3. WHAT IS COMPUTER FORENSICS
A process of applying scientific and analytical techniques to
computer Operating Systems and File Structures to
determining the potential Legal Evidence.
4. IT IS THE PRACTICE OF LAWFULLY ESTABLISHING
EVIDENCE AND FACTS.
This is science involving legal evidence THAT IS FOUND IN
DIGITAL STORAGE MEDIUMS AND IN COMPUTERS.
Subdivisions: -
DISK FORENSICS
Network forensics
MOBILE FORENSICS
5. TYPES OF CYBER CRIMES
FORGERY
BREECH OF COMPUTER
SECURITY
FRAUD/THEFT
COPYRIGHT VIOLATIONS
IDENTITY THEFT
THREATS
BURGLARY
HOMICIDE
ADMINISTRATIVE
INVESTIGATIONS
CYBER TERRORISM
SALES AND INVESTMENT
FRAUD
ELECTRONIC FUND TRANSFER
FRAUD
7. SOURCE OF EVIDENCE
SLACK, FREE, SWAP, RECYCLE BIN
EVENT LOGS
REGISTRY
APPLICATION FILES, TEMP FILES
E-MAIL
BROWSER HISTORY AND CACHE
8. DIGITAL EVIDENCE
•“ANY DATA THAT IS RECORDED OR PRESERVED ON ANY MEDIUM IN
OR BY A COMPUTER SYSTEM OR OTHER SIMILAR DEVICE, THAT CAN
BE READ OR UNDERSTAND BY A PERSON OR A COMPUTER SYSTEM
OR OTHER SIMILAR DEVICE. IT INCLUDES A DISPLAY, PRINT OUT OR
OTHER OUTPUT OF THAT DATA.”
9. TYPES OF DIGITAL EVIDENCE
1) PERSISTANT DATA
Meaning data that remains intact when the computer is turned
off. E.G. Hard drives, disk drives and removable storage devices
(such as USB drives or flash drives).
2) VOLATILE DATA,
Meaning data that would be lost if the computer is turned off.
E.G. Deleted files, computer history, the computer's
registry, temporary files and web browsing history.
10. FORENSIC TOOLS
•BLACKLIGHT - Windows, mac and ios forensics analysis software
•INTERNET EVIDENCE FINDER - Forensic tool that recovers
internet related communications (chat, social
networking, webmail, cloud, web history, and more), including
deleted data
•SANS INVESTIGATIVE FORENSICS TOOLKIT (SIFT) - Multi-
purpose forensic operating system
•REGISTRY RECON - Forensics tool that rebuilds windows registries
from anywhere on a hard drive and parses them for deep analysis.
11. MOBILE DEVICE FORENSICS
•CELLEBRITE MOBILE FORENSICS - Universal forensics
extraction device - hardware and software
•MICROSYSTEMATION XRY/XACT - Hardware/software package,
specialises in deleted data
•ELCOMSOFT IOS FORENSIC TOOLKIT (EIFT) - Acquires bit-
precise images of apple ios devices in real time
•ELCOMSOFT PHONE PASSWORD BREAKER - Enables forensic
access to password-protected backups for smartphones and portable
devices based on RIM blackberry and apple ios platforms,
12. FORENSICS PROCEDURES
1) Make a digital copy of the original evidence. Investigators make a
copy of the evidence and work with the copy to reduce the
possibility of inadvertently changing the original evidence.
2) Authenticate that the copy of the evidence. Investigators must verify
the copy of the evidence is exactly the same as the original.
3) Analyze the digital copy. The specific procedures performed in an
investigation are determined by the specific circumstances under
which the investigation is occurring.
13. CREATING A FORENSIC IMAGE
•Use a write blocker to ensure that no data is written back to the
subject’s hard drive
•Connect the disk to forensic server.
•Create the image of disk using commands or specific applications
•Verify the image using md5 sum
14. ANALYSIS OF A FORENSIC IMAGE
•Logical and Physical analysis
•Logical – Conventional way of accessing files using file explorer, image viewers
e.t.c. Analyses allocated space
•Physical – Using hex editors. Analyses unallocated and slack space
• Mount image
• Search for files using keywords, type e.t.c
16. SEARCHING FOR EVIDENCE
•Emails
•Windows swap file - A swap file is virtual memory that is used as an
extension of the computer systems RAM
•Cookies - cookies are pieces of information generated by a web
server and stored in the user's computer, ready for future access
•INDEX.DAT
17. index.dat FILE
•Every time a user uses windows explorer or internet explorer access a
file or web site, digital traces of these activities are placed on the hard
drive.
•index.dat files are binary files
•Pasco is a small open source application that parses the contents of
index.dat files, and outputs the results into a tab delimited file
•Containing informations
Files accessed and opened via windows explorer (rows 4 through 9)
Keywords used in searches over the internet (rows 10 and 11)
Urls visited via internet explorer (rows 12 through 15)
18. WHAT HAPPENS WHEN A FILE IS DELETED..?
Consider fat file system
•Constructed with
1. The boot record is the 1st sector of the disk
2. 1st file allocation table
3. 2nd file allocation table (a backup to the first)
4. Root directory
5. Data area
19. When file is deleted
•The first character of the file’s name in the root directory is changed
to e5h.
•The fat entries are set to 0.
20. COMPUTER FORENSICS METHODOLOGY
1) SHUT DOWN THE COMPUTER
2) DOCUMENT THE HARDWARE CONFIGURATION OF THE
SYSTEM
3) TRANSPORT THE COMPUTER SYSTEM TO A SECURE
LOCATION
4) MAKE BIT STREAM BACKUPS OF HARD DISKS AND
FLOPPY DISKS
5) MATHEMATICALLY VERIFY DATA ON ALL STORAGE
DEVICES
6) DOCUMENT THE SYSTEM DATE AND TIME
7) MAKE A LIST OF KEY SEARCH WORDS
21. 8) EVALUATE THE WINDOWS SWAP FILE
9) EVALUATE FILE SLACK
10) EVALUATE UNALLOCATED SPACE (ERASED FILES)
11) SEARCH FILES, FILE SLACK AND UNALLOCATED
SPACE FOR KEY WORDS
12) DOCUMENT FILE NAMES, DATES AND TIMES
13) IDENTIFY FILE, PROGRAM AND STORAGE ANOMALIES
14) EVALUATE PROGRAM FUNCTIONALITY
15) DOCUMENT YOUR FINDINGS
23. WHO USES COMPUTER FORENSICS
CRIMINAL PROSECUTORS
RELY ON EVIDENCE OBTAINED FROM A COMPUTER TO
PROSECUTE SUSPECTS AND USE AS EVIDENCE.
CIVIL LITIGATIONS
PERSONAL AND BUSINESS DATA DISCOVERED ON A COMPUTER
CAN BE USED IN FRAUD, HARASSMENT, OR DISCRIMINATION
CASES.
PRIVATE CORPORATIONS
OBTAINED EVIDENCE FROM EMPLOYEE COMPUTERS CAN BE
USED AS EVIDENCE IN HARASSMENT, FRAUD, AND
EMBEZZLEMENT CASES.
24. LAW ENFORCEMENT OFFICIALS
RELY ON COMPUTER FORENSICS TO BACKUP SEARCH
WARRANTS AND POST-SEIZURE HANDLING.
INDIVIDUAL/PRIVATE CITIZENS
OBTAIN THE SERVICES OF PROFESSIONAL COMPUTER
FORENSIC SPECIALISTS TO SUPPORT CLAIMS OF
HARASSMENT, ABUSE, OR WRONGFUL TERMINATION
FROM EMPLOYMENT.