COMPUTER FORENSICS - Presented by: SAKSHI MONGIA, 2808037, CSE 5th SEM

Upload: deaneal

Post on 23-Jan-2015


DESCRIPTION

The presentation covers computer forensics: the process, the tools and their features, and some example scenarios. It gives a good insight into computer forensics.

TRANSCRIPT

Page 1: Computer forensics

COMPUTER FORENSICS

Presented by:
SAKSHI MONGIA, 2808037
CSE, 5th SEM

Page 2: Computer forensics

TOPICS TO BE COVERED

Computer forensics definitions
Need for computer forensics
Cyber crime
Types of computer forensics
Components & steps in computer forensics
Principle of exchange
Brief description of digital evidence
Metadata, slack space, swap files & unallocated space
Forensic server
Initial response
Creating a forensic image
Computer forensic methodology
Computer forensic toolkit
EnCase by Guidance Software
Methods to hide data
Pros & cons of computer forensics

Page 3: Computer forensics

COMPUTER FORENSICS DEFINITIONS

Computer forensics is the process of identifying, preserving, analyzing and presenting evidence in a manner that is legally acceptable.

Computer forensics is the application of computer investigation & analysis in the interest of determining potential legal evidence.

Page 4: Computer forensics

NEED OF COMPUTER FORENSICS

The need for computer forensics in the present age is all the more serious because of advances in the Internet and our dependency on it. People who gain access to computer systems without proper authorization must be dealt with.

Cyber crime rates are accelerating, and computer forensics is the crucial discipline that has the power to impede the progress of these cyber criminals.

Page 5: Computer forensics

AREAS WHERE COMPUTER FORENSICS IS USED MOST

Identity threats
Email theft
Software piracy
Unauthorized access
Data theft
Credit card cloning
Fraud
Hacking
Cyber terrorism
Copyright violation
Stalking & harassment
Denial of service
Releasing malicious viruses
Computer fraud
Stock manipulation

Page 6: Computer forensics

TYPES OF COMPUTER FORENSICS

Computer forensics is broadly divided into five categories, namely:

Disk forensics
Network forensics
Email forensics
Internet forensics
Source code/portable device forensics

Page 7: Computer forensics

COMPONENTS OF COMPUTER FORENSICS PROCESS

Identifying (Acquisition)
Collecting
Preserving
Analyzing
Extracting
Documenting
Presenting

Page 8: Computer forensics

STEPS IN COMPUTER FORENSICS PROCESS

Open a case
Acquire the evidence
Create a forensic image
Index & catalogue the evidence
Analyze the data (evidence)
Save evidence to a viewable drive
Create a report of findings
Submit your report of findings as admissible evidence in legal proceedings

Page 9: Computer forensics
Page 10: Computer forensics

FIRST THING TO BE DONE AT CRIME SCENE

When seizing a stand-alone computer at the crime scene:

If the computer is “POWERED OFF”, do not turn it ON.

If the computer is “POWERED ON”, do not turn it OFF & do not allow any suspect or associate to touch it.

Page 11: Computer forensics

COMPONENTS OF INVESTIGATION PROCESS

Page 12: Computer forensics

PRINCIPLE OF EXCHANGE

“..when a person commits a crime something is always left at the scene of the crime that was not present when the person arrived.”

Page 13: Computer forensics

TYPES OF DIGITAL EVIDENCE

Volatile: any data that is stored in memory or exists in transit and will be lost when the computer is turned off.

Volatile data might be key evidence, so it is important that if the computer is on at the scene of the crime it remain on.

Persistent: data that is stored on a hard drive or another medium and is preserved when the computer is turned off.

Page 14: Computer forensics

DIGITAL EVIDENCE

Some forms of digital evidence are:

Present / Active (docs, spreadsheets, images, email, etc.)
Archive (including backups)
Deleted (in slack and unallocated space)
Temporary (cache, print records, Internet usage records, etc.)
Encrypted or otherwise hidden
Compressed or corrupted

Page 15: Computer forensics

NATURE OF DIGITAL EVIDENCE

DIGITAL EVIDENCE is fragile.

DIGITAL EVIDENCE is easily altered if not handled properly. Simply turning a computer on or operating the computer changes and damages evidence.

Even the normal operation of the computer can destroy computer evidence that might be lurking in unallocated space, file slack, or in the Windows swap file.

Page 16: Computer forensics

GUIDELINES FOR SEIZING DIGITAL EVIDENCE

1. Before touching the computer, place an unformatted or blank floppy disk or attach an external device to copy all the data, and write detailed notes about what is on the computer’s screen.

Page 17: Computer forensics

GUIDELINES FOR SEIZING DIGITAL EVIDENCE

2. Photograph the back of the computer & everything that is connected to it.

3. Photograph and label the back of any computer components with existing connections to the computer.

Page 18: Computer forensics

GUIDELINES FOR SEIZING DIGITAL EVIDENCE

o If you do not have a computer specialist on the scene, the safest way to turn off a computer is to pull the plug from the back of the computer.

o Disconnect all power sources; unplug the power cords from the wall and the back of the computer. Notebook computers may need to have their battery removed.

Page 19: Computer forensics

SOME IMPORTANT DIGITAL EVIDENCE

The following digital evidence is always found on a crime scene system & is the most important part of the investigation. It includes:

Metadata
Slack space
Swap files
Unallocated space

Page 20: Computer forensics

WHAT IS METADATA?

Metadata is data about data. Metadata is information embedded in the file itself that contains information about the file.

Metadata does contain useful information about a file, but it is limited.

Examples:
Author
File name, size, location
File properties
Possibly revision comments, etc.

Page 21: Computer forensics

SLACK SPACE

Space not occupied by an active file, but not available for use by the operating system.

Every file in a computer fills a minimum amount of space. Slack space results when file systems create a cluster (Windows) or block (Linux) but do not necessarily use the entire fixed-length space that was allocated.

Clusters are formed because of the collection of garbage and dangling references.

Page 22: Computer forensics

EXAMPLE OF SLACK SPACE GENERATION

Page 23: Computer forensics

SWAP FILES

The swap file is a hidden system file that is used for virtual memory when there is not enough physical memory to run programs.

Space on the hard drive is temporarily swapped with the RAM as programs are running.

This swap file contains portions of all documents and other material a user produces while using the computer.

Page 24: Computer forensics

UNALLOCATED SPACE

When a user deletes a file, it is flagged as no longer needed, but it remains on the system until it is overwritten.

The remaining files are in unallocated disk space, where clusters/blocks are not assigned but may contain data.
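The slack-space and unallocated-space slides above describe the same mechanism, so here is one added example (not from the presentation) that shows both on a constructed toy file system: a 30-byte "secret" is written, deleted, and partially overwritten by a 4-byte memo; the rest of the secret survives in the memo's slack and in the free clusters. The 16-byte CLUSTER, TinyDisk class and file contents are all constructed for the demonstration.

```python
# Added example: toy cluster-allocated disk showing slack and unallocated space.
# CLUSTER is a constructed 16-byte cluster (real ones are typically 4096 bytes).
CLUSTER = 16


class TinyDisk:
    """Flat byte array divided into fixed-size clusters, like a FAT/NTFS volume."""

    def __init__(self, clusters):
        self.raw = bytearray(CLUSTER * clusters)
        self.files = {}                  # name -> (first_cluster, logical_size)
        self.free = list(range(clusters))

    def write(self, name, data):
        """Allocate whole clusters; the tail of the last cluster is NOT wiped."""
        needed = (len(data) + CLUSTER - 1) // CLUSTER
        for i in range(len(self.free) - needed + 1):
            run = self.free[i:i + needed]
            if run[-1] - run[0] == needed - 1:   # contiguous free run found
                break
        else:
            raise OSError("disk full")
        self.free = [c for c in self.free if c not in run]
        start = run[0] * CLUSTER
        self.raw[start:start + len(data)] = data
        self.files[name] = (run[0], len(data))

    def delete(self, name):
        """Only the directory entry goes away; the bytes stay until overwritten."""
        first, size = self.files.pop(name)
        count = (size + CLUSTER - 1) // CLUSTER
        self.free = sorted(self.free + list(range(first, first + count)))

    def slack(self, name):
        """Bytes between the end of the file's data and the end of its last cluster."""
        first, size = self.files[name]
        end_of_data = first * CLUSTER + size
        end_of_cluster = ((end_of_data + CLUSTER - 1) // CLUSTER) * CLUSTER
        return bytes(self.raw[end_of_data:end_of_cluster])

    def unallocated(self):
        """Contents of every free cluster, including leftovers of deleted files."""
        return b"".join(bytes(self.raw[c * CLUSTER:(c + 1) * CLUSTER]) for c in self.free)


def scenario():
    """Constructed case: a deleted secret partially overwritten by a short memo."""
    disk = TinyDisk(4)
    disk.write("secret.txt", b"PIN=0420;CARD=4111111111111111")  # 30 bytes, 2 clusters
    disk.delete("secret.txt")
    disk.write("memo.txt", b"memo")      # reuses cluster 0 but writes only 4 bytes
    return disk
```

After scenario(), the memo's slack still reads "0420;CARD=41" and the free clusters still hold the rest of the card number, which is exactly what an examiner's slack and unallocated-space search recovers.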

Page 25: Computer forensics

BEGINNING OF INVESTIGATION PROCESS OR PLAN OF ACTION

Page 26: Computer forensics

TYPES OF INVESTIGATION PROCESS

PHYSICAL INVESTIGATION

It includes identifying or locating physical evidence, such as removal of computer hardware or making attempts to reach connected physical devices.

LOGICAL INVESTIGATION

It is referred to as digital investigation; it means analyzing files & data in the system. It requires a well-defined security policy.

Page 27: Computer forensics

THIS IS A FORENSIC SERVER

Page 28: Computer forensics

WHAT IS A FORENSIC SERVER?

A forensic server is a system which contains forensic toolkits for investigation, with dual-bootable Windows/Linux installed.

The activities performed in a forensic analysis may easily tax the average computer.

It is desirable to have as much physical RAM as possible, a fast processor, and enough drive space to hold the operating system, several forensic tools, and all of the forensic images collected from the subject’s computer.

Page 29: Computer forensics

ARRIVING AT THE SCENE: THE INITIAL RESPONSE

The first activity performed by law enforcement at a physical crime scene is to restrict access by surrounding the crime scene with yellow tape.

The second rule is to document the crime scene and all activities performed.

Bag-and-tag all potential evidence.

Search for ‘sticky notes’ or any other written documentation near the computer.

Take any computer manuals in case they are needed for reference back at the forensics lab.

Page 30: Computer forensics

CREATING A FORENSIC IMAGE

The first step after acquiring digital evidence is to create an exact physical copy of the evidence. This copy is often called a bit-stream image, forensic duplicate, or forensic image. Creating a forensic image is important from a legal standpoint: courts look favorably upon forensic images because they demonstrate that all of the evidence was captured.

Page 31: Computer forensics

COMPUTER FORENSICS METHODOLOGY

Shut down the computer.
Document the hardware configuration of the system.
Transport the computer system to a secure location.
Make bit-stream backups of hard disks and floppy disks.
Mathematically authenticate data on all storage devices.
Document the system date and time.
Make a list of key search words.
Evaluate the Windows swap file.
Evaluate file slack.
Evaluate unallocated space.

Page 32: Computer forensics

COMPUTER FORENSICS METHODOLOGY (CONT.)

Search file slack and unallocated space for key words.
Document file names, dates and times.
Identify file, program and storage anomalies.
Evaluate program functionality.
Document every activity and finding.
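The "create a forensic image" slide and the "make bit-stream backups" / "mathematically authenticate data" methodology steps above fit together as one procedure, shown here as an added example (not from the presentation). An in-memory constructed byte string stands in for the seized drive; a real acquisition reads the device through a hardware write blocker and the three hashes go into the chain-of-custody notes.

```python
# Added example: bit-stream acquisition with SHA-256 authentication of the image.
import hashlib
import io

BLOCK = 4096


def image_device(src, dst):
    """Copy src to dst byte for byte, hashing the stream as it is acquired.
    Returns (bytes_copied, sha256_hexdigest) for the acquisition record."""
    h = hashlib.sha256()
    copied = 0
    for block in iter(lambda: src.read(BLOCK), b""):
        h.update(block)
        dst.write(block)
        copied += len(block)
    return copied, h.hexdigest()


def sha256_of(stream):
    """Independent re-hash from the start of a stream, for post-acquisition verification."""
    stream.seek(0)
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(BLOCK), b""):
        h.update(block)
    return h.hexdigest()


def acquire_and_verify(device_bytes):
    """Image a constructed in-memory device and build the authentication record."""
    src, img = io.BytesIO(device_bytes), io.BytesIO()
    copied, acquisition_hash = image_device(src, img)
    record = {
        "bytes": copied,
        "acquisition_hash": acquisition_hash,   # hash of what was read from the device
        "image_hash": sha256_of(img),           # hash of what landed in the image file
        "source_hash": sha256_of(src),          # re-read of the device after imaging
        "image": img.getvalue(),
    }
    # All three must agree, or the image cannot be presented as an exact copy.
    record["verified"] = (record["acquisition_hash"] == record["image_hash"]
                          == record["source_hash"])
    return record


# Constructed device: a boot-sector stand-in, a live file, and a deleted-file remnant.
FAKE_DEVICE = (b"BOOT" + b"\x00" * 508
               + b"active-document-text".ljust(512, b"\x00")
               + b"remnant of deleted file".ljust(512, b"\x00"))
```

Flipping a single bit in the device changes every hash, which is why the verification record, not the copy itself, is what demonstrates to a court that all of the evidence was captured unchanged.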

Page 33: Computer forensics

COMPUTER FORENSIC TOOLKITS

EnCase by Guidance Software
Forensic Tool Kit (FTK) by AccessData
SMART by ASR Data
The Sleuth Kit (TSK)
ProDiscover by Technology Pathways
The Image Master
Data and password recovery toolkit
Maresware by Mares & Associates
DataLifter by StepaNet Communications

Page 34: Computer forensics

EnCase BY GUIDANCE SOFTWARE

EnCase is considered the leader in stand-alone forensic analysis. This means it is a bundled software package that provides multiple forensic tools within the box.

EnCase is Windows-based and can acquire and analyze data using the local or network-based versions of the tool.

EnCase can analyze many file system formats, including FAT, NTFS, Ext2/3, CD-ROMs, and DVDs. EnCase also supports Microsoft Windows dynamic disks.

Page 35: Computer forensics

EnCase BY GUIDANCE SOFTWARE

EnCase allows you to list the files and directories, recover deleted files, conduct keyword searches, view all graphic images, make timelines of file activity, and use hash databases to identify known files.

It also has its own scripting language, called EnScript, which allows you to automate many tasks.

The EnCase Enterprise Edition is a network-enabled incident response system which offers immediate and complete forensic analysis.

Page 36: Computer forensics

EnCase BY GUIDANCE SOFTWARE

Some of its impressive features are:

Enterprise Edition – centralized monitoring and real-time investigation.
Snapshot – capture of RAM contents, running programs, open files and ports.
Organizes results into a case file & provides case management for multiple cases.
Maintains chain of custody.
Tools for incident response to respond to emerging threats.
Supports real-time and post-mortem investigations.

Page 37: Computer forensics

EnCase BY GUIDANCE SOFTWARE

It consists of three components.

The first of these components is the Examiner software. This software is installed on a secure system where investigations are performed.

The second component is called SAFE, which stands for Secure Authentication of EnCase. SAFE is a server which is used to authenticate users, administer access rights, maintain logs of EnCase transactions, and provide for secure data transmission.

The final component is the Servlet, an efficient software component installed on servers to establish connectivity between the Examiner, SAFE, and the devices being investigated.

Page 38: Computer forensics

ENCASE: DEMONSTRATION

Page 39: Computer forensics

THE FILE IS EITHER LOST OR DELETED….

Page 40: Computer forensics

EnCase Doesn’t Think So

Page 41: Computer forensics
Page 42: Computer forensics

IT’S ALLLLLIVE…………..

Page 43: Computer forensics

CARVING HEADS

Page 44: Computer forensics

THERE IT IS……..

Page 45: Computer forensics

SOME WAYS TO HIDE DATA

Encryption: using a key algorithm to convert plain text into cipher text.

Changing the file extension: changing a .docx to a .jpg file.

Steganography: steganography simply takes one piece of information and hides it within another. Computer files, such as images, sound recordings, and slack space, contain unused or insignificant areas of data.
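The extension-change trick above, and the header-based "carving" shown in the EnCase demonstration slides, both come down to file signatures. Here is an added example (not from the presentation) that flags a file whose extension contradicts its header and carves JPEGs out of a raw byte blob; the signature table uses real, widely documented magic numbers, while the filenames and the UNALLOCATED blob are constructed.

```python
# Added example: signature-based extension mismatch check and naive JPEG carving.

# Real file signatures (magic numbers) and the extensions that legitimately use them.
SIGNATURES = [
    (b"\xff\xd8\xff", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", {"png"}),
    (b"PK\x03\x04", {"zip", "docx", "xlsx", "pptx"}),   # Office Open XML is a ZIP container
    (b"%PDF-", {"pdf"}),
    (b"GIF87a", {"gif"}), (b"GIF89a", {"gif"}),
]
JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"    # start/end-of-image markers


def detect_type(data):
    """Return the set of extensions matching the header, or None if the header is unknown."""
    for magic, exts in SIGNATURES:
        if data.startswith(magic):
            return exts
    return None


def extension_mismatch(filename, data):
    """True when the name's extension contradicts the header (e.g. a .docx renamed to .jpg)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    exts = detect_type(data)
    return exts is not None and ext not in exts


def carve_jpegs(blob):
    """Naive header/footer carving over raw bytes such as unallocated space.
    Limitation: an embedded thumbnail's own EOI marker truncates the outer image."""
    found, pos = [], 0
    while True:
        start = blob.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = blob.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            break
        found.append(blob[start:end + len(JPEG_EOI)])
        pos = end + len(JPEG_EOI)
    return found


# Constructed unallocated-space blob: two fake JPEGs separated by junk.
UNALLOCATED = (b"\x00" * 8 + b"\xff\xd8\xff\xe0JFIF-fake-1\xff\xd9"
               + b"junk" + b"\xff\xd8\xff\xe1Exif-fake-2\xff\xd9" + b"\x00" * 8)
```

A file with an unknown header gets no verdict rather than a false alarm, and a renamed Office document is caught even though the examiner never opens it.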

Page 46: Computer forensics
Page 47: Computer forensics

EXAMPLE : STEGANOGRAPHY

Page 48: Computer forensics

AFTER INVESTIGATION

Page 49: Computer forensics

PROS & CONS OF COMPUTER FORENSICS

Pros:
With its help, we can catch criminals.
Can prevent data theft.
Recovers hidden & deleted files.
Computer forensics ethics keep the investigation process within legal rules & laws.

Cons:
Privacy of the client is compromised.
Some sensitive data or information that is important to the client may be lost in order to find the evidence.
It is an expensive process.

Page 50: Computer forensics

THANK YOU FOR YOUR ATTENTION

ANY QUERIES?