Computer forensics and its role


Published on

Published in: Technology
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Computer forensics and its role

  1. 1. Computer Forensics
  2. 2. Topics to be covered • Defining Computer Forensics • Who uses Computer Forensics • Laws • Reasons for gathering evidence • Evidence processing guidelines • Requirements • Steps of Computer Forensics • Forensics recovery • Examples • Anti-forensics • Conclusion • Acknowledgement
  3. 3. • The process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable.” (McKemmish, 1999) • “Gathering and analyzing data in a manner as freedom distortion or bias as possible to reconstruct data or what has happened in the past on a system.” (Farmer & Vennema,1999) • Computer forensics is the application of computer investigation and analysis techniques in the interests of determining potential legal evidence. • Forensic Computing, also known as Evidential Computing and even sometimes Data Recovery, is the specialist process of imaging and processing computer data which is reliable enough to be used as evidence in court What is Computer Forensics? (Some definitions)
  4. 4. What will Computer Forensics do? • Computer forensics, innovators of image copying technology, defined the principles of the science of computer forensics and formalized an approved and accepted methodology to COLLECT, ANALYSE and PRESENT suspect data to a Court of Law. • Computer forensics evidence is frequently sought in a wide range of computer crime or misuse, including but not limited to theft of trade secrets, theft of or destruction of intellectual property, and fraud. • Computer forensics specialists draw on an array of methods for discovering data that resides in a computer system. • Experts in forensics computing can frequently recover files that have been deleted, encrypted, or damaged, sometimes as long as years earlier. • Evidence gathered by computer forensics experts is useful and often necessary during discovery, depositions, and actual litigation.
  5. 5. Who Uses Computer Forensics? • Criminal Prosecutors • -Rely on evidence obtained from a computer to prosecute suspects and use as evidence • Civil Litigations • -Personal and business data discovered on a computer can be used in fraud, divorce, harassment, or discrimination cases • Insurance Companies • -Evidence discovered on computer can be used to mollify costs (fraud, worker’s compensation, arson, etc) • Private Corporations • -Obtained evidence from employee computers can be used as evidence in harassment, fraud, and embezzlement cases
  6. 6. FBI Computer Forensic Services • Content • Comparison again known data • Transaction sequencing • Extraction of data • Recovering deleted data files • Format conversion • Keyword searching • Decrypting passwords • Analyzing and comparing limited source code
  7. 7. KNOW THE LAW... • The US DOJ maintains a website with guidelines and case law pertaining to seizing and searching computers. It's the best place to start putting together a legal case that will be based on evidence obtained from a computer system. The US DOJ website is: They also have a wealth of "cyber-crime" information online at:
  8. 8. Reasons For Evidence • Wide range of computer crimes and misuses • Non-Business Environment: evidence collected by Federal, State and local authorities for crimes relating to: – -Theft of trade secrets – -Fraud – -Extortion – -Industrial espionage – -Position of pornography – -SPAM investigations – -Virus/Trojan distribution – -Intellectual property breaches – -Unauthorized use of personal information – -Perjury
  9. 9. • Computer related crime and violations include a range of activities including: • Business Environment: • -Theft of or destruction of intellectual property • -Unauthorized activity • -Tracking internet browsing habits • -Reconstructing Events • -Inferring intentions • -Selling company bandwidth • -Wrongful dismissal claims • -Software Piracy Reasons For Evidence (cont)
  10. 10. Evidence Processing Guidelines • New Technologies Inc. recommends following 16 steps in processing evidence • They offer training on properly handling each step – Step 1: Shut down the computer • Considerations must be given to volatile information • Prevents remote access to machine and destruction of evidence (manual or ant-forensic software) – Step 2: • Document the Hardware Configuration of The System • Note everything about the computer configuration prior to re-locating
  11. 11. Evidence Processing Guidelines (cont) • Step 3: Transport the Computer System to A Secure Location – Do not leave the computer unattended unless it is locked in a secure location • Step 4: Make Bit Stream Backups of Hard Disks and Floppy Disks • Step 5: Mathematically Authenticate Data on All Storage Devices – Must be able to prove that you did not alter any of the evidence after the computer came into your possession • Step 6: Document the System Date and Time • Step 7: Make a List of Key Search Words • Step 8: Evaluate the Windows Swap File
  12. 12. Evidence Processing Guidelines (cont) • Step 9: Evaluate File Slack – The DOS file system file allocation table (FAT) was never designed to handle storage device with more than 32767 units of data. 32767 is the largest number that can be represented with 16 bits. – Data is written in sectors of 512 bytes (hard drives, floppy), or 2048 bytes (CD-ROM). – This set an arbitrary limit on disk storage devices of 512x32767 = 16MB. – To accommodate larger drives the concept of “clusters” was invented. Clusters are a group of sectors written as a single atomic unit. With clustering came file slack.
  13. 13. Evidence Processing Guidelines (cont) • RAM Slack If the file you are writing is shorter than the number of bytes in the clusters you have allocated for your file, the file system will pad the data out to the end of the current sector with “RAM slack”. RAM slack is random data that happens to be in RAM memory at the time the file is written. It can contain any data that you were working on since you last booted the PC. Such as emails, word documents, graphics, etc. • Drive Slack Unlike RAM slack which comes from working storage, “drive slack” is data left on the drive from a previous file. After completing the last partial sector with RAM slack, subsequent whole sectors in the last cluster are left as is with whatever data was written there previously.
  14. 14. Evidence Processing Guidelines (cont) • Step 10: Evaluate Unallocated Space (Erased Files) • Step 11: Search Files, File Slack and Unallocated Space for Key Words • Step 12: Document File Names, Dates and Times • Step 13: Identify File, Program and Storage Anomalies • Step 14: Evaluate Program Functionality • Step 15: Document Your Findings • Step 16: Retain Copies of Software Used
