The document discusses the field of computer forensics, which involves the identification, preservation, analysis, and presentation of digital evidence in a legally acceptable manner, particularly in response to increasing cybercrime. It covers various categories of computer forensics, methodologies for evidence collection, handling of volatile and persistent data, and the importance of creating forensic images for legal proceedings. The document also outlines tools and techniques used in forensic investigations, the challenges of managing digital evidence, and the ethical considerations surrounding the practice.

2.  Computer forensics
definitions
 Need for computer forensics
 Cyber crime
 Types of computer forensics
 Components & steps in
computer forensics
 Principle of exchange
 Brief description of digital
evidence
 Metadata, slack space, swap
files & unalloacted space
 Forensic server
 Initial response
 Creating a forensic image
 Computer forensic
methodology
 Computer forensic toolkit
 Encase by guidance
software
 Methods to hide data
 Pros & cons of computer
forensics.

3.  Computer forensics
is the process of
identifying ,
preserving ,
analyzing and
presenting the
evidence in a manner
that is legally
acceptable.
 Computer forensics
is the application of
computer
investigation &
analysis in the
interest of
determining potential
legal evidence.

4. The need of computer forensics in the present age
can be considered as much severe due to the
internet advancements and the dependency on the
internet. The people that gain access to the
computer systems without proper authorization
should be dealt in.
Cyber crime rates are accelerating and computer
forensics is the crucial discipline that has the
power to impede the progress of these cyber
criminals.

5.  Identity threats
 Email theft
 Software piracy
 Unauthorized access
 Data theft
 Credit card cloning
 Fraud
 Hacking
 Cyber terrorism
 Copyright violation
 Stalking &
harassment
 Denial of service
 Releasing malicious
virus
 Computer fraud
 Stock manipulation

6. Computer forensics is broadly divided into five
categories namely-
 Disk forensics
 Network forensics
 Email forensics
 Internet forensics
 Source code/portable device forensics

7.  Identifying(Acquisition)
 Collecting
 Preserving
 Analyzing
 Extracting
 Documenting
 Presenting

8.  Open a case
 Acquire the evidence
 Create a forensic image
 Index & catalogue the evidence
 Analyze the data(evidence)
 Save evidence to viewable drive
 Create a report of findings
 Admissible your report of findings to legal
proceedings.

10. When seizing a stand alone computer at the crime
scene:
if the computer is “POWERED OFF” , do not
turn It ON.
if the computer is “POWERED ON” , do not
turn it OFF & do not allow any suspect or
associate to touch it.

12. “..when a person commits a crime
something is always left at the
scene of the crime that was not
present when the person arrived.”

13. Volatile
any data that is stored in memory or exist in transit and
will be lost when the computer is turned off.
Volatile data might be key evidence, so it is important
that if the computer is on at the scene of the crime it
remain on.
Persistent
that data which is stored on a hard drive or another
medium and is preserved when the computer is turned
off.

14. Some forms of digital evidence are:-
 Present / Active (doc’s, spreadsheets, images,
email, etc.)
 Archive (including as backups)
 Deleted (in slack and unallocated space)
 Temporary (cache, print records, Internet usage
records, etc.)
 Encrypted or otherwise hidden
 Compressed or corrupted

15.  DIGITAL EVIDENCE is fragile.
 DIGITAL EVIDENCE is easily altered if not
handled properly.
 Simply turning a computer on or operating the
computer changes and damages evidence.
 Even the normal operation of the computer can
destroy computer evidence that might be lurking in
unallocated space, file slack, or in the Windows
swap file.

16. 1.Before touching the
computer, place an
unformatted or blank
floppy disk or attach an
external device to copy
all the data, and write
detailed notes about
what is on the
computer’s screen.

17. 2.Photograph the back of
the computer & everything
that is connected to it.
3. Photograph and label the
back of any computer
components with existing
connections to the
computer.

18. o If u do not have a
computer specialist
on the scene, the
safest way to turn off
a computer is to pull
the plug from the
back of the
computer.
o Disconnect all power
sources; unplug the
power cords from the
wall and the back of
the computer.
Notebook computers
may need to have
their battery
removed.

19.  The following are the digital evidences always
found at a crime scene system & are the most
important part of investigation.
 These include:
 metadata
 Slack space
 Swap files
 Unallocated space

20.  Metadata is data about data.
 Metadata is information embedded in the file itself
that contains information about the file.
Metadata does contain useful information about file
but it is limited.
Example:-author
file name , size , location
File properties
Might contain revision comments etc.

21.  Space not occupied by an active file, but not
available for use by the operating system.
 Every file in a computer fills a minimum amount
of space.
 slack space results when file systems create a
cluster (Windows) or block (Linux) but do not
necessarily use the entire fixed length space that
was allocated.
 Clusters are form because of collection of garbage
and dangling references.

