Introduction to Computer Forensics

Fall 2007

Definitions
- What is Computer Forensics?
- Computer forensics is the practice of collecting, analysing and reporting on digital data in a way that is legally admissible.
- It can be used in the detection and prevention of crime and in any dispute where evidence is stored digitally.
- Evidence might be required for a wide range of computer crimes and misuses.

Definitions (cont)
- What Constitutes Digital Evidence?
- Any information, being subject to human intervention or not, that can be extracted from a computer.
- Must be in human-readable format or capable of being interpreted by a person with expertise in the subject.
- Computer Forensics Examples
  - Recovering thousands of deleted emails
  - Performing investigation post employment termination
  - Recovering evidence post formatting hard drive

Computer Forensic Capabilities
- Recover deleted files
- Find out what external devices have been attached and what users accessed them
- Determine what programs ran
- Recover webpages
- Recover emails and users who read them
- Recover chat logs
- Determine file servers used
- Discover document's hidden history
- Recover phone records and SMS text messages from mobile devices
- Find malware and data collected

Purpose of Computer Forensics
- Classic Forensics
- Computer forensics uses technology to search for digital evidence of a crime
- Attempts to retrieve information even if it has been altered or erased so it can be used in the pursuit of an attacker or a criminal
- Incident Response
- Live System Analysis
- Computer Forensics
- Post-Mortem Analysis

Computer Security Incident
- Unauthorized or unlawful intrusions into computing systems
- Scanning a system - the systematic probing of ports to see which ones are open
- Denial-of-Service (DoS) attack - any attack designed to disrupt the ability of authorized users to access data.
- Malicious Code - any program or procedure that makes unauthorized modifications or triggers unauthorized actions (virus, worm, Trojan horse)

Typical Investigations
- Theft of Company Secrets
- Employee Sabotage
- Credit Card Fraud
- Financial Crimes
- Embezzlement (money or information)
- Economic Crimes
- Harassment
- Major Crimes
- Identity Theft

Computer Forensics Users
- Law Enforcement
- Private Computer Forensic Organizations
- Military
- University Programs
- Computer Security and IT Professionals

Important Factors
- Legal procedures
- Not compromising evidence
- Treat every piece of evidence as if it will be used in court
- Documentation*
- Chain of Custody
- Write Blocks
- Imaging
- Bit by bit copy of a piece of electronic media (Hard drive

The Goal
The goal of computer forensics is to do a structured investigation and find out exactly what happened on a digital system, and who was responsible for it.

Methodology
- Treat every case as if it will end up in court [1]
- Forensics Methodology [1]:
  - Acquire the evidence without altering or damaging the origin
  - Authenticate that your recovered evidence is the same as the originally seized data
  - Analyze the data without modifying it
- There are essentially three phases for recovering evidence from a computer system or storage medium. Those phases are:
  - (1) acquire,
  - (2) analyze,
  - (3) report

Course Curriculum
- Introduction to Criminal Justice
- Computer Ethics
- Computer Organization
- Binary System
- Encryption and Computer Forensics
- Steganography: Data Hiding
- Introduction to Computer Security: Handling Security Incidents, Malicious Code
- Computer Forensics Evidence and Analysis
- More…

Conclusion
- With computers becoming more and more involved in our everyday lives, both professionally and socially, there is a need for computer forensics.
- This field allows evidence to be found, whether it was lost, deleted, damaged or hidden, and used to prosecute individuals who believe they have successfully beaten the system.

References
[1] Computer Forensics, Incident Response Essentials, Warren G. Kruse II, Jay G. Heiser, Addison-Wesley
[2] Incident Response and Computer Forensics, Kevin Mandia, Chris Prosise, Matt Pepe, McGraw-Hill
[3] Information Security Illuminated, Michael G. Solomon, Mike Chapple, Jones and Bartlett Publishers, Inc
[4] Computer Forensics, Computer Crime Scene Investigation, John R. Vacca, Charles River Media Inc
[5] Forensic Computing, A Practitioner's Guide, Tony Sammes and Brian Jenkinson, Springer.
[6] Mark Pollitt, Computer Forensics: An Approach to Evidence in Cyberspace, http://www.digitalevidencepro.com/Resources/Approach.pdf