IO
Uploaded byibraheem ogundele
218 views

Computer forensic

This document discusses computer forensics and its importance. It begins by defining computer forensics as the process of identifying, preserving, analyzing, and presenting digital evidence. It then describes the four main components of computer forensics as identifying evidence, preserving evidence integrity, analyzing evidence, and presenting evidence in a legally acceptable manner. The document emphasizes that computer forensics is important for recovering lost or deleted data, advising on data security, examining computer usage, investigating technical crimes, and presenting evidence in court. It outlines the standard computer forensics methodology and process of acquiring, identifying, evaluating, and presenting digital evidence.

Embed presentation

Downloaded 11 times
INTRODUCTION COMPUTER FORENSICS “Forensic computing is the process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable.”(Rodney Mckemmish 1999). From the above definition we can clearly identify four components:- IDENTIFYING This is the process of identifying things such as what evidence is present, where and how it is stored, and which operating system is being used. From this information the investigator can identify the appropriate recovery methodologies, and the tools to be used. PRESERVING This is the process of preserving the integrity of digital evidence, ensuring the chain of custody is not broken. The data needs to preserved (copied) on stable media such as CD-ROM, using reproducible methodologies. All steps taken to capture the data must be documented. Any changes to the evidence should be documented, including what the change was and the reason for the change. You may need to prove the integrity of the data in the court of law. ANALYSING This is the process of reviewing and examining the data. The advantage of copying this data onto CD-ROMs is the fact it can be viewed without the risk of accidental changes, therefore maintaining the integrity whilst examining the changes PRESENTING This is the process of presenting the evidence in a legally acceptable and understandable manner. If the matter is presented in court the jury who may have little or no computer experience, must all be able to understand what is presented and how it relates to the original, otherwise all efforts could be futile. Far more information is retained on the computer than most people realize. Its also more difficult to completely remove information than is generally thought. For these reasons (and many more), computer forensics can often find evidence or even completely recover, lost or deleted information, even if the information was intentionally deleted. The goal of computer forensics is to retrieve the data and interpret as much information about it as possible as compared to data recovery where the goal is to retrieve the lost data. WHAT IS COMPUTER FORENSICS? Computer forensics is simply the application of disciplined investigative techniques in the automated environment and the search, discovery, and analysis of potential evidence. It is the method used to investigate and analyze data maintained on or retrieved from electronic data storage media for the purposes of presentation in a court of law, civil or administrative proceeding. Evidence may be sought in a wide range of computer crime or misuse cases. Computer forensics is rapidly becoming a science recognized on a par with other forensic sciences by the legal and law enforcement communities. As this trend continues, it will become even more important to handle and examine computer evidence properly. Not every department or organization has the resources to have trained computer forensic specialists on staff. History of Computer Forensics Michael Anderson  “Father of computer forensics”  special agent with IRS Meeting in 1988 (Portland, Oregon)  creation of IACIS, the International Association of Computer Investigative Specialists  the first Seized Computer Evidence Recovery Specialists (SCERS) classes held
NEED FOR COMPUTER FORENSICS Purpose The purpose of computer forensics is mainly due to the wide variety of computer crimes that take place. In the present technological advancements it is common for every organization to employ the services of the computer forensics experts. There are various computer crimes that occur on small scale as well as large scale. The loss caused is dependent upon the sensitivity of the computer data or the information for which the crime has been committed. The computer forensics has become vital in the corporate world. There can be theft of the data from an organization in which case the organization may sustain heavy losses. For this purpose computer forensics are used as they help in tracking the criminal. The need in the present age can be considered as much severe due to the internet advancements and the dependency on the internet. The people that gain access to the computer systems with out proper authorization should be dealt in. The network security is an important issue related to the computer world. The computer forensics is a threat against the wrong doers and the people with the negative mindsets. The computer forensics is also efficient where in the data is stored in a single system for the backup. The data theft and the intentional damage of the data in a single system can also be minimized with the computer forensics. There are hardware and software that employ the security measures in order to track the changes and the updating of the data or the information. The user information is provided in the log files that can be effectively used to produce the evidence in case of any crime a legal manner. The main purpose of the computer forensics is to produce evidence in the court that can lead to the punishment of the actual. The forensic science is actually the process of utilizing the scientific knowledge for the purpose of collection, analysis, and most importantly the presentation of the evidence in the court of law. The word forensic itself means to bring to the court. The need or the importance of the computer forensics is to ensure the integrity of the computer system. The system with some small measures can avoid the cost of operating and maintaining the security. The subject provides in depth knowledge for the understanding of the legal as well as the technical aspects of computer crime. It is very much useful from a technical stand point, view. The importance of computer forensics is evident in tracking the cases of the child pornography and email spamming. The computer forensics has been efficiently used to track down the terrorists from the various parts of the world. The terrorists using the internet as the medium of communication can be tracked down and their plans can be known. There are many tools that can be used in combination with the computer forensics to find out the geographical information and the hide outs of the criminals. The IP address plays an important role to find out the geographical position of the terrorists. The security personnel deploy the effective measures using the computer forensics. The Intrusion Detecting Systems are used for that purpose. Why is Computer Forensics Important? Adding the ability to practice sound computer forensics will help you ensure the overall integrity and survivability of your network infrastructure. You can help your organization if you consider computer forensics as a new basic element in what is known as a “defense-in-depth”1 approach to network and computer security. For instance, understanding the legal and technical aspects of computer forensics will help you capture vital information if your network is compromised and will help you prosecute the case if the intruder is caught. Two basic types of data are collected in computer forensics. (a) Persistent data (b) Volatile data. Computer forensics helps the organization in the following way:-  RECOVER DATA THAT YOU THOUGHT WAS LOST FOREVER:- Computers systems may crash, files may be accidentally deleted, disks may accidentally be reformatted, viruses may corrupt files, file may be accidentally overwritten, and disgruntled employees may try to destroy your files. All of this can lead to loss of your critical data, but computer forensic experts should be able to employ the latest tools and techniques to recover your data.
 ADVICE YOU ON HOW TO KEEP YOUR DATA AND INFORMATION SAFE FROM THEFT OR ACCIDENTAL LOSS:- Business today relies on computers. Your sensitive records and trade secrets are vulnerable to intentional attacks from, for e.g. hackers, disgruntled employees, viruses, etc. also unintentional loss of data due to accidental deletion, h/w or s/w crashes are equally threatening. Computer forensic experts can advise you on how to safeguard your data by methods such as encryption and back-up.  EXAMINE A COMPUTER TO FIND OUT WHAT ITS USER HAS BEEN DOING:- Whether you’re looking for evidence in a criminal prosecution, looking for evidence in a civil suit, or determining exactly what an employee has been up to. Your computer forensics expert should be equipped to find and interpret the clues left behind.  SWEEP YOUR OFFICE FOR LISTNENING DEVICES:- There are various micro-miniature recording and transmitting devices available in todays hi-tech world. The computer forensic expert should be equipped to conduct thorough electronic countermeasure (ECM) sweeps of your premises.  HI-TECH INVESTIGATION:- The forensic expert should have the knowledge and the experience to conduct hi-tech investigations involving cellular cloning, cellular subscription fraud, s/w piracy, data or information theft, trade secrets, computer crimes, misuse of computers by employees, or any other technology issue. 2.4 Advantage of Computer Forensics:- The main task or the advantage from the computer forensic is to catch the culprit or the criminal who is involved in the crime related to the computers. Computer Forensics deals extensively to find the evidence in order to prove the crime and the culprit behind it in a court of law. The forensics provides the organization with a support and helps them recover their loss. The important thing and the major advantage regarding the computer forensics is the preservation of the evidence that is collected during the process. The protection of evidence can be considered as critical. The ethicality can be considered as an advantage of the forensics in computer systems. At last the computer forensics has emerged as important part in the disaster recovery management COMPUTER FORENSIC METHODOLOGY Methods Used:- According to many professionals, Computer Forensics is a four (4) step process Acquisition Physically or remotely obtaining possession of the computer, all network mappings from the system, and external physical storage devices. Identification This step involves identifying what data could be recovered and electronically retrieving it by running various Computer Forensic tools and software suites. Evaluation Evaluating the information/data recovered to determine if and how it could be used againthesuspect for employment termination or prosecution in court.
