Computer Forensics: An Intro to Computer Crime

Upload: alvin-west

Post on 28-Dec-2015


Page 1

Computer Forensics
An Intro to Computer Crime

Page 2

The BTK Killer (Bind, Torture, Kill)
Dennis Rader - Feb 2005. Charged with committing 10 murders beginning in 1974 in the Wichita, KS area.
"Erased" information on a floppy disk sent to a local TV station was recovered and restored by forensic computer specialists: the deleted Microsoft Word document on the disk still carried metadata naming Christ Lutheran Church, where Dennis Rader was Council President. This, along with other mounting evidence gathered since his last murder in 1991, served to convict him.

Page 3

Computer forensics involves the preservation, acquisition, extraction, analysis, and interpretation of computer data.

Investigators frequently encounter computers and other digital devices in all types of cases.

The most logical place to start examining these practices is with the most common source of electronic evidence: the personal computer.

Page 4

Basic Parts/Key Terms:
• Bit
• Byte
• CPU
• Cluster
• File slack
• HDD
• Hardware
• Message Digest 5 (MD5) / Secure Hash Algorithm (SHA)
• Motherboard
• OS
• Partition
• RAM slack
• RAM
• Sector
• Software
• Swap file
• Temporary File
• Unallocated Space
• Visible Data

Page 5

The Personal Computer
• Hardware
• Software

Page 6

• Power Supply converts power from the wall outlet to a usable format for the computer.
• External Drive: a drive connected outside the case, used to read from and write to removable media.
• CD/DVD Drives are used to store everything from music and video to data files.
• Hard Disk Drive (HDD) is the main storage component in the personal computer.

Page 7

ROM (Read-Only Memory): a class of non-volatile storage used in computers and other electronic devices; it keeps its contents when power is removed and typically holds firmware such as the BIOS.

Motherboard: its basic purpose is to provide the electrical and logical connections by which the other components of the system communicate.

Floppy Disk Drive: used to boot an operating system or to store data. By today's standards, floppies don't hold much data (1.44 MB is typical).

Expansion Bus with expansion slots: the set of wires that carries data from one hardware device to another.

Page 8

CPU (Central Processing Unit): the main chip within the computer, known as the brain of the computer.

RAM (Random-Access Memory): the volatile memory of the computer; when power is turned off, its contents are lost.

Computer Case/Chassis: the physical box holding the fixed internal computer components in place.

Page 9

Input Device – the user side of the computer, e.g. keyboard, mouse, joystick, scanner.

Output Device – equipment through which data is obtained from the computer, e.g. monitor, printer.

HDD – primary storage component in a personal computer. Stores the OS, programs, and data files created by the user.

Page 10

The Operating System is a software program that allows the computer hardware to communicate and operate with the computer software. Without an operating system, a computer would be useless.

Page 11

The Operating System:
• Recognizes input from the keyboard
• Sends output to the display screen
• Keeps track of files and directories on the disk
• Controls peripheral devices such as disk drives and printers

Page 12

• Provides a software platform on top of which other programs, called application programs, run.

Some examples of operating systems are Windows and Linux.

Page 13

Types of HDD
• IDE – Integrated Drive Electronics
• SCSI – Small Computer System Interface
• SATA – Serial ATA

HDDs are formatted or mapped and have a defined layout. They are "logically" divided into sectors, clusters, tracks and cylinders.

Page 14

Sectors are the smallest addressable unit of data on a hard disk drive. They generally consist of 512 bytes (newer "Advanced Format" drives use 4096-byte sectors). Bytes are a group of eight bits. A bit takes the form of either a one or a zero; it is the smallest unit of measurement on a machine. The word bit is short for binary digit.

Clusters are a group of sectors, always a power of two (1, 2, 4, 8 ... sectors). The cluster size varies from file system to file system and is typically the minimum space allocated to a file, so a file that does not fill its last cluster leaves unused space there ("file slack").

Page 15

Other Common Storage Devices
• CD-ROM (CD-R/RW)
• USB thumb drive
• Floppy disks
• Zip disks
• Tapes
• DVD +/-R/RW

Page 16

NIC – Network Interface Card
• Add-on cards that plug into the motherboard
• Hard-wired devices on the motherboard
• Add-on cards for laptops (PCMCIA)
• USB plug-in adapters

Wired (Ethernet) / Wireless (802.11 a/b/g/n)

Page 17

How the HDD is Made Up

Page 18

On each disk or platter there are tracks; these tracks are divided into sectors.

A group of sectors is a cluster.

Clusters always contain a power-of-two number of sectors (1, 2, 4, 8 ...).

Page 19

There are several platters stacked vertically. Tracks are concentric circles defined around each platter, and each track is divided into sectors. Cylinders are groups of tracks that reside directly above and below each other on the stacked platters. Clusters are the file system's grouping of sectors, not a physical feature of the disk.

Each file system tracks where data lives on the disk in its own way.

Page 20

OS – Provides a bridge between the system hardware and the user. It lets the user interact with the hardware and manages the file system and applications.

Partition – a contiguous set of blocks that is defined and treated as an independent disk. After it is partitioned it is formatted (high-level) with a file system, e.g. floppy – FAT12, Windows – FAT32 or NTFS, Linux – ext3, and Mac – HFS+.

Each file system has a different way of storing data.

Page 21

Consider a room full of safe deposit boxes. If a person rents two boxes located at opposite ends of the room, the database tracking the locations of the boxes is much like a file system tracking the location of data within the clusters of a HDD.

If the database managing the locations of the boxes were wiped out, the property in them would still remain; we just wouldn't know what was where! Deleting a file works the same way: the file system's record of the file goes, the data in its clusters stays until something overwrites it.

Page 22

Processing the Electronic Crime Scene
Before an investigator can begin processing the crime scene, he/she must still ensure that the proper legal requirements are present:
• Search warrant (on school property, the school has a say!)
• Consent

The scene must be documented in as much detail as possible. The investigator must make sure not to disturb any evidence before he/she touches the computer.

Page 23

Crime Scene Documentation
Sketching and Photographing:
• Floor plan of the network, overall layout, close-ups of any running computer on the network.
• All the connections to the main frame and peripheral devices, with notation of serial numbers (photos).

EnCase, Forensic Toolkit (FTK), Autopsy – forensic software applications capable of imaging and assisting in the analysis of data.

Page 24

Forensic software comes equipped with a method to obtain forensic images and to compress the data if need be.

Page 25

Investigators must decide whether to:
• Perform a live acquisition of the data
• Perform a system shutdown (e.g. with a server)
• "Pull the plug"
• Use a combination of all three

BEFORE disconnecting:
• Label all peripherals of the computer and the port each one is plugged into
• Use a numbering scheme to identify peripherals if there is more than one computer

Page 26

Forensic Image Acquisition
• Use the least intrusive method to obtain the data without destroying evidentiary data.
• Remove the HDD and place it in a laboratory forensic computer so that a "forensic image" (a bit-for-bit copy) can be created with the original drive attached in read-only mode (through a hardware write blocker).
• Must be able to PROVE there were no writes to the original drive or to the forensic image. Hash values (MD5, SHA) computed on the original and on the image at acquisition time, and re-computed later, are how that proof is made.
• Copy the "empty areas of the drive" too: a forensic image includes unallocated space and slack, not just the files the OS lists.
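The acquisition and hash-verification step described above, as an added example that is not part of the original slides and not the code of any of the named forensic tools. It streams a source "disk" into an image file while hashing the bytes read, then re-hashes the written image independently so the two values can be compared, and finally shows that a single-byte write to the image is caught on re-verification. The source here is a constructed in-memory disk; on a real case it would be the write-blocked device node and the image would live on separate evidence media.

```python
"""Forensic image acquisition with hash verification (added example, constructed data)."""
import hashlib
import io
import os
import tempfile

CHUNK = 4096  # read in sector-aligned chunks so a large device never sits fully in RAM


def acquire_image(source, image_path, chunk=CHUNK):
    """Copy `source` (a readable binary stream) to `image_path` bit for bit.

    Returns (md5, sha256) of the bytes read from the source, computed while
    streaming, so the source only has to be read once.
    """
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(image_path, "wb") as out:
        while True:
            block = source.read(chunk)
            if not block:
                break
            md5.update(block)
            sha256.update(block)
            out.write(block)
        out.flush()
        os.fsync(out.fileno())  # make sure the image really reached the disk before hashing it
    return md5.hexdigest(), sha256.hexdigest()


def hash_file(path, chunk=CHUNK):
    """Independently re-hash a file on disk: used once to verify the fresh image
    against the source hashes, and again later to prove the image is unchanged."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def verify_image(image_path, expected):
    """True if the image's current hashes equal the hashes recorded at acquisition."""
    return hash_file(image_path) == expected


def demo():
    """Acquire a constructed 64 KiB 'disk', verify the image, then show that a
    single modified byte is detected. Returns (verified_after_acquisition,
    verified_after_tamper), expected (True, False)."""
    fake_disk = bytearray(64 * 1024)              # constructed sample source
    fake_disk[0:3] = b"\xeb\x3c\x90"              # typical x86 boot-sector jump
    fake_disk[510:512] = b"\x55\xaa"               # boot signature
    fake_disk[4096:4096 + 12] = b"evidence.txt"    # a directory-entry-like name
    fake_disk[8192:8192 + 20] = b"sample file contents"
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "evidence.dd")
        acquired = acquire_image(io.BytesIO(bytes(fake_disk)), image)
        ok_before = verify_image(image, acquired)
        # Simulate an accidental write to the image (e.g. mounted read-write):
        with open(image, "r+b") as f:
            f.seek(8192)
            f.write(b"X")
        ok_after = verify_image(image, acquired)
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo())
```

Two hashes are kept because MD5 alone is no longer collision resistant; recording both lets the examiner answer a challenge to either one. The hashes are written into the case notes at acquisition time, and every later verification is a re-computation over the whole image, never a comparison of stored values alone.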

Page 27

Analysis of Electronic Data – depends on the skill of the computer forensic technologist.

Most Common Types of Evidentiary Data
• Visible Data – all data that the OS is presently aware of and that is thus readily accessible to the user.
• Data/Work Product Files – data from any software program. In white-collar crimes this means MS Word or WordPerfect, Excel, Peachtree or QuickBooks, etc. A suspect's computer may contain valuable information in these files, such as bank account records, counterfeiting pictures, and questionable e-mails.

Page 28

Swap File Data – a file or defined space on the HDD used to extend RAM. Data is paged or swapped to this file or space to free up RAM for use by the applications that are open, so fragments of whatever was in memory (documents, passwords, chat text) can be found there.

Temporary Files – files temporarily written by an application to perform a function, or a backup copy made while working on a project. Some are written automatically as a program runs without the user telling the program to "save".

Page 29

Swap files, temporary files, and print spools (data sent to a printer) can all be used to recover data not easily accessible to the average user and usually, even the suspect.

Page 30

Latent Data – areas of files and disks that are typically not apparent to the computer user, and sometimes not to the OS, but which contain data all the same. Examples:
• Slack space (file slack and RAM slack)
• Unallocated space
• Defragmented space
• Swap files and swap space
• Deleted files
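Slide 14 says a cluster is the minimum space allocated to a file, and the latent-data list above names slack space and unallocated space as places that data survives. The following is an added example, not from the original slides: it builds a constructed toy volume of fixed-size clusters, writes a file, "deletes" it by dropping its allocation-table entry (the safe-deposit-box database of slide 21), writes a smaller file over the start of that space, and then carves the old data back out of the new file's slack and out of the unallocated clusters. Sector and cluster sizes are deliberately tiny for readability; real volumes use e.g. 4096-byte clusters of eight 512-byte sectors, and the contiguous-allocation rule is a simplification.

```python
"""File slack and unallocated space on a cluster-allocated volume (added example, constructed data)."""
SECTOR = 64                 # bytes per sector (tiny for the demo; real drives use 512 or 4096)
SECTORS_PER_CLUSTER = 2     # clusters are a power of two number of sectors
CLUSTER = SECTOR * SECTORS_PER_CLUSTER
NUM_CLUSTERS = 8


def clusters_needed(size):
    """Number of clusters a file of `size` bytes occupies (ceiling division)."""
    return (size + CLUSTER - 1) // CLUSTER


def slack_bytes(size):
    """Bytes between end-of-file and the end of its last cluster: the file slack."""
    return clusters_needed(size) * CLUSTER - size


class Volume:
    """A cluster-allocated volume: a byte array plus an allocation table."""

    def __init__(self):
        self.data = bytearray(NUM_CLUSTERS * CLUSTER)
        self.alloc = {}  # name -> (first_cluster, size); files are stored contiguously

    def _used(self):
        used = set()
        for first, size in self.alloc.values():
            used.update(range(first, first + clusters_needed(size)))
        return used

    def write(self, name, payload):
        """Allocate the first free run of clusters and write the payload. Only
        len(payload) bytes are written; whatever was already in the rest of the
        last cluster is left untouched and becomes the new file's slack."""
        need = clusters_needed(len(payload))
        used = self._used()
        for first in range(NUM_CLUSTERS - need + 1):
            if not any(c in used for c in range(first, first + need)):
                break
        else:
            raise OSError("volume full")
        off = first * CLUSTER
        self.data[off:off + len(payload)] = payload
        self.alloc[name] = (first, len(payload))

    def delete(self, name):
        """Deleting only drops the allocation-table entry; the clusters are not wiped."""
        del self.alloc[name]

    def file_slack(self, name):
        """Bytes in the file's last cluster past end-of-file: visible in a raw view
        of the cluster, never returned when the OS reads the file."""
        first, size = self.alloc[name]
        end = first * CLUSTER + size
        last_cluster_end = (first + clusters_needed(size)) * CLUSTER
        return bytes(self.data[end:last_cluster_end])

    def unallocated(self):
        """Raw contents of every cluster no file currently owns."""
        used = self._used()
        return b"".join(bytes(self.data[c * CLUSTER:(c + 1) * CLUSTER])
                        for c in range(NUM_CLUSTERS) if c not in used)


def demo():
    """Old file deleted, smaller new file written over the start of its space.
    Returns (slack_of_new_file, contents_of_unallocated_clusters)."""
    v = Volume()
    old = b"A" * 100 + b"OLD-SECRET-LINE " * 20   # 420 bytes -> 4 clusters (0-3)
    v.write("report.doc", old)
    v.delete("report.doc")                          # clusters 0-3 unallocated, data intact
    v.write("note.txt", b"hello")                   # 5 bytes -> cluster 0, 123 bytes of slack
    return v.file_slack("note.txt"), v.unallocated()


if __name__ == "__main__":
    slack, free = demo()
    print(len(slack), slack[-28:])
    print(len(free), free[:32])
```

The slack of `note.txt` is the old report's bytes 5 to 127, and clusters 1 to 3 still hold the rest of it; a normal directory listing shows only the five-byte note. This is why an image must copy the "empty areas of the drive" and why a wiping tool has to overwrite whole clusters, not just file contents.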

Page 31

Deleted Files
When files are deleted, they still remain on the hard drive. On FAT file systems the first byte of the file's directory entry is replaced with 0xE5, which the old DOS code page displays as the Greek letter sigma (σ); the rest of the entry (name, starting cluster, size) and the file's data are untouched until reused. NTFS likewise only marks the file's record as unused.

This renders the file inaccessible to the average user.

Forensic scientists have programs that can read these entries and recover the files to obtain evidence.
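How that sigma-marked entry is read back, as an added example that is not part of the original slides and not the code of any named forensic tool. It builds a constructed minimal FAT-style volume (a directory region of 32-byte entries plus a data region of 512-byte clusters; the field offsets follow the real FAT directory-entry layout, but there is no boot sector or FAT table), walks the directory listing live and deleted entries, and pulls the deleted file's bytes straight from its starting cluster. Contiguous storage is assumed, which is the same assumption a simple undelete tool has to make when the cluster chain is gone.

```python
"""Recovering a deleted file from a FAT-style directory (added example, constructed data)."""
import struct

CLUSTER = 512
ENTRY = 32
DELETED = 0xE5          # first byte of a deleted entry (sigma in code page 437)
ATTR_ARCHIVE = 0x20


def make_entry(name83, first_cluster, size, deleted=False):
    """Build a 32-byte FAT directory entry. name83 is 'NAME    EXT' (11 bytes)."""
    raw = bytearray(ENTRY)
    raw[0:11] = name83.encode("ascii")
    raw[11] = ATTR_ARCHIVE
    struct.pack_into("<H", raw, 26, first_cluster)   # first cluster (low word)
    struct.pack_into("<I", raw, 28, size)            # file size in bytes
    if deleted:
        raw[0] = DELETED                             # all that a delete changes here
    return bytes(raw)


def parse_directory(region):
    """Yield a dict per used entry; a 0x00 first byte marks end of directory."""
    for off in range(0, len(region), ENTRY):
        e = region[off:off + ENTRY]
        if e[0] == 0x00:
            break
        name = e[0:8].decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        deleted = e[0] == DELETED
        if deleted:
            name = "?" + name[1:]      # first character is gone from the entry itself
        yield {
            "name": f"{name}.{ext}" if ext else name,
            "deleted": deleted,
            "first_cluster": struct.unpack_from("<H", e, 26)[0],
            "size": struct.unpack_from("<I", e, 28)[0],
        }


def read_file(data_region, entry):
    """Read a file's bytes assuming its clusters are contiguous (true for many
    small, never-fragmented files; a real tool follows the FAT chain when it exists)."""
    start = entry["first_cluster"] * CLUSTER
    return bytes(data_region[start:start + entry["size"]])


def build_sample_volume():
    """Constructed sample: one live file and one deleted file whose data is intact."""
    data = bytearray(8 * CLUSTER)
    live = b"Quarterly numbers: all normal.\n"
    secret = b"Transfer 40,000 to the offshore account on Friday.\n"
    data[1 * CLUSTER:1 * CLUSTER + len(live)] = live
    data[2 * CLUSTER:2 * CLUSTER + len(secret)] = secret
    directory = (make_entry("REPORT  TXT", 1, len(live))
                 + make_entry("PLAN    DOC", 2, len(secret), deleted=True)
                 + bytes(ENTRY))                     # 0x00 terminator
    return directory, data


def undelete_all(directory, data):
    """Return {name: contents} for every deleted entry (data assumed not yet reused)."""
    return {e["name"]: read_file(data, e)
            for e in parse_directory(directory) if e["deleted"]}


if __name__ == "__main__":
    d, blob = build_sample_volume()
    for entry in parse_directory(d):
        print(entry)
    print(undelete_all(d, blob))
```

The recovered name comes back as `?LAN.DOC` because the only byte the delete destroyed is the first character; the data is complete because nothing has reused cluster 2 yet. Once another file is written there, the entry still says "deleted file of this size starting at cluster 2" but the bytes returned are the new file's, which is why the recovered content must always be checked against what the entry claims rather than trusted.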

Page 32

Files saved on a computer are rarely ever completely gone.

Forensic scientists can recover a plethora of data from a hard drive even after it has been deleted, defragmented, or reformatted (a quick format rewrites only the file system structures, not the data). Only overwriting the underlying sectors actually destroys the data.

This data can be used to incriminate or to exonerate the suspect.