Computer Forensics

COMPUTER FORENSICS Presented By Paritosh Goldar P08CO979 Guided By DR Patel


Page 1: Computer Forensics

COMPUTER FORENSICS

Presented By Paritosh Goldar

P08CO979

Guided By DR Patel

Page 2: Computer Forensics

INDEX

• Introduction
• Components of Computer Forensic Analysis
• The Forensic Investigation Process
• Objectives of the Investigative Process
• Applications of Computer Forensics
• Security Incidence
• Computer Forensic Tools
• Conclusion
• References

Page 3: Computer Forensics

Introduction

• Computer forensics is the collection, preservation, analysis, and presentation of computer-related evidence.

• A real scientific discipline for crime investigation.

• The use of science and technology to investigate and establish facts in criminal or civil courts of law.

Page 4: Computer Forensics

Introduction

• Proper Acquisition and Preservation of Computer Evidence.
• Authentication of Collected Data for Court Presentation.
• Recovery of All Available Data, Including Deleted Files.

Computer forensics creates opportunities to uncover evidence that is impossible to find using a manual process.

Page 5: Computer Forensics

Components of Computer Forensic Analysis

• Preservation
– Involves making a forensic copy of the original data and conducting a comparison between the copy and the original
– Examine the live computer system if possible
– Inspect the surroundings, collect all pertinent physical evidence
– Photograph all devices before examination
– Fully document the hardware configuration

Page 6: Computer Forensics

Components of Computer Forensic Analysis

• Identification
– Identify the potential containers of electronic evidence (e.g. hard drives, etc.)
– Identify the data pertinent to the case under investigation

• Extraction
– Making electronic and hard copies of relevant data

Page 7: Computer Forensics

Components of Computer Forensic Analysis

• Interpretation
– Results of the investigation, based on the data and tools used, must be interpreted by forensic experts

• Documentation
– Document everything from start to finish

Page 8: Computer Forensics

Components of Computer Forensic Analysis

• Rules of Evidence
– Forensic investigators must consider the local rules of evidence (which define the conditions for admissibility, reliability, and relevance) that apply to the situation at hand

Page 9: Computer Forensics

The Forensic Investigation Process

– Recovery of evidence: recovery of hidden and deleted information, recovery of evidence from damaged equipment
– Harvesting: Obtaining data about data
– Data reduction: Eliminate/filter evidence
– Organization and search: Focus on arguments
– Analysis: Analysis of evidence to support positions
– Reporting: Record of the investigation
– Persuasion and testimony: In the courts

Page 10: Computer Forensics

Objectives of the Investigative Process

• Acceptance: Process has wide acceptance
• Reliability: Methods used can be trusted to support findings
• Repeatability: Process can be replicated
• Integrity: Trust that the evidence has not been altered
• Cause & Effect: Logical relationship between suspects, events, evidence
• Documentation: Recording of evidence

Page 11: Computer Forensics

Applications of Computer Forensics

• High Tech Crime Investigations
• Incident Response
• Email Recovery & Analysis
• Document & File Recovery
• Law enforcement agencies, e.g. cybercrime
• Civil litigators, e.g. IP infringement
• Insurance companies

Page 12: Computer Forensics

Security Incidents

• Incident: "A computer security incident is any adverse event whereby some aspect of computer security could be threatened: loss of data confidentiality, disruption of data or system integrity, or disruption or denial of availability."

• Any security-relevant adverse event that might threaten the security of a computer system or a network.

Page 13: Computer Forensics

Security Incidence

Page 14: Computer Forensics

Types of Incidents

• Most incidents point towards: 1. Confidentiality, 2. Integrity, 3. Availability.

Page 15: Computer Forensics

Main Categories of Incidents

• Compromise of integrity
– Such as when a virus infects a program or the discovery of a serious system vulnerability.

• Denial of service
– Such as when an attacker has disabled a system or a network worm has saturated network bandwidth.

Page 16: Computer Forensics

Main Categories of Incidents

• Misuse
– Such as when an intruder (or insider) makes unauthorized use of an account or information.

• Damage
– Such as when a virus destroys data.

• Intrusions
– Such as when an intruder penetrates system security.

Page 17: Computer Forensics

Examples of Incidents

Different types of incidents:
• Repudiation
• Harassment
• Pornography trafficking
• Organized crime activity
• Subversion

Page 18: Computer Forensics

Incident Response Methodology

Preparation → Detection → Containment → Analysis → Eradication → Recovery → Follow-up

Feed back (from Follow-up to the earlier phases)

Digital Forensics / Evidence Management

Page 19: Computer Forensics

Types of Digital Forensics

• "Network" Analysis
– Communication analysis
– Log analysis
– Path tracing

Page 20: Computer Forensics

Types of Digital Forensics

• Media Analysis
– Disk imaging
– MAC time analysis (Modify, Access, Create)
– Content analysis
– Slack space analysis
– Steganography
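MAC time analysis, as listed above, means reading each file's Modify, Access and Create/Change timestamps and laying them out as one ordered timeline so an examiner can see the sequence of activity on the media. The script below is an added example written for this page, not code from the presentation or its references; it uses Python's `os.stat` fields and builds a small evidence tree inline (constructed sample data with fixed timestamps) so that it runs offline. Note the caveat the slide's "Create" wording hides: on Linux and macOS `st_ctime` is the inode change time, not creation time; only on Windows does it hold the creation time.

```python
"""Build a MAC-time timeline (Modify, Access, Change/Create) for a directory tree.

Added example, not from the presentation. Timestamps come from os.lstat;
the sample tree below is constructed inline with fixed modification times
so the output is deterministic.
"""
import os
import tempfile
from datetime import datetime, timezone


def mac_timeline(root):
    """Return [(utc_iso_time, kind, path), ...] sorted oldest event first.

    kind is 'M' (content last modified), 'A' (last accessed) or 'C' (on
    Unix the inode/metadata change time; on Windows st_ctime is creation).
    """
    events = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow symlinks on evidence
            for kind, ts in (("M", st.st_mtime), ("A", st.st_atime), ("C", st.st_ctime)):
                events.append((ts, kind, path))
    events.sort()  # sort on the raw epoch value, then kind, then path
    return [
        (datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(), kind, path)
        for ts, kind, path in events
    ]


def build_sample_tree():
    """Constructed evidence tree: three files with deliberately ordered mtimes."""
    root = tempfile.mkdtemp(prefix="mac-demo-")
    base = 1_600_000_000  # 2020-09-13T12:26:40Z, an arbitrary fixed epoch
    spec = [
        ("docs/report.txt", base),
        ("docs/notes.txt", base + 3600),
        ("tmp/dropped.bin", base + 7200),
    ]
    for rel, ts in spec:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"sample")
        # Set atime and mtime to the chosen epoch. ctime cannot be set from
        # user space, so the 'C' events will carry the time of this call.
        os.utime(path, (ts, ts))
    return root


def modified_order(root):
    """Relative paths in modification order (forward slashes on every OS)."""
    return [
        os.path.relpath(path, root).replace(os.sep, "/")
        for _when, kind, path in mac_timeline(root)
        if kind == "M"
    ]


if __name__ == "__main__":
    root = build_sample_tree()
    for when, kind, path in mac_timeline(root):
        print(when, kind, os.path.relpath(path, root))
```

Run it against a mounted read-only image rather than a live system, since merely reading a file on a live system can update its access time and destroy the very evidence being collected.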

Page 21: Computer Forensics

Types of Digital Forensics

• Code Analysis
– Reverse engineering
– Malicious code review
– Exploit review

Page 22: Computer Forensics

Computer Forensics Tools

• Filter and search software
• Password recovery software
• Data recovery
• Data elimination
• Hashing tools to validate the accuracy of forensic copies
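The "hashing tools" bullet above is the mechanism behind the Preservation step on page 5 (make a forensic copy, then compare the copy with the original): both are hashed with the same algorithm and the digests must be identical, and the result is recorded so the comparison can be repeated later. The script below is an added example written for this page, not a tool from the presentation or its references; it assumes the original and the copy are both readable as ordinary files, and it constructs its own sample files (one faithful copy, one copy with a single altered byte) so it runs offline.

```python
"""Verify a forensic copy against its original by hashing both and logging it.

Added example, not from the presentation. Assumes the original and the
bit-for-bit copy are readable as files; the sample files in demo() are
constructed inline.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read 1 MiB at a time so large images do not fill memory


def hash_file(path, algorithm="sha256"):
    """Return the hex digest of a file, streaming it in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_copy(original, copy, algorithm="sha256"):
    """Hash original and copy; return a record suitable for the case log."""
    orig_digest = hash_file(original, algorithm)
    copy_digest = hash_file(copy, algorithm)
    return {
        "algorithm": algorithm,
        "original": original,
        "copy": copy,
        "original_hash": orig_digest,
        "copy_hash": copy_digest,
        "match": orig_digest == copy_digest,
        "verified_at": datetime.now(timezone.utc).isoformat(),
    }


def write_log_entry(record, log_path):
    """Append the verification result to a plain-text custody log."""
    with open(log_path, "a") as log:
        log.write(
            f"{record['verified_at']} {record['algorithm']} "
            f"original={record['original_hash']} copy={record['copy_hash']} "
            f"match={record['match']}\n"
        )


def demo():
    """Constructed demonstration: one faithful copy and one altered copy."""
    workdir = tempfile.mkdtemp(prefix="forensic-demo-")
    original = os.path.join(workdir, "evidence.bin")
    good_copy = os.path.join(workdir, "evidence.dd")
    bad_copy = os.path.join(workdir, "evidence-altered.dd")
    log_path = os.path.join(workdir, "custody.log")

    payload = bytes(range(256)) * 4096  # 1 MiB of constructed sample data
    with open(original, "wb") as fh:
        fh.write(payload)
    with open(good_copy, "wb") as fh:
        fh.write(payload)
    with open(bad_copy, "wb") as fh:
        fh.write(payload[:-1] + b"\x00")  # last byte changed from 0xff to 0x00

    results = [verify_copy(original, good_copy), verify_copy(original, bad_copy)]
    for record in results:
        write_log_entry(record, log_path)
    return results


if __name__ == "__main__":
    for record in demo():
        print(f"{os.path.basename(record['copy'])}: match={record['match']}")
```

The one-byte change in the altered copy is enough to produce a completely different digest, which is the property that makes a recorded hash usable as proof of integrity in the Rules of Evidence sense (page 8): anyone with the original and the logged digest can repeat the check.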

Page 23: Computer Forensics

Computer Forensics Tools

• Imaging software, e.g. EnCase, SafeBack.

• Data extraction or data mining software

Page 24: Computer Forensics

Example of Crime Solved by Computer Forensics

TYPE OF CRIME: TYPE OF E-EVIDENCE

Murder: Files on computer hard drives and a PDA

Double murder: GPS data from his car and cell phone; Internet history

Terrorism: E-mail, files from his computers

Page 25: Computer Forensics

Example of Crime Solved by Computer Forensics

TYPE OF CRIME: TYPE OF E-EVIDENCE

Serial killer: Deleted files on a pen drive used by the criminal at his computer

Kidnapping: E-mail communication between the victim and criminal; tracing an IP address to a computer at the criminal's home

Snipers: Digital recordings on a device in the suspects' car

Rape: E-evidence of pornography on his computer

Page 26: Computer Forensics

Conclusion

• Several unique opportunities give computer forensics the ability to uncover evidence that would be extremely difficult to find using a manual process

• Computer forensics also has a unique set of challenges that are not found in standard evidence gathering, including the volume of electronic evidence, how it is scattered in numerous locations, and its dynamic content

Page 27: Computer Forensics

References

Books:
1. Computer Forensics For Dummies®
2. Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes
3. Computer Forensics: Computer Crime Scene Investigation

Page 28: Computer Forensics

References

Websites:
1. http://computer-forensics.safemode.org
2. http://www.cybersecurityinstitute.biz/forensics.htm
3. www.forensics-intl.com
4. www.cybersecurityinstitute.biz

Page 29: Computer Forensics

COMPUTER FORENSICS

Questions???

and THANK YOU!!