SlideShare a Scribd company logo

Computer forensics and its role

Download as PPTX, PDF
S
Sudeshna Basak

Computer forensics involves the legal acquisition, preservation, analysis and presentation of digital evidence found on computers and digital devices. It follows standard processes and guidelines to ensure evidence is collected properly and can be used in legal cases. The main steps are acquisition of evidence from devices, identification and evaluation of relevant data found, and proper presentation of findings. Computer forensics experts work in law enforcement, private companies, and other organizations to gather digital evidence for various crimes and disputes.

Technology
1 of 35
Downloaded 103 times
1
2
Most read
3
4
5
Most read
6
7
8
9
10
11
Most read
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
Computer Forensics
Topics to be covered • Defining Computer Forensics • Who uses Computer Forensics • Laws • Reasons for gathering evidence • Evidence processing guidelines • Requirements • Steps of Computer Forensics • Forensics recovery • Examples • Anti-forensics • Conclusion • Acknowledgement
• The process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable.” (McKemmish, 1999) • “Gathering and analyzing data in a manner as freedom distortion or bias as possible to reconstruct data or what has happened in the past on a system.” (Farmer & Vennema,1999) • Computer forensics is the application of computer investigation and analysis techniques in the interests of determining potential legal evidence. • Forensic Computing, also known as Evidential Computing and even sometimes Data Recovery, is the specialist process of imaging and processing computer data which is reliable enough to be used as evidence in court What is Computer Forensics? (Some definitions)
What will Computer Forensics do? • Computer forensics, innovators of image copying technology, defined the principles of the science of computer forensics and formalized an approved and accepted methodology to COLLECT, ANALYSE and PRESENT suspect data to a Court of Law. • Computer forensics evidence is frequently sought in a wide range of computer crime or misuse, including but not limited to theft of trade secrets, theft of or destruction of intellectual property, and fraud. • Computer forensics specialists draw on an array of methods for discovering data that resides in a computer system. • Experts in forensics computing can frequently recover files that have been deleted, encrypted, or damaged, sometimes as long as years earlier. • Evidence gathered by computer forensics experts is useful and often necessary during discovery, depositions, and actual litigation.
Who Uses Computer Forensics? • Criminal Prosecutors • -Rely on evidence obtained from a computer to prosecute suspects and use as evidence • Civil Litigations • -Personal and business data discovered on a computer can be used in fraud, divorce, harassment, or discrimination cases • Insurance Companies • -Evidence discovered on computer can be used to mollify costs (fraud, worker’s compensation, arson, etc) • Private Corporations • -Obtained evidence from employee computers can be used as evidence in harassment, fraud, and embezzlement cases
FBI Computer Forensic Services • Content • Comparison again known data • Transaction sequencing • Extraction of data • Recovering deleted data files • Format conversion • Keyword searching • Decrypting passwords • Analyzing and comparing limited source code
KNOW THE LAW... • The US DOJ maintains a website with guidelines and case law pertaining to seizing and searching computers. It's the best place to start putting together a legal case that will be based on evidence obtained from a computer system. The US DOJ website is: http://www.usdoj.gov/criminal/cybercrime/searching.html They also have a wealth of "cyber-crime" information online at: http://www.usdoj.gov/criminal/cybercrime/
Reasons For Evidence • Wide range of computer crimes and misuses • Non-Business Environment: evidence collected by Federal, State and local authorities for crimes relating to: – -Theft of trade secrets – -Fraud – -Extortion – -Industrial espionage – -Position of pornography – -SPAM investigations – -Virus/Trojan distribution – -Intellectual property breaches – -Unauthorized use of personal information – -Perjury
• Computer related crime and violations include a range of activities including: • Business Environment: • -Theft of or destruction of intellectual property • -Unauthorized activity • -Tracking internet browsing habits • -Reconstructing Events • -Inferring intentions • -Selling company bandwidth • -Wrongful dismissal claims • -Software Piracy Reasons For Evidence (cont)
