This document discusses computer forensics and its importance in investigating cybercrimes. It defines computer forensics as the scientific analysis of computers and digital evidence to be used in legal proceedings. The process involves acquiring digital evidence without altering it, analyzing the evidence using forensic tools to find relevant files and data, and presenting the findings in court. Computer forensics experts help investigate various cybercrimes and security breaches.
Abstract:

The continuing technological revolution in communications and information exchange has created an entirely new form of crime, cyber crime. Cyber crime has forced the computer and law enforcement professions to develop new areas of expertise and avenues of collecting and analyzing evidence. This has developed into a science called computer forensics. The process of acquiring, examining, and applying digital evidence is crucial to the success of prosecuting a cyber criminal. With the continuous evolution of technology, it is difficult for law enforcement and computer professionals to stay one step ahead of technologically savvy criminals. To effectively combat cyber crime, greater emphasis must be placed on the computer forensic field of study, including but not limited to financial support, international guidelines and laws, and training of the professionals involved in the process.

The primary goal of this track will be to provide a forum for researchers, practitioners, and educators interested in Computer Forensics in order to advance research and educational methods in this increasingly challenging field. We expect that people from academia, industry, government, and law enforcement will share their previously unpublished ideas on research, education, and practice through this track.

Introduction:

Computer forensics is a branch of forensic science. Forensics is the scientific analysis of people, places and things to collect evidence during crime investigations that helps to prove innocence or guilt in court. Computer forensics, sometimes called digital forensics, specializes in the scientific analysis of computer communications and the data on computer storage devices, such as disks and CD-ROMs. Consequently, computer forensics experts are often called "Cyber Cops", "Cyber Investigators" or "Digital Detectives". Investigators use a variety of techniques and proprietary forensic applications to examine the hard drive copy. After physically isolating the computer in question to make sure it cannot be accidentally contaminated, investigators make a digital copy of the hard drive. Once the original hard drive has been copied, it is locked in a safe or other secure storage facility to maintain its pristine condition. All investigation is done on the digital copy, searching hidden folders and unallocated disk space for copies of deleted, encrypted, or damaged files. Any evidence found on the digital copy is carefully documented in a "finding report" and verified against the original in preparation for legal proceedings that involve discovery, depositions, or actual litigation.

In a homicide forensics investigation, law enforcement agencies present photographic and physical evidence. Similarly, in computer forensics, after initiating a special boot procedure on the computer, the investigator uses computer forensic software to create a bit-stream image or "exact snapshot" of the target hard drive and all other external media, such as floppy or zip disks, which are subject to the investigation. Computer forensics software allows the investigator to recover all deleted files that have not been overwritten, as well as other forms of unallocated or temporary data. Information contained in swap files, printer spooler files, file slack and other temporary or buffer files are examples of data residing on a computer drive that are not normally visible to the user.

Some of the typical applications of computer forensics are:

o Investigate and uncover evidence of illegal activities conducted via computer, such as credit-card fraud, intellectual-property theft, pedophilia, terrorism and computer system intrusion (hacking). Illegal activities conducted via computer are generally referred to as "computer crimes" or "cyber crimes".
o Investigate and uncover evidence of crimes that weren't directly committed via computer, but for which the accused might have stored evidence on computer data storage devices.
o Detect and close computer system security holes through "legal" hacking.

What is Computer Forensics?

Judd Robbins, a prominent computer forensics investigator, defines computer forensics as "the application of computer investigation and analysis techniques in the interests of determining potential legal evidence." Other experts have taken the definition a step further, believing computer forensics has evolved into a science. Noblett et al., as well as the FBI, define computer forensic science as "the science of acquiring, preserving, retrieving, and presenting data that has been processed electronically and stored on computer media." Basically, computer forensics is digital detective work. It is searching a digital crime scene for evidence, containing and preserving the evidence, analyzing the evidence, often in a certified lab environment, and then finally presenting the findings in legal proceedings and court. In other words, it is similar to performing an autopsy, except on a digital device rather than a human body.

Computer Forensics, importance:

The concept of storing and processing information at incredible speeds and across vast distances has generated an environment where the mysteries of technology can propagate a clouded perception that leads to a lack of trust and market confidence. Data theft, industrial espionage, employee misconduct and intellectual property theft are among the computer security incidents that increasingly plague corporate organizations. Additionally, the vast majority of information in the workplace is now stored on PCs and servers, meaning that no internal investigation of any form should ignore computer evidence.

Digital forensic analysis:

In general, the goal of digital forensic analysis is to identify digital evidence for an investigation. An investigation typically uses both physical and digital evidence with the scientific method to draw conclusions. Examples of investigations that use digital forensics include computer intrusion, unauthorized use of corporate computers, child pornography, and any physical crime whose suspect had a computer. At the most basic level, digital forensics has three major phases:

o Acquisition
o Analysis
o Presentation

Acquisition Phase:

The Acquisition Phase saves the state of a digital system so that it can be analyzed later. This is analogous to taking photographs, fingerprints, blood samples, or tire patterns from a crime scene. As in the physical world, it is unknown which data will be used as digital evidence, so the goal of this phase is to save all digital values. Tools are used in the acquisition phase to copy data from the suspect storage device to a trusted device. These tools must modify the suspect device as little as possible and copy all data.

Analysis Phase:

The Analysis Phase takes the acquired data and examines it to identify pieces of evidence. There are three major categories of evidence we are looking for:

Inculpatory Evidence: evidence which supports a given theory.

Exculpatory Evidence: evidence which contradicts a given theory.

Evidence of tampering: evidence which cannot be related to any theory, but shows that the system was tampered with to avoid identification.

This phase includes examining file and directory contents and recovering deleted content. The scientific method is used in this phase to draw conclusions based on the evidence that was found. Tools in this phase will analyze a file system to list directory contents and names of deleted files, perform deleted file recovery, and present data in a format that is most useful. This phase should use an exact copy of the original, which can be verified by calculating an MD5 checksum. It is important that these tools show all data that exists in an image. Regardless of the investigation setting (corporate, federal, or military), the steps performed in the acquisition and analysis phases are similar because they are dominated by technical issues, rather than legal ones.

Presentation Phase:

The Presentation Phase, though, is based entirely on policy and law, which are different for each setting. This phase presents the conclusions and corresponding evidence from the investigation. In a corporate investigation, the audience typically includes the general counsel, human resources, and executives. Privacy laws and corporate policies dictate what is presented. In a legal setting, the audience is typically a judge and jury, but lawyers must first evaluate the evidence before it is entered. In order to be admissible in a United States legal proceeding, scientific evidence must pass the so-called "Daubert Test", which stems from the U.S. Supreme Court. Previously, under the "Frye Test", courts placed responsibility for identifying acceptable procedures on the scientific community using peer-reviewed journals. However, as not every field has peer-reviewed journals, the Daubert Test offered additional methods of testing the quality of evidence.
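The acquisition and analysis phases above hinge on two checks: the copy must be bit-for-bit complete, and the examiner must be able to prove later that the working copy still matches what was acquired. The following Python script is an added example, not code from the paper or from any forensic product, that images a "suspect device" (a constructed file standing in for a drive), hashes the bytes as they are copied, re-hashes source and image independently, and writes the acquisition record that a finding report would cite. The paper mentions MD5; because MD5 is no longer collision-resistant, the example records SHA-256 alongside it, which is current practice. The examiner name and file names are placeholders.

```python
"""Added example: bit-stream acquisition with hash verification.
The 'suspect device' is a constructed file so the script runs offline."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 64 * 1024                       # stream in blocks; never load a whole drive
ALGORITHMS = ("md5", "sha256")          # MD5 as in the paper, SHA-256 for collision resistance


def hash_stream(path):
    """Hash every byte of a file or device in one read-only pass -> {algo: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:        # read-only: the suspect device is never opened for writing
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire_image(source, image_path):
    """Bit-stream copy source -> image_path, hashing the bytes as they are read.
    Returns the hashes of exactly what was copied."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
            dst.write(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(source, image_path):
    """Independently re-hash source and image; every algorithm must agree."""
    src_hashes = hash_stream(source)
    img_hashes = hash_stream(image_path)
    return src_hashes == img_hashes, src_hashes, img_hashes


def acquisition_record(source, image_path, examiner):
    """Acquisition log entry: who imaged what, when, and the hashes proving the copy is exact."""
    copied = acquire_image(source, image_path)
    ok, src_hashes, img_hashes = verify_image(source, image_path)
    return {
        "examiner": examiner,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "source": source,
        "image": image_path,
        "size_bytes": os.path.getsize(image_path),
        "hashes_during_copy": copied,
        "hashes_source_after": src_hashes,
        "hashes_image": img_hashes,
        # verified only if the copy, the source re-read and the image all agree
        "verified": ok and copied == img_hashes,
    }


def demo():
    """Constructed suspect device: a marker string plus 1 MiB of random bytes."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "suspect_device.bin")      # placeholder path
    image = os.path.join(workdir, "evidence001.dd")           # placeholder path
    with open(source, "wb") as fh:
        fh.write(b"CONSTRUCTED-DRIVE-CONTENTS" + os.urandom(1024 * 1024))
    record = acquisition_record(source, image, examiner="Examiner A (hypothetical)")
    # A working copy that was later altered must fail re-verification: flip one byte.
    with open(image, "r+b") as fh:
        fh.seek(100)
        original = fh.read(1)
        fh.seek(100)
        fh.write(bytes([original[0] ^ 0xFF]))
    still_matches, _, _ = verify_image(source, image)
    return {"record": record, "tampered_image_verifies": still_matches}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The record keeps three hash sets on purpose: the hashes computed during the copy, the hashes of the source re-read afterwards, and the hashes of the image. If the first two differ, the suspect device changed while it was being read (no write blocker, or a live system); if the third differs, the image is not faithful. Either mismatch means the acquisition is repeated, not explained away.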
Benefits of professional forensic methodology:

The impartial computer expert who helps during discovery will typically have experience on a wide range of computer hardware and software. This is always beneficial when your case involves hardware and software with which this expert is directly familiar. But fundamental computer design and software implementation is often quite similar from one system to another, and experience in one application or operating system area is often easily transferable to a new system. Unlike paper evidence, computer evidence can often exist in many forms, with earlier versions still accessible on a computer disk. Knowing the possibility of their existence, even alternate formats of the same data can be discovered. The discovery process can be served well by a knowledgeable expert identifying more possibilities that can be requested as possibly relevant evidence.

In addition, during on-site premises inspections, for cases where computer disks are not actually seized or forensically copied, the forensics expert can more quickly identify places to look, signs to look for, and additional information sources for relevant evidence. These may take the form of earlier versions of data files (e.g. memos, spreadsheets) that still exist on the computer's disk or on backup media, or differently formatted versions of data, either created or treated by other application programs (e.g. word processing, spreadsheet, e-mail, timeline, scheduling, or graphic).

Protection of evidence is critical. A knowledgeable computer forensics professional will ensure that a subject computer system is carefully handled to ensure that:

o No possible evidence is damaged, destroyed, or otherwise compromised by the procedures used to investigate the computer.
o No possible computer virus is introduced to a subject computer during the analysis process.
o Extracted and possibly relevant evidence is properly handled and protected from later mechanical or electromagnetic damage.
o A continuing chain of custody is established and maintained.
o Business operations are affected for a limited amount of time, if at all.
o Any client-attorney information that is inadvertently acquired during a forensic exploration is ethically and legally respected and not divulged.

Steps taken by computer forensics specialists:

The computer forensics specialist will take several careful steps to identify and attempt to retrieve possible evidence that may exist on a subject computer system:

o Protects the subject computer system during the forensic examination from any possible alteration, damage, data corruption, or virus introduction.
o Discovers all files on the subject system. This includes existing normal files, deleted yet remaining files, hidden files, password-protected files, and encrypted files.
o Recovers all (or as much as possible) of discovered deleted files.
o Reveals (to the extent possible) the contents of hidden files as well as temporary or swap files used by both the application programs and the operating system.
o Accesses (if possible and if legally appropriate) the contents of protected or encrypted files.
o Analyzes all possibly relevant data found in special (and typically inaccessible) areas of a disk. This includes but is not limited to what is called 'unallocated' space on a disk (currently unused, but possibly the repository of previous data that is relevant evidence), as well as 'slack' space in a file (the remnant area at the end of a file, in the last assigned disk cluster, that is unused by current file data, but once again may be a possible site for previously created and relevant evidence).
o Prints out an overall analysis of the subject computer system, as well as a listing of all possibly relevant files and discovered file data. Further, provides an opinion of the system layout, the file structures discovered, any discovered data and authorship information, any attempts to hide, delete, protect, or encrypt information, and anything else that has been discovered and appears to be relevant to the overall computer system examination.
o Provides expert consultation and/or testimony, as required.
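The list above describes 'unallocated' space and 'slack' space in words; the following Python example is added here to show concretely why deleted data survives in both places. It is not code from the paper or from any forensic tool: it builds a toy cluster-based disk in memory (64-byte clusters, a directory, an allocation bitmap, all constructed), writes and deletes files the way a simple file system does, and then runs the analysis-side functions a forensic tool would apply to an image: enumerate unallocated clusters, extract a file's slack, and carve printable strings from both. File names and contents are constructed sample data.

```python
"""Added example: where deleted data survives on a toy cluster-based disk.
Everything (disk, files, 'delete') is constructed in memory."""
import re

CLUSTER = 64        # bytes per cluster; tiny so the whole disk is easy to inspect
N_CLUSTERS = 16


class ToyDisk:
    """Minimal file system: a directory, an allocation bitmap, and raw cluster data."""

    def __init__(self):
        self.data = bytearray(N_CLUSTERS * CLUSTER)
        self.directory = {}                  # name -> {"size": int, "clusters": [idx, ...]}
        self.allocated = [False] * N_CLUSTERS

    def write_file(self, name, content):
        needed = -(-len(content) // CLUSTER)  # ceiling division
        free = [i for i, used in enumerate(self.allocated) if not used]
        if len(free) < needed:
            raise OSError("disk full")
        clusters = free[:needed]
        for n, idx in enumerate(clusters):
            chunk = content[n * CLUSTER:(n + 1) * CLUSTER]
            start = idx * CLUSTER
            # Only the bytes actually written are replaced; the remainder of the
            # cluster keeps whatever was there before. That remainder is slack space.
            self.data[start:start + len(chunk)] = chunk
            self.allocated[idx] = True
        self.directory[name] = {"size": len(content), "clusters": clusters}

    def delete_file(self, name):
        """An ordinary delete frees the clusters; it does not wipe their bytes."""
        entry = self.directory.pop(name)
        for idx in entry["clusters"]:
            self.allocated[idx] = False

    def read_file(self, name):
        """What the user sees: only the logical size is returned, never the slack."""
        entry = self.directory[name]
        raw = b"".join(bytes(self.data[i * CLUSTER:(i + 1) * CLUSTER]) for i in entry["clusters"])
        return raw[:entry["size"]]


# ---- analysis side: what a forensic tool does on the image ----

def unallocated_space(disk):
    """Concatenate every cluster the bitmap marks free; deleted files live here."""
    return b"".join(bytes(disk.data[i * CLUSTER:(i + 1) * CLUSTER])
                    for i in range(N_CLUSTERS) if not disk.allocated[i])


def file_slack(disk, name):
    """Bytes between a file's logical end and the end of its last cluster."""
    entry = disk.directory[name]
    last = entry["clusters"][-1]
    used_in_last = entry["size"] - (len(entry["clusters"]) - 1) * CLUSTER
    start = last * CLUSTER + used_in_last
    return bytes(disk.data[start:(last + 1) * CLUSTER])


def carve_strings(blob, min_len=8):
    """Recover runs of printable ASCII, the simplest form of content carving."""
    return [m.group().decode() for m in re.finditer(rb"[ -~]{%d,}" % min_len, blob)]


def demo():
    disk = ToyDisk()
    # constructed sample files
    disk.write_file("memo.txt", b"MEMO: the transfer to account 123 is scheduled for Friday" + b"\n" * 20)
    disk.write_file("notes.txt", b"NOTES: nothing to see here" * 3)
    disk.write_file("draft.txt", b"DRAFT: meeting moved to the warehouse at 9pm")
    disk.delete_file("memo.txt")           # user deletes both files
    disk.delete_file("draft.txt")
    disk.write_file("tiny.txt", b"ok")     # new 2-byte file reuses memo's first cluster
    return {
        "unallocated": carve_strings(unallocated_space(disk)),   # draft survives untouched
        "slack_of_tiny": carve_strings(file_slack(disk, "tiny.txt")),  # memo remnant after 'ok'
        "tiny_contents": disk.read_file("tiny.txt"),             # the user-visible view
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Two effects show up in the result: draft.txt is recovered whole from unallocated space because nothing has reused its cluster, while memo.txt's first cluster was partly overwritten by tiny.txt, so all but its first two bytes are readable in tiny.txt's slack even though the normal read of tiny.txt returns only "ok". This is also why the analysis tools in the paper must show all data in an image, not just the files the directory lists.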
Who can use computer forensic evidence?

Many types of criminal and civil proceedings can and do make use of evidence revealed by computer forensics specialists:

o Criminal Prosecutors use computer evidence in a variety of crimes where incriminating documents can be found: homicides, financial fraud, drug and embezzlement record-keeping, and child pornography.
o Civil litigations can readily make use of personal and business records found on computer systems that bear on fraud, divorce, discrimination, and harassment cases.
o Insurance Companies may be able to mitigate costs by using discovered computer evidence of possible fraud in accident, arson, and workman's compensation cases.
o Corporations often hire computer forensics specialists to ascertain evidence relating to sexual harassment, embezzlement, theft or misappropriation of trade secrets and other internal/confidential information.
o Law Enforcement Officials frequently require assistance in pre-search warrant preparations and post-seizure handling of the computer equipment.
o Individuals sometimes hire computer forensics specialists in support of possible claims of wrongful termination, sexual harassment, or age discrimination.

Computer forensics examples:

Example One: The case of Chandra Levy, a Washington intern, caused a great stir within the community when she disappeared. She went missing on April 30, 2001. While her whereabouts were unknown, she had used the Internet as well as e-mail to organize travel arrangements and to communicate with her parents. The use of this technology helped a computer criminalist to trace her whereabouts. The information found on her computer led the police to her location, even though she had been missing for one year.

Example Two: A final example of how computer forensics is affecting the current workplace is the aspect of security. Employees' work computers are now being monitored to ensure no illegal actions are taking place in the office. Companies also have heightened security so outsiders cannot access their confidential files. If this security is broken, a company is then able to use computer forensics to trace back which computer was tampered with and what information was extracted from it, possibly leading to the guilty parties and other potential parties involved.

Conclusion:

Computers are not going away, and neither is computer forensics. Its usage is significant for protecting the innocent as well as prosecuting the guilty. The law enforcement community has made a major commitment in resources and funds to increase the use of computer forensics in investigations. Attorneys today, therefore, should have at least a basic understanding of computer forensics and when its use is practical. Finally, computer forensics has become its own area of scientific expertise, with accompanying coursework and certification.

References: www.ncfs.ucf.edu