
INTRODUCTION

ABSTRACT

Page | 1
INTRODUCTION

Far more information is retained on a computer than most people realize, and it is also more
difficult to completely remove information than is generally thought. For these reasons (and many
more), computer forensics can often find evidence of, or even completely recover, lost or deleted
information, even if it was intentionally deleted.

The aim of computer forensic experts is not only to identify the criminal but also to find the
evidence and present it in a manner that leads to legal action against the culprit.

Data lost intentionally or accidentally can be recovered with the help of data recovery experts.
Computer forensics is one such discipline, in which the cause of the data loss is also identified.

There are many definitions of computer forensics; generally, the term refers to the detailed
investigation of computers to carry out the required tasks. It examines the data held on the
computer to establish what exactly happened to the computer and who is responsible for it.

The investigation process starts with an analysis of the situation on the ground and moves on to
the internals of the computer's operating system.

Computer forensics is a broader concept mainly concerned with crimes committed using computers
that are against the law. Various laws have been enacted to deal with these crimes, but they still
occur, and the criminal is often difficult to identify for lack of evidence. All these difficulties
can be overcome with the help of computer forensics.


HISTORY


HISTORY OF COMPUTER FORENSICS

Prior to the 1980s, crimes involving computers were dealt with using existing laws. The first
computer crimes were recognized in the 1978 Florida Computer Crimes Act, which included
legislation against the unauthorized modification or deletion of data on a computer system. Over
the next few years the range of computer crimes being committed increased, and laws were
passed to deal with issues of copyright, privacy/harassment (e.g., cyber bullying, cyber stalking
and online predators) and child pornography. It was not until the 1980s that federal laws began to
incorporate computer crime. Canada was the first country to pass legislation, in 1983. This was
followed by the US Federal Computer Fraud and Abuse Act in 1986, Australian amendments to
their crimes acts in 1989 and the British Computer Abuse Act in 1990. More recently, concern
over cyber warfare and cyber terrorism has become an important issue. A February 2010 report
by the U.S. Joint Forces Command concluded:

"Through cyberspace, enemies will target industry, academia, government, as well as the
military in the air, land, maritime, and space domains. In much the same way that airpower
transformed the battlefield of World War II, cyberspace has fractured the physical barriers that
shield a nation from attacks on its commerce and communication."

In response to the growth in computer crime during the 1980s and 1990s, law enforcement
agencies began to establish specialized investigative groups, usually at the national level.
Throughout the 1990s there was high demand for these resources, leading to the creation of
regional and even local units. During this period the science of digital forensics grew out of
ad-hoc tools and techniques developed by practitioners. This is in contrast to other forensic
disciplines, which developed from work by the scientific community. The rapid development of the
discipline resulted in a lack of standardization and training. In his 1995 book, "High-Technology
Crime: Investigating Cases Involving Computers", K. Rosenblatt writes: "Seizing, preserving,
and analyzing evidence stored on a computer is the greatest forensic challenge facing law
enforcement in the 1990s. Although most forensic tests, such as fingerprinting and DNA testing,
are performed by specially trained experts the task of collecting and analyzing computer
evidence is often assigned to patrol officers and detectives".

In 2002, in response to this need, the Scientific Working Group on Digital Evidence (SWGDE)
published its "Best practices for Computer Forensics". A subsequent 2005 ISO standard (ISO
17025, General requirements for the competence of testing and calibration laboratories) was
published, and commercial companies began to offer certification and training programs.


INTRODUCTION TO DIGITAL FORENSICS


Digital forensics (sometimes digital forensic science) is a branch of forensic science
encompassing the recovery and investigation of material found in digital devices, often in
relation to computer crime.

The term was originally used as a synonym for computer forensics but has expanded to cover
other devices capable of storing digital data. The discipline evolved in a haphazard manner
during the 1990s, and it was not until the early 2000s that national policies were created.

Investigations often take one of three forms: forensic analysis (where evidence is recovered to
support or oppose a hypothesis before a criminal court), eDiscovery (a form of discovery related
to civil litigation) or intrusion investigation (a specialist investigation into the nature
and extent of an unauthorized network intrusion).

The science of digital forensics is divided into several sub-branches: computer forensics,
network forensics, database forensics and mobile device forensics.

As well as identifying direct evidence of a crime, digital forensics can be used to attribute
evidence to specific suspects, confirm alibis or statements, determine intent, identify sources (for
example, in copyright cases) or authenticate documents. Investigations are much broader in
scope than other areas of forensic analysis (where the usual aim is to provide answers to a series
of simpler questions), often involving complex timelines or hypotheses.

Branches:

Digital forensics includes several sub-branches relating to the investigation of various types of
devices, media or artifacts.

Computer forensics
The goal of computer forensics is to explain the current state of a digital artifact, such as a
computer system, storage medium or electronic document. The discipline usually covers
computers, embedded systems (digital devices with rudimentary computing power and onboard
memory) and static memory (such as USB pen drives).


Computer forensics can deal with a broad range of information, from logs (such as internet
history) through to the actual files on the drive. In 2007 prosecutors used a spreadsheet recovered
from the computer of Joseph E. Duncan III to show premeditation and secure the death penalty.
Sharon Lopatka's killer was identified in 2006 after email messages from him detailing torture
and death fantasies were found on her computer.

Mobile device forensics

[Figure: mobile phones in a UK evidence bag]

Mobile device forensics is a sub-branch of digital forensics relating to the recovery of digital
evidence or data from a mobile device. It differs from computer forensics in that a mobile device
will have an inbuilt communication system (e.g. GSM) and, usually, proprietary storage
mechanisms. Investigations usually focus on simple data such as call data and communications
(SMS/email) rather than in-depth recovery of deleted data. SMS data from a mobile device
investigation helped to exonerate Patrick Lumumba in the murder of Meredith Kercher.
Mobile devices are also useful for providing location information, either from inbuilt
GPS/location tracking or via cell site logs (which track the devices within their range). Such
information was used to track down the kidnappers of Thomas Onofri in 2006.

Network forensics

Network forensics relates to the monitoring and analysis of computer network traffic (on both
local networks and the WAN/internet) for the purposes of information gathering, legal evidence or
intrusion detection. Traffic is intercepted (usually at the packet level) and either stored for later
analysis with specialist tools or filtered in real time for relevant information. Unlike other areas
of digital forensics, network data is often volatile and seldom logged, which often makes the
discipline reactionary.

In 2000 the FBI lured computer hackers Aleksey Ivanov and Gorshkov to the United States for a
fake job interview. By monitoring network traffic from the pair's computers they managed to
identify passwords which let them collect evidence directly from computers back in Russia.

Database forensics
Database forensics is a branch of digital forensics relating to the forensic study of databases and
their metadata. Investigations use database contents, log files and in-RAM data in order to build
a time-line or recover relevant information.


COMPUTER FORENSICS


Computer forensics is the collection, preservation, analysis, and presentation of computer-related
evidence. Computer evidence can be useful in criminal cases, civil disputes, and human
resources/employment proceedings.

The aim of computer forensic experts is not only to identify the criminal but also to find the
evidence and present it in a manner that leads to legal action against the culprit. The major forms
of criminal activity involving computers are:

- Unauthorized use of computers, mainly by stealing a username and password
- Accessing the victim's computer via the internet
- Releasing a malicious computer program, i.e. a virus
- Harassment and stalking in cyberspace
- E-mail fraud
- Theft of company documents

Computer forensics facilitates the organized and careful detection of computer-related crime and
abuse cases. The computer forensics expert should have a great deal of knowledge of data
recovery software as well as hardware, and should possess the qualifications and knowledge
required to carry out the task.

Computer forensics (sometimes computer forensic science) is a branch of digital forensic
science pertaining to legal evidence found in computers and digital storage media.

The goal of computer forensics is to explain the current state of a digital artifact, such as a
computer system, a storage medium (e.g. hard disk or CD-ROM) or an electronic document (e.g. an
email message or JPEG image). The scope of a forensic analysis can vary from simple
information retrieval to reconstructing a series of events.

Basics of Computer Forensics:

Computer forensics is the art of finding evidence that is valid in legal terms. There are also
standards that must be followed when acquiring the evidence. Computer crime is increasing at an
alarming rate, and the procedures currently required for curbing it are not sufficient to counter
it. Hence new laws are being introduced to deal with computer crime and related issues.


The basic things required of a computer forensics professional include a proper understanding of
computer hardware and software, an understanding of ethics and legalities, and a thorough
knowledge of computer operating systems as well as file systems. The first thing the computer
forensics professional must do when a case is handed over to him or his team is a detailed case
study.

Crime scene investigation is also an important task that should have priority, since further
investigation is based on it. Computer forensics experts must identify the suspects and the sources
from which evidence can be collected. They are also required to preserve the digital evidence and
extract from it sufficient information that can be produced before a court of law.

The next step is analysis of the evidence. A thorough analysis of the evidence is needed before
the case can be presented before the court. The findings should then be documented properly, and
all the information in the form of evidence should be presented before the authority concerned.

The detailed tasks to be performed include acquisition of the electronic evidence and securing the
data and relevant information, including the machine. Once the machine has been acquired, the
following tasks need to be performed. The surroundings of the machine should be examined and
documented.

The next step is to record the open applications. When the machine is acquired, it is moved out
of the crime scene to a secluded place where the evidence cannot be tampered with; hence it
should be powered down carefully. A proper check for traps should be carried out so that no
unintentional action causes the deletion of data or information that could prove vital in further
proceedings.

The next thing that needs attention is to document the hardware involved. It is desirable that
the documentation be carried out in the presence of a senior official. The best practice in any
investigation is to make a complete copy of the storage media, so that further examination of the
media does not damage the original. Scanning of emails is also an important task: a large quantity
of email or data may reside on the computer and need to be scanned. It is advisable for the
computer forensics professional to start the investigation from the visible and easily observable
data and then proceed further into the depths of the operating system files. No piece of important
information should be neglected.

Data Security
Computer forensics and the security of data are related: computer forensics can be applied for the
purpose of data security as well. Computer forensics experts are required to have a great deal of
knowledge of system administration too. It is also the duty of the system administrator to support
and maintain the software tools so that an intrusion can be detected at the earliest opportunity.
Data security is important in any corporate organization.

Data security may be required for individual standalone systems as well as for systems connected
over a network. The subject of computer forensics also requires knowledge of data recovery
processes. Data security can broadly be classified into two aspects: data corruption or damage,
and damage or theft of information due to human interaction. In both cases the services of a
computer forensics expert can be engaged. The legality of the process is also important; the
legislation in various countries gives good support to the services of computer forensics.

Information systems and network systems are easily prone to damage if appropriate measures are
not taken at the outset. The term forensics primarily means the recovery and analysis of possible
evidence. In the case of computer crimes the evidence is the data or information that can
effectively be used in a legal prosecution that may lead to the punishment of the culprit.

Evidence in computer forensics may take many forms. An analogy can be drawn with fingerprints
left on a window or some other object that can be recorded as evidence, or with DNA evidence
recovered from blood stains or samples. The same is the case in computer forensics.

The difference is that files on storage media such as hard disk drives, floppy disks, tape drives
and optical disks must be recovered and proper evidence made from that information. Since
computer forensics is a new discipline, there is little standardization and consistency across
courts of law and industries, although many steps have been taken, and governments are providing
the required support by passing new laws and legislation.

In some cases the storage media may be physically damaged, or the data storage device may have
been moved. If the storage device itself has been stolen, the task is much more tedious. Data
security is important where the information is considered sensitive or secret to the functioning
of the organization.

In some cases there are also disasters and natural calamities such as earthquakes, volcanoes,
fire, hurricanes, etc. In such cases the computer forensics expert is required to run the data
recovery process to recover the data. Computer forensics services are most often engaged in cases
of sabotage and mishandling of data or information. The task of the computer forensic expert
becomes much harder when the tracks have been erased.

Computer Forensic Service

There are many different areas of computing in which computer forensics services are employed.
Most computer forensics services are useful to an organization; they are especially useful in
professional environments where the requirement is high. Computer forensics services also include
investigative assistance, and computer forensics is important in corporate consulting. Forensic
data recovery (FDR) is also a part of computer forensics, and incident response systems also play
a part. The services of computer forensics are engaged by private as well as government
organizations.

The secrecy or privacy of the organization is important in some cases and is maintained as
expected. Some of the important fields in which computer forensics services can be applied
include the following. Incident response and internal investigations can be carried out using
computer forensics. Computer forensics is extensively used in criminal as well as civil
litigation, and many laws support it.

Another aspect of computer forensics is electronic document discovery. Data recovery is a large
topic in itself, but it is sometimes referred to as a part of computer forensics. Security risk
management can also be carried out using computer forensic tools. The services provided by
computer forensics include the development of plans to gather electronic evidence, and computer
forensics can be used to support criminal and civil warrants.


Computer forensics is also useful for electronic discovery requests. A computer forensics
investigation is beneficial for the identification, acquisition, preservation, analysis and
reporting of digital evidence, which may come from desktop computers, laptops, storage servers or
any type of removable storage device. Services are also available for dispute resolution and for
providing expert witness testimony. Its services can also be engaged when conducting audits,
which may involve remote or even network analysis.

Computer forensics services can be engaged for proactive compliance reviews, risk assessment and
the investigation of specific allegations. In corporate consultations the services provided by
the computer forensics professional include the development of in-house standards. The
protection of intellectual property is also a major service.

The protection of corporate assets is also a service of computer forensics. Computer forensic
consultation can be provided to help adhere to federal and provincial privacy legislation.
Electronic file retention policies are also part of the consultancy services of computer
forensics.

Apart from all these services, computer forensics can even be applied to individual case studies
involving personal issues, and to data recovery problems. Intentional misuse of privacy or
personal information can be pursued as a legal case with the help of computer forensics.


COMPUTER FORENSICS PROCESS


A digital forensic investigation commonly consists of three stages: acquisition or imaging of
exhibits, analysis, and reporting.

The first stage, acquisition, involves creating an exact sector-level duplicate (or "forensic
duplicate") of the media, often using a write-blocking device to prevent modification. Both the
acquired image and the original media are hashed (using SHA-1 or MD5). During the analysis
phase an investigator usually recovers evidence material using a number of different
methodologies (and tools). In 2002 the International Journal of Digital Evidence referred to this
stage as "an in-depth systematic search of evidence related to the suspected crime". In 2006,
forensics researcher Brian Carrier described a more "intuitive procedure" in which obvious
evidence is first identified, after which "exhaustive searches are conducted to start filling in the
holes".
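The acquisition stage above hashes both the original media and its image. The following Python script, added here as an illustration and not taken from the original report, shows how that verification is carried out in practice and what record it leaves for the chain of custody; the file names and the sample "drive" content are constructed.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # hash 1 MiB at a time, so a multi-GB image never sits in memory


def hash_file(path, algorithms=("md5", "sha1")):
    """Read the file once and feed every chunk to all requested digests.

    MD5 and SHA-1 are the algorithms the text names; adding "sha256" to the
    tuple is all that is needed to record a stronger digest alongside them.
    """
    digests = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                break
            for digest in digests.values():
                digest.update(chunk)
    return {name: digest.hexdigest() for name, digest in digests.items()}


def verify_image(original_path, image_path):
    """Hash the original media and the forensic duplicate, then compare.

    Returns (match, record). The record is what goes into the acquisition
    notes so the chain of custody shows the copy was verified, and against
    which values any later re-hash of the image can be checked.
    """
    original = hash_file(original_path)
    image = hash_file(image_path)
    match = all(original[name] == image[name] for name in original)
    record = {
        "original": original_path,
        "image": image_path,
        "original_hashes": original,
        "image_hashes": image,
        "verified": match,
    }
    return match, record


def demo():
    """Constructed scenario: a small fake drive, a faithful copy of it, and a
    copy with a single bit changed. Returns (faithful_ok, altered_ok, record)."""
    drive = bytes(range(256)) * 12289  # about 3 MiB of deterministic content
    altered = bytearray(drive)
    altered[len(altered) // 2] ^= 0x01  # one flipped bit in the middle
    with tempfile.TemporaryDirectory() as workdir:
        paths = {}
        for name, content in (("original.dd", drive),
                              ("image_good.dd", drive),
                              ("image_bad.dd", bytes(altered))):
            paths[name] = os.path.join(workdir, name)
            with open(paths[name], "wb") as fh:
                fh.write(content)
        good, _ = verify_image(paths["original.dd"], paths["image_good.dd"])
        bad, record = verify_image(paths["original.dd"], paths["image_bad.dd"])
    return good, bad, record


if __name__ == "__main__":
    faithful_ok, altered_ok, notes = demo()
    print("faithful copy verified:", faithful_ok)
    print("altered copy verified:", altered_ok)
    print(notes)
```

A single changed bit anywhere in the image changes both digests, which is why the comparison is made before any examination of the copy begins.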

Once evidence is recovered, the information is analyzed to reconstruct events or actions and to
reach conclusions, work that can often be performed by less specialist staff. When an
investigation is complete the investigator presents the findings, usually in the form of a written
report, in lay person's terms.

Evidence Tracking
The main function of any computer forensics professional is to track the evidence that can
legally be produced before a court of law. Evidence tracking can be based on examining and
observing the physical locations as well as on thorough examination of data or information. Field
experience is always different from the theoretical procedures; more or less, the procedures that
are required or that can be followed depend upon the situation encountered.

Evidence tracking usually starts with observation of the physical locations during the crime
scene investigation: where the computer system is located and how it can be accessed. The
physical location in question is the address where the crime was committed. The term may also be
used where it relates to a physical memory location.

The first step is to carefully observe and examine the area around the computer system. The
keyboard, mouse and any other peripherals can be subjected to DNA fingerprinting. Moreover the
hard disk drive, as the secondary storage device, and the operating system files are studied in
detail.

Whether it is a single system or a networked PC also matters. Places where evidence can easily be
collected should also be examined. Some of the places that need the attention of the computer
forensics team include the following. The first among them is the computer system itself; the next
in line is the telephone set.

The network connections and the number of systems connected to them also matter in the
investigation. External sources should also be examined in great detail. Any server present on the
network, and its relation to the victim computer system, should be studied and analyzed. The
computer forensics expert needs to put himself in the footsteps of the criminal who might have
committed the crime; to save time, the expert should retrace how the crime would have been
committed. Components such as fax machines, modems and all other peripherals that may have some
link with the computer should be analyzed.

Next, the main part of the analysis starts with the study of the internals of the computer system,
mainly software such as the operating system and the log files associated with it. Many files used
by the operating system can provide vital evidence for the forensics expert. If such files have
been deleted, deleted-data recovery should be initiated to recover them. Efforts should also be
made to analyze and collect evidence from the files that were not deleted. Some examples of files
that can effectively be used as evidence include the following.

The major evidence can be collected from the log files that are generated each time an event
occurs as a result of a user action. These files may sometimes store encrypted information that
needs to be decrypted. Next in line are the temporary (temp) files and the cookies. The
importance of slack space and swap files should not be ruled out either. The cache can also prove
to be important evidence. Usually some sort of toolkit is used for the analysis of evidence.

Digital evidence

[Figure: digital evidence can come in a number of forms]

Where it will be used in a court of law, digital evidence falls under the same legal guidelines as
other forms of evidence; courts do not usually require more stringent guidelines. In the United
States the Federal Rules of Evidence are used to evaluate the admissibility of digital evidence,
the United Kingdom's PACE and Civil Evidence Acts have similar guidelines, and many other
countries have their own laws.

The ease with which digital media can be modified means that documenting the chain of custody
from the crime scene, through analysis and, ultimately, to the court, is important to establish the
authenticity of evidence. Attorneys have argued that because digital evidence can theoretically
be altered it undermines the reliability of the evidence. US judges are beginning to reject this
theory; in the case US v. Bonallo the court ruled that "the fact that it is possible to alter data
contained in a computer is plainly insufficient to establish untrustworthiness".

Digital investigators, particularly in criminal investigations, have to ensure that conclusions are
based upon factual evidence and their own expert knowledge. In the US, for example, Federal
Rules of Evidence state that a qualified expert may testify “in the form of an opinion or
otherwise” so long as:
“(1) The testimony is based upon sufficient facts or data, (2) the testimony is the product of
reliable principles and methods, and (3) the witness has applied the principles and methods
reliably to the facts of the case.”


Many of the sub-branches of digital forensics have their own specific guidelines for handling and
investigating evidence. For example, mobile phones are often acquired inside a Faraday shield to
stop radio traffic to the device, and in the UK the forensic examination of computers in criminal
matters is subject to ACPO guidelines.

[Figure: a portable Tableau write-blocker attached to a hard drive]

Data Analysis
Analysis of computer data is also an important part of computer forensics. A computer forensics
professional is required to audit the data to obtain the required evidence, and the accuracy of
the organization's data needs to be studied. Data analysis is a process with many steps that must
be carried out for a proper investigation. There are tools that can be used to carry out the steps
in data analysis, for example Computer Assisted Auditing Tools and Techniques (CAATT). Data
analysis software also helps by reducing the time needed to carry out the task.

The functions that an auditor can carry out using data analysis software include the following:
running queries over the data; stratification of the data; extraction of data; statistical
analysis of the data; identification of missing sequences in a data segment; and specific
calculations. The steps in data analysis are discussed below.
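The functions just listed (queries, stratification, extraction, statistical analysis and missing-sequence detection) are shown below in a small Python example added here for illustration; it is not part of the original report, and the ledger rows and the amount bands are constructed.

```python
from collections import Counter

# Constructed sample ledger: (invoice number, amount). Not real data.
LEDGER = [
    (1001, 120.00), (1002, 85.50), (1003, 4300.00), (1004, 99.99),
    (1006, 15.00), (1007, 15000.00), (1008, 250.00), (1010, 75.25),
    (1011, 820.00), (1012, 4300.00), (1014, 33.10), (1015, 9999.00),
]

# Amount bands for stratification: (label, lower bound inclusive, upper bound exclusive)
BANDS = [
    ("under_100", 0, 100),
    ("100_to_999", 100, 1000),
    ("1000_to_9999", 1000, 10000),
    ("10000_and_over", 10000, float("inf")),
]


def stratify(rows):
    """Stratification: number of records and total value in each amount band."""
    counts = {label: 0 for label, _, _ in BANDS}
    totals = {label: 0.0 for label, _, _ in BANDS}
    for _, amount in rows:
        for label, low, high in BANDS:
            if low <= amount < high:
                counts[label] += 1
                totals[label] += amount
                break
    return {label: (counts[label], round(totals[label], 2)) for label in counts}


def missing_sequence(rows):
    """Invoice numbers are expected to be contiguous; return the gaps."""
    numbers = sorted(n for n, _ in rows)
    present = set(numbers)
    return [n for n in range(numbers[0], numbers[-1] + 1) if n not in present]


def duplicate_amounts(rows):
    """A typical query: amounts that occur more than once."""
    counter = Counter(amount for _, amount in rows)
    return sorted(a for a, c in counter.items() if c > 1)


def extract(rows, min_amount):
    """Extraction: keep only the records relevant to the question asked."""
    return [(n, a) for n, a in rows if a >= min_amount]


def summary(rows):
    """Statistical analysis and specific calculations over the amounts."""
    amounts = [a for _, a in rows]
    return {
        "count": len(amounts),
        "total": round(sum(amounts), 2),
        "mean": round(sum(amounts) / len(amounts), 2),
        "max": max(amounts),
    }


if __name__ == "__main__":
    print("strata:", stratify(LEDGER))
    print("missing invoice numbers:", missing_sequence(LEDGER))
    print("repeated amounts:", duplicate_amounts(LEDGER))
    print("records of 1000 and over:", extract(LEDGER, 1000))
    print("summary:", summary(LEDGER))
```

Gaps in the invoice sequence and repeated amounts are the kind of anomaly an auditor then follows up with the organization that supplied the data.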

The first step in data analysis is called scoping, in which the auditor determines the objectives
and identifies the organizational systems. The analysis should identify which systems hold
information of potential interest. The next step is to request the information from the
organization concerned. The information requested should be sufficient, relevant and reliable.

The next step comprises the procedures to extract the data. Extracting from the given data the
key information that forms valid evidence is an important task. The extracted information should
provide relevant evidence; in short, only information that is sufficient and relevant need be
considered, and everything else is ignored. The next step involves data import, in which the
computer forensics professional is required to determine the authenticity of the data and verify
the credentials of the information by appropriate investigation.

The next data analysis procedure is data profiling. This step establishes whether the information
provided by the organization is valid, and whether it contains any false information regarding
the behavior and dealings of the organization; it includes, for example, the valuation of credits
and debits. An overall conclusion from the data collected so far then needs to be drawn. The
reporting of this data is carried out in the next step.

The results of the audit must be reported. Reporting may take the form of discussions with team
members or with higher-ups, once all the above steps have been completed satisfactorily and the
information has been collected. Documentation can be kept in research sheets, work papers and
presentations. Other techniques worth mentioning include comparative analysis of data, histograms
and modeling. One notable aspect of data analysis is the continuous monitoring of information.

Data Encryption
Information in a computer system is encrypted to maintain the privacy or secrecy of the subject.
The encrypted file is stored in a location that is not easily identifiable, so that the file does
not leak. Even in the extreme case that a file is found and opened by another person, that person
should still not be able to read it.

After encryption the contents of the file or data are not in a readable format. But the person
who encrypted the file also needs to be able to decrypt it again: the file must be decrypted
before it can be read, and the information needed for decryption is available only to the person
authorized to read it.


A cipher is the algorithm used to encrypt the file. Many ciphers are used for the encryption of
information. Ciphers can be classified as classical ciphers, rotor machines and finally modern
ciphers. Classical ciphers are further classified as substitution ciphers and transposition
ciphers; modern ciphers are classified as public key and private key.

Private key ciphers are again classified as stream and block ciphers. Below are some of the
classical ciphers used in cryptography; these are the algorithms employed for the encryption of
information. They are the Autokey cipher, the Playfair cipher by Charles Wheatstone, the
permutation cipher, and polyalphabetic substitution (the Hill cipher and the Vigenère cipher).

Examples of substitution ciphers include the Caesar cipher (ROT13), the Affine cipher and the
Atbash cipher. Examples of transposition ciphers are the Scytale, the Grille cipher and the VIC
cipher. There are also attacks carried out against classical ciphers, for example frequency
analysis and the index of coincidence.

In the earlier part of the 20th century, text was encrypted using more sophisticated machines
called rotor machines, which were more complex than the earlier encryption techniques. Encryption
methods can be divided into symmetric key algorithms and asymmetric key algorithms. Examples of
symmetric key algorithms include DES (the Data Encryption Standard) and AES (the Advanced
Encryption Standard).

In both the cases the sender and receiver are required to have a shared key. The shared key
should be known to both of them in advance. It is required for both the parties in communication
to keep the information secret from the parties that are involved in the communication. The
sender uses this key for providing the encryption. And then the receiver uses the same key for the
purpose of decryption and reading of the information that is passed over.

In the case of asymmetric key algorithm, for example RSA there are usually two separate keys
public and private. The public key is shared; whereas the private key is not shared with others
except the two parties. The Symmetric key ciphers there are two different types of encryptions
used. They are classified depending on fixed size - block ciphers or in a continuous stream of
symbols - stream ciphers.

Data Security
Computer forensics and data security are related. Computer forensics techniques can also be applied in support of data security. Computer forensics experts are required to have a great deal of knowledge of system administration as well. It is also the duty of the system administrator to support and maintain the software tools so that an intrusion can be detected at the earliest. Data security is important in any corporate organization.

Data security may be required for individual standalone systems as well as for systems connected over a network. The subject of computer forensics also requires knowledge of data recovery processes. Data security can broadly be said to have two aspects: data corruption or damage, and damage or theft of information caused by human action. In both cases the services of a computer forensics expert can be used. The legality of the process is also important; the legislation of various countries gives good support to computer forensics services.

Information systems and network systems are easily damaged if appropriate measures are not taken at the beginning. The term forensics primarily means the recovery and analysis of possible evidence. In the case of computer crimes, the evidence is the data or information that can be used effectively in a legal prosecution that may lead to the punishment of the culprit.

Evidence in computer forensics may take many forms. An analogy can be drawn with fingerprints left on a window, or with DNA evidence recovered from blood stains or samples, both of which are recorded as evidence. The same applies in computer forensics.

The difference is that files on storage media such as hard disk drives, floppy disks, tape drives and optical disks have to be recovered, and proper evidence has to be built from that information. Since computer forensics is a young discipline, there is still little standardization and consistency across courts of law and industries, although many steps have been taken and governments are providing support by passing new laws and legislation.

In some cases the storage media may be physically damaged, or the storage device may have been moved. If the storage device itself has been stolen, the task is much more tedious. Data security matters most where the information is considered sensitive or secret to the functioning of the organization.

In some cases there are also disasters and natural calamities such as earthquakes, volcanoes, fire and hurricanes. In such cases the computer forensics expert is required to run the data recovery process to recover the data. Computer forensics services are used most often in cases of sabotage and mishandling of data or information. The computer forensic expert's task becomes much harder if the tracks have been erased.

Crime Scene Investigation


The first and most important part of any forensic investigation is the crime scene investigation (CSI). The investigative results should be such that the crime scene can be recreated. The investigating professional is usually an officer appointed by the authority. Some of the qualities required of a crime scene investigation professional are mentioned below. The crime scene investigation professional is a required part of the computer forensics team.

The first thing to bear in mind before starting the investigation is to think the way the criminal would have thought while committing the crime, and to analyze the clues he might have left behind. It therefore helps to understand the criminal mindset and the things that make the victim organization vulnerable. The investigator is expected to be well versed with photographic equipment and the processes that need to be carried out. He should be capable of preparing diagrams and collecting evidence with the greatest care in observation. Detailed reports can then be drawn up based on the findings of the preliminary investigation.

Crime scene investigation in a computer crime is similar to the crime scene investigation carried out in other cases such as murder or robbery. Fingerprints on equipment such as the victim computer can be matched to find the person who might have accessed the system. An important difference is that proving in a court of law that the person who accessed the system is the one who committed the crime is difficult.

The use of incident response systems is quite useful. There are different positions and categories in computer crime scene investigation, such as crime scene analysts and crime scene technicians. CSI tools are also available, and the expert should be proficient in their use. Crime scene investigation is one part of computer forensics. Software tools can be used to track the changes that were made during the crime. Further investigation is built on the crime scene investigation.

Access to the computer system and the network areas also needs to be examined thoroughly. Crime scene investigation is based on the principle of first-hand information and the observational power of the professional. The professional's ability to examine the evidence and produce it legally in a court of law matters a lot. Key logger programs can be used to trace the habits of the criminal. A thorough study of the keystrokes that were entered gives the computer forensics expert a way to identify the criminal.

Because a key logger records every keystroke, including usernames and passwords, it yields specific information about the criminal and a timestamp of when the crime might have been committed. Studying key logger output is tedious, since a lot of junk information also has to be scanned. Note that deploying a key logger is itself a monitoring measure that must be authorized in advance; otherwise the evidence it yields may not be admissible. Finding related information by interviewing personnel and witnesses is also part of computer crime scene investigation.

Log File Recovery


For a computer forensic professional, recovery of log files is an important task. Most of computer forensics depends on log files. Let us discuss the importance of log files. Log files are files created by the operating system (and by applications) whenever a task is performed.

From the start of the operating system and the loading of the user's personal settings, the kernel acts as a "Big Brother" that monitors user activity. Log files are system files that record information about the user's activities. Log files contain date and time stamps, so they form a timeline of the user's activities.

If the computer criminal is clever enough not to leave evidence, he may delete or corrupt the log files. Log files are important not only during the investigation but even more so in proving the point in a court of law.

Whatever the truth may be, evidence is what matters in a court of law, so log files play an important role in determining the fate of the computer criminal. If the log files are lost, a data recovery process to recover them should be initiated. Log files are created not only by the operating system but by other application software as well. For example, database application software requires a mandatory login with a password prompt.

Database applications are designed to record the user's activities in a simple text file. This helps in tracking the changes that are made to the database.

Most log files are stored in text format. If the computer administrator was careful enough to deploy a key logger program, the task of the computer forensics professional becomes much simpler. The professional takes the key logger's text file and scans its contents to read the information and the actions carried out by the user.

The key logger program's trick is to store every keystroke typed on the keyboard into a text file. A disadvantage of the key logger is that the forensics professional is left with the task of studying a great deal of irrelevant information, since all keystrokes are recorded.

In some cases the log files may also be in encrypted form. The computer forensics professional should be well versed with all the techniques and the different types of log files, and must be able to decrypt encrypted log files (which requires access to the key).

There are also hardware key loggers that can be used to record information. One example is the 'KeyGhost' key logger, a small device that can store some 5 megabytes of data in text format. It is connected between the keyboard and the computer. Log files play an important role in tracking the culprit of a computer crime.

If they are lost and cannot be recovered, the task of the computer forensics expert becomes very difficult. Hence utmost care must be taken to preserve the log files without tampering with the data in them.
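
As an added example (not from the original report), the following Python parses a few constructed syslog-style authentication log lines, reconstructs a per-user timeline from their timestamps, and flags two indicators the text describes: a privileged command that touches the log directory, and a timestamp that runs backwards, which an append-only log should never show. The sample lines, the assumed log year and the helper names are the example's own.

```python
import re
from datetime import datetime

# Constructed syslog-style auth log lines for the example (not from a real system).
SAMPLE_AUTH_LOG = """\
Mar 14 09:12:01 fileserver sshd[2201]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Mar 14 09:12:05 fileserver sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/rm -f /var/log/auth.log.1
Mar 14 09:40:17 fileserver sshd[2230]: Accepted password for bob from 10.0.0.9 port 51100 ssh2
Mar 14 09:20:44 fileserver sshd[2212]: Failed password for root from 10.0.0.5 port 51040 ssh2
"""

LOG_YEAR = 2010  # assumption: classic syslog timestamps carry no year, so one is supplied

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
LOG_DIRS = ("/var/log", "/var/adm")  # locations whose modification via sudo is suspicious


def _extract_user(prog, msg):
    """Pull the acting user out of sshd and sudo messages; None if not present."""
    if prog == "sudo":
        m = re.match(r"\s*(\S+) :", msg)
    else:
        m = re.search(r"\bfor (?:invalid user )?(\S+) from ", msg)
    return m.group(1) if m else None


def parse_auth_log(text):
    """Turn raw lines into records with a real datetime, the program and the user."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not silently mangled
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        records.append({
            "ts": ts, "host": m["host"], "prog": m["prog"], "msg": m["msg"],
            "user": _extract_user(m["prog"], m["msg"]), "raw": line,
        })
    return records


def user_timeline(records, user):
    """All records attributed to one user, in file order."""
    return [r for r in records if r["user"] == user]


def find_out_of_order(records):
    """Indices of records whose timestamp precedes the previous record's.
    Syslog appends in order, so a backwards jump suggests insertion or editing."""
    return [i for i in range(1, len(records)) if records[i]["ts"] < records[i - 1]["ts"]]


def find_log_tampering(records):
    """Indices of sudo commands whose COMMAND= touches a log directory."""
    hits = []
    for i, r in enumerate(records):
        if r["prog"] != "sudo":
            continue
        m = re.search(r"COMMAND=(?P<cmd>.*)$", r["msg"])
        if m and any(d in m["cmd"] for d in LOG_DIRS):
            hits.append(i)
    return hits


if __name__ == "__main__":
    recs = parse_auth_log(SAMPLE_AUTH_LOG)
    for i in find_log_tampering(recs):
        print("possible log tampering:", recs[i]["raw"])
    for i in find_out_of_order(recs):
        print("timestamp goes backwards at line", i + 1, ":", recs[i]["raw"])
```

A backwards timestamp is only an indicator, not proof: clock changes and NTP corrections produce the same pattern, so the examiner corroborates it against other sources (the sudo entry here, file system timestamps, a remote syslog copy) before drawing a conclusion.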

Examples:
Computer forensics has played a pivotal role in many cases.

BTK Killer
Dennis Rader was convicted of a string of serial killings that occurred over a period of
sixteen years. Towards the end of this period, Rader sent letters to the police on a floppy
disk. Metadata within the documents implicated an author named "Dennis" at "Christ
Lutheran Church"; this evidence helped lead to Rader's arrest.

Joseph E. Duncan III


A spreadsheet recovered from Duncan's computer contained evidence which showed him
planning his crimes. Prosecutors used this to show premeditation and secure the death
penalty.
Sharon Lopatka
Hundreds of emails on Lopatka's computer led investigators to her killer, Robert Glass.

COMPUTER FORENSICS
TOOLS

Tools:
No matter how limited a department's budget is, no credible investigator would stoop to
wrenching open a computer to find clues.

Programmers have created many computer forensics applications. For many police departments,
the choice of tools depends on department budgets and available expertise.

Here are a few computer forensics programs and devices that make computer investigations
possible:

Disk imaging software records the structure and contents of a hard drive. With such software it is possible not only to copy the information on a drive, but also to preserve the way files are organized and their relationship to one another. A bit-for-bit image also captures unallocated space and file slack, where deleted data may still reside.

Software or hardware write blockers sit between the examiner's workstation and the suspect drive and stop any write from reaching it, so that the drive can be copied bit by bit without changing any information on the original. Both kinds of tool avoid altering the source; some require investigators to remove the hard drive from the suspect's computer before making the copy.

Hashing tools compare original hard disks to copies. The tools run a cryptographic hash over the data and produce a fixed-length digest that acts as a fingerprint. If the hash values of the original and the copy match, the copy is a bit-for-bit replica of the original as it was at the time the hash was taken. Because collisions have been demonstrated for MD5 and SHA-1, examiners record a second, stronger hash (for example SHA-256) alongside any legacy value.
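
As an added example (not code from the original report or from any imaging product), the following Python shows the acquire-and-verify discipline described above: the source is streamed read-only into an image file while being hashed, the finished image is hashed independently, and both digests must agree. It then flips one bit in the image to show that verification fails. The sample "device" is a constructed file; the function names are the example's own.

```python
import hashlib
import os
import tempfile

CHUNK_SIZE = 1 << 16  # 64 KiB reads: efficient, yet small enough to stream large devices


def hash_file(path, algo="sha256"):
    """Hash a file from start to end without loading it all into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(source, dest, algo="sha256"):
    """Copy `source` to `dest` bit for bit, hashing the source as it is read.

    The source is opened read-only; on a real case it would additionally sit behind a
    write blocker, since opening "rb" does not stop the OS from touching the device.
    Returns (source_hash, image_hash): the digest taken during acquisition and an
    independent digest of the finished image, which must agree.
    """
    src_hash = hashlib.new(algo)
    with open(source, "rb") as s, open(dest, "wb") as d:
        for chunk in iter(lambda: s.read(CHUNK_SIZE), b""):
            src_hash.update(chunk)
            d.write(chunk)
    return src_hash.hexdigest(), hash_file(dest, algo)


def verify_image(source, image, algo="sha256"):
    """Re-hash both sides afterwards; True only if every bit still matches."""
    return hash_file(source, algo) == hash_file(image, algo)


def make_sample_device(path, size=300_000):
    """Constructed stand-in for a suspect drive: deterministic but non-trivial bytes."""
    with open(path, "wb") as f:
        pattern = bytes(range(256)) * 4
        written = 0
        while written < size:
            block = hashlib.sha256(pattern + written.to_bytes(8, "big")).digest()
            f.write(block[: min(32, size - written)])
            written += 32


def run_demo():
    """Acquire an image, verify it, then flip one bit in the image and verify again.

    Returns (verified_before, verified_after_tamper)."""
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "suspect.dd")
        image = os.path.join(tmp, "case001.dd")
        make_sample_device(device)
        acquired, finished = image_device(device, image)
        ok_before = acquired == finished and verify_image(device, image)
        # Simulate a one-bit corruption of the image copy.
        with open(image, "r+b") as f:
            f.seek(12345)
            b = f.read(1)
            f.seek(12345)
            f.write(bytes([b[0] ^ 0x01]))
        ok_after = verify_image(device, image)
    return ok_before, ok_after


if __name__ == "__main__":
    print(run_demo())  # (True, False)
```

Record both digests in the case notes at acquisition time; a later re-hash that differs means the image (or the original) has changed since, and the one-bit flip above shows that even the smallest change is caught.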

Investigators use file recovery programs to search for and restore deleted data. These
programs locate data that the computer has marked for deletion but has not yet overwritten.
Sometimes this results in an incomplete file, which can be more difficult to analyze.
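
As an added example (not from the original report or any recovery product), the following Python carves PNG files out of a constructed buffer standing in for unallocated space. It finds each PNG signature and follows the chunk structure to the IEND marker, so a file whose tail was overwritten is returned with an explicit incomplete flag, the case the paragraph above warns about. The sample buffer and the minimal PNG are built inline; the function names are the example's own.

```python
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _png_chunk(ctype, data):
    """PNG chunk layout: 4-byte length, 4-byte type, data, CRC32 over type+data."""
    return (len(data).to_bytes(4, "big") + ctype + data
            + zlib.crc32(ctype + data).to_bytes(4, "big"))


def build_png():
    """A minimal valid 1x1 RGB PNG, constructed here so the example runs offline."""
    ihdr = (1).to_bytes(4, "big") * 2 + bytes([8, 2, 0, 0, 0])
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one black pixel
    return (PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat)
            + _png_chunk(b"IEND", b""))


def _walk_png_chunks(data, pos):
    """Follow the chunk structure from just after the signature.

    Returns (end_offset, complete). complete is False when the chunks run off the
    end of the buffer or dissolve into non-chunk bytes before IEND is reached."""
    while pos + 8 <= len(data):
        length = int.from_bytes(data[pos:pos + 4], "big")
        ctype = data[pos + 4:pos + 8]
        if not ctype.isalpha():      # chunk types are ASCII letters; anything else is overwritten data
            return pos, False
        nxt = pos + 12 + length      # length + type + data + crc
        if nxt > len(data):
            return len(data), False  # truncated inside this chunk
        if ctype == b"IEND":
            return nxt, True
        pos = nxt
    return len(data), False


def carve_pngs(data):
    """Find every PNG signature in a raw buffer and carve the file that follows it."""
    found = []
    pos = data.find(PNG_SIG)
    while pos != -1:
        end, complete = _walk_png_chunks(data, pos + len(PNG_SIG))
        found.append({"offset": pos, "length": end - pos, "complete": complete,
                      "data": data[pos:end]})
        pos = data.find(PNG_SIG, pos + 1)
    return found


SAMPLE_PNG = build_png()
# Constructed stand-in for unallocated space: slack, one intact deleted PNG, more
# slack, then a second PNG whose tail (part of IDAT and all of IEND) was overwritten.
SAMPLE_DISK = (b"\x00" * 64 + b"DELETED FILE SLACK" + SAMPLE_PNG
               + b"\xff" * 32 + SAMPLE_PNG[:-17])


if __name__ == "__main__":
    for f in carve_pngs(SAMPLE_DISK):
        print(f"offset={f['offset']} length={f['length']} complete={f['complete']}")
```

Walking the chunk structure rather than searching for the IEND footer is what makes the incomplete case explicit: a footer search would either miss the truncated file or attach the next file's footer to it. Fragmented files (whose clusters are not contiguous) defeat this simple carver and need a file-system-aware recovery.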

There are several programs designed to preserve the information in a computer's random access memory (RAM). Unlike information on a hard drive, the data in RAM ceases to exist once someone shuts off the computer. Without the right software, this information could easily be lost.

Analysis software sifts through all the information on a hard drive, looking for specific content. Because modern computers can hold gigabytes of information, it is very difficult and time consuming to search computer files manually. For example, some analysis programs search and evaluate Internet cookies, which can tell investigators about the suspect's Internet activities. Other programs let investigators search for specific content that may be on the suspect's computer system.

Encryption decoding software and password cracking software are useful for accessing protected data.

Phoning It In

Cell phones can contain important information. A cell phone is essentially a small computer. A few computer forensics vendors offer devices that can copy all the contents of a cell phone's memory and print a comprehensive report. These devices retrieve everything from text messages to ring tones.

These tools are only useful as long as investigators follow the right procedures. Otherwise, a good defense lawyer could suggest that any evidence gathered in the computer investigation isn't reliable. Of course, a few anti-forensics experts argue that no computer evidence is completely reliable.

Whether courts continue to accept computer evidence as reliable remains to be seen. Anti-
forensics experts argue that it's only a matter of time before someone proves in a court of law
that manipulating computer data without being detected is both possible and plausible. If that's
the case, courts may have a hard time justifying the inclusion of computer evidence in a trial or
investigation.

Techniques:
One of the first things you need to do is take the compromised system out of the picture. Live View, an open source utility, creates a virtual machine out of the existing system (more precisely, out of a raw image of its disk). If it doesn't detect VMware Workstation 5.5 or VMware Server 1.x, it will download it for you.

Live View creates a virtual disk out of the system that allows you to safely investigate a copy of the system without interfering with anything installed. Alternatively, you could use VMware Converter to create a vmdk (virtual machine disk) for use in more recent versions of Server or Workstation.

Once you've booted the system you can go to Merijn's site and download StartupList. This is a good way to start the investigation of a system and determine what might have been placed on the system to restart each time the system does. You can also use HijackThis as an additional tool to rule out obvious malware or other items that tie themselves into the registry.

The next trick is to determine what files, beyond the usual ones, are open. On Linux we use lsof, which lists open files, but Windows has no similar command by default. Instead there is OpenedFilesView, a Windows executable that lists all open files and the processes holding them, both local and network based, on the system.

While that's running, Wireshark lets you review all network traffic to see if anything unexpected is being sent to another location. If there is, it's worthwhile to enable a firewall to block the traffic or, better yet, pull the network cable to stop intellectual property being stolen from the system. Bear in mind that every tool you run on the live system alters its state, so capture volatile data (RAM, network connections) before the cable is pulled and document what you ran and when.

This allows us to determine if anything suspicious exists in the system while it's running live.
Once this has been completed, you can look into determining what has been changed.

Helix 3, a newly updated version of the live Linux forensics distribution, can be used to examine the disk safely to see what has actually been changed. Forensics of a system is critical to knowing what has been compromised. It is one thing to know we've been attacked, but another to find out what those attackers have done to the system.

If we don't look into what happened we may miss critical data being compromised, or fail to learn how the system was first broken into. Once this investigation is done, we can rebuild the system with appropriate additional security in place to prevent the attack from happening again.

And we can do this all at minimal cost, an important factor to consider in this day and age of economic belt-tightening.

Live view:

Live View is a Java-based graphical forensics tool that creates a VMware virtual machine out of
a raw (dd-style) disk image or physical disk. This allows the forensic examiner to "boot up" the
image or disk and gain an interactive, user-level perspective of the environment, all without
modifying the underlying image or disk. Because all changes made to the disk are written to a
separate file, the examiner can instantly revert all of his or her changes back to the original
pristine state of the disk. The end result is that one need not create extra "throw away" copies of
the disk or image to create the virtual machine.

Live View is capable of booting:

Full disk raw images
Bootable partition raw images
Physical disks (attached via a USB or FireWire bridge)
Specialized and closed image formats (using 3rd party image mounting software)

containing the following operating systems:

Windows 2008, Vista, 2003, XP, 2000, NT, Me, 98
Linux (limited support)

Behind the scenes, Live View automates a wide array of technical tasks. Some of these include: resolving hardware conflicts resulting from booting on hardware other than that on which the OS was originally installed; creating a customized MBR for partition-only images; and correctly specifying a virtual disk to match the original image or physical disk.

Live View is developed by CERT, Software Engineering Institute
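
As an added example (not Live View's code, and not from the original report), the following Python models the "changes go to a separate file" behaviour described above as a copy-on-write layer over a raw image: reads fall through to the image, writes land in an overlay held in memory (a real tool persists it to a redo file), and discarding the overlay reverts the disk. The constructed eight-block image, the class and the function names are the example's own.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 512


class CowDisk:
    """Copy-on-write view of a raw image.

    Reads fall through to the untouched image; every write lands in an overlay keyed
    by block number, so the image file itself is never opened for writing. Discarding
    the overlay is the "revert to pristine" operation the text describes."""

    def __init__(self, image_path):
        self.image_path = image_path
        self.size = os.path.getsize(image_path)
        self.overlay = {}  # block number -> 512 bytes; a real tool would persist this to a redo file

    def read_block(self, n):
        if n in self.overlay:
            return self.overlay[n]
        with open(self.image_path, "rb") as f:  # read-only: the base image is evidence
            f.seek(n * BLOCK_SIZE)
            return f.read(BLOCK_SIZE)

    def write_block(self, n, data):
        if len(data) != BLOCK_SIZE:
            raise ValueError("writes must be whole blocks")
        if n * BLOCK_SIZE >= self.size:
            raise ValueError("write beyond end of disk")
        self.overlay[n] = bytes(data)

    def revert(self):
        self.overlay.clear()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def run_demo():
    """Boot-and-poke simulation: modify the virtual disk, confirm the image is untouched,
    then revert. Returns (base_unchanged, overlay_visible, reverted_matches_original)."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "evidence.dd")
        with open(image, "wb") as f:  # constructed 8-block image
            for n in range(8):
                f.write(bytes([n]) * BLOCK_SIZE)
        before = sha256_file(image)

        disk = CowDisk(image)
        original = disk.read_block(3)
        disk.write_block(3, b"X" * BLOCK_SIZE)  # e.g. the guest OS updating a registry hive
        overlay_visible = disk.read_block(3) == b"X" * BLOCK_SIZE
        base_unchanged = sha256_file(image) == before

        disk.revert()
        reverted = disk.read_block(3) == original == bytes([3]) * BLOCK_SIZE
    return base_unchanged, overlay_visible, reverted


if __name__ == "__main__":
    print(run_demo())  # (True, True, True)
```

The hash of the base image before and after the session is the check an examiner records: it proves that "booting" the evidence did not alter it, which is the whole point of the approach.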

OpenedFilesView:

OpenedFilesView displays the list of all opened files on your system. For each opened file,
additional information is displayed: handle value, read/write/delete access, file position, the
process that opened the file, and more...
Optionally, you can also close one or more opened files, or close the process that opened these
files.

This utility is especially useful if you try to delete/move/open a file and you get one of the
following error messages:

Cannot delete [filename]: There has been a sharing violation. The source or destination file may
be in use.
Cannot delete [filename]: It is being used by another person or program. Close any programs that
might be using the file and try again.
When you get one of these error messages, OpenedFilesView will show you which process locks your file. Closing the right process will solve this problem. Optionally, you can also release the file by closing the handle from the OpenedFilesView utility. However, be aware that after closing a file in this way, the program that opened the file may become unstable, and even crash.

www.nirsoft.net
System Requirements

This utility works properly on Windows 2000, Windows XP, Windows 2003/2008, Windows Vista, and Windows 7 (32-bit only!). Older versions of Windows (NT/9x/ME) are not supported. Also, you must have administrative privilege in order to run this utility. There is also a separate version for x64 systems; see the remark below.

OpenedFilesView on x64 system


There is a separate download for the x64 (64-bit) version of OpenedFilesView. However, on Windows 7/Vista/2008, this utility can only work if you turn on the driver signing test mode.
OpenedFilesView cannot close files opened by the Windows kernel.

How does it work?


OpenedFilesView uses the NtQuerySystemInformation API to enumerate all handles in the
system. After filtering non-file handles, it uses a temporary device driver -
NirSoftOpenedFilesDriver.sys for reading the information about each handle from the kernel
memory. This device driver is automatically unloaded from the system when you exit from
OpenedFilesView utility.

Using OpenedFilesView
OpenedFilesView doesn't require any installation process or additional DLLs. In order to start
using it, just run the executable file - OpenedFilesView.exe
The main window of OpenedFilesView displays the list of all files currently opened on your system. To refresh the list of opened files, press F5, or alternatively use the Auto Refresh feature (Options -> Auto Refresh -> Every x seconds) to automatically refresh the opened files list every 1 - 5 seconds.

Explorer Context Menu


Starting from version 1.10, you can launch OpenedFilesView directly from Windows Explorer,
and view only the handles of the file or folder that you want to inspect.
In order to enable this feature, check the 'Enable Explorer Context Menu' under the Options
menu. After you enable this feature, you can right-click on any file or folder on Windows
Explorer, and choose the 'OpenedFilesView' item from the menu.
If you run the OpenedFilesView option for a folder, it'll display all opened files inside that
folder.
If you run the OpenedFilesView option for a file, it'll display all opened handles for that file.

Translating OpenedFilesView to Another Language


OpenedFilesView allows you to easily translate all menus, dialog-boxes, and other strings to
other languages.
In order to do that, follow the instructions below:
Run OpenedFilesView with /savelangfile parameter:
OpenedFilesView.exe /savelangfile
A file named OpenedFilesView_lng.ini will be created in the folder of OpenedFilesView utility.
Open the created language file in Notepad or in any other text editor.
Translate all menus, dialog-boxes, and string entries to the desired language.
After you finish the translation, Run OpenedFilesView, and all translated strings will be loaded
from the language file.
If you want to run OpenedFilesView without the translation, simply rename the language file, or
move it to another folder.

OpenedFilesView is also available in other languages. In order to change the language of


OpenedFilesView, download the appropriate language zip file, extract the
'openedfilesview_lng.ini', and put it in the same folder that you Installed OpenedFilesView
utility.

Language              Translated By                       Date        Version
Brazil Portuguese                                         11/11/2010
Czech                 czRoPa                              17/12/2008
Dutch                 Sander Lambregts                    18/04/2009  1.35
Dutch                 Jan Verheijen                       17/09/2009  1.45
French                Eric FICHOT                         01/07/2009  1.40
French                Labbaipierre                        22/07/2006
Galician              Xosé Antón Vicente Rodríguez        21/01/2008
German                «Latino» auf WinTotal.de            10/11/2010  1.47
Hungarian             Dura Soft - Gasparics Sándor        02/10/2008
Italian               Giacomo Margarito                   02/04/2006
Japanese              Nardog                              15/07/2006
Korean                ±Û¹ú·¹                              12/04/2009
Persian               NAHCI 13                            01/09/2007
Polish                Hightower                           11/11/2010
Russian               solokot                             01/09/2009
Simplified Chinese    renda                               02/09/2009
Simplified Chinese    Lewen-²©ÑÅÓîÐù                      16/11/2009  1.46
Slovenian                                                 01/09/2009
Spanish               Omi                                 17/10/2009  1.45
Spanish               Paco Fdez                           06/05/2009  1.35
Taiwanese             »OÆW¦@©M°ê Republic of Taiwan       22/01/2009
Traditional Chinese   µo¹Ú King                           02/07/2009  1.40
Thai                  »ÃÐÊÔ·¸Ôì á¤ÀÙà¢ÕÂÇ                 26/03/2008
Ukrainian             Alexander Shpek                     09/10/2009
Valencian             vjatv                               01/10/2008

COMPUTER FORENSICS
IMPACT

The impact of computer forensics is that criminals are identified and subsequently punished. The culprit in a computer crime can be detected and put on trial. Suppose a computer crime is committed in an organization and data has been lost, or there is theft of data or secret information; in such a situation computer forensics can be used effectively to track the person behind the crime.

The impact and result of a successful forensic investigation is that the culprit is brought before a court that can impose punishment. Punishment always leads to a decrease in the crime rate. There are many companies that specialize in providing security to customers.

The basic procedures of using firewalls and anti-spyware are not sufficient to adequately protect the computer system or the data and information related to it. Hence the company needs to use the services of companies with expertise in providing security.

If computer forensics is ignored, vital clues and information may be put at risk. If computer forensics is not performed to the expected standard, the forensic evidence may be ruled inadmissible in a court of law. The organization may also become entangled in legal disputes.

That is, the organization may run afoul of new laws that mandate regulatory compliance. The mandate may be applied against the organization if certain types of data are not appropriately protected. Organizations can also be held criminally liable if they fail to protect customer data. The International Data Corporation (IDC) reported that the market for computer forensics and for intrusion detection software will reach a new high.

There will also be an increase in the market for software such as vulnerability assessment tools. Most organizations are taking precautionary measures by installing and deploying security devices. The most popular security system is the IDS (Intrusion Detection System). Other forms of security devices include firewalls, proxies and anti-spyware. To some extent antivirus software also acts as a security measure. Most of this software reports the security status of the network.

There are legal impacts as well with regard to computer forensics. The governments of various countries have taken many initiatives to support and upgrade computer forensics. Moreover, there are many government departments dedicated to computer forensics.

These departments work alongside the police authorities by registering users' complaints and investigating the matter so that it can be produced before a court of law. There are also many private computer forensic companies that deal in this area. There are many laws and pieces of legislation that support computer forensics.

Need for Computer Forensics


The purpose of computer forensics arises mainly from the wide variety of computer crimes that take place. With present technological advances it is common for organizations to employ the services of computer forensics experts. Computer crimes occur on a small scale as well as a large scale. The loss caused depends on the sensitivity of the computer data or information for which the crime was committed.

Computer forensics has become vital in the corporate world. Data may be stolen from an organization, which may then sustain heavy losses. For this purpose computer forensics is used, as it helps in tracking the criminal.

The need has become more acute in the present age because of advances in, and dependence on, the internet. People who gain access to computer systems without proper authorization must be dealt with. Network security is an important issue in the computer world. Computer forensics acts as a deterrent to wrongdoers and people with a negative mindset.

Computer forensics is also effective where the data is stored on a single system that serves as the backup. Data theft and intentional damage to data on a single system can also be minimized with computer forensics. There are hardware and software products that employ security measures to track changes and updates to data or information. User information is recorded in log files, which can be used to produce evidence in a legal manner in case of any crime.

The main purpose of computer forensics is to produce evidence in court that can lead to the punishment of the actual offender. Forensic science is the process of using scientific knowledge for the collection, analysis and, most importantly, the presentation of evidence in a court of law. The word forensic itself derives from the Latin forensis, 'of the forum', that is, belonging to the court.

Computer forensics is also important in ensuring the integrity of the computer system. With some small measures a system can avoid much of the cost of operating and maintaining security. The subject provides in-depth knowledge for understanding both the legal and the technical aspects of computer crime, and it is very useful from a technical standpoint.

The importance of computer forensics is evident in tracking cases of child pornography and email spamming. Computer forensics has been used effectively to track down terrorists in various parts of the world. Terrorists using the internet as a medium of communication can be tracked and their plans discovered.

There are many tools that can be used together with computer forensics to find out the geographical location and the hideouts of criminals. The IP address plays an important role in estimating the geographical position of a suspect, although proxies, VPNs and shared addresses mean it gives only an approximate location that must be corroborated with other evidence. Security personnel deploy effective measures using computer forensics; intrusion detection systems are used for that purpose.

Advantages Computer Forensics


Computer forensic is an elaborate topic and requires a vast amount of knowledge. Asit is a wide
topic it has many advantages in it. There are even qualifications awarded by the council of
computer forensics. Computer forensics professional should possess the knowledge of the
hardware as well as the software tools that can be utilized for the purpose.

The main task or the advantage from the computer forensic is to catch the culprit or the criminal
who is involved in the crime related to the computers. The information of the computer is
advantageous in case where the involvement of hardware and software with which forensics
expert is familiar. The basics of the computer design and architecture play a prominent role and
the expert professional should have a great deal of knowledge about the fundamental software
design and implementation.

This is quite often similar from one computer system to the other. Experience of one application,
software, file system or the operating system can be applied to gain the results in the other
aspects of the case. The computer crime exists in many forms.

Computer forensics deals extensively with finding evidence in order to prove the crime, and the
culprit behind it, in a court of law. Forensics provides an organization with support and helps it
recover its loss. If it is known that the data exists, then alternate formats of the same data or
information can also be recovered. The discovery of data or information that can provide vital
clues in the prosecution of the criminal is itself a process.

A forensics expert always identifies many possible ways to obtain relevant evidence. In addition
to all the benefits of using computer forensics services, the professional may also undertake
inspections of the location on site. This may be required in cases where signs or clues of physical
movement are needed. Some cases may also involve additional information regarding earlier
versions or methods of backup, or formatted versions of data or information, which were created
or processed by other application programs.


The application programs may also use different formats. Such programs include word processors,
spreadsheets, e-mail, timeline and scheduling applications and even graphical applications.

The most important thing, and the major advantage, of computer forensics is the preservation of
the evidence collected during the process. The protection of evidence can be considered critical,
and a computer forensics professional should ensure that the computer system being dealt with is
handled carefully. Since the subject is governed by many laws, computer forensics professionals
maintain a code of ethics.

This ethical conduct can itself be considered an advantage of computer forensics. Finally,
computer forensics has emerged as an important part of disaster recovery management. Most
organizations employ the services of computer forensics experts at one time or another, and the
cost of these operations is also lower in comparison with the security measures that are applied.

Disadvantages of Computer Forensics


Everything that has advantages obviously has some disadvantages as well, but in the case of
computer forensics the disadvantages are better seen as the limitations of the subject. The major
disadvantage of computer forensics is the privacy concern: in some cases the privacy of the client
may be compromised.

It is the duty of the computer forensics expert to maintain high standards, keep in mind the
sensitivity of the case, and protect the privacy and secrecy of the client's data and interests. In
some circumstances, however, it becomes almost impossible for the professional to keep the data
confidential: this happens when the information is necessary to prove the crime and must be
produced as evidence in a court of law.

There are other disadvantages as well. It is possible that some sensitive data or information
important to the client is lost in the course of finding the evidence. The forensics professional
must ensure that the data, information or possible evidence is not destroyed, damaged, or
otherwise compromised by the procedures used to investigate a computer system.


There is also a chance that malicious programs are introduced into the computer system and
corrupt the data at a later stage. During the analysis process, care should be taken that no
computer virus is released into or introduced onto the system. It is also possible that the
hardware of the computer system is damaged physically.

Physically extracted evidence, and any other relevant evidence, should be properly handled and
protected from later damage, whether mechanical or electromagnetic in nature. The integrity of the
data and information acquired should be preserved, and custody of the data acquired as evidence
is the responsibility of the computer forensics team.
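One way to put the integrity and custody practice described above into code, as an added Python example that is not part of the original report: the image bytes, item id and handler name are constructed for illustration, and the record format is an assumption rather than any particular tool's format.

```python
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image (4 KiB of bytes); a real
# acquisition would be the bit-for-bit image file produced by the imaging tool.
SAMPLE_IMAGE = bytes(range(256)) * 16


def hash_evidence(data: bytes) -> dict:
    """Compute two independent digests of the acquired image; recording more than
    one algorithm is common practice, since a mismatch in either is enough to show
    the data is no longer what was acquired."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def custody_entry(item_id: str, action: str, handler: str, digests: dict) -> dict:
    """One chain-of-custody record: which item, what was done, by whom, when,
    and the digests observed at that moment."""
    return {
        "item": item_id,
        "action": action,
        "handler": handler,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "md5": digests["md5"],
        "sha256": digests["sha256"],
    }


def verify_evidence(data: bytes, acquisition_record: dict) -> dict:
    """Re-hash the data and compare with the digests logged at acquisition,
    reporting per-algorithm results so the examiner sees which digest failed."""
    current = hash_evidence(data)
    checks = {alg: current[alg] == acquisition_record[alg] for alg in ("md5", "sha256")}
    return {"intact": all(checks.values()), "checks": checks}


def demo() -> tuple:
    """Acquire and log the image, then verify an untouched copy and one with a flipped bit."""
    # "ITEM-01" and "examiner-1" are constructed identifiers for the example.
    log = [custody_entry("ITEM-01", "acquired", "examiner-1", hash_evidence(SAMPLE_IMAGE))]
    untouched = verify_evidence(SAMPLE_IMAGE, log[0])
    altered = bytearray(SAMPLE_IMAGE)
    altered[1000] ^= 0x01  # a single-bit change, such as a stray write to the original media
    tampered = verify_evidence(bytes(altered), log[0])
    return untouched["intact"], tampered["intact"]


if __name__ == "__main__":
    print(demo())
```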

Until the case is solved, it may be required that the data or information is held by the court. In
some cases the data itself is in dispute and neither of the disputing parties can use it, so
business operations may also be affected. It is the duty of the computer forensics expert to
ensure that justice is delivered as fast as possible, so that the inconvenience and subsequent loss
to the organization can be avoided.

It is also important that the information acquired during the forensic examination is treated
ethically and legally. Despite some of its limitations, computer forensics is still regarded as a
valuable subject, and its advantages and benefits have wide application in various situations.
Measures should be taken, and care exercised by the professional employed for computer
forensics, to avoid any subsequent damage to the computer system. It is also possible that the cost
of operations exceeds what was expected, so steps should be taken to minimize the cost.


CONCLUSION

In computer forensics, Incident Response Systems (IRS) are software or hardware products that
can alert the user about any type of intrusion into the system or computer network. Most
companies and organizations employ the services of Incident Response Systems in order to
establish a reasonable plan that can address a security breach. The response is completely
automated.

This reduces the workload of the system administrator, because an alert is generated whenever
there is a violation of security. Some of the important features of Incident Response Systems are
discussed below. The first is alert response: the Incident Response System lets you respond to
incidents that occur over the network or on the computer system. The alert is generated the
moment the incident occurs, regardless of the size or type of the event.

Incident Response Systems are integrated with software and hardware technologies that monitor
and deliver critical information, helping investigators in a timely and efficient manner. Computer
forensics investigators can quickly ascertain the events that might have taken place, as well as
those that are presently occurring. It is possible to activate them on a single machine or even a
group of machines. Incident Response Systems make the analysis of volatile data very easy, and
via an IRS it is possible to take action immediately, based on that information.

It is also possible to quickly identify all the applications running on the system or machine.
Scanning of those applications, as well as of the ports that are open, is also possible through
Incident Response Systems. Any malicious activity can be detected immediately and acted upon.
The action can be manual or automatic, depending on the preference of the computer forensics
investigator.

Incident Response Systems are capable of integration: a large number of monitoring tools can be
integrated via the IRS. These monitoring tools are of no use until an alert is generated. There are
many manual techniques by which a computer forensics professional can tune the intrusion
detection systems, and Incident Response Systems can be effective only when intrusion detection
systems have already detected some sort of activity.

There are advanced Incident Response Systems which are capable of detecting any type of
intrusion and can take action depending on the type of intrusion. The automated response of an
Incident Response System can, for example, store volatile information from the source machine in
a database if the source is available; the same can be done for destination machines.

The use of an IRS will reduce the occasions on which computer forensics is needed, which may
reduce the impact of computer crimes.

