Need for computer forensics
Types of computer forensics
Components & steps in
Principle of exchange
Brief description of digital
Metadata, slack space, swap
files & unallocated space
Creating a forensic image
Computer forensic toolkit
Encase by guidance
Methods to hide data
Pros & cons of computer
is the process of
evidence in a manner
that is legally
is the application of
analysis in the
The need for computer forensics in the present age
is far more severe because of the advances in the
internet and our dependency on it. People who gain
access to computer systems without proper
authorization must be dealt with.
Cyber crime rates are accelerating and computer
forensics is the crucial discipline that has the
power to impede the progress of these cyber
Open a case
Acquire the evidence
Create a forensic image
Index & catalogue the evidence
Analyze the data(evidence)
Save evidence to viewable drive
Create a report of findings
Make your report of findings admissible to legal
When seizing a stand alone computer at the crime
If the computer is “POWERED OFF”, do not
turn it ON.
If the computer is “POWERED ON”, do not
turn it OFF & do not allow any suspect or
associate to touch it.
“..when a person commits a crime
something is always left at the
scene of the crime that was not
present when the person arrived.”
Any data that is stored in memory or exists in transit and
will be lost when the computer is turned off.
Volatile data might be key evidence, so it is important
that if the computer is on at the scene of the crime it
Any data that is stored on a hard drive or another
medium and is preserved when the computer is turned
Some forms of digital evidence are:-
Present / Active (docs, spreadsheets, images,
Archive (including as backups)
Deleted (in slack and unallocated space)
Temporary (cache, print records, Internet usage
Encrypted or otherwise hidden
Compressed or corrupted
DIGITAL EVIDENCE is fragile.
DIGITAL EVIDENCE is easily altered if not
Simply turning a computer on or operating the
computer changes and damages evidence.
Even the normal operation of the computer can
destroy computer evidence that might be lurking in
unallocated space, file slack, or in the Windows
1. Before touching the computer, place an unformatted or blank floppy disk or attach an external device to copy all the data, and write detailed notes about what is on the
2. Photograph the back of the computer & everything that is connected to it.
3. Photograph and label the back of any computer components with existing connections to the
o If you do not have a
on the scene, the safest way to turn off a computer is to pull the plug from the back of the
o Disconnect all power sources; unplug the power cords from the wall and the back of
may need to have
The following are the kinds of digital evidence always
found on a crime-scene system & are the most
important part of an investigation.
Metadata is data about data.
Metadata is information embedded in the file itself
that contains information about the file.
Metadata does contain useful information about a file,
but it is limited.
file name , size , location
Might contain revision comments etc.
Space not occupied by an active file, but not
available for use by the operating system.
Every file in a computer fills a minimum amount
slack space results when file systems create a
cluster (Windows) or block (Linux) but do not
necessarily use the entire fixed length space that
Clusters are formed because of a collection of garbage
and dangling references.
The swap file is a hidden system file that is used
for virtual memory when there is not enough
physical memory to run programs.
Space on the hard drive is temporarily swapped
with the RAM as programs are running.
This swap file contains portions of all documents
and other material a user produces while using the
When a user deletes a file, it is flagged as no
longer needed, but it remains on the system
until it is overwritten.
The remaining files are in unallocated disk
space, where clusters/blocks are not assigned
but may contain data.
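The slack-space and unallocated-space points above can be shown with a toy cluster-based disk. This is an added example, not material from the original slides: the cluster size, the "disk" and the file contents are all constructed, and the allocation logic is a deliberately simplified stand-in for a real file system. It writes a document, "deletes" it (only the directory entry and allocation flags are cleared), then writes a smaller file into the same first cluster, so the old document's bytes survive both in the new file's slack and in the unallocated clusters.

```python
# Added example (not part of the original slides): a toy cluster-based
# "disk" showing where file slack and unallocated space come from and why
# deleted data survives until it is overwritten. CLUSTER_SIZE, the disk
# size and the file contents below are constructed for illustration.
import math

CLUSTER_SIZE = 512  # constructed value; real file systems commonly use 4096


class ToyDisk:
    """A flat byte array divided into fixed-size clusters, plus a file table."""

    def __init__(self, clusters):
        self.data = bytearray(CLUSTER_SIZE * clusters)
        self.files = {}  # name -> (first_cluster, size_in_bytes)
        self.allocated = [False] * clusters

    def _free_run(self, need):
        # first run of `need` contiguous free clusters
        run = 0
        for i, used in enumerate(self.allocated):
            run = 0 if used else run + 1
            if run == need:
                return i - need + 1
        raise RuntimeError("disk full")

    def write(self, name, content):
        """Allocate whole clusters but copy only len(content) bytes into them.
        Whatever already sat in the rest of the last cluster is left
        untouched: that residue is the file slack."""
        need = math.ceil(len(content) / CLUSTER_SIZE)
        first = self._free_run(need)
        start = first * CLUSTER_SIZE
        self.data[start:start + len(content)] = content
        for c in range(first, first + need):
            self.allocated[c] = True
        self.files[name] = (first, len(content))

    def delete(self, name):
        """Deleting only removes the directory entry and clears the allocation
        flags; the clusters' bytes stay on disk as unallocated space."""
        first, size = self.files.pop(name)
        for c in range(first, first + math.ceil(size / CLUSTER_SIZE)):
            self.allocated[c] = False

    def slack(self, name):
        """Bytes between the logical end of a file and the end of its last cluster."""
        first, size = self.files[name]
        end = first * CLUSTER_SIZE + size
        last_cluster_end = (first + math.ceil(size / CLUSTER_SIZE)) * CLUSTER_SIZE
        return bytes(self.data[end:last_cluster_end])

    def unallocated(self):
        """Concatenated contents of every cluster not assigned to any file."""
        return b"".join(
            bytes(self.data[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE])
            for c, used in enumerate(self.allocated) if not used)


def demo():
    """Constructed scenario: a 1110-byte memo (3 clusters) is written and
    deleted, then a 19-byte note reuses cluster 0."""
    disk = ToyDisk(clusters=4)
    memo = b"DRAFT: transfer the funds on Friday. " * 30
    disk.write("memo.txt", memo)
    disk.delete("memo.txt")
    disk.write("notes.txt", b"nothing to see here")
    return disk


if __name__ == "__main__":
    d = demo()
    print("slack of notes.txt:", d.slack("notes.txt")[:60])
    print("unallocated space:", d.unallocated()[:60])
```

The examiner's view is the opposite of the user's: `slack("notes.txt")` and `unallocated()` read the raw clusters rather than the file table, which is exactly why a tool that only lists files misses this evidence and why the slides insist on evaluating slack and unallocated space separately.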
It includes identifying or
evidence such as
removal of computer
hardware or making
attempts to reach
It is referred to as digital
investigation; it means
analyzing files & data in
the system. It requires a
well-defined security
Forensic server is a system which contains forensic
toolkits for investigation with dual-bootable
The activities performed in a forensic analysis may
easily tax the average computer.
It is desirable to have as much physical RAM as possible, as well
as a fast processor and enough drive space to hold the
operating system, several forensic tools, and all
of the forensic images collected from the subject’s
The first activity performed by law enforcement at a
physical crime scene is to restrict access by surrounding the
crime scene with yellow tape.
The second rule is to document the crime scene and all
Bag-and-tag of all potential evidence.
Search for ‘sticky notes’ or any other written
documentation near the computer.
Take any computer manuals in case they are needed for
reference back at the forensics lab.
The first step after acquiring digital
evidence is to create an exact physical
copy of the evidence. This copy is often
called a bit-stream image, forensic
duplicate, or forensic image. Creating a
forensic image is important from a legal
standpoint: courts look favorably upon
forensic images because they demonstrate
that all of the evidence was captured.
shut down the computer.
Document the hardware configuration of the system.
Transport the computer system to a secure location.
Make bit-stream backups of the hard disk and floppy disk.
Mathematically authenticate data on all storage
Document the system date and time.
Make a list of key search words.
Evaluate the Windows swap file.
Evaluate file slack.
Evaluate unallocated space.
Search file slack and unallocated space for key words.
Document file names, dates and times.
Identify file, program and storage anomalies.
Evaluate program functionality.
Document every activity and findings.
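The imaging, authentication and keyword-search steps above (bit-stream backup, mathematical authentication, key word search of slack and unallocated space) can be carried out with a short script. This is an added example and not code from the original slides or from any of the tools listed later: the "device" is a constructed file in a temporary directory rather than a real disk, and the keywords and offsets are constructed. A real acquisition would read the physical device through a hardware write blocker; the copy-and-hash logic is the same.

```python
# Added example (not part of the original slides): raw bit-stream copy of a
# device with SHA-256 authentication of source and image, followed by a
# keyword sweep over the whole image, including regions no file points to.
# The source device below is a constructed file, not a real disk.
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so large devices need not fit in RAM


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image_path):
    """Copy every byte of `source` to `image_path` (a raw, dd-style image).
    Returns (source_sha256, image_sha256); the two must match before the
    image is used. The source is opened read-only and is never written."""
    h_src = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h_src.update(chunk)
            dst.write(chunk)
    return h_src.hexdigest(), sha256_of(image_path)


def keyword_search(image_path, keywords):
    """Scan the raw image for each keyword, carrying a tail across chunk
    boundaries so a match straddling two reads is not missed.
    Returns {keyword: [byte offsets]}."""
    hits = {k: [] for k in keywords}
    tail_len = max(len(k) for k in keywords) - 1
    tail, base = b"", 0
    with open(image_path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            buf = tail + chunk
            buf_base = base - len(tail)
            for k in keywords:
                pos = buf.find(k)
                while pos != -1:
                    # a match that ends inside the carried tail was already
                    # reported during the previous chunk
                    if pos + len(k) > len(tail):
                        hits[k].append(buf_base + pos)
                    pos = buf.find(k, pos + 1)
            base += len(chunk)
            tail = buf[-tail_len:] if tail_len else b""
    return hits


def build_demo(workdir):
    """Constructed evidence: a tiny 'device' whose first 4 KiB block holds an
    active document and whose second block is unallocated but still carries
    a deleted note."""
    device = os.path.join(workdir, "suspect_disk.raw")
    with open(device, "wb") as f:
        f.write(b"invoice.txt: PAID IN FULL".ljust(4096, b"\x00"))
        f.write(b"deleted note: meet at the warehouse midnight".ljust(4096, b"\x00"))
    return device


def run(workdir=None):
    """Acquire, authenticate and search; returns a dict an examiner would
    record in the case notes."""
    workdir = workdir or tempfile.mkdtemp(prefix="forensic_demo_")
    device = build_demo(workdir)
    image = os.path.join(workdir, "suspect_disk.dd")
    src_hash, img_hash = acquire_image(device, image)
    hits = keyword_search(image, [b"warehouse", b"PAID"])
    return {"verified": src_hash == img_hash, "sha256": img_hash, "hits": hits}


if __name__ == "__main__":
    print(run())
```

Recording the hash of the source before imaging and of the image afterwards is what the "mathematically authenticate" step means in practice; any later re-hash of the image that differs shows the evidence was altered. Searching the image rather than the mounted file system is what lets the keyword sweep reach slack and unallocated space.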
EnCase by Guidance Software
Forensic Tool Kit by Access Data
SMART by ASR Data
The Sleuth Kit (TSK)
ProDiscover by Technology Pathways
The image master
Data and password recovery toolkit
Maresware by Mares & Associates
DataLifter by StepaNet Communications
EnCase is considered as the leader in stand-alone
This means it is a bundled software package that
provides multiple forensic tools within the box.
EnCase is Windows-based and can acquire and
analyze data using the local or network-based
versions of the tool.
EnCase can analyze many file system formats,
including FAT, NTFS, Ext2/3, CD-ROMs, and
DVDs. EnCase also supports Microsoft Windows
EnCase allows you to list the files and directories,
recover deleted files, conduct keyword searches,
view all graphic images, make timelines of file
activity, and use hash databases to identify known
It also has its own scripting language, called
EnScript, which allows you to automate many
The EnCase Enterprise Edition is a network
enabled incident response system which offers
immediate and complete forensic analysis.
Some of its impressive features are:-
Enterprise Edition – Centralized monitoring and
Snapshot – Capture of RAM contents, running
programs, open files and ports.
Organizes results into case file & provides case
management for multiple cases.
Maintains chain of custody.
Tools for incident response to respond to emerging
Supports real-time and post-mortem investigations.
It consists of three components:
The first of these components is the Examiner
software. This software is installed on a secure system
where investigations are performed.
The second component is called SAFE, which stands
for Secure Authentication of EnCase. SAFE is a server
which is used to authenticate users, administer access
rights, maintain logs of EnCase transactions, and
provide for secure data transmission.
The final component is Servlet, an efficient software
component installed on servers to establish
connectivity between the Examiner, SAFE, and the
devices being investigated.
Using a key algorithm to convert simple text into
Changing the file extension, e.g.
renaming a .docx file to .jpg.
Steganography simply takes one piece of
information and hides it within another. Computer
files, such as images, sound recordings, and slack
space contain unused or insignificant areas of data.
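The extension-renaming trick above is cheap to detect: the file's leading bytes (its signature or "magic number") still identify the real format. The following is an added example, not code from the original slides or from any of the tools it lists; the signature table is a small constructed subset of what real forensic tools carry, and the sample files are constructed in a temporary directory.

```python
# Added example (not part of the original slides): flag files whose extension
# does not match the file type identified by their magic bytes, e.g. a .docx
# renamed to .jpg. SIGNATURES is a constructed, deliberately small table.
import os
import tempfile
import zipfile

# (signature bytes, offset, extensions that legitimately carry it)
SIGNATURES = [
    (b"\xff\xd8\xff", 0, {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", 0, {".png"}),
    (b"%PDF-", 0, {".pdf"}),
    (b"PK\x03\x04", 0, {".zip", ".docx", ".xlsx", ".pptx", ".jar"}),
    (b"GIF8", 0, {".gif"}),
]


def identify(path):
    """Return the set of extensions matching the file's header, or None if the
    header is not in the table (unknown, not necessarily suspicious)."""
    with open(path, "rb") as f:
        head = f.read(16)
    for sig, off, exts in SIGNATURES:
        if head[off:off + len(sig)] == sig:
            return exts
    return None


def extension_mismatches(root):
    """Walk `root`; return [(path, claimed_ext, expected_exts)] for files whose
    header identifies a known type that the extension does not belong to."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            exts = identify(path)
            if exts is not None and ext not in exts:
                findings.append((path, ext, sorted(exts)))
    return findings


def build_demo(workdir):
    """Constructed samples: a genuine JPEG header, a docx-style zip renamed
    to .jpg, and a text file with no known signature."""
    with open(os.path.join(workdir, "holiday.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    with zipfile.ZipFile(os.path.join(workdir, "vacation.jpg"), "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
    with open(os.path.join(workdir, "readme.txt"), "w") as f:
        f.write("nothing special")
    return workdir


def run(workdir=None):
    workdir = workdir or tempfile.mkdtemp(prefix="ext_check_")
    return extension_mismatches(build_demo(workdir))


if __name__ == "__main__":
    for path, claimed, expected in run():
        print(f"{path}: claims {claimed}, header says one of {expected}")
```

Because a .docx is itself a zip container, the renamed file shows up as a zip-family signature carried by a .jpg extension; the genuine JPEG and the unknown text file are not reported. Encrypted or steganographically hidden content does not produce a signature mismatch, which is why the slides list those as separate hiding methods.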
With its help, we can
Can prevent data theft.
Recover hidden &
ethics let the
remain in legal rules &
Privacy of client is
some sensitive data or
information that is
important to the client
may be lost in order to
find the evidence.
It is an expensive