2. Topics to be covered
• Defining Computer Forensics
• Who uses Computer Forensics
• Laws
• Reasons for gathering evidence
• Evidence processing guidelines
• Requirements
• Steps of Computer Forensics
• Forensics recovery
• Examples
• Anti-forensics
• Conclusion
• Acknowledgement
3. • The process of identifying, preserving, analyzing and presenting digital
evidence in a manner that is legally acceptable.” (McKemmish, 1999)
• “Gathering and analyzing data in a manner as freedom distortion or bias
as possible to reconstruct data or what has happened in the past on a
system.” (Farmer & Vennema,1999)
• Computer forensics is the application of computer investigation and
analysis techniques in the interests of determining potential legal
evidence.
• Forensic Computing, also known as Evidential Computing and even
sometimes Data Recovery, is the specialist process of imaging and
processing computer data which is reliable enough to be used as
evidence in court
What is Computer Forensics?
(Some definitions)
4. What will Computer Forensics do?
• Computer forensics, innovators of image copying technology, defined the
principles of the science of computer forensics and formalized an
approved and accepted methodology to COLLECT, ANALYSE and PRESENT
suspect data to a Court of Law.
• Computer forensics evidence is frequently sought in a wide range of
computer crime or misuse, including but not limited to theft of trade
secrets, theft of or destruction of intellectual property, and fraud.
• Computer forensics specialists draw on an array of methods for
discovering data that resides in a computer system.
• Experts in forensics computing can frequently recover files that have
been deleted, encrypted, or damaged, sometimes as long as years
earlier.
• Evidence gathered by computer forensics experts is useful and often
necessary during discovery, depositions, and actual litigation.
5. Who Uses Computer Forensics?
• Criminal Prosecutors
• -Rely on evidence obtained from a computer to prosecute suspects and use
as evidence
• Civil Litigations
• -Personal and business data discovered on a computer can be used in
fraud, divorce, harassment, or discrimination cases
• Insurance Companies
• -Evidence discovered on computer can be
used to mollify costs (fraud, worker’s
compensation, arson, etc)
• Private Corporations
• -Obtained evidence from employee computers can
be used as evidence in harassment, fraud, and embezzlement cases
6. FBI Computer Forensic Services
• Content
• Comparison again known data
• Transaction sequencing
• Extraction of data
• Recovering deleted data files
• Format conversion
• Keyword searching
• Decrypting passwords
• Analyzing and comparing limited source code
7. KNOW THE LAW...
• The US DOJ maintains a website with guidelines and case law
pertaining to seizing and searching computers. It's the best
place to start putting together a legal case that will be based
on evidence obtained from a computer system.
The US DOJ website is:
http://www.usdoj.gov/criminal/cybercrime/searching.html
They also have a wealth of "cyber-crime" information online
at: http://www.usdoj.gov/criminal/cybercrime/
8. Reasons For Evidence
• Wide range of computer crimes and misuses
• Non-Business Environment: evidence collected by Federal,
State and local authorities for crimes relating to:
– -Theft of trade secrets
– -Fraud
– -Extortion
– -Industrial espionage
– -Position of pornography
– -SPAM investigations
– -Virus/Trojan distribution
– -Intellectual property breaches
– -Unauthorized use of personal information
– -Perjury
9. • Computer related crime and violations include a range of
activities including:
• Business Environment:
• -Theft of or destruction of intellectual property
• -Unauthorized activity
• -Tracking internet browsing habits
• -Reconstructing Events
• -Inferring intentions
• -Selling company bandwidth
• -Wrongful dismissal claims
• -Software Piracy
Reasons For Evidence (cont)
10. Evidence Processing Guidelines
• New Technologies Inc. recommends following 16 steps in
processing evidence
• They offer training on properly handling each step
– Step 1: Shut down the computer
• Considerations must be given to volatile information
• Prevents remote access to machine and destruction of evidence (manual
or ant-forensic software)
– Step 2:
• Document the Hardware Configuration
of The System
• Note everything about the computer configuration
prior to re-locating
11. Evidence Processing Guidelines (cont)
• Step 3: Transport the Computer System to A Secure Location
– Do not leave the computer unattended unless it is locked in a secure
location
• Step 4: Make Bit Stream Backups of Hard Disks and Floppy Disks
• Step 5: Mathematically Authenticate Data on All Storage Devices
– Must be able to prove that you did not alter
any of the evidence after the computer
came into your possession
• Step 6: Document the System Date and Time
• Step 7: Make a List of Key Search Words
• Step 8: Evaluate the Windows Swap File
12. Evidence Processing Guidelines (cont)
• Step 9: Evaluate File Slack
– The DOS file system file allocation table (FAT) was never designed to
handle storage device with more than 32767 units of data. 32767 is
the largest number that can be represented with 16 bits.
