Index
- What is Computer Forensics
- Objective of Computer Forensics
- Why Computer Forensics
- History of Computer Forensics
- How it approaches
- Steps of Investigation
- What not to do during Investigation
- Computer Forensics Techniques
- Anti-Forensics
- Computer Forensics Tools
- Advantages of Computer Forensics
- Disadvantages of Computer Forensics
- Conclusions
What is Computer Forensics?
Computer forensics is considered to be the use of analytical and investigative techniques to identify, collect, examine and preserve evidence/information which is magnetically stored or encoded.
Objective of Computer Forensics
Usually to provide digital evidence of a specific or general activity.
Why Computer Forensics?
- Employee internet abuse
- Unauthorized disclosure of corporate information and data
- Industrial espionage
- Damage assessment
- Criminal fraud and deception cases
- More general criminal cases
- and countless others!
History of Computer Forensics
Enron went bankrupt in December 2001. Hundreds of employees were left jobless while some executives seemed to benefit from the company's collapse. The United States Congress decided to investigate, and a specialized detective force began to search through hundreds of Enron employee computers using computer forensics.
How it approaches?
- Secure the subject system (from tampering during the operation)
- Take a copy of the hard drive (if applicable)
- Identify and recover all files (including those deleted)
- Access/copy hidden, protected and temporary files
- Study special areas on the drive (e.g. residue from previously deleted files)
- Investigate data/settings from installed applications/programs
- Assess the system as a whole, including its structure
- Consider general factors relating to the user's activity
- Create a detailed report. Throughout the investigation, it is important to stress that a full audit log of your activities should be maintained.
Steps of Investigation
- Secure the computer system to ensure that the equipment and data are safe
- Find every file on the computer system
- Recover as much deleted information as possible using applications
- Reveal the contents of all hidden files with programs designed to detect the presence of hidden data
- Decrypt and access protected files
- Analyze special areas of the computer's disks
- Document every step of the procedure
- Be prepared to testify in court as an expert witness in computer forensics
What should not be done during investigation?
- Avoid changing date/time stamps (of files, for example) or changing the data itself
- Avoid overwriting unallocated space (which can happen on re-boot, for example). "Study, don't change" is a useful catch-phrase.
Anti-Forensics: The Nightmare
Programmers design anti-forensic tools to make it hard or impossible to retrieve information during an investigation. There are dozens of ways people can hide information:
- Some programs can fool computers by changing the information in file headers
- Programs can divide files up into small sections and hide each section at the end of other files
- Programs called packers can insert executable files into other kinds of files
- Encryption is another way to hide data
- Changing the metadata attached to files
- Some computer applications will erase data if an unauthorized user tries to access the system
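The first trick above, a file whose header no longer agrees with its name, is one an examiner can detect by comparing each file's magic bytes against its extension. The Python script below is an added example, not part of the original presentation; its signature table and the sample files are constructed for illustration, and it records a SHA-256 of each file so a finding can be tied to the exact bytes examined, in the spirit of the hashing tools listed later.

```python
import hashlib

# Well-known file signatures (magic bytes at offset 0). Assumption: this short
# table is illustrative, not an exhaustive signature database.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpg", b"%PDF-": "pdf",
    b"PK\x03\x04": "zip", b"GIF89a": "gif", b"\x7fELF": "elf", b"MZ": "exe",
}

# Extensions that legitimately carry each signature (ZIP containers are shared
# by several Office and Java formats, so those are not mismatches).
EXPECTED = {
    "png": {"png"}, "jpg": {"jpg", "jpeg"}, "pdf": {"pdf"}, "gif": {"gif"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar", "apk"},
    "elf": {"elf", "so", ""}, "exe": {"exe", "dll", "sys"},
}

def detect_type(data: bytes):
    """Return the type implied by the header, or None if no known magic matches."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None

def check_file(name: str, data: bytes) -> dict:
    """Compare the claimed extension with the header; the SHA-256 ties the
    finding to exactly the bytes examined (read-only, nothing is changed)."""
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    kind = detect_type(data)
    mismatch = kind is not None and ext not in EXPECTED[kind]
    return {"name": name, "ext": ext, "header_type": kind,
            "mismatch": mismatch, "sha256": hashlib.sha256(data).hexdigest()}

def scan(files: dict) -> list:
    """Return a finding for every file whose header disagrees with its extension."""
    return [r for r in (check_file(n, d) for n, d in files.items()) if r["mismatch"]]

# Constructed sample "files": readme.txt is really a PNG, holiday.jpg is really a ZIP.
SAMPLES = {
    "notes.txt": b"meeting notes, nothing unusual\n",
    "readme.txt": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "holiday.jpg": b"PK\x03\x04" + b"\x00" * 16,
    "report.pdf": b"%PDF-1.7\n%binary",
}

if __name__ == "__main__":
    for f in scan(SAMPLES):
        print(f"{f['name']}: header says {f['header_type']}, extension says "
              f".{f['ext'] or '(none)'}  sha256={f['sha256'][:16]}...")
```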
Computer Forensics Tools
- Disk imaging software
- Software or hardware write tools
- Hashing tools
- File recovery programs
- Programs to preserve information in RAM
- Encryption decoding software
- Password cracking software
Advantages of Computer Forensics
Ability to search through a massive amount of data:
- Quickly
- Thoroughly
- In any language
Disadvantages of Computer Forensics
- Digital evidence accepted into court must prove that there has been no tampering; all evidence must be fully accounted for
- Computer forensic specialists must have complete knowledge of legal requirements, evidence handling and storage, and documentation procedures
- Costs: producing electronic records and preserving them is extremely costly
- Presents the potential for exposing privileged documents
- Legal practitioners must have extensive computer knowledge
Conclusion
With computers becoming more and more involved in our everyday lives, both professionally and socially, there is a need for computer forensics. This field will enable crucial electronic evidence to be found, whether it was lost, deleted, damaged, or hidden, and used to prosecute individuals that believe they have successfully beaten the system.
Thank You
It's nice to be important, but it is more important to be nice.