Articulo Inf. Forense Final Ingles


Introduction to Computer Forensics and Related Legislation

Ana Karen Moreno Serrano

Eydi Villanueva Arroyo

Instituto Tecnológico de Tuxtepec

Tutor: Ing. Meztli Valeriano Orozco

May 26th, 2014


Abstract

The value that information has gained in recent years makes it increasingly important to the growth of companies; as a consequence of the need to protect information, computer forensics has acquired great and ever-growing significance. That is why it is essential to know what computer forensics is, how it can be used, what it consists of and what its purpose is, with emphasis on the procedures to take into account when carrying out a forensic analysis and the minimum legal requirements so as not to infringe, at any moment, the rights of third parties who may be affected.


Keywords

Forensic

Forensic analysis

Infringement of systems

Forensic methodology

Forensic experts


Introduction

In 1984 a program named Magnetic Media (CART) was created; its special agent Michael Anderson is considered the father of computer forensics for his acclaimed work for the FBI and the Criminal Investigation Division. Michael Anderson later founded one of the most important forensic firms, known as New Technologies. Over the years, the International Organization on Computer Evidence (1990) was established. It was thanks to all these advances that computer forensics began to play an important role in law enforcement.

Computer forensics has continued to develop and has reached a peak in the computing world, but the truth is that there is not much reliable information that enables users to understand what this science means, its events, its techniques and its promising future.

Accordingly, this article seeks to provide an overview of the technical and legal expertise involved, to enlighten readers on the general principles and legal bases for the development of projects focused on computer forensics.


Chapter 1. Computer Crimes

1.1 WHAT IS A COMPUTER CRIME?

Computer crime is classified as typical and atypical, the first meaning "the typical, anti-juridical and guilty behaviors that have computers as an instrument or end" and the second "illicit attitudes that have computers as a tool or end". (Tellez Valdéz, 2002)

Computer crime is any criminal wrongdoing in which computers, techniques and functions play a role either as a method, a means or an end. (Lima, 2006)

1.2 TYPES OF COMPUTER CRIMES

Dr. Julio Tellez Valdez, researcher at the Institute for Legal Research of the UNAM, classifies cybercrime according to two criteria: as an instrument or means, and as an end or objective.

Figure 1.2.1 Classification of cybercrime according to the author Julio Tellez Valdez (cybercrime is classified as: instrument or means; end or target)

1.2.1 INSTRUMENT OR MEANS

Criminal behavior that uses computers as a method, means or symbol to commit an unlawful act, such as digitally falsifying documents, altering an accounting situation, or intercepting data communication or teleprocessing lines.

1.2.2 END OR OBJECTIVE

Criminal behavior directed against the computer or its programs as a physical entity, such as instructions that produce a partial or complete blockage of the system, the destruction of programs by any method, and physical attacks on the computer, its accessories or its media.

Chapter 2. Forensic Computer Science

2.1 WHAT IS COMPUTER FORENSICS?

Computer forensics is a set of research techniques that identify a variety of clues when analyzing certain elements of security incidents, and by means of which the procedure carried out for that purpose can be reconstructed. (Rivas López, 2009)

According to the group Juristas Forenses y Asociados, computer forensics, forensic computing, digital forensics and digital forensic examination are synonymous, and are defined as the application of specialized scientific, analytical and technological techniques and infrastructure to identify, preserve, analyze and present data that are valid in a legal process. (Juristas Forenses y Asociados, 2012)

2.2 OBJECTIVES AND IMPORTANCE OF COMPUTER FORENSICS

The importance of computer forensics lies in the fact that it is a discipline that uses computer techniques to reconstruct the asset, examine residual data, authenticate data, and explain the technical characteristics of the use applied to the data and information assets.

The challenge of computer forensics is that, through the use of technology, data can be extracted from devices while maintaining the integrity of the data and of their processing.

The aims of this discipline are numerous, but in general computer forensics allows a company to be provided with services that pursue preventive objectives, anticipating potential problems, or corrective objectives, reaching a favorable solution once infringements and violations have occurred.


Chapter 3. Forensic Analysis

3.1 CONCEPT OF FORENSIC ANALYSIS

Forensic analysis of a computer system is a modern science that allows us to reconstruct what has happened in a system after a security incident. This analysis can determine who, from where, how, when and what actions an intruder has carried out in the systems affected by a security incident. (Rivas López, 2009)

3.2 KEY WORDS IN A FORENSIC ANALYSIS

- Chain of Custody: refers to the responsibility of the person handling the evidence to ensure that the items are recorded and accounted for during the time in which they are held, and are protected, keeping track of the names of the persons who handled the evidence or items together with the time and date of delivery and receipt.

- Forensic Image: also called "mirror", a bit-by-bit copy of an electronic storage medium. The image records the space occupied by the files, including hidden areas and deleted partitions.

- File Analysis: examines each discovered digital file and creates a database of information related to the file, such as its metadata; this consists, among other things, of the file signature or hash, author, size, name and path, and its creation, last access and modification dates.

3.3 TYPES OF FORENSIC ANALYSIS

Figure 3.3. The different types of existing forensic analysis (types of forensic analysis: systems; network; embedded systems)

3.3.1 FORENSIC ANALYSIS OF SYSTEMS

In this type of analysis, the security incidents that occurred on servers and workstations running different operating systems are addressed, as shown in Table 3.3.1.

Table 3.3.1 Operating Systems for forensic analysis

Operating System      Versions
Mac OS                Mac OS X Server 1.0, Cheetah, Panther, Puma, Jaguar, etc.
Microsoft (Windows)   Windows 9X/Me, Windows 2000 server/workstation, Windows 2003 Server, Windows XP, Windows Vista, Windows 2008 Server, etc.
UNIX Systems          Sun OS, SCO, Unix, etc.
GNU/LINUX Systems     Debian, RedHat, Suse, Ubuntu, etc.

3.3.2 NETWORK FORENSICS

This analysis covers the different types of networks, such as wired, wireless, Bluetooth, etc.

3.3.3 FORENSIC ANALYSIS OF EMBEDDED SYSTEMS

This type of analysis is based on the analysis of incidents in mobile devices, PDAs(1), etc.

An embedded system has an architecture similar to that of a personal computer.

(1) Personal digital assistant: a small device that combines a computer, telephone/fax, Internet and network connections.


3.4 PHASES OF FORENSIC ANALYSIS

Depending on the nature of the crimes and of the behavior under investigation, the work may take place in two places: the crime scene and the forensic laboratory.

Figure 3.4. Steps to consider for forensic analysis (phases of forensic analysis: crime scene; forensic laboratory)

3.4.1 CRIME SCENE

These phases aim to protect the state of the scene so that the identification and collection of the available evidence are not affected. At the scene are the items that could be taken as digital evidence, so care should be taken to preserve them.

It is also necessary to identify the information systems that may contain relevant information: all types of electronic devices, CDs and DVDs. When collecting evidence, the impact on the original evidence should be minimized as far as possible, making exact copies of the evidence so that these copies are used in the forensic analysis and the original evidence is not altered.

3.4.2 FORENSIC LABORATORY

The Forensic Laboratory stages are performed by experts in digital forensic science, starting with preserving the evidence, documenting each activity and procedure performed, carrying out the forensic analysis following the specialized methodology, and presenting the results appropriately so that they are valid in a legal process.

3.5 STEPS OF THE COMPUTER FORENSICS ANALYSIS PROCESS

For a proper forensic examination of computer equipment, 4 phases are proposed to be followed, as shown in Figure 3.5.

Figure 3.5. Forensics Process

3.5.1 IDENTIFICATION

It is important to know the history, the current situation and the process to be followed in order to make the best decision regarding the investigation strategy.

Account should be taken of the identification of the IT asset in use within the network, the start of the chain of custody, the review of the legal environment that protects the asset, and support for decision-making regarding the next step once the results have been reviewed.

3.5.2 PRESERVATION

Includes the review and generation of the forensic images of the evidence on which the analysis is performed.

A forensic image is the process required to generate "bit-by-bit" copies of the entire disk; it is performed using the latest technology in order to maintain the integrity of the evidence, and the chain of custody is required. To avoid contaminating the hard drive, hardware write blockers are normally used; they prevent any write to the disk while it is being read, which would otherwise cause undesired alteration of the media.
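The imaging and integrity check just described, together with the metadata record from the File Analysis entry in section 3.2, as an added example that is not part of the original article: the source is hashed before imaging and the image afterwards, the image is re-verified later, and a single altered byte is shown to break the verification. The file names and the "device" contents are constructed for the demonstration.

```python
"""Added example (not code from the original article): verify that a forensic
image is a bit-by-bit copy of its source by hashing both, and build the per-file
metadata record that the article's 'File Analysis' entry (3.2) describes. The
'device' is a constructed temporary file standing in for a disk; a real source
would sit behind a hardware write blocker."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read in 1 MiB pieces so large images fit in memory


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest}, computing all algorithms in one pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire_image(source_path, image_path):
    """Copy the source byte for byte and return the preservation record for the
    chain-of-custody file: source hashes, image hashes and acquisition time."""
    source_hashes = hash_file(source_path)
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while chunk := src.read(CHUNK):
            dst.write(chunk)
    return {
        "source": source_path,
        "image": image_path,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "source_hashes": source_hashes,
        "image_hashes": hash_file(image_path),
    }


def verify_image(record):
    """Re-hash the image (e.g. before analysis) and compare with acquisition."""
    return hash_file(record["image"]) == record["source_hashes"]


def file_record(path):
    """Metadata for one discovered file: hash, size, name, path, timestamps."""
    st = os.stat(path)
    iso = lambda ts: datetime.fromtimestamp(ts, timezone.utc).isoformat()
    return {
        "name": os.path.basename(path),
        "path": os.path.abspath(path),
        "size": st.st_size,
        "sha256": hash_file(path, ("sha256",))["sha256"],
        "modified": iso(st.st_mtime),
        "accessed": iso(st.st_atime),
        "metadata_changed": iso(st.st_ctime),  # not creation time on Unix
    }


def demo():
    """Constructed scenario: image a fake device, verify it, then flip one byte
    in the image and show that the verification fails."""
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "device.bin")
        image = os.path.join(work, "device.img")
        with open(source, "wb") as f:
            f.write(b"CONSTRUCTED EVIDENCE " * 50_000)  # about 1 MiB
        record = acquire_image(source, image)
        before = verify_image(record)
        with open(image, "r+b") as f:  # simulate contamination of the image
            f.seek(12345)
            f.write(b"X")
        return {
            "verified": before,
            "verified_after_tamper": verify_image(record),
            "source_size": file_record(source)["size"],
        }
```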

3.5.3 ANALYSIS

In this phase, scientific and analytical techniques must be applied to the duplicates obtained through the forensic process in order to find evidence of certain behaviors.

Some examples of searches that can be performed are: strings, specific actions or users of the machine such as the use of USB devices (make, model), searching for specific files, recovery and identification of e-mails, recovery of the last visited websites, recovery of the Internet browser cache, etc.

3.5.4 PRESENTATION

This phase should gather all the information obtained from the analysis for the report and its presentation to lawyers, generating an expert report(2) and a correct interpretation without using jargon.

(2) Formal structure for the presentation of expert results, suitable for their understanding and interpretation by readers who are not specialists in the field.

3.6 DEVICES THAT CAN BE ANALYZED

The infrastructure that can be analyzed is anything that has a memory, so the following devices, shown in Table 3.6, can be analyzed.

Table 3.6 Supported devices for forensic analysis

- Server: documentation relating to the case; security logs; authentication credentials; network packet traces.
- Mobile or cellular phone.
- Electronic agendas (PDA).
- GPS devices.
- Printer.
- USB memory.

Chapter 4. Legislation Related to Computer Forensics

4.1 INTRODUCTION TO FORENSIC LEGISLATION

To perform a proper computer forensics analysis, a multidisciplinary team is required that includes professional legal experts in IT(3) and technical experts in forensic methodology.

This is because it is about ensuring compliance with both the legal requirements and the technical requirements derived from the forensic methodology. Likewise, in order to carry out a proper forensic analysis, there are multiple and varied national and international laws related to computer crime at the digital level.

4.2 NATIONAL LAW

- Law on Transparency and Access to Public Information: guarantees the fundamental right of people to freely access information held by public sector entities, all of which must publish information about their internal organization.

(3) Information Technologies.

- Law on Electronic Commerce, Electronic Signatures and Data Messages: regulates data messages, electronic signatures, certification services, electronic and telematic contracting, the electronic provision of services through information networks, including electronic commerce, and protects the users of these systems.

- Intellectual Property Law: guarantees and acknowledges copyright and the other rights of holders over their works. The theft of digital information can be treated as a violation of intellectual property, since the information may be personal and of great importance to its owner.

- Special Telecommunications Law: aims to regulate, in the country, the installation, operation, use and development of any transmission, emission or reception of signs, signals, pictures, sounds and information of any nature by wire, radio, optical or other electromagnetic systems.

- Law of Constitutional Control: states that any person or entity, whether local or foreign, seeking access to documents, databases and reports in the possession of public entities, private individuals or corporations, may file an appeal for habeas data(4) to demand answers and to enforce the custodial measures prescribed in this Act by the persons holding such data or information.

4.3 INTERNATIONAL LAW

Internationally, several countries have developed laws related to cybercrime and hence to computer forensics; among the most prominent are:

- "Computer Crime Law", issued in Chile on May 28, 1993. It should be noted that Chile was the first country to issue such a law, which consists of four articles that punish unlawful conduct such as the destruction of an information processing system; the interference with, interception of or access to an information system in order to seize the data stored in it; the damage or destruction of data; and the malicious disclosure or dissemination of data contained in a system.

- "Act 1273", issued in Colombia on January 5, 2009. Amended the penal code by adding new penalties related to computer crime cases, seeking to protect and preserve information systems and information and communication technologies.

- Computer Fraud and Abuse Act, issued in the U.S. in 1986, under which federal computer-related offenses are punishable.

- USA PATRIOT Act (2001), issued in the USA in 2001, which punishes the person who knowingly accesses a computer without authorization and accesses data from financial institutions, as well as the person who accesses a computer and publishes without government permission.

- Second Economic Crimes Act, issued in Germany on May 15, 1986, which amended the Criminal Code to contemplate data espionage, computer fraud, falsification of evidence, alteration of data, computer sabotage, etc.

- Criminal Code Reform Act, issued in Austria on December 22, 1987. Sanctioned the destruction of data, including personal and non-personal data and software, and computer fraud, punishing those who cause prejudice to third parties.

- Law No. 88-19, issued in France on January 5, 1988. Sanctioned fraudulent intrusion to remove or modify data, obstruction or alteration of an automatic data processing system, computer sabotage and forgery.

- Penal Code of Spain. Spain is the country with the most experience of cybercrime in Europe; through its criminal code it punishes damage, alteration or mutilation of third-party data, programs or electronic documents, violation of secrets, espionage, disclosure, and fraud using computer manipulation.

(4) Constitutional action by which any person may demand to be provided with the existing information about themselves.


Method

To research this article a search method was used, given that the primary function for which the article was developed is purely informational.

The search method this research adheres to is the method of finding information on the Internet, which is explained below:

On the Internet there are so many documents that they are difficult to quantify; this has made the solution of problems related to efficient search methods an important research topic, so it is important to acquire knowledge of the different tools that the Internet gives us, such as search engines.

Search engines are defined as software or support tools for users that allow them to seek information about a topic; this tool works by searching databases that contain information about the published web sites and indexing the range of possible results related to the topic or keywords entered.

The techniques used in this method are:

- Exact words: to locate words in a precise order, enter the phrase in double quotes in the search box.

- AND (+): retrieves all documents containing the keywords separated by the operator. Example: Quijote AND Cervantes finds documents where both the term Quijote and the term Cervantes are present.

- AND NOT (-): excludes documents that contain the keyword specified after the operator. Example: Cervantes AND NOT Quijote finds documents where the term Cervantes is present but not the term Quijote.

- OR: presents documents that have any of the keywords separated by the operator. Example: Quijote OR Cervantes locates documents containing at least one of the two terms (either Cervantes or Quijote), including those that contain both.

- XOR: like OR, but the result excludes documents that contain both terms.

- ADJ: the terms appear together, regardless of order. Example: car ADJ racing returns documents containing "car racing" or "racing car".

- Advanced search by file type: Google in particular has this feature, which allows the exploration to be narrowed to different types of formats (text, spreadsheets, animations, presentations, videos); it only requires the filetype: command followed by the format type.

- Thematic indices: these systems search by subject or by hierarchical categories. They have a theme directory to browse, and within each directory you can find pages related to that topic.
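An added example (not part of the original article) that implements the operators listed above over a small constructed set of documents, so the exact-phrase, AND, AND NOT, OR, XOR and ADJ semantics can be tried against the Quijote/Cervantes examples; the corpus and its document ids are constructed.

```python
"""Added example (not from the original article): a small evaluator for the
search operators the Method section describes (exact phrase, AND, AND NOT, OR,
XOR, ADJ), run over a constructed set of document texts so the behaviour of
each operator can be checked against the article's Quijote/Cervantes examples."""
import re

DOCS = {  # constructed sample corpus
    "d1": "Miguel de Cervantes wrote Don Quijote in the seventeenth century.",
    "d2": "Cervantes also wrote the Novelas ejemplares.",
    "d3": "Quijote is a character who tilts at windmills.",
    "d4": "A race car differs from car racing as a sport.",
    "d5": "The car is parked while the racing takes place.",
}

OPERATORS = {
    "AND": lambda a, b: a and b,
    "AND NOT": lambda a, b: a and not b,
    "OR": lambda a, b: a or b,
    "XOR": lambda a, b: a != b,  # like OR, but not both
}


def tokens(text):
    """Lower-case word tokens, so matching ignores case and punctuation."""
    return re.findall(r"\w+", text.lower())


def matches(text, query):
    """True if one document satisfies a query of the form "exact phrase",
    a single term, or term OPERATOR term."""
    toks = tokens(text)
    query = query.strip()
    phrase = re.fullmatch(r'"(.+)"', query)
    if phrase:  # exact words: the phrase must appear in this precise order
        needle = tokens(phrase.group(1))
        return any(toks[i:i + len(needle)] == needle for i in range(len(toks)))
    m = re.fullmatch(r"(\w+)\s+(AND NOT|AND|OR|XOR|ADJ)\s+(\w+)", query)
    if not m:  # a single term
        return query.lower() in toks
    a, op, b = m.group(1).lower(), m.group(2), m.group(3).lower()
    if op == "ADJ":  # both terms next to each other, in either order
        return any({toks[i], toks[i + 1]} == {a, b} for i in range(len(toks) - 1))
    return OPERATORS[op](a in toks, b in toks)


def search(query, docs=DOCS):
    """Sorted ids of the documents that satisfy the query."""
    return sorted(doc_id for doc_id, text in docs.items() if matches(text, query))
```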


Results

This article was prepared with the purpose of presenting an overview of computer forensics focused on its legal framework; as observed, it is an area that has become very important in recent years and for which a great future is expected.

Given that in Mexico there is little reliable information about computer forensics, the development of this paper discusses the most important points required for the reader to understand this science and to have the necessary knowledge of it, and likewise creates a perspective of how information could be vulnerable, even when it is believed to be protected or deleted.

The development of this article about computer forensics was carried out because it is an issue of great relevance, since nowadays society has changed the way we communicate and perform certain activities of daily living; in Mexico alone, it is estimated that 80% of households have one or more cell phones, on average 1.9 cell phones per household. On the other hand, 37% of households own at least one computer and October 7 internet access.

Therefore, due to the wide use of electronic devices, there must be some security in them, but in this area the numbers are not the most encouraging: the research found that Mexico ranks last in computer security among the member countries of the OECD (Organization for Economic Cooperation and Development), where we find that at least 45% of people put their cyber identity at risk through neglect of information such as personal data, passwords, accounts, etc.

In analyzing these data, we find that computer crimes are increasing more and more: from 2011 to date alone they have increased by 41%, around 403 million threats and cybercrimes. Therefore, the use of computer forensics will help to detect evidence that contributes to establishing guilt for these crimes; just by examining the recorded data on computer forensics cases in Mexico, the following categories were obtained:


Image 1. Cases registered in computer forensics labs according to Recovery Labs studies

As shown in Image 1, 47% of cases concern fraudulent crimes such as forgery and computer fraud; 43% of cases concern offenses against the confidentiality, integrity and availability of computer data and systems, such as criminal behavior related to interference in the operation of a system; and finally 10% of cases are content-related crimes, such as the acquisition of pornographic content through computer systems.

Also, when considering the above data, it is determined that computer forensics is in great demand in the country, although it is true that there are few experts in this area: according to the statistics, in the country only 10% of professionals in the computing area specialize in this science, so for future professionals this area could be very promising. Similarly, it was found that from 2011 Mexico added to its penal code laws that allow the punishment of the computer crimes that are committed and the use of computer forensics to detect evidence against those who commit them; but even the laws passed are not enough to condemn all the crimes committed, much less to allow the science of computer forensics to extract data in at least 50% of prosecuted cases.

[Image 1 chart: Cases in Computer Forensics in Mexico. Fraud offenses 47%; offenses against the confidentiality, integrity and availability of data and computer systems 43%; content-related offenses 10%]


Discussion

Currently, the value of information is increasing, so we should be more concerned with taking steps to protect it. Computer forensics was therefore born as a result of this concern, seeking both prevention and a corrective reaction to the problems that may affect information systems.

Based on the results obtained and analyzed in our research, we can conclude that:

Computer crimes are on the rise; today most people do not have good knowledge of how to protect their information, so it is vulnerable to intruders and they become victims of various crimes. Also, most people are not aware that there is a science, computer forensics, capable of detecting the evidence required for a judgment on any device that has storage memory, even if the information was deleted.

In Mexico, the science of computer forensics is still developing compared to countries such as Spain or the United States; there is still much room for improvement in legal and human resources, which are essential to meet the high demand arising from offenses in which devices are involved at the crime scene.

In our country, when it comes to the workplace, there are few professionals in the computing area who specialize in computer forensics, even though it is an area that has become important worldwide in recent times and has a promising future; for future students it could therefore be a good choice of study area and workplace.

Regarding the legal framework in the country, it is still insufficient; namely, there are few laws in the Mexican penal code that support computer forensics when developing and presenting evidence to prove or disprove someone's guilt.

The legal field is of vital importance for computer forensics, because it is known that, for everything done in this science to be successful, legal regulations are needed that penalize attackers so that they can be sentenced for the crimes they have committed. Also, each country needs to recognize the value of information and to protect its citizens through laws that ensure that no computer crime goes unpunished.


References

Acurio del Pino, S. (n.d.). Delitos informáticos: Generalidades. Spain: Puce. Retrieved from OAS.

Borghello, C. (2009). Segu.info Seguridad de la Información. Retrieved from http://sugu-info.com.ar/legislacion/

Calderón Valdiviezo, R. G., Guzmán Reyes, G. S., & Salinas González, J. M. (2011). Diseño y plan de implementación de un laboratorio de ciencias forenses digitales. Guayaquil, Ecuador: Escuela Superior Politécnica del Litoral.

Carrier, B. (2005). File System Forensic Analysis. United States: Pearson Education.

Contraloría Universitaria. (July 2007). Udec. Retrieved from http://www2.udec.cl/contraloria/docs/materias/delitosinformaticos.pdf

Juristas Forenses y Asociados. (March 15, 2012). Forenses Informáticos. Retrieved from http://delitinfom.blogspot.mx/2012/03/concepto-objetivos-y-herramientas-de-la.html

Lima, M. d. (2006). Criminalia N° 1-6 Año L. Delitos Electrónicos. México: Ediciones Porrua.

Pérez, J. C. (June 18, 2011). Cómputo forense y delitos informáticos en la legislación mexicana. Retrieved from www.juniocarl.com.mx/wordpress/?p=13

Recovery Labs. (2012). Division Computer Forensic. Retrieved from www.delitosinformaticos.info/peritaje_informatico/estadisticas.html

Rivas López, J. (2009). Análisis Forense de Sistemas Informáticos. Barcelona: Eureca Media.

Santes Galván, L. (2009). Propuesta de una metodología forense para depositos de telefonía celular. México, DF: Instituto Politécnico Nacional.

Tellez Valdéz, J. (2002). Derecho Informático. In J. Tellez Valdéz, Derecho Informático (pp. 103-104). México: McGraw Hill.