Computer Forensics
ISM09204
Dr. Nicodemus M. M.
Computer Forensics - Overview
• The Internet and emerging technologies have propelled us into an era of
unprecedented progress and connectivity
• Unfortunately, this digital revolution has a downside:
• It has led to criminal innovation and created a new forum for both terrorist
activities and criminal behavior.
• It has led to exacerbating the vulnerabilities of government, organizations,
institutions, and individuals alike.
WannaCry
• The WannaCry ransomware attack was a
worldwide cyberattack in May 2017 by the
WannaCry ransomware cryptoworm.
• It was designed to exploit a security vulnerability in
Windows OS that was created by the NSA and
leaked by the Shadow Brokers hacker group.
• WannaCry affected 230,000 computers worldwide.
The attack hit one-third of all NHS hospitals in the
UK, causing estimated damages of 92 million
pounds.
• Users were locked out and a ransom payable in
Bitcoin was demanded.
• The worldwide financial damage caused by
WannaCry was approximately US$4 billion.
Computer Forensics
Teaches You
• How computers, mobile devices, and networks work.
• How data is stored and accessed, how it travels over the internet, and how it is
stored on our devices, on our phones, and in the cloud.
• How to manage large amounts of data efficiently, so that we can find what we
are looking for much more easily.
• How to think logically: because we are investigating, we have to go through the
logical process of putting evidence together to accept or reject a hypothesis
(evidence-based reasoning).
• How to write and communicate effectively.
Computer Forensics - Definition
• Computer forensics is a branch of forensic science focused on the
investigation, recovery, and analysis of digital evidence from electronic
devices and digital media to uncover information related to computer crimes,
cybersecurity incidents, or other legal matters.
• It involves the systematic examination of digital artifacts such as files, emails,
logs, network traffic, and metadata to reconstruct events, identify
perpetrators, and provide evidence for legal proceedings.
Digital Crime
• Digital crime refers to any criminal activity that involves the use of digital devices
or digital technologies.
• This can include crimes committed using computers, smartphones, tablets, or
any other electronic devices.
• Digital crimes may encompass a wide range of illegal activities, including but not
limited to fraud, identity theft, intellectual property theft, unauthorized access to
computer systems, and distribution of illegal content (e.g., piracy, child
exploitation materials).
• Digital crime can occur both online and offline, as long as it involves the use of
digital technologies.
Cyber-Crime
• Cybercrime specifically refers to criminal activities that are conducted over
the internet or through computer networks.
• It involves the use of computers, networks, and internet-based technologies
to commit unlawful acts.
• Cybercrime often involves the exploitation of vulnerabilities in computer
systems or networks for malicious purposes, such as hacking, malware
distribution, phishing, ransomware attacks, denial-of-service (DoS) attacks,
and data breaches.
Importance of CF in Modern Investigation
Digital Evidence Recovery
• Digital devices often hold critical evidence in various forms such as emails,
documents, photos, and chat logs.
• Example: In the case of a financial fraud investigation, emails exchanged
between parties involved can serve as crucial evidence for prosecution.
Importance of CF in Modern Investigation
Crime Reconstruction and Timeline Establishment
• Digital artifacts help reconstruct events, establish timelines, and identify
perpetrators.
• Example: In a cyberbullying case, examining social media posts, timestamps,
and IP addresses can help reconstruct the sequence of events and identify
the originator of the bullying.
Case Scenario (diagram): a timecard and a mobile phone place the person at the office; the person is later found dead at home after a neighbor calls the police. The diagram shows cell towers, a store and an office building between the locations, at distances of 3 km, 2 km and 5 km.
Importance of CF in Modern Investigation
Identification of Suspects and Victims
• Computer forensics aids in
identifying both suspects and
victims through digital footprints
left behind on various platforms.
• Example: In a kidnapping case,
tracking the location data from the
victim's mobile device can assist
law enforcement in locating the
victim and apprehending the
perpetrator.
Importance of CF in Modern Investigation
Corroboration of Witness Testimony
• Digital evidence can corroborate or
refute witness testimony,
strengthening the credibility of
statements.
• Example: In a hit-and-run accident,
surveillance footage retrieved from
nearby cameras can corroborate
witness statements regarding the
make and model of the vehicle
involved.
Importance of CF in Modern Investigation
Uncovering Hidden Information
• Computer forensics techniques can reveal hidden or deleted information that
perpetrators attempt to conceal.
• Example: In a corporate espionage case, forensic analysis of a suspect's
computer might uncover deleted files containing sensitive company data.
• Example: Uncovering information hidden in partition gaps
Importance of CF in Modern Investigation
Admissible Evidence in Court
• Properly collected and analyzed digital evidence is admissible in court, aiding
in the prosecution or defense of legal cases.
• Example: In a cybercrime trial, digital evidence such as logs of unauthorized
access to a network can be presented to support the charges against the
defendant.
Digital Forensics - Subfields
Computer Forensics
• This subfield focuses on the investigation
of computers and computing devices
such as desktops, laptops, servers, and
mobile devices.
• It involves the examination of hard drives,
memory, operating systems, and
applications to recover data and traces of
activities relevant to the investigation.
Digital Forensics - Subfields
Network Forensics
• Network forensics involves the monitoring
and analysis of network traffic to
investigate security incidents, intrusions, or
unauthorized activities.
• It aims to reconstruct network activities,
identify sources of attacks, and gather
evidence related to network-based crimes.
Possible Computer Forensics Career Paths
• Computer investigations and
forensics fall into two distinct
categories:
1. Public investigations
2. Private or corporate
investigations
Possible Computer Forensics Career Paths
Public Investigations
• Involves government agencies responsible for
criminal investigation and prosecution
• Organization must observe legal guidelines.
• Examples:
• TZ - CID (Criminal Investigation Division)
• USA - CIA (Criminal Investigation Agency)
• USA - FBI (Federal Bureau of Investigation)
Possible Computer Forensics Career Paths
Private or Corporate Investigations
• Deals with private companies, non-law-enforcement government agencies,
and lawyers.
• Aren't governed directly by criminal law but by corporate policies.
• Governed by internal policies that define expected employee behavior and
conduct in the workplace.
• Examples:
• TZ - BOT, CRDB, NMB, TCRA
• International - KROLL
Computer Forensic Process
4 Stages
• Assess the Situation: Analyze
the scope of the investigation and
the action to be taken
• Acquire the Data: Gather,
protect, and preserve the original
evidence.
Computer Forensic Process
4 Stages
• Analyze the data: Examine and
correlate digital evidence with
events of interest that will help
you make a case
• Report the Investigation: Gather
and organize collected
information and write the final report
Computer Forensic Process
Assess the Situation
• To conduct an investigation, you first need to
obtain proper authorization unless existing
policies and procedures provide incident
response authorization.
• It is also important to understand the laws that
might apply to the investigation as well as any
internal organization policies that might exist.
• Determining who should respond to an incident
is important to conducting a successful
investigation.
Computer Forensic Process
Assess the Situation
• A thorough, clearly documented assessment of
the situation is required to prioritize your actions
and justify the resources for the internal
investigation.
• A detailed document containing all information
you consider relevant provides a starting point
for the next phase and for the final report
preparation.
Computer Forensic Process
Documentation
• Thorough documentation of the forensic process is
essential to ensure transparency, repeatability,
and admissibility of evidence in court.
• This includes documenting the procedures
followed, tools used, findings, observations, and
conclusions reached during the investigation.
• Creating consistent, accurate, and detailed
documentation throughout the investigation
process will help with the ongoing investigation.
• Before you begin the next phase, ensure that you
have obtained a responsible decision maker's
sign-off on the documentation that you created in
the previous phase.
Computer Forensic Process
Acquire the Data
• You need a collection of hardware and software
tools to acquire data during an investigation.
• Collect data either locally or over a network.
Acquiring the data locally has the advantage of
greater control over the computer(s) and data
involved.
• When evidence is collected and ready for
analysis, it is important to store and archive the
evidence in a way that ensures its safety and
integrity.
Computer Forensic Process
Analyze the Data
• Analyzing network data involves the
examination of various aspects of network
traffic and communication patterns to uncover
evidence of security breaches, unauthorized
access, or malicious activities.
• The goal is to uncover valuable insights,
identify the root cause of security incidents,
and support effective incident response and
remediation efforts.
Computer Forensic Process
Analyze the Data
• Analysis of host data in forensic investigation
involves examining the digital information
stored on individual computers, servers, or
other devices to uncover evidence relevant to
a specific incident or investigation.
Digital Forensic Process
Analyze the Data
• The storage media you collected during the
Acquire the Data phase will contain many
files.
• You need to analyze these files to determine
their relevance to the incident, which can be a
daunting task because storage media such as
hard disks and backup tapes often contain
hundreds of thousands of files.
Computer Forensic Process
Reporting
• A comprehensive forensic report is generated to summarize the findings of
the investigation and present the evidence in a clear, organized, and
understandable manner.
• The report typically includes:
- an executive summary,
- a detailed analysis of findings,
- methodologies employed, and
- conclusions drawn.
Computer Forensics - Key Challenges
• Encrypted data can be difficult to access and decrypt, making it harder for
forensic investigators to collect evidence.
• Criminals may attempt to destroy digital evidence by wiping or destroying
devices, requiring specialized data recovery techniques
• Criminals use anti-forensic techniques to hide, alter, or remove traces of
their crimes, making it more challenging for investigators to gather evidence
• There are often no clear guidelines or standards for dealing with digital
evidence in court, and the admissibility of evidence can be limited
Computer Forensics - Key Challenges
• Rapid changes in technology, operating systems, and application software
can make it difficult to read digital evidence from older versions with
newer versions
• Producing electronic records and storing them can be extremely costly, and
legal practitioners must have extensive computer knowledge to produce
authentic and convincing evidence
• The lack of technical knowledge by investigating officers can result in the
desired outcome not being achieved
• Limited resources, such as time and budget, can hinder the investigation
process
Computer Forensics - Techniques
Cross-Drive Analysis
• Cross-drive analysis is a powerful
forensic technique that enables
examiners to uncover hidden
relationships, patterns, and evidence
across multiple digital storage devices.
• This approach involves comparing the
contents, metadata, and other
attributes of files or data across
different drives to identify patterns,
connections, or inconsistencies that
may be relevant to an investigation.
Such techniques have the potential to identify drives of interest from a large set.
Read if interested: https://www.bit4law.com/en/
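Added example (not part of the lecture slides): a minimal cross-drive correlation over three constructed drive images. It extracts e-mail addresses as pseudo-unique identifiers from the raw bytes of each drive and scores every pair of drives by the identifiers they share, down-weighting identifiers that appear on many drives. The drive names, addresses and the 1/(number of drives) weighting are assumptions of this example.

```python
import re
from collections import defaultdict
from itertools import combinations

# Pseudo-unique identifiers to correlate: here e-mail addresses, scanned over raw bytes.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed raw images of three seized drives (names and addresses are made up).
DRIVES = {
    "drive_A": b"\x00" * 64 + b"From: alice@example.test\nTo: bob@example.test\n"
               + b"List: newsletter@widely-seen.test\n" + b"\xff" * 32,
    "drive_B": b"junk " * 10 + b"contact bob@example.test or carol@corp.test "
               + b"newsletter@widely-seen.test" + b"\x00" * 16,
    "drive_C": b"newsletter@widely-seen.test " * 5 + b"\x00" * 8,
}

def extract_identifiers(image: bytes) -> set:
    """All e-mail addresses found anywhere in the image, including unallocated space."""
    return {m.group(0).lower().decode() for m in EMAIL_RE.finditer(image)}

def cross_drive(drives: dict) -> tuple:
    """Return (identifiers per drive, correlation score per drive pair).
    Each shared identifier contributes 1/(number of drives it appears on), so an
    address seen on every drive (a mailing list) adds little, while one shared by
    only two drives is stronger evidence that those two drives are connected."""
    ids_per_drive = {name: extract_identifiers(img) for name, img in drives.items()}
    drives_per_id = defaultdict(set)
    for name, ids in ids_per_drive.items():
        for ident in ids:
            drives_per_id[ident].add(name)
    scores = {}
    for a, b in combinations(sorted(drives), 2):
        shared = ids_per_drive[a] & ids_per_drive[b]
        scores[(a, b)] = round(sum(1 / len(drives_per_id[i]) for i in shared), 3)
    return ids_per_drive, scores

if __name__ == "__main__":
    _, scores = cross_drive(DRIVES)
    for pair, score in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(pair, score)
```

Drives A and B share a personal address and therefore score highest; the newsletter address, present on all three drives, contributes only a third of a point to each pair.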
Computer Forensics - Techniques
Live Analysis
• Live analysis, also known as live forensics or volatile data analysis, is a digital
forensic technique that involves the real-time examination and analysis of
data residing in the volatile memory (RAM) of a running computer system.
• Live analysis deals with data that is actively present in the computer's
memory and is lost when the system is powered off or restarted.
Computer Forensics - Techniques
Recovery of Deleted Files
• A common technique used in computer forensics is the recovery of deleted
files.
• Modern forensic software has its own tools for recovering or carving out
deleted data.
• Most operating systems and file systems do not always erase physical file
data, allowing investigators to reconstruct it from the physical disk sectors.
• File carving involves searching for known file headers within the disk image
and reconstructing deleted materials.
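Added example (not part of the lecture slides): signature-based file carving over a constructed raw disk image. It ignores file-system metadata entirely and instead looks for the JPEG and PNG header and footer byte sequences, so files whose directory entries have been deleted are still recovered from the sectors that hold them. The sample image, its sector layout and the two file types carved are assumptions of this example.

```python
SIGNATURES = {
    # JPEG files begin with the SOI marker FF D8 FF and end with the EOI marker FF D9.
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    # PNG files begin with an 8-byte signature and end with the IEND chunk plus its CRC.
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

def carve(image: bytes, max_size: int = 10_000_000) -> list:
    """Scan a raw image for known headers; for each header with a footer within
    max_size bytes, return (offset, type, data). File-system metadata is ignored,
    so files whose directory entries were deleted are still found."""
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                # No footer: fragmented or overwritten file; skip this header.
                pos = image.find(header, pos + 1)
                continue
            end += len(footer)
            found.append((pos, ftype, image[pos:end]))
            pos = image.find(header, end)
    return sorted(found, key=lambda hit: hit[0])

def build_sample_image() -> bytes:
    """Constructed 512-byte-sector image: a 'boot' sector, a small JPEG and a small
    PNG whose directory entries are assumed gone, a junk sector and an empty one."""
    def sector(data: bytes) -> bytes:
        return data.ljust(512, b"\x00")
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-data" * 4 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-chunk" * 3 + b"IEND\xaeB`\x82"
    return sector(b"BOOT") + sector(jpg) + b"\x7f" * 512 + sector(png) + sector(b"")

def carve_summary(image: bytes) -> list:
    """(offset, type, size) for each carved file; offsets are sector-aligned here."""
    return [(off, ftype, len(data)) for off, ftype, data in carve(image)]

if __name__ == "__main__":
    for off, ftype, size in carve_summary(build_sample_image()):
        print(f"offset {off:6d}  type {ftype}  size {size} bytes")
```

On real images the same scan produces false positives (header bytes occurring by chance) and misses fragmented files, which is why carving tools validate the carved data and why the results must be documented rather than taken at face value.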
Computer Forensics - Techniques
Steganography
• Steganography is the practice of
concealing secret information within a
carrier medium, such as an image, audio
file, video, or text, without attracting
attention to the existence of the hidden
data.
• Unlike encryption, which focuses on
making the content of a message
unintelligible to unauthorized users,
steganography aims to hide the
existence of the communication itself.