Computer forensics involves the collection, analysis and presentation of digital evidence for use in legal cases. It combines elements of law, computer science and forensic science. The goal is to identify, collect and analyze digital data in a way that preserves its integrity so it can be used as admissible evidence. This involves understanding storage technologies, file systems, data recovery techniques and tools for acquisition, discovery and analysis of both volatile and persistent data. Computer forensics practitioners must be aware of ethical standards to maintain impartiality and integrity in their investigations.
2. What is Computer Forensics?
• Forensics is the process of using scientific knowledge for collecting, analyzing, and presenting evidence to the courts. (The word forensic comes from the Latin forensis, “of the forum”, i.e. belonging to public debate and the courts.)
• Forensics deals primarily with the recovery and analysis of latent evidence.
• Latent evidence can take many forms, from fingerprints left on a window to DNA evidence recovered from blood stains to the files on a hard drive.
3. What is Computer Forensics? (cont)
• Because computer forensics is a relatively young discipline, there is little standardization and consistency across the courts and industry.
• “We define computer forensics as the discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law”.
4. Why is Computer Forensics Important?
• From a technical standpoint, the main goal of computer forensics is to identify, collect, preserve, and analyze data in a way that preserves the integrity of the evidence collected so it can be used effectively in a legal case.
5. TECHNOLOGY
• Understanding of
– storage technology
– operating system features
• Windows
• Linux
• Unix
• Mac OS
– file systems
6. TECHNOLOGY
• Knowledge of
– Slack space
– Host Protected Area (HPA)
– Device Configuration Overlay (DCO)
• Disk imaging
• Data recovery
• Total data deletion
• Handling encryption
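Forensic duplication (the “Disk imaging” and “Data recovery” items above) in working form, as an added example written for this page rather than code from the original deck: a sector-by-sector acquisition that zero-fills unreadable sectors and logs their offsets (the behaviour of `dd conv=noerror,sync` or dc3dd, so every byte keeps the offset it had on the medium), hashes exactly the bytes written, and then verifies the image by re-reading it. The medium is a constructed file with one simulated unreadable sector; the sector size, the `read_block` hook and the file names are assumptions made for the example.

```python
"""Added example for this page: sector-wise forensic acquisition with hash verification.
Not code from the original deck; file names, block size and the read hook are assumptions."""
import hashlib
import os
import tempfile

BLOCK_SIZE = 512  # assumed sector size


def _read_block(fh, offset, size):
    """Default reader: seek and read `size` bytes at `offset`."""
    fh.seek(offset)
    return fh.read(size)


def acquire_image(source_path, image_path, block_size=BLOCK_SIZE, read_block=_read_block):
    """Copy the medium sector by sector into a raw image.

    A sector that cannot be read is written as zeros and its offset is logged,
    so every byte in the image keeps the offset it had on the original medium
    (the equivalent of `dd conv=noerror,sync`). The SHA-256 is computed over
    exactly the bytes written, i.e. it is the acquisition hash of the image.
    """
    digest = hashlib.sha256()
    bad_blocks = []
    total = os.path.getsize(source_path)
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        offset = 0
        while offset < total:
            size = min(block_size, total - offset)
            try:
                chunk = read_block(src, offset, size)
                if len(chunk) != size:          # short read: treat as unreadable
                    raise OSError("short read")
            except OSError:
                chunk = b"\x00" * size
                bad_blocks.append(offset)
            dst.write(chunk)
            digest.update(chunk)
            offset += size
    return {"size": total, "sha256": digest.hexdigest(), "bad_blocks": bad_blocks}


def sha256_file(path, chunk_size=1 << 20):
    """Re-hash a file from scratch (used for independent verification)."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_image(image_path, record):
    """Verification: size and a fresh SHA-256 of the image must match the record."""
    return (os.path.getsize(image_path) == record["size"]
            and sha256_file(image_path) == record["sha256"])


def demo():
    """Constructed medium of 8 sectors (sector i filled with byte i+1); sector 3 is
    made unreadable by the read hook. Returns the record, the image bytes and the
    verification result."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "evidence.raw")   # stands in for /dev/sdX
    image = os.path.join(workdir, "evidence.dd")
    with open(source, "wb") as fh:
        for i in range(8):
            fh.write(bytes([i + 1]) * BLOCK_SIZE)

    def flaky_read(fh, offset, size):
        if offset == 3 * BLOCK_SIZE:
            raise OSError("simulated unreadable sector")
        return _read_block(fh, offset, size)

    record = acquire_image(source, image, read_block=flaky_read)
    with open(image, "rb") as fh:
        image_bytes = fh.read()
    return record, image_bytes, verify_image(image, record)


if __name__ == "__main__":
    rec, data, ok = demo()
    print("sha256:", rec["sha256"], "bad sectors at:", rec["bad_blocks"], "verified:", ok)
```

The acquisition record (hash, size, bad-sector offsets, tool and time) belongs in the acquisition log; verification must re-read the image rather than reuse the digest computed while writing, because the point is to catch a write that did not land on disk as intended. On a real medium the source would be a block device opened through a write blocker, and the list of zero-filled sectors is what lets a later examiner explain gaps in the image.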
7. COLLABORATION
• Computer Forensics investigation requires collaboration of
– Law enforcement
– Attorneys
– Computer specialists
• In academia, collaborating units could be:
– Computer Science
– Criminal Justice
– Law
– Accounting & Finance
8. APPLICATIONS
• Email
– Lasts longer than people believe
– Businesses monitor employee emails
– Admissible in legal proceedings
– Protect using PGP
• E-commerce
– Exchange of confidential data
– Impersonation
10. Security Issues
• Data hiding
• Image hiding
• Improper destruction of sensitive data
• Weak authentication tools
– Created, Accessed, Modified date
– Boot password
– Password cracking
11. What are some typical aspects of a computer forensics investigation?
• First, those who investigate computers have to understand the kind of potential evidence they are looking for in order to structure their search.
• Crimes involving a computer can range across the spectrum of criminal activity, from child pornography to theft of personal data to destruction of intellectual property.
• Second, the investigator must pick the appropriate tools to use. Files may have been deleted, damaged, or encrypted, and the investigator must be familiar with an array of methods and software to prevent further damage in the recovery process.
12. NATURE OF FORENSIC EVIDENCE
• Two basic types of data are collected in computer forensics.
– Persistent data is the data that is stored on a local hard drive (or another medium) and is preserved when the computer is turned off.
– Volatile data is any data that is stored in memory, or exists in transit, that will be lost when the computer loses power or is turned off.
• Volatile data resides in CPU registers, caches, and random access memory (RAM). Since volatile data is ephemeral, it is essential an investigator knows reliable ways to capture it, and captures it before anything persistent.
13. NATURE OF FORENSIC EVIDENCE (Cont’)
• Data must be relevant & reliable
• Reliability of evidence gathered by tools assessed by judge in pre-trial hearing aka Daubert Hearing
• Assesses Methodology to gather evidence
– Sound scientific practices?
– Reliable evidence?
14. PRE-TRIAL HEARINGS
• Frye Test – past method (still applied by some US state courts)
– Responsibility on scientific community
– Defined acceptable evidence gathering procedures
– Used Peer Reviewed Journals
• Daubert Hearing – current method in US federal courts
– Offers additional methods to test quality of evidence
15. DAUBERT HEARING PROCESS
• Testing – Is this procedure tested?
• Error Rate – What is the error rate of this procedure?
• Publication – Has procedure been published and reviewed by peers?
• Acceptance – Is the procedure generally accepted within the relevant scientific community?
16. TYPES OF FORENSIC SOFTWARE
• Acquisition Tools
• Data Discovery Tools
• Internet History Tools
• Image Viewers
• E-mail Viewers
• Password Cracking Tools
• Open Source Tools
• Mobile Device tools (PDA/Cell Phone)
• Large Storage Analysis Tools
17. MORE ABOUT ELECTRONIC DATA DISCOVERY TOOLS
• Analyze data
• Retrieve data from different media
• Convert between different media and file
formats
• Extract text & data from documents
• Create images of the documents
• Print documents
• Archive documents
18. INTERNET HISTORY TOOLS
• Reads Information in Complete History Database
• Displays List of Visited Sites
• Opens URLs in Internet Explorer
• Adds URLs to Favorites
• Copies URLs
• Prints URLs
• Saves Listing/Ranges as Text File
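What “reads the complete history database” involves on a current browser, as an added example written for this page rather than code from the original deck: a reader for a Chromium-format `History` SQLite database, the modern counterpart of the Internet Explorer index.dat files the slide’s tools targeted. Chromium stores timestamps as microseconds since 1601-01-01 UTC (the WebKit epoch), which is the conversion most often got wrong in reports. The sample database is constructed inside the example with only the columns used by the query; its URLs and times are invented. The file is opened read-only so the evidence copy is never altered, and nothing is opened in a browser, since visiting a URL from the analysis workstation contacts the site and can tip off its operator.

```python
"""Added example for this page: parse a Chromium 'History' SQLite database.
Not code from the original deck; the sample database is constructed below."""
import datetime as dt
import os
import sqlite3
import tempfile

# Chromium timestamps count microseconds since 1601-01-01 00:00:00 UTC.
WEBKIT_EPOCH = dt.datetime(1601, 1, 1, tzinfo=dt.timezone.utc)


def webkit_to_datetime(micros):
    """Convert a WebKit/Chromium timestamp to an aware UTC datetime."""
    return WEBKIT_EPOCH + dt.timedelta(microseconds=micros)


def datetime_to_webkit(when):
    """Inverse conversion, exact in integer arithmetic (used to build the sample)."""
    delta = when - WEBKIT_EPOCH
    return (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds


def read_history(db_path):
    """Return every visit from the `visits`/`urls` tables, newest first.

    Opened with mode=ro so the evidence file is never written to; on a real
    case you would still work from a verified copy, not the original.
    """
    con = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        rows = con.execute(
            "SELECT u.url, u.title, u.visit_count, v.visit_time "
            "FROM visits v JOIN urls u ON v.url = u.id "
            "ORDER BY v.visit_time DESC"
        ).fetchall()
    finally:
        con.close()
    return [
        {"url": url, "title": title, "visit_count": count,
         "visited_utc": webkit_to_datetime(t).isoformat()}
        for url, title, count, t in rows
    ]


def build_sample_history(db_path):
    """Constructed sample: the subset of Chromium's schema the query above needs."""
    con = sqlite3.connect(db_path)
    con.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, typed_count INTEGER,
                           last_visit_time INTEGER, hidden INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER, from_visit INTEGER,
                             transition INTEGER);
    """)
    t0 = dt.datetime(2024, 5, 27, 10, 0, tzinfo=dt.timezone.utc)  # invented times
    t1 = t0 + dt.timedelta(minutes=5)
    con.execute("INSERT INTO urls VALUES (1, 'https://example.org/', 'Example', 1, 1, ?, 0)",
                (datetime_to_webkit(t0),))
    con.execute("INSERT INTO urls VALUES (2, 'https://example.org/login', 'Login', 1, 0, ?, 0)",
                (datetime_to_webkit(t1),))
    con.execute("INSERT INTO visits VALUES (1, 1, ?, 0, 0)", (datetime_to_webkit(t0),))
    con.execute("INSERT INTO visits VALUES (2, 2, ?, 1, 0)", (datetime_to_webkit(t1),))
    con.commit()
    con.close()


def demo():
    """Build the constructed database in a temp directory and read it back."""
    path = os.path.join(tempfile.mkdtemp(), "History")
    build_sample_history(path)
    return read_history(path)


if __name__ == "__main__":
    for visit in demo():
        print(visit["visited_utc"], visit["url"], visit["title"])
```

Reporting the times in UTC with the offset shown, as `isoformat()` does here, avoids the second common error, silently rendering them in the examiner’s local zone.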
19. IMAGE & E-MAIL VIEWERS
• Views Files
• Converts Files
• Catalogs Files
• Side by Side File Comparisons
20. PASSWORD CRACKING TOOLS
• Password Recovery
• Allows access to computers
• 3 Methods to Crack Passwords
– Dictionary Attack
– Hybrid Attack
– Brute Force Attack
Source: http://www-128.ibm.com/developerworks/library/s-crack/
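The three methods in working form, as an added example written for this page rather than code from the original deck or the cited IBM article: each attack is run against a salted SHA-256 of the password, a constructed stand-in for whatever hash the target system actually stores (a real cracker targets that scheme, e.g. NTLM or bcrypt, and the feasibility of brute force depends almost entirely on it). The word list, the suffix and case rules of the hybrid attack, and the brute-force alphabet and maximum length are all assumptions chosen to keep the example small.

```python
"""Added example for this page: dictionary, hybrid and brute-force password cracking
against a salted SHA-256. Not code from the original deck; word list and rules are assumed."""
import hashlib
import itertools
import string

# Constructed mini word list; a real attack uses a list of millions of entries.
WORDLIST = ["password", "letmein", "dragon", "cat"]


def hash_password(password, salt):
    """Stand-in for the target system's hash: SHA-256(salt || password)."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def dictionary_attack(target, salt, words=WORDLIST):
    """Try each word as-is. Cheapest; catches plain dictionary passwords."""
    for word in words:
        if hash_password(word, salt) == target:
            return word
    return None


def hybrid_attack(target, salt, words=WORDLIST, suffixes=None):
    """Dictionary words plus appended digits/symbols and simple case variants,
    covering the 'cat' -> 'cat1' -> 'cat2' rotation habit."""
    if suffixes is None:
        suffixes = [str(n) for n in range(100)] + ["!", "?", "#", "$"]
    for word in words:
        for base in (word, word.capitalize(), word.upper()):
            for suffix in suffixes:
                candidate = base + suffix
                if hash_password(candidate, salt) == target:
                    return candidate
    return None


def brute_force_attack(target, salt, alphabet=string.ascii_lowercase + string.digits, max_len=3):
    """Exhaustive search of every string over `alphabet` up to `max_len`.
    Cost grows as len(alphabet) ** length, which is why password length
    matters more than any single character class."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            candidate = "".join(combo)
            if hash_password(candidate, salt) == target:
                return candidate
    return None


def crack(target, salt):
    """Run the methods from cheapest to most expensive; report which one won."""
    for name, attack in (("dictionary", dictionary_attack),
                         ("hybrid", hybrid_attack),
                         ("brute-force", brute_force_attack)):
        found = attack(target, salt)
        if found is not None:
            return name, found
    return None, None


if __name__ == "__main__":
    salt = b"constructed-salt"
    for secret in ("letmein", "Cat7", "z9q", "correct horse battery"):
        print(secret, "->", crack(hash_password(secret, salt), salt))
```

The ordering is the practical point: a dictionary pass costs a few thousand hashes, the hybrid pass a few hundred thousand, and brute force over 36 characters already costs 36 to the power of the length, so an examiner exhausts the cheap passes (and any known passwords of the subject) before committing hardware to the expensive one.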
21. OPEN SOURCE TOOLS
• Free tools available to Computer Forensic Specialists
• Cover entire scope of forensic tools in use
• May more clearly and comprehensively meet the Daubert guidelines than closed source tools
• Among the most widely used
Source: http://software.newsforge.com/software/05/04/05/2052235.shtml?tid=129&tid=136&t
22. MOBILE DEVICE TOOLS
• Number and variety of toolkits considerably more limited than for computers
• Require examiner to have full access to device
• Most tools focus on a single function
• Deleted data remains on PDA until successful HotSync with computer
Sources: http://csrc.nist.gov/publications/nistir/nistir-7100-PDAForensics.pdf
http://www.cs.ucf.edu/courses/cgs5132/spring2002/presentation/weiss.ppt#5
23. FORENSIC TOOL SUITES
• Provide a lower cost way to maximize the tools
• Typically include the most often used tools
– Paraben
– The Coroner’s Toolkit (TCT)
– The Sleuth Kit (TSK)
– EnCase
– Forensic Toolkit (FTK)
– Maresware
24. OVERVIEW OF SYSTEMS SECURITY
• Ten guidelines:
– Remove personally identifiable data from storage media
– Store an identical copy of any evidentiary media given to law enforcement
– Limit search to goal of investigation
– Handle time stamped events in strictest confidence
– On networks, acknowledge packets by means of tokens rather than by IP addresses
25. OVERVIEW OF SYSTEMS SECURITY (Cont’)
• Safe storage of all internal logs
• Preservation of event logs in external nodes
• Put policies in place for actionable items related to attacks
• Put policies in place for safeguarding backed up data related to an investigation
• Handle disposal of sensitive data in a secure manner
26. COMPUTER FORENSICS AS A PROFESSION?
• Attitudes to computer forensics
– Academic
– Application of computer science
– Application of forensic science
– Narrow specialism
– Aligned to computer security
– Core discipline
27. ETHICAL BEHAVIOUR IN COMPUTER FORENSICS
• There is a very fine line between what is acceptable and what is deemed to be malpractice
• Computer Forensics exists in an ethical grey area
• Often need to balance self motivation versus legal constraints and procedural considerations
28. Ethical Behaviour in Computer Forensics
• Need to understand the ethical responsibility in Computer Forensics work is to:
– Self
– Profession
– Clients
– Subjects
– Courts
– Society
29. COMPUTER FORENSICS ETHICAL STANDARDS
• What is worse?
– Failing to convict the guilty
– Convicting the innocent
• The role of the investigator is to expose the evidence from a neutral point of view
• The Auld Report states that
– “It is the duty of an expert to help the court on the matters within his expertise. The duty overrides any obligation to the person from whom he has received instruction or by whom he is paid”
30. PSYCHOLOGY OF INVESTIGATION
• Evaluate the allegation
– Who made it?
– Is there a hidden agenda?
• Avoid presumption of guilt
• Avoid desire to win
• Show all the evidence, both contrary to and supporting the accusation
31. PSYCHOLOGY OF INVESTIGATION
• Ask yourself the questions
– Could the person be innocent?
– Could someone else have done it?
• Keep an open mind
• Be impartial
• Be rigorous and professional
32. COMPUTER FORENSICS PRACTITIONERS REQUIRE AWARENESS
• To help in making decisions about “doing the right thing”.
• To provide material in defending or justifying a particular position.
• To protect you as a practitioner.
• To consider in terms of practitioner and system liability.
• To maintain evidential integrity.
33. QUESTIONING THE LAW
• Is the law always ethical?
• Is the law good and just?
• Was apartheid legislation ethical?
• Just because an act or set of circumstances is permitted in computing does not mean that it is ethical.
34. AREAS OF KNOWLEDGE
• What laws to consider?
• What impact the laws might have on a particular activity
• Critical analysis
– Are the laws appropriate?
– Are there contradictions in legal provision?
– Can the laws be applied to computer forensics?
– Should the laws be challenged?
35. EXAMPLE OF REGULATIONS TO CONSIDER
• Data Protection Act 1998
– Right of access, Right to prevent processing, Right to compensation
• Computer Misuse Act 1990 and Computer Misuse (Amendment) Act 2002
• Regulation of Investigatory Powers Act 2000
36. Example of Regulations to Consider
• Human Rights Act 1998
• Disability Discrimination Act (1995) and Special Educational Needs and Disability Act 2001
37. Example of Regulations to Consider
• Anti-terrorism, Crime and Security Act 2001
– ISPs (Internet Service Providers) keep track of their customers’ activities over a period of 12 months
• Freedom of Information Act 2000 and Freedom of Information (Scotland) Act 2002
38. Example of Regulations to Consider
• Theft Act 1968, 1978
• Protection from Harassment Act 1997
• Obscene Publications Act 1959
• Protection of Children Act 1978
• Criminal Justice Act 1988
39. EXAMPLE OF REGULATIONS TO CONSIDER
• Sexual Offences Act 2003
• Anti-terrorism, Crime and Security Act 2001
• Patents Act 1977 and the Copyright, Designs and Patents Act 1988
– Intellectual Property, Copyright Law, Patent Law, Trademarks and Passing-off
• Design Right (Semiconductor Regulations) 1989
40. PROFESSIONAL BEHAVIOUR IN COMPUTER FORENSICS
• Enhance the resolution of crime involving computers and reduce cyber crime
• Ensure robust, reliable, valid and safe processes and procedures
• Comply with ethical and legal expectations
41. PROFESSIONAL BEHAVIOUR IN COMPUTER FORENSICS
• Enhance public confidence in computer forensics
• Enhance computer security
• Promote awareness and understanding
• Requires the ability and competence to make appropriate decisions
42. AREAS OF PROFESSIONAL RESPONSIBILITY
• Litigation and Liability
• Certification and Licence to practice
• Compliance
– For example web sites with Disability Discrimination Act
• Audit
• Dealing with contradictions
• Professional and ethical responsibility
• Organisational regulation and policy
– computing action may be legal but against company policy, e.g. Internet transactions on work computers, e-mail language
Editor's Notes
Electronic data discovery tools are not limited to simply finding the data and metadata. Some of the functions of data discovery tools are listed above.
Internet history tools are useful in tracking how users have used the internet and which sites were accessed. This is limited, however, in that the history alone cannot show whether a site was visited deliberately or only reached incidentally, for example through a search result, unless the history contains multiple sites of similar content.
Image and E-mail viewers allow the forensic investigator to view images and E-mails and capture them as evidence. Most image and E-mail viewers have the capability to view and access multiple image and E-mail formats.
Dictionary Attack - A dictionary file (a text file full of dictionary words) is loaded into a cracking application, which is run against user accounts located by the application. Because the majority of passwords are often simplistic, running a dictionary attack is often sufficient to do the job. Hybrid Attack - A hybrid attack appends numbers or symbols to each dictionary word in order to crack a password. Many people change their passwords by simply adding a number to the end of their current password. The pattern usually takes this form: first month password is "cat"; second month password is "cat1"; third month password is "cat2"; and so on. Brute Force Attack - A brute force attack is the most comprehensive form of attack, trying every possible combination of characters, though it may take a long time depending on the length and complexity of the password. Some brute force attacks can take a week or more depending on the complexity of the password.
Open Source tools are often grouped together with freeware and shareware, although the terms differ: open source means the source code itself is published. They are easily and readily available on the internet. The reason open source tools may more clearly and comprehensively meet the Daubert guidelines is because of their extensive use and the fact that the code can be viewed and assessed by experts in the field to verify its value.
Digital forensic investigation of mobile devices is beginning to come into its own. Because these devices have some differences from computers, different tools are needed and the scope of the tools has not yet matured. Therefore, there are fewer tools available for this type of investigation.
Forensic tool suites are typically an enterprise type of application. While some suites are a collection of separately used tools, called upon as needed, other suites are a collection of integrated software that require the investigator to follow a process and use the different applications sequentially. Many commercially available tool suites can be quite costly and intricate. The Coroner’s Toolkit and The Sleuth Kit are the only open source suites listed above.