Introduction to Computer

Forensics
WHAT IS COMPUTER FORENSICS?
• Computer forensics is the process of methodically
examining computer media (hard disks, diskettes,
tapes, etc.) for evidence. In other words, computer
forensics is the collection, preservation, analysis,
and presentation of computer-related evidence.
• Computer forensics also referred to as computer
forensic analysis, electronic discovery, electronic
evidence discovery, digital discovery, data recovery,
data discovery, computer analysis, and computer
examination.
• Computer evidence can be useful in criminal cases,
civil disputes, and human resources/employment
proceedings.
Cyber crime: any illegal act that involves a
computer, its systems, or its applications.

Enterprise theory of investigation (ETI): a

methodology of investigating criminal activity
that uses a holistic approach and looks at any
criminal activity as a piece of criminal operation
rather than as a single criminal act.
• Forensic investigator: an investigator who helps
organizations and law enforcement agencies in
investigating cyber crimes and prosecuting the
perpetrators of those crimes
• Forensic readiness: an organization’s ability to
make optimal use of digital evidence in a limited
period of time and with minimal investigation
costs; the technical and nontechnical actions that
maximize an organization’s capability to use
digital evidence
• Forensic science: the application of physical
sciences to law in the search for truth in civil,
criminal, and social behavioral matters for the
purpose of ensuring injustice shall not be
done to any member of society
 Case Example
• Jacob was the vice president of sales for a software
giant located in Canada. He was responsible for the
growth of the software service sector of his company.
He had a team of specialists assisting him in several
assignments and signing deals across the globe.
• Rachel was a new recruit to Jacob’s specialist team.
She handled client relations for the software giant.
• Rachel accused Jacob of demanding some sensual
favors in return for her annual performance raise. She
claimed that Jacob sent a vulgar e-mail in which he
made an indecent proposal for the favor if she agreed
to his terms.
• Rachel lodged a complaint against Jacob at the
district police department and served a copy of the
complaint to the management of the software
giant. If found guilty, Jacob will face the possibility
of losing his job and reputation, and could have
faced up to 3 years of imprisonment as well as a
fine of $15,000.
• The company management team called Ross, a
computer forensic investigator, to determine the
truth. Ross searched for e-mails on Rachel’s system
and found incriminating e-mail from Jacob.
• Jacob hired an attorney to defend him against the
complaint Rachel lodged. Ross produced the evidence
before the court of law.
• James, Jacob’s attorney, challenged the evidence Ross
had collected. James proved that Ross did not follow
chain of custody, and in turn, tampered with the
evidence. The court rejected Rachel’s case and issued a
warning to Ross for tampering with the evidence.
• Jacob resigned from his post, even though the
allegations were proved false, and started his own
software service company.
 Evolution of Computer Forensics
•1888: Francis Galton made the first-ever
recorded study of fingerprints to catch potential
criminals in crimes such as murders.
• 1893: Hans Gross was the first person to apply
science to a criminal investigation.
• 1910: Albert Osborn became the first person to
develop the essential features of documenting
evidence during the examination process.
• 1915: Leone Lattes was the first person to use
blood groupings to connect criminals to a crime.
• 1925: Calvin Goddard became the first person to
make use of firearms and bullet comparisons for
solving many pending court cases.
• 1932: The Federal Bureau of Investigation (FBI) set
up a laboratory to provide forensic services to all
field agents and other law authorities.
• 1984: The Computer Analysis and Response Team
(CART) was developed to provide support to FBI
field officers searching for computer evidence.
• 1993: The first international conference on
computer evidence was held in the United States.
• 1995: The International Organization on Computer Evidence (IOCE)
was formed to provide a forum to global law enforcement
agencies for exchanging information regarding cyber crime
investigations and other issues associated with computer
forensics.
• 1998: The International Forensic Science Symposium was formed
to provide a forum for forensic managers and to exchange
information.
• 2000: The first FBI Regional Computer Forensic Laboratory (RCFL)
was established for the examination of digital evidence in support
of criminal investigations such as identity theft, hacking, computer
viruses, terrorism, investment fraud, cyber stalking, drug
trafficking, phishing/spoofing, wrongful programming, credit card
fraud, online auction fraud, e-mail bombing and spam, and
property crime.
• In 2002, Scientific Working Group on Digital Evidence
(SWGDE) published the first book about digital
forensic called "Best practices for Computer
Forensics".
• In 2010, Simson Garfinkel identified issues facing
digital investigations.
To effectively combat cyber crime the following subject
matter:
1.Computer crime
2.The computer forensic objective
3.The computer forensic priority
4.The accuracy versus speed conflict
5.The need for computer forensics
6.The double tier approach
7.Requirements for the double tier approach
8.The computer forensics specialist
1. Computer Crime
• Computer crime is any criminal offense, activity or issue
that involves computers
• Computer misuse may tends to fall into two categories:
– Computer is used to commit a crime
– Computer itself is a target of a crime. Computer is the victim.
Computer Security Incident.
• Computer Incident Response.
Computer is Used to Commit a Crime
• Computer is used in illegal activities like threatening
letters, e-mail spam or harassment, extortion, fraud and
theft of intellectual property, embezzlement – all these
crimes leave digital tracks.
– Investigation into these types of crimes include searching
computers that are suspected of being involved in illegal
activities
– Analysis of gigabytes of data looking for specific keywords,
examining log files to see what happened at certain times
Computer Security Incident
• Unauthorized or unlawful intrusions into computing
systems.
• Scanning a system - the systematic probing of ports to
see which ones are open.
• Denial–of–Service (DoS) attack - any attack designed
to disrupt the ability of authorized users to access data.
• Malicious Code – any program or procedure that makes
unauthorized modifications or triggers unauthorized
actions (virus, worm, Trojan horse).
Computer Incident Response
• It is a structured methodology for handling security incidents,
breaches, and cyber threats. A well-defined incident response plan
allows you to effectively identify, minimize the damage, and reduce
the cost of a cyber attack, while finding and fixing the cause to
prevent future attacks.
Steps to take after a cyber crime event occurs
• Preparation – Planning in advance how to handle and prevent
security incidents
• Detection and Analysis – Encompasses everything from monitoring
potential attack vectors, to looking for signs of an incident, to
prioritization
• Containment, Eradication, and Recovery – Developing a
containment strategy, identifying and mitigating the hosts and
systems under attack, and having a plan for recovery
• Post-Incident Activity – Reviewing lessons learned and having a
plan for evidence retention.
2. The Computer Forensic Objective

