Cyber Forensics Ppt1

CYBER FORENSICS

23UCSS41/23UCYS41
UNIT I
OVERVIEW OF COMPUTER FORENSIC TECHNOLOGY
WHAT IS COMPUTER FORENSICS?

• Computer Forensics is the process of methodically examining computer media
  (hard disks, diskettes, tapes, etc.) for evidence. In other words, computer
  forensics is the collection, preservation, analysis, and presentation of
  computer-related evidence.
• Computer forensics is also referred to as computer forensic analysis,
  electronic discovery, electronic evidence discovery, digital discovery, data
  recovery, data discovery, computer analysis, and computer examination.
• Computer evidence can be useful in criminal cases, civil disputes, and human
  resources/employment proceedings.
USE OF COMPUTER FORENSICS IN LAW ENFORCEMENT
• Recovering deleted files such as documents, graphics, and photos.
• Searching unallocated space on the hard drive, a place where an abundance of
  data often resides.
• Tracing artifacts, those tidbits of data left behind by the operating system.
  The experts know how to find these artifacts and, more importantly, they know
  how to evaluate the value of the information they find.
• Processing hidden files (files that are not visible or accessible to the
  user) that contain past usage information. Often, this process requires
  reconstructing and analyzing the date codes for each file and determining
  when each file was created, last modified, last accessed, and deleted.
• Running a string search for e-mail, when no e-mail client is obvious.
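To make the "date codes" point concrete, here is an added Python example (not
from the slides or from any tool they name) that walks a directory tree, lists
the dotfiles a casual listing hides, builds a created/changed/modified/accessed
timeline from stat(), and flags timestamps that cannot be genuine. The sample
tree, the file names and the five-year-future modification time are constructed
for the demonstration.

```python
import os
import time
import tempfile
from pathlib import Path


def collect_file_times(root):
    """Walk root and return one record per file with its stat() timestamps.

    st_ctime is the inode change time on Unix (creation time on Windows);
    st_birthtime (true creation time) exists only on some platforms, so it is
    recorded when present and left as None otherwise.
    """
    root = Path(root)
    records = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            st = os.stat(path, follow_symlinks=False)
            records.append({
                "path": str(path.relative_to(root)),
                "hidden": name.startswith("."),  # Unix convention; NTFS uses an attribute bit
                "created": getattr(st, "st_birthtime", None),
                "changed": st.st_ctime,
                "modified": st.st_mtime,
                "accessed": st.st_atime,
                "size": st.st_size,
            })
    return records


def build_timeline(records):
    """Flatten per-file records into (timestamp, event, path) rows, oldest first."""
    rows = []
    for r in records:
        if r["created"] is not None:
            rows.append((r["created"], "created", r["path"]))
        rows.append((r["changed"], "changed", r["path"]))
        rows.append((r["modified"], "modified", r["path"]))
        rows.append((r["accessed"], "accessed", r["path"]))
    return sorted(rows)


def suspicious_times(records, now=None, skew=120):
    """Flag timestamps that should not occur on an untampered system.

    A modification time in the future, or later than the inode change time
    (every write also bumps ctime, so mtime > ctime needs a clock jump or a
    utime()/timestomp call), deserves a closer look.
    """
    now = time.time() if now is None else now
    flagged = []
    for r in records:
        reasons = []
        if r["modified"] > now + skew:
            reasons.append("mtime in the future")
        if r["modified"] > r["changed"] + skew:
            reasons.append("mtime later than ctime")
        if reasons:
            flagged.append((r["path"], reasons))
    return flagged


def demo():
    """Constructed sample tree: one normal document and one dotfile whose
    mtime has been pushed five years into the future, as a timestomping tool
    (or a wrong clock) would leave it."""
    root = Path(tempfile.mkdtemp(prefix="forensics_"))
    (root / "report.txt").write_text("quarterly numbers\n")
    hidden = root / ".notes"
    hidden.write_text("do not distribute\n")
    future = time.time() + 5 * 365 * 86400
    os.utime(hidden, (future, future))  # (atime, mtime); ctime becomes "now"
    records = collect_file_times(root)
    return records, build_timeline(records), suspicious_times(records)


if __name__ == "__main__":
    recs, timeline, flagged = demo()
    for ts, event, path in timeline:
        print(time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(ts)), event, path)
    print("flagged:", flagged)
```

The mtime-versus-ctime check only holds on Unix file systems, where ctime
cannot be set from user space; on NTFS the equivalent check compares the
$STANDARD_INFORMATION timestamps (which tools can rewrite) with the $FILE_NAME
timestamps (which they usually do not).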
COMPUTER FORENSICS ASSISTANCE TO HUMAN RESOURCES / EMPLOYMENT PROCEEDINGS
• Computers can contain evidence in many types of human resources proceedings,
  including sexual harassment suits, allegations of discrimination, and
  wrongful termination claims.
• Evidence can be found in electronic mail systems, on network servers, and on
  individual employees' computers.
EMPLOYER SAFEGUARD PROGRAM
• Employers must safeguard critical business information.
• An unfortunate concern today is the possibility that data could be damaged,
  destroyed, or misappropriated by a discontented individual.
• Before an individual is informed of their termination, a computer forensic
  specialist should come on-site and create an exact duplicate of the data on
  the individual's computer.
• In this way, should the employee choose to do anything to that data before
  leaving, the employer is protected.
• Damaged or deleted data can be replaced, and evidence can be recovered to
  show what occurred.
• This method can also be used to bolster an employer's case by showing the
  removal of proprietary information, or to protect the employer from false
  charges made by the employee.
• The specialist should be equipped to find and interpret the clues that have
  been left behind. This includes situations where files have been deleted,
  disks have been reformatted, or other steps have been taken to conceal or
  destroy the evidence.
For example, did you know?
• What Web sites have been visited?
• What files have been downloaded?
• When files were last accessed?
• Of attempts to conceal or destroy evidence?
• Of attempts to fabricate evidence?
• That the electronic copy of a document can contain text that was removed
  from the final printed version?
• That some fax machines can contain exact duplicates of the last several
  hundred pages received?
• That faxes sent or received via computer may remain on the computer
  indefinitely?
• That email is rapidly becoming the communications medium of choice for
  businesses?
• That people tend to write things in email that they would never consider
  writing in a memorandum or letter?
• That email has been used successfully in criminal cases as well as in civil
  litigation?
• That email is often backed up on tapes that are generally kept for months or
  years?
• That many people keep their financial records, including investments, on
  computers?
COMPUTER FORENSICS SERVICES
Computer Forensics professionals should be able to successfully perform complex
evidence recovery procedures with the skill and expertise that lends
credibility to your case. For example, they should be able to perform the
following services:
1. DATA SEIZURE
• Following federal guidelines, Computer Forensics experts should act as the
  client's representative, using their knowledge of data storage technologies
  to track down evidence.
• The experts should also be able to assist officials during the equipment
  seizure process.
2. DATA DUPLICATION/PRESERVATION
• When one party must seize data from another, two concerns must be addressed:
  • the data must not be altered in any way;
  • the seizure must not put an undue burden on the responding party.
• The Computer Forensics experts should address both of these concerns by
  making an exact duplicate of the needed data.
• When the experts work on the duplicate data, the integrity of the original is
  maintained.
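As an added example (not the slides' text or any vendor's product), the
following Python script shows the duplication step end to end: the source is
opened read-only, copied bit for bit, hashed as it is read, and the written
image is then re-hashed from disk and compared, with the result kept in a
custody record that travels with the image. The "suspect disk" is a
constructed 3 MiB file; the examiner label and file names are placeholders.

```python
import hashlib
import json
import tempfile
import time
from pathlib import Path

CHUNK = 1 << 20   # stream in 1 MiB pieces; a block device is read the same way


def sha256_file(path):
    """Hash a file from disk in chunks (works for multi-GB images)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source, image, examiner):
    """Copy `source` to `image` bit for bit, hashing the stream as it is read,
    then hash the written image independently and compare the two.

    Opening the source read-only is a software courtesy only; a real
    acquisition puts a hardware write blocker between examiner and evidence.
    """
    stream_hash = hashlib.sha256()
    size = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            stream_hash.update(block)
            dst.write(block)
            size += len(block)
    record = {
        "source": str(source),
        "image": str(image),
        "bytes": size,
        "sha256_source": stream_hash.hexdigest(),
        "sha256_image": sha256_file(image),   # re-read from disk, not from memory
        "examiner": examiner,
        "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }
    record["verified"] = record["sha256_source"] == record["sha256_image"]
    return record


def verify_image(image, record):
    """Re-hash the image (before analysis, after transport, in court) and
    check that it still matches both digests taken at acquisition."""
    return sha256_file(image) == record["sha256_image"] == record["sha256_source"]


def demo():
    """Constructed 'suspect disk': 3 MiB of a recognisable byte pattern."""
    work = Path(tempfile.mkdtemp(prefix="acq_"))
    device = work / "suspect_disk.bin"
    device.write_bytes(b"EVIDENCE" * (3 * 1024 * 1024 // 8))
    image = work / "suspect_disk.dd"              # raw, dd-style image
    record = acquire(device, image, examiner="examiner-1")   # placeholder name
    (work / "suspect_disk.custody.json").write_text(json.dumps(record, indent=2))
    ok_before = verify_image(image, record)
    with open(image, "r+b") as f:                 # someone edits the image in place
        f.seek(4096)
        f.write(b"X")
    ok_after = verify_image(image, record)        # the single changed byte is caught
    return record, ok_before, ok_after


if __name__ == "__main__":
    rec, before, after = demo()
    print(json.dumps(rec, indent=2))
    print("verified before tamper:", before, "after tamper:", after)
```

The same procedure is what `dd` plus `sha256sum` (or a forensic imager that
embeds the hash) performs; the point is that the original is hashed exactly
once, the verified image becomes the master, analysts work on further copies
of that master, and the hash is re-checked at every hand-off.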
3. DATA RECOVERY
• Using proprietary tools, your Computer Forensics experts should be able to
  safely recover and analyze otherwise inaccessible evidence.
• The ability to recover lost evidence is made possible by the expert's
  advanced understanding of storage technologies.
4. DOCUMENT SEARCHES
• Computer Forensics experts should also be able to search over 200,000
  electronic documents in seconds rather than hours.
• The speed and efficiency of these searches make the discovery process less
  complicated and less intrusive to all parties involved.
5. MEDIA CONVERSION
• Computer Forensics experts should extract the relevant data from old and
  unreadable devices, convert it into readable formats, and place it onto new
  storage media for analysis.
6. EXPERT WITNESS SERVICES
• Computer Forensics experts should be able to explain complex technical
  processes in an easy-to-understand fashion.
• This should help judges and juries comprehend how computer evidence is
  found, what it consists of, and how it is relevant to a specific situation.
7. COMPUTER EVIDENCE SERVICE OPTIONS
Computer Forensics experts should offer various levels of service, each
designed to suit your individual investigative needs. For example, they should
be able to offer the following services:
• Standard service: Computer Forensics experts should be able to work on your
  case during normal business hours until your critical electronic evidence is
  found.
• On-site service: Computer Forensics experts should be able to travel to your
  location to perform complete computer evidence services. While on-site, the
  experts should quickly be able to produce exact duplicates.
• Emergency service: Your Computer Forensics experts should be able to give
  your case the highest priority in their laboratories. They should be able to
  work on it without interruption until your evidence objectives are met.
• Priority service: Dedicated Computer Forensics experts should be able to
  work on your case during normal business hours (8:00 A.M. to 5:00 P.M.,
  Monday through Friday) until the evidence is found. Priority service
  typically cuts your turnaround time in half.
• Weekend service: Computer Forensics experts should be able to work from
  8:00 A.M. to 5:00 P.M., Saturday and Sunday, to locate the needed electronic
  evidence, and will continue working on your case until your evidence
  objectives are met.
8. OTHER MISCELLANEOUS SERVICES
Computer Forensics experts should also be able to provide extended services.
These services include:
• Analysis of computers and data in criminal investigations
• On-site seizure of computer data in criminal investigations
• Analysis of computers and data in civil litigation
• On-site seizure of computer data in civil litigation
• Analysis of company computers to determine employee activity
• Assistance in preparing electronic discovery requests
• Reporting in a comprehensive and readily understandable manner
• Court-recognized computer expert witness testimony
• Computer Forensics on both PC and Mac platforms
• Fast turnaround time
BENEFITS OF PROFESSIONAL FORENSIC METHODOLOGY
A knowledgeable Computer Forensics professional should ensure that a subject
computer system is carefully handled to ensure that:
1. No possible evidence is damaged, destroyed, or otherwise compromised by the
   procedures used to investigate the computer.
2. No possible computer virus is introduced to a subject computer during the
   analysis process.
3. Extracted and possibly relevant evidence is properly handled and protected
   from later mechanical or electromagnetic damage.
4. A continuing chain of custody is established and maintained.
5. Business operations are affected for a limited amount of time, if at all.
6. Any client-attorney information that is inadvertently acquired during a
   forensic exploration is ethically and legally respected and not divulged.
STEPS TAKEN BY COMPUTER FORENSICS SPECIALISTS
The Computer Forensics specialist should take several careful steps to identify
and attempt to retrieve possible evidence that may exist on a subject's
computer system. For example, the following steps should be taken:
1. Protect the subject computer system during the forensic examination from
   any possible alteration, damage, data corruption, or virus introduction.
2. Discover all files on the subject system. This includes existing normal
   files, deleted yet remaining files, hidden files, password-protected files,
   and encrypted files.
3. Recover all discovered deleted files.
4. Reveal the contents of hidden files as well as temporary or swap files used
   by both the application programs and the operating system.
5. Access the contents of protected or encrypted files.
6. Analyze all possibly relevant data found in special areas of a disk. This
   includes, but is not limited to, what is called unallocated space on a disk,
   as well as slack space in a file (the remnant area at the end of a file in
   the last assigned disk cluster that is unused by current file data but, once
   again, may be a possible site for previously created and relevant evidence).
7. Print out an overall analysis of the subject computer system, as well as a
   listing of all possibly relevant files and discovered file data.
8. Provide an opinion of the system layout; the file structures discovered;
   any discovered data and authorship information; any attempts to hide,
   delete, protect, and encrypt information; and anything else that has been
   discovered and appears to be relevant to the overall computer system
   examination.
TYPES OF COMPUTER FORENSIC TECHNOLOGY
TYPES OF MILITARY COMPUTER FORENSIC TECHNOLOGY
• Key objectives of cyber forensics include rapid discovery of evidence,
  estimation of the potential impact of the malicious activity on the victim,
  and assessment of the intent and identity of the perpetrator.
• Real-time tracking of potentially malicious activity is especially difficult
  when the pertinent information has been intentionally hidden, destroyed, or
  modified in order to elude discovery.
• The National Law Enforcement and Corrections Technology Center (NLECTC)
  works with criminal justice professionals to identify urgent and emerging
  technology needs.
• The National Institute of Justice (NIJ) sponsors research and development or
  identifies best practices to address those needs.
• The Information Directorate of the Air Force Research Laboratory entered
  into a partnership with the NIJ, under the auspices of the NLECTC, to test
  new ideas and prototype tools. The Computer Forensics Experiment 2000
  (CFX-2000) resulted from this partnership.
• NLECTC centers demonstrate new technologies, test commercially available
  technologies, and publish results, linking research and practice.
COMPUTER FORENSIC EXPERIMENT-2000 (CFX-2000)
• CFX-2000 is an integrated forensic analysis framework.
• The central hypothesis of CFX-2000 is that it is possible to accurately
  determine the motives, intent, targets, sophistication, identity, and
  location of cyber criminals and cyber terrorists by deploying an integrated
  forensic analysis framework.
• The cyber forensic tools involved in CFX-2000 consisted of commercial
  off-the-shelf software and directorate-sponsored R&D prototypes. CFX-2000
  included the SI-FI integration environment.
• The Synthesizing Information from Forensic Investigations (SI-FI)
  integration environment supports the collection, examination, and analysis
  processes employed during a cyber-forensic investigation.
• The SI-FI prototype uses digital evidence bags (DEBs), which are secure and
  tamperproof containers used to store digital evidence.
• Investigators can seal evidence in the DEBs and use the SI-FI implementation
  to collaborate on complex investigations.
• Authorized users can securely reopen the DEBs for examination, while
  automatic audit of all actions ensures the continued integrity of their
  contents.
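The slide says what a digital evidence bag must guarantee but not how. As an
added illustration, which is not the SI-FI implementation or any other real
DEB format, the Python example below seals evidence under a SHA-256 digest and
keeps an HMAC-chained audit log, so that changing the contents, editing an
audit entry or reordering entries is detected when the bag is verified. The
key, the actor names, the case description and the sample e-mail bytes are all
constructed.

```python
import hashlib
import hmac
import json
import time


def _sha256(data):
    return hashlib.sha256(data).hexdigest()


def _entry_mac(key, prev_mac, entry):
    """HMAC over the canonical entry plus the previous MAC: every entry is
    bound to its predecessor, so editing, reordering or inserting entries
    breaks the chain unless the attacker holds the custody system's key."""
    payload = json.dumps(entry, sort_keys=True).encode() + prev_mac.encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def record_action(bag, key, actor, action, note=""):
    """Append an audited action (seal, reopen, close, ...) to the bag."""
    entry = {
        "seq": len(bag["audit"]),
        "actor": actor,
        "action": action,
        "note": note,
        "time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }
    prev = bag["audit"][-1]["mac"] if bag["audit"] else bag["evidence_sha256"]
    bag["audit"].append({**entry, "mac": _entry_mac(key, prev, entry)})


def seal(evidence, key, actor, description):
    """Create a bag; the evidence digest is the anchor of the audit chain."""
    bag = {"description": description,
           "evidence_sha256": _sha256(evidence),
           "audit": []}
    record_action(bag, key, actor, "seal")
    return bag


def verify(bag, evidence, key):
    """Check the evidence against the seal and replay the audit chain.
    Returns (ok, reason)."""
    if _sha256(evidence) != bag["evidence_sha256"]:
        return False, "evidence bytes do not match the sealed digest"
    if not bag["audit"] or bag["audit"][0]["action"] != "seal":
        return False, "bag was never sealed"
    prev = bag["evidence_sha256"]
    for i, logged in enumerate(bag["audit"]):
        entry = {k: v for k, v in logged.items() if k != "mac"}
        if entry["seq"] != i:
            return False, f"audit entry {i} missing or reordered"
        if not hmac.compare_digest(_entry_mac(key, prev, entry), logged["mac"]):
            return False, f"audit entry {i} has been altered"
        prev = logged["mac"]
    return True, "ok"


def demo():
    key = b"custody-system-key (constructed; a real system keeps it in an HSM)"
    evidence = (b"From: alice@example.test\r\nSubject: re: the numbers\r\n\r\n"
                b"see attached\r\n")                      # constructed sample
    bag = seal(evidence, key, "examiner-1", "constructed sample: exported mailbox")
    record_action(bag, key, "examiner-2", "reopen", "keyword search")
    record_action(bag, key, "examiner-2", "close")
    intact = verify(bag, evidence, key)
    wrong_bytes = verify(bag, evidence + b"\n", key)       # contents changed
    forged = json.loads(json.dumps(bag))                   # deep copy, then edit the log
    forged["audit"][1]["actor"] = "examiner-1"
    edited_log = verify(forged, evidence, key)
    return intact, wrong_bytes, edited_log
```

Two caveats a practitioner should keep in mind: a chain like this is
tamper-evident, not tamperproof, and it cannot detect that the newest entries
were simply cut off, so the custody system must also record the latest MAC
somewhere outside the bag; and the key has to be held by the custody service,
not by the examiners whose actions it audits.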
• The teams used other forensic tools and prototypes to collect and analyze
  specific features of the digital evidence, perform case management and
  timelining of digital events, automate event link analysis, and perform
  steganography detection.
• The results of CFX-2000 verified that the hypothesis was largely correct and
  that it is possible to ascertain the intent and identity of cyber criminals.
• As electronic technology continues its explosive growth, researchers need to
  continue vigorous R&D of cyber forensic technology in preparation for the
  onslaught of cyber reconnaissance probes and attacks.
TYPES OF LAW ENFORCEMENT COMPUTER FORENSIC TECHNOLOGY
Computer Forensics tools and techniques have become important resources for use
in internal investigations, civil lawsuits, and computer security risk
management. Law enforcement and military agencies have been involved in
processing computer evidence for years.
Computer Evidence Processing Procedures
• Processing procedures and methodologies should conform to federal computer
  evidence processing standards.
Preservation of Evidence
• Computer evidence is fragile and susceptible to alteration or erasure by any
  number of occurrences.
• Computer evidence can be useful in criminal cases, civil disputes, and human
  resources/employment proceedings.
• Black-box Computer Forensics software tools are good for some basic
  investigation tasks, but they do not offer a full Computer Forensics
  solution.
• SafeBack software overcomes some of the evidence weaknesses inherent in
  black-box Computer Forensics approaches.
• SafeBack technology has become a worldwide standard in making mirror image
  backups since 1990.
• TROJAN HORSE PROGRAMS
  • The computer forensic expert should be able to demonstrate his or her
    ability to avoid destructive programs and traps that can be planted by
    computer users bent on destroying data and evidence.
  • Such programs can also be used to covertly capture sensitive information,
    passwords, and network logons.
• COMPUTER FORENSICS DOCUMENTATION
  • Without proper documentation, it is difficult to present findings.
  • If the security or audit findings become the object of a lawsuit or a
    criminal investigation, then documentation becomes even more important.
• FILE SLACK
  • Slack space in a file is the remnant area at the end of a file in the last
    assigned disk cluster that is unused by current file data but, once again,
    may be a possible site for previously created and relevant evidence.
  • Experts should know the techniques and automated tools used to capture and
    evaluate file slack.
• DATA-HIDING TECHNIQUES
  • Trade secret information and other sensitive data can easily be secreted
    using any number of techniques. It is possible to hide diskettes within
    diskettes and to hide entire computer hard disk drive partitions. Computer
    forensic experts should understand such issues and the tools that help in
    the identification of such anomalies.
• E-COMMERCE INVESTIGATIONS
  • Net Threat Analyzer can be used to identify past Internet browsing and
    e-mail activity done through specific computers. The software analyzes a
    computer's disk drives and other storage areas that are generally unknown
    to or beyond the reach of most general computer users. Net Threat Analyzer
    is available free of charge to computer crime specialists, school
    officials, and police.
• DUAL-PURPOSE PROGRAMS
  • Programs can be designed to perform multiple processes and tasks at the
    same time. Computer Forensics experts must have hands-on experience with
    these programs.
• TEXT SEARCH TECHNIQUES
  • Experts should know the tools that can be used to find targeted strings of
    text in files, file slack, unallocated file space, and Windows swap files.
• FUZZY LOGIC TOOLS USED TO IDENTIFY UNKNOWN TEXT
  • Computer evidence searches require that the computer specialist know what
    is being searched for. Many times not all is known about what may be
    stored on a given computer system.
  • In such cases, fuzzy logic tools can provide valuable leads as to how the
    subject computer was used.
• DISK STRUCTURE
  • Computer forensic experts must understand how computer hard disks and
    floppy diskettes are structured and how computer evidence can reside at
    various levels within the structure of the disk.
  • They should also demonstrate their knowledge of how to modify the
    structure and hide data in obscure places on floppy diskettes and hard
    disk drives.
• DATA ENCRYPTION
  • Computer forensic experts should become familiar with the use of software
    to crack security associated with the different file structures.
• MATCHING A DISKETTE TO A COMPUTER
  • Specialized techniques and tools make it possible to conclusively tie a
    diskette to a computer that was used to create or edit files stored on
    it. Computer forensic experts should become familiar with how to use
    special software tools to complete this process.
• DATA COMPRESSION
  • Computer forensic experts should become familiar with how compression
    works and how compression programs can be used to hide and disguise
    sensitive data, and also learn how password-protected compressed files
    can be broken.
• ERASED FILES
  • Computer forensic experts should become familiar with how previously
    erased files can be recovered by using DOS programs and by manually
    applying data-recovery techniques, and should be familiar with cluster
    chaining.
• INTERNET ABUSE IDENTIFICATION AND DETECTION
  • Computer forensic experts should become familiar with how to use
    specialized software to identify how a targeted computer has been used on
    the Internet.
  • This process will focus on Computer Forensics issues tied to data that the
    computer user probably doesn't realize exists (file slack, unallocated
    file space, and Windows swap files).
• THE BOOT PROCESS AND MEMORY RESIDENT PROGRAMS
  • Computer forensic experts should become familiar with how the operating
    system can be modified to change data and destroy data at the whim of the
    person who configured the system.
  • Such a technique could be used to covertly capture keyboard activity from
    corporate executives, for example. For this reason, it is important that
    the experts understand these potential risks and how to identify them.
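The FILE SLACK, TEXT SEARCH TECHNIQUES and ERASED FILES items above, and step 6
of the examination steps earlier, all rest on the same disk-layout facts. This
added Python example (not from the slides or from any product they name) builds
a toy FAT-style volume with 64-byte clusters so the effects are visible: a
file is written and deleted, a shorter file reuses its first cluster, and the
examiner then reads the new file's slack, dumps the unallocated clusters, runs
a string search over both, and performs the contiguous-cluster undelete that
DOS-era tools relied on, reporting which clusters have since been overwritten.
The cluster size, file names and contents are constructed.

```python
CLUSTER = 64       # bytes per cluster; tiny so the layout is easy to inspect
NCLUSTERS = 16
FREE, END = 0, 0xFFFF


class Volume:
    """Toy FAT-style volume: a cluster map (the FAT), a directory and raw
    cluster data. Deleting a file frees its map entries and flags the
    directory entry but leaves the cluster contents untouched, which is why
    deleted data, slack and unallocated space are recoverable."""

    def __init__(self):
        self.fat = [FREE] * NCLUSTERS
        self.data = bytearray(CLUSTER * NCLUSTERS)
        self.dir = {}   # name -> {"first": cluster, "size": bytes, "deleted": bool}

    def _free_clusters(self, n):
        free = [i for i, e in enumerate(self.fat) if e == FREE]
        if len(free) < n:
            raise OSError("volume full")
        return free[:n]

    def write_file(self, name, content):
        n = max(1, -(-len(content) // CLUSTER))          # ceil(len / CLUSTER)
        clusters = self._free_clusters(n)
        for i, c in enumerate(clusters):
            chunk = content[i * CLUSTER:(i + 1) * CLUSTER]
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk   # no zero-fill of the tail
            self.fat[c] = clusters[i + 1] if i + 1 < n else END
        self.dir[name] = {"first": clusters[0], "size": len(content), "deleted": False}

    def delete_file(self, name):
        """Like DOS DEL: unlink the chain, keep the entry, keep the bytes."""
        entry, c = self.dir[name], self.dir[name]["first"]
        while c != END:
            c, self.fat[c] = self.fat[c], FREE
        entry["deleted"] = True

    def chain(self, first):
        out, c = [], first
        while c != END:
            out.append(c)
            c = self.fat[c]
        return out

    def cluster(self, c):
        return bytes(self.data[c * CLUSTER:(c + 1) * CLUSTER])

    # ---- examiner-side views ----
    def read_file(self, name):
        e = self.dir[name]
        raw = b"".join(self.cluster(c) for c in self.chain(e["first"]))
        return raw[:e["size"]]

    def file_slack(self, name):
        """Bytes after the logical end of file in its last cluster."""
        e = self.dir[name]
        last = self.chain(e["first"])[-1]
        used = e["size"] % CLUSTER
        return b"" if used == 0 else self.cluster(last)[used:]

    def unallocated_space(self):
        return b"".join(self.cluster(c) for c, e in enumerate(self.fat) if e == FREE)

    def recover_deleted(self, name):
        """Classic undelete: the chain is gone, so assume the file was
        contiguous from its first cluster and take ceil(size/CLUSTER)
        clusters. Clusters since handed to another file are reported."""
        e = self.dir[name]
        n = max(1, -(-e["size"] // CLUSTER))
        clusters = range(e["first"], e["first"] + n)
        overwritten = [c for c in clusters if self.fat[c] != FREE]
        raw = b"".join(self.cluster(c) for c in clusters)
        return raw[:e["size"]], overwritten


def search(blob, needle):
    """Offsets of every occurrence of needle in blob (the string-search step)."""
    hits, i = [], blob.find(needle)
    while i != -1:
        hits.append(i)
        i = blob.find(needle, i + 1)
    return hits


def demo():
    vol = Volume()
    part1 = b"x" * 30 + b"PRICE-LIST" + b"x" * 24        # exactly one cluster
    part2 = b"y" * 10 + b"MERGER-TERMS" + b"y" * 42      # exactly one cluster
    secret = part1 + part2 + b"z" * 20                   # 148 bytes -> 3 clusters
    vol.write_file("secret.txt", secret)
    vol.delete_file("secret.txt")
    vol.write_file("memo.txt", b"MEMO: meeting at 10")   # 19 bytes, reuses cluster 0
    return vol


if __name__ == "__main__":
    v = demo()
    print("memo slack   :", v.file_slack("memo.txt"))
    print("PRICE-LIST in slack at", search(v.file_slack("memo.txt"), b"PRICE-LIST"))
    print("MERGER-TERMS in unallocated at", search(v.unallocated_space(), b"MERGER-TERMS"))
    print("undelete     :", v.recover_deleted("secret.txt"))
```

After the run, the memo's 45 bytes of slack still carry "PRICE-LIST" from the
deleted file, "MERGER-TERMS" sits in unallocated space, and the undelete
returns the whole 148 bytes while warning that cluster 0 now belongs to
another file. Real FAT behaves the same way (it also overwrites the first byte
of the name with 0xE5); NTFS keeps the MFT record so recovery follows the data
runs instead, and on a TRIM-enabled SSD the unallocated clusters may read back
as zeros.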
TYPES OF BUSINESS COMPUTER FORENSIC TECHNOLOGY
• REMOTE MONITORING OF TARGET COMPUTERS
  • Data Interception by Remote Transmission (DIRT) is a powerful remote
    control monitoring tool that allows stealth monitoring of all activity on
    one or more target computers simultaneously from a remote command center.
  • No physical access is necessary. The application also allows agents to
    remotely seize and secure digital evidence prior to physically entering
    suspect premises.
• CREATING TRACKABLE ELECTRONIC DOCUMENTS
  • Binary Audit Identification Transfer (BAIT) is a powerful intrusion
    detection tool that allows users to create trackable electronic documents.
  • BAIT identifies (including their location) unauthorized intruders who
    access, download, and view these tagged documents.
  • BAIT also allows security personnel to trace the chain of custody and
    chain of command of all who possess the stolen electronic documents.
• THEFT RECOVERY SOFTWARE FOR LAPTOPS AND PCS
  What it really costs to replace a stolen computer:
  • The price of the replacement hardware and software.
  • The cost of recreating data, lost production time or instruction time,
    reporting and investigating the theft, filing police reports and insurance
    claims, increased insurance, processing and ordering replacements, cutting
    a check, and the like.
  • The loss of customer goodwill.
  • If a thief is ever caught, the cost of time involved in prosecution.
• PC PHONEHOME
  • PC PhoneHome is a software application that will track and locate a lost
    or stolen PC or laptop anywhere in the world. It is easy to install. It is
    also completely transparent to the user.
  • If your PC PhoneHome-protected computer is lost or stolen, all you need to
    do is make a report to the local police and call CD's 24-hour command
    center. CD's recovery specialists will assist local law enforcement in the
    recovery of your property.
FORENSIC SERVICES AVAILABLE
Services include but are not limited to:
• Lost password and file recovery
• Location and retrieval of deleted and hidden files
• File and email decryption
• Email supervision and authentication
• Threatening email traced to source
• Computer usage policy and supervision
• Remote PC and network monitoring
• Tracking and location of stolen electronic files
• Honeypot sting operations
• Location and identity of unauthorized software users
• Theft recovery software for laptops and PCs
• Investigative and security software creation
• Protection from hackers and viruses