Evidence Processing Guidelines • New Technologies Inc. recommends following 16 steps in processing evidence • They offer training on properly handling each step – Step 1: Shut down the computer • Considerations must be given to volatile information • Prevents remote access to machine and destruction of evidence (manual or ant-forensic software) – Step 2: • Document the Hardware Configuration of The System • Note everything about the computer configuration prior to re-locating
Evidence Processing Guidelines (cont) • Step 3: Transport the Computer System to A Secure Location – Do not leave the computer unattended unless it is locked in a secure location • Step 4: Make Bit Stream Backups of Hard Disks and Floppy Disks • Step 5: Mathematically Authenticate Data on All Storage Devices – Must be able to prove that you did not alter any of the evidence after the computer came into your possession • Step 6: Document the System Date and Time • Step 7: Make a List of Key Search Words • Step 8: Evaluate the Windows Swap File
Evidence Processing Guidelines (cont) • Step 9: Evaluate File Slack – The DOS file system file allocation table (FAT) was never designed to handle storage device with more than 32767 units of data. 32767 is the largest number that can be represented with 16 bits. – Data is written in sectors of 512 bytes (hard drives, floppy), or 2048 bytes (CD-ROM). – This set an arbitrary limit on disk storage devices of 512x32767 = 16MB. – To accommodate larger drives the concept of “clusters” was invented. Clusters are a group of sectors written as a single atomic unit. With clustering came file slack.
Evidence Processing Guidelines (cont) • RAM Slack If the file you are writing is shorter than the number of bytes in the clusters you have allocated for your file, the file system will pad the data out to the end of the current sector with “RAM slack”. RAM slack is random data that happens to be in RAM memory at the time the file is written. It can contain any data that you were working on since you last booted the PC. Such as emails, word documents, graphics, etc. • Drive Slack Unlike RAM slack which comes from working storage, “drive slack” is data left on the drive from a previous file. After completing the last partial sector with RAM slack, subsequent whole sectors in the last cluster are left as is with whatever data was written there previously.
Evidence Processing Guidelines (cont) • Step 10: Evaluate Unallocated Space (Erased Files) • Step 11: Search Files, File Slack and Unallocated Space for Key Words • Step 12: Document File Names, Dates and Times • Step 13: Identify File, Program and Storage Anomalies • Step 14: Evaluate Program Functionality • Step 15: Document Your Findings • Step 16: Retain Copies of Software Used
Computer Forensic Requirements Hardware – Familiarity with all internal and external devices/components of a computer – Thorough understanding of hard drives and settings – Understanding motherboards and the various chipsets used – Power connections – Memory BIOS – Understanding how the BIOS works – Familiarity with the various settings and limitations of the BIOS
Computer Forensic Requirements (cont) • .Operation Systems – Windows 3.1/95/98/ME/NT/2000/2003/XP – DOS – UNIX – LINUX – VAX/VMS Software – Familiarity with most popular software packages such as Office Forensic Tools – Familiarity with computer forensic techniques and the software packages that could be used
Steps Of Computer Forensics • .According to many professionals, Computer Forensics is a four (4) step process Acquisition – Physically or remotely obtaining possession of the computer, all network mappings from the system, and external physical storage devices Identification -This step involves identifying what data could be recovered and electronically retrieving it by running various Computer Forensic tools and software suites Evaluation – Evaluating the information/data recovered to determine if and how it could be used again the suspect for employment termination or prosecution in court
Steps Of Computer Forensics (cont) • .Presentation – This step involves the presentation of evidence discovered in a manner which is understood by lawyers, non-technically staff/management, and suitable as evidence as determined by United States and internal laws
Handling Evidence • No possible evidence is damaged, destroyed, or otherwise compromised by the procedures used to search the computer • Preventing viruses from being introduced to a computer during the analysis process • Establishing and maintaining a continuing chain of custody • Limiting the amount of time business operations are affected
