Chapter 3 cmp forensic

Computer Forensics (38 slides)

Upload: shahhardik27

Posted on 14-Jan-2015


Page 1: Chapter 3 cmp forensic

Computer Forensics

Page 3: Chapter 3 cmp forensic

Computer Forensics

A process of applying scientific and analytical techniques to computer operating systems and file structures to determine potential legal evidence.

Page 4: Chapter 3 cmp forensic

Computer Forensics

It is the practice of lawfully establishing evidence and facts.

This is a science involving legal evidence that is found in digital storage media and in computers.

Subdivisions:

Disk forensics

Network forensics

Mobile forensics

Page 5: Chapter 3 cmp forensic

Role of Computer forensic investigator

Evidence Collection and Chain of Custody

Who: Who handled the evidence?

What: What procedures were performed on the evidence?

When: When was the evidence collected and/or transferred to another party?

Where: Where was the evidence collected and stored?

How: How was the evidence collected and stored?

Why: For what purpose was the evidence collected?
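An added example, not from the slides, of recording the who/what/when/where/how/why of each hand-off in a tamper-evident custody log in Python: every entry carries the evidence digest and the hash of the previous entry, so a later edit to any field, a dropped entry, or a change to the evidence itself fails verification. All names, timestamps and the "image" bytes are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # link value stored by the first entry (constructed convention)

def evidence_hash(data: bytes) -> str:
    """SHA-256 of the evidence item (SHA-2, as the deck advises; never MD5)."""
    return hashlib.sha256(data).hexdigest()

def _entry_hash(fields: dict) -> str:
    # Canonical JSON (sorted keys) so identical fields always give the same digest
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()

def add_entry(log: list, who: str, what: str, when: str, where: str,
              how: str, why: str, evidence: bytes) -> dict:
    """Append one custody entry, linked to the previous entry by its hash."""
    entry = {
        "who": who, "what": what, "when": when, "where": where, "how": how, "why": why,
        "evidence_sha256": evidence_hash(evidence),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)
    return entry

def verify_log(log: list, evidence: bytes) -> bool:
    """Recompute every link. False if an entry was edited, dropped or reordered,
    or if the evidence no longer matches the digest recorded at collection."""
    prev, expected = GENESIS, evidence_hash(evidence)
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if (entry["prev_hash"] != prev or entry["evidence_sha256"] != expected
                or _entry_hash(body) != entry["entry_hash"]):
            return False
        prev = entry["entry_hash"]
    return True

if __name__ == "__main__":
    image = b"constructed bit-stream image bytes"  # stands in for the acquired disk image
    log = []
    add_entry(log, "Officer A", "seized and bagged laptop", "2015-01-14T09:30Z",
              "suspect's office", "powered off, tamper-evident bag", "alleged data theft", image)
    add_entry(log, "Examiner B", "bit-stream image of hard disk", "2015-01-14T14:05Z",
              "forensics lab", "hardware write blocker, hashed on completion", "preserve original", image)
    print("custody record intact:", verify_log(log, image))   # True
    log[0]["where"] = "hallway"                                # after-the-fact edit ...
    print("after editing entry 1:", verify_log(log, image))   # ... False
```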

Page 6: Chapter 3 cmp forensic

Forensics process

Acquire data to be examined

Photographs

Make an image

Review of logical file structure

Review of unallocated space and file slack

Recover deleted data (if any)

Report

Expert testimony

Page 7: Chapter 3 cmp forensic

Importance of Evidence

"Evidence" is anything the judge allows a jury to consider in reaching a verdict.

This can include the testimony of witnesses, photographs of the scene and "demonstrative evidence" such as charts or sample equipment.

Page 8: Chapter 3 cmp forensic

Source of Evidence

Slack space, free space, swap file, Recycle Bin

Event Logs

Registry

Application files, temp files

E-mail

Browser history and cache

Page 9: Chapter 3 cmp forensic

Types of Forensics

Live Forensics

Non-Live Forensics

Post Acquisition Analysis Technologies

Page 10: Chapter 3 cmp forensic

Live Forensics

• Recovery of volatile data
• Gathering system information
• Gathering USB device history
• System Explorer
• Imaging and Cloning

Non-Live Forensics

• Imaging
• Cloning

Post Acquisition Analysis

• Mathematical authentication of data (hash)
• Virtualization
• Malware analysis
• Detection of obscene content
• Image ballistics
• Use of spyware (keyloggers) in investigations
• Digital Evidence Analysis

Page 11: Chapter 3 cmp forensic

Forensic Imaging & Cloning

Page 12: Chapter 3 cmp forensic

Select source medium

Page 14: Chapter 3 cmp forensic

Select destination for the image file

Page 15: Chapter 3 cmp forensic

Post Acquisition Analysis

Page 16: Chapter 3 cmp forensic

Mathematical Authentication of Data

Page 18: Chapter 3 cmp forensic

Select the algorithm

• The Information Technology (Certifying Authorities) Amendment Rules, 2009 amended Rule 6 of the Information Technology (Certifying Authorities) Rules, 2000.

• It is advised that mathematical authentication of digital evidence must be done using either SHA-1 or SHA-2.

• MD5 must not be used, as such evidence may be unacceptable in a court of law.

Page 19: Chapter 3 cmp forensic

Mathematical authentication of digital evidence is achieved by using SHA-2.

Page 20: Chapter 3 cmp forensic

Mathematical authentication of data

Input   SHA-1 hash digest
Apple   476432a3e85a0aa21c23f5abd2975a89b6820d63
apple   d0be2dc421be4fcd0172e5afceea3970e2f3d940
Apple   476432a3e85a0aa21c23f5abd2975a89b6820d63
a       86f7e437faa5a7fce15d1ddcb9eaeaea377667b8

The same input always gives the same digest, while a change as small as the case of one letter gives a completely different one.
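An added example in Python, not the slides' own code or the tool pictured on them, of the imaging and authentication steps together: the source drive is copied block by block to an image file while it is hashed, the written image is re-hashed and must match, and the recorded digest is what later re-authentication checks. MD5 is refused, following the Rule 6 advice above; sha_digest() with "sha1" reproduces the table. The 2 KiB "drive" in demo() is constructed.

```python
import hashlib

# Algorithms the deck accepts for evidence authentication (SHA-1 or SHA-2); MD5 is refused
ALLOWED = ("sha1", "sha256", "sha384", "sha512")

def new_hash(algo: str, data: bytes = b""):
    """hashlib object for an acceptable algorithm; ValueError for md5 or anything unknown."""
    if algo not in ALLOWED:
        raise ValueError(f"{algo} is not acceptable for evidence authentication")
    return hashlib.new(algo, data)

def sha_digest(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of a byte string; with algo='sha1' it reproduces the table above."""
    return new_hash(algo, data).hexdigest()

def hash_file(path: str, algo: str = "sha256", block: int = 512) -> str:
    """Hash a file block by block, so a large image never has to fit in memory."""
    h = new_hash(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            h.update(chunk)
    return h.hexdigest()

def acquire_image(source: str, dest: str, algo: str = "sha256", block: int = 512) -> str:
    """Bit-stream copy of source into dest, hashing as it is read; the written image must re-hash to the same value."""
    h = new_hash(algo)
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for chunk in iter(lambda: src.read(block), b""):
            h.update(chunk)
            dst.write(chunk)
    digest = h.hexdigest()
    if hash_file(dest, algo, block) != digest:
        raise RuntimeError("image does not match source; repeat the acquisition")
    return digest

def demo() -> tuple:
    """Constructed run: image a fake 2 KiB 'drive', verify it, then detect one changed byte."""
    import os, tempfile
    with tempfile.TemporaryDirectory() as d:
        drive, image = os.path.join(d, "drive.bin"), os.path.join(d, "drive.dd")
        with open(drive, "wb") as f:
            f.write(b"MBR\x00" * 128 + b"evidence.txt:PHOENIX" + bytes(1516))
        digest = acquire_image(drive, image)
        ok_before = hash_file(image) == digest     # re-authentication succeeds
        with open(image, "r+b") as f:              # flip a single byte of the image
            f.seek(700)
            f.write(b"\xff")
        ok_after = hash_file(image) == digest      # re-authentication now fails
    return digest, ok_before, ok_after
```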

Page 21: Chapter 3 cmp forensic

Mathematical Authentication of Data

www.crypo.com

Page 22: Chapter 3 cmp forensic

Virtualization

Page 26: Chapter 3 cmp forensic

Life Cycle of Computer Evidence

Page 27: Chapter 3 cmp forensic

[Diagram: Evidence Life Cycle Management]

Stages: Create, Capture, Preserve, Collect, Process, Review, Produce, Destroy

Systems: Document Management, Enterprise Repositories, Electronic Discovery Services, Evidence Repository

Events: Document Creation, Preservation Obligation, Document Production Request

Page 28: Chapter 3 cmp forensic

Evidence Rule

Admissible

Reliable

Authentic

Complete (no tunnel vision)

Believable

Page 29: Chapter 3 cmp forensic

Types of Evidence

Direct Evidence

Real Evidence

Documentary Evidence

Demonstrative Evidence

Page 30: Chapter 3 cmp forensic

Computer Evidence Processing Guidelines

Pull the Plug

Document the Hardware Configuration of the System

Transport the Computer System to a Secure Location (Forensics lab)

Make Bit Stream Backups of Hard Disks and Floppy Disks

Page 31: Chapter 3 cmp forensic

Computer Evidence Processing Guidelines

Mathematically Authenticate Data on all Storage Devices (Hash)

Document the System Date and Time

Make a List of Key Search Words

Evaluate the Windows Swap File

Evaluate File Slack

Page 32: Chapter 3 cmp forensic

Computer Evidence Processing Guidelines

Evaluate Unallocated Space (Erased Files)

Search Files, File Slack and Unallocated Space for Key Words

Document File Names, Dates and Times

Identify File, Program and Storage Anomalies

Page 33: Chapter 3 cmp forensic

Computer Evidence Processing Guidelines

Evaluate Program Functionality

Document Your Findings

Retain Copies of Software Used
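An added example, not from the slides, of the "search files, file slack and unallocated space for key words" step (and the "review of unallocated space and file slack" step of the forensics process above) in Python: the whole raw image is scanned, not just the files the file system lists, in both ASCII and UTF-16LE (how Windows stores many strings), so hits in slack and in unallocated space are found and labelled. The image and its region map are constructed; in practice the map comes from the file system metadata of the image.

```python
import re

SECTOR = 512

def build_sample_image() -> bytes:
    """Constructed 8-sector image: one live file in cluster 0 (sectors 0-1), old data in its
    slack, an erased UTF-16 memo in cluster 1 (unallocated), and empty clusters after that."""
    live = b"Quarterly report: revenue figures attached.".ljust(SECTOR, b"\x00")
    slack = b"old draft: project PHOENIX budget".ljust(SECTOR, b"\x00")
    erased = "deleted memo to PHOENIX team".encode("utf-16-le").ljust(SECTOR, b"\x00")
    return live + slack + bytes(SECTOR) + erased + bytes(SECTOR * 4)

# Constructed region map, as the file system metadata would report it: report.txt is 43 bytes
# long and owns cluster 0, so bytes 43-1023 are its slack; everything unlisted is unallocated
SAMPLE_REGIONS = [(0, 43, "file report.txt"), (43, 1024, "slack of report.txt")]

def classify(offset: int, regions) -> str:
    """Label an offset by the region map; anything outside the listed ranges is unallocated."""
    for start, end, label in regions:
        if start <= offset < end:
            return label
    return "unallocated"

def keyword_search(image: bytes, keywords, regions):
    """Scan the whole image for each keyword in ASCII and UTF-16LE, case-insensitively;
    returns (keyword, encoding, offset, sector, region) for every hit, ordered by offset."""
    hits = []
    for kw in keywords:
        for enc in ("ascii", "utf-16-le"):
            pattern = re.compile(re.escape(kw.encode(enc)), re.IGNORECASE)
            for m in pattern.finditer(image):
                off = m.start()
                hits.append((kw, enc, off, off // SECTOR, classify(off, regions)))
    return sorted(hits, key=lambda h: h[2])

if __name__ == "__main__":
    for hit in keyword_search(build_sample_image(), ["phoenix", "revenue"], SAMPLE_REGIONS):
        print("%-8s %-9s offset %5d sector %d  %s" % hit)
```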

Page 34: Chapter 3 cmp forensic

Incident Response

Computer security incident

Page 35: Chapter 3 cmp forensic

Why forensics?

Confirms or dispels whether an incident occurred

Promotes accumulation of accurate information

Establishes controls for proper retrieval and handling of evidence

Protects privacy rights established by law and policy

Minimizes disruption to business and network operations

Page 36: Chapter 3 cmp forensic

Why forensics?

Allows for criminal or civil action against perpetrators

Provides accurate reports and useful recommendations

Provides rapid detection and containment

Minimizes exposure and compromise of proprietary data

Page 37: Chapter 3 cmp forensic

Why forensics?

Protects your organization’s reputation and assets

Educates senior management

Promotes rapid detection and/or prevention of such incidents in the future (via lessons learned, policy changes, and so on)

Page 38: Chapter 3 cmp forensic

Cyber Crime Investigation Lifecycle

Incident Awareness / Consultation

Preliminary Analysis

Image Acquisition / Recovery

Detailed Analysis

Preliminary/Final Report

Containment

Expert Witness Testimony

Deposition/Affidavit

Presentation

Prevention Technologies

Improved Processes

New Security Policies

Improved Configurations