What is Computer Forensics? (Some definitions) “ The process of identifying, preserving, analyzing...


Transcript of What is Computer Forensics? (Some definitions) “ The process of identifying, preserving, analyzing...

Page 1: What is Computer Forensics? (Some definitions) “ The process of identifying, preserving, analyzing and presenting digital evidence in a manner that is.

What is Computer Forensics? (Some definitions)

“The process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable.” (McKemmish, 1999)

“Gathering and analyzing data in a manner as free from distortion or bias as possible to reconstruct data or what has happened in the past on a system.” (Farmer & Venema, 1999)

Computer forensics is the application of computer investigation and analysis techniques in the interests of determining potential legal evidence.

Forensic Computing, also known as Evidential Computing and even sometimes Data Recovery, is the specialist process of imaging and processing computer data which is reliable enough to be used as evidence in court (http://www.vogon-international.com/index.htm)


What will Computer Forensics do?

Computer forensics pioneers, the innovators of image copying technology, defined the principles of the science of computer forensics and formalized an approved and accepted methodology to COLLECT, ANALYSE and PRESENT suspect data to a Court of Law.

Computer forensics evidence is frequently sought in a wide range of computer crime or misuse, including but not limited to theft of trade secrets, theft of or destruction of intellectual property, and fraud.

Computer forensics specialists draw on an array of methods for discovering data that resides in a computer system.

Experts in forensic computing can frequently recover files that have been deleted, encrypted, or damaged, sometimes from as long as years earlier.

Evidence gathered by computer forensics experts is useful and often necessary during discovery, depositions, and actual litigation.


Some areas of Computer Forensics

Image Capture - The imaging process is fundamental to any computer investigation.

Image Processing - The processing software (Vogon's) consists of two modules, GenX and GenText, running automatically to index and extract text from all areas of the target image.

Investigation - Once the processing has taken place, full searches of all areas of the disk take only seconds.
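Imaging is the step at which evidence is most easily contaminated, so the check a practitioner wants is that the source hashes the same before and after the copy, that the image hashes the same as the source, and that unreadable sectors are documented rather than silently skipped. The Python below is an added example written for this page; it is not code from the slides or from Vogon's GenX/GenText products. The "disk", the examiner name and the case id are constructed, and the ConstructedDevice class stands in for the write-blocked block device (a /dev/sdX) a real acquisition would read.

```python
"""Sector-level acquisition with before/after hash verification and a
chain-of-custody record. Added example on constructed data."""
import hashlib
import io
import json
from datetime import datetime, timezone

SECTOR = 512


class ConstructedDevice:
    """Stand-in for a raw block device behind a write blocker. Sectors listed
    in bad_sectors raise OSError, as a failing disk would, so the error path
    of the imager is exercised."""

    def __init__(self, data: bytes, bad_sectors=()):
        assert len(data) % SECTOR == 0
        self._buf = io.BytesIO(data)
        self.size = len(data)
        self.bad_sectors = set(bad_sectors)

    def read_sector(self, n: int) -> bytes:
        if n in self.bad_sectors:
            raise OSError(f"I/O error reading sector {n}")
        self._buf.seek(n * SECTOR)
        return self._buf.read(SECTOR)


def sha256_device(dev: ConstructedDevice) -> str:
    """Hash the source as the imager sees it: an unreadable sector counts as
    zeros, matching the zero-fill policy of acquire() below."""
    h = hashlib.sha256()
    for n in range(dev.size // SECTOR):
        try:
            h.update(dev.read_sector(n))
        except OSError:
            h.update(b"\x00" * SECTOR)
    return h.hexdigest()


def acquire(dev: ConstructedDevice, examiner: str, case_id: str):
    """Copy every sector into a raw image. A sector that cannot be read is
    zero-filled and logged (the dd conv=noerror,sync behaviour), so offsets in
    the image still line up with the source and the gap is on record."""
    started = datetime.now(timezone.utc).isoformat()
    source_before = sha256_device(dev)
    image = bytearray()
    errors = []
    for n in range(dev.size // SECTOR):
        try:
            chunk = dev.read_sector(n)
        except OSError as exc:
            chunk = b"\x00" * SECTOR
            errors.append({"sector": n, "error": str(exc)})
        image += chunk
    image_hash = hashlib.sha256(image).hexdigest()
    source_after = sha256_device(dev)  # re-read: the source must be unchanged
    record = {
        "case_id": case_id,
        "examiner": examiner,
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
        "source_bytes": dev.size,
        "image_bytes": len(image),
        "source_sha256_before": source_before,
        "source_sha256_after": source_after,
        "image_sha256": image_hash,
        "read_errors": errors,
        # all three hashes must agree for the image to be usable as evidence
        "verified": source_before == source_after == image_hash,
    }
    return bytes(image), record


def verify_image(image: bytes, record: dict) -> bool:
    """Re-hash an image later (before analysis, or by the other side's expert)
    and compare with the custody record."""
    return hashlib.sha256(image).hexdigest() == record["image_sha256"]


# Constructed 8-sector "disk": a recognisable document fragment in sector 2
# and an unreadable sector 5, to show both the normal and the error path.
SAMPLE = bytearray(8 * SECTOR)
NOTE = b"CONTRACT DRAFT v2 - secret"
SAMPLE[2 * SECTOR:2 * SECTOR + len(NOTE)] = NOTE
DEVICE = ConstructedDevice(bytes(SAMPLE), bad_sectors={5})

if __name__ == "__main__":
    img, rec = acquire(DEVICE, examiner="A. Examiner", case_id="CASE-0001")
    print(json.dumps(rec, indent=2))
    print("verify:", verify_image(img, rec))
```

The zero-fill policy and the list of unreadable sectors belong in the report: the "source" hash in the record is the hash of what was readable, not of a physically intact disk. SHA-256 is used throughout; MD5 is still printed on many custody forms alongside it, but should never be the only hash, because chosen-prefix collisions for MD5 are practical.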


Case study of Computer Forensics (what does computer forensics look like?)

Hacker
Human resources
Money on disk
Hidden bits
Disk swap
Tapes rarely lie...
Narcotics
Fraud
Theft
Corporate or University internal investigation
FBI or (unlikely) Sheriff investigation
Computer Security Research
Post Mortem or Damage Assessment
Child Pornography
Espionage & Treason
Corporate or University Policy Violation
…


The broad tests for evidence (from Sherlock Holmes to the current forensic scientist)

authenticity - does the material come from where it purports?

reliability - can the substance of the story the material tells be believed and is it consistent? In the case of computer-derived material, are there reasons for doubting the correct working of the computer?

completeness - is the story that the material purports to tell complete? Are there other stories which the material also tells which might have a bearing on the legal dispute or hearing?

conformity with common law and legislative rules - acceptable levels of freedom from interference and contamination as a result of forensic investigation and other post-event handling


Elements of Computer Forensics

well-defined procedures to address the various tasks

an anticipation of likely criticism of each methodology on the grounds of failure to demonstrate authenticity, reliability, completeness and possible contamination as a result of the forensic investigation

the possibility for repeat tests to be carried out, if necessary by experts hired by the other side

check-lists to support each methodology

an anticipation of any problems in formal legal tests of admissibility

the acceptance that any methods now described would almost certainly be subject to later modification


Four steps of the forensic process

Acquisition

Identification - Technical Analysis

Evaluation - What the Lawyers Do

Presentation


Divergences from conventional forensic investigation

the main reason is the rate of change of computer technology

a key feature of computer forensics is the examination of data media

computer architectures have shown profound change in the same short period

computer peripherals keep on changing as well

wide area telecoms methods are being used more and more

the growth of e-mail

the growth of client / server applications, the software outcome of the more complex hardware architectures

the greater use of EDI and other forms of computer-based orders, bills of lading, payment authorizations, etc.

computer graphics

the greater use of computer-controlled procedures

the methods of writing and developing software have changed also


Computer Forensics Situations

documents - to prove authenticity; alternatively to demonstrate a forgery

reports, computer generated from human input

real evidence - machine readable measurements, etc.

reports, generated from machine readable measurements, etc.

electronic transactions - to prove that a transaction took place, or to demonstrate that a presumption that it had taken place was incorrect

conclusions reached by "search" programs which have searched documents, reports, etc.

event reconstruction - to show a sequence of events or transactions passing through a complex computer system

liability in situations where CAD designs have relied on auto-completion or filling in by a program

conclusions of computer "experts" - the results of expert systems


Some litigations

Civil Matters

Breach of Contract

Asset recovery

Tort, including negligence

Breach of Confidence

Defamation

Breach of securities industry legislation and regulation and / or Companies Acts

Employee disputes

Copyright and other intellectual property disputes

Consumer Protection law obligations (and other examples of no-fault liability)

Data Protection law legislation


Criminal Matters

Theft Acts, including deception

Criminal Damage

Demanding money with menaces

Companies Law, Securities Industry and banking offences

Criminal offences concerned with copyright and intellectual property

Drug offences

Trading standards offences

Official Secrets

Computer Misuse Act offences


Computer Forensics Methods (1)

safe seizure of computer systems and files, to avoid contamination and / or interference

safe collection of data and software

safe and non-contaminating copying of disks and other data media

reviewing and reporting on data media

sourcing and reviewing of back-up and archived files

recovery / reconstruction of deleted files - logical methods

recovery of material from "swap" and "cache" files

recovery of deleted / damaged files - physical methods
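The "physical methods" of recovering deleted files, and the search programs on the later Methods slides, both work on the raw image rather than on the file system: a deleted file's directory entry is gone, but its clusters usually are not, so the examiner looks for the file's own header and footer bytes (carving) or for a keyword anywhere on the disk. The Python below is an added example for this page, not the slides' or Vogon's code. The image is constructed: zero padding stands in for unallocated clusters, and a document fragment, a minimal JPEG and a minimal PNG are placed in it with no directory entries pointing at them.

```python
"""Signature-based file carving and raw keyword search over a disk image.
Added example on a constructed image."""
import hashlib

# (header, footer) byte signatures. A JPEG ends with the EOI marker FF D9; a
# PNG ends with the IEND chunk followed by its fixed CRC AE 42 60 82.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}
# bound the footer search so a lost footer cannot swallow the rest of the disk
MAX_FILE = 10 * 1024 * 1024


def carve_image(image: bytes, signatures=SIGNATURES, max_file=MAX_FILE):
    """Scan for each header; on a hit, look for the matching footer within
    max_file bytes and cut the file out. The file system is ignored entirely,
    which is what makes this work on deleted or damaged data."""
    found = []
    for kind, (head, tail) in signatures.items():
        pos = image.find(head)
        while pos != -1:
            end = image.find(tail, pos + len(head), pos + max_file)
            if end == -1:
                # header without a footer in range: report the hit, never guess a size
                found.append({"type": kind, "offset": pos, "complete": False})
                pos = image.find(head, pos + 1)
                continue
            end += len(tail)
            data = image[pos:end]
            found.append({
                "type": kind, "offset": pos, "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),  # hash each carved object
                "data": data, "complete": True,
            })
            pos = image.find(head, end)
    return sorted(found, key=lambda f: f["offset"])


def search_raw(image: bytes, needle: bytes):
    """Every offset at which needle occurs anywhere on the image, allocated or
    not; the raw form of a full-disk text search."""
    hits, pos = [], image.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = image.find(needle, pos + 1)
    return hits


# Constructed image: padding as unallocated space, a "deleted" document
# fragment, a tiny JPEG and a tiny PNG with no directory entries.
PAD = b"\x00" * 64
DELETED_NOTE = b"CONFIDENTIAL: wire 40000 to account 7731"
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x41" * 40 + b"\xff\xd9"
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 24 + b"IEND\xae\x42\x60\x82"
IMAGE = PAD + DELETED_NOTE + PAD + JPEG + PAD + PNG + PAD

if __name__ == "__main__":
    for f in carve_image(IMAGE):
        print(f["type"], "at", f["offset"], "size", f.get("size"), f.get("sha256"))
    print("keyword hits:", search_raw(IMAGE, b"CONFIDENTIAL"))
```

Two caveats a report should state. Header/footer carving assumes the file is stored contiguously; a fragmented file comes out corrupt, and a real JPEG whose EXIF segment carries an embedded thumbnail contains a second FF D8 / FF D9 pair, so a naive footer search stops at the thumbnail's EOI. Each carved object is hashed and its offset recorded so that the same bytes can be produced again from the verified image.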


Computer Forensics Methods (2)

core-dump: collecting an image of the contents of the active memory of a computer at a particular time

estimating if files have been used to generate forged output

reviewing of single computers for "proper" working during the relevant period, including service logs, fault records, etc.

proving / testing of reports produced by complex client / server applications

reviewing of complex computer systems and networks for "proper" working during the relevant period, including service logs, fault records, etc.

review of system / program documentation for: design methods, testing, audit, revisions, operations management


Computer Forensics Methods (3)

reviewing of applications programs for "proper" working during the relevant period, including service logs, fault records, etc.

identification and examination of audit trails

identification and review of monitoring logs

telecoms call path tracing (PTTs and telecoms utilities companies only)

reviewing of access control services - quality and resilience of facilities (hardware and software, identification / authentication services)

reviewing and assessment of access control services - quality of security management

reviewing and assessment of encryption methods - resilience and implementation


Computer Forensics Methods (4)

setting up of pro-active monitoring in order to detect unauthorised or suspect activity

monitoring of e-mail

use of special "alarm" or "trace" programs

use of "honey pots"

inter-action with third parties, e.g. suppliers, emergency response teams, law enforcement agencies

reviewing and assessment of measuring devices, etc. and other sources of real evidence, including service logs, fault records, etc.

use of routine search programs to examine the contents of a file

use of purpose-written search programs to examine the contents of a file


Computer Forensics Methods (5)

reconciliation of multi-source files

examination of telecoms devices, location of associated activity logs and other records perhaps held by third parties

event reconstruction

complex computer intrusion

complex fraud

system failure

disaster affecting computer driven machinery or process

review of "expert" or rule-based systems

reverse compilation of suspect code

use of computer programs which purport to provide simulations or animations of events: review of accuracy, reliability and quality
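Event reconstruction and the reconciliation of multi-source files (and the audit-trail and monitoring-log review on the earlier Methods slide) come down to the same job: records from different systems, written in different formats, time zones and clocks, have to be placed on one timeline, and every assumption made to do so has to be recorded, because the other side's expert will test it. The Python below is an added example written for this page, not code from the slides. The three log lines are constructed; the year and time zone assumed for the syslog host are labelled as assumptions, since syslog carries neither and both have to be established from the host itself.

```python
"""Reconciling three log sources into one UTC timeline. Added example on
constructed log lines."""
import re
from datetime import datetime, timezone

# ASSUMPTION (must be established from the host and recorded in the report):
# the syslog host wrote UTC and the lines are from 2023. Syslog lines carry
# neither a year nor an offset.
SYSLOG_YEAR = 2023
SYSLOG_TZ = timezone.utc

APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)$')
SYSLOG_RE = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}:\d{2}:\d{2}) (\S+) (.*)$")
EVENT_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z (.*)$")


def parse_apache(line):
    m = APACHE_RE.match(line)
    if not m:
        return None
    # the UTC offset is in the line itself, so no assumption is needed here
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return {"utc": ts.astimezone(timezone.utc), "source": "apache",
            "actor": m.group(1), "event": f"{m.group(3)} -> {m.group(4)}"}


def parse_syslog(line):
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{SYSLOG_YEAR} {m.group(1)} {m.group(2)} {m.group(3)}",
                           "%Y %b %d %H:%M:%S").replace(tzinfo=SYSLOG_TZ)
    return {"utc": ts.astimezone(timezone.utc), "source": "syslog",
            "actor": m.group(4), "event": m.group(5)}


def parse_event(line):
    m = EVENT_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1)).replace(tzinfo=timezone.utc)
    return {"utc": ts, "source": "eventlog", "actor": "host", "event": m.group(2)}


PARSERS = {"apache": parse_apache, "syslog": parse_syslog, "eventlog": parse_event}


def build_timeline(sources):
    """sources: {name: [lines]}. Returns (records sorted by UTC, unparsed lines).
    Lines that do not parse are kept and reported, not dropped: a record that
    silently disappears is a completeness problem when the timeline is
    challenged."""
    timeline, unparsed = [], []
    for name, lines in sources.items():
        for line in lines:
            rec = PARSERS[name](line)
            if rec is None:
                unparsed.append((name, line))
            else:
                timeline.append(rec)
    timeline.sort(key=lambda r: r["utc"])
    return timeline, unparsed


# Constructed sample lines: the web server logged in UTC-5, the others in UTC.
SAMPLE_LOGS = {
    "apache": [
        '10.0.0.7 - - [14/Mar/2023:09:12:03 -0500] "GET /admin/export HTTP/1.1" 200 8123',
        "garbage line that will not parse",
    ],
    "syslog": [
        "Mar 14 14:11:58 gateway sshd[2211]: Accepted password for svc_backup from 10.0.0.7 port 51234 ssh2",
    ],
    "eventlog": [
        "2023-03-14T14:12:40Z 4663 user=svc_backup object=C:\\Finance\\Q1.xlsx access=ReadData",
    ],
}

if __name__ == "__main__":
    tl, bad = build_timeline(SAMPLE_LOGS)
    for r in tl:
        print(r["utc"].isoformat(), r["source"], r["actor"], r["event"])
    print("unparsed:", bad)
```

Once normalised, the web request at 09:12:03 local time falls five seconds after the SSH login recorded in UTC, which is only visible after the offset is applied. Clock skew between hosts is a further assumption to test, for instance by finding one event both hosts recorded and measuring the difference, and it belongs in the report alongside the time zone and year assumptions above.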