
DEPARTMENT OF COMPUTER SCIENCE
FACULTY OF PHYSICAL SCIENCE
UNIVERSITY OF BENIN
BENIN CITY

SEMINAR PRESENTATION ON COMPUTER FORENSIC INVESTIGATION

BY

AWOWO SAMUEL
PSC1113593

JULY 31ST 2015

CERTIFICATION
I hereby certify that the department seminar presentation COMPUTER FORENSIC INVESTIGATION was presented by Awowo Samuel in the month of JULY 2015 and was accordingly approved.

....................................        ....................
Prof. Mrs F.A. Egbokhare                    Date
Chief Supervisor

....................................        ....................
Dr. V.A. Aladeslu                           Date
Supervisor

....................................        ....................
Dr. F. A. U. Imouokhome (Engr)              Date
Supervisor

....................................        ....................
Mr. E. Nwelih                               Date
Supervisor

....................................        ....................
Mr. K.O. Otokiti                            Date
Supervisor

ACKNOWLEDGEMENT
Thanks be to God, who gave me the grace and strength to attain the desired goal in bringing this seminar research to light.

I am indeed grateful to all my supervisors for their patience and guidance in the supervision of this work, and to the other lecturers in the Department for their intellectual impact.

Lastly, I express my profound gratitude to my parents Rev and Mrs. V.M Awowo, and all who contributed intellectually, morally, spiritually, physically and financially to make this work successful.

TABLE OF CONTENTS
1. Title page
2. Certification
3. Acknowledgement
4. Table of contents
5. Introduction
6. Purpose of computer forensics
7. Classes of forensic investigation
8. What happens when a file is deleted
9. Typical computer forensic investigations
10. Who uses computer forensics
11. Computer forensic software
12. EnCase Forensic
13. Conclusion
14. References

ABSTRACT
This paper provides an introduction to the discipline of Computer Forensics. With computers being involved in an increasing number, and type, of crimes, the trace data left on electronic media can play a vital part in the legal process. To ensure acceptance by the courts, accepted processes and procedures have to be adopted and demonstrated; these are not dissimilar to the issues surrounding traditional forensic investigations. This paper provides a straightforward overview of the three steps involved in the examination of digital media:
* Acquisition of data
* Investigation of evidence
* Reporting and presentation of evidence

INTRODUCTION
Computer Forensics can be defined simply as the process of applying scientific and analytical techniques to computer operating systems and file structures in order to determine the potential for legal evidence. It is the collection, preservation, analysis and presentation of computer-related evidence: determining the past actions that have taken place on a computer system using computer forensic techniques.

PURPOSE OF COMPUTER FORENSICS
Forensics, also known as forensic science, is the application of science to questions that are of interest to the legal profession. Forensics is not limited to analyzing evidence from a murder scene; it can also be applied to technology. As computers are the foundation for communicating and recording information, a new area known as computer forensics, which uses technology to search for computer evidence of a crime, can attempt to retrieve information (even if it has been altered or erased) that can be used in the pursuit of the attacker or criminal.

CLASSES OF FORENSIC INVESTIGATION
Incident Response (Live System Analysis): Live forensics considers the value of the data that may be lost by powering down a system, and collects it while the system is still running. The other objective of live forensics is to minimize the impact on the integrity of data while collecting evidence from the suspect system.

Post-Mortem Analysis: Post-mortem computer forensics analysis is a process that helps determine whether an incident response has failed to adequately contain a threat, and assists in selecting increased security measures. It is critical to understand that post-mortem computer forensics analysis is not the same technical process as forensic incident response. Only when failures occur during the incident response process is there a need for the investigative team to perform post-mortem computer forensics.

Computer Forensic Capabilities
* Recover deleted files
* Find out what external devices have been attached and which users accessed them
* Determine what programs ran
* Recover web pages
* Recover emails and the users who read them
* Recover chat logs
* Determine file servers used
* Discover hidden document history
* Recover phone records and SMS text messages from mobile devices
* Find malware and data collected

TYPICAL INVESTIGATIONS
1. Theft of company secrets (client, customer or employee lists)
2. Employee sabotage
3. Credit card fraud
4. Financial crimes
5. Embezzlement (money or information)
6. Economic crimes
7. Harassment
8. Child pornography
9. Major crimes
10. Identity theft

Media Devices that hold Potential Data
I. Computers and laptops
II. iPads
III. iPods
IV. Smartphones and most other cell phones
V. MP3 music players
VI. Hard drives
VII. Digital cameras
VIII. USB memory devices
IX. PDAs (Personal Digital Assistants)
X. Backup tapes
XI. CD-ROMs and DVDs

WINDOWS OPERATING SYSTEM FILE STORAGE
* File Allocation Table (FAT), exFAT
* New Technology File System (NTFS)
* Master File Table (MFT)

File Allocation Table (FAT): The File Allocation Table file system (FAT) is a cluster-based file system first developed in the mid 1970s. Its later version, FAT32 (released with Windows 95), is still widely used as the format for removable storage devices, largely because it is a convenient way of sharing data between different operating systems. A disadvantage of FAT32 is its maximum file size limit of 4GB. In 2006 Microsoft released exFAT to address this issue and to improve performance on large media. Every file on a FAT hard disk is stored in a directory (folder).

New Technology File System (NTFS): The NTFS file system is what you are likely to encounter on newer hard disks running operating systems like Windows 7 or 2008. Whilst the MFT is more complex, the principle of locating the start of a file and its subsequent storage clusters is essentially the same.

WHAT HAPPENS WHEN A FILE IS DELETED
When a file is deleted, the operating system marks the file name in the MFT with a special character that signifies to the computer that the file has been deleted. The computer now treats the clusters occupied by that file as empty, and therefore as available space in which to store a new file. The actual data that was contained in the file is not deleted; it remains on the hard drive, and the location where that content sits is referred to as unallocated space.

Unallocated space, sometimes called free space, is logical space on a hard drive that the operating system (e.g. Windows) can write to. To put it another way, it is the opposite of allocated space, which is where the operating system has already written files.

COMPUTER FORENSICS APPLICATION
Typical cases include divorce cases that need proof of infidelity or cheating, employees stealing information, and white-collar crime. In the private sector, computer forensic techniques and methodologies are used to investigate electronic break-ins, embezzlement, improper use of computing resources by employees, and theft of trade secrets, among other things. Those in the insurance business may use information retrieved from computer systems to identify fraud in workman's compensation, automobile or personal accident cases, or arson.

Areas where computer forensics is used are:
* Law enforcement
* Military
* University programs
* Computer security and IT professionals

Law Enforcement: local, state and federal levels; several detectives at local levels; inadequate funding; state police; the FBI's Computer Analysis and Response Team (CART).

Military:
* Test, identify, and gather evidence in the field
* Specialized training in imaging and identifying multiple sources of electronic evidence
* Analyze the evidence for rapid intelligence gathering and responding to security breach incidents
* Desktop and server forensic techniques

University Programs: authenticity of students, result forgery, impersonation, research plagiarism, etc.

Computer Security Professionals and IT Personnel: network traffic, compromised networks, insider threats, disloyal employees, malware, breach of contracts, e-mail fraud/spam, theft of company documents.

FORENSIC PROCESS
Techniques
A number of techniques are used during computer forensics investigations, and much has been written on the many techniques used by law enforcement in particular. See

Cross-drive analysis: A forensic technique that correlates information found on multiple hard drives. The process, still being researched, can be used to identify social networks and to perform anomaly detection.

Live analysis: The examination of computers from within the operating system using custom forensics or existing sysadmin tools to extract evidence. The practice is useful when dealing with Encrypting File Systems, for example, where the encryption keys may be collected and, in some instances, the logical hard drive volume may be imaged (known as a live acquisition) before the computer is shut down.

Deleted files: A common technique used in computer forensics is the recovery of deleted files. Modern forensic software has its own tools for recovering or carving out deleted data. Most operating systems and file systems do not always erase physical file data, allowing investigators to reconstruct it from the physical disk sectors. File carving involves searching for known file headers within the disk image and reconstructing deleted materials.

Stochastic forensics: A method which uses stochastic properties of the computer system to investigate activities lacking digital artifacts. Its chief use is to investigate data theft.

Steganography: One of the techniques used to hide data is steganography, the process of hiding data inside a picture or digital image. An example would be hiding pornographic images of children or other information that a given criminal does not want to have discovered. Computer forensics professionals can fight this by looking at the hash of the file and comparing it to the original image (if available). While the image appears exactly the same, the hash changes as the data changes.

Volatile data: When seizing evidence, if the machine is still active, any information stored solely in RAM that is not recovered before powering down may be lost. One application of "live analysis" is to recover RAM data (for example, using Microsoft's COFEE tool or WindowsSCOPE) prior to removing an exhibit. CaptureGUARD Gateway bypasses Windows login for locked computers, allowing for the analysis and acquisition of physical memory on a locked computer. RAM can be analyzed for prior content after power loss, because the electrical charge stored in the memory cells takes time to dissipate, an effect exploited by the cold boot attack. The length of time that data is recoverable is increased by low temperatures and higher cell voltages. Holding unpowered RAM below -60 °C helps preserve residual data by an order of magnitude, improving the chances of successful recovery. However, it can be impractical to do this during a field examination. Some of the tools needed to extract volatile data, however, require that a computer be in a forensic lab, both to maintain a legitimate chain of evidence and to facilitate work on the machine. If necessary, law enforcement applies techniques to move a live, running desktop computer. These include a mouse jiggler, which moves the mouse rapidly in small movements and prevents the computer from going to sleep accidentally. Usually, an uninterruptible power supply (UPS) provides power during transit. However, one of the easiest ways to capture data is by actually saving the RAM data to disk. Various file systems that have journaling features, such as NTFS and ReiserFS, keep a large portion of the RAM data on the main storage media during operation, and these page files can be reassembled to reconstruct what was in RAM at that time.
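The deletion behaviour described under WHAT HAPPENS WHEN A FILE IS DELETED and the header-based file carving described under Deleted files, as an added Python example that is not part of this seminar paper or of any product named in it. It uses a constructed toy cluster volume (not a real FAT or NTFS layout) and constructed PNG/JPEG samples built around the real magic bytes, and it also covers the failure mode where a later write reuses the freed clusters and destroys the header:

```python
import hashlib
import re

# Constructed toy volume (not a real FAT/NTFS layout): 64 clusters of 16 bytes.
CLUSTER_SIZE, NUM_CLUSTERS = 16, 64

# Real magic bytes that carvers look for: (header, footer) per file type.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}


class ToyDisk:
    """A directory (name -> cluster list), a free-cluster bitmap, and raw bytes."""

    def __init__(self):
        self.data = bytearray(CLUSTER_SIZE * NUM_CLUSTERS)
        self.free = [True] * NUM_CLUSTERS
        self.directory = {}

    def write(self, name, content):
        needed = -(-len(content) // CLUSTER_SIZE)  # ceiling division
        clusters = [i for i, f in enumerate(self.free) if f][:needed]
        if len(clusters) < needed:
            raise OSError("volume full")
        for n, c in enumerate(clusters):
            chunk = content[n * CLUSTER_SIZE:(n + 1) * CLUSTER_SIZE]
            self.data[c * CLUSTER_SIZE:c * CLUSTER_SIZE + len(chunk)] = chunk
            self.free[c] = False
        self.directory[name] = clusters

    def delete(self, name):
        # As with the MFT/FAT behaviour described above: the name entry goes and the
        # clusters are marked free, but the bytes stay on disk as unallocated space.
        for c in self.directory.pop(name):
            self.free[c] = True


def carve(image):
    """Header/footer carving over a raw image; returns (kind, offset, bytes) tuples."""
    image, found = bytes(image), []
    for kind, (header, footer) in SIGNATURES.items():
        for m in re.finditer(re.escape(header), image):
            end = image.find(footer, m.end())
            if end != -1:
                found.append((kind, m.start(), image[m.start():end + len(footer)]))
    return sorted(found, key=lambda f: f[1])


def demo():
    """Delete a PNG, carve it back from unallocated space and verify its hash; then
    show that a new file reusing the freed clusters overwrites the header."""
    png = SIGNATURES["png"][0] + b"\x00\x00\x00\rIHDR" + b"A" * 20 + SIGNATURES["png"][1]
    jpg = SIGNATURES["jpg"][0] + b"\xe0" + b"B" * 30 + SIGNATURES["jpg"][1]
    disk = ToyDisk()
    disk.write("photo.png", png)
    disk.write("notes.txt", b"quarterly numbers, do not share")
    disk.write("scan.jpg", jpg)
    disk.delete("photo.png")
    before = carve(disk.data)
    recovered = [b for k, _, b in before if k == "png"]
    hash_ok = bool(recovered) and hashlib.sha256(recovered[0]).digest() == hashlib.sha256(png).digest()
    disk.write("report.txt", b"C" * 40)  # reuses clusters 0-2, destroying the PNG header
    after = carve(disk.data)
    return {"before": [k for k, _, _ in before], "hash_ok": hash_ok, "after": [k for k, _, _ in after]}


if __name__ == "__main__":
    print(demo())
```

The hash check is the same integrity step the paper describes for steganography: a carved file that hashes to the original's value is byte-identical to it, and a partial overwrite leaves only fragments in slack that a header-based carver cannot find.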
ANALYSIS TOOLS
Common Computer Forensic Software
* ArcSight Logger: automates analysis, alerting, reporting and intelligence of logs and events for IT security, IT operations, IT GRC and log analytics.
* NetWitness Investigator: analyzes network traffic; mainly used by IT professionals, but now law enforcement and other public and private firms use it. It can be downloaded off the internet; I am not sure how reliable it is.
* Quest ChangeAuditor: reports and analyzes what is happening on the network, translating raw data into user-friendly data.
* EnCase and the Forensic Toolkit (FTK) are both accepted in court and mainly used by law enforcement and government agencies. FTK is database driven, so you won't lose work if your computer crashes. Both have a user-friendly interface and can do many of the same things, but EnCase is what most law enforcement agencies choose to use, so that is what I will talk about in the rest of the presentation.

ENCASE FORENSIC

EnCase Forensic works on many operating systems, such as Windows, Linux, Apple iOS, Sun/Oracle Solaris, and supported smartphones.

Capabilities of EnCase Forensic
* Rapidly acquire data from the widest variety of devices
* Unearth potential evidence with disk-level forensic analysis
* Produce comprehensive reports on your findings
* Maintain the integrity of your evidence in a format the courts have come to

Triage
EnCase Forensic gives investigators the ability to quickly view and search potential evidence in order to determine whether further investigation is warranted. Add EnCase Portable and you'll equip your forensic experts and non-experts alike to quickly review information stored on computers in the field in real time, without altering or damaging the information. Let your experts set up specific jobs that let non-experts run them in the field to:
* Perform quick triage
* Identify and eliminate computers that aren't relevant to a case
* Give complete control to the experts as to how non-experts search those computers in the field

Using EnCase Portable to collect potential evidence in the field, you can:
* Instantly view images on the target machine
* Review documents in real time
* Collect only relevant information quickly

Customizable job creation lets you:
* Use keywords, metadata, hash values, and other criteria to perform targeted triage and collection
* Perform memory acquisition
* Perform full-disk imaging

You can choose from multiple configuration options:
* Easy Mode: EnCase Portable can be preconfigured by your expert team members
* Advanced Mode: Expert users can create and edit the configuration of EnCase Portable instantly in the field

Make use of multiple triage and collection modes:
* Live Mode: Lets you collect memory from running computers
* Boot Mode: Enables collection from Macintosh and Linux computers

All metadata is preserved during triage and collection, maintaining evidence integrity. In addition, all data is stored in our court-accepted EnCase evidence format, the most trusted format in the forensic community.

Process

The re-engineered evidence processor lets you:
* Perform more powerful queries
* Process even huge files at speeds faster than any solution in the industry
* Automate tasks
* Create templates based on case profiles
* Readily integrate EnCase Forensic results
* Use even basic team computers to perform processing without additional software or resources

Search
EnCase Forensic gives you the ability to search the tens of thousands of files that exist on a computer with a variety of comprehensive search choices, including:
* GREP
* Conditional
* Boolean
* Word searches

Once you've begun acquiring your potential evidence, EnCase lets you easily analyze the following to determine whether or not a crime may have been committed:
* Where the data originated
* Which type of user activity created the data
* When the data was last accessed

You can quickly bookmark important pieces of potential evidence for quick access and inclusion in reports later in the investigation.

Advanced Analysis

Recover files and partitions, and detect deleted files by parsing event logs, file signature analysis, and hash analysis, even within compound files or unallocated disk space.

Multiple File Viewer Support
View hundreds of file formats in native form, with a built-in Registry viewer and an integrated photo viewer, and see results on a timeline/calendar.

Prioritized Processing
This exclusive capability of EnCase Forensic lets you process a subset of evidence and make it available for analysis more quickly than was ever before possible. You can choose to continue processing or stop processing the remaining evidence while completing your digital investigation.

Case Analyzer Offers Deeper Insight
Case Analyzer lets you see exactly what happened on a computer system, providing higher-level reports of metadata consisting of multiple artifacts joined together, or specific, pre-filtered data that would indicate system activity.

REPORT
Powerful, Flexible Reporting
* Show in detail which information is presented and how, depending on the purpose and target audience of the investigation
* Export information into various file formats as needed for reporting and analysis
* Include relevant evidence, investigator comments, bookmarks, search results, search criteria, pictures, and date and time artifacts, and export them into RTF, PDF, or HTML formats for easy distribution to everyone from fellow investigators to the district attorney's office

With the most powerful, flexible reporting tool of any digital-investigations platform, EnCase Forensic gives you important capabilities that ensure you'll never miss an important comment, bookmark, or other piece of important information when producing and sharing a report. With the reporting capabilities in EnCase Forensic, you can:

Powerful and Highly Customizable
The easy-to-understand templates in EnCase Forensic can be used for any case and any audience. You can fully customize reports with the Report Template Builder, which makes it easy to:
* Tailor a report for your audience
* Define specific case information
* Create custom headers, footers, and title pages
* Apply Microsoft Word styles to any and all sections

CONCLUSION
Computer Forensics helps determine the WHO, WHAT, WHEN, and WHERE related to a computer-based crime or violation. To ensure acceptance by the courts, accepted processes and procedures have to be adopted and demonstrated; these are not dissimilar to the issues surrounding traditional forensic investigations.

REFERENCES
Computer Forensics: InfoSec Pro Guide
http://www.computer-forensics.net/
http://www.law.com/jsp/lawtechnologynews/PubArticleLTN.jsp?id=1202584495563&Product_Review_Encase_Forensic_7&slreturn=20130405160529
http://www.scmagazine.com/best-computer-forensics-tool/article/195999/
http://www.westwood.edu/programs/school-of-technology/computer-forensics-online-degree/law-enforcement-computer-forensics
https://www.ncjrs.gov/pdffiles1/nij/183451.pdf
Security Guide to Network Security Fundamentals