– Data is written in sectors of 512 bytes (hard drives, floppy), or 2048
bytes (CD-ROM).
– This set an arbitrary limit on disk storage devices of 512x32767 =
16MB.
– To accommodate larger drives the concept of “clusters” was
invented. Clusters are a group of sectors written as a single atomic
unit. With clustering came file slack.
13. Evidence Processing Guidelines (cont)
• RAM Slack
If the file you are writing is shorter than the number of bytes in the clusters
you have allocated for your file, the file system will pad the data out to the end of the
current sector with “RAM slack”. RAM slack is random data that happens to be in
RAM memory at the time the file is written. It can contain any data that you were
working on since you last booted the PC. Such as emails, word documents, graphics,
etc.
• Drive Slack
Unlike RAM slack which comes from working storage, “drive slack” is data
left on the drive from a previous file. After completing the last partial sector with RAM
slack, subsequent whole sectors in the last cluster are left as is with whatever data
was written there previously.
14. Evidence Processing Guidelines (cont)
• Step 10: Evaluate Unallocated Space (Erased Files)
• Step 11: Search Files, File Slack and Unallocated Space for Key
Words
• Step 12: Document File Names, Dates and Times
• Step 13: Identify File, Program and Storage
Anomalies
• Step 14: Evaluate Program Functionality
• Step 15: Document Your Findings
• Step 16: Retain Copies of Software Used
15. Computer Forensic Requirements
Hardware
– Familiarity with all internal and external devices/components of a computer
– Thorough understanding of hard drives and settings
– Understanding motherboards and the various chipsets used
– Power connections
– Memory
BIOS
– Understanding how the BIOS works
– Familiarity with the various settings and limitations of the BIOS
16. Computer Forensic Requirements
(cont)
• .Operation Systems
– Windows 3.1/95/98/ME/NT/2000/2003/XP
– DOS
– UNIX
– LINUX
– VAX/VMS
Software
– Familiarity with most popular software packages
such as Office
Forensic Tools
– Familiarity with computer forensic techniques and the software packages that could be
used
17. Steps Of Computer Forensics
• .According to many professionals, Computer Forensics is
a four (4) step process
Acquisition
– Physically or remotely obtaining possession of the computer, all
network mappings from the system, and external physical storage
devices
Identification
-This step involves identifying what data could be recovered and electronically
retrieving it by running various Computer Forensic tools and software
suites
Evaluation
– Evaluating the information/data recovered to
determine if and how it could be used again the
suspect for employment termination or prosecution
in court
18. Steps Of Computer Forensics (cont)
• .Presentation
– This step involves the presentation of evidence discovered in a
manner which is understood by lawyers, non-technically
staff/management, and suitable as evidence as determined by
United States and internal laws
19. Handling Evidence
• No possible evidence is damaged, destroyed, or otherwise
compromised by the procedures used to search the computer
• Preventing viruses from being introduced to a computer
during the analysis process
• Establishing and maintaining a continuing chain of custody
• Limiting the amount of time business operations are affected
20. Initiating An Investigation
• DO NOT begin by exploring files on system randomly
• Establish evidence custodian - start a detailed journal with the date and
time and date/information discovered
• If possible, designate suspected equipment as “off-limits” to normal
activity. This includes back-ups, remotely or locally scheduled
house-keeping, and configuration
changes
• Collect email, DNS, and other network
service logs
21. Incidence Response
• Identify, designate, or become evidence custodian
• Review any existing journal of what has been done to system
already and/or how intrusion was detected
• Begin new or maintain existing journal
• Install monitoring tools (sniffers, port detectors, etc.)
