WHAT IS COMPUTER FORENSICS
A process of applying scientific and analytical techniques to
computer operating systems and file structures in order to
determine potential legal evidence.
IT IS THE PRACTICE OF LAWFULLY ESTABLISHING
EVIDENCE AND FACTS.
It is a science involving legal evidence that is found in
digital storage media and in computers.
TYPES OF CYBER CRIMES
BREACH OF COMPUTER
SALES AND INVESTMENT
ELECTRONIC FUND TRANSFER
SOURCE OF EVIDENCE
SLACK, FREE, SWAP, RECYCLE BIN
APPLICATION FILES, TEMP FILES
BROWSER HISTORY AND CACHE
“ANY DATA THAT IS RECORDED OR PRESERVED ON ANY MEDIUM IN
OR BY A COMPUTER SYSTEM OR OTHER SIMILAR DEVICE, THAT CAN
BE READ OR UNDERSTOOD BY A PERSON OR A COMPUTER SYSTEM
OR OTHER SIMILAR DEVICE. IT INCLUDES A DISPLAY, PRINTOUT OR
OTHER OUTPUT OF THAT DATA.”
TYPES OF DIGITAL EVIDENCE
1) PERSISTENT DATA
Meaning data that remains intact when the computer is turned
off, e.g. hard drives, disk drives and removable storage devices
(such as USB drives or flash drives).
2) VOLATILE DATA
Meaning data that would be lost if the computer is turned off,
e.g. deleted files, computer history, the computer's
registry, temporary files and web browsing history.
•BLACKLIGHT - Windows, macOS and iOS forensic analysis software
•INTERNET EVIDENCE FINDER - Forensic tool that recovers
internet-related communications (chat, social
networking, webmail, cloud, web history, and more), including
•SANS INVESTIGATIVE FORENSICS TOOLKIT (SIFT) - Multi-
purpose forensic operating system
•REGISTRY RECON - Forensic tool that rebuilds Windows registries
from anywhere on a hard drive and parses them for deep analysis.
MOBILE DEVICE FORENSICS
•CELLEBRITE MOBILE FORENSICS - Universal forensic
extraction device: hardware and software
•MICROSYSTEMATION XRY/XACT - Hardware/software package that
specialises in deleted data
•ELCOMSOFT IOS FORENSIC TOOLKIT (EIFT) - Acquires bit-
precise images of Apple iOS devices in real time
•ELCOMSOFT PHONE PASSWORD BREAKER - Enables forensic
access to password-protected backups for smartphones and portable
devices based on the RIM BlackBerry and Apple iOS platforms.
1) Make a digital copy of the original evidence. Investigators make a
copy of the evidence and work with the copy to reduce the
possibility of inadvertently changing the original evidence.
2) Authenticate the copy of the evidence. Investigators must verify
that the copy of the evidence is exactly the same as the original.
3) Analyze the digital copy. The specific procedures performed in an
investigation are determined by the specific circumstances under
which the investigation is occurring.
CREATING A FORENSIC IMAGE
•Use a write blocker to ensure that no data is written back to the
subject’s hard drive.
•Connect the disk to the forensic server.
•Create the image of the disk using commands or specific applications.
•Verify the image using an MD5 sum.
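As an added example (not code from the original slides), the copy and authenticate steps above carried out on a constructed in-memory disk: a sector-by-sector copy with the semantics of dd's conv=noerror,sync, MD5 and SHA-256 of source and image, and the check that they agree. The FlakyDisk class, acquire, digests and verify are assumptions of this example; a real acquisition reads a block device behind a write blocker.

```python
import hashlib
import io

SECTOR = 512

class FlakyDisk(io.BytesIO):
    """Constructed source device: raises on chosen sectors like a failing drive."""
    def __init__(self, data, bad_sectors=()):
        super().__init__(data)
        self.bad = set(bad_sectors)

    def read(self, n=-1):
        if self.tell() // SECTOR in self.bad:
            self.seek(self.tell() + SECTOR)   # the drive moves on past the bad sector
            raise IOError("unreadable sector")
        return super().read(n)

def acquire(src, log):
    """Copy step, with the semantics of dd conv=noerror,sync: a sector that cannot
    be read is replaced by zeros so later sectors keep their original offsets,
    and the failure is written to the acquisition log."""
    image = bytearray()
    src.seek(0)
    while True:
        try:
            chunk = src.read(SECTOR)
        except IOError as err:
            log.append(f"sector {len(image) // SECTOR}: {err}, padded with zeros")
            chunk = b"\0" * SECTOR
        if not chunk:
            break
        image += chunk.ljust(SECTOR, b"\0")   # pad a short final block, as dd sync does
    return bytes(image)

def digests(data):
    """Hash record kept with the image: two algorithms, not MD5 alone."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha256")}

def verify(source_bytes, image):
    """Authenticate step: the image is a faithful copy only if every hash agrees.
    With read errors this check fails by design; the hashes of the image itself
    are then what gets recorded and re-verified later."""
    return digests(source_bytes) == digests(image)

if __name__ == "__main__":
    disk = bytes(range(256)) * 8              # constructed 4-sector "drive"
    log = []
    img = acquire(FlakyDisk(disk, bad_sectors=[1]), log)
    print(log, verify(disk, img), digests(img)["sha256"])
```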
ANALYSIS OF A FORENSIC IMAGE
•Logical and physical analysis
•Logical – Conventional way of accessing files using a file explorer, image viewers,
etc. Analyses allocated space
•Physical – Using hex editors. Analyses unallocated and slack space
•Mount the image
•Search for files using keywords, type, etc. to reduce the search size
SEARCHING FOR EVIDENCE
•Windows swap file - A swap file is virtual memory that is used as an
extension of the computer system's RAM
•Cookies - Cookies are pieces of information generated by a web
server and stored on the user's computer, ready for future access
•Every time a user uses Windows Explorer or Internet Explorer to access a
file or web site, digital traces of these activities are placed on the hard
•index.dat files are binary files
•Pasco is a small open source application that parses the contents of
index.dat files and outputs the results into a tab-delimited file
Files accessed and opened via Windows Explorer (rows 4 through 9)
Keywords used in searches over the Internet (rows 10 and 11)
URLs visited via Internet Explorer (rows 12 through 15)
WHAT HAPPENS WHEN A FILE IS DELETED?
Consider the FAT file system. Its on-disk layout is:
1. The boot record is the 1st sector of the disk
2. 1st file allocation table
3. 2nd file allocation table (a backup of the first)
4. Root directory
5. Data area
When a file is deleted:
•The first character of the file’s name in the root directory is changed
•The FAT entries are set to 0.
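As an added example (not from the original slides), a constructed in-memory model of the FAT layout just described: create a file, delete it the way FAT does, and show why the body can still be recovered. The 32-byte directory entry layout and the 0xE5 marker follow the FAT12/16 specification; the TinyFat class, its cluster size and its method names are assumptions of this example.

```python
import struct

CLUSTER, N_CLUSTERS = 512, 16
DELETED = 0xE5          # value FAT writes into name[0] to mark a directory slot free
END_OF_CHAIN = 0xFFF

class TinyFat:
    """Constructed model: one FAT, a root directory of 32-byte entries, a data area."""
    def __init__(self):
        self.fat = [0] * N_CLUSTERS                   # 0 = free cluster
        self.fat[0] = self.fat[1] = END_OF_CHAIN      # reserved entries
        self.root = []                                # raw 32-byte directory entries
        self.data = bytearray(CLUSTER * N_CLUSTERS)

    def create(self, name, body):
        """Allocate a cluster chain, write the body and add a directory entry."""
        needed = -(-len(body) // CLUSTER)
        chain = [c for c in range(2, N_CLUSTERS) if self.fat[c] == 0][:needed]
        for i, c in enumerate(chain):
            self.fat[c] = chain[i + 1] if i + 1 < len(chain) else END_OF_CHAIN
            piece = body[i * CLUSTER:(i + 1) * CLUSTER].ljust(CLUSTER, b"\0")
            self.data[c * CLUSTER:(c + 1) * CLUSTER] = piece
        # 8.3 name, attribute, 10 reserved bytes, time, date, first cluster, size
        entry = struct.pack("<11sB10sHHHI", name.ljust(11).encode(), 0x20,
                            b"\0" * 10, 0, 0, chain[0], len(body))
        self.root.append(entry)
        return chain

    def delete(self, name):
        """As the slides describe: zero the FAT chain, change only name[0], leave data."""
        for i, entry in enumerate(self.root):
            if entry[:11] == name.ljust(11).encode() and entry[0] != DELETED:
                c = struct.unpack_from("<H", entry, 26)[0]
                while c != END_OF_CHAIN:          # walk the chain before zeroing each link
                    nxt = self.fat[c]
                    self.fat[c] = 0
                    c = nxt
                self.root[i] = bytes([DELETED]) + entry[1:]
                return True
        return False

    def recover_deleted(self):
        """Start cluster and size survive in the entry, so a contiguous file reads out."""
        found = []
        for entry in self.root:
            if entry[0] == DELETED:
                first, size = struct.unpack_from("<HI", entry, 26)
                found.append(bytes(self.data[first * CLUSTER:first * CLUSTER + size]))
        return found
```

Recovery by start cluster only works while nothing has reused those clusters and the file was stored contiguously; a fragmented file needs the zeroed chain, which is why deleted data should be examined before the disk is used again.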
COMPUTER FORENSICS METHODOLOGY
1) SHUT DOWN THE COMPUTER
2) DOCUMENT THE HARDWARE CONFIGURATION OF THE
3) TRANSPORT THE COMPUTER SYSTEM TO A SECURE
4) MAKE BIT STREAM BACKUPS OF HARD DISKS AND
5) MATHEMATICALLY VERIFY DATA ON ALL STORAGE
6) DOCUMENT THE SYSTEM DATE AND TIME
7) MAKE A LIST OF KEY SEARCH WORDS
8) EVALUATE THE WINDOWS SWAP FILE
9) EVALUATE FILE SLACK
10) EVALUATE UNALLOCATED SPACE (ERASED FILES)
11) SEARCH FILES, FILE SLACK AND UNALLOCATED
SPACE FOR KEY WORDS
12) DOCUMENT FILE NAMES, DATES AND TIMES
13) IDENTIFY FILE, PROGRAM AND STORAGE ANOMALIES
14) EVALUATE PROGRAM FUNCTIONALITY
15) DOCUMENT YOUR FINDINGS
WHO USES COMPUTER FORENSICS
RELY ON EVIDENCE OBTAINED FROM A COMPUTER TO
PROSECUTE SUSPECTS AND USE AS EVIDENCE.
PERSONAL AND BUSINESS DATA DISCOVERED ON A COMPUTER
CAN BE USED IN FRAUD, HARASSMENT, OR DISCRIMINATION
OBTAINED EVIDENCE FROM EMPLOYEE COMPUTERS CAN BE
USED AS EVIDENCE IN HARASSMENT, FRAUD, AND
LAW ENFORCEMENT OFFICIALS
RELY ON COMPUTER FORENSICS TO BACK UP SEARCH
WARRANTS AND POST-SEIZURE HANDLING.
OBTAIN THE SERVICES OF PROFESSIONAL COMPUTER
FORENSIC SPECIALISTS TO SUPPORT CLAIMS OF
HARASSMENT, ABUSE, OR WRONGFUL TERMINATION