Presentation This step involves the presentation of evidence discovered in a manner which is understood by lawyers, non- technically staff/management, and suitable as evidence as determined by United States and internal laws COMPUTER FORENSIC PROCESS:- As in any investigation, establishing that an incident has occurred is the first key step. Secondly, the incident needs to be evaluated to determine if computer forensics may be required. Generally, if the computer incident resulted in a loss of time or money, or the destruction or compromise of information, it will require the application of computer forensic investigative techniques. When applied, the preservation of evidence is the first rule in the process. Failure to preserve evidence in its original state could jeopardize the entire investigation. Knowledge of how the crime was initiated and committed may be lost for good. Assignment of responsibility may not be possible if evidence is not meticulously and diligently preserved. The level of training and expertise required to execute a forensics task will largely depend on the level of evidence required in the case. If the result of the investigation were limited to administrative actions against an employee, the requirement would be lower than taking the case to court for civil or criminal litigation. Approach to retrieve the evidence:- The following steps should be taken:- Shut Down the Computer Depending upon the computer operating system involved, this usually involves pulling the plug or shutting down a net work computer using relevant operating system commands. At the option of the computer specialists, pictures of the screen image can be taken using a camera. However, consideration should be given to possible destructive processes that may be operating in the background. These can be resident in memory or available through a modem or network connection. Depending upon the operating system involved, a time delayed password protected screen saver may potentially kick in at any moment. This can complicate the shutdown of the computer. Generally, time is of the essence and the computer system should be shut down or powered down as quickly as possible. Transport the Computer System to A Secure Location This may seem basic but all too often seized evidence computers are stored in less than secure locations. It is imperative that the subject computer is treated as evidence and it should be stored out of reach of curious computer users. All too often, individuals operate seized computers without knowing that they are destroying potential computer evidence and the chain of custody. Furthermore, a seized computer left unintended can easily be compromised. Evidence can be planted on it and crucial evidence can be intentionally destroyed. A lack of a proper chain of custody can 'make the day' for a savvy defense attorney. Lacking a proper chain of custody, how can you say that relevant evidence was not planted on the computer after the seizure? The answer is that you cannot. Do not leave the computer unattended unless it is locked in a secure location! NTI provides a program named Seized to law enforcement computer specialists free of charge. It is also made available to NTI's business and government in various suites of software that are available for purchase. The program is simple but very effective in locking the seized computer and warning the computer operator that the computer contains evidence and should not be operated Make Bit Stream Backups of Hard Disks and Floppy Disks The computer should not be operated and computer evidence should not be processed until bit stream backups have been made of all hard disk drives and floppy disks. All evidence processing should be done on a restored copy of the bit stream backup rather than on the original computer. The original evidence should be left untouched unless compelling circumstances exist. Preservation of computer evidence is vitally important. It is fragile and can easily be altered or destroyed. Often such alteration or destruction of data is irreversible. Bit stream backups are much like an insurance policy and they are essential for any serious computer evidence processing. Mathematically Authenticate Data on All Storage Devices You want to be able to prove that you did not alter any of the evidence after the computer came into your possession. Such proof will help you rebut allegations that you changed or altered the original evidence. Since 1989, law
enforcement and military agencies have used a 32 bit mathematical process to do the authentication process. Mathematically, a 32 bit data validation is accurate to approximately one in 4.3 billion. However, given the speed of today's computers and the vast amount of storage capacity on today's computer hard disk drives, this level of accuracy is no longer accurate enough. A 32 bit CRC can easily be compromised. Therefore, NTI includes two programs in its forensic suites of tools that mathematically authenticate data with a high level of accuracy. Large hashing number, provides a mathematical level of accuracy that is beyond question. These programs are used to authenticate data at both a physical level and a logical level. The programs are called CrcMD5 and DiskSig Pro. The latter program was specifically designed to validate a restored bit stream backup and it is made available free of charge to law enforcement computer specialists as part of NTI's Free Law Enforcement Suite. The programs are also included in our various suites of forensic software which are sold NTI's clients. Document the System Date and Time The dates and times associated with computer files can be extremely important from an evidence standpoint. However, the accuracy of the dates and times is just as important. If the system clock is one hour slow because of daylight- saving time, then file time stamps will also reflect the wrong time. To adjust for these inaccuracies, documenting the system date and time settings at the time the computer is taken into evidence is essential. Make a List of Key Search Words Because modern hard disk drives are so voluminous, it is all but impossible for a computer specialist to manually view and evaluate every file on a computer hard disk drive. Therefore, state-of-the-art automated forensic text search tools are needed to help find the relevant evidence. Evaluate the Windows Swap File The Windows swap file is potentially a valuable source of evidence and leads. The evaluation of the swap file can be automated with several of NTI's forensic tools, e.g., NTA Stealth, Filter_N, FNames, Filter_G, GExtract and GetHTML. These intelligent filters automatically identifies patterns of English language text, phone numbers, social security numbers, credit card numbers, Internet E-Mail addresses, Internet web addresses and names of people. REQUIRMENTS AND ANALYSIS The Tools:- The tools developed perform the following functions:  Analysing a hard disk and detecting HPAs, DCOs and bad sectors with a reasonable degree of accuracy  Creating a bit stream image of a hard disk and verifying the copy  Mapping the systems logical partitions and locating hidden data with a reasonable degree of accuracy.  Locating file contained in a file system, recovering deleted file where possible, and recon-structing fragmented files.  Displaying the contents of an encrypted file (where possible) and at least identify that the file is encrypted,  Reconstructing computer events which occurred before a crime was committed.  Detecting the use of steganographic methods, with reasonable accuracy, and extracting the data hidden using those methods.
5.1.1 Partition Analysis:- Once an image has been acquired it is then necessary to find and recover deleted (and undeleted) files. However these files will be contained inside a file system so it is obviously necessary to find the file system before this can happen. File systems, on most systems, are contained inside partitions of which there may be several so the first step is to be able to analyse the partitioning formation. This is why the next tool to be developed will be a partition analysis tool. The first, and most obvious, requirement of the partition analysis tool is that it must be able to map the partitions and present the information to the user. However the partition table (for many systems) is contained inside the first sector of the disk, therefore it will be necessary for the tool to know how many bytes are in a sector so that it knows how many bytes to read. This information will have been gathered and stored by the disk imaging tool so the first step of analyzing a partition will be to parse the disk information file to find the information required for the analysis. It will also be necessary to find the size of the disk from this file for use when finding slack space. During a computer forensics investigation every procedure and result must be well documented. The tool should therefore also be able to store the partition information in a log file along with the date and time the analysis was carried out. When presenting the information to the user it might be helpful to display the information in a diagram to make the data easier to understand although this isn't a critical requirement. The tool must be able to detect volume and partition slack, record the location of this slack space and record this information in the appropriate log file along with the reason for identifying it as slack space. This reason would consist of the total size of the partitions in the volume compared to the total size of the volume. There may be occasions when one or more of the partition tables are corrupted and can't be used. The tool should be able to identify that some of the tables are unusable, make a note of which tables are missing, and then recover the partition information using other methods such as searching for known signatures. In the literature review I mentioned that searching for signatures often yields many false results. The tool should make a note of all the results in the appropriate log and then filter out the results which are definitely false, again noting these results in the log along with reasons why they're false. The remaining results which may be positive should be recorded in a log.
There are many different partitioning systems and MS-DOS is just one example, modern 64-bit systems and some Unix/Linux systems use completely different methods. The system being developed is simply an example system so only be 1 Get Partition Info. The system must be able together the partition information from the specified disk image. This information must include the type and address of each partition the image contained. The gathered data should be displayed to the user if requested and also saved in a specified file. Essential Parse Disk Info Map Partition Analyse slack Write Log File Space Locate Partition Table Analyse Enteries Calculate Total Partition Compare to volume report Size size discrepancies Requirement No. Name Description Type Fig 5.1.Task Hierarchy for the Partition Analysis Tool