• Without rebooting or affecting running processes, perform a
copy of physical disk
• Capture network information
22. Forensic Recovery
Take pictures to document area around the computer.
You may find removable media, or clues to your subject’s
passwords in your photos.
23. Forensic Recovery
• .
Tip #3: Don’t assume system will boot first from the floppy drive.
Always go into setup first and make sure the system will boot first
from where you expect it to.
Ex. Floppy or CD-ROM.
24. Forensic Recovery
• .
Take screen shots to preserve evidence.
In this case documented “buddies list” in ICQ and Yahoo! Messenger.
Used FTK to find emails to / from same buddies. And their solicitations on
Internet adult meeting sites.
25. EXAMPLES
• 1.Hot Hard Drives:
In an arson and murder investigation, computer forensic
investigators were asked to analyze hard drives recovered from a
burned house which were charred and covered with ash and soot.
When experienced engineers opened the drives in a sterile cleanroom
– designed for repairing damaged computer media – they discovered
the data contained on the individual data platters was not subjected to
a high enough heat to cause permanent data loss. Relying on years of
experience with fire-damaged computer media, engineers recovered
and produced all of the data to the prosecutor’s office for analysis. The
evidence contained on the hard drives helped the prosecutors build
their case against the charged individual.
26. EXAMPLES
• 2.Usurping USB Drives:
On behalf of a bank, a computer forensic investigation was
undertaken focusing on several computers owned by a bank customer
suspected in a money laundering scheme. The initial review of the computers
revealed that a large capacity USB drive was installed on the machine one day
prior to turning over the computers pursuant to the court order. Upon further
review of the USB drive, the engineers proved the individual had engaged in
corporate financial fraud, stolen business funds and moved the money in
foreign back accounts.
27. Anti-Forensics
• Software that limits and/or corrupts evidence that could be
collected by an investigator
• Performs data hiding and distortion
• Exploits limitations of known and used forensic tools
• Works both on Windows and LINUX based systems
• In place prior to or post system acquisition
28. Methods Of Hiding Data
To human eyes, data usually contains known forms, like
images, e-mail, sounds, and text. Most Internet data naturally
includes gratuitous headers, too. These are media exploited
using new controversial logical encodings: steganography and
marking.
– Steganography: The art of storing information in such a
way that the existence of the information is hidden.
29. Methods Of Hiding Data
• 1
To human eyes, data usually contains known forms, like images,
e-mail, sounds, and text. Most Internet data naturally includes
gratuitous headers, too. These are media exploited using new
controversial logical encodings: steganography and marking.
The duck flies at midnight. Tame uncle Sam
Simple but effective when done well
30. Methods Of Hiding Data
Watermarking: Hiding data within data
– Information can be hidden in almost any file format.
– File formats with more room for compression are best
• Image files (JPEG, GIF)
• Sound files (MP3, WAV)
• Video files (MPG, AVI)
– The hidden information may be encrypted, but not
necessarily
– Numerous software applications will do this for you: Many
are freely available online
31. CONCLUSION
• Use a systematic approach to investigations
• Plan a case by taking into account:
– Nature of the case
– Case requirements
– Gathering evidence techniques
• Do not forget that every case can go to court
• Apply standard problem-solving techniques
• Keep track of the chain of custody of your evidence
• Produce a final report detailing what you did and found
32. ACKNOWLEDGEMENT
• .I wish to thank my faculty members of CSE department ,Dr.
Sudhir Chandra Sur Degree Engineering College for guidance
and useful suggestions, which helped us a lot in completing the
presentation work, in time.
We also took help from internet for ideas which made us able
to complete this presentation.