
Digital Forensic: Universitas Jember

Digital forensics involves recovering and examining digital evidence from electronic devices to aid legal investigations. It is defined as using computer science to gather electronic data and information for use as legal evidence. A digital forensics expert can restore deleted files and data from computers, phones, USB drives and other media using specialized tools. The expert carefully recovers active files, deleted files, hidden files and encrypted files while maintaining the integrity of the evidence. Recovered data includes files, passwords, photos, emails and other information that can help investigations into crimes, disputes and other legal matters.

Digital Forensic

Yanuar Nurdiansyah S.T., M.Cs.


M. Arief Hidayat M.Kom.

Program Studi Sistem Informasi


Universitas Jember
Forensic
- The application of a broad spectrum of sciences to answer questions of interest to a legal system

Technical Definition: Digital Forensics
“Tools and techniques to recover, preserve, and examine digital evidence on or transmitted by digital devices.”

PLUS data recovery

Quick Facts
- More than 90% of today’s information is created and stored or processed electronically.
- More than 70% are never printed or produced into a hard copy.
- Information can be erased, moved around, or hidden with ease.
- A good forensic examiner can restore or find this missing information.

Definition
- Using computer science to aid in the legal process and to conduct investigations.
- Gathering data for evidence
- Aid police investigations
- Recover data
- Provide testimony in court
- Gather any other information that can be found on digital or electronic media.
- Information gathered can be audio, video, or graphical.

Devices
- Computer systems
- PDAs
- Cell phones
- USB drives
- CD-ROMs
- Laptops
- Any other storage media

When is digital forensics used?
- Property disputes
- Contract disputes
- Fraud or embezzlement
- Wrongful termination
- Sexual harassment suits
- Medical malpractice

What do they do?
- Forensics experts extract both visible and invisible computer data.
- More than simply data recovery:
  - Locate data throughout the system
  - Recover data
  - Responsible for maintaining the integrity of the information found, preventing damage, data corruption, or virus exposure. (All data must be acceptable for use in a court of law.)
  - Results of forensic investigation must be reproducible in such a way that the information is authenticated and reliable
- Work closely with law enforcement, government officials, and attorneys.
- Must be well-versed in relevant case law.

Data Recovery
- A skilled forensic worker can recover all of the files on a computer or storage device:
  - Active files
  - Invisible files
  - Deleted but remaining files
  - Hidden files
  - Encrypted files
  - Password-protected files
- Most information that is gathered is undetectable or unviewable to the average computer user.

Data Recovered
- Digital forensic practitioners are generally concerned with three types of data:
  - Active data: information that is readily available and easily accessed on the computer. Ex: programs, files, and other data used by the operating system.
  - Archival data: data that has been backed up and stored. Ex: hard disks, CDs, USB drives.
  - Latent or ambient data: data that requires special tools or skills to retrieve. Ex: data that has been overwritten or deleted.

Steps for Investigating an Electronic Device

Step 1
- All files that have been deleted or have not yet been overwritten are recovered.
- Computers constantly write data to the hard drive when in use. The operating system overwrites data on the hard drive that is no longer needed or used.
- This data can be retrieved if not completely overwritten.

Step 2
- All data found in special or inaccessible areas of the device are analyzed.
  - Areas of disk that are not currently in use, but have had data previously stored on them.
  - Slack space: unused space at the end of a file where previously created information could be stored.
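
Added example (not part of the original slides): a small Python sketch of Steps 1 and 2 on a constructed in-memory disk image, reading the slack space behind an active file and carving a deleted JPEG from unallocated clusters by its header and footer signatures. The 512-byte cluster size, the image layout and the file contents are assumptions made up for this illustration.

```python
import hashlib

CLUSTER = 512                                      # assumed cluster size of the constructed image
JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"  # JPEG start/end signatures

def build_image():
    """Constructed 6-cluster raw image; cluster 1 is the only allocated one."""
    img = bytearray(CLUSTER * 6)
    # Cluster 1 once held an older file that filled it almost completely.
    img[CLUSTER:2 * CLUSTER] = b"OLD-PAYROLL-RECORD;" * 26 + b"\x00" * 18
    # A newer 200-byte file (hypothetical memo.txt) reuses the cluster's first bytes.
    img[CLUSTER:CLUSTER + 200] = b"M" * 200
    # A deleted photo still sits in unallocated clusters 3-4.
    photo = JPEG_SOI + b"\xe0" + b"deleted-photo-bytes" * 30 + JPEG_EOI
    img[3 * CLUSTER + 40:3 * CLUSTER + 40 + len(photo)] = photo
    return bytes(img)                              # immutable: analysis cannot alter it

def slack_bytes(img, start_cluster, size):
    """Bytes between a file's logical end and the end of its last cluster."""
    end = start_cluster * CLUSTER + size
    cluster_end = -(-end // CLUSTER) * CLUSTER     # round up to a cluster boundary
    return img[end:cluster_end]

def carve_jpegs(img, allocated):
    """Header-to-footer carving of JPEG candidates starting in unallocated clusters."""
    found, pos = [], img.find(JPEG_SOI)
    while pos != -1:
        end = img.find(JPEG_EOI, pos + len(JPEG_SOI))
        if end == -1:
            break                                  # no footer found: nothing complete to carve
        if pos // CLUSTER not in allocated:
            data = img[pos:end + len(JPEG_EOI)]
            # Record offset, length and hash so the finding can be reproduced.
            found.append((pos, len(data), hashlib.sha256(data).hexdigest()))
        pos = img.find(JPEG_SOI, end + len(JPEG_EOI))
    return found

if __name__ == "__main__":
    image = build_image()
    print("image sha256:", hashlib.sha256(image).hexdigest())
    slack = slack_bytes(image, start_cluster=1, size=200)
    print(len(slack), "slack bytes, residue:", slack[9:28])
    for offset, length, digest in carve_jpegs(image, allocated={1}):
        print("carved JPEG at offset", offset, "length", length, "sha256", digest)
```

The slack behind the 200-byte file still holds text from the older file, and the hash recorded for each carved artifact lets a second examiner confirm the same result from the same image.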

Final Step
- Report the analysis of the device or system
  - Provide copies of data collected
  - Arranged into support for legal theories or strategies.
- Often provide expert testimony or advice when necessary.

Tools Used
- Light analyzers
  - Tools that analyze lighting allow forensics practitioners to determine if a photo has been tampered with
- WinHex
  - Data recovery
- Microsoft Log Parser
  - Extract information of almost any format
- PMDump
  - Dumps memory contents of a process into a file without stopping the process (Windows).

Famous Cases
- Dennis Rader
  - Known as BTK killer in Wichita, KS area.
  - Murdered 10 people between 1974 and 1991.
  - Communicated with police through letters for years. Sent a message on a floppy disk in February 2005.
  - Examination of the disk’s properties revealed the words “Dennis” and “Christ Lutheran Church.”
  - DNA tests confirmed him a match and he was arrested 9 days later.
  - Rader was planning his first murder since 1991.

Conclusion
- Digital forensics is a very high tech field
- Can be expensive
- Has immense potential in law enforcement, and especially in the future of law enforcement.
- Field grows in leaps and bounds every day.

REF
http://web.presby.edu/~phmeeker/classes/pc/CSC201/Projects/Brett%20Garrison%20Digital%20Forensics.ppt

THANK YOU
