Computer forensics


Published on

The presentation is all about computer forensics. the process , the tools and its features and some example scenarios.. It will give you a great insight into the computer forensics

Published in: Engineering, Technology, Education

Computer forensics

  1. 1.  Computer forensics definitions  Need for computer forensics  Cyber crime  Types of computer forensics  Components & steps in computer forensics  Principle of exchange  Brief description of digital evidence  Metadata, slack space, swap files & unalloacted space  Forensic server  Initial response  Creating a forensic image  Computer forensic methodology  Computer forensic toolkit  Encase by guidance software  Methods to hide data  Pros & cons of computer forensics.
  2. 2.  Computer forensics is the process of identifying , preserving , analyzing and presenting the evidence in a manner that is legally acceptable.  Computer forensics is the application of computer investigation & analysis in the interest of determining potential legal evidence.
  3. 3. The need of computer forensics in the present age can be considered as much severe due to the internet advancements and the dependency on the internet. The people that gain access to the computer systems without proper authorization should be dealt in. Cyber crime rates are accelerating and computer forensics is the crucial discipline that has the power to impede the progress of these cyber criminals.
  4. 4.  Identity threats  Email theft  Software piracy  Unauthorized access  Data theft  Credit card cloning  Fraud  Hacking  Cyber terrorism  Copyright violation  Stalking & harassment  Denial of service  Releasing malicious virus  Computer fraud  Stock manipulation
  5. 5. Computer forensics is broadly divided into five categories namely-  Disk forensics  Network forensics  Email forensics  Internet forensics  Source code/portable device forensics
  6. 6.  Identifying(Acquisition)  Collecting  Preserving  Analyzing  Extracting  Documenting  Presenting
  7. 7.  Open a case  Acquire the evidence  Create a forensic image  Index & catalogue the evidence  Analyze the data(evidence)  Save evidence to viewable drive  Create a report of findings  Admissible your report of findings to legal proceedings.
  8. 8. When seizing a stand alone computer at the crime scene: if the computer is “POWERED OFF” , do not turn It ON. if the computer is “POWERED ON” , do not turn it OFF & do not allow any suspect or associate to touch it.
  9. 9. “..when a person commits a crime something is always left at the scene of the crime that was not present when the person arrived.”
  10. 10. Volatile any data that is stored in memory or exist in transit and will be lost when the computer is turned off. Volatile data might be key evidence, so it is important that if the computer is on at the scene of the crime it remain on. Persistent that data which is stored on a hard drive or another medium and is preserved when the computer is turned off.
  11. 11. Some forms of digital evidence are:-  Present / Active (doc’s, spreadsheets, images, email, etc.)  Archive (including as backups)  Deleted (in slack and unallocated space)  Temporary (cache, print records, Internet usage records, etc.)  Encrypted or otherwise hidden  Compressed or corrupted
  12. 12.  DIGITAL EVIDENCE is fragile.  DIGITAL EVIDENCE is easily altered if not handled properly.  Simply turning a computer on or operating the computer changes and damages evidence.  Even the normal operation of the computer can destroy computer evidence that might be lurking in unallocated space, file slack, or in the Windows swap file.
  13. 13. 1.Before touching the computer, place an unformatted or blank floppy disk or attach an external device to copy all the data, and write detailed notes about what is on the computer’s screen.
  14. 14. 2.Photograph the back of the computer & everything that is connected to it. 3. Photograph and label the back of any computer components with existing connections to the computer.
  15. 15. o If u do not have a computer specialist on the scene, the safest way to turn off a computer is to pull the plug from the back of the computer. o Disconnect all power sources; unplug the power cords from the wall and the back of the computer. Notebook computers may need to have their battery removed.
  16. 16.  The following are the digital evidences always found at a crime scene system & are the most important part of investigation.  These include:  metadata  Slack space  Swap files  Unallocated space
  17. 17.  Metadata is data about data.  Metadata is information embedded in the file itself that contains information about the file. Metadata does contain useful information about file but it is limited. Example:-author file name , size , location File properties Might contain revision comments etc.
  18. 18.  Space not occupied by an active file, but not available for use by the operating system.  Every file in a computer fills a minimum amount of space.  slack space results when file systems create a cluster (Windows) or block (Linux) but do not necessarily use the entire fixed length space that was allocated.  Clusters are form because of collection of garbage and dangling references.
  19. 19.  The swap file is a hidden system file that is used for virtual memory when there is not enough physical memory to run programs.  Space on the hard drive is temporarily swapped with the RAM as programs are running.  This swap file contains portions of all documents and other material a user produces while using the computer.
