This document discusses the process of computer forensics which includes acquiring data from computers and storage devices, identifying recoverable data through forensic tools, evaluating the recovered data to determine how it can be used in employment termination or prosecution, and presenting the evidence in a manner that is understandable for legal purposes. It also discusses techniques for hiding and recovering hidden data such as steganography, watermarking, and analyzing disk slack space and swap files. The challenges of digital evidence acceptance in court and costs of computer forensics are also summarized.

6. Acquisition
physically or remotely obtaining possession of the computer, all
network mappings from the system, and external physical
storage devices.
Identification
This step involves identifying what data could be recovered and
electronically retrieving it by running various Computer Forensic
tools and software suites.
Evaluation
Evaluating the information/data recovered to determine if and how it
could be used again the suspect for employment termination or
prosecution in court.
Presentation
This step involves the presentation of evidence discovered in a manner
which is understood by lawyers, non-technically staff/management,
and suitable as evidence as determined by United States
and internal laws

7.  To human eyes, data usually contains known forms, like images, e-mail,
sounds, and text. Most Internet data naturally includes gratuitous headers, too.
These are media exploited using new controversial logical encodings:
steganography and marking.
Steganography: The art of storing information in such a way that the
existence of the information is hidden.
 Watermarking: Hiding data within data Information can be hidden
in almost any file format.
File formats with more room for compression are best
• Image files (JPEG, GIF)
• Sound files (MP3, WAV)
• Video files (MPG, AVI)
The hidden information may be encrypted, but not necessarily.
 Hard Drive/File System manipulation
Slack Space is the space between the logical end and the physical
end of file and is called the file slack

8. • Steganalysis - the art of detecting and decoding hidden data.
•Hiding information within electronic media requires alterations
of the media properties that may introduce some form of
degradation or unusual characteristics.
• The pattern of degradation or the unusual characteristic
of a specific type of steganography method is called a signature.
• Steganalysis software can be trained to look for a signature.

9. •Human Observation
•Software analysis
•Disk analysis utilities
•Statistical Analysis
•Frequency scanning

10. Recovery of watermarked data is extremely hard.
Currently, there are very few methods to recover
hidden, encrypted data.
Data hidden on disk is much easier to find. Once found, if
unencrypted, it is already recovered
Deleted data can be reconstructed (even on hard drives
that have been magnetically wiped)
Check swap files for passwords and encryption keys which
are stored in the clear (unencrypted)
Software Tools
• Scan for and reconstruct deleted data
• Break encryption

11. The "network" in "network forensics" != "computer"
•Network here means "relating to packets" or "network traffic"
Definition of forensics (dictionary.com)
•Relating to, used in, or appropriate for courts of law
or for public discussion or argumentation.
•Of, relating to, or used in debate or argument; rhetorical.
•Relating to the use of science or technology in the
investigation and establishment of facts or evidence in
a court of law: a forensic laboratory.
Many claim to perform network forensics,but most of these
practitioners are probably just capturing packets
•These guidelines will elevate your game to forensic levels
Forensics helps with "patch and proceed" or "pursue
and prosecute"

12. It has an ability to search through a
massive amount of data
Quickly
Easily
Thoroughly
In any language

13. Digital evidence accepted into court
Must prove that there is no tampering.
All evidence must be fully accounted for.
Computer forensic specialists must have
complete knowledge of legal
requirements, evidence handling and
storage and documentation procedures
Costs.
Producing electronic records & preserving
them is extremely costly.
Presents the potential for exposing
privileged documents.
Legal practitioners must have extensive
computer knowledge.

14.  FINANCIAL FRAUD DETECTION
 CRIMINAL PROSECUTION
 CIVIL LITIGATION

15. With computers becoming more and more
involved in our everyday lives, both
professionally and socially, there is a need for
computer forensics. This field will enable
crucial electronic evidence to be
found, whether it was
lost, deleted, damaged, or hidden and used to
prosecute individuals that belive they have
succecessfully beaten the system.