Computer forensics and its role

Upload: sudeshna-basak

Post on 20-Jun-2015

TRANSCRIPT

Page 1: Computer forensics and its role

Computer Forensics

Page 2: Computer forensics and its role

Topics to be covered

• Defining Computer Forensics
• Who uses Computer Forensics
• Laws
• Reasons for gathering evidence
• Evidence processing guidelines
• Requirements
• Steps of Computer Forensics
• Forensics recovery
• Examples
• Anti-forensics
• Conclusion
• Acknowledgement

Page 3: Computer forensics and its role

What is Computer Forensics? (Some definitions)

• “The process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable.” (McKemmish, 1999)

• “Gathering and analyzing data in a manner as free from distortion or bias as possible to reconstruct data or what has happened in the past on a system.” (Farmer & Venema, 1999)

• Computer forensics is the application of computer investigation and analysis techniques in the interests of determining potential legal evidence.

• Forensic Computing, also known as Evidential Computing and even sometimes Data Recovery, is the specialist process of imaging and processing computer data which is reliable enough to be used as evidence in court.

Page 4: Computer forensics and its role

What will Computer Forensics do?

• Computer forensics, innovators of image copying technology, defined the principles of the science of computer forensics and formalized an approved and accepted methodology to COLLECT, ANALYSE and PRESENT suspect data to a Court of Law.

• Computer forensics evidence is frequently sought in a wide range of computer crime or misuse, including but not limited to theft of trade secrets, theft of or destruction of intellectual property, and fraud.

• Computer forensics specialists draw on an array of methods for discovering data that resides in a computer system.

• Experts in forensics computing can frequently recover files that have been deleted, encrypted, or damaged, sometimes as long as years earlier.

• Evidence gathered by computer forensics experts is useful and often necessary during discovery, depositions, and actual litigation.

Page 5: Computer forensics and its role

Who Uses Computer Forensics?

• Criminal Prosecutors
– Rely on evidence obtained from a computer to prosecute suspects and use as evidence

• Civil Litigations
– Personal and business data discovered on a computer can be used in fraud, divorce, harassment, or discrimination cases

• Insurance Companies
– Evidence discovered on computer can be used to mitigate costs (fraud, worker’s compensation, arson, etc)

• Private Corporations
– Obtained evidence from employee computers can be used as evidence in harassment, fraud, and embezzlement cases

Page 6: Computer forensics and its role

FBI Computer Forensic Services

• Content
• Comparison against known data
• Transaction sequencing
• Extraction of data
• Recovering deleted data files
• Format conversion
• Keyword searching
• Decrypting passwords
• Analyzing and comparing limited source code

Page 7: Computer forensics and its role

KNOW THE LAW...

• The US DOJ maintains a website with guidelines and case law pertaining to seizing and searching computers. It's the best place to start putting together a legal case that will be based on evidence obtained from a computer system.

The US DOJ website is: http://www.usdoj.gov/criminal/cybercrime/searching.html

They also have a wealth of "cyber-crime" information online at: http://www.usdoj.gov/criminal/cybercrime/

Page 8: Computer forensics and its role

Reasons For Evidence

• Wide range of computer crimes and misuses

• Non-Business Environment: evidence collected by Federal, State and local authorities for crimes relating to:

– Theft of trade secrets
– Fraud
– Extortion
– Industrial espionage
– Possession of pornography
– SPAM investigations
– Virus/Trojan distribution
– Intellectual property breaches
– Unauthorized use of personal information
– Perjury

Page 9: Computer forensics and its role

Reasons For Evidence (cont)

• Computer related crime and violations include a range of activities including:

• Business Environment:

– Theft of or destruction of intellectual property
– Unauthorized activity
– Tracking internet browsing habits
– Reconstructing Events
– Inferring intentions
– Selling company bandwidth
– Wrongful dismissal claims
– Software Piracy

Page 10: Computer forensics and its role

Evidence Processing Guidelines

• New Technologies Inc. recommends following 16 steps in processing evidence

• They offer training on properly handling each step

– Step 1: Shut down the computer
• Considerations must be given to volatile information
• Prevents remote access to machine and destruction of evidence (manual or anti-forensic software)

– Step 2: Document the Hardware Configuration of The System
• Note everything about the computer configuration prior to re-locating

Page 11: Computer forensics and its role

Evidence Processing Guidelines (cont)

• Step 3: Transport the Computer System to A Secure Location
– Do not leave the computer unattended unless it is locked in a secure location

• Step 4: Make Bit Stream Backups of Hard Disks and Floppy Disks

• Step 5: Mathematically Authenticate Data on All Storage Devices
– Must be able to prove that you did not alter any of the evidence after the computer came into your possession

• Step 6: Document the System Date and Time
• Step 7: Make a List of Key Search Words
• Step 8: Evaluate the Windows Swap File

Page 12: Computer forensics and its role

Evidence Processing Guidelines (cont)

• Step 9: Evaluate File Slack

– The DOS file system file allocation table (FAT) was never designed to handle storage devices with more than 32767 units of data. 32767 is the largest number that can be represented with 16 bits.

– Data is written in sectors of 512 bytes (hard drives, floppy), or 2048 bytes (CD-ROM).

– This set an arbitrary limit on disk storage devices of 512x32767 = 16MB.

– To accommodate larger drives the concept of “clusters” was invented. Clusters are a group of sectors written as a single atomic unit. With clustering came file slack.

Page 13: Computer forensics and its role

Evidence Processing Guidelines (cont)

• RAM Slack

If the file you are writing is shorter than the number of bytes in the clusters you have allocated for your file, the file system will pad the data out to the end of the current sector with “RAM slack”. RAM slack is random data that happens to be in RAM memory at the time the file is written. It can contain any data that you were working on since you last booted the PC, such as emails, word documents, graphics, etc.

• Drive Slack

Unlike RAM slack which comes from working storage, “drive slack” is data left on the drive from a previous file. After completing the last partial sector with RAM slack, subsequent whole sectors in the last cluster are left as is with whatever data was written there previously.
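The cluster arithmetic from Step 9 and the RAM slack / drive slack description above, worked through as an added example (not part of the original slides): it uses the 512-byte sectors the slides give, assumes an 8-sector cluster of my own choosing, simulates a file being written into a cluster that previously held another file, and carves back the drive slack an examiner would look at.

```python
import os

SECTOR = 512             # bytes per sector on hard drives and floppies (from the slides)
SECTORS_PER_CLUSTER = 8  # assumed cluster size (4096 bytes); not stated on the slides


def slack_layout(file_size, sector=SECTOR, spc=SECTORS_PER_CLUSTER):
    """Describe how a file of file_size bytes occupies its final cluster.

    ram_slack   = padding from the end of the data to the end of the last
                  sector it touches (filled with whatever was in RAM)
    drive_slack = the untouched whole sectors of the last cluster, still
                  holding whatever the cluster's previous occupant wrote
    """
    cluster = sector * spc
    if file_size == 0:
        return {"clusters": 0, "ram_slack": 0, "drive_slack": 0, "total_slack": 0}
    clusters = -(-file_size // cluster)            # ceiling division
    used_in_last = file_size - (clusters - 1) * cluster
    sectors_touched = -(-used_in_last // sector)
    ram_slack = sectors_touched * sector - used_in_last
    drive_slack = (spc - sectors_touched) * sector
    return {"clusters": clusters, "ram_slack": ram_slack,
            "drive_slack": drive_slack, "total_slack": ram_slack + drive_slack}


def write_file(previous_cluster, data, sector=SECTOR):
    """Simulate a FAT-style write of `data` into one cluster that previously
    held another file: the tail of the last touched sector is padded with
    random bytes standing in for RAM slack, later sectors keep their old bytes."""
    layout = slack_layout(len(data), sector, len(previous_cluster) // sector)
    if layout["clusters"] > 1:
        raise ValueError("data does not fit in one cluster")
    padded = data + os.urandom(layout["ram_slack"])  # RAM slack stand-in
    return padded + previous_cluster[len(padded):]   # drive slack survives


def carve_drive_slack(cluster, file_size, sector=SECTOR):
    """Bytes an examiner carves as drive slack: everything after the last
    sector the logical file touches."""
    end_of_last_sector = -(-file_size // sector) * sector
    return cluster[end_of_last_sector:]


if __name__ == "__main__":
    # Constructed sample: an old ledger file filled the cluster, then a 1000-byte file replaced it.
    old = (b"LEDGER: transfer 40000 to account X. " * 120)[:SECTOR * SECTORS_PER_CLUSTER]
    cluster = write_file(old, b"A" * 1000)
    print(slack_layout(1000))                      # 24 bytes RAM slack, 3072 bytes drive slack
    print(carve_drive_slack(cluster, 1000)[:37])   # the old ledger text is still there
```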

Page 14: Computer forensics and its role

Evidence Processing Guidelines (cont)

• Step 10: Evaluate Unallocated Space (Erased Files)
• Step 11: Search Files, File Slack and Unallocated Space for Key Words
• Step 12: Document File Names, Dates and Times
• Step 13: Identify File, Program and Storage Anomalies
• Step 14: Evaluate Program Functionality
• Step 15: Document Your Findings
• Step 16: Retain Copies of Software Used

Page 15: Computer forensics and its role

Computer Forensic Requirements

• Hardware
– Familiarity with all internal and external devices/components of a computer
– Thorough understanding of hard drives and settings
– Understanding motherboards and the various chipsets used
– Power connections
– Memory

• BIOS
– Understanding how the BIOS works
– Familiarity with the various settings and limitations of the BIOS

Page 16: Computer forensics and its role

Computer Forensic Requirements (cont)

• Operating Systems
– Windows 3.1/95/98/ME/NT/2000/2003/XP
– DOS
– UNIX
– LINUX
– VAX/VMS

• Software
– Familiarity with most popular software packages such as Office

• Forensic Tools
– Familiarity with computer forensic techniques and the software packages that could be used

Page 17: Computer forensics and its role

Steps Of Computer Forensics

• According to many professionals, Computer Forensics is a four (4) step process

• Acquisition
– Physically or remotely obtaining possession of the computer, all network mappings from the system, and external physical storage devices

• Identification
– This step involves identifying what data could be recovered and electronically retrieving it by running various Computer Forensic tools and software suites

• Evaluation
– Evaluating the information/data recovered to determine if and how it could be used against the suspect for employment termination or prosecution in court

Page 18: Computer forensics and its role

Steps Of Computer Forensics (cont)

• Presentation
– This step involves the presentation of evidence discovered in a manner which is understood by lawyers, non-technical staff/management, and suitable as evidence as determined by United States and internal laws

Page 19: Computer forensics and its role

Handling Evidence

• No possible evidence is damaged, destroyed, or otherwise compromised by the procedures used to search the computer

• Preventing viruses from being introduced to a computer during the analysis process

• Establishing and maintaining a continuing chain of custody

• Limiting the amount of time business operations are affected

Page 20: Computer forensics and its role

Initiating An Investigation

• DO NOT begin by exploring files on system randomly

• Establish evidence custodian - start a detailed journal recording the date and time of each action and the information discovered

• If possible, designate suspected equipment as “off-limits” to normal activity. This includes back-ups, remotely or locally scheduled house-keeping, and configuration changes

• Collect email, DNS, and other network service logs

Page 21: Computer forensics and its role

Incident Response

• Identify, designate, or become evidence custodian
• Review any existing journal of what has been done to system already and/or how intrusion was detected
• Begin new or maintain existing journal
• Install monitoring tools (sniffers, port detectors, etc.)
• Without rebooting or affecting running processes, perform a copy of physical disk
• Capture network information

Page 22: Computer forensics and its role

Forensic Recovery

Take pictures to document area around the computer. You may find removable media, or clues to your subject’s passwords in your photos.

Page 23: Computer forensics and its role

Forensic Recovery

Tip #3: Don’t assume system will boot first from the floppy drive. Always go into setup first and make sure the system will boot first from where you expect it to. Ex. Floppy or CD-ROM.

Page 24: Computer forensics and its role

Forensic Recovery

Take screen shots to preserve evidence. In this case documented “buddies list” in ICQ and Yahoo! Messenger. Used FTK to find emails to / from same buddies. And their solicitations on Internet adult meeting sites.

Page 25: Computer forensics and its role

EXAMPLES

• 1. Hot Hard Drives: In an arson and murder investigation, computer forensic investigators were asked to analyze hard drives recovered from a burned house which were charred and covered with ash and soot. When experienced engineers opened the drives in a sterile cleanroom – designed for repairing damaged computer media – they discovered the data contained on the individual data platters was not subjected to a high enough heat to cause permanent data loss. Relying on years of experience with fire-damaged computer media, engineers recovered and produced all of the data to the prosecutor’s office for analysis. The evidence contained on the hard drives helped the prosecutors build their case against the charged individual.

Page 26: Computer forensics and its role

EXAMPLES

• 2. Usurping USB Drives: On behalf of a bank, a computer forensic investigation was undertaken focusing on several computers owned by a bank customer suspected in a money laundering scheme. The initial review of the computers revealed that a large capacity USB drive was installed on the machine one day prior to turning over the computers pursuant to the court order. Upon further review of the USB drive, the engineers proved the individual had engaged in corporate financial fraud, stolen business funds and moved the money into foreign bank accounts.

Page 27: Computer forensics and its role

Anti-Forensics

• Software that limits and/or corrupts evidence that could be collected by an investigator

• Performs data hiding and distortion

• Exploits limitations of known and used forensic tools

• Works both on Windows and LINUX based systems

• In place prior to or post system acquisition

Page 28: Computer forensics and its role

Methods Of Hiding Data

To human eyes, data usually contains known forms, like images, e-mail, sounds, and text. Most Internet data naturally includes gratuitous headers, too. These are media exploited using new controversial logical encodings: steganography and marking.

– Steganography: The art of storing information in such a way that the existence of the information is hidden.

Page 29: Computer forensics and its role

Methods Of Hiding Data

The duck flies at midnight. Tame uncle Sam

Simple but effective when done well

Page 30: Computer forensics and its role

Methods Of Hiding Data

• Watermarking: Hiding data within data
– Information can be hidden in almost any file format.
– File formats with more room for compression are best
• Image files (JPEG, GIF)
• Sound files (MP3, WAV)
• Video files (MPG, AVI)
– The hidden information may be encrypted, but not necessarily
– Numerous software applications will do this for you: Many are freely available online
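A minimal illustration of the “hiding data within data” idea on this slide, added here and not taken from the original presentation: it embeds a short message in the least significant bit of raw 8-bit samples (the pixel or PCM bytes of an image or WAV file; here a constructed byte string stands in for them) and shows why the cover looks unchanged, each sample moving by at most one unit, which is why an examiner relies on tool-based extraction and statistics rather than inspection.

```python
def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Hide payload in the least significant bit of each cover sample.
    A 2-byte big-endian length prefix tells the extractor where to stop; one
    cover byte carries one bit, so 8 * (len(payload) + 2) samples are needed."""
    message = len(payload).to_bytes(2, "big") + payload
    bits = [(byte >> i) & 1 for byte in message for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("cover has too few samples for this payload")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit   # overwrite only bit 0 of the sample
    return bytes(stego)


def extract_lsb(stego: bytes) -> bytes:
    """Reverse embed_lsb: read the 2-byte length, then that many payload bytes."""
    def read_bytes(count: int, start: int) -> bytes:
        value = 0
        for i in range(count * 8):
            value = (value << 1) | (stego[start + i] & 1)
        return value.to_bytes(count, "big")
    length = int.from_bytes(read_bytes(2, 0), "big")
    return read_bytes(length, 16)


def max_sample_change(cover: bytes, stego: bytes) -> int:
    """Largest per-sample difference the embedding introduced (0 or 1), i.e.
    below anything a viewer or listener would notice."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    # Constructed cover: a 1024-sample greyscale ramp standing in for image pixels.
    cover = bytes(range(256)) * 4
    stego = embed_lsb(cover, b"The duck flies at midnight.")
    print(extract_lsb(stego))               # b'The duck flies at midnight.'
    print(max_sample_change(cover, stego))  # 1
```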

Page 31: Computer forensics and its role

CONCLUSION

• Use a systematic approach to investigations
• Plan a case by taking into account:
– Nature of the case
– Case requirements
– Gathering evidence techniques
• Do not forget that every case can go to court
• Apply standard problem-solving techniques
• Keep track of the chain of custody of your evidence
• Produce a final report detailing what you did and found

Page 32: Computer forensics and its role

ACKNOWLEDGEMENT

• I wish to thank my faculty members of the CSE department, Dr. Sudhir Chandra Sur Degree Engineering College, for guidance and useful suggestions, which helped us a lot in completing the presentation work in time. We also took help from the internet for ideas, which made us able to complete this presentation.

Page 33: Computer forensics and its role
Page 34: Computer forensics and its role

THANK YOU.

Page 35: Computer forensics and its role

PRESENTED BY:

OIESWARYA BHOWMIK SUDESHNA BASAK