This document provides an overview of computer forensics. It defines computer forensics as the process of preserving, identifying, extracting, documenting and interpreting computer data for legal evidence. The document outlines the history of the field from the 1970s to present day, describes the typical steps of acquisition, identification, evaluation and presentation, and discusses certifications, requirements, evidence collection, uses, advantages and disadvantages of computer forensics. It concludes that computer forensics is needed to uncover electronic evidence for prosecuting cybercrimes.

1. COMPUTER
FORENSICS
By Group :-G10
Group Members are as:1:Pradeep Kumar
2:Parvez
3:Surender Singh

2. CONTENTS
Definition of Computer Forensics
History of Computer Forensics
Steps Of Computer Forensics
Certifications for Computer Forensic
Computer Forensic Requirements
Collecting Evidence
Uses of Computer forensics
Advantages of Computer Forensics
Disadvantages of Computer Forensics
Computer forensics labs and centers in India
Conclusion

3. THE FIELD OF
COMPUTER FORENSICS
What is Computer Forensics?

Computer forensics involves the
preservation, identification, extraction,
documentation, and interpretation of computer
media for evidentiary and root cause analysis

Computer forensics is the process of
identifying, preserving, and analyzing data and
technical items for evidence that will be used
in court

4. THE FIELD OF
COMPUTER FORENSICS
Used to obtain potential legal evidence
 Evidence might be required for a wide range of
computer crimes and misuses
 Multiple methods of computer forensics are:
 Discovering data on computer system
 Recovering deleted, encrypted, or damaged
file information
 Monitoring live activity
 Detecting violations of corporate policy
 Information collected assists in arrests,
prosecution, termination of employment, and
preventing future illegal activity


5. THE FIELD OF
COMPUTER FORENSICS
 Example:-
Recovering thousands of deleted emails
 Performing investigation post employment
termination
 Recovering evidence post formatting hard
drive


6. HISTORY OF COMPUTER
FORENSICS
1970s
 First crimes cases involving computers, mainly financial fraud
1980’s
 Financial investigators and courts realize that in some cases all the
records and evidences were only on computers.
 Norton Utilities, “Un-erase” tool created
 Association of Certified Fraud Examiners began to seek training in
what became computer forensics
 SEARCH High Tech Crimes training created
 Regular classes began to be taught to Federal agents in California
and at FLETC in Georgia
 HTCIA formed in Southern California

7. HISTORY OF COMPUTER
FORENSICS
1984
 FBI Magnetic Media Program created... this later becomes
the Computer Analysis and Response Team (CART)
1993
 First International Conference on Computer Evidence held
1995
 International Organization on Computer Evidence (IOCE)
formed

8. HISTORY OF COMPUTER
FORENSICS
1997
 The G8 countries declared that "Law enforcement personnel
must be trained and equipped to address high-tech crimes" in
the Moscow
1998
 In March G8 appointed IICE to create international
principles for the procedures relating to digital evidence
1998
 INTERPOL Forensic Science Symposium

9. HISTORY OF COMPUTER
FORENSICS
1999
 FBI CART case load exceeds 2000 cases,
 examining 17 terabytes of data
2000
 First FBI Regional Computer Forensic Laboratory
established
2003
 FBI CART case load exceeds 6500 cases,
 examining 782 terabytes of data

10. STEPS OF COMPUTER
FORENSICS

According to many professionals, Computer Forensics is
a four (4) step process
 Acquisition

Physically or remotely obtaining possession of the
computer, all network mappings from the system,
and external physical storage devices
 Identification

This step involves identifying what data could be
recovered and electronically retrieving it by
running various Computer Forensic tools and
software
suites

11. STEPS OF COMPUTER
FORENSICS
 Evaluation

Evaluating the information/data recovered to
determine if and how it could be used again the
suspect for employment termination or prosecution
in court
 Presentation

This step involves the presentation of evidence
discovered in a manner which is understood by
lawyers, non-technically staff/management, and
suitable as evidence as determined by United States
and internal laws

12. CERTIFICATION FOR COMPUTER
INVESTIGATIVE SPECIALISTS
CEECS (Certified Electronic Evidence Collection Specialist
Certification)
 Awarded to individuals who complete the CEECS regional
certification course
 Also awarded to individuals in the Certified Forensic
Computer Examiner course that successfully pass the written
test

13. CERTIFICATION FOR
FORENSIC COMPUTER
EXAMINER
Internal Certification Training Program

Must successfully complete two week training course
offered by IACIS and correspondence proficiency
problems
External Certification Testing Process
Not a training course
 Testing process
Active Law Enforcement
Individuals qualified for IACIS membership