2 Create Analysis Log. The system should be able to create a log of the analysis highlighting why particular results were obtained. Optional Partition Analysis Tool Requirements File System Analysis:- Now that the file systems have been found the tool should now be able to analyze them and recover files. There may be many file systems and the user may only want to analyze data from one of these file systems. Therefore the first requirement of the tool will be to parse the partition information file created by the partition analysis tool and present the user with a choice of file systems to analyze. The initial requirement for the file system tool is to be able to record the type of file system (i.e. FAT, NTFS etc.) and the directory structure it contains for all current non deleted files. This information should both be stored in the log file and presented to the user. Again it could be helpful if the information was presented to the user in the form of a diagram but this isn't a critical requirement as the user should be able to quite easily understand directory listings. The tool must also record basic file system information such as the number of sectors per cluster, the size of the file system and other file system specific information. The tool must record which clusters are marked as good and which are marked as bad. The bad clusters should be analyzed for possible evidence although this will depend on the kind of information the user is searching for. In other words the tool should include bad sectors in any searches. One problem is that many file systems, such as FAT and NTFS, store files in clusters rather than sectors and it will be necessary to identify these clusters before the files can be recovered. File system generally have data structures which contain this information along with other general file system information such as the date it was created that might be useful to an investigation. It is therefore necessary for the tool to be capable of analyzing the appropriate data structure(s) and presenting the information to a user. Now that the basic file system information is known files containing evidence can be recovered. Whilst there has been some work on creating models for automated analysis of file systems some user interaction is still required. The user must be able to search the directory structure for files with names containing specified keywords or files with contents matching specified keywords. The tool must also provide the option of searching for specific file types which should be located by using both the extension in the file name and the file's signature, although if the values don't match then the signature should be trusted rather than the extension. The details of the search should be noted in the log (i.e. the keywords, the file types searched for, the date and time of the search etc.) along with the results which will contain the file name and directory address. It is necessary to be able to search for files because a typical system could contain hundreds, or thousands, of files which may need to be analyzed in detail to determine if they can be considered as evidence. If an investigator could fully examine a text/pdf file in 30 minutes and the system contained 1000 files, many of which are irrelevant for the investigation, then it would take over 20 days to be able to gather the required evidence. Alternatively searching for files containing certain keywords is more likely to find the relevant files more quickly than manually searching. The tool should be able to find and recover a reasonable amount of hidden data from the file system. It will do this by first identifying possible locations in which data could be hidden and then recording these locations in the log along with reasons why they were identified. One example of this might be when the number of sectors in the file system isn't divisible by the number of sectors per cluster. These locations will also be used during the searches conducted by the user. As the data being analyzed is simply a binary file containing the disk image it will be difficult for the user to view a file's contents by just using this image file. The tool must therefore be capable of extracting the bits from the image which correspond to the file the user wants to view and place them in a file of an appropriate type, e.g. extract the bits of a jpeg image and place them into an empty jpeg file. I have managed to create a program which can place extracted bit into an empty file although it is currently necessary for the user to input the type of the file. The tool must be capable of recovering a reasonable amount of deleted data from the system. The term reasonable is used here as some data cannot be recovered without use of specialist equipment which I won't have access to. The details of the recovered files, including their original directory address, must be stored in the log and be presented to the user. It should be noted that some of the data may have originated from other locations such as slack space or the windows swap file in which case the directory address stored would refer to these locations. The tool must allow the
user to conduct the same sort of searches as with non-deleted data. It must also identify cases where data wiping software has been used and record the signature of the tool and locations which the tool has wiped. COMPUTER FORENSICS SERVICES There are many different areas of computers where in the services of computer forensics is employed. Most of computer forensics services provide useful services to an organization. It is very much useful in professional environment where the requirement is quite high. Computer forensics services also include investigative assistance. The computer forensics is also important in corporate consulting. Forensic data recovery – FDR is also a part of computer forensics. Incident Response Systems also play a part of computer forensics. The services of computer forensics are availed in private as well as government organizations. The secrecy or the privacy of organization is important in some cases where it is maintained as per expectations. Some of important fields where in the services of computer forensics can be applied include the following. Incident response systems and internal investigations can be done using the computer forensics. Computer forensics is extensively used in criminal as well as civil litigations. There are many laws that provide the support to a computer forensic. Another aspect of computer forensics is the electronic document discovery. Data recovery in itself is a large topic. But sometime it is referred to as a part of computer forensic. Security risk management can also be carried out using the computer forensic tools. The services provided by the computer forensics are the development of the plans to gather the electronic evidence. Computer forensic can be used for its services to support criminal and civil warrants. Also the computer forensics is useful in electronic discovery requests. Even computer forensics investigation is beneficent for the purpose of identification, acquisition, preservation, analysis and reporting of digital evidence. The digital evidence may be from desktop computers, laptops, storage servers, or any type of removable storage devices. The services are also available for dispute resolution and to provide an expert witness testimony. In the event of conducting the audits also its services can be availed. These audits may involve remote or even network analysis. The compliance of proactive reviews as well as risk assessment and even for the investigation of specific allegations the services of computer forensics can be availed. In case of corporate consultations the services provided by the computer forensics professional include the development of in house standards. Also the protection of intellectual property is a major service. The protection of corporate assets is also a service of computer forensics. The consultation of computer forensic can be provided to adhere to the legislation involving federal and provincial privacy. The electronic file retention policies are also a part of consultancy services of computer forensics. Apart from all these services, the computer forensics can be even applied for individual case studies involving personal issues. Even the services of computer forensics can be used for data recovery problems. Intentional misuse of privacy or personal information can be considered as a legal case with the help of computer forensics. APPLICATION OF COMPUTER FORENSICS System forensics is not different from any other forensic science when it comes to application. It can be applied to any activity, where other mainstream traditional forensics such as DNA mapping is used, if there has been an involvement of a system or computer in the event. Some of the common applications of computer forensics are:-  FINANCIAL FRAUD DETECTION:- Corporates and banks can be detect financial frauds with the help of evidence collected from systems. Also, insurance companies can detect possible fraud in accident, arson, and workman’s compensation cases with the help of computer evidence.  CRIMINAL PROSECUTION:- Prosecutors can use computer evidence to establish crimes such as homicides, drug and false record-keeping, financial frauds, and child pornography in the court of law.  CIVIL LITIGATION:- Personal and business records found on the computer systems related to fraud, discrimination, and harassment cases can be used in civil litigations.  “CORPORATE SECURITY POLICY AND ACCEPTABLS USE VIOLATIONS”:-
A lot of computer forensic work done is to support management and human resources (HR) investigations of employee abuse. Besides cyber crimes and system crimes, criminals use computers for other criminal activities. In such cases, besides the traditional forensics, system forensic investigation also plays a vital role. CONCLUSION With computers becoming more and more involved in our everyday lives, both professionally and socially, there is a need for computer forensics. This field will enable crucial electronic evidence to be found, whether it was lost, deleted, damaged, or hidden, and used to prosecute individuals that believe they have successfully beaten the system. The computer forensic needs and challenges can be accomplished only with the cooperation of the private, public, and international sectors. All stakeholders must be more willing to exchange information on the effect economic and cyber-crime has on them and the methods they are using to detect and prevent it. REFERENCES • www.google.com • www.wikipedia.com www.studymafia.org