  20. 20.  When a user deletes a file, it is flagged as no longer needed, but it remains on the system until it is overwritten.  The remaining files are in unallocated disk space, where clusters/blocks are not assigned but may contain data.
  21. 21. PHYSICAL INVESTIGATION  It includes identifying or locating physical evidence such as removal of computer hardware or making attempts to reach connected physical devices. LOGICAL INVESTIGATION  It is referred to as digital investigation it means analyzing file & data in the system. It requires a well defined security policy.
  22. 22.  Forensic server is a system which contains forensic toolkits for investigation with dual-bootable window/linux installed.  The activities performed in a forensic analysis may easily tax the average computer.  It is desirable to have as much physical RAM, as well as a fast processor , enough drive space to hold the operating system, several forensic tools, as well as all of the forensic images collected from the subject’s computer.
  23. 23.  The first activity performed by law enforcement at a physical crime is to restrict access by surrounding the crime scene with yellow tape.  The second rule is to document the crime scene and all activities performed.  Bag-and-tag of all potential evidence.  Search for ‘sticky notes’ or any other written documentation near the computer.  Take any computer manuals in case they are needed for reference back at the forensics lab.
  24. 24. The first step after acquiring digital evidence is to create an exact physical copy of the evidence. This copy is often called a bit-stream image, forensic duplicate, or forensic image. Creating a forensic image is important for a legal standpoint, courts look favorably upon forensic images because it demonstrates that all of the evidence was captured.
  25. 25.  shut down the computer.  Document the hardware configuration of the system.  Transport the computer system to a secure location.  Make bit stream back ups of hard disk and floppy disk.  Mathematically authenticate data on all storage devices.  Document the system date and time.  Make a list of key search words.  Evaluate the window swap file.  Evaluate file slack.  Evaluate unallocated space.
  26. 26.  Search file slack and unallocated space for key words.  Document file names, dates and times.  Identify file, program and storage anomalies.  Evaluate program functionally.  Document every activity and findings.
  27. 27.  EnCase by Guidance Software  Forensic Tool Kit by Access Data  SMART by ASR Data  The Sleuth kit(TSK)  ProDiscover by technology pathways  The image master  Data and password recovery toolkit  Maresware by Mares & Associates  DataLifter by StepaNet Communications
  28. 28.  EnCase is considered as the leader in stand-alone forensic analysis.  This means it is a bundled software package that provides multiple forensic tools within the box.  EnCase is Windows-based and can acquire and analyze data using the local or network-based versions of the tool.  EnCase can analyze many file system formats, including FAT, NTFS, Ext2/3, CD-ROMs, and DVDs. EnCase also supports Microsoft Windows dynamic disks.
  29. 29.  EnCase allows you to list the files and directories, recover deleted files, conduct keyword searches, view all graphic images, make timelines of file activity, and use hash databases to identify known files.  It also has its own scripting language, called EnScript, which allows you to automate many tasks.  The EnCase Enterprise Edition is a network enabled incident response system which offers immediate and complete forensic analysis.
  30. 30.  Some of its impressive features are:-  Enterprise Edition – Centralized monitoring and real-time investigation.  Snapshot – Capture of RAM contents, running programs, open files and ports.  Organizes results into case file & provides case management for multiple cases.  Maintains chain of custody.  Tools for incident response to respond to emerging threats.  Supports real-time and post-mortem investigations.
  31. 31. It consists of three components:  The first of these components is the Examiner software. This software is installed on a secure system where investigations are performed.  The second component is called SAFE, which stands for Secure Authentication of EnCase. SAFE is a server which is used to authenticate users, administer access rights, maintain logs of EnCase transactions, and provide for secure data transmission.  The final component is Servlet, an efficient software component installed on servers to establish connectivity between the Examiner, SAFE, and the devices being investigated.
  32. 32.  Encryption  Using a key algorithm to convert simple text into cipher text.  Changing the file extension  changing a .docx to .jpg file.  Steganography  Steganography simply takes one piece of information and hides it within another. Computer files, such as images, sound recordings, and slack space contain unused or insignificant areas of data.
  33. 33.  With its help, we can catch criminal.  Can prevent data theft.  Recover hidden & deleted files.  Computer forensics ethics let the investigation process remain in legal rules & laws.  Privacy of client is compromised.  some sensitive data or information that is important to the client may be lost in order to find the evidence.  It is an expensive process.