Initiating An Investigation • DO NOT begin by exploring files on system randomly • Establish evidence custodian - start a detailed journal with the date and time and date/information discovered • If possible, designate suspected equipment as “off-limits” to normal activity. This includes back-ups, remotely or locally scheduled house-keeping, and configuration changes • Collect email, DNS, and other network service logs
Incidence Response • Identify, designate, or become evidence custodian • Review any existing journal of what has been done to system already and/or how intrusion was detected • Begin new or maintain existing journal • Install monitoring tools (sniffers, port detectors, etc.) • Without rebooting or affecting running processes, perform a copy of physical disk • Capture network information
Forensic Recovery Take pictures to document area around the computer. You may find removable media, or clues to your subject’s passwords in your photos.
Forensic Recovery • . Tip #3: Don’t assume system will boot first from the floppy drive. Always go into setup first and make sure the system will boot first from where you expect it to. Ex. Floppy or CD-ROM.
Forensic Recovery • . Take screen shots to preserve evidence. In this case documented “buddies list” in ICQ and Yahoo! Messenger. Used FTK to find emails to / from same buddies. And their solicitations on Internet adult meeting sites.
EXAMPLES • 1.Hot Hard Drives: In an arson and murder investigation, computer forensic investigators were asked to analyze hard drives recovered from a burned house which were charred and covered with ash and soot. When experienced engineers opened the drives in a sterile cleanroom – designed for repairing damaged computer media – they discovered the data contained on the individual data platters was not subjected to a high enough heat to cause permanent data loss. Relying on years of experience with fire-damaged computer media, engineers recovered and produced all of the data to the prosecutor’s office for analysis. The evidence contained on the hard drives helped the prosecutors build their case against the charged individual.
EXAMPLES • 2.Usurping USB Drives: On behalf of a bank, a computer forensic investigation was undertaken focusing on several computers owned by a bank customer suspected in a money laundering scheme. The initial review of the computers revealed that a large capacity USB drive was installed on the machine one day prior to turning over the computers pursuant to the court order. Upon further review of the USB drive, the engineers proved the individual had engaged in corporate financial fraud, stolen business funds and moved the money in foreign back accounts.
Anti-Forensics • Software that limits and/or corrupts evidence that could be collected by an investigator • Performs data hiding and distortion • Exploits limitations of known and used forensic tools • Works both on Windows and LINUX based systems • In place prior to or post system acquisition
Methods Of Hiding Data To human eyes, data usually contains known forms, like images, e-mail, sounds, and text. Most Internet data naturally includes gratuitous headers, too. These are media exploited using new controversial logical encodings: steganography and marking. – Steganography: The art of storing information in such a way that the existence of the information is hidden.
Methods Of Hiding Data • 1 To human eyes, data usually contains known forms, like images, e-mail, sounds, and text. Most Internet data naturally includes gratuitous headers, too. These are media exploited using new controversial logical encodings: steganography and marking. The duck flies at midnight. Tame uncle Sam Simple but effective when done well
Methods Of Hiding Data Watermarking: Hiding data within data – Information can be hidden in almost any file format. – File formats with more room for compression are best • Image files (JPEG, GIF) • Sound files (MP3, WAV) • Video files (MPG, AVI) – The hidden information may be encrypted, but not necessarily – Numerous software applications will do this for you: Many are freely available online
CONCLUSION • Use a systematic approach to investigations • Plan a case by taking into account: – Nature of the case – Case requirements – Gathering evidence techniques • Do not forget that every case can go to court • Apply standard problem-solving techniques • Keep track of the chain of custody of your evidence • Produce a final report detailing what you did and found
ACKNOWLEDGEMENT • .I wish to thank my faculty members of CSE department ,Dr. Sudhir Chandra Sur Degree Engineering College for guidance and useful suggestions, which helped us a lot in completing the presentation work, in time. We also took help from internet for ideas which made us able to complete this presentation.
Computer forensics and its role
• . THANK YOU.
• . PRESENTED BY: OIESWARYA BHOWMIK SUDESHNA BASAK