23.  The swap file is a hidden system file that is used
for virtual memory when there is not enough
physical memory to run programs.
 Space on the hard drive is temporarily swapped
with the RAM as programs are running.
 This swap file contains portions of all documents
and other material a user produces while using the
computer.

24.  When a user deletes a file, it is flagged as no
longer needed, but it remains on the system
until it is overwritten.
 The remaining files are in unallocated disk
space, where clusters/blocks are not assigned
but may contain data.

26. PHYSICAL
INVESTIGATION
 It includes identifying or
locating physical
evidence such as
removal of computer
hardware or making
attempts to reach
connected physical
devices.
LOGICAL
INVESTIGATION
 It is referred to as digital
investigation it means
analyzing file & data in
the system. It requires a
well defined security
policy.

28.  Forensic server is a system which contains forensic
toolkits for investigation with dual-bootable
window/linux installed.
 The activities performed in a forensic analysis may
easily tax the average computer.
 It is desirable to have as much physical RAM, as well
as a fast processor , enough drive space to hold the
operating system, several forensic tools, as well as all
of the forensic images collected from the subject’s
computer.

29.  The first activity performed by law enforcement at a
physical crime is to restrict access by surrounding the
crime scene with yellow tape.
 The second rule is to document the crime scene and all
activities performed.
 Bag-and-tag of all potential evidence.
 Search for ‘sticky notes’ or any other written
documentation near the computer.
 Take any computer manuals in case they are needed for
reference back at the forensics lab.

30. The first step after acquiring digital
evidence is to create an exact physical
copy of the evidence. This copy is often
called a bit-stream image, forensic
duplicate, or forensic image. Creating a
forensic image is important for a legal
standpoint, courts look favorably upon
forensic images because it demonstrates
that all of the evidence was captured.

31.  shut down the computer.
 Document the hardware configuration of the system.
 Transport the computer system to a secure location.
 Make bit stream back ups of hard disk and floppy disk.
 Mathematically authenticate data on all storage
devices.
 Document the system date and time.
 Make a list of key search words.
 Evaluate the window swap file.
 Evaluate file slack.
 Evaluate unallocated space.

32.  Search file slack and unallocated space for key words.
 Document file names, dates and times.
 Identify file, program and storage anomalies.
 Evaluate program functionally.
 Document every activity and findings.

33.  EnCase by Guidance Software
 Forensic Tool Kit by Access Data
 SMART by ASR Data
 The Sleuth kit(TSK)
 ProDiscover by technology pathways
 The image master
 Data and password recovery toolkit
 Maresware by Mares & Associates
 DataLifter by StepaNet Communications

34.  EnCase is considered as the leader in stand-alone
forensic analysis.
 This means it is a bundled software package that
provides multiple forensic tools within the box.
 EnCase is Windows-based and can acquire and
analyze data using the local or network-based
versions of the tool.
 EnCase can analyze many file system formats,
including FAT, NTFS, Ext2/3, CD-ROMs, and
DVDs. EnCase also supports Microsoft Windows
dynamic disks.

35.  EnCase allows you to list the files and directories,
recover deleted files, conduct keyword searches,
view all graphic images, make timelines of file
activity, and use hash databases to identify known
files.
 It also has its own scripting language, called
EnScript, which allows you to automate many
tasks.
 The EnCase Enterprise Edition is a network
enabled incident response system which offers
immediate and complete forensic analysis.

36.  Some of its impressive features are:-
 Enterprise Edition – Centralized monitoring and
real-time investigation.
 Snapshot – Capture of RAM contents, running
programs, open files and ports.
 Organizes results into case file & provides case
management for multiple cases.
 Maintains chain of custody.
 Tools for incident response to respond to emerging
threats.
 Supports real-time and post-mortem investigations.

37. It consists of three components:
 The first of these components is the Examiner
software. This software is installed on a secure system
where investigations are performed.
 The second component is called SAFE, which stands
for Secure Authentication of EnCase. SAFE is a server
which is used to authenticate users, administer access
rights, maintain logs of EnCase transactions, and
provide for secure data transmission.
 The final component is Servlet, an efficient software
component installed on servers to establish
connectivity between the Examiner, SAFE, and the
devices being investigated.

45.  Encryption
 Using a key algorithm to convert simple text into
cipher text.
 Changing the file extension
 changing a .docx to .jpg file.
 Steganography
 Steganography simply takes one piece of
information and hides it within another. Computer
files, such as images, sound recordings, and slack
space contain unused or insignificant areas of data.

49.  With its help, we can
catch criminal.
 Can prevent data theft.
 Recover hidden &
deleted files.
 Computer forensics
ethics let the
investigation process
remain in legal rules &
laws.
 Privacy of client is
compromised.
 some sensitive data or
information that is
important to the client
may be lost in order to
find the evidence.
 It is an expensive
process.