
Business Intelligence (BI) Tools For Computer Forensic



The presentation contains: Concept of Forensic, Need & Purpose of Forensic
Computer Forensic, Role of IT for Forensic, Data Collection / Mining Tools, Data Analysis & Reporting, Fraud Detection & Auditing

Published in: Technology, Education


Security Technology Forum - CSI
The Security Technology Forum will operate to provide a knowledge-sharing forum and a platform for research in emerging technology in the area of security for members of CSI.
Vision: to make India safe and secure by use of technology.
Mission: to enable Indian technology professionals to understand world-class security technology by effectively developing and sharing knowledge assets and best practices.

Contents of the Interaction
Concept of Forensic
Need & Purpose of Forensic
Computer Forensic
Role of IT for Forensic
Data Collection / Mining Tools
Data Analysis & Reporting
Fraud Detection & Auditing

Forensics – Forensic Science
Forensic science (often shortened to forensics) is the application of a broad spectrum of sciences to answer questions of interest to a legal system. This may be in relation to a crime or a civil action. Besides its relevance to a legal system, more generally forensics encompasses the accepted scholarly or scientific methodology and norms under which the facts regarding an event, or an artifact, or some other physical item (such as a corpse) are ascertained as being the case. In that regard the concept is related to the notion of authentication, whereby an interest outside of a legal form exists in determining whether an object is what it purports to be, or is alleged as being.

Computer Forensic
The goal of computer forensics is to explain the current state of a digital artifact. The term digital artifact can include a computer system, a storage medium (such as a hard disk or CD-ROM), an electronic document (e.g. an email message or JPEG image) or even a sequence of packets moving over a computer network.
The field of computer forensics also has sub-branches such as firewall forensics, network forensics, database forensics and mobile device forensics.

Simplified Understanding
Forensic = Postmortem
Computer forensics involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis.
Recovering information the naked eye can no longer see.

Need for Computer Forensic Techniques
Evidence might be required for a wide range of computer crimes and misuses. The need for deploying computer forensics can be:
In legal cases, computer forensic techniques are frequently used to analyze computer systems belonging to defendants (in criminal cases) or litigants (in civil cases).
To recover data in the event of a hardware or software failure.
To analyze a computer system after a break-in, for example, to determine how the attacker gained access and what the attacker did.
To gather evidence against an employee that an organization wishes to terminate.
To gain information about how computer systems work for the purpose of debugging, performance optimization, or reverse-engineering.

Reasons For Evidence
Wide range of computer crimes and misuses
Non-Business Environment: evidence collected by Federal, State and local authorities for crimes relating to:
Theft of trade secrets
Fraud
Extortion
Industrial espionage
Possession of pornography
SPAM investigations
Virus/Trojan distribution
Homicide investigations
Intellectual property breaches
Unauthorized use of personal information
Forgery
Perjury

Reasons For Evidence (cont)
Computer-related crime and violations include a range of activities including:
Business Environment:
Theft of or destruction of intellectual property
Unauthorized activity
Tracking internet browsing habits
Reconstructing events
Inferring intentions
Selling company bandwidth
Wrongful dismissal claims
Sexual harassment
Software piracy

Who Uses Computer Forensics?
Criminal Prosecutors
Rely on evidence obtained from a computer to prosecute suspects
Civil Litigation
Personal and business data discovered on a computer can be used in fraud, divorce, harassment, or discrimination cases
Insurance Companies
Evidence discovered on a computer can be used to mitigate costs (fraud, worker's compensation, arson, etc.)
Private Corporations
Evidence obtained from employee computers can be used in harassment, fraud, and embezzlement cases

Steps Of Computer Forensics
According to many professionals, computer forensics is a four-step process:
Acquisition
Physically or remotely obtaining possession of the computer, all network mappings from the system, and external physical storage devices
Identification
This step involves identifying what data could be recovered and electronically retrieving it by running various computer forensic tools and software suites

Steps Of Computer Forensics (cont)
Evaluation
Evaluating the information/data recovered to determine if and how it could be used against the suspect, for employment termination or for prosecution in court
Presentation
This step involves the presentation of the evidence discovered in a manner which is understood by lawyers and non-technical staff/management, and which is suitable as evidence as determined by United States and internal laws

Handling Information
Information and data being sought and collected in the investigation must be properly handled.
Volatile Information (lost when the system is powered off):
Network Information
Communication between the system and the network
Active Processes
Programs and daemons currently active on the system
Logged-on Users
Users/employees currently using the system
Open Files
Libraries in use; hidden files; Trojans or rootkits loaded in the system

Handling Information (cont)
Non-Volatile Information (survives a reboot):
Configuration settings
System files
Registry settings that are available after reboot
Accessed through drive mappings from the system
This information should be investigated and reviewed from a backup copy (a verified image), not from the original media.

Anti-Forensics
Software that limits and/or corrupts evidence that could be collected by an investigator
Performs data hiding and distortion (e.g. hiding data in the Host Protected Area (HPA) of a disk, or logic bombs that destroy it)
Exploits limitations of known and commonly used forensic tools
Works on both Windows- and Linux-based systems
Can be put in place prior to or after system acquisition

Evidence Processing Guidelines
Steps of processing evidence
Step 1: Shut down the computer
Consideration must be given to volatile information: it is lost at power-off, so if running processes, network connections or logged-on users matter to the case, capture them before shutting down
Shutting down prevents remote access to the machine and destruction of evidence (manual or by anti-forensic software)
Step 2: Document the Hardware Configuration of the System
Note everything about the computer configuration prior to relocating it

Evidence Processing Guidelines (cont)
Step 3: Transport the Computer System to a Secure Location
Do not leave the computer unattended unless it is locked in a secure location
Step 4: Make Bit Stream Backups of Hard Disks and Floppy Disks
A bit-stream (sector-by-sector) image captures slack and unallocated space as well as the live files; all analysis is done on the image, not on the original
Step 5: Mathematically Authenticate Data on All Storage Devices
Compute a cryptographic hash of each original device and of each image and record the values; you must be able to prove that you did not alter any of the evidence after the computer came into your possession
Step 6: Document the System Date and Time
Record any offset between the system clock and a trusted time source so that file timestamps can be interpreted correctly
Step 7: Make a List of Key Search Words
Step 8: Evaluate the Windows Swap File

Evidence Processing Guidelines (cont)
Step 9: Evaluate File Slack
File slack is the space between the logical end of a file and the end of its last allocated cluster; it can retain fragments of whatever previously occupied that cluster. Most computer users are unaware of it, and it is a source of significant security leakage
Step 10: Evaluate Unallocated Space (Erased Files)
Clusters not assigned to any current file may still hold the content of deleted files until they are overwritten
Step 11: Search Files, File Slack and Unallocated Space for Key Words
Step 12: Document File Names, Dates and Times
Step 13: Identify File, Program and Storage Anomalies
Step 14: Evaluate Program Functionality
Step 15: Document Your Findings
Step 16: Retain Copies of Software Used

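The following is an added example, not code from the slide deck or from MAIA Intelligence. It walks steps 4, 5, 9, 10 and 11 of the guidelines above on a small disk image constructed in memory: take a bit-stream copy and hash it, refuse to analyse a copy whose hash does not match, then carve file slack and unallocated space and run a keyword search over them. The on-disk layout (a fixed cluster size, a directory table of name, first cluster and logical size, contiguous files), the file names, the residue text and the keyword are all assumptions made for the illustration; a real image needs a filesystem parser, but the mechanics are the same.

```python
"""Added example, not part of the slide deck: steps 4, 5, 9, 10 and 11 of the
evidence-processing guidelines, run against a small constructed disk image.

The on-disk layout is hypothetical and deliberately simple: fixed-size clusters
and a directory table of (name, first cluster, logical size) with each file in
contiguous clusters. A real image needs a filesystem parser; the mechanics of
slack, unallocated space and hash verification are the same.
"""
import hashlib
import re

CLUSTER = 512          # hypothetical cluster size in bytes
TOTAL_CLUSTERS = 5     # image size: 2560 bytes

# Constructed directory table: (name, first cluster, logical size in bytes).
DIRECTORY = [
    ("report.txt", 0, 700),   # clusters 0-1; 324 bytes of slack at the end of cluster 1
    ("notes.txt", 2, 512),    # cluster 2 exactly; no slack
]                              # clusters 3-4 are unallocated


def clusters_needed(size):
    return -(-size // CLUSTER)   # ceiling division


def build_image():
    """Constructed evidence: a deleted file's content once filled the whole
    volume; two live files were written over part of it afterwards."""
    residue = (b"TRANSFER 4471 TO OFFSHORE ACCT 9920 " * 72)[:CLUSTER * TOTAL_CLUSTERS]
    img = bytearray(residue)
    live = {
        "report.txt": (b"Quarterly report: all accounts reconciled.\n" * 20)[:700],
        "notes.txt": (b"Meeting notes, nothing unusual.\n" * 20)[:512],
    }
    for name, first, size in DIRECTORY:
        start = first * CLUSTER
        img[start:start + size] = live[name]      # only the logical size is overwritten
    return bytes(img)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def acquire(original):
    """Steps 4-5: bit-stream copy of the original, with hashes of both recorded
    so that later analysis can be shown to have run on an unaltered copy."""
    copy = bytes(original)
    record = {"original_sha256": sha256_hex(original), "copy_sha256": sha256_hex(copy)}
    record["verified"] = record["original_sha256"] == record["copy_sha256"]
    return copy, record


def verify(data, expected_sha256):
    """Re-hash an image and compare with the recorded value (step 5)."""
    return sha256_hex(data) == expected_sha256


def file_slack(img, entry):
    """Step 9: bytes between the logical end of a file and the end of its last cluster."""
    _, first, size = entry
    start = first * CLUSTER
    return img[start + size:start + clusters_needed(size) * CLUSTER]


def unallocated(img, directory):
    """Step 10: every cluster not assigned to a current file, concatenated."""
    used = set()
    for _, first, size in directory:
        used.update(range(first, first + clusters_needed(size)))
    return b"".join(img[c * CLUSTER:(c + 1) * CLUSTER]
                    for c in range(TOTAL_CLUSTERS) if c not in used)


def keyword_search(regions, keywords):
    """Step 11: find each keyword in each named region; hits are
    (region, keyword, offset within region)."""
    hits = []
    for region, data in regions.items():
        for kw in keywords:
            hits.extend((region, kw.decode("ascii", "replace"), m.start())
                        for m in re.finditer(re.escape(kw), data))
    return hits


def investigate(keywords):
    """Acquire, verify, then search logical files, slack and unallocated space."""
    original = build_image()
    copy, record = acquire(original)
    if not record["verified"]:
        raise RuntimeError("image hash mismatch; do not analyse this copy")
    regions = {}
    for entry in DIRECTORY:
        name, first, size = entry
        regions[f"{name} (logical)"] = copy[first * CLUSTER:first * CLUSTER + size]
        regions[f"{name} (slack)"] = file_slack(copy, entry)
    regions["unallocated"] = unallocated(copy, DIRECTORY)
    return record, keyword_search(regions, keywords)


if __name__ == "__main__":
    rec, found = investigate([b"OFFSHORE"])
    print("image sha256:", rec["original_sha256"])
    for region, kw, off in found:
        print(f"{region}: '{kw}' at offset {off}")
```

The keyword never appears in either live file, only in the 324 bytes of slack behind report.txt and in the two unallocated clusters, which is exactly why steps 9 to 11 search those regions and why the image has to be a bit-stream copy rather than a file-level backup. Flipping a single byte of the copy makes verify() fail, which is the property step 5 exists to give you in court.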
Methods deployed
Discovering data on a computer system
Recovering deleted, encrypted, or damaged file information
Monitoring live activity
Detecting violations of corporate policy

Fraud
A fraud is an intentional deception made for personal gain or to damage another individual.
The specific legal definition varies by legal jurisdiction. Fraud is a crime, and is also a civil law violation.
Many hoaxes are fraudulent, although those not made for personal gain are not technically frauds. Defrauding people of money is presumably the most common type of fraud.

Fraud – Fast Facts
Not aligning with the norm
Use of deception & misrepresentation to obtain an unjust advantage
Nationwide scalability of the problem:
- About US$ 400 billion of fraud worldwide reported by the Association of Certified Fraud Examiners
- It is estimated that there has been accelerated growth in economic misappropriation
- Corporate fraud has swung towards theft of intellectual property and IT-related incidents
- In about 42 per cent of the cases in India it was possible to make recoveries from the perpetrator
- Theft, loss of or attack on information are the biggest concerns to companies
Probable reasons for fraud:
- IT complexity has amplified companies' exposure to fraud
- High staff turnover and implanting of personnel are the most recurrent causes of exposure to fraud
- The imperative effect of globalization
- Increased mergers and acquisitions between companies

Forensic to Avoid Fraud
Identifying opportunities for fraud and corruption
Implementing risk management, prevention and minimization procedures in day-to-day operations
Executing procedures to investigate allegations of fraudulent or corrupt behavior
Reacting appropriately to situations where the likelihood of fraud or corruption allegations is found to be high
Providing appropriate training and promulgating relevant codes of conduct to ensure employees and contractors are aware of their responsibilities in combating fraud and corruption
Ensuring an environment in which fraudulent or corrupt activity is discouraged

Forensic Auditing after the occurrence of fraud
Collect, assess and analyze facts
Build the chain of events
Document significant facts
Model scenarios
Review the existing control system
Identify weak points in the information system and e-surveillance
Identify origins and causes of loss
Assess fraud risk
Develop recommendations for follow-up actions
Design compatible business processes and policies
Training to build immunity to fraud in the contemporary environment

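As an added example of the "collect, assess and analyze facts" and "build the chain of events" steps above (this is not code from the slide deck or from MAIA Intelligence), the script below runs the classic audit tests over a payments ledger: duplicate payments to the same vendor for the same amount, invoices approved by the person who submitted them, amounts clustered just below an approval ceiling, and the first-digit distribution against Benford's law. It then orders the flagged invoices into a timeline for the evidence narrative. Every ledger row, vendor name and user name is constructed for the illustration, and the approval limit of 5000 and the 5% near-limit window are assumed policy values rather than anything the deck states.

```python
"""Added example, not part of the slide deck: forensic-audit tests over a
constructed payments ledger (collect facts, flag anomalies, build the chain of
events). Every row, vendor and user name below is made up for illustration;
APPROVAL_LIMIT and the 5% near-limit window are assumed policy values."""
import math
from collections import defaultdict

APPROVAL_LIMIT = 5000.00   # assumed: single-signature approval ceiling
NEAR_LIMIT_PCT = 0.05      # assumed: flag amounts within 5% below the limit

# Constructed ledger rows: (invoice, vendor, amount, submitted_by, approved_by, date).
LEDGER = [
    ("INV-1001", "Acme Supplies", 4990.00, "rkumar", "sshah", "2011-03-02"),
    ("INV-1002", "Acme Supplies", 4990.00, "rkumar", "rkumar", "2011-03-03"),
    ("INV-1003", "Blue Freight", 12750.00, "pdas", "sshah", "2011-03-04"),
    ("INV-1004", "Acme Supplies", 4975.00, "rkumar", "rkumar", "2011-03-05"),
    ("INV-1005", "Globe Print", 860.40, "pdas", "sshah", "2011-03-07"),
    ("INV-1006", "Blue Freight", 12750.00, "pdas", "sshah", "2011-03-09"),
    ("INV-1007", "Globe Print", 310.00, "pdas", "sshah", "2011-03-10"),
    ("INV-1008", "Acme Supplies", 4999.00, "rkumar", "sshah", "2011-03-11"),
]


def duplicate_payments(rows):
    """Same vendor and amount paid under different invoice numbers."""
    groups = defaultdict(list)
    for inv, vendor, amount, *_ in rows:
        groups[(vendor, round(amount, 2))].append(inv)
    return {k: v for k, v in groups.items() if len(v) > 1}


def self_approvals(rows):
    """Segregation-of-duties breach: the submitter approved their own invoice."""
    return [r[0] for r in rows if r[3] == r[4]]


def near_limit(rows, limit=APPROVAL_LIMIT, pct=NEAR_LIMIT_PCT):
    """Amounts just below the approval ceiling (structuring to dodge a second signature)."""
    floor = limit * (1 - pct)
    return [r[0] for r in rows if floor <= r[2] < limit]


def first_digit_distribution(rows):
    """Observed first-digit frequency of each amount beside Benford's expectation
    log10(1 + 1/d). Returns {digit: (observed, expected)}."""
    counts = defaultdict(int)
    for r in rows:
        counts[int(f"{r[2]:.2f}".lstrip("0.")[0])] += 1
    n = len(rows)
    return {d: (counts[d] / n, math.log10(1 + 1 / d)) for d in range(1, 10)}


def chain_of_events(rows, invoices):
    """Date-ordered timeline of the flagged invoices, for the evidence narrative."""
    flagged = [r for r in rows if r[0] in invoices]
    return [f"{r[5]}: {r[0]} {r[1]} {r[2]:.2f} submitted by {r[3]}, approved by {r[4]}"
            for r in sorted(flagged, key=lambda r: r[5])]


def audit(rows=LEDGER):
    """Run every test and assemble the findings plus a timeline of suspect invoices."""
    dups = duplicate_payments(rows)
    findings = {
        "duplicates": dups,
        "self_approved": self_approvals(rows),
        "near_limit": near_limit(rows),
        "first_digits": first_digit_distribution(rows),
    }
    suspect = set(findings["self_approved"]) | set(findings["near_limit"])
    for invs in dups.values():
        suspect.update(invs)
    findings["timeline"] = chain_of_events(rows, suspect)
    return findings


if __name__ == "__main__":
    for line in audit()["timeline"]:
        print(line)
```

The duplicate, self-approval and near-limit tests are deterministic and carry evidential weight on their own; the Benford comparison is only meaningful over thousands of transactions and is included here to show the calculation, not to draw a conclusion from eight constructed rows.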
Software for Analysis & Audit of Commercial Data

Thank You
CA Ashwin Dedhia
Director, Solutions
MAIA Intelligence