More Related Content

PDF
4.content (computer forensic)
byJIEMS Akkalkuwa
 
PDF
Chfi V3 Module 01 Computer Forensics In Todays World
bygueste0d962
 
PPTX
computer forensics
byVaibhav Tapse
 
PPT
Codebits 2010
byTiago Henriques
 
PPTX
computer forensics
byshivi123456
 
PPTX
Lect 1 computer forensics
byKabul Education University
 
PPTX
Case study on Physical devices used in Computer forensics.
byVishal Tandel
 
PPTX
Computer forensics
bydeaneal
 
4.content (computer forensic)
byJIEMS Akkalkuwa
 
Chfi V3 Module 01 Computer Forensics In Todays World
bygueste0d962
 
computer forensics
byVaibhav Tapse
 
Codebits 2010
byTiago Henriques
 
computer forensics
byshivi123456
 
Lect 1 computer forensics
byKabul Education University
 
Case study on Physical devices used in Computer forensics.
byVishal Tandel
 
Computer forensics
bydeaneal
 

What's hot

PPT
Role of a Forensic Investigator
byAgape Inc
 
PPTX
Evidence and data
byAtul Rai
 
PPT
Secure Computer Forensics and its tools
byKathirvel Ayyaswamy
 
PPTX
Computer forensics powerpoint presentation
bySomya Johri
 
PDF
FORENSIC COMPUTING MODELS: TECHNICAL OVERVIEW
bycscpconf
 
PDF
Cyber forensics and auditing
bySweta Kumari Barnwal
 
PDF
Computer Forensic
byNovizul Evendi
 
PPT
Legal aspects of handling cyber frauds
bySagar Rahurkar
 
PDF
Cyber forensic readiness cybercon2012 adv j fick
byJacqueline Fick
 
PPTX
Cyber forensic-Evedidence collection tools
byN.Jagadish Kumar
 
PPTX
Computer forensics
byRamesh Ogania
 
PDF
Computer and Cyber forensics, a case study of Ghana
byMohammed Mahfouz Alhassan
 
PDF
An introduction to cyber forensics and open source tools in cyber forensics
byZyxware Technologies
 
PDF
Computer forensic
bySinggih Prasetya
 
DOCX
R15 a0533 cf converted
bylillian Kobusingye
 
PDF
Computer Forensics-An Introduction of New Face to the Digital World
byrahulmonikasharma
 
PPTX
Business Intelligence (BI) Tools For Computer Forensic
byDhiren Gala
 
PDF
Ce hv6 module 57 computer forensics and incident handling
byVi Tính Hoàng Nam
 
PPTX
Search Inform DLP
bySergei Yavchenko
 
PDF
Computer forencis
byTeja Bheemanapally
 
Role of a Forensic Investigator
byAgape Inc
 
Evidence and data
byAtul Rai
 
Secure Computer Forensics and its tools
byKathirvel Ayyaswamy
 
Computer forensics powerpoint presentation
bySomya Johri
 
FORENSIC COMPUTING MODELS: TECHNICAL OVERVIEW
bycscpconf
 
Cyber forensics and auditing
bySweta Kumari Barnwal
 
Computer Forensic
byNovizul Evendi
 
Legal aspects of handling cyber frauds
bySagar Rahurkar
 
Cyber forensic readiness cybercon2012 adv j fick
byJacqueline Fick
 
Cyber forensic-Evedidence collection tools
byN.Jagadish Kumar
 
Computer forensics
byRamesh Ogania
 
Computer and Cyber forensics, a case study of Ghana
byMohammed Mahfouz Alhassan
 
An introduction to cyber forensics and open source tools in cyber forensics
byZyxware Technologies
 
Computer forensic
bySinggih Prasetya
 
R15 a0533 cf converted
bylillian Kobusingye
 
Computer Forensics-An Introduction of New Face to the Digital World
byrahulmonikasharma
 
Business Intelligence (BI) Tools For Computer Forensic
byDhiren Gala
 
Ce hv6 module 57 computer forensics and incident handling
byVi Tính Hoàng Nam
 
Search Inform DLP
bySergei Yavchenko
 
Computer forencis
byTeja Bheemanapally
 

Viewers also liked

PPTX
Chapter 3 cmp forensic
byshahhardik27
 
PDF
retail idea
bydeepshikha gupta
 
DOC
Profile
byRamesh Rai
 
PDF
WSTIAC Article One
byJeff Widder
 
PPTX
Book ppt
byNeha Kumari
 
PDF
Bp888
byVladislav Mitrofanov
 
PPTX
A2 Media - Planning Media Technologies
bywhu27
 
PDF
catalogue
byParis Swainston
 
PDF
Dog Litter
byKeep Thailand Beautiful
 
DOC
Nozipho Ngwane Updated CV
byNozipho Ngwane
 
PPTX
Slide share presentacion
byJüän Müñöz Gütïërrëz
 
PDF
Top 10 Indoor Places to Play in Kentuckiana
byMegan Harlan
 
PDF
Instructivos para presentacion_desarrollo_trabajos_de_grado(1) ute
byConsuelo Medina Correa, Mg
 
PDF
Parkour
byAgredoOo
 
PPTX
Powerpoint Presentation for ITE212L
byklegaria
 
PPTX
womens pro soccer
byNeha Kumari
 
PDF
Project recycling presentation revision
byKeep Thailand Beautiful
 
PDF
J. Lipid Res.-2011-Blade-237-44
byAnna Blade Griffis
 
PDF
2008 9combinepdf
bymadhesi
 
Chapter 3 cmp forensic
byshahhardik27
 
retail idea
bydeepshikha gupta
 
Profile
byRamesh Rai
 
WSTIAC Article One
byJeff Widder
 
Book ppt
byNeha Kumari
 
Bp888
byVladislav Mitrofanov
 
A2 Media - Planning Media Technologies
bywhu27
 
catalogue
byParis Swainston
 
Dog Litter
byKeep Thailand Beautiful
 
Nozipho Ngwane Updated CV
byNozipho Ngwane
 
Slide share presentacion
byJüän Müñöz Gütïërrëz
 
Top 10 Indoor Places to Play in Kentuckiana
byMegan Harlan
 
Instructivos para presentacion_desarrollo_trabajos_de_grado(1) ute
byConsuelo Medina Correa, Mg
 
Parkour
byAgredoOo
 
Powerpoint Presentation for ITE212L
byklegaria
 
womens pro soccer
byNeha Kumari
 
Project recycling presentation revision
byKeep Thailand Beautiful
 
J. Lipid Res.-2011-Blade-237-44
byAnna Blade Griffis
 
2008 9combinepdf
bymadhesi
 

Similar to Computer forensic

PDF
A Review on Recovering and Examining Computer Forensic Evidences
byBRNSSPublicationHubI
 