Recertification

Every three years must complete recertification process
Must be in good standing with IACIS
Complete proficiency test

14. A COMPUTER FORENSIC
SPECIALIST PROMISES TO:





Do not delete, damage or alter any evidence
Protect the computer and files against a virus
Handle all evidence properly to prevent any future
damage
Keep a log of all work done and by whom
Keep any Client-Attorney information that is gained
confidential

15. COMPUTER FORENSIC
REQUIREMENTS


Hardware
 Familiarity with all internal and external
devices/components of a computer
 Thorough understanding of hard drives and settings
 Understanding motherboards and the various chipsets
used
 Power connections
 Memory
BIOS
 Understanding how the BIOS works
 Familiarity with the various settings and limitations of
the BIOS

16. COMPUTER FORENSIC
REQUIREMENTS

Operation Systems
Windows 3.1/95/98/ME/NT/2000/2003/XP
 DOS
 UNIX
 LINUX



Software
 Familiarity with most popular software packages
such as MS Office
Forensic Tools
 Familiarity with computer forensic techniques and the
software packages that could be used

17. COLLECTING EVIDENCE

Make Exact copies of all
hard drives & disks using
computer software


Protect the Computer
system


Date and Time stamped on each file;
used for timeline
Avoid deletion, damage, viruses
and corruption
Discover files





Normal Files
Deleted Files
Password Protected Files
Hidden Files
Encrypted Files




Reveal all contents of
hidden files used by
application and operating
system
Access contents of
password protected files if
legally able to do so
Analyze data
Print out analysis




Computer System
All Files and data
Overall opinion
Provide expert
consultation/testimony

18. USES OF COMPUTER
FORENSICS

Criminal Prosecutors


Civil Litigations


Rely on evidence obtained from a computer to
prosecute suspects and use as evidence
Personal and business data discovered on a computer
can be used in fraud, divorce, harassment, or
discrimination cases
Insurance Companies

Evidence discovered on computer can be
used to mollify costs (fraud, worker’s
compensation, arson, etc)

19. USES OF COMPUTER
FORENSICS

Private Corporations


Law Enforcement Officials


Obtained evidence from employee computers can
be used as evidence in harassment, fraud, and
embezzlement cases
Rely on computer forensics to backup search warrants
and post-seizure handling
Individual/Private Citizens

Obtain the services of professional computer forensic
specialists to support claims of harassment, abuse, or
wrongful termination from employment

20. ADVANTAGES OF COMPUTER
FORENSICS
Ability to search
through a massive
amount of data
 Quickly
 Thoroughly
 In
any language

21. DISADVANTAGES OF
COMPUTER FORENSICS

Digital evidence accepted
into court



must prove that there is no
tampering
all evidence must be fully
accounted for
computer forensic specialists
must have complete knowledge
of legal requirements, evidence
handling and storage and
documentation procedures

22. DISADVANTAGES OF
COMPUTER FORENSICS

Costs

producing electronic records & preserving them is
extremely costly ,
Presents the potential for exposing privileged
documents
 Legal practitioners must have extensive
computer knowledge


23. COMPUTER FORENSICS LABS
AND CENTERS IN INDIA
1.
2.
3.
4.
5.
6.
7.
cyber college, Dehradun
Secure India (A Group of Cyber Security Specialists),
Muzaffarnagar, Uttar Pradesh
E2Labs Research & Development Center, Hyderabad,
Andhra Pradesh
Agape Inc, Nagpur, Maharashtra
Appin Technology Lab, Hyderabad, Andhra Pradesh
Shoeb Online, Mumbai, Maharashtra
ForensicsGuru.com, New Delhi
8.
I.TECH COMPUTERS - DATA FORENSICS & DATA
RECOVERY, Mumbai
9.
Indiaforensic Center of Studies , Pune
Focus Forensics Technology Private Limited,Delhi
10.

24. CONCLUSION
With computers becoming more and more
involved in our everyday lives, both
professionally and socially, there is a need for
computer forensics. This field will enable crucial
electronic evidence to be found, whether it was
lost, deleted, damaged, or hidden, and used to
prosecute individuals that believe they have
successfully beaten the system.

25. REFERENCES
http://www.allstateinvestigation.com/ComputerForens
icServices.htm
 Computer Forensics, Inc. http://www.forensics.com/
 http://www.computer-forensic.com/index.html
 http://www.forensicsresearch.com/index.php/computer-forensics/tools/


26. QUERY
?