
Computer Forensics


COMPUTER FORENSICS Seminar Report

1. INTRODUCTION
1.1 COMPUTER FORENSICS

“Forensic computing is the process of identifying, preserving, analyzing and presenting digital
evidence in a manner that is legally acceptable.” (Rodney McKemmish, 1999).
From the above definition we can clearly identify four components:

IDENTIFYING

This is the process of identifying things such as what evidence is present, where and how it is
stored, and which operating system is being used. From this information the investigator can
identify the appropriate recovery methodologies, and the tools to be used.

PRESERVING

This is the process of preserving the integrity of digital evidence, ensuring the chain of custody
is not broken. The data needs to be preserved (copied) on stable media such as CD-ROM, using
reproducible methodologies. All steps taken to capture the data must be documented. Any
changes to the evidence should be documented, including what the change was and the reason
for the change. You may need to prove the integrity of the data in a court of law.

ANALYSING

This is the process of reviewing and examining the data. The advantage of copying this data
onto CD-ROMs is that it can be viewed without the risk of accidental changes, therefore
maintaining the integrity whilst examining the changes.

PRESENTING

This is the process of presenting the evidence in a legally acceptable and understandable manner.
If the matter is presented in court, the jury, who may have little or no computer experience, must
all be able to understand what is presented and how it relates to the original, otherwise all efforts
could be futile.

vishal.more1@gmail.com

Far more information is retained on the computer than most people realize. It is also more
difficult to completely remove information than is generally thought. For these reasons (and
many more), computer forensics can often find evidence of, or even completely recover, lost or
deleted information, even if the information was intentionally deleted.


2. NEED FOR COMPUTER FORENSICS


2.1 Purpose

Computer forensics exists mainly because of the wide variety of computer crimes that
take place. With present technological advancements, it is common for every organization to
employ the services of computer forensics experts. Computer crimes occur on a small scale
as well as a large scale. The loss caused depends on the sensitivity of
the computer data or the information for which the crime has been committed.

Computer forensics has become vital in the corporate world. Data may be stolen
from an organization, in which case the organization may sustain heavy losses. Computer
forensics is used in such cases because it helps in tracking the criminal.

The need in the present age is all the more severe due to the advancement of the internet
and the dependency on it. People who gain access to computer systems
without proper authorization should be dealt with. Network security is an important issue in
the computer world. Computer forensics is a threat to wrongdoers and people
with negative mindsets.

Computer forensics is also useful where data is stored on a single system for
backup. Data theft and intentional damage to data on a single system can also be
minimized with computer forensics. There are hardware and software that employ
security measures in order to track changes and updates to the data or the information.
The user information recorded in log files can be used effectively to produce
evidence in a legal manner in case of any crime.

The main purpose of computer forensics is to produce evidence in court that can lead to
the punishment of the actual culprit. Forensic science is the process of utilizing
scientific knowledge for the purpose of collection, analysis, and most importantly the
presentation of evidence in a court of law. The word forensic itself means to bring to the
court.

Computer forensics is also needed to ensure the integrity of the computer
system. A system with some small measures in place can avoid the cost of operating and maintaining
the security. The subject provides in-depth knowledge for understanding the legal as well
as the technical aspects of computer crime. It is very useful from a technical standpoint.

The importance of computer forensics is evident in tracking cases of child pornography
and email spamming. Computer forensics has been used efficiently to track down
terrorists in various parts of the world. Terrorists using the internet as a medium of
communication can be tracked down and their plans can be known.

There are many tools that can be used in combination with computer forensics to find out
the geographical information and the hideouts of criminals. The IP address plays an
important role in finding out the geographical position of the terrorists. Security personnel
deploy effective measures using computer forensics. Intrusion Detection Systems
are used for that purpose.

2.2 Why is Computer Forensics Important?

Adding the ability to practice sound computer forensics will help you ensure the overall integrity
and survivability of your network infrastructure. You can help your organization if you consider
computer forensics as a new basic element in what is known as a “defense-in-depth” approach
to network and computer security. For instance, understanding the legal and technical aspects of
computer forensics will help you capture vital information if your network is compromised and
will help you prosecute the case if the intruder is caught.

Two basic types of data are collected in computer forensics.


(a) Persistent data
(b) Volatile data.


2.3 Computer forensics helps the organization in the following ways:-



RECOVER DATA THAT YOU THOUGHT WAS LOST FOREVER:-

Computer systems may crash, files may be accidentally deleted, disks may
accidentally be reformatted, viruses may corrupt files, files may be accidentally overwritten,
and disgruntled employees may try to destroy your files. All of this can lead to loss of your critical
data, but computer forensic experts should be able to employ the latest tools and techniques to
recover your data.


ADVISE YOU ON HOW TO KEEP YOUR DATA AND INFORMATION
SAFE FROM THEFT OR ACCIDENTAL LOSS:-

Business today relies on computers. Your sensitive records and trade secrets are
vulnerable to intentional attacks from, e.g., hackers, disgruntled employees and viruses.
Unintentional loss of data due to accidental deletion or hardware or software crashes is
equally threatening. Computer forensic experts can advise you on how to safeguard
your data by methods such as encryption and back-up.

EXAMINE A COMPUTER TO FIND OUT WHAT ITS USER HAS BEEN DOING:-

Whether you’re looking for evidence in a criminal prosecution, looking for evidence in
a civil suit, or determining exactly what an employee has been up to, your computer forensics
expert should be equipped to find and interpret the clues left behind.

SWEEP YOUR OFFICE FOR LISTENING DEVICES:-

There are various micro-miniature recording and transmitting devices available in today's
hi-tech world. The computer forensic expert should be equipped to conduct thorough
electronic countermeasure (ECM) sweeps of your premises.

HI-TECH INVESTIGATION:-

The forensic expert should have the knowledge and the experience to conduct hi-tech
investigations involving cellular cloning, cellular subscription fraud, s/w piracy, data or
information theft, trade secrets, computer crimes, misuse of computers by employees, or any
other technology issue.

2.4 Advantage of Computer Forensics:-

The main advantage of computer forensics is that it helps catch the culprit or the
criminal who is involved in a computer-related crime.

Computer forensics deals extensively with finding the evidence needed to prove the crime and
identify the culprit behind it in a court of law. Forensics provides the organization with support
and helps it recover its losses.

The major advantage of computer forensics is the
preservation of the evidence that is collected during the process. The protection of evidence
can be considered critical.

Ethicality can be considered an advantage of forensics in computer systems. Lastly,
computer forensics has emerged as an important part of disaster recovery management.

3. COMPUTER FORENSIC METHODOLOGY



3.1 Methods Used:-

According to many professionals, Computer Forensics is a four (4) step process:


Acquisition

Physically or remotely obtaining possession of the computer, all network mappings from the
system, and external physical storage devices.

Identification

This step involves identifying what data could be recovered and electronically retrieving it
by running various Computer Forensic tools and software suites.

Evaluation

Evaluating the information/data recovered to determine if and how it could be used against the
suspect for employment termination or prosecution in court.

Presentation

This step involves the presentation of evidence discovered in a manner which is understood by
lawyers and non-technical staff/management, and suitable as evidence as determined by United
States and internal laws.

3.2 COMPUTER FORENSIC PROCESS:-


As in any investigation, establishing that an incident has occurred is the first key step. Secondly,
the incident needs to be evaluated to determine if computer forensics may be required.
Generally, if the computer incident resulted in a loss of time or money, or the destruction or
compromise of information, it will require the application of computer forensic investigative
techniques. When applied, the preservation of evidence is the first rule in the process. Failure to
preserve evidence in its original state could jeopardize the entire investigation. Knowledge of
how the crime was initiated and committed may be lost for good. Assignment of responsibility
may not be possible if evidence is not meticulously and diligently preserved. The level of
training and expertise required to execute a forensics task will largely depend on the level of
evidence required in the case. If the result of the investigation were limited to administrative
actions against an employee, the requirement would be lower than taking the case to court for
civil or criminal litigation.

3.3 Approach to retrieve the evidence:-

The following steps should be taken:-


3.3.1 Shut Down the Computer

Depending upon the computer operating system involved, this usually involves pulling the plug
or shutting down a network computer using relevant operating system commands. At the option
of the computer specialists, pictures of the screen image can be taken using a camera. However,
consideration should be given to possible destructive processes that may be operating in the
background. These can be resident in memory or available through a modem or network
connection. Depending upon the operating system involved, a time-delayed, password-protected
screen saver may potentially kick in at any moment. This can complicate the shutdown of the
computer. Generally, time is of the essence and the computer system should be shut down or
powered down as quickly as possible.


3.3.2 Document the Hardware Configuration of the System

It is assumed that the computer system will be moved to a secure location where a proper chain
of custody can be maintained and the processing of evidence can begin. Before dismantling the
computer, it is important that pictures are taken of the computer from all angles to document the
system hardware components and how they are connected. Labeling each wire is also important
so that the original computer configuration can be restored. Computer evidence should ideally
be processed in a computer hardware environment that is identical to the original hardware
configuration.

3.3.3 Transport the Computer System to A Secure Location

This may seem basic but all too often seized evidence computers are stored in less than secure
locations. It is imperative that the subject computer is treated as evidence and it should be stored
out of reach of curious computer users. All too often, individuals operate seized computers
without knowing that they are destroying potential computer evidence and the chain of custody.
Furthermore, a seized computer left unattended can easily be compromised. Evidence can be
planted on it and crucial evidence can be intentionally destroyed. A lack of a proper chain of
custody can 'make the day' for a savvy defense attorney. Lacking a proper chain of custody, how
can you say that relevant evidence was not planted on the computer after the seizure? The
answer is that you cannot. Do not leave the computer unattended unless it is locked in a
secure location! NTI provides a program named Seized to law enforcement computer specialists
free of charge. It is also made available to NTI's business and government clients in various
suites of software that are available for purchase. The program is simple but very effective in
locking the seized computer and warning the computer operator that the computer contains
evidence and should not be operated.

3.3.4 Make Bit Stream Backups of Hard Disks and Floppy Disks

The computer should not be operated and computer evidence should not be processed until bit
stream backups have been made of all hard disk drives and floppy disks. All evidence processing
should be done on a restored copy of the bit stream backup rather than on the original computer.
The original evidence should be left untouched unless compelling circumstances exist.
Preservation of computer evidence is vitally important. It is fragile and can easily be altered or
destroyed. Often such alteration or destruction of data is irreversible. Bit stream backups are
much like an insurance policy and they are essential for any serious computer evidence
processing.

3.3.5 Mathematically Authenticate Data on All Storage Devices

You want to be able to prove that you did not alter any of the evidence after the computer came
into your possession. Such proof will help you rebut allegations that you changed or altered the
original evidence. Since 1989, law enforcement and military agencies have used a 32 bit
mathematical process to do the authentication process. Mathematically, a 32 bit data validation
is accurate to approximately one in 4.3 billion. However, given the speed of today's computers
and the vast amount of storage capacity on today's computer hard disk drives, this level of
accuracy is no longer sufficient. A 32 bit CRC can easily be compromised. Therefore,
NTI includes two programs in its forensic suites of tools that mathematically authenticate data
with a high level of accuracy. A large hash value provides a mathematical level of accuracy
that is beyond question. These programs are used to authenticate data at both a physical level
and a logical level. The programs are called CrcMD5 and DiskSig Pro. The latter program was
specifically designed to validate a restored bit stream backup and it is made available free of
charge to law enforcement computer specialists as part of NTI's Free Law Enforcement Suite.
The programs are also included in our various suites of forensic software which are sold to NTI's
clients.
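The authentication step above, as an added example that is not part of the original report and is not NTI's code: it records CRC-32, MD5 and SHA-256 for a constructed stand-in image, re-checks a working copy before and after a one-bit change, and counts how often a 32-bit check value repeats across synthetic 512-byte sectors. SHA-256, the file names and all function names are assumptions of this example.

```python
import hashlib
import os
import shutil
import tempfile
import zlib

CHUNK = 1024 * 1024  # read in 1 MiB pieces so an image of any size can be hashed


def fingerprint(path):
    """Return size, CRC-32, MD5 and SHA-256 of a file, computed in one pass."""
    crc, size = 0, 0
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            crc = zlib.crc32(block, crc)
            md5.update(block)
            sha.update(block)
            size += len(block)
    return {"size": size, "crc32": f"{crc:08x}",
            "md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def verify_copy(recorded, path):
    """Names of the recorded values that no longer match the file at `path`."""
    current = fingerprint(path)
    return [name for name in recorded if recorded[name] != current[name]]


def crc32_collisions(n_sectors):
    """Count synthetic 512-byte sectors whose CRC-32 repeats an earlier sector's.

    Every sector is different, so each repeat is a case where a 32-bit value
    alone could not tell two pieces of data apart.
    """
    seen, collisions = set(), 0
    for i in range(n_sectors):
        sector = hashlib.shake_256(i.to_bytes(8, "big")).digest(512)
        crc = zlib.crc32(sector)
        if crc in seen:
            collisions += 1
        seen.add(crc)
    return collisions


def demo():
    """Fingerprint a constructed image, then verify a clean and an altered copy."""
    with tempfile.TemporaryDirectory() as work:
        original = os.path.join(work, "evidence.img")      # hypothetical names
        copy = os.path.join(work, "working_copy.img")
        with open(original, "wb") as fh:
            fh.write(bytes(range(256)) * 10000)            # constructed 2.5 MB image
        recorded = fingerprint(original)                   # taken at acquisition
        shutil.copyfile(original, copy)
        clean = verify_copy(recorded, copy)
        with open(copy, "r+b") as fh:                      # flip one bit in the copy
            fh.seek(1_500_000)
            byte = fh.read(1)[0]
            fh.seek(1_500_000)
            fh.write(bytes([byte ^ 0x01]))
        tampered = verify_copy(recorded, copy)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean copy mismatches:   ", clean)
    print("altered copy mismatches: ", tampered)
    # About 300,000 sectors is only ~150 MB of data, yet 32-bit values repeat.
    print("CRC-32 repeats in 300,000 sectors:", crc32_collisions(300_000))
```

Record the fingerprint in the case notes at acquisition time and re-run the verification each time the working copy is restored.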

3.3.6 Document the System Date and Time

The dates and times associated with computer files can be extremely important from an evidence
standpoint. However, the accuracy of the dates and times is just as important. If the system clock is
one hour slow because of daylight-saving time, then file time stamps will also reflect the wrong
time. To adjust for these inaccuracies, documenting the system date and time settings at the time
the computer is taken into evidence is essential.

3.3.7 Make a List of Key Search Words

Because modern hard disk drives are so voluminous, it is all but impossible for a computer
specialist to manually view and evaluate every file on a computer hard disk drive. Therefore,
state-of-the-art automated forensic text search tools are needed to help find the relevant
evidence.

3.3.8 Evaluate the Windows Swap File

The Windows swap file is potentially a valuable source of evidence and leads. The evaluation of
the swap file can be automated with several of NTI's forensic tools, e.g., NTA Stealth, Filter_N,
FNames, Filter_G, GExtract and GetHTML. These intelligent filters automatically identify
patterns of English language text, phone numbers, social security numbers, credit card numbers,
Internet E-Mail addresses, Internet web addresses and names of people.

3.3.9 Evaluate File Slack


File slack is a data storage area of which most computer users are unaware. It is a source of
significant 'security leakage' and consists of raw memory dumps that occur during the work
session as files are closed. The data dumped from memory ends up being stored at the end of
allocated files, beyond the reach or the view of the computer user. Specialized forensic tools
are required to view and evaluate file slack and it can provide a wealth of information
and investigative leads. Like the Windows swap file, this source of ambient data can help
provide relevant key words and leads that may have previously been unknown.

3.3.10 Evaluate Unallocated Space (Erased Files)

The DOS and Windows 'delete' function does not completely erase file names or file content.
Many computer users are unaware the storage space associated with such files merely becomes
unallocated and available to be overwritten with new files. Unallocated space is a source of
significant 'security leakage' and it potentially contains erased files and file slack associated
with the erased files. Often the DOS Undelete program can be used to restore the previously
erased files. Like the Windows swap file and file slack, this source of ambient data can help
provide relevant key words and leads that may have previously been unknown to the computer
investigator.

3.3.11 Search Files, File Slack and Unallocated Space for Key Words

The list of relevant key words identified in the previous steps should be used to search all
relevant computer hard disk drives and floppy diskettes. There are several forensic text search
utilities available in the marketplace. NTI's forensic search TextSearch NT can be used for that
purpose and it has been tested and certified for accuracy by the U.S. Department of Defense.
This powerful search tool is also included as part of NTI's suites of software tools.
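Steps 3.3.9 to 3.3.11 on a constructed five-cluster volume, as an added example that is not part of the original report and is not NTI's code: it separates each file's logical content from its slack, collects the unallocated clusters, blanks non-printable bytes and searches every area for key words. The allocation table is a simplified model (a Python list with `None` for free and `-1` for end of chain, both assumptions of this example), and all names and sample data are hypothetical.

```python
CLUSTER = 512          # bytes per cluster in this constructed volume
FREE, EOC = None, -1   # simplified allocation markers, not real FAT values


def pad(data):
    """Fill the rest of a cluster with zero bytes."""
    return data + b"\x00" * (CLUSTER - len(data))


def build_volume():
    """Constructed sample: two live files plus residue from earlier use."""
    report = (b"Quarterly figures, nothing unusual. " * 20)[:700]
    notes = b"Buy toner. Call facilities about the door badge reader."
    old_login = b"\x02\x00user=jsmith\x00password=constructed-example\x1f"
    old_memo = b"\x00\x00deliver the ledgers to the warehouse friday\x00"
    volume = (report[:CLUSTER]
              + pad(report[CLUSTER:] + old_login)   # file tail, then slack
              + pad(b"\xe5" * 16 + old_memo)        # freed cluster, erased memo
              + pad(notes)
              + pad(b""))
    fat = [1, EOC, FREE, EOC, FREE]                 # cluster -> next cluster
    directory = {"REPORT.TXT": (0, 700), "NOTES.TXT": (3, len(notes))}
    return volume, fat, directory


def chain(fat, start):
    """Follow a file's cluster chain, refusing loops and free clusters."""
    clusters, cur = [], start
    while cur != EOC:
        if cur is FREE or cur in clusters or not 0 <= cur < len(fat):
            raise ValueError("corrupt cluster chain")
        clusters.append(cur)
        cur = fat[cur]
    return clusters


def file_content(volume, fat, start, size):
    """Logical file data: what the user sees when opening the file."""
    raw = b"".join(volume[c * CLUSTER:(c + 1) * CLUSTER] for c in chain(fat, start))
    return raw[:size]


def file_slack(volume, fat, start, size):
    """Bytes between the logical end of the file and the end of its last cluster."""
    clusters = chain(fat, start)
    used_in_last = size - (len(clusters) - 1) * CLUSTER
    last = clusters[-1] * CLUSTER
    return volume[last + used_in_last:last + CLUSTER]


def unallocated(volume, fat):
    """All clusters the allocation table marks as free, concatenated."""
    return b"".join(volume[i * CLUSTER:(i + 1) * CLUSTER]
                    for i, entry in enumerate(fat) if entry is FREE)


def printable(data):
    """Replace byte values 0-31 and 127-255 with spaces before searching."""
    return bytes(b if 32 <= b <= 126 else 32 for b in data)


def search(data, keywords):
    """Case-insensitive key word search; returns (keyword, offset) pairs."""
    text, hits = printable(data).lower(), []
    for kw in keywords:
        needle = kw.lower().encode()
        pos = text.find(needle)
        while pos != -1:
            hits.append((kw, pos))
            pos = text.find(needle, pos + 1)
    return hits


def sweep(volume, fat, directory, keywords):
    """Search logical files, file slack and unallocated space separately."""
    areas = {"unallocated": unallocated(volume, fat)}
    for name, (start, size) in directory.items():
        areas["file:" + name] = file_content(volume, fat, start, size)
        areas["slack:" + name] = file_slack(volume, fat, start, size)
    return {area: search(data, keywords) for area, data in areas.items()}


if __name__ == "__main__":
    for area, hits in sorted(sweep(*build_volume(), ["password", "warehouse"]).items()):
        print(f"{area:18} {hits}")
```

Both key words turn up only in slack and unallocated space, which a search limited to the live files would miss.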

3.3.12 Document File Names, Dates and Times

From an evidence standpoint, file names, creation dates, last modified dates and times can be
relevant. Therefore, it is important to catalog all allocated and 'erased' files. NTI includes a
program called File List Pro in its various suites of forensic tools. The File List Pro program
generates its output in the form of a database file. The file can be sorted based on the file name,
file size, file content, creation date, last modified date and time. Such sorted information can
provide a timeline of computer usage.

3.3.13 Identify File, Program and Storage Anomalies

Encrypted, compressed and graphic files store data in binary format. As a result, text data stored
in these file formats cannot be identified by a text search program. Manual evaluation of these
files is required and in the case of encrypted files, much work may be involved. NTI's
TextSearch Plus program has built in features that automatically identify the most common
compressed and graphic file formats. The use of this feature will help identify files that require
detailed manual evaluation. Depending on the type of file involved, the contents should be
viewed and evaluated for its potential as evidence.

3.3.14 Evaluate Program Functionality

Depending on the application software involved, running programs to learn their purpose
may be necessary. NTI's training courses make this point by exposing the students to
computer applications that do more than the anticipated task. When destructive processes
are discovered that are tied to relevant evidence, this can be used to prove willfulness. Such
destructive processes can be tied to 'hot keys' or the execution of common operating commands
tied to the operating system or applications. Before and after comparisons can be made using the
FileList Pro program and/or mathematical authentication programs. All these tools are included
in most of NTI's suites of forensic tools.

3.3.15 Document Your Findings


As indicated in the preceding steps, it is important to document your findings as issues are
identified and as evidence is found. Documenting all of the software used in your forensic
evaluation of the evidence including the version numbers of the programs used is also important.
Be sure that you are legally licensed to use the forensic software.


4. COMPUTER FORENSIC TECHNOLOGY

Computer forensics tools and techniques have proven to be a valuable resource for law
enforcement in the identification of leads and in the processing of computer-related evidence.
Computer forensic tools and techniques have become important resources for use in internal
investigations, civil law suits, and computer security risk management.
Forensic software tools and methods can be used to identify passwords, logons, and other
information that is automatically dumped from the computer memory. Such forensic tools can be
used to tie a diskette to the computer that created it. Some of the tools used are as follows:-

4.1 GetFree - Forensic Data Capture Tool:-

When files are 'deleted' in DOS, Windows, Windows95 and Windows 98, the data associated
with the file is not actually eliminated. It is simply reassigned to unallocated storage space
where it may eventually be overwritten by the creation of new files over time. Such data can
provide the computer forensics investigator with valuable leads and evidence. However, the
same data can create a significant security risk when sensitive data has been erased using DOS,
Windows, Windows 95 and Windows 98 file deletion procedures and commands.

GetFree software is used to capture all of the unallocated file space on DOS, Windows,
Windows 95 and Windows 98 based computer systems. The program can be used to identify
leads and evidence. It is also effectively used to validate the secure scrubbing of unallocated
storage space with programs like NTI's M-Sweep ambient data deletion software.

When GetFree software is used as an investigative tool, it eliminates the need to restore
potentially hundreds or thousands of files on computer hard disk drives and floppy diskettes.
The software was primarily developed as a computer forensic tool for use in computer related
investigations and internal audits. However, GetFree has also proven to be an ideal tool for use
in computer security risk assessments because the software automatically captures the data
associated with unallocated file space. Such data can be reviewed and analyzed using other NTI
forensic tools, e.g., Filter_I, Net Threat Analyzer and Graphics Image File Extractor.

GetFree Software - Primary Uses:

- Calculates the amount of unallocated storage space on a computer storage device.
- Automatically captures all logical unallocated storage space on one or more computer
  hard disk drives and floppy diskettes.
- Captures the contents of a dynamic Windows swap file for analysis with other tools.
- Used in internal audits, security reviews and computer-related investigations.
- Validates the effectiveness of computer security data scrubbers.
- Identifies classified data spills in unallocated data storage areas.
- Identifies violations of company policy through the identification of sensitive data
  leakage into unallocated storage space.
- Used very effectively with NTI's Image File Extractor in investigations involving
  computer generated graphic file images, e.g., child pornography investigations.

GetFree - Program Features and Benefits:

- DOS-based for speed and ease of use.
- Compact program size easily fits on one floppy diskette with other forensic software
  tools.
- Non-printable characters (ASCII values 0-31 and non ASCII values 127-255) are
  replaced by a space character, at the option of the user.
- Does not alter any data on the target computer and can therefore be operated covertly.
- Captures unallocated clusters marked as bad (by a user or the operating system) in the
  event that sensitive data is stored in sectors associated with such clusters.
- Compatible with DOS, Windows 3.x, Windows 95 and Windows 98.
- Estimates the output storage space needed for the data capture prior to use.
- Processes more than one logical drive in one work session.
- Automatically increments the output file names and prompts the user for additional
  removable media in the event additional storage space is needed in achieving the data
  capture.
- Supports 12 bit, 16 bit and 32 bit FAT types (32-bit FATs).
- If 32 bit FAT (FAT32) file systems are involved, GetFree should be run with a FAT 32
  aware version of DOS, e.g., DOS 7x.
- Automatically creates output files which are less than 2 gigabytes in capacity. This aids
  in the analysis of the output files and avoids the 2 gigabyte DOS file limitations.

4.2 GetSlack - Forensic Data Capture Utility:-

This software is used to capture all of the file slack contained on a logical hard disk drive or
floppy diskette on a DOS, Windows, Windows 95 and/or Windows 98 computer system. The
resulting output from GetSlack can be analyzed with standard computer utilities or with special
NTI tools, e.g., Filter_I and Net Threat Analyzer software. GetSlack software is an ideal
computer forensics tool for use in investigations, internal audits and in computer security
reviews. NTI places special importance on the use of this tool in computer security risk
assessments because memory dumps in file slack are the cause for security related concerns.
Typically, network logons and passwords are found in file slack. It is also possible for
passwords used in file encryption to be stored as memory dumps in file slack.

From an investigative standpoint, file slack is a target rich environment to find leads and
evidence. File slack can contain leads and evidence in the form of fragments of word
processing communications, Internet E-mail communications, Internet chat room
communications, Internet news group communications and Internet browsing
activity. As a result, this program is a good tool for use in computer related investigations. It
also acts as a good validation tool for use with computer security programs which are
designed to eliminate file slack, e.g., NTI's M-Sweep ambient data scrubbing software.

GetSlack Software - Primary Uses:

- Quickly calculates the amount of storage space which is allocated to file slack on a
  logical DOS/Windows partition.
- Captures all file slack on a logical DOS/Windows drive and converts it into one or
  more files automatically.
- Used in covert and overt internal audits, computer security reviews and computer
  investigations.
- Validates the results of computer security scrubbers used to eliminate sensitive or
  classified data from file slack on computer storage devices.

GetSlack Software - Program Features and Benefits:

- DOS based for speed.
- Compact program size easily fits on a single floppy diskette with other forensic
  software tools.
- At the option of the user, non-printable characters (ASCII values 0-31 and 127-255) can
  be replaced with space characters.
- Does not alter or modify the data stored on the target computer.
- Does not leave any trace of operation. Therefore, it can be used covertly when laws
  permit such use.
- Does not alter evidence on the target drive. Therefore, this tool is ideal for the
  processing of computer evidence.
- Compatible with DOS, Windows 3.x, Windows 95 and Windows 98.
- Estimates the output file space needed prior to use.
- Multiple logical storage devices can be specified in one operating session.
- Configures the output files to fit on one or more removable storage devices
  depending on the volume of the computed output.
- Supports 12 bit, 16 bit and 32 bit FAT types (32-bit FATs are currently found on
  Windows 95B/98/OSR2/NT).

4.3 DiskScrub - Hard Drive Data Elimination Software:-


It is becoming standard practice in corporations, government agencies, law firms and accounting
firms to reassign computers and to donate older computers to charity. Millions of personal
computers have been put to use since 1981 when the IBM Personal Computer came into
existence. Many of the older personal computers have been reassigned or donated to charity and
many more will fall into this category in the future. However, data security is often ignored
when computers change hands.

You must be aware that personal computers were never designed with security in mind.
Potentially anything that transpired on a used computer still exists. Multiply that by the number
of computers your organization will reassign or surplus this year, and you get the point.
Computers should be reassigned and donated to charity but the contents of the hard disk drives
should not be ignored.

With computer technology changing almost daily, corporations and government agencies have
to stay current while still making the best uses of aging computer resources. Advancements in
hard disk drive storage capacities, operating systems and software applications cause
corporations to buy or lease new computers every year. But what is done with the old
computers? What is done about the sensitive data still existing, essentially "stored" on these
computers when they are sold, transferred or donated? That is a serious problem, and NTI's
Disk Scrub software was specifically designed to deal with these risks, for corporations,
government agencies, hospitals, financial institutions, law firms and accounting firms.

4.4 Forensic Graphics File Extractor:-

NTI's Forensic Graphics Image File Extractor is a computer forensics software tool which was
designed to automatically extract exact copies of graphics file images from ambient data sources
and from SafeBack bit stream image backup files. The latter process has the potential of quickly
identifying all graphics file images stored on a computer's hard disk drive. The resulting output
image files can be quickly evaluated using a graphics file viewer, e.g., Firehand Ember
Millennium by Firehand Technologies which NTI recommends. Firehand Ember Millennium
fits limited law enforcement budgets, e.g., priced at under $50 and it is an ideal product for
investigations involving computer graphic images.

NTI’s Image File Extractor software was developed with our law enforcement friends in mind
and it has been priced accordingly. Law enforcement computer crime specialists spend much of
their valuable time in the investigation of computer crimes involving the possession and
distribution of graphic image files which involve child pornography. This computer forensics
tool saves time and it was specifically created to accurately and quickly reconstruct evidence
grade copies of "deleted" image files.

The software can also be used effectively to identify and reconstruct residual graphics file
images which passed through Windows Swap and Windows Page files during Internet web
browsing sessions. An "after the fact" analysis of such files can quickly determine how a
computer may have been used. Such information is invaluable to corporate investigators and law
enforcement computer crime specialists alike. NTI's Graphics Image File Extractor also
provides benefits in internal audits involving the misuse of corporate computers by employees
and in corporate due diligence reviews of computers.

Forensic Graphics File Extractor - Primary Uses:

• Used to find evidence in corporate, civil and criminal investigations which involve
computer graphics files, e.g., investigations which potentially involve child pornography and/or
inappropriate Internet web browsing in a corporate or government setting.
• Used with other computer forensic software to quickly reconstruct previously deleted
BMP, GIF and JPEG graphics files stored on computer storage media.
• Used to quickly identify and preview BMP, GIF and JPEG image files stored on a
computer hard disk drive when used with SafeBack and Firehand Ember.
• Used effectively in computer investigations involving the distribution of child
pornography.
• Used "after the fact" to determine what files may have been viewed over or
downloaded from the Internet.
• Used very effectively with NTI's GetFree software, which can be purchased
separately.

Forensic Graphics File Extractor - Program Features and Benefits:

• Operates under DOS/WIN9x/WINNT/WIN2000/WINXP for ease of operation and
speed.

• Compact program size which easily fits on one floppy diskette with other forensic
software utilities for portability.

• Searches a targeted Windows Swap File or a file created from erased file space for
patterns of BMP, GIF and JPG file images and reconstructs partial or complete image files in
one highly accurate operation. The accuracy of this process is dependent upon the degree of
fragmentation involved, etc.

• When complete image files are identified and reconstructed by the program, the output
of restored graphics image files is exact. Our tests indicate that a majority of reconstructed
files will pass a CRCMD5 hash test when restored image files are compared with the original
files prior to deletion. This feature makes the software ideal for evidence reconstruction in
criminal cases. It also allows for the exact reconstruction of graphics image files which may
contain hidden files or other messages through the use of steganography.

• Partial image file patterns (caused by fragmentation and/or file corruption) can be
automatically reconstructed and viewed.

• The highly accurate graphics file identification search engine ensures that every byte is
checked for integrity.

• The software operates in batch file mode for automatic processing when combined
with other NTI software processes.

• It automatically creates a complete log of the processing steps taken by the program to
aid in expert witness testimony.

• Priced to easily fit limited law enforcement budgets.

• Operation of the software is easy and is not hampered by hardware anti-theft software
protection.

• Free upgrades for one year from the date of purchase.

• Quantity discounts are available.
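
The pattern search and hash comparison described in the feature list above can be illustrated in a few lines of Python. This is an added example, not NTI's code: the names carve and verify, the sample byte strings and the simplified end-of-file rules (first FF D9 for JPEG, first 00 3B for GIF, the header size field for BMP) are assumptions made for the illustration.

```python
import hashlib
import struct

def carve(buf):
    """Scan buf byte by byte; return (kind, offset, data) per image pattern."""
    found, i = [], 0
    while i < len(buf):
        kind = data = None
        if buf.startswith(b"\xff\xd8\xff", i):            # JPEG start-of-image
            end = buf.find(b"\xff\xd9", i + 3)            # first end-of-image marker
            if end != -1:
                kind, data = "jpeg", buf[i:end + 2]
        elif buf.startswith((b"GIF87a", b"GIF89a"), i):   # GIF header
            end = buf.find(b"\x00\x3b", i + 6)            # block terminator + trailer
            if end != -1:
                kind, data = "gif", buf[i:end + 2]
        elif buf.startswith(b"BM", i) and i + 14 <= len(buf):
            size, reserved = struct.unpack_from("<II", buf, i + 2)
            # "BM" is a weak signature: require zero reserved bytes and a sane size.
            if reserved == 0 and 14 <= size <= len(buf) - i:
                kind, data = "bmp", buf[i:i + size]
        if data:
            found.append((kind, i, data))
            i += len(data)
        else:
            i += 1
    return found

def verify(carved, originals):
    """Flag each carved item whose MD5 equals the MD5 of a known original."""
    known = {hashlib.md5(o).hexdigest() for o in originals}
    return [(k, off, hashlib.md5(d).hexdigest() in known) for k, off, d in carved]

# Constructed sample data: framing bytes are real, bodies are filler.
JPEG = b"\xff\xd8\xff\xe0" + b"JFIF-constructed-body" + b"\xff\xd9"
GIF = b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00" + b",constructed" + b"\x00\x3b"
BMP = b"BM" + struct.pack("<III", 14 + 40, 0, 14) + b"\x00" * 40
PAD = b"\xaa" * 32                                 # stands in for unrelated swap data
FRAGMENTED = JPEG[:10] + PAD[:16] + JPEG[10:]      # foreign cluster inside the file
SWAP = PAD + JPEG + PAD + GIF + PAD + BMP + PAD + FRAGMENTED + PAD

def demo():
    return verify(carve(SWAP), [JPEG, GIF, BMP])

if __name__ == "__main__":
    for kind, offset, ok in demo():
        print(f"{kind:4} at {offset:4}: {'hash match' if ok else 'hash MISMATCH'}")
```

The three contiguous files carve out byte for byte and match their original hashes, while the fragmented JPEG is still found and viewable as a pattern but fails the hash comparison, which is the dependence on fragmentation the feature list mentions.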

5. COMPUTER FORENSICS SERVICES

Computer forensics services are employed in many different areas of computing. Most computer
forensics services are useful to an organization, particularly in professional environments
where the requirement is quite high. The services include investigative assistance and are
also important in corporate consulting. Forensic data recovery (FDR) and incident response
systems are also part of computer forensics. Both private and government organizations make
use of computer forensics services.

In some cases the secrecy or privacy of the organization is important, and it is maintained
as expected. Some of the important fields in which computer forensics services can be applied
are as follows. Incident response and internal investigations can be carried out using
computer forensics. Computer forensics is used extensively in criminal as well as civil
litigation. Many laws provide support for computer forensics.

Another aspect of computer forensics is electronic document discovery. Data recovery is a large
topic in itself, but it is sometimes referred to as a part of computer forensics. Security risk
management can also be carried out using computer forensic tools. The services provided include
the development of plans to gather electronic evidence. Computer forensics services can also be
used to support criminal and civil warrants.

Computer forensics is also useful in electronic discovery requests. A computer forensics
investigation serves the identification, acquisition, preservation, analysis and reporting of
digital evidence. The digital evidence may come from desktop computers, laptops, storage
servers, or any type of removable storage device. The services are also available for dispute
resolution and for providing expert witness testimony. They can also be used when conducting
audits, which may involve remote or network analysis.

Computer forensics services can also be used for proactive compliance reviews, for risk
assessment, and for the investigation of specific allegations. In corporate consulting, the
services provided by the computer forensics professional include the development of in-house
standards. The protection of intellectual property is also a major service.

The protection of corporate assets is also a service of computer forensics. Computer forensics
consultation can help an organization adhere to legislation involving federal and provincial
privacy. Electronic file retention policies are also a part of the consultancy services of
computer forensics.

6. APPLICATION OF COMPUTER FORENSICS


System forensics is no different from any other forensic science when it comes to application.
It can be applied to any activity in which other mainstream traditional forensics, such as DNA
mapping, are used, provided a system or computer was involved in the event.

Some of the common applications of computer forensics are:-

FINANCIAL FRAUD DETECTION:-

Corporates and banks can detect financial frauds with the help of evidence collected from
systems. Also, insurance companies can detect possible fraud in accident, arson, and
workman’s compensation cases with the help of computer evidence.

CRIMINAL PROSECUTION:-
Prosecutors can use computer evidence to establish crimes such as homicides, drug and false
record-keeping, financial frauds, and child pornography in the court of law.

CIVIL LITIGATION:-

Personal and business records found on the computer systems related to fraud,
discrimination, and harassment cases can be used in civil litigations.

“CORPORATE SECURITY POLICY AND ACCEPTABLE USE VIOLATIONS”:-

A lot of computer forensic work is done to support management and human resources
(HR) investigations of employee abuse.

Besides cyber crimes and system crimes, criminals use computers for other criminal activities.
In such cases, besides the traditional forensics, system forensic investigation also plays a vital
role.

7. CONCLUSION

With computers becoming more and more involved in our everyday lives, both professionally
and socially, there is a need for computer forensics. This field will enable crucial electronic
evidence to be found, whether it was lost, deleted, damaged, or hidden, and used to prosecute
individuals that believe they have successfully beaten the system.
The needs and challenges of computer forensics can be met only with the cooperation of
the private, public, and international sectors. All stakeholders must be more willing to exchange
information on the effect economic and cyber crime has on them and the methods they are using
to detect and prevent it.
