Email Forensics

Submitted By macochieng
Abstract
As the world becomes more connected and millions of people and organizations adopt email as a primary means of communication, criminals are equally intent on misusing the platform for their own ends. Email forensics has consequently become central to identifying such offenders and bringing them through due process like any other criminal. One area of email forensics that has attracted a great deal of attention is the study of the characteristics peculiar to an author's emails, and the use of those characteristics to cluster messages for identification. This paper argues, with experimental support, that such characteristics can be used to analyse a collection of emails and establish their origin.

Table of Contents
Abstract
Email forensics
  Email Headers
  IP Address from the mail sender
  Mail User Agents (MUA)
  Transit Servers
  Sample Header
E-mail Characteristics
Measures
Anonymous emails
Email forensic software
E-mail cluster analysis
Results and conclusion
Conclusion
References

Email forensics
A typical email has two parts, the header and the body, and forensic examiners base their analysis on both.
Email Headers
These are the metadata lines attached to every email, and they carry a great deal of information that an examiner can use. Headers are easy to forge, however, so they must never be the sole source of evidence: any header field, including a Received line, can be written by the sender before the message is submitted, and only the lines added by servers the examiner trusts (typically the recipient's own) can be taken at face value. There is no single correct way to read a header. Some examiners prefer to read from the bottom up, following the message along its route from origin to recipient, while others read from the top down, starting with the lines added last.
IP Address from the mail sender
Some email service providers include the IP address of the submitting client in the headers (usually in the Received line written by the provider's submission server, sometimes in a provider-specific X- header); others, notably many webmail services, do not, so the absence of a sender IP is not in itself suspicious.
Mail User Agents (MUA)
Every MUA creates slightly different message headers. A number of header fields are mandatory, but their format and ordering vary by client. Almost every client, however, adds its headers in a fixed format and order, so the examiner can compare the format and ordering in a questioned message against what the client named in its User-Agent (or X-Mailer) field actually produces; a mismatch is a strong indication of forgery.
Transit Servers
Mail servers also add lines to the header as they relay the message, normally as Received lines. Each relay prepends its own line, so the topmost Received line was added last (nearest the recipient) and the bottommost first. An example of a line added by a Postfix server:
Received: by servertitle.recipientshost.com (Postfix, from userid 509) id 77C40807A; Fri, 26 March 2009 20:49:59 -0530 (EST)
Even a single line repays scrutiny: here the numeric offset -0530 sits beside the zone name EST, which denotes -0500, and 26 March 2009 was a Thursday, not a Friday. A genuine server writes a self-consistent timestamp, so disagreements like these are recorded as leads, although they may also point to nothing worse than a badly configured relay.
Sample Header
Below is an excerpt from a mail header as received by a mailing-list server. Read the Received lines from the bottom up to follow the message's route. Note that the timestamps in this excerpt do not agree with one another: the transit Received line is dated January, the Date header March, the Message-ID encodes yet another date, and neither weekday matches its date. Disagreement of that kind is exactly what an examiner looks for, along with a From domain that matches neither the Message-ID domain nor the originating host.
Received: from custom.securetarget.com (custom.securetarget.com [204.208.232.20]) by outgoing3.securetarget.com (Postfix) with ESMTP id 7E9971480C9; Mon, 10 Jan 2008 09:01:38 -0730
Mailing-List: contact forensicexperts-assist@securetarget.com; run by ezmlm
Precedence: bulk
List-Id: <forensicexperts.list-id.securetarget.com>
List-Post: <mailto:forensicexperts@securetarget.com>
List-Help: <mailto:forensicexperts-help@securetarget.com>
List-Unsubscribe: <mailto:forensicexperts-unsubscribe@securetarget.com>
List-Subscribe: <mailto:forensicexperts-subscribe@securetarget.com>
Delivered-To: mailing list forensicexperts@securetarget.com
Delivered-To: moderator for forensicexperts@securetarget.com
Received: (wmail 20568 invoked from network); 6 March 2008 16:18:57 -0030
From: WJesus <WJesus@security-projects.com>
To: forensicexperts@securetarget.com
Subject: Fresh Tool: Nonhide
User-Agent: WMail/1.9
MIME-Version: 1.0
Content-Disposition: inline
Date: Fri, 16 March 2008 16:45:30 +0200
Content-Type: text/plain; charset="iso-8859-2"
Content-Transfer-Encoding: quoted-printable
Message-ID: <200601051641.31830.WJesus@security-projects.com>
X-HA-Spam-Level: /
X-HA-Spam-Score: 0.0
X-HA-Virus-Scanned: Y
Status: RO
Content-Length: 588
Lines: 28
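The checks described above can be automated. The following Python is an added example written for this page, not software from the paper: it parses a header with the standard library's email module, walks the Received chain in transit order (bottom-up), records the claimed sending host and IP of each hop, and applies four cheap consistency checks: relay timestamps must not run backwards, the author's Date must not postdate the first relay, a zone name must agree with the numeric offset beside it, and the Message-ID domain is compared with the From domain. The sample header is constructed for the example and modelled on the excerpt above; its hostnames, ids and dates are illustrative, and the zone table is an assumption covering only UTC and the common North American abbreviations.

```python
"""Parse a header excerpt and run the consistency checks an examiner applies
before trusting it. Added example; the sample header is constructed for this
illustration (hostnames and ids modelled on the excerpt above, not a real
message)."""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime, parseaddr

# Constructed sample. Received lines appear newest first, as relays prepend
# them, so reading from the bottom up follows the message along its route.
SAMPLE = """\
Received: by servertitle.recipientshost.com (Postfix, from userid 509) id 77C40807A; Fri, 26 Mar 2009 20:49:59 -0530 (EST)
Received: from custom.securetarget.com (custom.securetarget.com [204.208.232.20]) by outgoing3.securetarget.com (Postfix) with ESMTP id 7E9971480C9; Mon, 10 Jan 2008 09:01:38 -0730
Received: (qmail 20568 invoked from network); 6 Mar 2008 16:18:57 -0030
From: WJesus <WJesus@security-projects.com>
To: forensicexperts@securetarget.com
Subject: Fresh Tool: Nonhide
Date: Fri, 16 Mar 2008 16:45:30 +0200
Message-ID: <200601051641.31830.WJesus@security-projects.com>

(body omitted)
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")     # bracketed IPv4 literal
FROM_RE = re.compile(r"^from\s+(\S+)")                    # claimed sending host
BY_RE = re.compile(r"\bby\s+(\S+)")                       # receiving host
ZONE_RE = re.compile(r"([+-]\d{4})\s*\((\w+)\)")          # e.g. "-0500 (EST)"
# Assumed table: the numeric offsets these common zone names actually denote.
ZONE_OFFSETS = {"UTC": "+0000", "GMT": "+0000", "EST": "-0500", "EDT": "-0400",
                "CST": "-0600", "CDT": "-0500", "MST": "-0700", "MDT": "-0600",
                "PST": "-0800", "PDT": "-0700"}


def parse_received(value):
    """Split one Received line into the clauses an examiner records."""
    value = " ".join(value.split())               # unfold continuation lines
    head, _, stamp = value.rpartition(";")        # timestamp follows the last ';'
    hop = {"from": None, "by": None, "ip": None, "time": None, "raw": value}
    for key, rx in (("from", FROM_RE), ("by", BY_RE), ("ip", IP_RE)):
        m = rx.search(head)
        if m:
            hop[key] = m.group(1)
    try:
        hop["time"] = parsedate_to_datetime(stamp.strip())
    except (TypeError, ValueError):               # missing or unparseable date
        pass
    return hop


def received_chain(raw):
    """Hops in transit order (first relay first): the header read bottom-up."""
    msg = message_from_string(raw)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def header_anomalies(raw):
    """Return human-readable findings; an empty list means nothing stood out."""
    msg = message_from_string(raw)
    hops = received_chain(raw)
    findings = []

    # 1. Each relay stamps the message after the previous relay did.
    times = [h["time"] for h in hops if h["time"] is not None]
    for earlier, later in zip(times, times[1:]):
        if later < earlier:
            findings.append("Received timestamps run backwards: %s stamped after %s"
                            % (later.isoformat(), earlier.isoformat()))

    # 2. The author's Date header cannot postdate the first relay's stamp.
    try:
        sent = parsedate_to_datetime(msg.get("Date", ""))
    except (TypeError, ValueError):
        sent = None
    if sent is not None and times and sent > times[0]:
        findings.append("Date header %s is later than the first Received hop %s"
                        % (sent.isoformat(), times[0].isoformat()))

    # 3. A zone name must agree with the numeric offset written beside it.
    for hop in hops:
        m = ZONE_RE.search(hop["raw"])
        if m and ZONE_OFFSETS.get(m.group(2).upper(), m.group(1)) != m.group(1):
            findings.append("zone name %s does not match offset %s in: %s"
                            % (m.group(2), m.group(1), hop["raw"][:60]))

    # 4. Message-ID is normally minted by the author's MUA or first MTA, so its
    #    domain usually matches the From domain; a mismatch deserves a look.
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    mid_domain = msg.get("Message-ID", "").strip("<> ").rpartition("@")[2].lower()
    if from_domain and mid_domain and from_domain != mid_domain:
        findings.append("Message-ID domain %s differs from From domain %s"
                        % (mid_domain, from_domain))
    return findings


if __name__ == "__main__":
    for hop in received_chain(SAMPLE):
        print(hop["time"], hop["from"], hop["ip"], "->", hop["by"])
    for finding in header_anomalies(SAMPLE):
        print("ANOMALY:", finding)
```

Run directly, it prints the three hops and three anomalies for the sample (backwards relay stamps, a Date later than the first hop, and EST beside -0530). The findings are leads, not proof: a legitimate relay with a badly set clock produces the same signals, and everything below the first Received line written by a server you control could have been typed by the sender.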
With the rapid growth of computer technology, institutions and government bodies alike have come to depend on electronic mail as a convenient and economical means of communication over the Internet and over intranets. Email is used for message exchange and broadcasting, for sending documents and for electronic commerce. Unfortunately, it is also misused: to distribute unsolicited junk mail (spam), to convey sensitive information without permission, to send threatening or offensive content, and so on (Baayen, Van Halteren, & Tweedie, 1996). In many of these cases the sender tries to disguise his or her identity in order to avoid detection; the sender's address may be forged, the message routed through an anonymous remailer, or the content and header modified to shield the true sender. Where such acts are criminal, successful prosecution requires empirical evidence that identifies the original author of the misused email.
Given the rising number of email misuse cases, effective automated techniques for analysing message content and identifying or categorising the authors are of real importance. The objective is to classify a set of emails as originating from a given author and, where possible, to derive a set of characteristics that remain relatively constant across a large number of that author's messages. Identifying such characteristics is the central difficulty of authorship identification, because an author's writing traits are expected to evolve over time and to change with context: formal emails are composed differently from informal ones, and even informal email admits several composition styles. Nonetheless, people are creatures of habit with personal traits that tend to persist, much as they have distinctive behavioural patterns and biometric attributes, and the same is true of their email. On this basis email forensics conjectures that certain linguistic and compositional characteristics, such as particular syntactic and structural layout features, vocabulary usage trends, unusual language use, excessive use of digits, and stylistic and sub-stylistic features, remain substantially constant. Identifying and learning these traits is the main challenge in authorship identification; a second challenge is the accuracy with which identification can be performed.
Civil and criminal courts are well aware that in most cases the truth now carries some digital signature. Expert forensic analysis of email and other Electronically Stored Information (ESI) is essential once evidence becomes digital (Baayen, Van Halteren, & Tweedie, 1996). A party involved in litigation, or an attorney representing one, benefits considerably from the expertise of email forensic examiners in managing the burden of email discovery and in the forensically sound handling of virtually any form of ESI. Losing or tainting digital evidence risks losing the case, or worse.
Authorship identification can be approached in several ways. The simplest is to have domain experts examine new email documents and assign them to well-defined author categories. This is slow and expensive, may be substantially limiting, and provides no continuous measure of confidence in the assignment. Secondly, a domain expert can define a fixed set of rules for classifying new emails. Unfortunately the rule set is often extensive and unwieldy, hard to update, and unable to adapt to changes in document content or author traits. Lastly, identification can be automated by inductively learning a classifier from example documents. Such a classifier should generalise to new, unseen emails and has the advantage of tolerating some drift in an author's traits while building a more accurate author profile.
A closely related problem is text identification, that is, finding texts with similar content. It supports a wide range of information-mining and information-management activities; it has been applied successfully to document filtering, and it supports document retrieval by generating the categories needed for retrieval. Many techniques that learn classification rules automatically have been proposed. Most rest on the bag-of-words (vector space) representation, in which each feature of a text corresponds to a single word, and use a learning method such as decision trees, Bayesian probabilistic approaches, support vector machines or neural networks to classify the document. Email classification has also been studied extensively for automated filtering and filing. Cohen (2010) learns a rule set based on email keywords, and Sahami et al. (2009) address junk-mail filtering with a Naive Bayesian classifier, incorporating domain knowledge through manually constructed domain-specific attributes, including phrasal features and a number of non-textual elements.
Web-based mail systems such as Yahoo, Gmail and Hotmail make computer forensics both more interesting and more difficult, and they offer an additional avenue for discovery and evidentiary support. Of particular interest is that webmail is, without the ordinary user's knowledge, cached, that is, saved automatically on the PC's disk. Users may neither have access to this area nor know how to reach it, but a forensic examiner can recover the cached messages with standard forensic tools. There have been cases in which computer forensics was used to wrongly charge users with offences they did not commit, so it is critical to keep in mind that operating systems, delivery systems and the way programs read data all differ. Understanding the difference between web-based and client-based mail systems can make or break a case in which forensic analysis is involved.
An ISP may hold far fewer messages than the party itself. By the time a requesting party realises it needs to lodge a request, months or even years may have passed since the messages were created. ISPs do not store mail for that long; indeed, for this reason law enforcement agencies have over the years sought legislation requiring ISPs to retain mail for prolonged periods, a move unpopular with ISPs because it would force them to acquire many more servers. In most instances the requesting party has a better chance of obtaining the emails from the originating party, or from the originating party's ISP (Baayen, Van Halteren, & Tweedie, 1996).
An often overlooked consideration, related to the now commonplace model of cloud computing, is off-site storage and the process of establishing where data is located when dealing directly with an ISP. Although ISPs perform functions such as backup and disaster recovery, the contrast between local storage and ISP storage makes recovery from the local machine the more attractive route.
Acquiring mail from local caches or from the hard disk of the suspect's PC therefore becomes an increasingly attractive means of obtaining evidence from the systems the suspect used.
The first phase of mail analysis is to establish the origin of the email and how mail servers and clients are used within the organisation. Beyond transporting messages, mail servers act as fully fledged databases, document repositories, contact managers and calendars, and host many applications that support daily operations. Microsoft Exchange, for instance, has frequently been used in roles well beyond email, such as customer relationship management. The examiner therefore needs to establish how these business applications are used beyond their conventional email role.
E-mail Characteristics
Traditional documents are large, often several hundred pages, well structured and usually written in a formal register that follows well-defined syntactic and grammatical rules. Moreover, the many available natural-language-processing tools make it easy to improve a document's quality by removing spelling errors and idiosyncrasies, so published works are rich sources for learning an author's writing style, and stylometric features have long been used successfully to resolve authorship disputes over literary and conventional writings. Email, like other computer-mediated communication (chat logs, instant messages, forum postings, newsgroups), poses unique challenges because of its size and composition. Emails are short, ranging from a few words to a few paragraphs, and often do not follow syntactic or grammatical rules, so it is difficult to learn a person's writing habits from his or her emails.
Ledger and Merriam, for instance, found that authorship analysis results are not significant for texts of fewer than 500 words. Emails are also far more interactive and informal in style, and their writers may pay little or no attention to spelling and grammar. Analytical techniques that succeed on literary and historical works may therefore not produce trustworthy results on email.
Email datasets do have properties that help in comparing people's writing styles. There is plenty of material, since the average email user writes around 6 to 10 messages a day. The additional information in the header, subject line and attachments, and the relative response time of a user, are useful for characterising a writer. Emails are also rich in structural features, including greetings, overall layout and the sender's contact information, which are strong discriminators of writing style.
Email writing style is defined in terms of stylometric features. No single feature set is optimal and equally applicable across all domains, but more than 1000 stylometric features, spanning lexical, syntactic, structural, content-specific and idiosyncratic traits, have been analysed and compared in studies of email authorship.
Measures
The analytical techniques employed in authorship work so far include univariate and multivariate statistics, machine learning methods such as support vector machines and decision trees, and frequent-pattern mining. There is still a long way to go before consensus is reached on a feature set and techniques that can be trusted enough to present in court for fixing responsibility in an authorship dispute (Gray, 2010). Unlike authorship attribution and authorship characterisation, whose problems are clearly defined, authorship verification has no agreed problem definition. Some researchers treat it as similarity detection: given two pieces of text, determine whether they were produced by the same entity, without knowing the actual author. Vel et al. (2008) apply SVM and KL-transformation approaches to authorship attribution and similarity detection. Building on the same verification concept, Vel et al. (2008) also proposed a less common approach based on linguistic profiling, in which a number of scoring functions are used to generate profiles for grouped data.
Another group of researchers, including Krsul (2009) and Shen (2010), framed authorship identification as a one-class or two-class text classification problem. Krsul (2009), for instance, poses it as follows: given a questioned document d and known training samples {t1, ..., tm} of a suspect Ss, verify whether or not d originated from Ss. Documents by Ss form the target class and documents by anyone else are treated as outliers. A classification model is built for the suspect, the questioned document d is divided into chunks, and each chunk is scored by the model to decide which class it falls in.
Anonymous emails
People tend to treat email like any other form of communication. Whether instructions come from a boss in person, by phone or by email does not matter much; people treat them all alike. But what happens when the email comes from someone who is not who he or she claims to be? Face to face there is no doubt about whom you are dealing with. On the phone, the person's voice, demeanour and small talk are clues that it is the right person. With email most of those clues are missing or far less evident. To make matters worse, email programs tend to hide much of the information that would help establish a message's authenticity (Vel, 2008): because most mail is not from an impostor, clients keep even the sender's address out of view for the sake of usability.
Many criminals exploit the convenience of anonymity to conduct illegal activities, and email is the medium most commonly used for them. Extracting knowledge from email text has become a pivotal step in cybercrime investigation and evidence collection, yet it is among the most challenging and time-consuming tasks because of the special characteristics of email data. This investigation focuses on mining attributes from a collection of emails written by several anonymous authors. The idea is first to cluster the anonymous emails by their stylometric features and then to extract the write-print, the unique writing style, of each cluster. The problem and the proposed solution differ from conventional authorship identification, which presumes that training data are available for building a classifier. The method is especially useful in the early stage of an investigation, when investigators have little information about the case and the true authors of the suspicious emails. Experiments on a real-life dataset show that clustering by writing style is a promising way of grouping emails written by the same author.
Email forensic software
E-mail cluster analysis
To obtain credible evidence against a perpetrator, an investigator needs several different kinds of analysis. The investigator may want to retrieve all emails that concern particular crimes, such as drugs, pornography, hacking or terrorism; this can be achieved by simple keyword search or, more effectively, by conventional content-based clustering. Similarly, the investigator may wish to visualise a suspect's overall communication patterns. To identify the true author of a disputed anonymous email, several techniques may need to be used together. Holmes and Forsyth (1995) and Ledger and Merriam (1994) were among the first to apply multivariate clustering techniques to text, and Baayen et al. (1996) later performed stylometric clustering for authorship attribution. These form the basis of the approach used in this analysis.
The investigator software is used to visualise, browse and explore the writing styles extracted from the collection of anonymous emails used in this investigation. The relative strength of different clustering algorithms is evaluated. The software's functionality and the study itself rest on the relative discriminatory power of four categories of stylometric features, and the effects of the number of suspects and of the number of messages per suspect on clustering accuracy are examined.
(Screenshot not reproduced: the classification software's main screen.)

(Screenshot not reproduced: a narrowed-down classification of emails with similar characteristics.)
Once the emails have been clustered, the write-print is used to identify an individual uniquely. The analysis in this section therefore examines whether the method can precisely identify the different writing styles present in the email collection.
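The cluster-then-profile approach described in the Anonymous emails section and evaluated here can be shown end to end in a few dozen lines. The following Python is an added example written for this page and is not the paper's investigator software: it computes a small stylometric feature vector per message (words per sentence, average word length, type-token ratio, exclamation marks per sentence, function-word density and comma rate, as stand-ins for the paper's lexical, syntactic, structural and idiosyncratic categories), standardises the features across the corpus, clusters the messages with deterministic average-link agglomerative clustering, and reports as each cluster's write-print the features that are near-constant within it. The six emails are constructed, three in each of two invented styles, and the function-word list and the 0.5 spread threshold are arbitrary choices.

```python
"""Cluster anonymous emails by stylometric features and extract each cluster's
write-print. Added example: a minimal, dependency-free version of the
cluster-then-profile idea, not the paper's software. The emails are
constructed (three each in two invented styles) and the feature set is a
small stand-in for the categories the paper discusses."""
import re
from statistics import mean, pstdev

FUNCTION_WORDS = ("the", "and", "of", "to", "a", "in", "that", "is", "it", "for")
FEATURE_NAMES = ("words_per_sentence", "avg_word_length", "type_token_ratio",
                 "exclamations_per_sentence", "function_word_density",
                 "commas_per_word")

EMAILS = {  # constructed samples: A* mimic one informal writer, B* one formal writer
    "A1": "hey! r u coming tonight? its gonna be great! bring ur laptop! lol",
    "A2": "dude that was awesome! u should totally come next time! no excuses ok?!",
    "A3": "lol yeah! im in! send me the address and ill be there by 8!! dont forget the beer!",
    "B1": "Dear Ms Okoro, thank you for your message of 12 March. I have reviewed the "
          "attached proposal and, on the whole, I find the approach sound. However, "
          "the timeline in section three is, in my view, optimistic.",
    "B2": "Please find attached the revised budget, which reflects the changes that we "
          "discussed on Tuesday. As you will see, the allocation for travel has been "
          "reduced, and the difference has been moved to the training line.",
    "B3": "I would be grateful if you could confirm, at your earliest convenience, "
          "whether the board is content with this arrangement. Should any further "
          "information be required, I am of course happy to provide it.",
}


def features(text):
    """Raw stylometric feature vector for one message (order = FEATURE_NAMES)."""
    words = re.findall(r"[A-Za-z']+", text)
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    n_words, n_sent = max(len(words), 1), max(len(sentences), 1)
    lower = [w.lower() for w in words]
    return [
        len(words) / n_sent,                                   # syntactic
        mean(len(w) for w in words) if words else 0.0,         # lexical
        len(set(lower)) / n_words,                             # lexical richness
        text.count("!") / n_sent,                              # idiosyncratic
        sum(lower.count(fw) for fw in FUNCTION_WORDS) / n_words,
        text.count(",") / n_words,                             # punctuation habit
    ]


def zscore(vectors):
    """Standardise each feature across the corpus so no one scale dominates."""
    cols = list(zip(*vectors))
    mu = [mean(c) for c in cols]
    sd = [pstdev(c) or 1.0 for c in cols]
    return [[(v - m) / s for v, m, s in zip(vec, mu, sd)] for vec in vectors]


def distance(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5


def cluster(vectors, k):
    """Deterministic average-link agglomerative clustering down to k groups."""
    groups = [[i] for i in range(len(vectors))]
    while len(groups) > k:
        best = None
        for i in range(len(groups)):
            for j in range(i + 1, len(groups)):
                d = mean(distance(vectors[p], vectors[q])
                         for p in groups[i] for q in groups[j])
                if best is None or d < best[0]:
                    best = (d, i, j)
        _, i, j = best
        groups[i].extend(groups.pop(j))      # j > i, so index i stays valid
    return groups


def writeprint(vectors, members, max_spread=0.5):
    """Features that are near-constant within a cluster (in z-score units):
    the cluster's write-print, reported as feature -> mean z-score."""
    profile = {}
    for f, name in enumerate(FEATURE_NAMES):
        col = [vectors[i][f] for i in members]
        if pstdev(col) <= max_spread:
            profile[name] = round(mean(col), 2)
    return profile


def analyse(emails, k):
    """Cluster a dict of {id: text} into k author groups and profile each."""
    ids = list(emails)
    vectors = zscore([features(emails[i]) for i in ids])
    result = []
    for members in cluster(vectors, k):
        result.append({"members": sorted(ids[m] for m in members),
                       "writeprint": writeprint(vectors, members)})
    return sorted(result, key=lambda r: r["members"])


if __name__ == "__main__":
    for group in analyse(EMAILS, k=2):
        print(group["members"], group["writeprint"])
```

With k=2 the sample splits cleanly into the two constructed writers, and the near-constant features (no commas for one, no exclamation marks for the other) surface as their respective write-prints. On real data the number of authors is unknown, features overlap far more than in this toy, and, as the Results section notes, accuracy falls as candidate authors multiply; treat the clusters as a way to focus the investigation, not as attribution.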
Results and conclusion
The framework developed for extracting distinct writing styles from a collection of anonymous emails proved worthwhile. The method, which clusters the anonymous emails by stylometric features and then extracts a unique or near-unique writing style from each resulting cluster, proved effective and useful for narrowing down the potential authors of an anonymous email dataset. The writing styles, expressed as feature patterns, offer concrete evidence rather than merely statistical numbers.
The results show that clustering is an appropriate means of grouping emails by stylometric features. It is notable that accuracy decreased as the number of candidate authors and the sample size increased, which indicates scalability problems. The research therefore emphasises the need for further work on more robust clustering techniques. The existing feature list also needs to be extended with idiosyncratic features and with combined-feature approaches.
In line with previous studies showing that content-specific keywords play an important role in style mining in specific contexts such as cybercrime investigation, this research supports that assertion, so a robust technique for keyword selection is needed. Feature optimisation clearly helps in determining a truly representative author style. The process is further complicated by the fact that behaviour varies from person to person, so methods are needed that capture stylistic variation for better authorship results. It must be accepted that research in this area is still in its infancy.
Conclusion
This paper employed various email document features, including structural characteristics and linguistic patterns, with the aid of forensic software. Experiments on a reduced number of documents produced promising results, although some categories were classified better than others. The approach has a number of limitations. First, the fact that some authors are classified better than others indicates that more specific and identifiable author traits should be obtained. Second, combinations of features, particularly relative function-word frequencies, need to be considered. Third, feature selection should be performed before classification so as to remove features that contribute nothing to classification performance.

References
Baayen, R. H., Van Halteren, H., & Tweedie, F. J. (1996). Outside the cave of shadows: using syntactic annotation to enhance authorship attribution. Literary and Linguistic Computing, 2, 110-120.
Cohen, W. (2010). Learning rules that classify e-mail. In Proc. Machine Learning in Information Access, AAAI Workshop, 15th National Conf. on AI. AAAI Technical Report WS-98-05, pp. 55-62.
Gray, A. (2010). Software forensics: extending authorship analysis techniques to computer programs. In Proc. 3rd Biannual Conf. Int. Assoc. of Forensic Linguists (IAFL'97), pp. 1-8.
Holmes, D. I., & Forsyth, R. S. (1995). The Federalist revisited: new directions in authorship attribution. Literary and Linguistic Computing, 10(2), 111-127.
Krsul, I. (2009). Authorship analysis: identifying the author of a program. Technical Report CSD-TR-94-030, Department of Computer Science, Purdue University, 1994.
Ledger, G. R., & Merriam, F. (1994). Shakespeare, Fletcher, and The Two Noble Kinsmen. Literary and Linguistic Computing, 235-248.
Sahami, M. (2009). A Bayesian approach to filtering junk e-mail. In Learning for Text Categorization, AAAI Spring Symposium (SS-96-05), pp. 18-25.
Shen, D. (2010). Adding semantics to email clustering. In Proc. 6th International Conference on Data Mining (ICDM), IEEE Computer Society, Washington, DC, pp. 938-942.
Zheng, R. (2006). A framework for authorship identification of online messages: writing-style features and classification techniques. Journal of the American Society for Information Science and Technology, 57(3), 1532-2882.

Similar Documents

Free Essay

You Decide 3

...You Decide Scenario: Week 3 Detecting and preventing insider threats is its own discipline, with its own dynamics. If you put these countermeasures in place, you can reduce the threat dramatically. First, you can use an IP packet-filtering router. This type of router permits or denies the packet to either enter or leave the network through the interface on the basis of the protocol, IP address, and the port number. The protocol may be TCP, UDP, HTTP, SMTP, or FTP. The IP address under consideration would be both the source and the destination addresses of the nodes. The port numbers would correspond to the well-know port numbers (Vacca, 2009). Packet filtering lets you control data transfer based on the address the data is, the address the data is going to, and the session and application protocols being used to transfer data. The main advantage of packet filtering is leverage. It allows you to provide, in a single place, particular protections for an entire network. Consider the Telnet service. If you disallow Telnet by turning off the Telnet server on all your hosts, you still have to worry about someone in your organization installing a new machine (or reinstalling an old one) with the Telnet server turned on. On the other hand if Telnet is not allowed by your filtering router, such a new machine would be protected right from the start, regardless of whether or not its Telnet server was actually running. Another advantage of a packet filtering router is that...

Words: 622 - Pages: 3

Free Essay

Computer Forensics Analysis Project

...Computer Forensics I (FOR 240-81A) Project #3 Case Background The Suni Munshani v. Signal Lake Venture Fund II, LP, et al suit is about email tampering, perjury, and fraud. On December 18, 2000, Suni Munshani (Plaintiff) filed a suit against Signal Lake Venture Fund. Mr. Munshani claimed that he was entitled to warrants in excess of $25 million dollars from Signal Lake. In February 2001, Signal Lake Venture Fund II, LP, et al. (Defendant) became privy to the court filings in this case. Within the filings there was an email provided by Mr. Munshani from Hemant Trivedi, CEO of one of the portfolio companies, stating he was indeed entitled to the warrants. Mr. Trivedi denied any knowledge of the email, or any such communication with Mr. Munshani. In an effort to prove their innocence, Signal Lake hired a computer forensic group to conduct a private investigation. The investigation did not show any evidence of the supposed email provided to the court by Mr. Munshani. Mr. Trivedi filed an affidavit stating that the email was forged, while Mr. Munshani filed an affidavit stating the email was real. In March 2001, a computer forensics expert, Kenneth R. Shear, was appointed by the court to perform a forensic examination on the questioned message (the message provided by Mr. Munshani) and the comparative message (a second message from Mr. Trivedi found on Mr. Munshani’s computer). Mr. Shear worked for a company called Electronic Evidence Discovery, Inc. (EED). Mr. Shear’s forensic...

Words: 799 - Pages: 4

Premium Essay

Is4670 Unit 10 Lab Q&a

...1. What was the user account name of the FTP client on the FTP server and which was its IP address? The FTP account name is: Badguy. FTP server’s IP:172.16.177.157 2. How many emails did the alleged offender sent to his partner before downloading the implicated file? Which are the two email addresses involved? The alleged offender sent 3 emails before downloading the file. The email address involved were: badguy11111@gawab.com and b603358@borthew.com 3. As a forensics investigator, would you be able to playback an entire TCP session if it is requested under trial? Yes, Netwitness investigator allows a forensics investigator to playback an entire TCP session previously capture. 4. What time did the alleged offender choose to perform the actions? Why do you think this is particularly important? Where did you get this information from? After reviewing the entire packet capture we notice that download occurred around 4:00am. This is particularly important since directly to “system usage” outside regular hours of operations. 5. What is the name of the “local user” account involved in the alleged actions? Which was the IP address of the alleged offender workstation? The local administrator account was the one involved. The IP address of the client FTP client was: 172.16.177.132 6. How many attempts to access the FTP server did you find during the packet capture analysis? Why is this important for your case? Two attempts to access the FTP server were found...

Cyber Crime in India

...as real space for business, education and politics. The growing danger from crimes committed against computers, or against information on computers, is beginning to claim attention in India. The digital age has dramatically changed the scope of crime by adding the electronic component, and with it comes a new form of science, “Computer Forensic Science”. Computer forensics allows the evidence of cyber crime to be admissible in court when prosecuting the cyber criminal. In most countries, existing laws are likely to be unenforceable against such crime. Cyber laws, as they stand today, give rise to both positive & negative consequences. The main negative consequence is the digital soup, so vague that many refer to it as the dark side of technology, and that cyber criminals currently have the upper hand. The applicability and effectiveness of our existing laws need to be constantly reviewed to face the risk coming from the cyber world. In this paper we are going to first describe computer forensics, cyber crimes, the cyber laws of the nation & technology challenges. The aim of this paper is to act as a catalyst to raise awareness regarding computer forensics, which continues to grow as one of the most important branches of science and helps in the investigation of cyber crime, which continues to grow as one of the most potent threats to the Internet and computer users of the cyber society of the 21st century in India. Introduction The rapid change occurring in the present era of Information Technology...

Networking

...Digital forensics is an important aspect of computer systems security. I mean we are talking about identifying, collecting, preserving, analyzing, and presenting evidence digitally. Therefore, preserving electronic evidence is important. Investigating Data Theft is a malicious act towards a company/organization (Kruse, 2001). Such theft is made by an employee that is either terminated or resigning. Motives for data theft include setting up a competing business, using the information at a new job, a sense of ownership of what was created, and revenge against the employer, among other things. Common thefts include customer information, financial records, software code, email lists, strategic plans, process documents, secret formulas, databases, research and development materials, and employee records. Now, with such theft around, we often wonder how such theft is achieved. Knowing how technology is always advancing each year, the millennium era grows with fascinating knowledge on the know-how of working a computer, hard drives, etc. Tools like flash drives, which can hold thousands of documents that can be copied to the flash drive and taken anywhere. Then you have Dropbox, remote desktop connections, personal email accounts, smart phones, CDs/DVDs, and FTP (File Transfer Protocol) (Kruse, 2001). There is always this saying that personnel who steal data often leave a trail of digital evidence that proves invaluable when investigating data theft. We as the forensic specialists...

Ispg

...Running head: FORENSIC CASES Forensic Cases Stephanie Rudolph Kaplan University IT 550 Computer Forensic and Investigation Prof: Bhanu Kapoor November 26, 2013 Abstract People are the most difficult creatures on earth to understand. Some have the mindset of doing some off-the-wall and unacceptable things using technology. In this paper I have discussed the location and the type of data you will find in the case of a financial fraud and a child pornography case. Later, the paper discusses the procedures that an investigator might take to collect data from a suspect system. I will also provide a simple tool that can be used to collect all types of data from different locations, making the investigator’s job much easier and helping maintain the integrity of the evidence collected to be presented in court. Forensic Cases There are many locations that an investigator searches to obtain data using computer forensic tools in a case of financial fraud and in child pornography cases. In the case of a financial fraud, emails can provide investigators with information not only from the text but also from the headers. The email headers can provide investigators with the information of who created the email, what software they used and the IP address that sent it. The email header also provides the date and time it was sent. Credit card data shows the activity of charges. It shows the...

Computer Forensic Analysis and Report

...Computer Forensic Analysis and Report Nathaniel B. Rollins Jr Kaplan University Computer Forensics I/CF101 Prof: Tatyana Zidarov November 19, 2012 Computer Forensic Analysis and Report A. INTRODUCTION I, Nathaniel B. Rollins, a Computer Forensic Specialist (CFS) with the Metro Police Department (MPD), received a file image from Officer X to conduct a search for electronic evidence, which he stated was copied from the SNEEKIE BADINUF (COMPLAINANT) computer, with consent. This was verified through the COMPLAINANT’s statement, report, consent to search form, and chain of custody, provided by Officer X, along with the request for analyzing the evidence. Upon reviewing her statement filed on May 14, 2006, the COMPLAINANT stated she had received an email from a correspondent named NFarious that demanded $5000 in ransom, or the animals would be harmed. The COMPLAINANT also stated her pets had been gone for an entire week, and she was worried that the abductor may already have injured the animals. During a subsequent interview the COMPLAINANT stated that she took out a $20,000 insurance policy on her pets in September 2005 that would not be active for 6 months. The purpose of this investigation is to confirm or negate the COMPLAINANT’S involvement with the kidnapping of the animals. B. MATERIALS AVAILABLE FOR REVIEW a. 1 Chain of Custody b. Evidence Log c. Complainant’s Statement d. Officer’s Report e. Forensic Disk Image of Computer f. Photos (location...

Assignment 1: Computer Forensics Overview

...Assignment 1: Computer Forensics Overview CIS 417 Computer Forensics Computer forensics is the process of investigating and analyzing techniques to gather and preserve information and evidence from a particular computing device in a way that it can be presented in a court of law. The main role of a computer analyst is to recover data including photos, files/documents, and e-mails from computer storage devices that were deleted, damaged or otherwise manipulated. The forensics experts work on cases involving crimes associated with internet-based concerns and the investigation of other potential possibilities on other computer systems that may have been related or involved in the crime to find enough evidence of illegal activities. Computer experts can also use their professional knowledge to protect corporate computers/servers from infiltration, determine how the computer was broken into, and recover lost files in the company. Processes are used to obtain this information and some of the processes are as follows: * Investigation process: Computer forensics investigations will typically be done as part of a crime that allegedly occurred. The first step of the investigation should be to verify that a crime took place. Understand what occurred in the incident, assess the case, and see if the crime leads back to the individual. * System Description: Next step, once you have verified the crime did occur, you then begin gathering as much information and data about the specific...

Cis 417 Week 2 Assignment 1

...– COMPUTER FORENSIC OVERVIEW Suppose you were recently hired for a new position as the computer forensics specialist at a medium-sized communications company. You have been asked to prepare a presentation to the Board of Directors on your main duties for the company and how your position could help achieve business goals based on security and confidentiality. You are also aware that the company has just had some issues with employee complaints of ongoing sexual harassment over email and instant messaging systems but has been unable to obtain adequate evidence of any kind. Write a two to three (2-3) page paper in which you: 1. Explain the basic primary tasks, high-level investigation processes, and challenges of a computer forensics specialist. 2. Provide an overview of how computing devices are used in crimes of today and how these crimes can affect a company’s data and information. 3. Discuss how computer forensics investigations pertain to the law and trying of cases. ...

A Growing Profession Forensic Accountants

...Introduction With the recent increase in financial crimes and business fraud, forensic accountants are in great demand. Forensic accounting is the practice of utilizing accounting, investigative, organizational, analytical and communicational skills to conduct an examination into a company’s financial statements in legal matters (Crumbley, 2007). Forensic accountants can own their own accounting firms or be employed by lawyers, insurance companies, banks, or large corporations. The use of accountants has played an important role in assisting the government as well as the public. Forensic accountants participate in detecting scandals and financial crimes caused by individuals, companies and organized crime networks. This profession consists of three main areas: litigation support, investigation and dispute resolution (Harris, 200). Litigation support involves the factual arrangement of financial issues, investigation comes in when criminal matters have occurred, and dispute resolution is the process of bringing justice and fairness. To work effectively within these three core components, forensic accountants must have a set of skills to perform their job efficiently. Important Skills Forensic accountants must possess more than the fundamental knowledge of financial accounting and auditing. Each project requires analysis, interpretation, summarization and presentation of complex financial- and business-related issues (Matson, 2012). There are several core skills that are...

Paper

...Ec-council.Braindumps.312-49.v2014-03-11.by.ANGELA.180q Number: 312-49 v8 Passing Score: 700 Time Limit: 240 min File Version: 16.5 http://www.gratisexam.com/ Exam Code: 312-49 Exam Name: Computer Hacking Forensic Investigator Practice Test CHFI-1-105 QUESTION 1 When a file or folder is deleted, the complete path, including the original file name, is stored in a special hidden file called "INFO2" in the Recycled folder. If the INFO2 file is deleted, it is re-created when you _______ A. B. C. D. Restarting Windows Kill the running processes in Windows task manager Run the antivirus tool on the system Run the anti-spyware tool on the system Correct Answer: A Section: (none) Explanation Explanation/Reference: A QUESTION 2 Graphics Interchange Format (GIF) is a ___________ RGB bitmap image format for images with up to 256 distinct colors per frame. A. B. C. D. 8-bit 16-bit 24-bit 32-bit Correct Answer: A Section: (none) Explanation Explanation/Reference: QUESTION 3 The IIS log file format is a fixed (cannot be customized) ASCII text-based format. The IIS format includes basic items, such as client IP address, user name, date and time, service and instance, server name and IP address, request type, target of operation, etc. Identify the service status code from the following IIS log. 192.168.100.150, -, 03/6/11, 8:45:30, W3SVC2, SERVER, 172.15.10.30, 4210, 125, 3524, 100, 0, GET, /dollerlogo.gif, A. B. C. D. W3SVC2 4210 3524 100 Correct Answer: D Section: (none) Explanation...

Sec 402 Wk 7 Case Study 2 Developing the Forensics

...SEC 402 WK 7 Case Study 2 - Developing the Forensics, Continuity, Incident Management, and Security Training Write a five to seven (5-7) page paper in which you: 1. Consider that Data Security and Policy Assurance methods are important to the overall success of IT and corporate data security. a. Determine how defined roles of technology, people, and processes are necessary to ensure resource allocation for business continuity. b. Explain how computer security policies and data retention policies help maintain user expectations of levels of business continuity that could be achieved. c. Determine how acceptable use policies, remote access policies, and email policies could help minimize any anti-forensics efforts. Give an example with your response. 2. Suggest at least two (2) models that could be used to ensure business continuity and ensure the integrity of corporate forensic efforts. Describe how these could be implemented. 3. Explain the essentials of defining a digital forensics process and provide two (2) examples of how a forensic recovery and analysis plan could assist in improving the Recovery Time Objective (RTO) as described in the first article. 4. Provide a step-by-step process that could...

Nt1310 Unit 4 Lab Report

...custody when gathering evidence? It is important to follow the chain of custody when gathering evidence because it is the Standard Operating Procedure (SOP) on how to handle evidence when it enters your possession. It also establishes that the findings at the crime scene are exactly the same findings being presented in court, and that there was no tampering or mishandling of the evidence from the crime scene to the courtroom. Failure to follow the chain of custody procedure may cause a mistrial, allow criminals to get away with a crime, or lose a case. 3. For the computer forensics case, identify what evidence the forensics experts were able to gather. • Data showing millions of dollars of diverted drugs • Repackaging equipment • Computers containing emails and encrypted data • Electronic equipment 4. Name two things the United States attorney was able to prove in the computer forensics case. • The distributor purchased drugs from a foreign source with the intent of selling them in the United States. • The distributor had been involved in drug diversion for over 10 years. 5. What important questions should the security incident response form answer? • What is the evidence? • How did you get it? • When was it collected? • Who has handled it? • Why did the person handle it? • Where has it traveled, and where was it ultimately stored? 6. Why is it important to include a time/date stamp in the security incident response form? Stamping the time and date on the security...

Computer Forensics

...computer forensics Background of Computer forensics: What is most worth remembering is that computer forensics is only one more of many forensic subdivisions. It’s not new, it’s not a revolution. Computer forensics uses the same scientific methods as other forensic subdivisions. So computer forensics is not a revolution in forensic science! It’s simply an evolution of crime techniques and ideas. Forensic origins: Forensic has its roots in a Latin word, “forensic”, which generally means forum or discussion. In the reign of the Romans, any criminal who had been charged with a crime was presented before an assembly of public folks. Both the complainant and the defendant were to present their sides through their own speeches. The one who was able to explain his side with fervent delivery and argumentation typically won the case. It is important to realize that computer forensics is only one subdivision of forensic science. It is digital, it includes the most advanced computer science, but still it is only a branch of forensic science, and its main goal is the submission of the proven claims of scientific methods and strategies to recover any significant digital traces. Computer Forensic Timeline: 1970s • First crime cases involving computers, mainly financial fraud 1980s • Financial investigators and courts realize that in some cases all the records and evidence were only on computers. • Norton Utilities, “Un-erase” tool created • Association of Certified Fraud...

Forensic Accounting

...Forensic Accounting in Practice Twana Bethea BUS 508 May 21, 2013 Dr. Phyllis Praise Abstract Forensic accounting is the application of the skills and training of a chartered accountant to disputes and investigations. Fraud is usually hidden in the accounting systems of organizations, and that’s where forensic accountants play a critical role. Forensic accountants are contacted by companies when they need to figure out where a fraud was committed in their company. The accountants interview witnesses and analyze evidence such as email traffic between all parties involved. They will also freeze bank accounts if needed. They are hired to find out what happened and who was involved. If the case goes to trial they can be called to testify. The key skill of the forensic accountant is communicating complex financial transactions or data in a concise manner using images, graphs and language that can be easily understood by non-accountants, the judiciary, and juries. With the growing complexity of business-related investigations, forensic accounting professionals are increasing, and so is the need for investigations of business and financial issues. Forensic Accounting Practices Forensic accounting has been in existence for many years; today there has been an increase in the need for this type of profession. Forensic accounting is the practice of integrating accounting, auditing and investigative skills. The accountants provide a court with an accounting analysis on the basis...
