Computer forensics

Published in: Technology

  1. Computer Forensics. Yogesh E.
  3. REAL-WORLD & VIRTUAL-WORLD. Current approaches evolved to deal with real-world crime. Cybercrime occurs in a virtual world and therefore presents different issues.
  4. EXAMPLE: THEFT. Real-world theft: possession of property shifts completely from A to B, i.e., A had it, now B has it. Theft in the virtual world (cyber-theft): property is copied, so A “has” it and so does B.
  5. Think before you Click.
  6. What is Computer Crime? “Unlawful acts wherein the computer is either a tool or a target or both.” Two aspects: • Computer as a tool to commit crime: child porn, threatening email, identity theft, sexual harassment, defamation, phishing. • Computer itself becomes the target of crime: viruses, worms, software piracy, hacking.
  7. TYPES OF COMPUTER CRIME. • HACKING: Hacking in simple terms means illegal intrusion into a computer system without the permission of the computer owner/user. • SOFTWARE PIRACY: Unauthorized copying of software. • PORNOGRAPHY: Computer pornography covers pornographic websites, pornographic magazines produced using computers (to publish and print the material) and the Internet (to download and transmit pornographic pictures and photos).
  8. TYPES OF COMPUTER CRIME (cont.). • FORGED DOCUMENTS: Creating fake documents such as fake academic certificates, mark sheets etc. • CREDIT CARD FRAUD: Credit card fraud is a wide-ranging term for theft and fraud committed using a credit card or any similar payment mechanism as a fraudulent source of funds in a transaction. • Computer STALKING: Use of e-mail or the Internet to harass or threaten an individual.
  9. TYPES OF COMPUTER CRIME (cont.). • PHISHING: In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. • Computer DEFAMATION: This occurs when defamation takes place with the help of computers and/or the Internet, e.g. Mr. X publishes defamatory matter about Ms. Y on a website or sends e-mails containing defamatory information to Ms. Y’s friends.
  10. WHAT IS DIGITAL EVIDENCE? Digital evidence is any information of probative value that is either stored or transmitted in binary form. Digital evidence includes computer evidence, digital audio recorders, digital video recorders, mobile phones, pen drives, CDs, DVDs etc.
  11. ELECTRONIC RECORD. An electronic record is one that is generated, stored, sent or received by electronic means and includes data, images or sound.
  12. CHALLENGES FOR INVESTIGATING AGENCIES. • Difficulty in collection of evidence. • Fragility of computer data. • Fear of destruction of vital data. • Vast volume to be examined. • Diversity of hardware and software. • Admissibility in the courts.
  13. COMPUTER FORENSICS. Definition: Identification, extraction, documentation, and preservation of computer media for evidentiary and/or root cause analysis using well-defined methodologies and procedures.
  14. COMPUTER FORENSICS. Methodology: • Acquire the evidence without altering or damaging the original. • Authenticate that the recovered evidence is the same as the original seized. • Analyze the data without modifying it.
  15. COMPUTER FORENSICS - STEPS. At the scene of crime: Identification, Seizure, Acquisition. In the forensics lab: Authentication, Analysis, Presentation, Preservation.
  16. What to carry? • Camera, note or sketch pads. • Blank CDs, DVDs, pen drives, hash calculator, write-blocker, cross-over cable etc. • Sealing material: labels, pens, markers. • Storage containers: anti-static bags, plastic bubble wrap. • Software / hardware for onsite virtual data retrieval and imaging.
  17. How to secure the crime scene? • The entire work area, office, or cubicle is a potential crime scene, not just the computer itself. • No one should be allowed to touch the computer, including shutting the computer down or exiting from any programs/files in use at the time, or to remove anything from the scene.
  18. How to secure the crime scene? (cont.) • Disconnect the power supply; otherwise files can be lost to a hard-drive crash. • If required, access the system to take a backup of volatile data.
  19. Computer Forensic Steps - Scene of Crime. • Back up volatile data in RAM / router etc. • Photograph / video the scene of incident / crime. • Identify digital storage media. • Draw the network topology.
  20. Questions to be asked at the scene of crime: • Login details: user name(s) and password(s) • Encryption • Files of interest • E-mail accounts • Internet service provider(s) • Off-site storage • Hidden storage devices
  21. WHY ARE PRECAUTIONS REQUIRED? • The integrity of data is essential for making it presentable in a court of law within the acceptable limits of the law. • The active data recovered can give us vital links. • The deleted data too can be recovered and used for reconstruction of events. • Certain damaged media too can be read/viewed.
  22. Computer Forensic Steps - Scene of Crime: Identification, Seizure, Acquisition.
  23. Exhibits Seized
  24. Identification
  25. Identification: front side of CPU cabinet (case or chassis); back side of CPU cabinet (case or chassis); the CPU.
  26. Identification (cont.): internal hard disk.
  27. Identification (cont.): external hard disk.
  28. Identification (cont.): floppy, CD/DVD.
  29. Identification (cont.): mobile phones, SIM card, memory cards.
  30. Identification (cont.): skimmer, credit cards.
  31. Identification (cont.): dongle and pen drives.
  32. Identification (cont.)
  33. Identification (cont.)
  34. Identification (cont.)
  35. Seizure
  36. What is Seizure? Definition: Seizure is the process of capturing the suspect computer or storage media for evidence collection.
  37. Seizure. • The case-related reference documents should also be seized from the crime scene. For example: in case of economic crime, look for account book details, passbook details, bank transaction details, ATM credit/debit card details. In case of forged documents, look for reference documents such as academic certificates, bill receipts, passport, legal property papers etc. • If video files or picture image files of a particular person are to be traced, then provide photographs of the same for identification.
  38. Labeling (slides 38 to 42)
  43. Packaging and Transportation. • Properly document and label the evidence before packaging. • Use anti-static wrap or bubble wrap for magnetic media. • Avoid folding, bending or scratching computer media such as diskettes, CDs, removable media etc.
  44. Labeling
  45. Packaging and Transportation. • While transporting, place the computer securely on the floor of the vehicle, where the ride is smooth. • Avoid radio transmissions, electromagnetic emissions and moisture in the vicinity of digital evidence.
  46. Dealing with the Suspected Mobile Phone. • At the time of seizing a mobile phone, its components like battery, SIM card(s) and memory card(s) should be removed. • The user manuals should also be seized from the scene, if present.
  47. Guidelines from Forensics (cont.). • If a CPU cabinet is seized from the crime scene, bring only the hard disks for analysis; do not bring the CPU cabinet. • Printer, scanner, monitor, keyboard, mouse etc. should not be seized. • Only digital storage media like hard disks, pen drives, floppies, CDs, DVDs, mobile phones etc. are analyzed. • If an exhibit is a hard disk, then a blank hard disk with more (double) capacity needs to be provided.
  48. Acquisition & Authentication
  49. Precautions during Acquisition. • Use of write blocker devices: Thumbscrew, FastBloc, Tableau. • Need for a write blocker.
  50. Acquisition & Authentication. • Making a forensic duplicate copy of the suspect storage media is acquisition. • A forensic duplicate is a file that contains every bit of information from the source disk. • Two ways: using software; using hardware.
  51. Acquisition & Authentication. • Using a software tool requires a hardware write blocker at the source end, e.g. FastBloc FE / Tableau, with software such as EnCase or FTK Imager used for acquisition. • Using a hardware tool, which has an inbuilt write blocker and gives better speed for acquisition, e.g. TD2, Talon, SOLO, Dossier by Logicube etc.
  52. Laboratory Work: Authentication, Analysis, Presentation, Preservation.
  53. Authentication: Hash Value. How to verify the integrity of a forensic duplicate? The hash value, also known as a “Message Digest” or “Fingerprint”, is basically a digital signature. The checksum is created by applying an algorithm to the file. The checksum for each file is unique to that file. E.g. 4a24e1e50622c52122406b77e8438c5a (MD5)
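The verification described on slide 53, as an added example that is not part of the original deck: the "source disk" and "image" are constructed byte strings so it runs offline, the digests are computed in chunks so a multi-gigabyte image does not have to fit in memory, and a SHA-256 digest is recorded next to the MD5 the slide shows, because MD5 collisions are practical and examiners record a second algorithm.

```python
# Added example (not from the slide deck): authenticate a forensic duplicate
# by hashing source and image and comparing every digest.
# SOURCE_DISK is a constructed stand-in for the seized media; in practice the
# streams would be the write-blocked device and the acquired image file.
import hashlib
import io

CHUNK = 1 << 20  # hash 1 MiB at a time so large images do not fill RAM


def hash_stream(stream, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} over everything readable from stream."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=("md5", "sha256")):
    """Convenience wrapper for in-memory data (the constructed samples here)."""
    return hash_stream(io.BytesIO(data), algorithms)


def verify_duplicate(source, duplicate):
    """Return (authentic, mismatched_algorithms); authentic only if all match."""
    src = hash_bytes(source)
    dup = hash_bytes(duplicate)
    mismatches = [name for name in src if src[name] != dup[name]]
    return len(mismatches) == 0, mismatches


# Constructed sample "disk": a boot-sector-like OEM label plus filler bytes.
SOURCE_DISK = b"MSWIN4.1" + bytes(range(256)) * 16

if __name__ == "__main__":
    good_image = bytes(SOURCE_DISK)        # bit-for-bit copy
    tampered = bytearray(SOURCE_DISK)
    tampered[100] ^= 0x01                  # a single flipped bit
    print("digests:", hash_bytes(SOURCE_DISK))
    print("good image:", verify_duplicate(SOURCE_DISK, good_image))
    print("tampered image:", verify_duplicate(SOURCE_DISK, bytes(tampered)))
```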
  54. Analysis
  55. Current and Emerging Cyber Forensic Tools of Law Enforcement
  56. Analysis Process. The process of searching for crime-relevant data and extracting it. The analyst has to search data in: deleted files, slack space, unallocated space, free space, log entries, registry entries, system files, printer spool files, cookies, keywords.
  57. Analysis Process (cont.). Why is slack space important? (Diagram: unallocated space on a new drive; allocated space; unallocated space after file deletion; allocated space reallocated to a new file, leaving slack space. Why isn’t this also slack space?)
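The diagram on slide 57, as an added example that is not part of the original deck: a toy cluster-based disk (cluster size and file contents are constructed) where a file is deleted and a smaller file reuses its first cluster. The bytes of the old file left in the tail of that reused cluster are file slack; the old file's remaining clusters, owned by no live file, are unallocated space rather than slack, which is the distinction the slide's closing question points at.

```python
# Added example (not from the slide deck): a toy cluster-based disk showing
# why file slack matters. Cluster size and file contents are constructed;
# delete does not wipe data, as on a typical file system.
CLUSTER = 16  # bytes per cluster (constructed; real systems use 4096 etc.)


def clusters_for(size):
    return -(-size // CLUSTER)  # ceiling division


class ToyDisk:
    def __init__(self, clusters):
        self.raw = bytearray(clusters * CLUSTER)  # new drive: all zero
        self.alloc = {}                           # name -> (first_cluster, size)

    def _used(self):
        return {c for first, size in self.alloc.values()
                for c in range(first, first + clusters_for(size))}

    def write(self, name, data):
        """Allocate the lowest run of free clusters and copy the data in."""
        needed, used, start = clusters_for(len(data)), self._used(), 0
        while any(c in used for c in range(start, start + needed)):
            start += 1
        self.raw[start * CLUSTER:start * CLUSTER + len(data)] = data
        self.alloc[name] = (start, len(data))

    def delete(self, name):
        """Only the allocation entry goes; the bytes remain on disk."""
        del self.alloc[name]

    def slack(self, name):
        """File slack: bytes between end of file and end of its last cluster."""
        first, size = self.alloc[name]
        return bytes(self.raw[first * CLUSTER + size:
                              (first + clusters_for(size)) * CLUSTER])

    def unallocated(self):
        """Every byte in clusters owned by no live file (not slack)."""
        used = self._used()
        return b"".join(bytes(self.raw[c * CLUSTER:(c + 1) * CLUSTER])
                        for c in range(len(self.raw) // CLUSTER)
                        if c not in used)


def demo():
    """Delete a 3-cluster file, reuse cluster 0; return (slack, unallocated)."""
    disk = ToyDisk(clusters=4)
    disk.write("ledger.txt", b"CONFIDENTIAL-LEDGER-ENTRY-0042-PAID-IN-CASH")
    disk.delete("ledger.txt")               # clusters 0-2 now unallocated
    disk.write("memo.txt", b"hello world")  # 11 bytes: reuses cluster 0 only
    return disk.slack("memo.txt"), disk.unallocated()
```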
  58. Analysis Process (cont.). • “Keyword search” is one of the most important steps of analysis. • The keywords should be listed in order to get better and sorted search results. These keywords should be case-relevant.
  59. Documentation & Preservation. • Report writing & preparation of notes. • Store the magnetic storage media in a secure area: cool, dry, and away from generators and magnets.
  60. Prevention of Computer Crime: Safe Computing Tips. • Do not reveal personal information to unknown people or websites. • Create hard-to-guess passwords, keep them private and change them regularly. • Use anti-virus software and update it regularly. • Back up your important files regularly. • Never reveal your true identity while chatting.
  61. Safe Online Banking. • Keep your passwords/PIN codes safe and memorize them. • Check that the online banking website is secure. • Log out immediately after you have completed your transaction. • Do not respond to emails asking for your personal information; when in doubt, call the institution that claims to have sent the email. • Read privacy and policy statements before any transaction. • Check your account statements to ensure that no unauthorized transaction has taken place.
  62. Tips for Safe Social Networking. • Don’t reveal too much information about yourself online. • Add people as friends on your site only if you know them personally. • Delete inappropriate messages from your profile. • Do not post information about your friends, as you may put them at risk. • What you post online is not private; it can be seen by everyone.