More Related Content

PPT
Introduction to computer forensic
Online
 
PPTX
Computer forensics powerpoint presentation
Somya Johri
 
PPT
Computer Forensic
Tawhidur Rahman
 
PPTX
Computer forensics toolkit
Milap Oza
 
PPTX
Cyber Crime
Akash Dolas,PMP [Open Networker]
 
PPTX
Cyber crime
Harendra Singh
 
PPTX
Social engineering
Vîñàý Pãtêl
 
PPTX
Introduction to cyber security
Self-employed
 
Introduction to computer forensic
Online
 
Computer forensics powerpoint presentation
Somya Johri
 
Computer Forensic
Tawhidur Rahman
 
Computer forensics toolkit
Milap Oza
 
Cyber Crime
Akash Dolas,PMP [Open Networker]
 
Cyber crime
Harendra Singh
 
Social engineering
Vîñàý Pãtêl
 
Introduction to cyber security
Self-employed
 

What's hot (20)

PPTX
Social Engineering new.pptx
Santhosh Prabhu
 
PPTX
Computer crimes and forensics
Avinash Mavuru
 
PDF
Cybersecurity in Industrial Control Systems (ICS)
Joan Figueras Tugas
 
PPTX
Digital forensic tools
Parsons Corporation
 
PPTX
Application of Machine Learning in Cybersecurity
Pratap Dangeti
 
PPT
Computer forensics
SCREAM138
 
PDF
A brief Intro to Digital Forensics
Manik Bhola
 
PPTX
Malware ppt final.pptx
LakshayNRReddy
 
PPTX
ETHICAL HACKING.pptx
ethicalhackerhub
 
PPTX
Digital Forensics
Mithileysh Sathiyanarayanan
 
PPTX
Cyber Forensics Overview
Yansi Keim
 
PPTX
Digital Forensics by William C. Barker (NIST)
AltheimPrivacy
 
PPTX
Ethical Hacking
Tharindu Kalubowila
 
PPTX
Introduction to Cybersecurity Fundamentals
Toño Herrera
 
PPTX
Cyber security
Samsil Arefin
 
PDF
AI in security
Subrat Panda, PhD
 
PPT
Cyber forensics
pranjal dutta
 
PPT
Role of a Forensic Investigator
Agape Inc
 
PDF
CS6004 Cyber Forensics
Kathirvel Ayyaswamy
 
PPT
“Privacy Today” Slide Presentation
tomasztopa
 
Social Engineering new.pptx
Santhosh Prabhu
 
Computer crimes and forensics
Avinash Mavuru
 
Cybersecurity in Industrial Control Systems (ICS)
Joan Figueras Tugas
 
Digital forensic tools
Parsons Corporation
 
Application of Machine Learning in Cybersecurity
Pratap Dangeti
 
Computer forensics
SCREAM138
 
A brief Intro to Digital Forensics
Manik Bhola
 
Malware ppt final.pptx
LakshayNRReddy
 
ETHICAL HACKING.pptx
ethicalhackerhub
 
Digital Forensics
Mithileysh Sathiyanarayanan
 
Cyber Forensics Overview
Yansi Keim
 
Digital Forensics by William C. Barker (NIST)
AltheimPrivacy
 
Ethical Hacking
Tharindu Kalubowila
 
Introduction to Cybersecurity Fundamentals
Toño Herrera
 
Cyber security
Samsil Arefin
 
AI in security
Subrat Panda, PhD
 
Cyber forensics
pranjal dutta
 
Role of a Forensic Investigator
Agape Inc
 
CS6004 Cyber Forensics
Kathirvel Ayyaswamy
 
“Privacy Today” Slide Presentation
tomasztopa
 
Ad

Viewers also liked (20)

PPTX
Computer Forensic Softwares
Dhruv Seth
 
PPT
Computer forensics
Lalit Garg
 
PPT
computer forensics
Akhil Kumar
 
PDF
Chfi V3 Module 01 Computer Forensics In Todays World
gueste0d962
 
PPTX
Digital forensics
Roberto Ellis
 
PPTX
Computer forensics
deaneal
 
PPT
Computer +forensics
Rahul Baghla
 
PPTX
Computer forensics ppt
Nikhil Mashruwala
 
PPTX
Proliferasi Nuklir Era Kontemporer: Kapabilitas Nuklir Korea Utara 2003-2013
Devindra Oktaviano
 
