risks that come with connecting to a large
network. Computers today are being misused for illegal activities
like e-mail tracing, credit card fraud, software piracy and so on,
which invade our privacy and offend our senses. Criminal
activities in cyberspace are on the rise.
• Here is the definition by Nandini Ramprasad:
"The modern thief can steal more with a computer than with a
gun. Tomorrow's terrorist may be able to do more damage with a
keyboard than with a bomb".
– National Research Council, "Computers at Risk", 1991.
What is this Cyber crime? We read about it in newspapers
very often. Let's look at the dictionary definition of
Cybercrime: "It is a criminal activity committed on the
internet. This is a broad term that describes everything
from electronic cracking to denial of service attacks that
cause electronic commerce sites to lose money".
Types of Cyber Crime
• HACKING
The act of gaining unauthorized access to a computer system or
network and in some cases making unauthorized use of this
access. Hacking is also the act by which other forms of cyber-crime
(e.g., fraud, terrorism, etc.) are committed. Hacking in simple
terms means illegal intrusion into a computer system without the
permission of the computer owner/user.
• VIRUS DISSEMINATION
Malicious software that attaches itself to other software.
(virus, worms, Trojan Horse, Time bomb, Logic Bomb, Rabbit and
Bacterium are the malicious soft wares)
• SOFTWARE PIRACY
Theft of software through the illegal copying of genuine programs
or the counterfeiting and distribution of products intended to pass
for the original. Retail revenue losses worldwide are ever
increasing due to this crime.
It can be done in various ways such as end-user copying, hard disk
loading, counterfeiting, illegal downloads from the internet etc.
• IRC CRIME
Internet Relay Chat (IRC) servers have chat rooms in which
people from anywhere in the world can come together and chat with
each other. Criminals use it for meeting co-conspirators. Hackers
use it for discussing their exploits / sharing techniques.
Pedophiles use chat rooms to lure small children.
• CREDIT CARD FRAUD
You simply have to type a credit card number into a web page for the
online transaction. If electronic transactions are not secured, the
credit card numbers can be stolen by hackers, who can misuse
the card by impersonating the credit card owner.
• PHISHING
It is a technique of pulling out confidential information from
bank/financial institution account holders by deceptive means.
• Computer hacking is broadly defined as intentionally
accessing a computer without authorization or exceeding
authorized access. Various state and federal laws govern
• The word "hacking" has two definitions. The first definition
refers to the hobby/profession of working with computers.
The second definition refers to breaking into computer
systems. While the first definition is older and is still used
by many computer enthusiasts (who refer to cyber-
criminals as "crackers"), the second definition is much more
commonly used. In particular, the web pages here refer to
"hackers" simply because our web-server logs show that
everyone who reaches these pages is using the second
definition as part of their search criteria.
• A computer virus is a computer program that can replicate itself
and spread from one computer to another.
• A Virus is a small program that embeds itself into other programs.
When those other programs are executed, the virus is also
executed, and attempts to copy itself into more programs. In this
way, it spreads in a manner similar to a biological virus. Viruses,
by definition, can "infect" any executable code. Accordingly, they
are found on floppy and hard disk boot sectors, executable
programs, macro languages and executable electronic mail
• Viruses can be found using a Virus Scanner or a Virus Wall. Some
software products are also available to remove them with a
minimum of harm to the "infected" files.
• Some viruses are self-modifying, in order to make detection more
difficult. Such viruses are called polymorphic (many shapes).
Computer Forensics Methodology
1) Shut Down the Computer.
2) Document the Hardware Configuration of the System.
3) Transport the Computer System to a Secure Location.
4) Make Bit-Stream Backups of Hard Disks and Floppy Disks.
5) Mathematically Verify Data on All Storage Devices.
6) Document the System Date and Time.
7) Make a List of Key Search Words.
8) Evaluate the Windows Swap File.
9) Evaluate Unallocated Space (Erased Files).
10) Search Files, File Slack and Unallocated Space for Key
11) Document File Names, Dates and Times.
12) Identify File, Program and Storage Anomalies (error).
13) Evaluate Program Functionality.
14) Document Your Findings.
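Steps 4, 5 and 10 of the methodology above, worked as an added Python example (not code from the original slides): a bit-stream image is verified by hash against the source, then its raw bytes, file slack and unallocated space included, are searched for key words. The 64-byte sample image and the hash_file() helper are constructed for this example.

```python
# Added example: methodology steps 4, 5 and 10 in code. A bit-stream image is
# verified by hash against the source, then its raw bytes (file slack and
# unallocated space included) are searched for key words. Not from the slides.
import hashlib
import re


def image_digest(image: bytes, algo: str = "sha256") -> str:
    """Hash a whole in-memory image. For a real device or image file use
    hash_file() so the data is streamed instead of loaded at once."""
    return hashlib.new(algo, image).hexdigest()


def hash_file(path: str, algo: str = "sha256", chunk: int = 1 << 20) -> str:
    """Stream a device node or image file through the hash in 1 MiB chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(source: bytes, image: bytes, algo: str = "sha256") -> bool:
    """Step 5: the copy is only usable as evidence if its hash equals the
    hash taken from the original media before imaging."""
    return image_digest(source, algo) == image_digest(image, algo)


def keyword_search(image: bytes, keywords: list[str]) -> dict[str, list[int]]:
    """Step 10: byte offsets of every case-insensitive hit for each key word.
    Searching the raw image rather than mounted files is what reaches slack
    and unallocated space, where deleted data survives."""
    hits: dict[str, list[int]] = {}
    for kw in keywords:
        pattern = re.compile(re.escape(kw.encode()), re.IGNORECASE)
        hits[kw] = [m.start() for m in pattern.finditer(image)]
    return hits


# Constructed 64-byte "disk": an allocated record, then the remains of a
# deleted record left in unallocated space. Not a real filesystem layout.
SAMPLE_IMAGE = (
    b"ALLOCATED: invoice to acme corp\x00"   # 32 bytes, live file
    + b"\x00" * 4
    + b"deleted: Acme wire 90000\x00"         # 25 bytes, unallocated
    + b"\x00" * 3
)

if __name__ == "__main__":
    print("sha256:", image_digest(SAMPLE_IMAGE))
    print("hits:", keyword_search(SAMPLE_IMAGE, ["acme", "wire"]))
```

A hit at offset 45 lands in the unallocated region, which is exactly what a file-level search of the mounted volume would have missed.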
Skills Required for Computer Forensics
• Programming or computer related experience
• Broad understanding of operating systems and applications
• Strong analytical skills
• Strong computer science fundamentals
• Strong system administration skills
• Knowledge of the latest intruder tools
• Knowledge of cryptography and steganography
• Strong understanding of the rules of evidence and evidence
• Ability to be an expert witness in a court of law