PPT
01 computer%20 forensics%20in%20todays%20world
byAqib Memon
 
PPTX
Computer forensic
byShashi Mishra
 
PPTX
Computer Forensics (1).pptx
byGautam708801
 
PDF
Cyber Forensics Module 1
byManu Mathew Cherian
 
PPTX
Computer forensic ppt
byPriya Manik
 
PDF
computerforensicppt-160201192341.pdf
byGnanavi2
 
PPT
Computer forensics 1
byJinalkakadiya
 
PPT
Lecture 4,5, 6 comp forensics 19 9-2018 basic security
byAlchemist095
 
PDF
III year VI sem CYber forensics material
byprakashv818087
 
PPT
Computer forensics
byLalit Garg
 
PPTX
Computer Forensics ppt
byOECLIB Odisha Electronics Control Library
 
PPTX
ppt on computer forensic concept and types
bys48ourabh
 
DOCX
Project_Paper_ISSC455_Intindolo
byJohn Intindolo
 
PDF
cyber forensics notes presentation chp1.pdf
byanupamapadhi04
 
PPT
Introduction to Computer Forensics for all streams.
byMayuraD1
 
PDF
FINAL_MSCIT_CYBER_FORENSICS_NOTES_SEM_IV_PROFAJAYPASHANKAR.pdf
byajay pashankar
 
PPTX
Digital&computforensic
byRahul Badekar
 
PPT
cyber forensics - TYPES OF CYBER FORENSICS.ppt
bymcjaya2024
 
PPTX
computer forensics by amritanshu kaushik
byamritanshu4u
 
A Review on Recovering and Examining Computer Forensic Evidences
byBRNSSPublicationHubI
 
01 computer%20 forensics%20in%20todays%20world
byAqib Memon
 
Computer forensic
byShashi Mishra
 
Computer Forensics (1).pptx
byGautam708801
 
Cyber Forensics Module 1
byManu Mathew Cherian
 
Computer forensic ppt
byPriya Manik
 
computerforensicppt-160201192341.pdf
byGnanavi2
 
Computer forensics 1
byJinalkakadiya
 
Lecture 4,5, 6 comp forensics 19 9-2018 basic security
byAlchemist095
 
III year VI sem CYber forensics material
byprakashv818087
 
Computer forensics
byLalit Garg
 
Computer Forensics ppt
byOECLIB Odisha Electronics Control Library
 
ppt on computer forensic concept and types
bys48ourabh
 
Project_Paper_ISSC455_Intindolo
byJohn Intindolo
 
cyber forensics notes presentation chp1.pdf
byanupamapadhi04
 
Introduction to Computer Forensics for all streams.
byMayuraD1
 
FINAL_MSCIT_CYBER_FORENSICS_NOTES_SEM_IV_PROFAJAYPASHANKAR.pdf
byajay pashankar
 
Digital&computforensic
byRahul Badekar
 
cyber forensics - TYPES OF CYBER FORENSICS.ppt
bymcjaya2024
 
computer forensics by amritanshu kaushik
byamritanshu4u
 

Recently uploaded

PPTX
History in your Hands Class 2 November 2025.pptx
byEilsONeill
 
PPTX
An inclusive AI - Supporting students with special education needs by Andreas...
byEduSkills OECD
 
PPTX
Unit 7- Organ Function Test(Biochemical parameters.
byAkanksha Kotangale
 
PDF
ENVIRONMENTAL SERVICES PROVIDERS ASSOCIATION.pdf
bynservice241
 
PPTX
Shiro Bhedas - Head movements .pptx
bysatyavaani
 
PDF
2025 Caribbean Examinations Council CAPE Merit List
byCaribbean Examinations Council
 
PPTX
Overview of Cash on delivery in Odoo 19
byCeline George
 
PPTX
How to configure Client action in odoo 18
byCeline George
 
PPTX
Merge similar leads and opportunities in Odoo 18 CRM
byCeline George
 
PPTX
What is Scheduled Actions in Odoo 18
byCeline George
 
PDF
BP605 T PHARMACEUTICAL BIOTECHNOLOGY UNIT 3 PART 1
byRushiMandali
 
PDF
Guidelines for Management of Libraries: KVS Library Policy-2025
byBISWA BAG
 
PPTX
PLAY-IMPORTANCE OF PLAY,FUNCTIONS OF PLAY AND TYPES
byBHUVANESHWARI BADIGER
 
PPTX
Gender, School and Society - B.Ed Course
byRejoshaRajendran
 
PDF
JRF Plant Science Syllabus | Complete Unit-Wise Discussion & Preparation Stra...
bySatyam Sharma
 
PPTX
NMR Spectroscopy M.Pharm 1st Semester, Pharmacy
bySaurabh Dubey
 
PPTX
THERAPEUTIC COMMUNICATION for 2nd year GNM, 2ND YEAR P.B.B.SC NSG, 5TH SEM B....
byparmarjuli1412
 
PPTX
major drivers of biodiversity change.pptx
byKajal Kashyap
 
PDF
ARS Nematology Syllabus | Complete Unit-wise Topics, Booklist & Preparation S...
bySatyam Sharma
 
PPTX
Duplication of Records in Odoo 18.1 Studio
byCeline George
 
History in your Hands Class 2 November 2025.pptx
byEilsONeill
 
An inclusive AI - Supporting students with special education needs by Andreas...
byEduSkills OECD
 
Unit 7- Organ Function Test(Biochemical parameters.
byAkanksha Kotangale
 
ENVIRONMENTAL SERVICES PROVIDERS ASSOCIATION.pdf
bynservice241
 
Shiro Bhedas - Head movements .pptx
bysatyavaani
 
2025 Caribbean Examinations Council CAPE Merit List
byCaribbean Examinations Council
 
Overview of Cash on delivery in Odoo 19
byCeline George
 
How to configure Client action in odoo 18
byCeline George
 
Merge similar leads and opportunities in Odoo 18 CRM
byCeline George
 
What is Scheduled Actions in Odoo 18
byCeline George
 
BP605 T PHARMACEUTICAL BIOTECHNOLOGY UNIT 3 PART 1
byRushiMandali
 
Guidelines for Management of Libraries: KVS Library Policy-2025
byBISWA BAG
 
PLAY-IMPORTANCE OF PLAY,FUNCTIONS OF PLAY AND TYPES
byBHUVANESHWARI BADIGER
 
Gender, School and Society - B.Ed Course
byRejoshaRajendran
 
JRF Plant Science Syllabus | Complete Unit-Wise Discussion & Preparation Stra...
bySatyam Sharma
 
NMR Spectroscopy M.Pharm 1st Semester, Pharmacy
bySaurabh Dubey
 
THERAPEUTIC COMMUNICATION for 2nd year GNM, 2ND YEAR P.B.B.SC NSG, 5TH SEM B....
byparmarjuli1412
 
major drivers of biodiversity change.pptx
byKajal Kashyap
 
ARS Nematology Syllabus | Complete Unit-wise Topics, Booklist & Preparation S...
bySatyam Sharma
 