PPTX
Identifikasi forensik
Amirul Hadi
 
PPT
Computer forensics 1
Jinalkakadiya
 
PPTX
Luka Tembak Forensik
Zarah Dzulhijjah
 
PPT
Computer forensics law and privacy
ch samaram
 
PPT
Threats
Mentalist Akram
 
PPT
Firewalls
University of Central Punjab
 
PPT
Digital Forensics
Nicholas Davis
 
PPTX
Data encryption
Deepam Goyal
 
DOC
Communication skills in english
Aqib Memon
 
PDF
OWASP Khartoum Cyber Security Session
OWASP Khartoum
 
PDF
Lecture1
rjaeh
 
Computer Forensic Softwares
Dhruv Seth
 
Computer forensics
Lalit Garg
 
computer forensics
Akhil Kumar
 
Chfi V3 Module 01 Computer Forensics In Todays World
gueste0d962
 
Digital forensics
Roberto Ellis
 
Computer forensics
deaneal
 
Computer +forensics
Rahul Baghla
 
Computer forensics ppt
Nikhil Mashruwala
 
Proliferasi Nuklir Era Kontemporer: Kapabilitas Nuklir Korea Utara 2003-2013
Devindra Oktaviano
 
Identifikasi forensik
Amirul Hadi
 
Computer forensics 1
Jinalkakadiya
 
Luka Tembak Forensik
Zarah Dzulhijjah
 
Computer forensics law and privacy
ch samaram
 
Threats
Mentalist Akram
 
Firewalls
University of Central Punjab
 
Digital Forensics
Nicholas Davis
 
Data encryption
Deepam Goyal
 
Communication skills in english
Aqib Memon
 
OWASP Khartoum Cyber Security Session
OWASP Khartoum
 
Lecture1
rjaeh
 
Ad

Similar to Computer forensics and its role (20)

PPTX
cyber Forensics
Muzzammil Wani
 
PPT
CF.ppt
KhusThakkar
 
PPT
Preserving and recovering digital evidence
Online
 
PPT
Computer forensics
Hiren Selani
 
PPTX
Memory forensics.pptx
9905234521
 
PPT
Digital forensics
Nicholas Davis
 
PDF
Computer Forensics – What Every Lawyer Needs to Know
Winston & Strawn LLP
 
PPT
Collecting and preserving digital evidence
Online
 
PPTX
Processing Crimes and Incident Scenes
primeteacher32
 
PPTX
Cybersecurity and Digital Forensics.pptx
RyujiChanneru
 
PDF
644205e3-8f85-43da-95ac-e4cbb6a7a406-150917105917-lva1-app6892.pdf
Gnanavi2
 
PPTX
DIGITAL FORENSICS_PRESENTATION
Amina Baha
 
PDF
Computer Forensic
Novizul Evendi
 
PPT
3871778
Christiaan Beek
 
PPTX
Examining computer and evidence collection
gagan deep
 
PPT
Electornic evidence collection
Fakrul Alam
 
PDF
cyber forensics and digitalforensics.pdf
mcjaya2024
 
PPT
Digital forensics Computer and mobile forensic
SyedaHira10
 
PPT
Chapter 2 - Understanding Computer Investigations.ppt
kong100
 
PPTX
unit 5 understanding computer forensics.pptx
Dimple Relekar
 
cyber Forensics
Muzzammil Wani
 
CF.ppt
KhusThakkar
 
Preserving and recovering digital evidence
Online
 
Computer forensics
Hiren Selani
 
Memory forensics.pptx
9905234521
 
Digital forensics
Nicholas Davis
 
Computer Forensics – What Every Lawyer Needs to Know
Winston & Strawn LLP
 
Collecting and preserving digital evidence
Online
 
Processing Crimes and Incident Scenes
primeteacher32
 
Cybersecurity and Digital Forensics.pptx
RyujiChanneru
 
644205e3-8f85-43da-95ac-e4cbb6a7a406-150917105917-lva1-app6892.pdf
Gnanavi2
 
DIGITAL FORENSICS_PRESENTATION
Amina Baha
 
Computer Forensic
Novizul Evendi
 
3871778
Christiaan Beek
 
Examining computer and evidence collection
gagan deep
 
Electornic evidence collection
Fakrul Alam
 
cyber forensics and digitalforensics.pdf
mcjaya2024
 
Digital forensics Computer and mobile forensic
SyedaHira10
 
Chapter 2 - Understanding Computer Investigations.ppt
kong100
 
unit 5 understanding computer forensics.pptx
Dimple Relekar
 

Recently uploaded (20)

PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
PPTX
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PPTX
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
Teaching material agriculture food technology
LiaRayya
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 

Computer forensics and its role

  • 2. Topics to be covered • Defining Computer Forensics • Who uses Computer Forensics • Laws • Reasons for gathering evidence • Evidence processing guidelines • Requirements • Steps of Computer Forensics • Forensics recovery • Examples • Anti-forensics • Conclusion • Acknowledgement
  • 3. • The process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable.” (McKemmish, 1999) • “Gathering and analyzing data in a manner as freedom distortion or bias as possible to reconstruct data or what has happened in the past on a system.” (Farmer & Vennema,1999) • Computer forensics is the application of computer investigation and analysis techniques in the interests of determining potential legal evidence. • Forensic Computing, also known as Evidential Computing and even sometimes Data Recovery, is the specialist process of imaging and processing computer data which is reliable enough to be used as evidence in court What is Computer Forensics? (Some definitions)
  • 4. What will Computer Forensics do? • Computer forensics, innovators of image copying technology, defined the principles of the science of computer forensics and formalized an approved and accepted methodology to COLLECT, ANALYSE and PRESENT suspect data to a Court of Law. • Computer forensics evidence is frequently sought in a wide range of computer crime or misuse, including but not limited to theft of trade secrets, theft of or destruction of intellectual property, and fraud. • Computer forensics specialists draw on an array of methods for discovering data that resides in a computer system. • Experts in forensics computing can frequently recover files that have been deleted, encrypted, or damaged, sometimes as long as years earlier. • Evidence gathered by computer forensics experts is useful and often necessary during discovery, depositions, and actual litigation.
  • 5. Who Uses Computer Forensics? • Criminal Prosecutors • -Rely on evidence obtained from a computer to prosecute suspects and use as evidence • Civil Litigations • -Personal and business data discovered on a computer can be used in fraud, divorce, harassment, or discrimination cases • Insurance Companies • -Evidence discovered on computer can be used to mollify costs (fraud, worker’s compensation, arson, etc) • Private Corporations • -Obtained evidence from employee computers can be used as evidence in harassment, fraud, and embezzlement cases
  • 6. FBI Computer Forensic Services • Content • Comparison again known data • Transaction sequencing • Extraction of data • Recovering deleted data files • Format conversion • Keyword searching • Decrypting passwords • Analyzing and comparing limited source code
  • 7. KNOW THE LAW... • The US DOJ maintains a website with guidelines and case law pertaining to seizing and searching computers. It's the best place to start putting together a legal case that will be based on evidence obtained from a computer system. The US DOJ website is: http://www.usdoj.gov/criminal/cybercrime/searching.html They also have a wealth of "cyber-crime" information online at: http://www.usdoj.gov/criminal/cybercrime/
  • 8. Reasons For Evidence • Wide range of computer crimes and misuses • Non-Business Environment: evidence collected by Federal, State and local authorities for crimes relating to: – -Theft of trade secrets – -Fraud – -Extortion – -Industrial espionage – -Position of pornography – -SPAM investigations – -Virus/Trojan distribution – -Intellectual property breaches – -Unauthorized use of personal information – -Perjury
  • 9. • Computer related crime and violations include a range of activities including: • Business Environment: • -Theft of or destruction of intellectual property • -Unauthorized activity • -Tracking internet browsing habits • -Reconstructing Events • -Inferring intentions • -Selling company bandwidth • -Wrongful dismissal claims • -Software Piracy Reasons For Evidence (cont)
  • 10. Evidence Processing Guidelines • New Technologies Inc. recommends following 16 steps in processing evidence • They offer training on properly handling each step – Step 1: Shut down the computer • Considerations must be given to volatile information • Prevents remote access to machine and destruction of evidence (manual or ant-forensic software) – Step 2: • Document the Hardware Configuration of The System • Note everything about the computer configuration prior to re-locating
