Computer Forensic Chapter 9


Computer Forensics Analysis
Chapter 9
Learning Outcome:
Conduct a forensic investigation if your system is compromised.

At the end of this lesson, students are expected to:
01 List the electronic evidence.
02 Analyze the identification of data.
03 Plan the reconstruction of past events.


SUBTOPIC: 01 Discovery of Electronic Evidence.

02 Identification of Data.

03 Reconstructing Past Events.


Electronic Evidence
 Evidence in digital form
 Data recovered from digital devices
 Data relating to digital devices
Characteristics of Electronic Evidence
1 Is easily altered or destroyed
2 Requires special tools and equipment
3 Is invisible (cannot be read without a device to render it)
4 Requires precautions to prevent alteration
5 Requires specialized training
Where is Electronic Evidence?
1 Any kind of storage device: computers, CDs, DVDs, floppy disks, hard drives, thumb drives.
2 Any kind of storage device: digital cameras, memory sticks and memory/SIM cards, PDAs, cellphones and palm computer devices.
3 Evidence in digital form.
4 Fax machines, answering machines, cordless phones, pagers, caller-ID units, scanners, printers and copiers.
Digital Artifact
 A computer system
 A storage medium (hard disk or CD-ROM)
 An electronic document (e.g. an e-mail message or a JPEG image)
 Even a sequence of packets moving over a computer network
An examination of electronic media can reveal the following:
1 Journals, diaries, and logs.
2 Registered ownership and software registration information.
3 Databases, spreadsheets, pictures, and documents.
4 Deleted and hidden files.
5 Internet activity.
An examination of electronic media can reveal the following:
 Communications - user input (e.g., e-mail, chat logs).
 Communications - data transfers (e.g., peer-to-peer (P2P), newsgroups).
 Financial records.
 Data to be used in a timeline analysis.
 Contraband.
Type of Analysis

Video Analysis

Audio Analysis

Picture Analysis
Network Time Protocol (NTP)

01 A protocol of the TCP/IP suite (carried over UDP, port 123) that ensures accurate local timekeeping with reference to radio, atomic, or other clocks located on the Internet.

02 NTP is capable of synchronizing distributed clocks to within milliseconds over long periods of time.

03 Many authentication systems, Kerberos being the most prominent example, use dated tickets to control access to systems and resources, and therefore depend on synchronized clocks.

04 NTP began as a tool that permitted researchers to synchronize workstation clocks to within milliseconds or better.

For the examiner, the point is that every timestamp in a log or file system is only as trustworthy as the clock that wrote it. Record each seized system's clock offset against a trusted time source, and its time zone, before using its timestamps to reconstruct past events.
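The following is an added example (not part of the original slides) of why clock synchronization matters when reconstructing past events from more than one system. The host names, log lines and clock offsets are constructed for illustration; the per-host skew values stand for what an examiner would measure against an NTP reference when the systems are seized.

```python
"""Build a cross-host timeline from constructed log lines, correcting each
host's timestamps for its measured clock skew before ordering the events.
Added example; hosts, log lines and offsets are invented for illustration."""
from datetime import datetime, timedelta, timezone

# Constructed log lines in the form "<host> <local date> <local time> <message>".
LOGS = [
    "web01 2024-03-05 10:00:12 sshd accepted publickey for admin from 10.0.0.9",
    "db01  2024-03-05 09:59:40 mysqld new connection from 10.0.0.21 (web01)",
    "web01 2024-03-05 10:00:20 sudo admin : COMMAND=/usr/bin/mysqldump",
    "db01  2024-03-05 10:02:05 mysqld dump of customers table started",
]

# Clock state recorded at seizure (assumed values): the time zone the host's
# local timestamps are written in, and how many seconds its clock ran ahead (+)
# or behind (-) a trusted NTP reference.
CLOCKS = {
    "web01": {"tz": timezone(timedelta(hours=8)), "skew_s": 0},
    "db01":  {"tz": timezone(timedelta(hours=8)), "skew_s": -125},  # 2 min 05 s behind
}


def parse_line(line):
    """Split one constructed log line into (host, naive local datetime, message)."""
    host, date, clock, msg = line.split(None, 3)
    local = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    return host, local, msg


def to_reference_utc(host, local, correct_skew=True):
    """Attach the host's time zone, undo its measured skew, and convert to UTC.

    A clock that runs 125 s behind the reference stamps an event 125 s too
    early, so the correction adds 125 s (subtracts the negative skew)."""
    info = CLOCKS[host]
    aware = local.replace(tzinfo=info["tz"])
    if correct_skew:
        aware -= timedelta(seconds=info["skew_s"])
    return aware.astimezone(timezone.utc)


def build_timeline(lines, correct_skew=True):
    """Return events as (utc_datetime, host, message), sorted by reference time."""
    events = []
    for line in lines:
        host, local, msg = parse_line(line)
        events.append((to_reference_utc(host, local, correct_skew), host, msg))
    events.sort(key=lambda e: e[0])
    return events


def hosts_in_order(lines, correct_skew=True):
    """Convenience view: just the host sequence of the ordered timeline."""
    return [host for _, host, _ in build_timeline(lines, correct_skew)]


if __name__ == "__main__":
    print("Uncorrected (raw local clocks converted to UTC):")
    for ts, host, msg in build_timeline(LOGS, correct_skew=False):
        print(f"  {ts.isoformat()}  {host:5}  {msg}")
    print("Corrected for measured skew:")
    for ts, host, msg in build_timeline(LOGS):
        print(f"  {ts.isoformat()}  {host:5}  {msg}")
```

Without the correction the database connection appears to happen before the SSH login that caused it; with db01's 125 s lag applied, the sequence login, mysqldump, connection, dump reads in its true order. The same normalization is what makes timestamps from different hosts comparable at all.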
Techniques for Identification of Data

 Using AccessData Forensic Toolkit (FTK) to Analyze Data
 Validating Forensic Data
 Addressing Data-Hiding Techniques
Using AccessData Forensic Toolkit (FTK) to Analyze Data
 FTK can perform forensics analysis
on the following file systems:
 Microsoft FAT12, FAT16, and
FAT32
 Microsoft NTFS (for Windows NT,
2000, XP, and Vista)
 Linux Ext2fs and Ext3fs
Validating Forensic Data
 One of the most critical aspects of computer forensics
 Ensuring the integrity of the data you collect is essential for presenting evidence in court
 Most computer forensics tools provide automated hashing of image files (for example MD5 or SHA-1 digests recorded at acquisition), so the image can be re-hashed later to prove it has not changed
 Computer forensics tools have some limitations in performing hashing, for example when only part of an image or a single block of data needs to be checked
 Learning how to use advanced hexadecimal editors is therefore necessary
Validating with Hexadecimal Editors
 Advanced hex editors can compute a hash over a selected range of bytes as well as over a whole file, so a specific block of data (a sector, a file header, a carved fragment) can be checked against a known hash when the forensics tool only hashes the complete image.
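As an added example (not code from the original slides), the script below does what the two preceding topics describe: it records acquisition hashes for an image, re-verifies the image before analysis, shows that a single flipped byte is detected, and hashes a selected byte range the way a hex editor would. The "image" is a constructed byte string standing in for a disk image file, and the offsets are arbitrary.

```python
"""Validate a forensic image by hashing: whole-image verification against the
acquisition record, plus hashing of a selected byte range as a hex editor does.
Added example; IMAGE is a constructed stand-in for a disk image, not evidence."""
import hashlib

# Constructed stand-in for an acquired image: a FAT-style jump instruction and
# OEM name, some padding, and a recognizable data string (51 bytes in total).
IMAGE = (b"\xeb\x3c\x90MSDOS5.0"
         + b"\x00" * 8
         + b"FORENSICS-CH9-SAMPLE-DATA"
         + b"\x00" * 7)


def hash_bytes(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of `data` under any hashlib algorithm name (md5, sha1, sha256)."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def hash_range(data: bytes, offset: int, length: int, algorithm: str = "sha256") -> str:
    """Hash only bytes [offset, offset + length), like selecting a block in a hex editor."""
    if offset < 0 or length < 0 or offset + length > len(data):
        raise ValueError("requested range lies outside the image")
    return hash_bytes(data[offset:offset + length], algorithm)


def acquisition_record(data: bytes) -> dict:
    """What the imaging tool writes down at acquisition: MD5 and SHA-256 of the image."""
    return {"md5": hash_bytes(data, "md5"), "sha256": hash_bytes(data, "sha256")}


def verify_image(data: bytes, expected: dict) -> dict:
    """Re-hash the image and compare with each recorded digest.

    Returns {algorithm: matched} so a mismatch is reported per algorithm; a
    recorded digest is compared case-insensitively because tools differ."""
    return {alg: hash_bytes(data, alg) == digest.lower() for alg, digest in expected.items()}


def tamper(data: bytes, offset: int) -> bytes:
    """Return a copy of `data` with one bit flipped at `offset` (to demonstrate detection)."""
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    record = acquisition_record(IMAGE)
    print("acquisition record:", record)
    print("untouched image verifies:", verify_image(IMAGE, record))
    print("one flipped bit verifies:", verify_image(tamper(IMAGE, 20), record))
    # Hash just the 3-byte jump instruction at offset 0, as a hex editor selection.
    print("hash of bytes 0..2:", hash_range(IMAGE, 0, 3))
```

Recording more than one digest at acquisition costs nothing and means the evidence can still be verified later even if one algorithm falls out of favour; the verification step is the same re-hash-and-compare whichever algorithm the record used.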
Data Hiding Technique
Data hiding involves changing or manipulating a file to conceal information. Data-hiding techniques include hiding entire partitions, changing file extensions, setting file attributes to hidden, bit-shifting, using encryption, and setting up password protection.
Examples of Data-Hiding Techniques

Hiding Partitions

Marking Bad Clusters


Using Steganography to
Hide Data

Examining Encrypted Files

Bit-Shifting
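The following added example (not part of the original slides) shows two of the techniques listed above from the examiner's side: a file whose extension has been changed is identified by its signature bytes rather than its name, and a bit-shifted file is recovered by trying each possible shift until a known signature appears. The sample files and the small signature table are constructed for the example; the shift is implemented as a bit rotation so that no bits are lost and the original is recoverable.

```python
"""Counter two data-hiding techniques: changed file extensions and bit-shifting.
Added example; SAMPLE_* files and the SIGNATURES table are constructed."""
from __future__ import annotations

# Leading signature bytes (magic numbers) of a few common formats. Deliberately
# a small subset; a real tool carries hundreds of signatures and offsets.
SIGNATURES: dict[bytes, str] = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",   # also the container for docx/xlsx/jar
    b"MZ": "exe",
}

# Constructed sample contents: the first bytes of a JPEG (JFIF) and a PNG file.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR\x00\x00\x00\x01\x00\x00\x00\x01"


def identify_by_signature(data: bytes) -> str | None:
    """Format implied by the leading bytes, or None if no known signature matches."""
    for magic, fmt in SIGNATURES.items():
        if data.startswith(magic):
            return fmt
    return None


def extension_mismatch(name: str, data: bytes) -> tuple[str, str | None, bool]:
    """Compare the extension a file claims with what its content says it is.

    Returns (claimed_extension, detected_format, suspicious). Unknown content is
    not flagged: absence from the table is not evidence of hiding."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    detected = identify_by_signature(data)
    return ext, detected, detected is not None and detected != ext


def bit_shift(data: bytes, n: int) -> bytes:
    """Rotate every byte left by n bits (1-7) to hide its signature.

    A rotation rather than a plain shift (this example's choice) so the bits
    that leave one end re-enter at the other and nothing is destroyed."""
    n %= 8
    if n == 0:
        return bytes(data)
    return bytes(((b << n) | (b >> (8 - n))) & 0xFF for b in data)


def bit_unshift(data: bytes, n: int) -> bytes:
    """Undo bit_shift(data, n): rotating left by 8 - n is rotating right by n."""
    return bit_shift(data, (8 - n) % 8)


def unshift_candidates(data: bytes) -> list[tuple[int, str]]:
    """Try every possible shift count on unrecognized data and report the shifts
    under which the content takes on a known signature."""
    hits = []
    for n in range(1, 8):
        fmt = identify_by_signature(bit_unshift(data, n))
        if fmt:
            hits.append((n, fmt))
    return hits


if __name__ == "__main__":
    # Technique 1: a JPEG renamed to look like a text file.
    print("holiday.txt ->", extension_mismatch("holiday.txt", SAMPLE_JPEG))
    print("logo.png    ->", extension_mismatch("logo.png", SAMPLE_PNG))
    # Technique 2: the same JPEG bit-shifted by 3 so no signature matches.
    hidden = bit_shift(SAMPLE_JPEG, 3)
    print("hidden identifies as:", identify_by_signature(hidden))
    print("candidate shifts:", unshift_candidates(hidden))
    print("recovered:", bit_unshift(hidden, 3) == SAMPLE_JPEG)
```

Signature analysis is the standard answer to renamed files and is what FTK and similar tools report as a "file signature mismatch"; the brute-force unshift works because there are only seven non-trivial shift counts per byte, so every one can be tried against the signature table.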
Software for Digital Evidence

 Data Dump (dd)

 DCode
Case Studies
A CFS team (CFST) arrived at a company site to collect computer evidence from a server. The company was not the perpetrator of the investigated crime but apparently did possess important evidence that resided on a mission-critical server that could not be taken offline. What did the CFST do to collect the key evidence and solve this problem?

 The following is a partial solution to aid the CFS in coming up with his or her own solution to this case.
 The CFST successfully used a computer forensics tool to preview the server and collect key evidence without disrupting operations.
 Without the computer forensics tool, the CFST would have either walked away from the scene empty-handed or performed a highly invasive and incomplete investigation by making logical file copies of active data.
Thank You
Work Hard, Dream Big