Duplication of Records in Odoo 18.1 Studio
byCeline George
 

Computer forensic

  • 1.
    INTRODUCTION COMPUTER FORENSICS “Forensic computingis the process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable.”(Rodney Mckemmish 1999). From the above definition we can clearly identify four components:- IDENTIFYING This is the process of identifying things such as what evidence is present, where and how it is stored, and which operating system is being used. From this information the investigator can identify the appropriate recovery methodologies, and the tools to be used. PRESERVING This is the process of preserving the integrity of digital evidence, ensuring the chain of custody is not broken. The data needs to preserved (copied) on stable media such as CD-ROM, using reproducible methodologies. All steps taken to capture the data must be documented. Any changes to the evidence should be documented, including what the change was and the reason for the change. You may need to prove the integrity of the data in the court of law. ANALYSING This is the process of reviewing and examining the data. The advantage of copying this data onto CD-ROMs is the fact it can be viewed without the risk of accidental changes, therefore maintaining the integrity whilst examining the changes PRESENTING This is the process of presenting the evidence in a legally acceptable and understandable manner. If the matter is presented in court the jury who may have little or no computer experience, must all be able to understand what is presented and how it relates to the original, otherwise all efforts could be futile. Far more information is retained on the computer than most people realize. Its also more difficult to completely remove information than is generally thought. For these reasons (and many more), computer forensics can often find evidence or even completely recover, lost or deleted information, even if the information was intentionally deleted. The goal of computer forensics is to retrieve the data and interpret as much information about it as possible as compared to data recovery where the goal is to retrieve the lost data. WHAT IS COMPUTER FORENSICS? Computer forensics is simply the application of disciplined investigative techniques in the automated environment and the search, discovery, and analysis of potential evidence. It is the method used to investigate and analyze data maintained on or retrieved from electronic data storage media for the purposes of presentation in a court of law, civil or administrative proceeding. Evidence may be sought in a wide range of computer crime or misuse cases. Computer forensics is rapidly becoming a science recognized on a par with other forensic sciences by the legal and law enforcement communities. As this trend continues, it will become even more important to handle and examine computer evidence properly. Not every department or organization has the resources to have trained computer forensic specialists on staff. History of Computer Forensics Michael Anderson  “Father of computer forensics”  special agent with IRS Meeting in 1988 (Portland, Oregon)  creation of IACIS, the International Association of Computer Investigative Specialists  the first Seized Computer Evidence Recovery Specialists (SCERS) classes held
  • 2.
    NEED FOR COMPUTERFORENSICS Purpose The purpose of computer forensics is mainly due to the wide variety of computer crimes that take place. In the present technological advancements it is common for every organization to employ the services of the computer forensics experts. There are various computer crimes that occur on small scale as well as large scale. The loss caused is dependent upon the sensitivity of the computer data or the information for which the crime has been committed. The computer forensics has become vital in the corporate world. There can be theft of the data from an organization in which case the organization may sustain heavy losses. For this purpose computer forensics are used as they help in tracking the criminal. The need in the present age can be considered as much severe due to the internet advancements and the dependency on the internet. The people that gain access to the computer systems with out proper authorization should be dealt in. The network security is an important issue related to the computer world. The computer forensics is a threat against the wrong doers and the people with the negative mindsets. The computer forensics is also efficient where in the data is stored in a single system for the backup. The data theft and the intentional damage of the data in a single system can also be minimized with the computer forensics. There are hardware and software that employ the security measures in order to track the changes and the updating of the data or the information. The user information is provided in the log files that can be effectively used to produce the evidence in case of any crime a legal manner. The main purpose of the computer forensics is to produce evidence in the court that can lead to the punishment of the actual. The forensic science is actually the process of utilizing the scientific knowledge for the purpose of collection, analysis, and most importantly the presentation of the evidence in the court of law. The word forensic itself means to bring to the court. The need or the importance of the computer forensics is to ensure the integrity of the computer system. The system with some small measures can avoid the cost of operating and maintaining the security. The subject provides in depth knowledge for the understanding of the legal as well as the technical aspects of computer crime. It is very much useful from a technical stand point, view. The importance of computer forensics is evident in tracking the cases of the child pornography and email spamming. The computer forensics has been efficiently used to track down the terrorists from the various parts of the world. The terrorists using the internet as the medium of communication can be tracked down and their plans can be known. There are many tools that can be used in combination with the computer forensics to find out the geographical information and the hide outs of the criminals. The IP address plays an important role to find out the geographical position of the terrorists. The security personnel deploy the effective measures using the computer forensics. The Intrusion Detecting Systems are used for that purpose. Why is Computer Forensics Important? Adding the ability to practice sound computer forensics will help you ensure the overall integrity and survivability of your network infrastructure. You can help your organization if you consider computer forensics as a new basic element in what is known as a “defense-in-depth”1 approach to network and computer security. For instance, understanding the legal and technical aspects of computer forensics will help you capture vital information if your network is compromised and will help you prosecute the case if the intruder is caught. Two basic types of data are collected in computer forensics. (a) Persistent data (b) Volatile data. Computer forensics helps the organization in the following way:-  RECOVER DATA THAT YOU THOUGHT WAS LOST FOREVER:- Computers systems may crash, files may be accidentally deleted, disks may accidentally be reformatted, viruses may corrupt files, file may be accidentally overwritten, and disgruntled employees may try to destroy your files. All of this can lead to loss of your critical data, but computer forensic experts should be able to employ the latest tools and techniques to recover your data.
  • 3.
     ADVICE YOUON HOW TO KEEP YOUR DATA AND INFORMATION SAFE FROM THEFT OR ACCIDENTAL LOSS:- Business today relies on computers. Your sensitive records and trade secrets are vulnerable to intentional attacks from, for e.g. hackers, disgruntled employees, viruses, etc. also unintentional loss of data due to accidental deletion, h/w or s/w crashes are equally threatening. Computer forensic experts can advise you on how to safeguard your data by methods such as encryption and back-up.  EXAMINE A COMPUTER TO FIND OUT WHAT ITS USER HAS BEEN DOING:- Whether you’re looking for evidence in a criminal prosecution, looking for evidence in a civil suit, or determining exactly what an employee has been up to. Your computer forensics expert should be equipped to find and interpret the clues left behind.  SWEEP YOUR OFFICE FOR LISTNENING DEVICES:- There are various micro-miniature recording and transmitting devices available in todays hi-tech world. The computer forensic expert should be equipped to conduct thorough electronic countermeasure (ECM) sweeps of your premises.  HI-TECH INVESTIGATION:- The forensic expert should have the knowledge and the experience to conduct hi-tech investigations involving cellular cloning, cellular subscription fraud, s/w piracy, data or information theft, trade secrets, computer crimes, misuse of computers by employees, or any other technology issue. 2.4 Advantage of Computer Forensics:- The main task or the advantage from the computer forensic is to catch the culprit or the criminal who is involved in the crime related to the computers. Computer Forensics deals extensively to find the evidence in order to prove the crime and the culprit behind it in a court of law. The forensics provides the organization with a support and helps them recover their loss. The important thing and the major advantage regarding the computer forensics is the preservation of the evidence that is collected during the process. The protection of evidence can be considered as critical. The ethicality can be considered as an advantage of the forensics in computer systems. At last the computer forensics has emerged as important part in the disaster recovery management COMPUTER FORENSIC METHODOLOGY Methods Used:- According to many professionals, Computer Forensics is a four (4) step process Acquisition Physically or remotely obtaining possession of the computer, all network mappings from the system, and external physical storage devices. Identification This step involves identifying what data could be recovered and electronically retrieving it by running various Computer Forensic tools and software suites. Evaluation Evaluating the information/data recovered to determine if and how it could be used againthesuspect for employment termination or prosecution in court.
  • 4.