  • 11. Evidence Processing Guidelines (cont) • Step 3: Transport the Computer System to A Secure Location – Do not leave the computer unattended unless it is locked in a secure location • Step 4: Make Bit Stream Backups of Hard Disks and Floppy Disks • Step 5: Mathematically Authenticate Data on All Storage Devices – Must be able to prove that you did not alter any of the evidence after the computer came into your possession • Step 6: Document the System Date and Time • Step 7: Make a List of Key Search Words • Step 8: Evaluate the Windows Swap File
  • 12. Evidence Processing Guidelines (cont) • Step 9: Evaluate File Slack – The DOS file system file allocation table (FAT) was never designed to handle storage device with more than 32767 units of data. 32767 is the largest number that can be represented with 16 bits. – Data is written in sectors of 512 bytes (hard drives, floppy), or 2048 bytes (CD-ROM). – This set an arbitrary limit on disk storage devices of 512x32767 = 16MB. – To accommodate larger drives the concept of “clusters” was invented. Clusters are a group of sectors written as a single atomic unit. With clustering came file slack.
  • 13. Evidence Processing Guidelines (cont) • RAM Slack If the file you are writing is shorter than the number of bytes in the clusters you have allocated for your file, the file system will pad the data out to the end of the current sector with “RAM slack”. RAM slack is random data that happens to be in RAM memory at the time the file is written. It can contain any data that you were working on since you last booted the PC. Such as emails, word documents, graphics, etc. • Drive Slack Unlike RAM slack which comes from working storage, “drive slack” is data left on the drive from a previous file. After completing the last partial sector with RAM slack, subsequent whole sectors in the last cluster are left as is with whatever data was written there previously.
  • 14. Evidence Processing Guidelines (cont) • Step 10: Evaluate Unallocated Space (Erased Files) • Step 11: Search Files, File Slack and Unallocated Space for Key Words • Step 12: Document File Names, Dates and Times • Step 13: Identify File, Program and Storage Anomalies • Step 14: Evaluate Program Functionality • Step 15: Document Your Findings • Step 16: Retain Copies of Software Used
  • 15. Computer Forensic Requirements Hardware – Familiarity with all internal and external devices/components of a computer – Thorough understanding of hard drives and settings – Understanding motherboards and the various chipsets used – Power connections – Memory BIOS – Understanding how the BIOS works – Familiarity with the various settings and limitations of the BIOS
  • 16. Computer Forensic Requirements (cont) • .Operation Systems – Windows 3.1/95/98/ME/NT/2000/2003/XP – DOS – UNIX – LINUX – VAX/VMS Software – Familiarity with most popular software packages such as Office Forensic Tools – Familiarity with computer forensic techniques and the software packages that could be used
  • 17. Steps Of Computer Forensics • .According to many professionals, Computer Forensics is a four (4) step process Acquisition – Physically or remotely obtaining possession of the computer, all network mappings from the system, and external physical storage devices Identification -This step involves identifying what data could be recovered and electronically retrieving it by running various Computer Forensic tools and software suites Evaluation – Evaluating the information/data recovered to determine if and how it could be used again the suspect for employment termination or prosecution in court
  • 18. Steps Of Computer Forensics (cont) • .Presentation – This step involves the presentation of evidence discovered in a manner which is understood by lawyers, non-technically staff/management, and suitable as evidence as determined by United States and internal laws
  • 19. Handling Evidence • No possible evidence is damaged, destroyed, or otherwise compromised by the procedures used to search the computer • Preventing viruses from being introduced to a computer during the analysis process • Establishing and maintaining a continuing chain of custody • Limiting the amount of time business operations are affected
  • 20. Initiating An Investigation • DO NOT begin by exploring files on system randomly • Establish evidence custodian - start a detailed journal with the date and time and date/information discovered • If possible, designate suspected equipment as “off-limits” to normal activity. This includes back-ups, remotely or locally scheduled house-keeping, and configuration changes • Collect email, DNS, and other network service logs
