
Computer Forensics

BY
B. Brahmani, IT III/IV        K. Ahalya, IT III/IV
Email: brahmani09@gmail.com   Contact: 9963072821
Email: 01ahalya@gmail.com

GUDLAVALLERU ENGINEERING COLLEGE, GUDLAVALLERU-521356, KRISHNA DIST, ANDHRA PRADESH

Abstract
In today's day and age, there is no such thing as 100% secure. With the stroke of a key, the bad guys can erase all of their data and hide their tracks when using computers for not-so-legal purposes. Or can they? Just because you hit the delete key doesn't mean that the evidence is gone. Today, there is a growing demand for computer forensics professionals to aid in the fight against those who would use the very technology we depend on against us. We see the evidence every day: identity theft, viruses, malware, computer intrusion and more. But what about the things we don't think or hear about? The emails, the downloaded programs, or even the corporate espionage that we only used to read about. What about threats such as the latest and greatest viruses that attack our cell phones, PDAs and so on? Law enforcement is in a perpetual race with criminals in the application of digital technologies, and that race requires the development of tools to systematically search digital devices for pertinent evidence. Another part of this race, and perhaps the more crucial one, is the development of a methodology in digital forensics that encompasses the forensic analysis of all genres of digital crime scene investigations. This paper explores the development of computer forensics, its basics, anti-forensics and computer forensics tools.

Introduction

The field of computer forensics is relatively young. In the early days of computing, courts considered evidence from computers to be no different from any other kind of evidence. As computers became more advanced and sophisticated, opinion shifted: the courts learned that computer evidence was easy to corrupt, destroy or change.

Investigators realized that there was a need to develop specific tools and processes to search computers for evidence without affecting the information itself. Detectives partnered with computer scientists to discuss the appropriate procedures and tools they would need to retrieve evidence from a computer. Gradually, they developed the procedures that now make up the field of computer forensics.

Usually, detectives have to secure a warrant to search a suspect's computer for evidence. The warrant must state where detectives can search and what sort of evidence they can look for. In other words, a detective can't just serve a warrant and look wherever he or she likes for anything suspicious. In addition, the warrant's terms can't be too general; most judges require detectives to be as specific as possible when requesting a warrant.

Every computer investigation is somewhat unique. Some investigations might only require a week to complete, but others could take months. Here are some factors that can affect the length of an investigation:

- The expertise of the detectives
- The number of computers being searched
- The amount of storage detectives must sort through
- Whether the suspect attempted to hide or delete information
- The presence of encrypted files or files that are protected by passwords

Phases of a Computer Forensics Investigation

Judd Robbins, a computer scientist and leading expert in computer forensics, lists the following steps investigators should follow to retrieve computer evidence:

1. Secure the computer system to ensure that the equipment and data are safe.
2. Find every file on the computer system, including files that are encrypted, protected by passwords, hidden, or deleted but not yet overwritten.
3. Recover as much deleted information as possible using applications that can detect and retrieve deleted data.
4. Reveal the contents of all hidden files with programs designed to detect the presence of hidden data.
5. Decrypt and access protected files.
6. Analyze special areas of the computer's disks, including parts that are normally inaccessible.
7. Document every step of the procedure.
8. Be prepared to testify in court as an expert witness in computer forensics.

All of these steps are important, but the first step is critical. If investigators can't prove that they secured the computer system, the evidence they find may not be admissible. In practice, steps 2 through 6 are carried out on a verified copy of the media rather than on the original, so that the analysis itself cannot alter the evidence. Securing the system is also a big job. In the early days of computing, the system might have included a PC and a few floppy disks. Today, it could include multiple computers, disks, thumb drives, external drives, peripherals and Web servers.
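As an added example of what steps 2 and 3 mean in practice (this is not the paper's code and not a real forensic tool): the script below builds a small, constructed disk image in memory with a one-sector "directory" of invented format, "deletes" a file by removing only its directory entry, and then recovers it by scanning the raw sectors for file-type signatures, which is the same idea signature-based carvers such as foremost or scalpel use with far larger signature tables. The SIGNATURES table, the directory layout, the sector size and the sample files are all assumptions of the example.

```python
"""Toy signature-based file carving over a constructed raw disk image.

Added example, not from the paper. Everything here (directory format,
sector size, sample files, signature table) is constructed for the demo.
"""
import re
from typing import Dict, List

# Header and footer signatures the carver understands. Real carvers carry
# hundreds of entries; two are enough to show the technique.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}
SECTOR = 512  # assumed sector size


def build_image() -> bytes:
    """Construct a 3-sector image: one directory sector, then one data sector
    per file. Directory entries are 'name,start_sector,length;' (invented)."""
    png = SIGNATURES["png"][0] + b"fake png payload" + SIGNATURES["png"][1]
    jpg = SIGNATURES["jpg"][0] + b"\xe0fake jpeg payload" + SIGNATURES["jpg"][1]
    directory = b"photo.png,1,%d;scan.jpg,2,%d;" % (len(png), len(jpg))
    return (directory.ljust(SECTOR, b"\x00")
            + png.ljust(SECTOR, b"\x00")
            + jpg.ljust(SECTOR, b"\x00"))


def list_directory(image: bytes) -> List[str]:
    """What a normal file listing shows: only files the directory still names."""
    entries = image[:SECTOR].rstrip(b"\x00").split(b";")
    return [e.split(b",")[0].decode() for e in entries if e]


def delete_file(image: bytes, name: str) -> bytes:
    """Simulate deletion the way most file systems do it: drop the directory
    entry and leave the data sectors exactly as they were."""
    keep = [e for e in image[:SECTOR].rstrip(b"\x00").split(b";")
            if e and not e.startswith(name.encode() + b",")]
    directory = b"".join(e + b";" for e in keep)
    return directory.ljust(SECTOR, b"\x00") + image[SECTOR:]


def carve(image: bytes) -> List[Dict]:
    """Recover files by header/footer signature, ignoring the directory
    entirely. A header with no footer (truncated or partly overwritten
    file) is skipped rather than guessed at."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        for m in re.finditer(re.escape(head), image):
            start = m.start()
            end = image.find(tail, start + len(head))
            if end == -1:
                continue
            end += len(tail)
            found.append({"type": kind, "offset": start,
                          "length": end - start, "data": image[start:end]})
    return sorted(found, key=lambda f: f["offset"])


if __name__ == "__main__":
    img = build_image()
    print("before delete:", list_directory(img))
    img = delete_file(img, "photo.png")
    print("after delete: ", list_directory(img))
    for f in carve(img):
        print(f"carved {f['type']} at offset {f['offset']}, {f['length']} bytes")
```

Carving always runs against a copy of the media (see the hashing and imaging tools later in the paper), since the scan itself must not touch the original; and because it ignores the file system, it also surfaces fragments of files that were partly overwritten, which the examiner must then judge on their own merits.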

Some criminals have found ways to make it even more difficult for investigators to find information on their systems. They use programs and applications known as anti-forensics. Detectives have to be aware of these programs and how to disable them if they want to access the information in computer systems.

Anti-Forensics

Anti-forensics can be a computer investigator's worst nightmare. Programmers design anti-forensic tools to make it hard or impossible to retrieve information during an investigation. Essentially, anti-forensics refers to any technique, gadget or software designed to hamper a computer investigation.

There are dozens of ways people can hide information. Some programs can fool computers by changing the information in files' headers. A file header is normally invisible to humans, but it's extremely important: it tells the computer what kind of file the header is attached to. Some programs let you change the information in the header so that the computer thinks it's a different kind of file. Detectives looking for a specific file format could skip over important evidence because it looked like it wasn't relevant, which is why forensic tools identify files by their content signature rather than by name or extension.

It's also possible to hide one file inside another. Executable files, the files that computers recognize as programs, are particularly problematic. Programs called packers can insert executable files into other kinds of files, while tools called binders can bind multiple executable files together.

Encryption is another way to hide data. When you encrypt data, you use a complex set of rules called an algorithm to make the data unreadable. Without the key, detectives have to use computer programs designed to crack the encryption. The more sophisticated the algorithm, the longer it will take to decrypt the data without a key. In practice the algorithm itself is rarely the weak point: password guessing, keys left in memory or on disk, and unencrypted copies of the same data are what usually yield results.

Other anti-forensic tools can change the metadata attached to files. Metadata includes information like when a file was created or last altered. Normally the operating system maintains these values itself, but there are programs that let a person set them to anything. Imagine examining a file's metadata and discovering that it says the file won't exist for another three years and was last accessed a century ago. If the metadata is compromised, it becomes more difficult to present the evidence as reliable.

Some computer applications will erase data if an unauthorized user tries to access the system. Some programmers have examined how computer forensics programs work and have tried to create applications that either block or attack those programs themselves. If computer forensics specialists come up against such a criminal, they have to use caution and ingenuity to retrieve data. A few people use anti-forensics to demonstrate how vulnerable and unreliable computer data can be.
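An added example (not from the paper) of how an examiner counters two of the tricks just described, a file whose extension lies about its contents and timestamps that cannot be true: identify the type from the leading bytes rather than the name, and check the created, modified and accessed times against each other and against the clock. The MAGIC table, the sample files, their timestamps and the DEMO_NOW clock value are all constructed for the demonstration.

```python
"""Content-versus-extension and timestamp sanity checks.

Added example, not the paper's code. The magic table is a small assumption
(real tools such as libmagic carry thousands of signatures); the sample
files and clock value are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import List, Optional

MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
    b"MZ": "exe",
}
ALIASES = {"jpeg": "jpg"}  # extensions that legitimately map to the same type
DEMO_NOW = datetime(2010, 1, 1, tzinfo=timezone.utc)  # constructed "current time"


def sniff_type(data: bytes) -> Optional[str]:
    """Identify a file by its leading bytes, ignoring the name entirely."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def check_file(name: str, data: bytes, created: datetime, modified: datetime,
               accessed: datetime, now: datetime) -> List[str]:
    """Return the findings for one file; an empty list means nothing odd."""
    findings = []
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    ext = ALIASES.get(ext, ext)
    actual = sniff_type(data)
    if actual is not None and actual != ext:
        findings.append(f"{name}: extension .{ext} but content is {actual}")
    # Nothing can be created after now, modified before it existed, or
    # accessed before it existed; any of these means the metadata was set by hand.
    if created > now:
        findings.append(f"{name}: created in the future ({created.date()})")
    if modified < created:
        findings.append(f"{name}: modified before it was created")
    if accessed < created:
        findings.append(f"{name}: accessed before it was created ({accessed.date()})")
    return findings


def sample_files(now: datetime):
    """Constructed evidence set: an honest PDF, an executable renamed to .txt,
    and a JPEG with the 'three years from now / a century ago' timestamps."""
    year = timedelta(days=365)
    return [
        ("report.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
         now - 2 * year, now - year, now - timedelta(days=30)),
        ("notes.txt", b"MZ\x90\x00\x03\x00" + bytes(58),
         now - year, now - year, now - year),
        ("diary.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF",
         now + 3 * year, now + 3 * year, now - 100 * year),
    ]


def audit(now: datetime = DEMO_NOW) -> dict:
    """Run check_file over the sample set; maps file name to its findings."""
    return {name: check_file(name, data, c, m, a, now)
            for name, data, c, m, a in sample_files(now)}


if __name__ == "__main__":
    for name, findings in audit().items():
        print(name, "->", findings or "no findings")
```

The timestamp checks only prove that the metadata was altered, not when or by whom; on a real system the examiner would corroborate against sources the tampering tool does not touch, such as file-system journal entries or backups.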

Standards of Computer Evidence

In the United States, the rules for seizing and using computer evidence are extensive. The U.S. Department of Justice has a manual titled "Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations." The document explains when investigators are allowed to include computers in a search, what kind of information is admissible, how the rules of hearsay apply to computer information, and guidelines for conducting a search. If the investigators believe the computer system is only acting as a storage device, they usually aren't allowed to seize the hardware itself. This limits any evidence investigation to the field. On the other hand, if the investigators believe the hardware itself is evidence, they can seize the hardware and bring it to another location. For example, if the computer is stolen property, then the investigators could seize the hardware.

In order to use evidence from a computer system in court, the prosecution must authenticate the evidence. That is, the prosecution must be able to prove that the information presented as evidence came from the suspect's computer and that it remains unaltered. Another consideration the courts take into account with computer evidence is hearsay. Hearsay is a term referring to statements made outside of a court of law. In most cases, courts can't allow hearsay as evidence. The courts have determined that information on a computer does not constitute hearsay in most cases, and is therefore admissible. Courts determine this on a case-by-case basis.

Computer Forensics Tools

Programmers have created many computer forensics applications. For many police departments, the choice of tools depends on department budgets and available expertise. Here are a few computer forensics programs and devices that make computer investigations possible:

- Disk imaging software records the structure and contents of a hard drive.
- Software or hardware write-blocking tools copy and reconstruct hard drives bit by bit; a hardware write blocker sits between the drive and the workstation and refuses every write, so the original cannot be altered during copying.
- Hashing tools compare original hard disks to copies.
- Investigators use file recovery programs to search for and restore deleted data.
- There are several programs designed to preserve the information in a computer's random access memory (RAM).
- Analysis software sifts through all the information on a hard drive, looking for specific content.
- Encryption decoding software and password cracking software are useful for accessing protected data.

These tools are only useful as long as investigators follow the right procedures. Otherwise, a good defense lawyer could suggest that any evidence gathered in the computer investigation isn't reliable. Of course, a few anti-forensics experts argue that no computer evidence is completely reliable. Whether courts continue to accept computer evidence as reliable remains to be seen. Anti-forensics experts argue that it's only a matter of time before someone proves in a court of law that manipulating computer data without being detected is both possible and plausible. If that's the case, courts may have a hard time justifying the inclusion of computer evidence in a trial or investigation.

Advantages

Ability to search through a massive amount of data:
o Quickly
o Thoroughly
o In any language
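An added example, not the paper's code and not any vendor's tool, of what the hashing tools in the list above do. One SHA-256 over the whole image is the value written on the evidence log at acquisition time and re-checked before analysis and again in court; per-sector hashes additionally say where a copy diverges, which matters when deciding whether an acquisition must be redone. The "drive" is a constructed, deterministically pseudo-random byte string and the 512-byte sector size is an assumption.

```python
"""Hash verification of a forensic disk image.

Added example, not from the paper. The drive contents are constructed;
a real acquisition reads the device through a write blocker.
"""
import hashlib
import random
from typing import List, Tuple

SECTOR = 512  # assumed sector size


def image_hash(data: bytes) -> str:
    """Whole-image SHA-256: the value recorded in the chain of custody."""
    return hashlib.sha256(data).hexdigest()


def sector_hashes(data: bytes, sector: int = SECTOR) -> List[str]:
    """One hash per sector, so a mismatch can be localised, not just detected."""
    return [hashlib.sha256(data[i:i + sector]).hexdigest()
            for i in range(0, len(data), sector)]


def verify_copy(original: bytes, copy: bytes) -> Tuple[bool, List[int]]:
    """Return (is_exact_copy, differing_sector_numbers). A truncated copy
    reports every sector that is missing from it."""
    if image_hash(original) == image_hash(copy):
        return True, []
    orig_s, copy_s = sector_hashes(original), sector_hashes(copy)
    n = max(len(orig_s), len(copy_s))
    bad = [i for i in range(n)
           if i >= len(orig_s) or i >= len(copy_s) or orig_s[i] != copy_s[i]]
    return False, bad


def make_drive(sectors: int = 8, seed: int = 1) -> bytes:
    """Constructed 'drive': deterministic pseudo-random content, so the
    example reproduces exactly on every run."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(sectors * SECTOR))


def tamper(data: bytes, offset: int) -> bytes:
    """Flip one bit at the given offset: the smallest change a faulty copy
    or an anti-forensic edit could introduce. The whole-image hash still changes."""
    b = bytearray(data)
    b[offset] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    drive = make_drive()
    print("acquisition hash:", image_hash(drive))
    print("exact copy:      ", verify_copy(drive, bytes(drive)))
    print("one bit flipped: ", verify_copy(drive, tamper(drive, 5 * SECTOR + 17)))
    print("truncated copy:  ", verify_copy(drive, drive[:6 * SECTOR]))
```

Older procedures recorded MD5 or SHA-1; both still detect accidental damage, but SHA-256 is preferred today because collisions for MD5 and SHA-1 can be manufactured, which is exactly the argument a defence expert would raise.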

Conclusion

The purpose of computer forensics techniques is to search, preserve and analyze information on computer systems to find potential evidence for a trial. Many of the techniques detectives use in crime scene investigations have digital counterparts, but there are also some unique aspects to computer investigations. Each year, there is an increase in the number of digital crimes worldwide. As technology evolves, software changes, and users become digitally savvy, the crimes they commit are becoming more sophisticated. Law enforcement is in a perpetual race with these criminals to ensure that the playing field remains level.

Part of this race includes developing tools that have the ability to systematically search digital devices for pertinent evidence. Another part of this race, and perhaps the more crucial one, is the development of a methodology in digital forensics that encompasses the forensic analysis of all genres of digital crime scene investigations. Thus, through computer forensics we can trace the criminals and punish them according to the law, and it provides security to computers and their data.

