2. CONTENTS
Definition of Computer Forensics
History of Computer Forensics
Steps Of Computer Forensics
Certifications for Computer Forensic
Computer Forensic Requirements
Collecting Evidence
Uses of Computer forensics
Advantages of Computer Forensics
Disadvantages of Computer Forensics
Computer forensics labs and centers in India
Conclusion
References
3. THE FIELD OF
COMPUTER FORENSICS
What is Computer Forensics?
Computer forensics involves the preservation,
identification, extraction, documentation, and
interpretation of computer media for evidentiary
and root cause analysis
Computer forensics is the process of identifying,
preserving, and analyzing data and technical items
for evidence that will be used in court
4. THE FIELD OF
COMPUTER FORENSICS
Used to obtain potential legal evidence
Evidence might be required for a wide range of computer
crimes and misuses
Multiple methods of computer forensics are:
Discovering data on computer system
Recovering deleted, encrypted, or damaged file information
Monitoring live activity
Detecting violations of corporate policy
Information collected assists in arrests, prosecution,
termination of employment, and preventing future illegal
activity
5. THE FIELD OF
COMPUTER FORENSICS
Example:-
Recovering thousands of deleted emails
Performing investigation post employment
termination
Recovering evidence post formatting hard
drive
6. HISTORY OF COMPUTER
FORENSICS
1970s
First crime cases involving computers, mainly financial fraud
1980s
Financial investigators and courts realize that in some cases all the records and evidence were
only on computers.
Norton Utilities, “Un-erase” tool created
Association of Certified Fraud Examiners began to seek training in what became computer
forensics
SEARCH High Tech Crimes training created
Regular classes began to be taught to Federal agents in California and at FLETC in Georgia
HTCIA formed in Southern California
7. HISTORY OF COMPUTER
FORENSICS
1984
FBI Magnetic Media Program created... this later becomes the
Computer Analysis and Response Team (CART)
1993
First International Conference on Computer Evidence held
1995
International Organization on Computer Evidence (IOCE)
formed
8. HISTORY OF COMPUTER
FORENSICS
1997
The G8 countries declared that "Law enforcement personnel
must be trained and equipped to address high-tech crimes" in
the Moscow
1998
In March G8 appointed IICE to create international
principles for the procedures relating to digital evidence
1998
INTERPOL Forensic Science Symposium
9. HISTORY OF COMPUTER
FORENSICS
1999
FBI CART case load exceeds 2000 cases,
examining 17 terabytes of data
2000
First FBI Regional Computer Forensic Laboratory
established
2003
FBI CART case load exceeds 6500 cases,
examining 782 terabytes of data
10. STEPS OF COMPUTER
FORENSICS
According to many professionals, Computer Forensics is a four (4) step process
Acquisition
Physically or remotely obtaining possession of the computer, all network
mappings from the system, and external physical storage devices
Identification
This step involves identifying what data could be recovered and
electronically retrieving it by running various Computer Forensic tools and
software suites
11. STEPS OF COMPUTER
FORENSICS
Evaluation
Evaluating the information/data recovered to
determine if and how it could be used against the
suspect for employment termination or prosecution
in court
Presentation
This step involves the presentation of evidence discovered in a manner
which is understood by lawyers and non-technical staff/management, and is
suitable as evidence as determined by United States and internal laws
12. CERTIFICATION FOR COMPUTER
INVESTIGATIVE SPECIALISTS
CEECS (Certified Electronic Evidence Collection Specialist Certification)
Awarded to individuals who complete the CEECS regional
certification course
Also awarded to individuals in the Certified Forensic
Computer Examiner course that successfully pass the written
test
13. CERTIFICATION FOR
FORENSIC COMPUTER
EXAMINER
Internal Certification Training Program
Must successfully complete a two-week training course offered
by IACIS and correspondence proficiency problems
External Certification Testing Process
Not a training course
Testing process
Active Law Enforcement
Individuals qualified for IACIS membership
Recertification
Every three years must complete recertification process
Must be in good standing with IACIS
Complete proficiency test
14. A COMPUTER FORENSIC
SPECIALIST PROMISES TO:
Not delete, damage or alter any evidence
Protect the computer and files against a virus
Handle all evidence properly to prevent any future damage
Keep a log of all work done and by whom
Keep any Client-Attorney information that is gained confidential
15. COMPUTER FORENSIC
REQUIREMENTS
Hardware
Familiarity with all internal and external devices/components of
a computer
Thorough understanding of hard drives and settings
Understanding motherboards and the various chipsets used
Power connections
Memory
BIOS
Understanding how the BIOS works
Familiarity with the various settings and limitations of the BIOS
16. COMPUTER FORENSIC
REQUIREMENTS
Operating Systems
Windows 3.1/95/98/ME/NT/2000/2003/XP
DOS
UNIX
LINUX
Software
Familiarity with most popular software packages
such as MS Office
Forensic Tools
Familiarity with computer forensic techniques and the
software packages that could be used
17. COLLECTING EVIDENCE
Make exact copies of all hard drives and disks using computer software
Date and time stamped on each file; used for timeline
Protect the computer system
Avoid deletion, damage, viruses and corruption
Discover files
Normal files
Deleted files
Password-protected files
Hidden files
Encrypted files
Reveal all contents of hidden files used by application and operating system
Access contents of password-protected files if legally able to do so
Analyze data
Print out analysis
Computer system
All files and data
Overall opinion
Provide expert consultation/testimony
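The "exact copies" and "date and time stamped on each file; used for timeline" steps, as an added example that is not part of the original slides: a SHA-256 digest shows whether a working copy is bit-identical to the source, and file modification times are sorted into a timeline. All file names, contents and timestamps below are constructed sample data.

```python
import hashlib, os, shutil, tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large disk images never sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_copy(source, copy):
    """An exact copy has the same digest as its source; one altered byte changes it."""
    return sha256_file(source) == sha256_file(copy)

def build_timeline(root):
    """Return (UTC modified time, relative path, sha256) tuples, oldest first."""
    rows = []
    for folder, _, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            stamp = datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)
            rows.append((stamp.isoformat(), os.path.relpath(path, root), sha256_file(path)))
    return sorted(rows)

def run_constructed_case():
    """Constructed sample: small files stand in for a seized disk and its image."""
    with tempfile.TemporaryDirectory() as work:
        files = os.path.join(work, "files")
        os.mkdir(files)
        for name, data, mtime in [("memo.txt", b"quarterly figures", 1_000_000_000),
                                  ("notes.txt", b"meeting at noon", 946_684_800)]:
            path = os.path.join(files, name)
            with open(path, "wb") as f:
                f.write(data)
            os.utime(path, (mtime, mtime))  # fixed stamps keep the timeline repeatable
        original = os.path.join(work, "disk.img")
        with open(original, "wb") as f:
            f.write(b"\x00" * 4096 + b"constructed image bytes")
        working = shutil.copy2(original, os.path.join(work, "working.img"))
        copy_matches = verify_copy(original, working)
        with open(working, "r+b") as f:     # simulate a single altered byte
            f.write(b"\x01")
        return {"copy_matches": copy_matches,
                "altered_copy_matches": verify_copy(original, working),
                "timeline": build_timeline(files)}

if __name__ == "__main__":
    print(run_constructed_case())
```

Recording the source digest at acquisition time and re-checking it before analysis is what lets an examiner show later that the working copy was not altered.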
18. USES OF COMPUTER
FORENSICS
Criminal Prosecutors
Rely on evidence obtained from a computer to prosecute
suspects and use as evidence
Civil Litigations
Personal and business data discovered on a computer can be
used in fraud, divorce, harassment, or discrimination cases
Insurance Companies
Evidence discovered on a computer can be
used to mitigate costs (fraud, worker’s
compensation, arson, etc.)
19. USES OF COMPUTER
FORENSICS
Private Corporations
Obtained evidence from employee computers can
be used as evidence in harassment, fraud, and embezzlement
cases
Law Enforcement Officials
Rely on computer forensics to back up search warrants and
post-seizure handling
Individual/Private Citizens
Obtain the services of professional computer forensic
specialists to support claims of harassment, abuse, or
wrongful termination from employment
21. DISADVANTAGES OF
COMPUTER FORENSICS
Digital evidence accepted into court
Must prove that there is no tampering
All evidence must be fully accounted for
Computer forensic specialists must have complete knowledge
of legal requirements, evidence handling and storage, and
documentation procedures
22. DISADVANTAGES OF
COMPUTER FORENSICS
Costs
Producing electronic records and preserving them is
extremely costly
Presents the potential for exposing privileged
documents
Legal practitioners must have extensive computer
knowledge
23. COMPUTER FORENSICS LABS
AND CENTERS IN INDIA
1. Cyber College, Dehradun
2. Secure India (A Group of Cyber Security Specialists), Muzaffarnagar, Uttar
Pradesh
3. E2Labs Research & Development Center, Hyderabad, Andhra Pradesh
4. Agape Inc, Nagpur, Maharashtra
5. Appin Technology Lab, Hyderabad, Andhra Pradesh
6. Shoeb Online, Mumbai, Maharashtra
7. ForensicsGuru.com, New Delhi
8. I.TECH COMPUTERS - DATA FORENSICS & DATA
RECOVERY, Mumbai
9. Indiaforensic Center of Studies, Pune
10. Focus Forensics Technology Private Limited, Delhi
24. CONCLUSION
With computers becoming more and more involved
in our everyday lives, both professionally and
socially, there is a need for computer forensics.
This field will enable crucial electronic evidence to
be found, whether it was lost, deleted, damaged, or
hidden, and used to prosecute individuals that
believe they have successfully beaten the system.