  • 21. Incidence Response • Identify, designate, or become evidence custodian • Review any existing journal of what has been done to system already and/or how intrusion was detected • Begin new or maintain existing journal • Install monitoring tools (sniffers, port detectors, etc.) • Without rebooting or affecting running processes, perform a copy of physical disk • Capture network information
  • 22. Forensic Recovery Take pictures to document area around the computer. You may find removable media, or clues to your subject’s passwords in your photos.
  • 23. Forensic Recovery • . Tip #3: Don’t assume system will boot first from the floppy drive. Always go into setup first and make sure the system will boot first from where you expect it to. Ex. Floppy or CD-ROM.
  • 24. Forensic Recovery • . Take screen shots to preserve evidence. In this case documented “buddies list” in ICQ and Yahoo! Messenger. Used FTK to find emails to / from same buddies. And their solicitations on Internet adult meeting sites.
  • 25. EXAMPLES • 1.Hot Hard Drives: In an arson and murder investigation, computer forensic investigators were asked to analyze hard drives recovered from a burned house which were charred and covered with ash and soot. When experienced engineers opened the drives in a sterile cleanroom – designed for repairing damaged computer media – they discovered the data contained on the individual data platters was not subjected to a high enough heat to cause permanent data loss. Relying on years of experience with fire-damaged computer media, engineers recovered and produced all of the data to the prosecutor’s office for analysis. The evidence contained on the hard drives helped the prosecutors build their case against the charged individual.
  • 26. EXAMPLES • 2.Usurping USB Drives: On behalf of a bank, a computer forensic investigation was undertaken focusing on several computers owned by a bank customer suspected in a money laundering scheme. The initial review of the computers revealed that a large capacity USB drive was installed on the machine one day prior to turning over the computers pursuant to the court order. Upon further review of the USB drive, the engineers proved the individual had engaged in corporate financial fraud, stolen business funds and moved the money in foreign back accounts.
  • 27. Anti-Forensics • Software that limits and/or corrupts evidence that could be collected by an investigator • Performs data hiding and distortion • Exploits limitations of known and used forensic tools • Works both on Windows and LINUX based systems • In place prior to or post system acquisition
  • 28. Methods Of Hiding Data To human eyes, data usually contains known forms, like images, e-mail, sounds, and text. Most Internet data naturally includes gratuitous headers, too. These are media exploited using new controversial logical encodings: steganography and marking. – Steganography: The art of storing information in such a way that the existence of the information is hidden.
  • 29. Methods Of Hiding Data • 1 To human eyes, data usually contains known forms, like images, e-mail, sounds, and text. Most Internet data naturally includes gratuitous headers, too. These are media exploited using new controversial logical encodings: steganography and marking. The duck flies at midnight. Tame uncle Sam Simple but effective when done well
  • 30. Methods Of Hiding Data Watermarking: Hiding data within data – Information can be hidden in almost any file format. – File formats with more room for compression are best • Image files (JPEG, GIF) • Sound files (MP3, WAV) • Video files (MPG, AVI) – The hidden information may be encrypted, but not necessarily – Numerous software applications will do this for you: Many are freely available online
  • 31. CONCLUSION • Use a systematic approach to investigations • Plan a case by taking into account: – Nature of the case – Case requirements – Gathering evidence techniques • Do not forget that every case can go to court • Apply standard problem-solving techniques • Keep track of the chain of custody of your evidence • Produce a final report detailing what you did and found
  • 32. ACKNOWLEDGEMENT • .I wish to thank my faculty members of CSE department ,Dr. Sudhir Chandra Sur Degree Engineering College for guidance and useful suggestions, which helped us a lot in completing the presentation work, in time. We also took help from internet for ideas which made us able to complete this presentation.
  • 35. • . PRESENTED BY: OIESWARYA BHOWMIK SUDESHNA BASAK