  15. 15. Computer Forensic Requirements Hardware – Familiarity with all internal and external devices/components of a computer – Thorough understanding of hard drives and settings – Understanding motherboards and the various chipsets used – Power connections – Memory BIOS – Understanding how the BIOS works – Familiarity with the various settings and limitations of the BIOS
  16. 16. Computer Forensic Requirements (cont) • .Operation Systems – Windows 3.1/95/98/ME/NT/2000/2003/XP – DOS – UNIX – LINUX – VAX/VMS Software – Familiarity with most popular software packages such as Office Forensic Tools – Familiarity with computer forensic techniques and the software packages that could be used
  17. 17. Steps Of Computer Forensics • .According to many professionals, Computer Forensics is a four (4) step process Acquisition – Physically or remotely obtaining possession of the computer, all network mappings from the system, and external physical storage devices Identification -This step involves identifying what data could be recovered and electronically retrieving it by running various Computer Forensic tools and software suites Evaluation – Evaluating the information/data recovered to determine if and how it could be used again the suspect for employment termination or prosecution in court
  18. 18. Steps Of Computer Forensics (cont) • .Presentation – This step involves the presentation of evidence discovered in a manner which is understood by lawyers, non-technically staff/management, and suitable as evidence as determined by United States and internal laws
  19. 19. Handling Evidence • No possible evidence is damaged, destroyed, or otherwise compromised by the procedures used to search the computer • Preventing viruses from being introduced to a computer during the analysis process • Establishing and maintaining a continuing chain of custody • Limiting the amount of time business operations are affected
  20. 20. Initiating An Investigation • DO NOT begin by exploring files on system randomly • Establish evidence custodian - start a detailed journal with the date and time and date/information discovered • If possible, designate suspected equipment as “off-limits” to normal activity. This includes back-ups, remotely or locally scheduled house-keeping, and configuration changes • Collect email, DNS, and other network service logs
  21. 21. Incidence Response • Identify, designate, or become evidence custodian • Review any existing journal of what has been done to system already and/or how intrusion was detected • Begin new or maintain existing journal • Install monitoring tools (sniffers, port detectors, etc.) • Without rebooting or affecting running processes, perform a copy of physical disk • Capture network information
  22. 22. Forensic Recovery Take pictures to document area around the computer. You may find removable media, or clues to your subject’s passwords in your photos.
  23. 23. Forensic Recovery • . Tip #3: Don’t assume system will boot first from the floppy drive. Always go into setup first and make sure the system will boot first from where you expect it to. Ex. Floppy or CD-ROM.
  24. 24. Forensic Recovery • . Take screen shots to preserve evidence. In this case documented “buddies list” in ICQ and Yahoo! Messenger. Used FTK to find emails to / from same buddies. And their solicitations on Internet adult meeting sites.
  25. 25. EXAMPLES • 1.Hot Hard Drives: In an arson and murder investigation, computer forensic investigators were asked to analyze hard drives recovered from a burned house which were charred and covered with ash and soot. When experienced engineers opened the drives in a sterile cleanroom – designed for repairing damaged computer media – they discovered the data contained on the individual data platters was not subjected to a high enough heat to cause permanent data loss. Relying on years of experience with fire-damaged computer media, engineers recovered and produced all of the data to the prosecutor’s office for analysis. The evidence contained on the hard drives helped the prosecutors build their case against the charged individual.
  26. 26. EXAMPLES • 2.Usurping USB Drives: On behalf of a bank, a computer forensic investigation was undertaken focusing on several computers owned by a bank customer suspected in a money laundering scheme. The initial review of the computers revealed that a large capacity USB drive was installed on the machine one day prior to turning over the computers pursuant to the court order. Upon further review of the USB drive, the engineers proved the individual had engaged in corporate financial fraud, stolen business funds and moved the money in foreign back accounts.
  27. 27. Anti-Forensics • Software that limits and/or corrupts evidence that could be collected by an investigator • Performs data hiding and distortion • Exploits limitations of known and used forensic tools • Works both on Windows and LINUX based systems • In place prior to or post system acquisition
  28. 28. Methods Of Hiding Data To human eyes, data usually contains known forms, like images, e-mail, sounds, and text. Most Internet data naturally includes gratuitous headers, too. These are media exploited using new controversial logical encodings: steganography and marking. – Steganography: The art of storing information in such a way that the existence of the information is hidden.
  29. 29. Methods Of Hiding Data • 1 To human eyes, data usually contains known forms, like images, e-mail, sounds, and text. Most Internet data naturally includes gratuitous headers, too. These are media exploited using new controversial logical encodings: steganography and marking. The duck flies at midnight. Tame uncle Sam Simple but effective when done well
  30. 30. Methods Of Hiding Data Watermarking: Hiding data within data – Information can be hidden in almost any file format. – File formats with more room for compression are best • Image files (JPEG, GIF) • Sound files (MP3, WAV) • Video files (MPG, AVI) – The hidden information may be encrypted, but not necessarily – Numerous software applications will do this for you: Many are freely available online
  31. 31. CONCLUSION • Use a systematic approach to investigations • Plan a case by taking into account: – Nature of the case – Case requirements – Gathering evidence techniques • Do not forget that every case can go to court • Apply standard problem-solving techniques • Keep track of the chain of custody of your evidence • Produce a final report detailing what you did and found
  32. 32. ACKNOWLEDGEMENT • .I wish to thank my faculty members of CSE department ,Dr. Sudhir Chandra Sur Degree Engineering College for guidance and useful suggestions, which helped us a lot in completing the presentation work, in time. We also took help from internet for ideas which made us able to complete this presentation.
  33. 33. • . THANK YOU.