The key steps in computer forensics include the following:
1. Identification – Recognizing an incident from its indicators, determining its type and accordingly identifying the evidence relevant to the crime. This focuses on identifying and locating potential evidence, possibly in unconventional locations.
2. Seizure – The process of capturing the suspect computer for evidence collection. A systematic procedure is needed for seizure to avoid loss of digital evidence. Construct detailed documentation for analysis.
3. Authentication – Validating the seized and acquired evidence to make sure that its integrity is not compromised.
4. Acquisition – Record the physical scene and duplicate the digital evidence using standardized and accepted procedures.
5. Analysis – Determine significance, reconstruct fragments of data and draw conclusions based on the evidence found. It may take several iterations of examination and analysis to support a crime theory. The distinction of analysis is that it may not require high technical skills to perform, so more people can work on the case.
6. Presentation – Summarize and explain the conclusions. This should be written in layperson's terms using abstracted terminology, and all abstracted terminology should reference the specific details.
7. Preservation – This includes preventing people from using the digital device and not allowing other electromagnetic devices to be used within an affected radius. A proper chain of custody should be followed: from the moment the evidence is collected, every transfer of evidence from person to person must be documented, and it must be provable that nobody else could have accessed that evidence. It is best to keep the number of transfers as low as possible.
Computer Forensics
Yogesh E. Sonawane
yogesh.firstname.lastname@example.org
What is Computer Crime?
“Unlawful acts wherein the computer is either a tool or a target or both.”
Two aspects:
• Computer as a tool to commit crime: child porn, threatening email, identity theft, sexual harassment, defamation, phishing.
• Computer itself becomes the target of crime: viruses, worms, software piracy, hacking.
TYPES OF COMPUTER CRIME
HACKING – Hacking in simple terms means illegal intrusion into a computer system without the permission of the computer owner/user.
SOFTWARE PIRACY – Unauthorized copying of software.
PORNOGRAPHY – Computer pornography covers pornographic websites, pornographic magazines produced using computers (to publish and print the material) and the Internet (to download and transmit pornographic pictures and photos).
TYPES OF COMPUTER CRIME (CONT…)
FORGED DOCUMENTS – Creating fake documents such as fake academic certificates, mark sheets etc.
CREDIT CARD FRAUD – Credit card fraud is a wide-ranging term for theft and fraud committed using a credit card or any similar payment mechanism as a fraudulent source of funds in a transaction.
COMPUTER STALKING – Use of e-mail or the Internet to harass or threaten an individual.
TYPES OF COMPUTER CRIME (CONT…)
PHISHING – In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.
COMPUTER DEFAMATION – This occurs when defamation takes place with the help of computers and/or the Internet, e.g. Mr. X publishes defamatory matter about Ms. Y on a website or sends e-mails containing defamatory information to Ms. Y's friends.
WHAT IS DIGITAL EVIDENCE?
Digital evidence is any information of probative value that is either stored or transmitted in a binary form.
Digital evidence includes computer evidence, digital audio recorders, digital video recorders, mobile phones, pen drives, CDs, DVDs etc.
ELECTRONIC RECORD
An electronic record is one that is generated, stored, sent or received by electronic means and includes data, images or sound.
CHALLENGES FOR INVESTIGATING AGENCIES
• Difficulty in collection of evidence
• Fragility of computer data
• Fear of destruction of vital data
• Vast volume to be examined
• Diversity of hardware and software
• Admissibility in the courts
COMPUTER FORENSICS
Definition: Identification, extraction, documentation and preservation of computer media for evidentiary and/or root cause analysis using well-defined methodologies and procedures.
COMPUTER FORENSICS
Methodology:
• Acquire the evidence without altering or damaging the original.
• Authenticate that the recovered evidence is the same as the original seized.
• Analyze the data without modifying it.
COMPUTER FORENSICS – STEPS
• Identification
• Seizure
• Authentication
• Acquisition
• Analysis
• Presentation
• Preservation
(Diagram groups these steps under Scene of Crime and Forensics Lab.)
What to carry?
• Camera, note or sketch pads
• Blank CDs, DVDs, pen drives, hash calculator, write-blocker, cross-over cable etc.
• Sealing material – labels, pens, markers
• Storage containers – anti-static bags, plastic bubble wrap
• Software/hardware for onsite virtual data retrieval and imaging
How to secure the crime scene?
• The entire work area, office or cubicle is a potential crime scene, not just the computer itself.
• No one should be allowed to touch the computer, including shutting the computer down, exiting from any programs/files in use at the time or removing anything from the scene.
How to secure the crime scene? (Continued…)
• Disconnect the power supply; otherwise there can be a loss of files due to a hard drive crash.
• If required, access the system to take a backup of volatile data.
Computer Forensic Steps – Scene of Crime
• Back up volatile data in RAM, routers etc.
• Photograph/video the scene of incident/crime
• Identify digital storage media
• Draw the network topology
Questions to be asked at the scene of crime
• Login details: user name(s) and password(s)
• Encryption
• Files of interest
• E-mail accounts
• Internet service provider(s)
• Off-site storage
• Hidden storage devices
WHY ARE PRECAUTIONS REQUIRED?
• The integrity of data is essential for making it presentable in a court of law within the acceptable limits of law.
• The active data recovered can give us vital links.
• Deleted data too can be recovered and used for reconstruction of events.
• Certain damaged media too can be read/viewed.
Computer Forensic Steps – Scene of Crime
• Identification
• Seizure
• Acquisition
What is Seizure?
Definition: Seizure is the process of capturing the suspect computer or storage media for evidence collection.
Seizure
The case-related reference documents should also be seized from the crime scene. For example:
• In case of economic crime, look for account book details, passbook details, bank transaction details, ATM/credit/debit card details.
• In case of forged documents, look for reference documents such as academic certificates, bill receipts, passports, legal property papers etc.
• If video files or picture image files of a particular person are to be traced, then provide photographs of the same for identification.
Packaging and Transportation
• Properly document and label the evidence before packaging.
• Use anti-static wrap or bubble wrap for magnetic media.
• Avoid folding, bending or scratching computer media such as diskettes, CDs, removable media etc.
Packaging and Transportation
• While transporting, place the computer securely on the floor of the vehicle, where the ride is smooth.
• Avoid radio transmissions, electromagnetic emissions and moisture in the vicinity of digital evidence.
Dealing with the Suspected Mobile Phone
• At the time of seizing a mobile phone, its components such as the battery, SIM card(s) and memory card(s) should be removed.
• The user manuals should also be seized from the scene, if present.
Guidelines from Forensics (Continued…)
• If a CPU cabinet is seized from the crime scene, bring only the hard disks for analysis, not the CPU cabinet.
• Printer, scanner, monitor, keyboard, mouse etc. should not be seized.
• Only digital storage media such as hard disks, pen drives, floppies, CDs, DVDs, mobile phones etc. are analyzed.
• If an exhibit is a hard disk, a blank hard disk of greater (double) capacity needs to be provided.
Precautions while Acquisition
• Use of write blocker devices: Thumbscrew, FastBloc, Tableau
• Need for a write blocker
Acquisition & Authentication
• Making a forensic duplicate copy of the suspect storage media is acquisition.
• A forensic duplicate is a file that contains every bit of information from the source disk.
• Two ways: using software, using hardware
Acquisition & Authentication
• Using a software tool requires a hardware write blocker at the source end, e.g. FastBloc FE / Tableau, with software such as EnCase or FTK Imager used for acquisition.
• A hardware tool has an inbuilt write blocker and gives better speed for acquisition, e.g. TD2, Talon, SOLO, Dossier by Logicube etc.
Authentication: Hash Value
How to verify the integrity of a forensic duplicate?
A hash value, also known as a “message digest” or “fingerprint”, is basically a digital signature. The checksum is created by applying an algorithm to the file. The checksum for each file is unique to that file.
E.g. 4a24e1e50622c52122406b77e8438c5a (MD5)
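As an added example (not part of the original slides), the Python code below performs the acquisition and authentication just described: it copies a constructed sample "source disk" byte for byte while hashing the stream, records the MD5 and SHA-256 values, re-hashes the duplicate to authenticate it, and shows that a single altered byte fails the check. The file names and sample content are assumptions.

```python
# Added example, not from the original slides: acquisition with in-line hashing and
# later authentication. The "source disk" is a constructed sample file.
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # copy/hash in blocks so a large medium never sits fully in RAM


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for the whole file, read block by block."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire(source_path, image_path):
    """Copy every byte of the source into the image, hashing the stream as it is
    read. The source is opened read-only. Returns the acquisition hashes."""
    hashers = {"md5": hashlib.md5(), "sha256": hashlib.sha256()}
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
            dst.write(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def authenticate(image_path, recorded):
    """Re-hash the duplicate; every recorded algorithm must match or the copy is rejected."""
    current = hash_file(image_path, recorded.keys())
    return all(current[name] == recorded[name] for name in recorded)


def demo():
    """Constructed scenario: image a 300 KB sample disk, verify, then alter one byte."""
    work = tempfile.mkdtemp()
    src, img = os.path.join(work, "suspect_disk.bin"), os.path.join(work, "suspect_disk.dd")
    with open(src, "wb") as f:
        f.write(bytes(range(256)) * 1200)          # 307,200 bytes of sample content
    recorded = acquire(src, img)
    clean = authenticate(img, recorded)           # True: image matches the source
    with open(img, "r+b") as f:
        f.seek(1000)
        f.write(b"\xff")                           # simulate a single-byte alteration
    tampered = authenticate(img, recorded)        # False: integrity check fails
    return recorded, clean, tampered
```

The recorded values are what would be written into the seizure documentation alongside the MD5 shown on the slide, so that anyone handling the duplicate later can repeat the check.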
Current and Emerging Cyber Forensic Tools of Law Enforcement
Analysis Process
The process of searching for crime-relevant data and extracting it. The analyst has to search for data in:
• Deleted files
• Slack space
• Unallocated space
• Free space
• Log entries
• Registry entries
• System files
• Printer spool files
• Cookies
• Keywords
Analysis Process (Continued…)
Why is Slack Space Important?
(Diagram of a drive through four states: Unallocated Space (New Drive), Allocated Space, Unallocated Space (After File deletion), Allocated Space (Reallocated, new file); the Slack Space is marked, with the question “Why isn't this also slack space?”)
Analysis Process (Continued…)
• “Keyword search” is one of the most important steps of analysis.
• The keywords should be listed to get better and sorted search results. These keywords should be case-relevant.
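As an added example (not part of the original slides), the following Python simulation ties the slack space diagram to the keyword search: a toy cluster-based disk writes a record, deletes it (releasing clusters without wiping them) and reuses one cluster for a smaller file, then a keyword search over the whole raw image reports whether each hit sits in live file data, in that file's slack, or in unallocated space. The cluster size, file names and contents are constructed assumptions.

```python
# Added example, not from the original slides: a toy cluster-based disk showing why
# slack and unallocated space hold evidence. A simulation only, not a real file system.
CLUSTER, NUM_CLUSTERS = 16, 8   # bytes per cluster (real file systems: 4 KiB+), cluster count


class ToyDisk:
    def __init__(self):
        self.raw = bytearray(NUM_CLUSTERS * CLUSTER)  # new drive: all zeros
        self.files = {}                                # name -> (clusters, size)
        self.used = set()

    def write(self, name, data):
        """Allocate whole clusters; bytes after the data in its last cluster are untouched (slack)."""
        need = -(-len(data) // CLUSTER)
        clusters = [c for c in range(NUM_CLUSTERS) if c not in self.used][:need]
        for i, c in enumerate(clusters):
            chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
            self.raw[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
            self.used.add(c)
        self.files[name] = (clusters, len(data))

    def delete(self, name):
        """Deleting only releases the clusters; the bytes stay on the media."""
        clusters, _ = self.files.pop(name)
        self.used.difference_update(clusters)

    def region(self, offset):
        """Classify an offset: live file data, that file's slack, or unallocated."""
        c = offset // CLUSTER
        for name, (clusters, size) in self.files.items():
            if c in clusters:
                logical = clusters.index(c) * CLUSTER + offset % CLUSTER
                return ("file", name) if logical < size else ("slack", name)
        return ("unallocated", None)

    def keyword_search(self, keyword):
        """Scan the whole raw image, not only live files, and tag every hit."""
        hits, i = [], self.raw.find(keyword)
        while i != -1:
            hits.append((i, self.region(i)))
            i = self.raw.find(keyword, i + 1)
        return hits


def demo():
    # Constructed scenario: a record is written, deleted, then partly overwritten.
    disk = ToyDisk()
    disk.write("ledger.txt", b"TRANSFER 45000 TO ACCT 9981-X")  # 29 bytes, clusters 0-1
    disk.delete("ledger.txt")
    disk.write("note.txt", b"hello")                            # 5 bytes, reuses cluster 0
    return {kw: disk.keyword_search(kw) for kw in (b"hello", b"45000", b"ACCT", b"TRANSFER")}
```

In the scenario, "45000" survives in the slack of note.txt, "ACCT" survives in the now unallocated second cluster, and "TRANSFER" is gone because the new file overwrote it; the bytes beyond the reallocated cluster are unallocated space rather than slack, which answers the question posed on the slide.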
Documentation & Preservation
• Report writing and preparation of notes
• Store the magnetic storage media in a secure area:
  – Cool
  – Dry
  – Away from generators and magnets
Prevention of Computer Crime – Safe Computing Tips
• Do not reveal personal information to unknown people or websites.
• Create hard-to-guess passwords, keep them private and change them regularly.
• Use anti-virus software and update it regularly.
• Back up your important files regularly.
• Never reveal your true identity while chatting.
Safe Online Banking
• Keep your passwords/PIN codes safe and memorize them.
• Check that the online banking website is secure.
• Log out immediately after you have completed your transaction.
• Do not respond to emails asking for your personal information. When in doubt, call the institution that claims to have sent the email.
• Read privacy and policy statements before any transaction.
• Check your account statements to ensure that no unauthorized transaction has taken place.
Tips for Safe Social Networking
• Don't reveal too much information about yourself online.
• Add people as friends on your site only if you know them personally.
• Delete inappropriate messages from your profile.
• Do not post information about your friends, as you may put them at risk.
• What you post online is not private. It can be seen by everyone.