• It is to recover, analyze, and present computer-based material

in such a way that it is useable as evidence in a court of law.

• The key phrase here is useable as evidence in a court of law. It

is essential that none of the equipment or procedures used
during the examination of the computer obviate this.
3. The Computer Forensic Priority

• Computer forensics is concerned primarily with forensic

procedures, rules of evidence, and legal processes. It is only
secondarily concerned with computers.
• Therefore, in contrast to all other areas of computing, where
speed is the main concern, in computer forensics the absolute
priority is accuracy. One talks of completing work as efficiently
as possible, that is, as fast as possible without sacrificing
accuracy.
4. Accuracy Versus Speed
• In this seemingly frenetic world where the precious
resource of time is usually at a premium, pressure is
heaped upon you to work as fast as possible. Working
under such pressure to achieve deadlines may induce
people to take shortcuts in order to save time.
• In computer forensics, as in any branch of forensic
science, the emphasis must be on evidential integrity
and security. In observing this priority, every forensic
practitioner must adhere to stringent guidelines. Such
guidelines do not encompass the taking of shortcuts,
and the forensic practitioner accepts that the precious
resource of time must be expended in order to maintain
the highest standards of work.
5. The need for computer forensics
Computer forensics is important because it can save
your organization money. From a technical
standpoint, the main goal of computer forensics is to
identify, collect, preserve, and analyze data in a way
that preserves the integrity of the evidence collected
so that it can be used effectively in solving a case.
6. The double tier approach
• In the double tier approach it is assumed that 95% of the work will be
routine and will be performed by non-technical personnel under
supervision. The scarce and expensive technical personnel will be utilized to
supervise routine task performance and to complete complex tasks.
• The non-technical personnel are referred to as trainee forensic analysts.
They are the people who do not have technical qualifications but they do
have knowledge of computers, enthusiasm and seek to develop a career.
They can be recruited by way of an internship program that will provide
them with three years training resulting in certification, by the employer, as
a qualified forensic analyst.
• Within the double tier approach, the forensic analyst will perform the
routine non-technical tasks such as seizing, copying and reconstructing
computer hard drives, running searches, examining hits and printing
evidence. All of this will be undertaken under the supervision of the
technical staff who will liase with clients, write reports, appear as expert
witnesses and solve the complex problems found in the more difficult
investigations.
7. Requirements for the double tier approach
In order for a double tier approach to work it is necessary to have:
• A defined methodology
• Detailed and standardized operating procedures
• Efficient and practical equipment.