    Presentation This step involvesthe presentation of evidence discovered in a manner which is understood by lawyers, non- technically staff/management, and suitable as evidence as determined by United States and internal laws COMPUTER FORENSIC PROCESS:- As in any investigation, establishing that an incident has occurred is the first key step. Secondly, the incident needs to be evaluated to determine if computer forensics may be required. Generally, if the computer incident resulted in a loss of time or money, or the destruction or compromise of information, it will require the application of computer forensic investigative techniques. When applied, the preservation of evidence is the first rule in the process. Failure to preserve evidence in its original state could jeopardize the entire investigation. Knowledge of how the crime was initiated and committed may be lost for good. Assignment of responsibility may not be possible if evidence is not meticulously and diligently preserved. The level of training and expertise required to execute a forensics task will largely depend on the level of evidence required in the case. If the result of the investigation were limited to administrative actions against an employee, the requirement would be lower than taking the case to court for civil or criminal litigation. Approach to retrieve the evidence:- The following steps should be taken:- Shut Down the Computer Depending upon the computer operating system involved, this usually involves pulling the plug or shutting down a net work computer using relevant operating system commands. At the option of the computer specialists, pictures of the screen image can be taken using a camera. However, consideration should be given to possible destructive processes that may be operating in the background. These can be resident in memory or available through a modem or network connection. Depending upon the operating system involved, a time delayed password protected screen saver may potentially kick in at any moment. This can complicate the shutdown of the computer. Generally, time is of the essence and the computer system should be shut down or powered down as quickly as possible. Transport the Computer System to A Secure Location This may seem basic but all too often seized evidence computers are stored in less than secure locations. It is imperative that the subject computer is treated as evidence and it should be stored out of reach of curious computer users. All too often, individuals operate seized computers without knowing that they are destroying potential computer evidence and the chain of custody. Furthermore, a seized computer left unintended can easily be compromised. Evidence can be planted on it and crucial evidence can be intentionally destroyed. A lack of a proper chain of custody can 'make the day' for a savvy defense attorney. Lacking a proper chain of custody, how can you say that relevant evidence was not planted on the computer after the seizure? The answer is that you cannot. Do not leave the computer unattended unless it is locked in a secure location! NTI provides a program named Seized to law enforcement computer specialists free of charge. It is also made available to NTI's business and government in various suites of software that are available for purchase. The program is simple but very effective in locking the seized computer and warning the computer operator that the computer contains evidence and should not be operated Make Bit Stream Backups of Hard Disks and Floppy Disks The computer should not be operated and computer evidence should not be processed until bit stream backups have been made of all hard disk drives and floppy disks. All evidence processing should be done on a restored copy of the bit stream backup rather than on the original computer. The original evidence should be left untouched unless compelling circumstances exist. Preservation of computer evidence is vitally important. It is fragile and can easily be altered or destroyed. Often such alteration or destruction of data is irreversible. Bit stream backups are much like an insurance policy and they are essential for any serious computer evidence processing. Mathematically Authenticate Data on All Storage Devices You want to be able to prove that you did not alter any of the evidence after the computer came into your possession. Such proof will help you rebut allegations that you changed or altered the original evidence. Since 1989, law
  • 5.
    enforcement and militaryagencies have used a 32 bit mathematical process to do the authentication process. Mathematically, a 32 bit data validation is accurate to approximately one in 4.3 billion. However, given the speed of today's computers and the vast amount of storage capacity on today's computer hard disk drives, this level of accuracy is no longer accurate enough. A 32 bit CRC can easily be compromised. Therefore, NTI includes two programs in its forensic suites of tools that mathematically authenticate data with a high level of accuracy. Large hashing number, provides a mathematical level of accuracy that is beyond question. These programs are used to authenticate data at both a physical level and a logical level. The programs are called CrcMD5 and DiskSig Pro. The latter program was specifically designed to validate a restored bit stream backup and it is made available free of charge to law enforcement computer specialists as part of NTI's Free Law Enforcement Suite. The programs are also included in our various suites of forensic software which are sold NTI's clients. Document the System Date and Time The dates and times associated with computer files can be extremely important from an evidence standpoint. However, the accuracy of the dates and times is just as important. If the system clock is one hour slow because of daylight- saving time, then file time stamps will also reflect the wrong time. To adjust for these inaccuracies, documenting the system date and time settings at the time the computer is taken into evidence is essential. Make a List of Key Search Words Because modern hard disk drives are so voluminous, it is all but impossible for a computer specialist to manually view and evaluate every file on a computer hard disk drive. Therefore, state-of-the-art automated forensic text search tools are needed to help find the relevant evidence. Evaluate the Windows Swap File The Windows swap file is potentially a valuable source of evidence and leads. The evaluation of the swap file can be automated with several of NTI's forensic tools, e.g., NTA Stealth, Filter_N, FNames, Filter_G, GExtract and GetHTML. These intelligent filters automatically identifies patterns of English language text, phone numbers, social security numbers, credit card numbers, Internet E-Mail addresses, Internet web addresses and names of people. REQUIRMENTS AND ANALYSIS The Tools:- The tools developed perform the following functions:  Analysing a hard disk and detecting HPAs, DCOs and bad sectors with a reasonable degree of accuracy  Creating a bit stream image of a hard disk and verifying the copy  Mapping the systems logical partitions and locating hidden data with a reasonable degree of accuracy.  Locating file contained in a file system, recovering deleted file where possible, and recon-structing fragmented files.  Displaying the contents of an encrypted file (where possible) and at least identify that the file is encrypted,  Reconstructing computer events which occurred before a crime was committed.  Detecting the use of steganographic methods, with reasonable accuracy, and extracting the data hidden using those methods.
  • 6.
    5.1.1 Partition Analysis:- Oncean image has been acquired it is then necessary to find and recover deleted (and undeleted) files. However these files will be contained inside a file system so it is obviously necessary to find the file system before this can happen. File systems, on most systems, are contained inside partitions of which there may be several so the first step is to be able to analyse the partitioning formation. This is why the next tool to be developed will be a partition analysis tool. The first, and most obvious, requirement of the partition analysis tool is that it must be able to map the partitions and present the information to the user. However the partition table (for many systems) is contained inside the first sector of the disk, therefore it will be necessary for the tool to know how many bytes are in a sector so that it knows how many bytes to read. This information will have been gathered and stored by the disk imaging tool so the first step of analyzing a partition will be to parse the disk information file to find the information required for the analysis. It will also be necessary to find the size of the disk from this file for use when finding slack space. During a computer forensics investigation every procedure and result must be well documented. The tool should therefore also be able to store the partition information in a log file along with the date and time the analysis was carried out. When presenting the information to the user it might be helpful to display the information in a diagram to make the data easier to understand although this isn't a critical requirement. The tool must be able to detect volume and partition slack, record the location of this slack space and record this information in the appropriate log file along with the reason for identifying it as slack space. This reason would consist of the total size of the partitions in the volume compared to the total size of the volume. There may be occasions when one or more of the partition tables are corrupted and can't be used. The tool should be able to identify that some of the tables are unusable, make a note of which tables are missing, and then recover the partition information using other methods such as searching for known signatures. In the literature review I mentioned that searching for signatures often yields many false results. The tool should make a note of all the results in the appropriate log and then filter out the results which are definitely false, again noting these results in the log along with reasons why they're false. The remaining results which may be positive should be recorded in a log.
  • 7.
    There are manydifferent partitioning systems and MS-DOS is just one example, modern 64-bit systems and some Unix/Linux systems use completely different methods. The system being developed is simply an example system so only be 1 Get Partition Info. The system must be able together the partition information from the specified disk image. This information must include the type and address of each partition the image contained. The gathered data should be displayed to the user if requested and also saved in a specified file. Essential Parse Disk Info Map Partition Analyse slack Write Log File Space Locate Partition Table Analyse Enteries Calculate Total Partition Compare to volume report Size size discrepancies Requirement No. Name Description Type Fig 5.1.Task Hierarchy for the Partition Analysis Tool
