Published in: Technology
  • 1.
      • Acquisition: physically or remotely obtaining possession of the computer, all network mappings from the system, and external physical storage devices.
      • Identification: identifying what data could be recovered and electronically retrieving it by running various computer forensic tools and software suites.
      • Evaluation: evaluating the information/data recovered to determine if and how it could be used against the suspect for employment termination or prosecution in court.
      • Presentation: presenting the evidence discovered in a manner that is understood by lawyers and non-technical staff/management, and that is suitable as evidence as determined by United States and internal laws.
  • 2. To human eyes, data usually contains known forms, like images, e-mail, sounds, and text. Most Internet data naturally includes gratuitous headers, too. These are media exploited using new controversial logical encodings: steganography and marking.
      • Steganography: the art of storing information in such a way that the existence of the information is hidden.
      • Watermarking: hiding data within data.
      • Information can be hidden in almost any file format. File formats with more room for compression are best:
          • Image files (JPEG, GIF)
          • Sound files (MP3, WAV)
          • Video files (MPG, AVI)
      • The hidden information may be encrypted, but not necessarily.
      • Hard drive/file system manipulation: slack space is the space between the logical end and the physical end of a file and is called the file slack.
  • 3.
      • Steganalysis: the art of detecting and decoding hidden data.
      • Hiding information within electronic media requires alterations of the media properties that may introduce some form of degradation or unusual characteristics.
      • The pattern of degradation or the unusual characteristic of a specific type of steganography method is called a signature.
      • Steganalysis software can be trained to look for a signature.
  • 4.
      • Human observation
      • Software analysis
      • Disk analysis utilities
      • Statistical analysis
      • Frequency scanning
  • 5.
      • Recovery of watermarked data is extremely hard. Currently, there are very few methods to recover hidden, encrypted data.
      • Data hidden on disk is much easier to find. Once found, if unencrypted, it is already recovered.
      • Deleted data can be reconstructed (even on hard drives that have been magnetically wiped).
      • Check swap files for passwords and encryption keys which are stored in the clear (unencrypted).
      • Software tools:
          • Scan for and reconstruct deleted data
          • Break encryption
  • 6. The "network" in "network forensics" != "computer"
      • Network here means "relating to packets" or "network traffic".
      • Definition of forensics:
          • Relating to, used in, or appropriate for courts of law or for public discussion or argumentation.
          • Of, relating to, or used in debate or argument; rhetorical.
          • Relating to the use of science or technology in the investigation and establishment of facts or evidence in a court of law: a forensic laboratory.
      • Many claim to perform network forensics, but most of these practitioners are probably just capturing packets.
          • These guidelines will elevate your game to forensic levels.
      • Forensics helps with "patch and proceed" or "pursue and prosecute".
  • 7. It has the ability to search through a massive amount of data:
      • Quickly
      • Easily
      • Thoroughly
      • In any language
  • 8.
      • Digital evidence accepted into court:
          • Must prove that there is no tampering.
          • All evidence must be fully accounted for.
          • Computer forensic specialists must have complete knowledge of legal requirements, evidence handling and storage, and documentation procedures.
      • Costs:
          • Producing electronic records and preserving them is extremely costly.
          • Presents the potential for exposing privileged documents.
          • Legal practitioners must have extensive computer knowledge.
  • 10. With computers becoming more and more involved in our everyday lives, both professionally and socially, there is a need for computer forensics. This field will enable crucial electronic evidence to be found, whether it was lost, deleted, damaged, or hidden, and used to prosecute individuals that believe they have successfully beaten the system.
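
The file slack defined on slide 2 (the gap between a file's logical end and its physical end) and the slide 5 point that data hidden on disk is easier to find, shown as an added Python example that is not part of the original slides. The 512-byte cluster size, the contiguous file table layout and the sample image are constructed assumptions.

```python
"""Added example: find file slack in a constructed raw image."""
CLUSTER = 512  # assumed cluster size in bytes


def slack_regions(files, cluster=CLUSTER):
    """Return (name, offset, length) for each file's slack.

    files holds (name, first_cluster, logical_size); contiguous
    allocation is assumed to keep the example short.
    """
    regions = []
    for name, first_cluster, size in files:
        allocated = -(-size // cluster) * cluster  # round up to clusters
        slack = allocated - size                   # physical end - logical end
        if slack:
            regions.append((name, first_cluster * cluster + size, slack))
    return regions


def nonzero_slack(image, files, cluster=CLUSTER):
    """Return {name: bytes} for slack that holds anything but zero bytes."""
    hits = {}
    for name, offset, length in slack_regions(files, cluster):
        residue = image[offset:offset + length].strip(b"\x00")
        if residue:
            hits[name] = residue
    return hits


def build_sample():
    """Constructed 4-cluster image and file table (not real evidence)."""
    files = [("report.txt", 0, 300), ("notes.txt", 1, 512), ("photo.jpg", 2, 700)]
    image = bytearray(4 * CLUSTER)
    for fill, (_, first_cluster, size) in zip(b"ABC", files):
        start = first_cluster * CLUSTER
        image[start:start + size] = bytes([fill]) * size
    image[300:319] = b"CONSTRUCTED-RESIDUE"  # planted in report.txt slack
    return bytes(image), files


if __name__ == "__main__":
    image, files = build_sample()
    for name, offset, length in slack_regions(files):
        print(f"{name}: slack at byte {offset}, {length} bytes")
    for name, residue in nonzero_slack(image, files).items():
        print(f"{name}: non-zero slack content {residue!r}")
```

A file whose size is an exact multiple of the cluster size (notes.txt here) has no slack and is skipped; zero-filled slack (photo.jpg) is located but not flagged.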