Criteria for equipment must be:

* Simple to use
* Quick to learn
* Totally reliable
* Robust and durable
* Legally acceptable
* Operable under standard procedures.
8. The Computer Forensics Specialist
A computer forensics specialist is responsible for doing computer
forensics, take several careful steps to identify and attempt to retrieve
possible evidence that may exist on a subject computer system:
1. Protect the subject computer system during the forensic examination
from any possible alteration, damage, data corruption, or virus
introduction.
2. Discover all files on the subject system. This includes existing normal
files, deleted yet remaining files, hidden files, password-protected files,
and encrypted files.
3. Recover all (or as much as possible) of discovered deleted files.
4. Reveal (to the extent possible) the contents of hidden files as well as
temporary or swap files used by both the application programs and the
operating system.
5. Accesses (if possible and if legally appropriate) the contents of
protected or encrypted files.
8. The Computer Forensics Specialist (Cont...)

6. Analyze all possibly relevant data found in special (and typically inaccessible)
areas of a disk.
7. Print out an overall analysis of the subject computer system, as well as a
listing of all possibly relevant files and discovered file data. Further, provide
an opinion of the system layout; the file structures discovered; any
discovered data and authorship information; any attempts to hide, delete,
protect, or encrypt information; and anything else that has been discovered
and appears to be relevant to the overall computer system examination.
8. Provide expert consultation and/or testimony, as required.
 Who Can Use Computer Forensic Evidence?
Many types of criminal and civil proceedings can and do make use of evidence revealed by
computer forensics specialists.

• Criminal Prosecutors use computer evidence in a variety of crimes where incriminating

documents can be found: homicides, financial fraud, drug and embezzlement record-
keeping.
• Civil litigations can readily make use of personal and business records found on computer
systems that bear on fraud, divorce, discrimination, and harassment cases. Insurance
companies may be able to mitigate costs by using discovered computer evidence of possible
fraud in accident and workman’s compensation cases.
• Corporations often hire computer forensics specialists to find evidence relating to
embezzlement, theft or misappropriation of trade secrets, other internal / confidential
information.
• Law enforcement officials frequently require assistance in pre-search warrant preparations
and post-seizure handling of the computer equipment.
• Individuals sometimes hire computer forensics specialists in support of possible claims of
wrongful termination, sensual issues, or age discrimination.
 USE OF COMPUTER FORENSICS IN
LAW ENFORCEMENT
Computer forensics assists in Law Enforcement. This can include:
• Recovering deleted files such as documents, graphics, and photos.
• Searching unallocated space on the hard drive, places where an
abundance of data often resides.
• Tracing artifacts, those tidbits of data left behind by the operating system.
Our experts know how to find these artifacts and, more importantly, they
know how to evaluate the value of the information they find.
• Processing hidden files — files that are not visible or accessible to the user
— that contain past usage information. Often, this process requires
reconstructing and analyzing the date codes for each file and determining
when each file was created, last modified, last accessed and when
deleted.
• Running a string-search for e-mail, when no e-mail client is obvious.
Choosing a Computer Forensics Specialist
for a Criminal Case
• When you require the services of a computer
forensics specialist, don’t be afraid to shop around.
There are an increasing number of people who claim
to be experts in the field. Look very carefully at the
level of experience of the individuals involved.
• Make sure you find someone who not only has the
expertise and experience, but also the ability to
stand up to the scrutiny and pressure of cross
examination.
 COMPUTER FORENSICS ASSISTANCE TO HUMAN
RESOURCES/EMPLOYMENT PROCEEDINGS

• Computers can contain evidence in many types of

human resources proceedings, including sensual case
suits, allegations of discrimination and wrongful
termination claims.
• Evidence can be found in electronic mail systems, on
network servers, and on individual employee’s
computers.
EMPLOYER SAFEGUARD PROGRAM
• Employers must safeguard critical business information. An unfortunate
concern today is the possibility that data could be damaged, destroyed, or
misappropriated by a discontented individual.
• Before an individual is informed of their termination, a computer forensic
specialist should come on-site and create an exact duplicate of the data on
the individual’s computer. In this way, should the employee choose to do
anything to that data before leaving, the employer is protected.
• Damaged or deleted data can be re-placed, and evidence can be recovered
to show what occurred. This method can also be used to support an
employer’s case by showing the removal of proprietary information or to
protect the employer from false charges made by the employee.
• You should be equipped to find and interpret the clues that have been left
behind. This includes situations where files have been deleted, disks have
been reformatted, or other steps have been taken to conceal or destroy
the evidence.
For example, did you know?
COMPUTER FORENSICS SERVICES
COMPUTER FORENSICS SERVICES (Cont..)
COMPUTER FORENSICS SERVICES (Cont..)
COMPUTER FORENSICS SERVICES (Cont..)
COMPUTER FORENSICS SERVICES (Cont..)
 Recover Data You Thought Was Lost Forever
 Advise You on How to Keep Your Data and Information Safe
from Theft or Accidental Loss
 Examine a Computer to Find Out What Its User Has Been Doing
 Sweep Your Office for Listening Devices
 High-Tech Investigations