  • 8.
    2 Create AnalysisLog. The system should be able to create a log of the analysis highlighting why particular results were obtained. Optional Partition Analysis Tool Requirements File System Analysis:- Now that the file systems have been found the tool should now be able to analyze them and recover files. There may be many file systems and the user may only want to analyze data from one of these file systems. Therefore the first requirement of the tool will be to parse the partition information file created by the partition analysis tool and present the user with a choice of file systems to analyze. The initial requirement for the file system tool is to be able to record the type of file system (i.e. FAT, NTFS etc.) and the directory structure it contains for all current non deleted files. This information should both be stored in the log file and presented to the user. Again it could be helpful if the information was presented to the user in the form of a diagram but this isn't a critical requirement as the user should be able to quite easily understand directory listings. The tool must also record basic file system information such as the number of sectors per cluster, the size of the file system and other file system specific information. The tool must record which clusters are marked as good and which are marked as bad. The bad clusters should be analyzed for possible evidence although this will depend on the kind of information the user is searching for. In other words the tool should include bad sectors in any searches. One problem is that many file systems, such as FAT and NTFS, store files in clusters rather than sectors and it will be necessary to identify these clusters before the files can be recovered. File system generally have data structures which contain this information along with other general file system information such as the date it was created that might be useful to an investigation. It is therefore necessary for the tool to be capable of analyzing the appropriate data structure(s) and presenting the information to a user. Now that the basic file system information is known files containing evidence can be recovered. Whilst there has been some work on creating models for automated analysis of file systems some user interaction is still required. The user must be able to search the directory structure for files with names containing specified keywords or files with contents matching specified keywords. The tool must also provide the option of searching for specific file types which should be located by using both the extension in the file name and the file's signature, although if the values don't match then the signature should be trusted rather than the extension. The details of the search should be noted in the log (i.e. the keywords, the file types searched for, the date and time of the search etc.) along with the results which will contain the file name and directory address. It is necessary to be able to search for files because a typical system could contain hundreds, or thousands, of files which may need to be analyzed in detail to determine if they can be considered as evidence. If an investigator could fully examine a text/pdf file in 30 minutes and the system contained 1000 files, many of which are irrelevant for the investigation, then it would take over 20 days to be able to gather the required evidence. Alternatively searching for files containing certain keywords is more likely to find the relevant files more quickly than manually searching. The tool should be able to find and recover a reasonable amount of hidden data from the file system. It will do this by first identifying possible locations in which data could be hidden and then recording these locations in the log along with reasons why they were identified. One example of this might be when the number of sectors in the file system isn't divisible by the number of sectors per cluster. These locations will also be used during the searches conducted by the user. As the data being analyzed is simply a binary file containing the disk image it will be difficult for the user to view a file's contents by just using this image file. The tool must therefore be capable of extracting the bits from the image which correspond to the file the user wants to view and place them in a file of an appropriate type, e.g. extract the bits of a jpeg image and place them into an empty jpeg file. I have managed to create a program which can place extracted bit into an empty file although it is currently necessary for the user to input the type of the file. The tool must be capable of recovering a reasonable amount of deleted data from the system. The term reasonable is used here as some data cannot be recovered without use of specialist equipment which I won't have access to. The details of the recovered files, including their original directory address, must be stored in the log and be presented to the user. It should be noted that some of the data may have originated from other locations such as slack space or the windows swap file in which case the directory address stored would refer to these locations. The tool must allow the
  • 9.
    user to conductthe same sort of searches as with non-deleted data. It must also identify cases where data wiping software has been used and record the signature of the tool and locations which the tool has wiped. COMPUTER FORENSICS SERVICES There are many different areas of computers where in the services of computer forensics is employed. Most of computer forensics services provide useful services to an organization. It is very much useful in professional environment where the requirement is quite high. Computer forensics services also include investigative assistance. The computer forensics is also important in corporate consulting. Forensic data recovery – FDR is also a part of computer forensics. Incident Response Systems also play a part of computer forensics. The services of computer forensics are availed in private as well as government organizations. The secrecy or the privacy of organization is important in some cases where it is maintained as per expectations. Some of important fields where in the services of computer forensics can be applied include the following. Incident response systems and internal investigations can be done using the computer forensics. Computer forensics is extensively used in criminal as well as civil litigations. There are many laws that provide the support to a computer forensic. Another aspect of computer forensics is the electronic document discovery. Data recovery in itself is a large topic. But sometime it is referred to as a part of computer forensic. Security risk management can also be carried out using the computer forensic tools. The services provided by the computer forensics are the development of the plans to gather the electronic evidence. Computer forensic can be used for its services to support criminal and civil warrants. Also the computer forensics is useful in electronic discovery requests. Even computer forensics investigation is beneficent for the purpose of identification, acquisition, preservation, analysis and reporting of digital evidence. The digital evidence may be from desktop computers, laptops, storage servers, or any type of removable storage devices. The services are also available for dispute resolution and to provide an expert witness testimony. In the event of conducting the audits also its services can be availed. These audits may involve remote or even network analysis. The compliance of proactive reviews as well as risk assessment and even for the investigation of specific allegations the services of computer forensics can be availed. In case of corporate consultations the services provided by the computer forensics professional include the development of in house standards. Also the protection of intellectual property is a major service. The protection of corporate assets is also a service of computer forensics. The consultation of computer forensic can be provided to adhere to the legislation involving federal and provincial privacy. The electronic file retention policies are also a part of consultancy services of computer forensics. Apart from all these services, the computer forensics can be even applied for individual case studies involving personal issues. Even the services of computer forensics can be used for data recovery problems. Intentional misuse of privacy or personal information can be considered as a legal case with the help of computer forensics. APPLICATION OF COMPUTER FORENSICS System forensics is not different from any other forensic science when it comes to application. It can be applied to any activity, where other mainstream traditional forensics such as DNA mapping is used, if there has been an involvement of a system or computer in the event. Some of the common applications of computer forensics are:-  FINANCIAL FRAUD DETECTION:- Corporates and banks can be detect financial frauds with the help of evidence collected from systems. Also, insurance companies can detect possible fraud in accident, arson, and workman’s compensation cases with the help of computer evidence.  CRIMINAL PROSECUTION:- Prosecutors can use computer evidence to establish crimes such as homicides, drug and false record-keeping, financial frauds, and child pornography in the court of law.  CIVIL LITIGATION:- Personal and business records found on the computer systems related to fraud, discrimination, and harassment cases can be used in civil litigations.  “CORPORATE SECURITY POLICY AND ACCEPTABLS USE VIOLATIONS”:-
  • 10.
    A lot ofcomputer forensic work done is to support management and human resources (HR) investigations of employee abuse. Besides cyber crimes and system crimes, criminals use computers for other criminal activities. In such cases, besides the traditional forensics, system forensic investigation also plays a vital role. CONCLUSION With computers becoming more and more involved in our everyday lives, both professionally and socially, there is a need for computer forensics. This field will enable crucial electronic evidence to be found, whether it was lost, deleted, damaged, or hidden, and used to prosecute individuals that believe they have successfully beaten the system. The computer forensic needs and challenges can be accomplished only with the cooperation of the private, public, and international sectors. All stakeholders must be more willing to exchange information on the effect economic and cyber-crime has on them and the methods they are using to detect and prevent it. REFERENCES • www.google.com • www.wikipedia.com www.studymafia.org