Computer Forensics: A Brief
The scientific process of
preserving, identifying, extracting, documenting, and
interpreting data on a computer
The field of computer forensics began to evolve
more than 30 years ago in the United States.
With the growth of the Internet and increasing usage
of technology devices connected to the
Internet, computer crimes are increasing at a great
the medium of
• Illegal access to a system or
• Illegal transmission of data
• Data deletion, damage, alteration
• Serious hindrance to computer
• Incriminating information stored
• Information that unleashes
Tools for Computer Forensics
• List of processes
• Process to port mapping
• Executable file analysis
Mobile Device forensics
Network Forensics is the capture, recording, and analysis of network
events in order to discover the source of security attacks or other
1. "Catch-it-as-you-can" systems, in which all packets passing through a
certain traffic point are captured and written to storage, with analysis
done subsequently in batch mode. This approach requires large amounts of
storage, usually a RAID system.
2. "Stop, look and listen" systems, in which each packet is analyzed in a
rudimentary way in memory and only certain information is saved for
future analysis. This approach requires less storage but may require a
faster processor to keep up with incoming traffic.
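The two strategies above, side by side over the same packets, as an added example that is not part of the original page. The traffic is constructed in-process (four Ethernet/IPv4/TCP frames wrapped in a classic libpcap file), so nothing is read from a real interface; the flow-record fields (packets, bytes, first/last timestamp) are this example's own choice rather than any product's schema. The "catch-it-as-you-can" path keeps every frame; the "stop, look and listen" path keeps one small record per 5-tuple and throws the payloads away.

```python
"""Two network-forensics capture strategies run over the same packet stream."""
import struct
from collections import defaultdict


def _ipv4_tcp(src, dst, sport, dport, payload):
    """Build a minimal Ethernet/IPv4/TCP frame (checksums left at zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst MAC, src MAC, EtherType IPv4
    ip_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


# Constructed sample traffic: one HTTP conversation and one SSH banner.
SAMPLE_FRAMES = [
    _ipv4_tcp("10.0.0.5", "203.0.113.9", 51000, 80, b"GET / HTTP/1.1\r\n"),
    _ipv4_tcp("203.0.113.9", "10.0.0.5", 80, 51000, b"HTTP/1.1 200 OK\r\n"),
    _ipv4_tcp("10.0.0.5", "203.0.113.9", 51000, 80, b"GET /a HTTP/1.1\r\n"),
    _ipv4_tcp("10.0.0.7", "198.51.100.2", 40001, 22, b"SSH-2.0-OpenSSH\r\n"),
]


def build_pcap(frames):
    """Serialise frames as a classic little-endian libpcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap(data):
    """Yield (timestamp, frame bytes) for each record in a pcap file."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian pcap file")
    off = 24
    while off + 16 <= len(data):
        ts, _usec, caplen, _origlen = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield ts, data[off:off + caplen]
        off += caplen


def five_tuple(frame):
    """(src, dst, sport, dport, proto) for an IPv4 TCP/UDP frame, else None."""
    if frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    if proto not in (6, 17):
        return None
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return src, dst, sport, dport, proto


def catch_it_as_you_can(pcap_bytes):
    """Retain every packet in full; analysis happens later in batch."""
    return [frame for _, frame in iter_pcap(pcap_bytes)]


def stop_look_and_listen(pcap_bytes):
    """Keep only per-flow counters in memory; packet contents are discarded."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "first": None, "last": None})
    for ts, frame in iter_pcap(pcap_bytes):
        key = five_tuple(frame)
        if key is None:
            continue                       # non-IP or non-TCP/UDP: nothing to summarise here
        rec = flows[key]
        rec["packets"] += 1
        rec["bytes"] += len(frame)
        rec["first"] = ts if rec["first"] is None else rec["first"]
        rec["last"] = ts
    return dict(flows)


if __name__ == "__main__":
    pcap = build_pcap(SAMPLE_FRAMES)
    full = catch_it_as_you_can(pcap)
    print(f"catch-it-as-you-can: {len(full)} packets, {sum(map(len, full))} bytes kept")
    for (src, dst, sp, dp, proto), rec in stop_look_and_listen(pcap).items():
        print(f"stop-look-listen: {src}:{sp} -> {dst}:{dp} proto={proto} "
              f"{rec['packets']} pkts {rec['bytes']} B")
```

The full capture retains 283 bytes for four packets; the flow summary keeps three records and nothing from the payloads, which is exactly the trade-off the two approaches make: the first can answer questions nobody thought to ask at capture time, the second cannot.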
Forensic study of databases
Currently, many database software tools are not
reliable and precise enough to be used for forensic
Mobile Device forensics
Using devices such as cell phones, digital
cameras, PSPs, and iPods to find stored evidence.
Mobile devices can hold several types of
personal information, such as contacts, photos, calendar
It can therefore be expected that these devices will
play an important role in forensics.
Computer Forensic Companies
ACR Data Recovery, Inc.
Burgess Consulting and
Center for Computer
Digital Mountain, Inc.
Global Digital Forensics
ManTech Security &
When is it used?
In legal cases, computer forensic techniques are frequently
used to analyze computer systems belonging to defendants
(in criminal cases) or litigants (in civil cases).
To recover data in the event of a hardware or software
To analyze a computer system after a break-in, for
example, to determine how the attacker gained access and
what the attacker did.
To gather evidence against an employee that an
organization wishes to terminate.
To gain information about how computer systems work for
the purpose of debugging, performance optimization, or
How it is Performed
There are five basic steps to the computer forensics
1. Preparation (of the investigator, not the data)
2. Collection (the data)
The investigator must have the proper training for the specific
operations of the investigation.
Tools that are used to generate reports for court should be
There are many tools that are used in the field, and the
investigator needs to determine the proper tool to be used based on
An interview with the user can yield valuable information about
the system configuration, applications, encryption keys and
In an investigation in which the owner of the digital evidence has
not given consent to have his or her media examined, special care
must be taken to ensure that the forensic specialist has the legal
authority to seize, copy, and examine the data. Sometimes that
authority stems from a search warrant.
Collection sources include computers, cell
phones, digital cameras, hard drives, CD-ROM, and
USB memory devices
Other sources include settings of digital
thermometers, black boxes inside automobiles, RFID
tags, and web pages
Special care must be taken when handling computer
evidence. Most digital information is easily
changed, and once changed it is usually impossible to
detect that a change has taken place.
Image computer media through a write-blocking tool
so that nothing is written to the suspect device, and hash
both the original and the image to prove the copy is exact.
Establish and maintain the chain of custody.
Document everything that has been done.
Only use tools and methods that have been tested and
evaluated to validate their accuracy and reliability.
Computer evidence represented by physical items such
as chips, boards, central processing units, storage
media, monitors, and printers can be described easily
and correctly as a unique form of physical evidence
Forensic laboratories have detailed plans describing
acceptable methods for handling physical evidence
Evidence, while stored in these physical items, is latent: it
exists only as electronic state, not as anything directly visible
Procedures and techniques are software and hardware
solutions to specific forensic problems
Procedures and techniques
Procedures are step by step instructions
A laboratory may require that examinations be
conducted, if possible and practical, on copies of the
Digital evidence can be duplicated exactly to create a
copy that is true and accurate
Examiner must make a decision as to how to
implement this principle on a case-by-case basis.
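The handling rules above (image through a write blocker, keep a chain of custody, document everything) and the principle that a duplicate must be "true and accurate" come down to one procedure: copy the media bit for bit, hash it, and be able to re-prove that hash later. The code below is an added example, not the page's own procedure or any vendor's tool. The "device" is a constructed temporary file standing in for a drive mounted behind a write blocker; the examiner name "J. Doe" and the JSON-lines log layout are this example's own assumptions.

```python
"""Bit-for-bit acquisition with inline hashing and a chain-of-custody log."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20   # 1 MiB reads; a real run would open the raw device node, e.g. /dev/sdb


def _sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_and_hash(source_path, image_path, log_path, examiner, note=""):
    """Copy source -> image, hashing the source as it is read, then re-hash the
    image from disk so the recorded digest describes what was actually stored.
    Returns the custody-log entry; raises if the two digests disagree."""
    src_hash = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as img:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(chunk)
            img.write(chunk)
    if _sha256_of(image_path) != src_hash.hexdigest():
        raise RuntimeError("image digest differs from source; acquisition failed")
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "action": "acquire",
        "examiner": examiner,                       # assumed field, constructed value
        "source": os.path.abspath(source_path),
        "image": os.path.abspath(image_path),
        "size_bytes": os.path.getsize(image_path),
        "sha256": src_hash.hexdigest(),
        "note": note,
    }
    with open(log_path, "a", encoding="utf-8") as log:   # append-only custody record
        log.write(json.dumps(entry) + "\n")
    return entry


def verify_image(image_path, expected_sha256):
    """Re-hash the image before every examination session."""
    return _sha256_of(image_path) == expected_sha256


def demo():
    """Acquire a constructed 3 MiB 'drive', then show a one-bit change is caught."""
    work = tempfile.mkdtemp()
    device = os.path.join(work, "suspect.raw")     # stand-in for the write-blocked drive
    image = os.path.join(work, "suspect.dd")       # raw dd-style image
    log = os.path.join(work, "custody.jsonl")
    with open(device, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 12345))
    entry = image_and_hash(device, image, log, examiner="J. Doe", note="constructed test media")
    ok_before = verify_image(image, entry["sha256"])
    with open(image, "r+b") as f:                   # flip one bit to simulate tampering
        f.seek(1000)
        original = f.read(1)
        f.seek(1000)
        f.write(bytes([original[0] ^ 0x01]))
    ok_after = verify_image(image, entry["sha256"])
    return ok_before, ok_after


if __name__ == "__main__":
    print("verified after acquisition, verified after tamper:", demo())
```

Re-hashing the written image, rather than trusting the digest computed while copying, is deliberate: it catches a write that silently failed or was cut short, which is exactly the class of error the chain-of-custody record has to rule out.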
All digital evidence must be analyzed to determine the type
of information that is stored upon it
Specialty tools are used that can display information
Analysis tools include: AccessData's FTK, Guidance
Software's EnCase, Technology Pathways' ProDiscover, Dr.
Golden Richard III's file carving tool Scalpel, and Brian
Carrier's Sleuth Kit
Typical forensic analysis includes a manual review of
material on the media, reviewing the Windows registry for
suspect information, discovering and cracking
passwords, keyword searches for topics related to the
crime, and extracting e-mail and pictures for review
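File carving, the technique behind Scalpel mentioned above, recovers files from unallocated space by scanning for known header and footer byte sequences rather than relying on the file system. The block below is an added example written for this page, not Scalpel's own code: the raw image is constructed in-process from filler bytes plus minimal JPEG and PNG skeletons, the signature table holds only those two types, and the maximum carve length is this example's choice. The third embedded file is a JPEG with no footer, the damaged case a carver has to handle without running to the end of the disk.

```python
"""Header/footer file carving over a raw image, in the style of Scalpel."""
import os
import tempfile

# kind -> (header, footer, maximum carve length)
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 2 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 2 * 1024 * 1024),
}


def carve(data, signatures=SIGNATURES):
    """Return (kind, start, end, complete) for every signature hit, by offset.

    complete is False when no footer appears within max_len of the header; the
    slice is then capped at max_len (or end of data) so a damaged or
    partially overwritten file is still recovered for review."""
    found = []
    for kind, (header, footer, max_len) in signatures.items():
        pos = data.find(header)
        while pos != -1:
            limit = min(len(data), pos + max_len)
            end = data.find(footer, pos + len(header), limit)
            if end == -1:
                found.append((kind, pos, limit, False))
                resume = pos + len(header)       # keep scanning inside the damaged region
            else:
                end += len(footer)
                found.append((kind, pos, end, True))
                resume = end
            pos = data.find(header, resume)
    return sorted(found, key=lambda r: r[1])


def write_carved(data, results, outdir):
    """Write each hit to <outdir>/<offset>[.partial].<kind>; returns the paths."""
    paths = []
    for kind, start, end, complete in results:
        name = f"{start:08x}{'' if complete else '.partial'}.{kind}"
        path = os.path.join(outdir, name)
        with open(path, "wb") as f:
            f.write(data[start:end])
        paths.append(path)
    return paths


# Constructed raw image: filler that contains none of the signatures, two
# intact files, and one JPEG whose tail sectors are gone.
FILLER = bytes(range(256)) * 4
JPEG = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"\x11" * 40 + b"\xff\xd9"
PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x22" * 17
       + b"\x00\x00\x00\x00IEND\xaeB`\x82")
TRUNCATED_JPEG = b"\xff\xd8\xff\xe1" + b"\x33" * 30
IMAGE = FILLER + JPEG + FILLER + PNG + FILLER + TRUNCATED_JPEG

if __name__ == "__main__":
    hits = carve(IMAGE)
    for kind, start, end, complete in hits:
        print(f"{kind} at {start}-{end} ({'complete' if complete else 'truncated'})")
    print(write_carved(IMAGE, hits, tempfile.mkdtemp()))
```

Signature carving has no notion of fragmentation, so a file whose clusters are not contiguous comes out corrupted; the offsets it reports are still useful, because they point the examiner at the region of the disk to look at by hand.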
Once the analysis is complete, a report is generated.
This report may be a written report, oral testimony, or
some combination of the two.
What tools are needed and what
do they do?
Computes a cryptographic hash, a fixed-length fingerprint, of the contents
of one, multiple, or all files on a given storage device
Such signatures are used to determine whether or not
the contents of one or more computer files have changed
This forensics tool relies on a 128-bit digest (MD5 is the usual 128-bit
choice) and can easily be run from a floppy diskette to benchmark the files
on a specific storage device
MD5 collisions are now practical to construct, so a 128-bit match on
its own no longer proves two files are identical; record a SHA-256
digest alongside it
Benchmarking can help computer specialists isolate
problems and deal with computer incidents after they
occur (such as altered evidence and modifications)
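What "benchmarking" a storage device means in practice, as an added example rather than a transcription of the page's unnamed tool: hash every file once to produce a baseline manifest, then hash again later and diff the two. MD5 is kept because it is the 128-bit digest the text describes; SHA-256 is computed in the same pass because MD5 collisions are practical. The sample tree is constructed in a temporary directory, and the manifest layout (relative path to digests) is this example's own.

```python
"""Baseline ("benchmark") every file under a directory by hash, then detect changes."""
import hashlib
import os
import tempfile

ALGORITHMS = ("md5", "sha256")


def hash_file(path, algorithms=ALGORITHMS):
    """Digest one file with every algorithm in a single read pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its digests."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = hash_file(full)
    return manifest


def compare(baseline, current):
    """Paths added, removed or modified since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Baseline a constructed tree, change it three ways, report the differences."""
    root = tempfile.mkdtemp()

    def put(rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

    put("docs/a.txt", b"alpha")
    put("docs/b.txt", b"bravo")
    put("bin/c.exe", b"MZ constructed stub")
    baseline = build_manifest(root)
    put("docs/b.txt", b"bravo!")                    # modified in place
    put("docs/d.txt", b"delta")                     # added
    os.remove(os.path.join(root, "bin", "c.exe"))   # removed
    return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

Because both digests are stored, a later examiner can confirm integrity with SHA-256 while still matching the MD5 values that older reports or hash sets (such as known-file databases) were built on.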
Hardware & Software
A Forensic Machine
Forensic Examination (GUI)
Forensic Examination (DOS)
External Image Device
Includes USB, FireWire, media reader, removable hard
drive bays, internal write blocker, CD/DVD
burner, floppy drive, connections for laptops, and lots
Type: FRED (Digital Intelligence)
Devices that allow acquisition of information on a
drive without creating the possibility of accidentally
damaging the drive contents
They do this by allowing read commands to pass but
blocking write commands, hence their name
Types: FastBloc, FireFly, Tableau, MyKey, and USB
Printer- to produce professional-looking reports and good
Digital Camera and several Memory Cards
DVDs- for archiving case
Hard Drives- several big ones
Electrical Wire Labels- used to label connections of cables
to hard drives for easy reconnection after removing a hard
drive to image it
Tool Kit- containing a screwdriver with many
heads, needle-nose pliers, tweezers, flashlight, etc.
Process of recovering passwords from data that has
been stored in or transmitted by a computer system
Types: Revelation, Password Recovery Toolkit, and
Advanced Password Recovery Toolkit
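The core of what the password-recovery tools listed above do is a dictionary attack: take a word list, apply mangling rules (case changes, digit suffixes, letter substitutions), hash each candidate and compare against the recovered hash. The block below is an added example written for this page, not any of those products' code. The word list, the target hashes and the salt are constructed here; real word lists are far larger, and real PBKDF2 deployments use 100,000 or more iterations (the demo lowers the count so it finishes quickly). It also shows, in the salted case, why salting and iteration counts matter to the attacker's cost.

```python
"""Dictionary attack with mangling rules against recovered password hashes."""
import hashlib

WORDLIST = ["password", "letmein", "forensic", "winter"]   # constructed stand-in


def mangle(word):
    """Candidate variants, in the spirit of recovery tools' rule engines."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for n in range(100):
            yield f"{base}{n}"
        yield base.replace("a", "@").replace("o", "0").replace("e", "3")
        yield base + "!"


def crack_unsalted(md5_targets, wordlist=WORDLIST):
    """Unsalted hashes: one MD5 per candidate is checked against every target."""
    targets = set(md5_targets)
    recovered = {}
    for word in wordlist:
        for cand in mangle(word):
            digest = hashlib.md5(cand.encode()).hexdigest()
            if digest in targets:
                recovered[digest] = cand
                if len(recovered) == len(targets):
                    return recovered
    return recovered


def crack_salted(records, wordlist=WORDLIST, iterations=100_000):
    """records: (salt, pbkdf2_sha256_hex). Each record costs a full candidate run,
    and every candidate costs `iterations` HMAC rounds: that is the defender's lever."""
    recovered = {}
    for salt, digest in records:
        for word in wordlist:
            hit = next((c for c in mangle(word)
                        if hashlib.pbkdf2_hmac("sha256", c.encode(), salt, iterations).hex() == digest),
                       None)
            if hit is not None:
                recovered[digest] = hit
                break
    return recovered


def demo(iterations=1000):
    """Recover two unsalted MD5s and one salted PBKDF2 hash from the constructed list."""
    targets = [hashlib.md5(b"Winter99").hexdigest(), hashlib.md5(b"f0r3nsic").hexdigest()]
    salt = b"\x01" * 8
    record = (salt, hashlib.pbkdf2_hmac("sha256", b"letmein!", salt, iterations).hex())
    return (sorted(crack_unsalted(targets).values()),
            list(crack_salted([record], iterations=iterations).values()))


if __name__ == "__main__":
    print(demo())
```

The same few hundred candidates crack the unsalted hashes almost instantly and are reused across every target; the salted record forces the whole run to be repeated per hash, with each guess slowed by the iteration count, which is what makes the listed tools fast against legacy formats and slow against modern ones.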
NeoTrace Pro (to help trace emails)
VisualRoute (to help trace emails)
Quick View Plus (to view files of many formats without their native applications)
A family-owned and operated agency
specializing in private investigators and private
detectives, background investigators, process
servers, security consultants, security
guards, and technology and computer-related firms