
Computer Forensics

What is Computer Forensics?


Computer Forensics can be defined simply as the process of applying
scientific and analytical techniques to computer operating systems
and file structures in order to determine the potential for legal evidence.
Overview of Presentation
• Why is evidence identification and preservation required?
• Who benefits from Computer Forensics?
• General types of forensic examinations requested.
• Computer Investigations.
Why is Evidence important?
• In the legal world, Evidence is EVERYTHING.
• Evidence is used to establish facts.
• The Forensic Examiner is not biased.
Who needs Computer Forensics?
• The Victim!
• Law Enforcement
• Insurance Carriers
• Ultimately the Legal System
Who are the Victims?

Private Business
Government
Private Individuals
Types of Forensic Requests
• Intrusion Analysis
• Damage Assessment
• Suspect Examination
• Tool Analysis
• Log File Analysis
• Evidence Search
Computer Investigations
• Introduction
• Digital Evidence
• Preserving Evidence
• Analysis of Digital Evidence
• Writing Investigative Reports
• Proven Security Protocols and Best Practices

Introduction

• The investigation process involves the extraction, documentation, examination, preservation, analysis, evaluation, and interpretation of computer-based material to provide relevant and valid information as evidence in civil, criminal, administrative, and other cases.

Digital Evidence
• Evidence is something tangible needed to prove a fact.
• Tangible evidence to prove a claim or an assertion can come from one of the following sources:
• An eyewitness who provides testimony.
• Physical evidence: traces of the sequence of activities leading to the claim or assertion.
• Digital evidence: the digital footprints of the sequence of activities leading to the claim or assertion.
• Digital evidence consists of the digital footprints left after every digital activity; together they form a cybertrail.

Looking for Digital Evidence
• Looking for digital evidence is difficult and is comparable to searching for bits of evidence data in a haystack.
• The evidence usually sought includes binary data fixed in any medium such as CDs, memory, and floppies; residues of things used in committing a crime; and physical materials such as folders, letters, and scraps of paper.

• At the start of the investigation, the examiner must decide on the things to work with, such as written and technical policies, permissions, billing statements, and system, application and device logs.
• Also decide early on what to monitor, if monitoring is needed. This may include employer and employee computing activities, Internet e-mail, and chat rooms.
Digital Evidence Previewing and Acquisition
• Dealing with digital evidence requires a lot of care because it is very volatile. The two processes, previewing and acquiring data, may disturb the evidence to the point of changing its state, casting doubt on its credibility.
• To make sure that this does not happen, a strict sequence of steps must be followed in handling the evidence.

• Handling Evidence – tracing the sequence of events by looking for answers to the following questions:
• Who extracted the evidence, how, and when?
• Who packaged it and when?
• Who stored it, how, when and where?
• Who transported it, where and when?
• Previewing Image Files – allows the investigator to view the evidence media in order to determine if a full investigation is warranted.
• Evidence Acquisition – the process of evidence extraction.

Preserving Evidence
• Given that digital evidence is very fluid in that it can disappear or change
so fast, extra care must be taken in preserving digital evidence.
• One way of preserving evidence is to strictly follow the following
procedures:
• Secure the evidence scene from all parties that have no relevance to it. This is to avoid contamination, usually from the deposit of hairs, fibres or trace material from clothing, footwear or fingerprints.
• Securely catalog and package evidence in strong anti-static, well-padded, and labelled evidence bags.
• Image all suspected media as evidence to create a backup. Try to make several copies of each evidence item.
• Make checksums of the original evidence disk before and after each copy. After imaging, the two checksums must agree.
• Institute a good security access control system to make sure that only those authorized to handle the evidence do so.
• Secure the evidence by encryption, where and if possible. Encryption ensures the confidentiality of the evidence.
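The imaging, checksum and chain-of-custody steps above (and the "who extracted, packaged, stored, transported it" questions from the evidence-handling slide) can be put together in a small script. This is an added example, not code from the presentation: it uses a constructed in-memory byte string as the "evidence disk" in place of a real device, SHA-256 as the checksum (the slides do not name an algorithm), and a JSON custody log whose field names are this example's own choice.

```python
import hashlib
import io
import json
from datetime import datetime, timezone

# Constructed sample "evidence disk": stands in for a real device or image file.
ORIGINAL_DISK = (b"BOOT SECTOR\x00" * 32
                 + b"invoice-2023.docx ... wire transfer to account ..."
                 + b"\x00" * 300)


def sha256_hex(data: bytes) -> str:
    """Checksum used to fingerprint the original media and every copy of it."""
    return hashlib.sha256(data).hexdigest()


def acquire_image(source: bytes, block_size: int = 512) -> bytes:
    """Bit-for-bit copy read in fixed-size blocks, the way an imaging tool works."""
    src, out = io.BytesIO(source), io.BytesIO()
    while True:
        block = src.read(block_size)
        if not block:
            break
        out.write(block)
    return out.getvalue()


class CustodyLog:
    """Chain-of-custody record answering who, what, how, when and where."""

    def __init__(self) -> None:
        self.entries = []

    def record(self, actor: str, action: str, method: str, location: str, **details) -> None:
        self.entries.append({
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "method": method,
            "location": location,
            **details,
        })

    def to_json(self) -> str:
        return json.dumps(self.entries, indent=2)


def image_and_verify(source: bytes, examiner: str, location: str, log: CustodyLog):
    """Hash the original before and after imaging; accept the image only if all three hashes agree."""
    before = sha256_hex(source)
    log.record(examiner, "hash original (before imaging)", "sha256", location, sha256=before)

    image = acquire_image(source)
    image_hash = sha256_hex(image)
    log.record(examiner, "acquire forensic image", "block copy", location, sha256=image_hash)

    after = sha256_hex(source)
    log.record(examiner, "hash original (after imaging)", "sha256", location, sha256=after)

    verified = before == after == image_hash
    log.record(examiner, "verify image", "compare checksums", location, verified=verified)
    return image, verified


def verify_copy(reference_hash: str, copy: bytes) -> bool:
    """Re-check any later working copy against the recorded hash of the original."""
    return sha256_hex(copy) == reference_hash


if __name__ == "__main__":
    log = CustodyLog()
    image, ok = image_and_verify(ORIGINAL_DISK, "examiner A", "evidence lab, bench 2", log)
    print("image verified:", ok)
    # A working copy altered by even one bit no longer matches the recorded hash.
    tampered = bytearray(image)
    tampered[600] ^= 0x01
    print("tampered copy verified:", verify_copy(sha256_hex(ORIGINAL_DISK), bytes(tampered)))
    print(log.to_json())
```

Hashing the original both before and after the copy is what the slide asks for: a mismatch between the two original hashes means the acquisition itself disturbed the media, while a mismatch between the original and the image means the copy is not faithful. The log entries carry the examiner, method, timestamp and location so each custody question can be answered from the record later.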

Analysis of Digital Evidence
• Evidence analysis is the most difficult and
demanding task for investigators
• It involves:
• Analyzing Data Files
• File Directory Structure
• File Patterns
• Metadata
• Content
• Application
• User Configuration

• Analysis Based on Digital Media
• Deleted Files
• Hidden Files
• Slack Space
• Bad Blocks
• Steganography Utilities
• Compressed and Coded Files
• Encrypted Files
• Password-Protected Files
• Analysis Based on Operating Systems
• Microsoft–Based File Systems
• UNIX and LINUX File Systems
• Macintosh File System
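To show why the "Deleted Files" and "Slack Space" items above matter to an examiner, here is an added example that is not part of the presentation. It simulates a tiny FAT-like volume (a name assumed here; 512-byte clusters, single-cluster files, all content constructed) in which deleting a file removes only its directory entry and writing a file fills only as many bytes of its cluster as the file needs. A simple printable-string carver then recovers content from unallocated space and from the slack of a live file.

```python
import re

CLUSTER_SIZE = 512        # assumed allocation unit for the simulated volume
NUM_CLUSTERS = 8


class ToyVolume:
    """Minimal FAT-like volume: raw clusters plus a directory of name -> (cluster, size).

    Deleting a file removes only its directory entry, and writing a file touches
    only len(data) bytes of its cluster. Both behaviours mirror real file systems
    and are what leave deleted data and file slack behind for the examiner."""

    def __init__(self) -> None:
        self.disk = bytearray(CLUSTER_SIZE * NUM_CLUSTERS)
        self.directory = {}

    def write(self, name: str, cluster: int, data: bytes) -> None:
        if len(data) > CLUSTER_SIZE:
            raise ValueError("toy volume supports single-cluster files only")
        start = cluster * CLUSTER_SIZE
        self.disk[start:start + len(data)] = data   # bytes past len(data) are left untouched
        self.directory[name] = (cluster, len(data))

    def delete(self, name: str) -> None:
        del self.directory[name]                     # cluster contents are not wiped

    def read(self, name: str) -> bytes:
        """What a normal application sees: only the logical file contents."""
        cluster, size = self.directory[name]
        start = cluster * CLUSTER_SIZE
        return bytes(self.disk[start:start + size])

    def slack(self, name: str) -> bytes:
        """Bytes between the file's logical end and the end of its cluster."""
        cluster, size = self.directory[name]
        start = cluster * CLUSTER_SIZE
        return bytes(self.disk[start + size:start + CLUSTER_SIZE])

    def unallocated_clusters(self) -> list:
        used = {c for c, _ in self.directory.values()}
        return [c for c in range(NUM_CLUSTERS) if c not in used]


def carve_strings(data: bytes, min_len: int = 8) -> list:
    """Recover runs of printable ASCII: the simplest form of content carving."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def demo():
    fs = ToyVolume()
    memo = b"CONFIDENTIAL MEMO: merger talks with Acme scheduled for Friday"
    fs.write("memo.txt", 3, memo)
    fs.delete("memo.txt")                             # gone from the directory only
    recovered_deleted = carve_strings(bytes(fs.disk))  # carving unallocated space finds it
    fs.write("notes.txt", 3, b"grocery list: milk, eggs")   # a new, shorter file reuses the cluster
    live = fs.read("notes.txt")                       # the application view shows only the new file
    in_slack = carve_strings(fs.slack("notes.txt"))   # the tail of the old memo survives in slack
    return recovered_deleted, live, in_slack


if __name__ == "__main__":
    for label, value in zip(("deleted file carved", "live file", "file slack"), demo()):
        print(f"{label}: {value}")
```

Real file systems add complications the toy leaves out (multi-cluster files, fragmentation, journaling, wear levelling on flash), but the two mechanisms it models are the reason an examiner works on a full image of the media rather than on the files a mounted volume shows.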

Relevance and Validity of Digital Evidence
• There is a need to establish the relevance of the evidence.
• The relevance of the digital evidence depends on:
• the requesting agency,
• the nature of the request,
• the type of case in question.
• The question of the validity of data is tied up with the relevance of the data.
• It is also based on the process of authenticating that data.

Writing Investigative Reports
• A report is a summary of all findings of the investigation, and it comes from all the documentation that has been made throughout the investigation.
• The report should include the following documents [4]:
• All notes taken during meetings and contacts that led to the investigation
• All forms used in the investigation, including the chain of custody forms
• Copies of search warrants and legal authority notes granting permission to conduct searches
• Notes, video recordings, and pictures taken at the incident scene describing the scene
• Notes and any documentation made to describe the computer components, including a description of peripherals and all devices.

• Documentation and notes describing the networking of the suspect’s devices
• Notes made on what was discovered, including passwords, pass phrases, encryption and any data hiding.
• Any changes to the suspect’s scene configuration, authorized or not.
• Names of everyone at the suspect’s scene
• Procedures used to deal with the scene, including acquisition, extraction, and analysis of evidence.
• Any observed or suspected irregularities, including those outside the scope of the techniques in use.
