The presentation contains: Concept of Forensic, Need & Purpose of Forensic Computer Forensic, Role of IT for Forensic, Data Collection / Mining Tools, Data Analysis & Reporting, Fraud Detection & Auditing

2. Security Technology Forum - CSI Security Technology forum will operate to provide a knowledge sharing forum and also provide a platform for research in emerging technology in the area of Security for Members of CSI. Vision is to make India safe and secure by use of technology. Mission is to enable Indian technology professionals to understand world class security technology by effectively developing and sharing knowledge assets and best practices.

3. Contents of the Interaction Concept of Forensic Need & Purpose of Forensic Computer Forensic Role of IT for Forensic Data Collection / Mining Tools Data Analysis & Reporting Fraud Detection & Auditing

4. Forensics – Forensic Science Forensic science (often shortened to forensics) is the application of a broad spectrum of sciences to answer questions of interest to a legal system. This may be in relation to a crime or a civil action. Besides its relevance to a legal system, more generally forensics encompasses the accepted scholarly or scientific methodology and norms under which the facts regarding an event, or an artifact, or some other physical item (such as a corpse) are ascertained as being the case. In that regard the concept is related to the notion of authentication, whereby an interest outside of a legal form exists in determining whether an object is what it purports to be, or is alleged as being.

5. Computer Forensic The goal of computer forensics is to explain the current state of a digital artifact. The term digital artifact can include a computer system, a storage medium (such as a hard disk or CD-ROM), an electronic document (e.g. an email message or JPEG image) or even a sequence of packets moving over a computer network. The field of computer forensics also has sub branches within it such as firewall forensics, network forensics, database forensics and mobile device forensics.

6. Simplified Understanding Forensic = Postmortem Computer forensics involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis Recovering Information the naked eye can no longer see.

7. Need for Computer Forensic Techniques Evidence might be required for a wide range of computer crimes and misuses. The Need for deploying Computer forensic can be In legal cases, computer forensic techniques are frequently used to analyze computer systems belonging to defendants (in criminal cases) or litigants (in civil cases). To recover data in the event of a hardware or software failure. To analyze a computer system after a break-in, for example, to determine how the attacker gained access and what the attacker did. To gather evidence against an employee that an organization wishes to terminate. To gain information about how computer systems work for the purpose of debugging, performance optimization, or reverse-engineering.

8. Reasons For Evidence Wide range of computer crimes and misuses Non-Business Environment: evidence collected by Federal, State and local authorities for crimes relating to: Theft of trade secrets Fraud Extortion Industrial espionage Position of pornography SPAM investigations Virus/Trojan distribution Homicide investigations Intellectual property breaches Unauthorized use of personal information Forgery Perjury

9. Reasons For Evidence (cont) Computer related crime and violations include a range of activities including: Business Environment: Theft of or destruction of intellectual property Unauthorized activity Tracking internet browsing habits Reconstructing Events Inferring intentions Selling company bandwidth Wrongful dismissal claims Sexual harassment Software Piracy

10. Who Uses Computer Forensics? Criminal Prosecutors Rely on evidence obtained from a computer to prosecute suspects and use as evidence Civil Litigations Personal and business data discovered on a computer can be used in fraud, divorce, harassment, or discrimination cases Insurance Companies Evidence discovered on computer can be used to mollify costs (fraud, worker’s compensation, arson, etc) Private Corporations Obtained evidence from employee computers can be used as evidence in harassment, fraud, and embezzlement cases

11. Steps Of Computer Forensics According to many professionals, Computer Forensics is a four (4) step process Acquisition Physically or remotely obtaining possession of the computer, all network mappings from the system, and external physical storage devices Identification This step involves identifying what data could be recovered and electronically retrieving it by running various Computer Forensic tools and software suites

12. Steps Of Computer Forensics (cont) According to many professionals, Computer Forensics is a four (4) step process Evaluation Evaluating the information/data recovered to determine if and how it could be used again the suspect for employment termination or prosecution in court Presentation This step involves the presentation of evidence discovered in a manner which is understood by lawyers, non-technically staff/management, and suitable as evidence as determined by United States and internal laws

13. Handling Information Information and data being sought after and collected in the investigation must be properly handled Volatile Information Network Information Communication between system and the network Active Processes Programs and daemons currently active on the system Logged-on Users Users/employees currently using system Open Files Libraries in use; hidden files; Trojans (rootkit) loaded in system

14. Handling Information (cont) Non-Volatile Information configuration settings system files registry settings that are available after reboot Accessed through drive mappings from system This information should investigated and reviewed from a backup copy

15. Anti-Forensics Software that limits and/or corrupts evidence that could be collected by an investigator Performs data hiding and distortion (HPA & Logic Bombs) Exploits limitations of known and used forensic tools Works both on Windows and LINUX based systems In place prior to or post system acquisition

16. Evidence Processing Guidelines Steps of processing evidence Step 1: Shut down the computer Considerations must be given to volatile information Prevents remote access to machine and destruction of evidence (manual or ant-forensic software) Step 2: Document the Hardware Configuration of The System Note everything about the computer configuration prior to re-locating

17. Evidence Processing Guidelines (cont) Step 3: Transport the Computer System to A Secure Location Do not leave the computer unattended unless it is locked in a secure location Step 4: Make Bit Stream Backups of Hard Disks and Floppy Disks Step 5: Mathematically Authenticate Data on All Storage Devices Must be able to prove that you did not alter any of the evidence after the computer came into your possession Step 6: Document the System Date and Time Step 7: Make a List of Key Search Words Step 8: Evaluate the Windows Swap File

18. Evidence Processing Guidelines (cont) Step 9: Evaluate File Slack File slack is a data storage area of which most computer users are unaware; a source of significant security leakage. Step 10: Evaluate Unallocated Space (Erased Files) Step 11: Search Files, File Slack and Unallocated Space for Key Words Step 12: Document File Names, Dates and Times Step 13: Identify File, Program and Storage Anomalies Step 14: Evaluate Program Functionality Step 15: Document Your Findings Step 16: Retain Copies of Software Used

19. Methods deployed Discovering Data on Computer System Recovering deleted, encrypted, or damaged file information Monitoring live activity Detecting violations of corporate policy

20. Fraud A fraud is an intentional deception made for personal gain or to damage another individual. The specific legal definition varies by legal jurisdiction. Fraud is a crime, and is also a civil law violation. Many hoaxes are fraudulent, although those not made for personal gain are not technically frauds. Defrauding people of money is presumably the most common type of fraud

23. It is estimated that there has been accelerated growth in economic misappropriation;

24. Corporate fraud swing to theft of intellectual property and IT- related incidents;

25. About 42 per cent of the cases in India, it was possible to make recoveries from the perpetrator;

27. High staff turnover, implanting of personnel are the most recurrent cause of exposure to fraud;

28. Imperative effect of globalization;

29. Increased merger and acquisition between companies. CONTINUED……

31. Reacting appropriately to situations where chances of fraud or corruption allegations are found to be high;

32. Providing appropriate training and promulgating relevant codes of conduct to ensure employees and contractors are aware of their responsibilities in combating fraud and corruption; and

34. Build chain of events;

35. Document significant Facts;

36. Model scenarios.Review existing control system Identify week points regarding information system and e-surveillance. Identify origins and causes of loss Assess fraud risk Develop recommendations for follow-up actions Design compatible business process and policies Training to develop immune with contemporary environment

37. Software for Analysis & Audit of Commercial Data

40. Thank You CA Ashwin Dedhia Director , Solutions MAIA Intelligence