
Computer Forensics


Submitted By avishekctg
Background of Computer forensics:
What is most worth remembering is that computer forensics is only one of many forensic subdivisions. It is not new and it is not a revolution. Computer forensics uses the same scientific methods as the other forensic subdivisions, so it is not a revolution in forensic science but simply an evolution of crime techniques and ideas.

Forensic origins:

The word forensic comes from a Latin root which generally means forum or public discussion. In the reign of the Romans, anyone charged with a crime was presented before an assembly of the public. Both the complainant and the defendant presented their sides through their own speeches, and the one who explained his side with the more fervent delivery and argumentation typically won the case.
It is important to realize that computer forensics is only one subdivision of forensic science. It is digital and it draws on the most advanced computer science, but it is still only a branch of forensic science, and its main goal is the application of proven scientific methods and strategies to recover any significant digital traces.

Computer Forensic Timeline:

1970s
• First criminal cases involving computers, mainly financial fraud
1980s
• Financial investigators and courts realize that in some cases all the records and evidence exist only on computers
• Norton Utilities "Un-erase" tool created
• Association of Certified Fraud Examiners begins to seek training in what became computer forensics
• SEARCH High Tech Crimes training created
• Regular classes begin to be taught to federal agents in California and at FLETC in Georgia
• HTCIA formed in Southern California
1984
• FBI Magnetic Media Program created; it later became the Computer Analysis and Response Team (CART)
1987
• AccessData, a cyber forensics company, formed
1988
• Creation of IACIS, the International Association of Computer Investigative Specialists
• First Seized Computer Evidence Recovery Specialists (SCERS) classes held
1993
• First International Conference on Computer Evidence held
1995
• International Organization on Computer Evidence (IOCE) formed
1997
• The G8 countries in Moscow declare that "Law enforcement personnel must be trained and equipped to address high-tech crimes"
1998
• In March the G8 appoints IICE to create international principles, guidelines and procedures relating to digital evidence
• INTERPOL Forensic Science Symposium
1999
• FBI CART case load exceeds 2000 cases, examining 17 terabytes of data
2000
• First FBI Regional Computer Forensic Laboratory established
2003
• FBI CART case load exceeds 6500 cases, examining 782 terabytes of data

Technical definition of Computer forensics:
Computer forensics (sometimes known as computer forensic science) is a branch of digital forensic science pertaining to legal evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the information.
Although it is most often associated with the investigation of a wide variety of computer crime, computer forensics may also be used in civil proceedings. The discipline involves similar techniques and principles to data recovery, but with additional guidelines and practices designed to create a legal audit trail.
Evidence from computer forensics investigations is usually subjected to the same guidelines and practices of other digital evidence. It has been used in a number of high profile cases and is becoming widely accepted as reliable within US and European court systems.

Why Computer Forensics?

Computer forensic techniques provide a methodical and systematic approach to gathering information on computer systems and networks. Such information may be cryptic and hidden, and would otherwise be extremely hard to obtain through normal, routine access to computer resources.

Normally a computer system or network to which forensic techniques are applied hides data or garbles it through encryption, steganography or other technical means. The process of first analyzing the system, gathering the important data fragments present on it, and interpreting them with particular mechanisms and tools is what is called computer forensics. Let us look at the techniques used in computer forensics:

Computer forensics tools, versions and descriptions:
|Name |Platform |License |Version |Description |
|SANS Investigative Forensics Toolkit (SIFT) |Ubuntu | |2.1 |Multi-purpose forensic operating system |
|WindowsSCOPE |Windows |Commercial |1.0 |Memory forensics and live analysis, cyber security; includes hardware-based capture |
|EnCase |Windows |Commercial |6.18 |Multi-purpose forensic tool |
|FTK |Windows |Commercial |3.2 |Multi-purpose tool, commonly used to index acquired media |
|Digital Forensics Framework |Windows / Linux / MacOS |GPL |1.1 |DFF is both a digital investigation tool and a development platform |
|PTK Forensics |LAMP |Free/commercial |2.0 |GUI for The Sleuth Kit |
|The Coroner's Toolkit |Unix-like |IBM Public License |1.19 |A suite of programs for Unix analysis |
|COFEE |Windows |Proprietary |n/a |A suite of tools for Windows developed by Microsoft, only available to law enforcement |
|The Sleuth Kit |Unix-like / Windows |IPL, CPL, GPL |3.1.1 |A library of tools for both Unix and Windows |
|Categoriser 4 Pictures |Windows |Free |4.0.2 |Image categorisation tool, available to law enforcement |
|Paraben P2 Commander |Windows |Commercial |n/a |General purpose forensic tool |
|Open Computer Forensics Architecture |Linux |LGPL/GPL |2.3.0 |Computer forensics framework for a CF-Lab environment |
|Safe Back |n/a |Commercial |3.0 |Digital media (evidence) acquisition and backup |
|Windows To Go |n/a |Commercial |n/a |Bootable operating system |
|Forensic Assistant |Windows |Commercial |1.2 |User activity analyzer (e-mail, IM, documents, browsers), plus a set of forensic tools |
|Peer Lab |Windows |Commercial |1.13 |File sharing and instant messaging analyzer |
|OS Forensics |Windows |Free/commercial |0.99f |General purpose forensic tool for e-mail, files, images and browsers |
|X-Ways Forensics |Windows |Commercial |16.1 |General purpose forensic tool based on the WinHex hex editor |
|bulk extractor |Windows, Linux |Public Domain |1.1 |Stream-based forensic feature extraction of e-mail addresses, phone numbers, URLs and other identified objects |

Application of computer forensics:

Computer forensics is a field of study concerned with the digital extraction and analysis of latent information. While a relatively new science, computer forensics has gained a reputation for being able to uncover evidence that would not have been recoverable otherwise, such as emails, text messages and document access. The application of computer forensics is given below.

Criminal cases:

Computer forensics is popularly applied in criminal cases. Computer forensics analysis may provide evidence that a crime has been committed, whether that crime involved computers directly or not. Evidence may be in the form of a document, an email, an instant message, a chat room or a photograph. This is seen frequently in narcotics cases, stalking, sexual harassment, sexual exploitation, extortion, kidnapping and even murder cases.

Domestic cases:

Computer forensics also frequently plays a role in domestic cases and is generally centered on proof of infidelity. Examples include recovered emails, chat room transcripts, instant messaging and photographs.

Security incidents:

The Center for Computer Forensics reports that 92% of all business documents and records are stored digitally and that although hackers are commonly seen as a threat to security, in reality greater risks are found within a company. Examples include theft of intellectual property (such as customer lists, new designs, company financials or trade secrets) and embezzlement. The fact is that if a person is alone with a computer for less than five minutes, it is enough time to copy a hard drive on a removable storage device.

Internal

There are many applications of computer forensics that exist within companies to monitor computer usage. While what is being monitored may not be illegal itself, it is tracked because doing so is "illegal" within the confines of the company. For example, many companies have "acceptable use policies," meaning policies prohibiting personal use of the computers. Common examples of acceptable use violations include online shopping, Internet surfing, online gambling, personal emails and instant messaging or chats.

Marketing purposes:

Computer forensics is also applicable in marketing. Examples of this can be seen on Amazon.com when recommendations are provided or “Just for you” from the iTunes Store. When a person visits a website, a memory of that website is placed in the computer's memory. Each site has different meta-tags embedded in it; meta-tags are one or two word descriptions of the site content. The advertisements that person experiences are tailored to the meta-tags of the sites visited, similar to a target demographic.

Basic Computer Forensic Techniques:

The basic computer forensic techniques can be divided into two parts:

Computer Networks:

For computer networks, the following forensic techniques are most commonly used:

• Packet Sniffing
Sniffing, in everyday language, means sensing something, and here it has the same meaning. Data flows through network lines just like oxygen through air; pulling critical data packets out of these networks is called packet sniffing.

• IP Address Tracing
Internet Protocol address tracing means tracing an IP address right down to its real-world address. IP address tracing involves reverse address lookup, which means counting the number of servers that lie between source and destination.

• Email Address Tracing
Sometimes it is important to know where an email came from. This can be achieved by analyzing the email headers: they include the IP address of the source machine, which can be used for an IP trace.
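As an added example (not part of the original essay), the header analysis described above in Python: it reads the Received: chain of a constructed sample message, lists the hops in chronological order, picks the earliest routable IP as the lead, and keeps only the hops written by servers under the investigator's control, since every header below those can have been forged by the sender. All host names and addresses are constructed sample values.

```python
import email
import ipaddress
import re

# Constructed sample (not from the essay): a message that passed through
# three servers. Each server prepends its own Received: line, so the top
# line is the last hop and the bottom line is the hop nearest the sender.
SAMPLE_RAW = (
    "Received: from mx1.example.org (mx1.example.org [203.0.113.5])\n"
    "\tby mail.example.com (Postfix) with ESMTPS id 123ABC\n"
    "\tfor <victim@example.com>; Mon, 3 Jun 2013 10:15:02 +0000\n"
    "Received: from relay.example.org (relay.example.org [198.51.100.77])\n"
    "\tby mx1.example.org with ESMTP id 456DEF;\n"
    "\tMon, 3 Jun 2013 10:14:58 +0000\n"
    "Received: from user-pc (unknown [10.0.0.23])\n"
    "\tby relay.example.org with ESMTPA id 789GHI;\n"
    "\tMon, 3 Jun 2013 10:14:50 +0000\n"
    "From: someone@example.org\n"
    "To: victim@example.com\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# Address ranges that cannot be traced across the Internet (RFC 1918,
# loopback, link-local and their IPv6 counterparts).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def received_chain(raw_message):
    """Return the Received: hops in chronological order (sender first).

    Each hop records the claimed 'from' host, the IP address the receiving
    server wrote in square brackets (None if absent) and the 'by' server.
    """
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received") or []):  # bottom = earliest
        text = " ".join(value.split())  # unfold continuation lines
        from_m = re.search(r"\bfrom\s+(\S+)", text)
        by_m = re.search(r"\bby\s+(\S+)", text)
        ip_m = re.search(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]", text)
        hops.append({
            "from": from_m.group(1) if from_m else None,
            "ip": ip_m.group(1) if ip_m else None,
            "by": by_m.group(1) if by_m else None,
        })
    return hops


def is_routable(ip_text):
    """True if the address is a public one worth looking up; malformed or
    internal addresses (e.g. a client behind the sender's relay) are not."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(addr in net for net in NON_ROUTABLE)


def originating_ip(raw_message):
    """Earliest routable IP in the chain: the best lead for the sender's
    network, though it is only as honest as the server that recorded it."""
    for hop in received_chain(raw_message):
        if hop["ip"] and is_routable(hop["ip"]):
            return hop["ip"]
    return None


def trusted_hops(hops, own_servers):
    """Only Received: lines written by servers you control are reliable; a
    sender can submit any headers it likes below them. Keep the hops that
    were recorded 'by' one of own_servers."""
    return [h for h in hops if h["by"] in own_servers]


if __name__ == "__main__":
    chain = received_chain(SAMPLE_RAW)
    for hop in chain:
        print(f"{hop['from']} [{hop['ip']}] -> {hop['by']}")
    print("lead:", originating_ip(SAMPLE_RAW))
    print("reliable:", trusted_hops(chain, {"mail.example.com"}))
```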

For Computer Systems:

• File Structure
For a physical computer system, the file structure is analyzed and a search is made for suspicious files scattered throughout the system. Some of these files may be encrypted, garbled or hashed with some algorithm. Such files are then processed and decrypted to gather digital evidence.

• Storage Media
Storage media might take the form of fixed or removable disks. These disks might have been erased (formatted), and it can then seem almost impossible to recover data from them. However, with the help of advanced utilities and data recovery tools this is possible. Recovered data is not necessarily in usable form, so whatever data fragments are gathered are put together to form solid digital evidence.

• Steganography
Steganography is the art of hiding information inside images, sounds or other files rather than in their usual format. A piece of data hidden in an image or sound file is extremely difficult to detect, and this can lead to wide propagation of the material through the Internet or other media. Steganalysis and decryption techniques are applied to get the data back into its original form.

• Prints
Prints are printouts produced by a computer printer. Many computer forensic experts forget to pay attention to these printouts. Some are produced so that, at first glance, their content is not visible to the naked eye: they are either too small to read, garbled, or encrypted for deception. So when evaluating and gathering digital evidence, analyzing printouts is a very important aspect and should not be neglected or handled carelessly.
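An added example (not the essay's own material) of the storage-media recovery described above: signature-based carving of JPEG files from a constructed raw image, with a SHA-256 recorded for the image and for each carved object so the integrity of the acquired data can be verified later. The sample bytes and file markers are constructed; a real carver would add many more signatures and tighter size limits.

```python
import hashlib

JPEG_SOI = b"\xff\xd8\xff"  # start-of-image marker plus the next marker prefix
JPEG_EOI = b"\xff\xd9"      # end-of-image marker

# Constructed artifacts (not from the essay): a tiny complete JPEG-like
# blob, and one cut off before its EOI marker, as happens when the tail
# sectors of a deleted file have already been reused.
JPEG_COMPLETE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"<image-A>" + JPEG_EOI
JPEG_TRUNCATED = b"\xff\xd8\xff\xdb\x00\x43" + b"<quant-table-B>"


def build_sample_image():
    """Constructed raw 'disk image': unallocated filler around the two
    artifacts. The filler contains no 0xFF bytes, so the expected offsets
    are exact: the complete file sits at offset 512."""
    filler = b"\x00" * 512
    return filler + JPEG_COMPLETE + b"\x41" * 300 + JPEG_TRUNCATED + filler


def sha256_hex(data):
    """Hash used to fingerprint the image at acquisition and each carved object."""
    return hashlib.sha256(data).hexdigest()


def carve_jpegs(image, max_size=1 << 20):
    """Signature-based carving: every SOI marker starts a candidate, which
    ends at the next EOI marker. A candidate with no EOI before the end of
    the image (or within max_size bytes) is reported as incomplete rather
    than dropped, because a partial file can still have evidential value."""
    results = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start == -1:
            break
        window = image[start:start + max_size]
        end = window.find(JPEG_EOI, len(JPEG_SOI))
        if end == -1:
            data, complete = window, False
        else:
            data, complete = window[:end + len(JPEG_EOI)], True
        results.append({
            "offset": start,
            "size": len(data),
            "complete": complete,
            "sha256": sha256_hex(data),
            "data": data,
        })
        pos = start + len(data)
    return results


def verify_integrity(image, recorded_hash):
    """Re-hash the image and compare with the hash recorded at acquisition;
    any mismatch means the evidence copy can no longer be relied on."""
    return sha256_hex(image) == recorded_hash


if __name__ == "__main__":
    image = build_sample_image()
    acquisition_hash = sha256_hex(image)
    for item in carve_jpegs(image):
        print(item["offset"], item["size"], item["complete"], item["sha256"])
    print("image unchanged:", verify_integrity(image, acquisition_hash))
```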

Tools of the Trade:

Some of the most common tools of the trade used in computer forensics are:
• Hex Editors
• Disassemblers
• Disk Analyzers
• Descriptors
• Packet Sniffers
• DNS Tools

Computer forensic science is a field gaining heavy momentum across the world due to the rise in cyber crime, and it will continue to grow at a tremendous pace in the coming decade.

Future Prospects of Computer Forensics:
1: Hardware - The size of storage media and memory, and the speed of processors.
We can expect that in upcoming years, computers will come standard with 5TB or more of storage and that portable media like flash drives will carry something like 250GB of data - what the average hard drive was holding one or two years ago. After some years, computers will probably be 7 or 8 times faster. So these things will hold lots and lots more data and people will fill them up with lots & lots more data. Therefore, each computer forensics job will require sorting through and analyzing many times more data than today.
2: Computer Forensic Tools - The capabilities, automated nature and cost of computer forensic tools.
We can expect that in upcoming years, computer forensic tools will be about 5 times as fast, and twice as sophisticated. That means that even with all the additional data, the average, non-automated job will take about the same effort as it does now.
However, a lot of automated tools for collection and initial processing are starting to be released. These tools can be used by less-trained people, so it may be that data collection and preliminary processing will be faster due to automation.
We expect that the cost of computer forensic tools will not go down in relative terms. However, more Open Source forensic tools will be available for free for those willing to learn to use them.
3: Bad guys - Anti-forensics tools & schemes, sophistication of hackers
There's always a race between how harmful software and cyber-marauders can be and the defenses against them. There is also software constantly being developed to stump investigation by erasing or scrambling traces of wrongdoing. This trend will continue to accelerate and there will continue to be an uneasy balance between the two sides, with lots of collateral damage. In most cases, people will continue to forget to hide or cover all of their tracks and there will still usually be evidence to find.

BUSINESS VALUE OF COMPUTER FORENSICS:

Over recent years, computers have penetrated almost every area of business and personal life. Its resources for organizations are available 24 hours a day and enable electronic business activities between clients, other organizations or state administration during which important data is exchanged. A negative consequence for such development in technology and society is the increasing number of mobile devices, portable and desktop computers and servers from which information may leak, or which may even be used for criminal activities - whether done by malicious employees of the organization or other malicious individuals. Thus it is important that all those who manage or administer information systems and networks be familiar with the protocols foreseen in case of security incidents together with the principles of computer forensics.

Here we explain the requirements for the implementation of computer forensics in a business environment in an efficient and legal way.

Keywords: security incidents, computer safety, data collection and analysis, security policies, legal framework

1. Security incidents

The protection of vital IT resources requires not only the implementation of cautionary measures and security policies aimed at their protection but also the possibility of a quick and efficient reaction, should such security incidents occur. However, it is not easy to respond to security incidents. The appropriate answer to the security incident requires technical knowledge as well as communication and coordination between the staff responsible for intervention. Within organizations, often the system and network administrators are the first to face such an incident and are also the first responders, so it is essential that they know the basic areas of computer forensics and the procedures they have to take care of during interventions on the compromised computer system or network.

To respond adequately to incidents, it is first necessary to be able to recognize them. The following text lists and explains the security incidents for which the correct response is to use computer forensics methods.

• Attack by malicious programs

Malicious programs are viruses, Trojan horses, worms and scripts by which malicious users gain access to the organization's computers or networks, take possession of authorized users' passwords, or change log files to hide unauthorized activity. Malicious programs that are programmed to hide their presence create great problems, as their presence on the computer is very hard to discover. Besides this, malicious programs such as viruses or worms can multiply in great numbers, so stopping their spread is quite a challenging job.

• Unauthorized access:

Unauthorized access covers a set of security incidents, ranging from an irregular user log-in to the system itself (a malicious user logging in with the username and password of an organization employee) to a malicious user accessing files and directories on local or network disks with elevated (administrator) privileges. Example: capturing the passwords of authorized users as they are transferred over the network, and using them for further malicious activities.

• Malicious use of the service:

Taking possession of information within the organization can be achieved by abusing the servers and programs that provide a service, using the security flaws within them. Examples are the abuse of web or FTP server services: by taking control, the malicious user can place inappropriate content on the server and use it for further distribution.

• Inappropriate usage of information resources:

It can be said that the inappropriate usage of information resources is using the information resource for purposes not determined by security policies, such as using the official computer for saving inappropriate (e.g. pirate) software.

• Spying:

Confidential information of organizations and state administration bodies can be of great value to other organizations and governments, so intrusion into information systems for the purpose of spying and stealing information is a serious security incident.

• Hoaxes:

Hoaxes refer to the spreading of false information regarding the presence of security errors in programs. Users are misled by false information and alerted to particular false threats and on occasion are also asked to delete important programs on the computer they are working on, thus causing damage.

2. Organizational policies, security and computer forensics:

Implementing adequate tools and security policies, and enabling computer forensics when necessary, helps organizations to preserve the integrity and sustainability of their infrastructure. It is important that each organization consider computer forensics a new basic element of the so-called "defense in depth" strategy for securing its computers and network infrastructure. The framework of organizational structures shown in the accompanying figure enables investigations to be undertaken more rapidly in the case of security incidents and yields higher quality electronic evidence. During these procedures employees are subject to multiple authorities and must respect, as well as the law, all organizational and security policies established on the basis of the organization's mission and objectives, which in turn must be reconciled with legal regulations.

The wider definition of the aim of computer security is to ensure that the system functions as defined by the security policies. The purpose of computer forensics is to discover and explain how a particular security policy has been breached.

Policies in the implementation of computer systems security and forensics:

There is a specific overlap between the data that is necessary for computer systems security and that which can be used for computer forensics. Many security measures, if implemented completely, facilitate computer forensics: Event logs, computer systems access logs, error logs, traces of attempts to access computers, etc. are just some of these. Countermeasures for unauthorized access to the computer, such as smart cards for access to the computer itself, security policies for the complexity of passwords or a limited number of unsuccessful logins, together with the policy of registering the unsuccessful login, leave traces for further analysis.

Nevertheless, in practice only minimal recording measures are used, because of the influence they could have on system performance. Event log files are configured with fixed sizes in order to avoid filling up the disk, and the recording logic is such that old entries are overwritten by new ones, so data needed for a forensic investigation is lost. Numerous security countermeasures are based on cleaning the computer system of data that is unnecessary for normal operation, such as deleting the history of web pages viewed and temporary files. Procedures for accelerating system performance can also delete forensic data. One of these is disk defragmentation, by which data on the disk is reorganized and disk content is overwritten in places where incompletely deleted files may be situated. Antivirus programs performing automatic virus cleaning may also affect data, so it is important that all automatic activities are recorded in event log files and that, when viruses are found, they are not deleted but placed, for example, in quarantine.

Managing security risks and estimating security threats are generally effective in protecting the computer system. However, as the majority of organizations are focused on prevention and system performance rather than on enabling procedures of computer forensics, it is more than obvious that due to this, data collected in the case of security incidents will be either incomplete or there will be no collected data.

Therefore, it is necessary to determine policies within the organization by which the system will work optimally and all security policies needed for the implementation of computer forensic procedures in cases of security incidents will be implemented.

3. Important legal frameworks necessary for computer forensics:

Nowadays people are more and more conscious of protecting their privacy. However, the protection of privacy and the resolving of security incidents or computer crimes are two almost conflicting activities. Law enforcement agencies need access to as much of the data stored in electronic form as possible, such as Internet banking records, lists of telephone calls, electronic mail, Internet connections, etc., whilst citizens are concerned about the abuse of their private data and privacy. So one part of the law takes care of the protection of privacy and private data, whilst the other part consists of laws punishing computer criminals and determining punishments for those who provoke security incidents.

[Figure: elements of the organizational framework: Applicable law and regulations; Organizational policy; Computer security policy; Computer security enforcement; Users; Organizational mission and objectives; Company operations]

• Private data and privacy protection laws

There is a private data and privacy protection law that "regulates the protection of private data of physical persons as well as the supervision of collecting, processing and using this personal data". But what is not defined is a privacy protection law which would determine which personal information may be collected. It is very possible that the aforementioned law has no influence on data collection during computer forensics procedures carried out on the basis of a court order, but it may influence organizational security policies, particularly where these involve recording users' activities, which would thus acquire a level of privacy.

Limitations of Computer Forensics:

The major limitations of computer forensics are given below:

1. Maintaining the secrecy of the data or information:
It is the duty of the computer forensics expert to maintain high standards, keep in mind the sensitivity of the case, and maintain the privacy and secrecy of the data or information in the client's interest. But in some circumstances it becomes almost impossible for the computer forensics professional to maintain the secrecy of the data or information. This may happen if the information is necessary to prove the crime and must be produced as evidence in a court of law.

2. Sensitive data or information can be lost in order to find the evidence:
There are other disadvantages as well. It is possible that some sensitive data or information that is important to the client may be lost in the course of finding the evidence. The forensics professional must take care that the data, information or possible evidence is not destroyed, damaged or otherwise compromised by the procedures used to investigate a computer system.

3. Physical damage to computer hardware, or software attack by a virus:
There is also the chance that malicious programs are introduced into the computer system and corrupt the data at a later stage. During the analysis process care should be taken that no computer virus is released into or introduced to the computer system. It is also possible for the hardware of the computer system to be physically damaged.
The evidence that is physically extracted, and the relevant evidence, should be properly handled and protected from later damage, which may be either mechanical or electromagnetic in nature. The integrity of the acquired data and information should be preserved. Custody of the data acquired as evidence is the responsibility of the computer forensics team.

4. Effects on business operations:
While the case is being resolved, it may be required that the data or information be held by the court. In some cases it is also possible that the data is in dispute and neither of the disputing parties can use it. For this reason business operations may also be affected. The duty of the computer forensics expert is to ensure that justice is delivered as fast as possible so that the inconvenience and subsequent loss to the organization can be avoided.
It is also important that the information acquired during the forensic examination is treated ethically and legally. Moreover, despite some of the limitations of computer forensics, the subject is still perceived. The advantages and benefits of the subject have wide applications in various situations. Measures should be taken, and care on the part of the professional employed for computer forensics is a must, to avoid any subsequent damage to the computer system.

Conclusion:

Computer forensics has been present for some time as a computer discipline but lately it has become more specialized and an accepted technique for providing a response to security incidents. Evidence collected in this way is also valid in court.

Computer forensic procedures are well known and defined and should be adhered to when responding to security incidents. It is particularly important to collect data from the compromised computer with as little intervention as possible, but it is also necessary to take care over the verification of collected data, even more so if it is to be presented in court. The quality of collected data will also depend on the organizational and security policies of an organization as well as its computer security measures. While some of these measures are helpful, others run against the rules of computer forensics, so it is necessary to find the most favorable midpoint between computer security measures, system performance and protecting data important for computer forensics.

In order to punish malicious users discovered by computer forensics measures, a legal regulation has to exist. Croatia has foreseen in its Criminal law punishment for all those who provoke security incidents and, on the basis of these laws, compensation for committed damages can be applied for.

Although more care is being taken with computer security, undoubtedly computer forensics will be increasingly necessary, as every day faster development of new technologies and a growing number of networked organizations increase the risk of computers, information and information systems being abused.



Words: 2742 - Pages: 11

Premium Essay

Computer Forensic Analysis and Repor

...Computer Forensic Analysis and Report Nathaniel B. Rollins Jr Kaplan University Computer Forensics I/CF101 Prof: Tatyana Zidarov November 19, 2012 Computer Forensic Analysis and Report A. INTODUCTION I Nathaniel B. Rollins a Computer Forensic Specialist (CFS) with the Metro Police Department (MPD) received a file image from Officer X to conduct a search for electronic evidence. Which he stated was copied from the SNEEKIE BADINUF (COMPLAINANT) computer, with consent. This was verified through COMPLAINANT statement, repot, consent to search form, and chain of custody, provided by Officer X, along with the request for analyzing the evidence. Upon reviewing of her statement filed on May 14 2006, the COMPLAINANT stated she had received an email from a correspondent named NFarious that demanded $5000 in ransom, or the animals would be harmed. The COMPLAINANT also stated her pets had been gone for an entire week, and she was worried that the abductor may already have injured the animals. During a subsequent interview the COMPLAINANT stated that she took out a $20,000 insurance policy on her pets in September 2005 that would not be active for 6 month. The purpose of this investigation is to confer or negate the COMPLAINTANTS involvement with the kidnaping of the animals. B. MATERIALS AVAILABLE FOR REVIEW a. 1 Chain of Custody b. Evidence Log c. Complainants Statement d. Officers Report e. Forensic Disk Image of Computer f. Photos (location...

Words: 1176 - Pages: 5

Premium Essay

Assignment 4 Computer Forensics Tools

...Assignment 4 Computer Forensic Tools Derek Jackson Computer Crime Investigation Professor: Dr. Jessica Chisholm 03/06/2016 When purchasing computer forensics tools and resources for a company, you always want to make sure you are doing the necessary research and determining which of these programs are the best options for the company. This is very important job in any company as you are in charge of not only protecting the company’s data with these tools, but also recovering any information that may have been lost or deleted. There are many programs that are available that can be used to recover deleted files. Two of the programs that you could use are the MiniTool Partition Recovery and PC Inspector File Recovery. The MiniTool Partition Recovery is a free program that has a wizard-based interface which makes it very easy and straightforward to use and understand. You can point the MiniTool Partition Recovery at the problem drive, specify the area to be searched, and it will scan for the missing partition. Then a report will generate that will let you know what the program has found, and you can then recover that partition in a few seconds typically. The only downfall is that you won’t get a bootable recovery disk, so if the partition is damaged then the MiniTool Recovery program won’t be able to recover the deleted partition. The PC Inspector File Recovery allows you to be able to recover a full set of missing files on both FAT and NTFS drives. They are clearly...

Words: 1005 - Pages: 5

Free Essay

Computer Intrusion Forensics

...Computer Intrusion Forensics Research Paper Nathan Balon Ronald Stovall Thomas Scaria CIS 544 Abstract The need for computer intrusion forensics arises from the alarming increase in the number of computer crimes that are committed annually. After a computer system has been breached and an intrusion has been detected, there is a need for a computer forensics investigation to follow. Computer forensics is used to bring to justice, those responsible for conducting attacks on computer systems throughout the world. Because of this the law must be follow precisely when conducting a forensics investigation. It is not enough to simple know an attacker is responsible for the crime, the forensics investigation must be carried out in a precise manner that will produce evidence that is amicable in a court room. For computer intrusion forensics many methodologies have been designed to be used when conducting an investigation. A computer forensics investigator also needs certain skills to conduct the investigation. Along with this, the computer forensics investigator must be equipped with an array of software tools. With the birth of the Internet and networks, the computer intrusion has never been as significant as it is now. There are different preventive measures available, such as access control and authentication, to attempt to prevent intruders. Intrusion detection systems (IDS) are developed to detect an intrusion as it occurs, and to execute countermeasures when detected...

Words: 9608 - Pages: 39

Free Essay

Computer Forensics Analysis Project

...Computer Forensics I (FOR 240-81A) Project #3 Case Background The Suni Munshani v. Signal Lake Venture Fund II, LP, et al suit is about email tampering, perjury, and fraud. On December 18, 2000, Suni Munshani (Plaintiff) filed a suit against Signal Lake Venture Fund. Mr. Munshani claimed that he was entitled to warrants in excess of $25 million dollars from Signal Lake. In February 2001, Signal Lake Venture Fund II, LP, et al. (Defendant) became privy to the court filings in this case. Within the filings there was an email provided by Mr. Munshani from Hemant Trivedi, CEO of one of the portfolio companies, stating he was indeed entitled to the warrants. Mr. Trivedi denied any knowledge of the email, or any such communication with Mr. Munshani. In an effort to prove their innocence, Signal Lake hired a computer forensic group to conduct a private investigation. The investigation did not show any evidence of the supposed email provided to the court by Mr. Munshani. Mr. Trivedi filed an affidavit stating that the email was forged, while Mr. Munshani filed an affidavit stating the email was real. In March 2001, a computer forensics expert, Kenneth R. Shear, was appointed by the court to perform a forensic examination on the questioned message (the message provided by Mr. Munshani) and the comparative message (a second message from Mr. Trivedi found on Mr. Munshani’s computer). Mr. Shear worked for a company called Electronic Evidence Discovery, Inc. (EED). Mr. Shear’s forensic...

Words: 799 - Pages: 4

Premium Essay

Essay On Computer Forensics

...Abstract: Rising era of computer and other technologies as internet and gadgets, explosively increase in number of cybercrime or other crimes using technologies. The growth of computer forensic has taken as huge success to control those crimes which are committed using computers. The main task of computer forensic is to examining and collecting electronic data as evidence from a crime scene. The work of computer forensic is to recover the data which has been hacked or lost by the criminals using different system. The growing dependency on computer forensic has decreased the cybercrime and professionals have to understand the computer technology that is used in computer forensic. Introduction Forensic roots from a Latin word, “forensic” which...

Words: 870 - Pages: 4

Premium Essay

Computer Forensics Operational Manual

...COMPUTER FORENSICS OPERATIONAL MANUAL 1. Policy Name: Imaging Removable Hard Drives 2. Policy Number/Version: 1.0 3. Subject: Imaging and analysis of removable evidence hard drives. 4. Purpose: Document the procedure for imaging and analyzing different types of evidence hard drives removed from desktop or laptop computers. 5. Document Control:Approved By/Date: Revised Date/Revision Number: 6. Responsible Authority: The Quality Manager (or designee). 7. Related Standards/Statutes/References: A) ASCLD/LAB Legacy standards 1.4.2.5, 1.4.2.6, 1.4.2.7, 1.4.2.8, 1.4.2.11, and 1.4.2.12. B) ASCLD/LAB International Supplemental requirements: 3 (Terms and Definitions), 4.13.2.4, 5.4.1.1, 5.4.1.2, 5.4.2.1. C) ISO/IEC 17025:2005 clauses: 4.1.5 (a, f, g, h, and i), 4.2.1, 4.2.2 (d), 4.2.5, 4.3.1, 4.15.1, 5.3.2, 5.4.1, 5.4.4, 5.4.5.2, 5.4.7.2 (a - c), all of 5.5, all of 5.8, and 5.9.1 (a). 8. Scope: Imaging and examining different types of hard drives (SATA, SCSI, and IDE) removed from desktops and laptops. 9. Policy Statement: A) No analysis will be performed without legal authority (search warrant or consent form). If not submitted, the examiner must contact the investigator to obtain the necessary legal authority. B) Forensic computers are not connected to the Inter-net. C) All forensic archives created and data recovered during examinations are considered evidence. D) Changes to this procedure can be made if approved by the Quality Manager, who will document the changes...

Words: 731 - Pages: 3

Free Essay

Computer Forensics Case Analysis

...Project 1 Case Analysis CCJS321 The two cases I have chosen to analyze for Project One is the Max Ray Butler aka “Iceman” cybercrime case and the Albert Gonzalez cybercrime case. I have chosen these two cases because they both had significant impact on the computer forensics field. Both of these cybercrimes are similar in nature because both deal in credit card and identity theft on the grandest scale. Max Ray Butler and Albert Gonzalez were brought to justice after many years of a cyber-forensic investigation that went through a network of multiple U.S. agencies; including the FBI, US Secret Service and US-CERT (United States Computer Emergency Readiness Team) a Department of Homeland Security who were all networked together at the National Computer Forensic Training Academy in Pittsburg, Pennsylvania. Both of these men were given the longest prison sentences ever handed out by a judge for computer crimes of their notoriety and magnitude. Finally, they both set a blue print for digital forensic investigators of the proper procedures to follow in order to capture future want-to-be crime lords. Max Butler aka “Iceman” was a white-hat hacker that went rogue. His story is that, “he was a good hacker hired by the government to test the security of one of their websites, while doing that job he installed a backdoor to their system that would allow him to come in later so he could make some fixes to the system on his own time. Well of course this second part of the...

Words: 1323 - Pages: 6

Free Essay

Assignment 1: Computer Forensics Overview

...Assignment 1: Computer Forensics Overview CIS 417 Computer Forensics Computer forensics is the process of investigating and analyzing techniques to gather and preserve information and evidence from a particular computing device in a way it can be presented in a court of law. The main role of computer analyst is to recover data including photos, files/documents, and e-mails from computer storage devices that were deleted, damaged and otherwise manipulated. The forensics expert’s work on cases involving crimes associated with internet based concerns and the investigations of other potential possibilities on other computer systems that may have been related or involved in the crime to find enough evidence of illegal activities. Computer experts can also use their professional knowledge to protect corporate computers/servers from infiltration, determine how the computer was broken into, and recover lost files in the company. Processes are used to obtain this information and some of the processes are as follows; * Investigation process: Computer forensics investigations will typically be done as part of a crime that allegedly occurred. The first step of the investigation should be to verify that a crime took place. Understand what occurred of the incident, assess the case, and see if the crime leads back to the individual. * System Description: Next step, once you verified the crime did occur, you then begin gathering as much information and data about the specific...

Words: 1397 - Pages: 6

Premium Essay

Computer Forensics and Cyber Crime

...Computer Forensics and Cyber Crime Author Institution Computer Forensics and Cyber Crime A security survey or audit can also be referred to as a vulnerability analysis. A security survey is an exhaustive physical examination whereby all operational systems and procedures are inspected thoroughly (Fischer & Green, 2004). A security survey involves a critical on-site examination and analysis of a facility, plant, institution, business or home to determine its current security status, its current practices deficiencies or excesses, determine level of protection needed, and ways of improving overall security levels are recommended. A security survey can either be done by in-house personnel or by external security consultants. However, outside security experts are preferred their approach to the job would be more objective and would not take some parts of the job for granted therefore resulting to a more complete appraisal of current conditions. A security survey/audit should be carried out regularly so as keep improving to and up to date especially with the growing rate of technology. Overall objectives of a security survey are: determination of current states of security, location various weaknesses in the security defenses, determination of level of protection required and finally give recommendations for the establishment of a total security program (Fischer & Green, 2004). Some weaknesses identified in the process of a security survey may be: vulnerability...

Words: 686 - Pages: 3

Free Essay

Computer Forensics

...Effortless English What is the most important English skill? What skill must you have to communicate well? Obviously, number 1 is Fluency. What is fluency? Fluency is the ability to speak (and understand) English quickly and easily... WITHOUT translation. Fluency means you can talk easily with native speakers-- they easily understand you, and you easily understand them. In fact, you speak and understand instantly. Fluency is your most important English goal. The research is clear-- there is only ONE way to get fluency. You do not get fluency by reading textbooks. You do not get fluency by going to English schools. You do not get fluency by studying grammar rules. The Key To Excellent Speaking Listening Is The Key To get English fluency, you must have a lot of understandable repetitive listening. That is the ONLY way. To be a FANTASTIC English speaker, you must learn English with your ears, not with your eyes. In other words, you must listen. Your ears are the key to excellent speaking. What kind of listening is best? Well, it must be understandable and must be repetitive. Both of those words are important-- Understandable and Repetitive. If you don't understand, you learn nothing. You will not improve. That's why listening to English TV does not help you. You don't understand most of it. It is too difficult. It is too fast. Its obvious right? If you do not understand, you will not improve. So, the best listening material is EASY. That’s right, you should listen mostly...

Words: 1404 - Pages: 6

Premium Essay

Computer Forensics Tools

...Computer Forensics Tools Strayer University E-Support Undelete Plus is powerful software that can quickly scan a computer or storage medium for deleted files and restore them on command. It works with computers, flash drives, cameras, and other forms of data storage. Deleting a file from your computer, flash disk, camera, or the like does not mean it is lost forever. Software doesn’t destroy files when it deletes, it simply marks the space the file was using as being available for re-use. If nothing has needed that space since the deletion, the data is still there and the file can be recovered. Simply scan the device, select the files you want to recover, and click a button to restore the information (Softpedia, 2013). The interface Undelete PLUS is geared up with is very nice and easy to handle. In the right panel, there is the Drives tree. The user can change the view to file types (MP3, PDF, RTF, RAR, ZIP, XML, PNG, etc.) or to folders. In the left, there will be displayed all the files Undelete PLUS was able to detect. The software will inform you of the state of the files it has detected. This way, you will know that if the status reads "very good" then there still is a chance of recovering that file. "Overwritten" status means that the respective file is either corrupted or cannot be recovered. Additional information tell you about the size of the file, format, path, date of its creation and modification. The software is capable of recovering entire...

Words: 1755 - Pages: 8

Free Essay

A History of Modern

...Guide to Computer Forensics and Investigations Fourth Edition Chapter 7 Current Computer Forensics Tools Objectives • Explain how to evaluate needs for computer forensics tools • Describe available computer forensics software tools • List some considerations for computer forensics hardware tools • Describe methods for validating and testing computer forensics tools Guide to Computer Forensics and Investigations 2 Evaluating Computer Forensics Tool Needs • Look for versatility, flexibility, and robustness – – – – – OS File system Script capabilities Automated features Vendor’s reputation • Keep in mind what application files you will be analyzing Guide to Computer Forensics and Investigations 3 Types of Computer Forensics Tools • Hardware forensic tools – Range from single-purpose components to complete computer systems and servers • Software forensic tools – Types • Command-line applications • GUI applications – Commonly used to copy data from a suspect’s disk drive to an image file Guide to Computer Forensics and Investigations 4 Tasks Performed by Computer Forensics Tools • Five major categories: – – – – – Acquisition Validation and discrimination Extraction Reconstruction Reporting Guide to Computer Forensics and Investigations 5 Tasks Performed by Computer Forensics Tools (continued) • Acquisition – Making a copy of the original drive • Acquisition subfunctions: – – – – – – – Physical data copy Logical data copy...

Words: 2076 - Pages: 9