Unit II
Computer Forensics Technology
Introduction to Computer Forensics Technology
In the early 80s PCs became more popular and easily accessible to the general population.
This also led to the increased use of computers in all fields, and criminal activity was no
exception. The word “forensics” means the use of science and technology to investigate and
establish facts in criminal or civil courts of law. Forensics is the process of using
scientific knowledge to analyze and present evidence to the court.
Computer forensics is a branch of digital forensic science concerned with evidence found in
computers and digital storage media. It is defined as the discipline that combines elements of
law and computer science to collect and analyze data from wireless communications, computer
systems, networks, and storage devices in a way that is admissible as evidence in court.
Because computer forensics is a new discipline, there are few standard rules or practices for
it, and there is little standardization and consistency across the industry and the courts.
Types of Computer Forensics:
There are multiple types of computer forensics depending on the field in which digital
investigation is needed. The fields are:
Network forensics
Email forensics
Malware forensics
Memory forensics
Mobile Phone forensics
Database forensics
Disk forensics
Seven Types of Computer Forensics
Computer forensics is a broad field that encompasses various types of investigations. The
most common types of computer forensics include network, mobile device, and digital
forensics. Network forensics involves the analysis of network traffic to identify and
investigate security incidents, such as hacking attempts or data breaches. Mobile device
forensics consists of extracting and analyzing data from mobile devices, such as smartphones
and tablets, to investigate criminal activities or civil disputes.
Finally, digital forensics involves the analysis of digital data, such as emails, documents, and
images, to uncover evidence of criminal activities, such as fraud, cyberbullying, or
intellectual property theft. Read on to learn more about these and other types of computer
forensics.
Network forensics
Network forensics collects and analyzes network traffic data to investigate security incidents
or criminal activity. It involves the use of specialized tools and techniques to identify and
reconstruct network events that occur.
Email forensics
Email forensics involves investigating and analyzing email messages to gather evidence for
legal or investigative purposes. It often requires metadata analysis, email tracing, and email
content analysis.
Malware forensics
Malware forensics analyzes and investigates malicious software to determine its origin,
purpose, and potential impact. It involves using various techniques and tools to collect and
analyze data from infected systems in order to remediate or prevent future malicious attacks.
Memory forensics
Memory forensics is a branch of digital forensics that involves analyzing the contents of a
computer’s memory. It can be used to investigate cyber attacks, malware infections, and other
security incidents.
Mobile Phone forensics
Mobile phone forensics is extracting and analyzing data from mobile devices for investigative
purposes and includes recovering deleted messages, call logs, and other digital evidence like
photos and videos.
Database forensics
Database forensics investigates and analyzes databases to uncover evidence of illegal or
unauthorized activities. It examines database logs, metadata, and other aspects to reconstruct
events and identify potential cybercrime suspects.
Disk forensics
Disk forensics analyzes digital storage devices to gather evidence for legal or investigative
purposes and includes recovering deleted files, identifying user activity, and detecting
malware.
Techniques used in Computer Forensics:
A computer forensics investigation normally follows the typical digital forensics procedure:
acquisition, examination, analysis, and reporting. These investigations are mostly performed
on static data (disk images) rather than live data or live systems, though in the early days
of computer forensics investigators often worked on live data for lack of tools.
Various kinds of techniques are used in computer forensics investigation such as:
Cross-drive analysis: Cross-drive analysis (CDA) is a technique that allows an
investigator to quickly identify and correlate information from multiple data sources
or information across multiple drives. Existing approaches include multi-drive
correlation using text searches, e.g., email addresses, SSNs, message IDs, or credit
card numbers.
Live analysis: This technique examines the computer from within its running OS, using
various forensic and sysadmin tools to extract information from the device. In forensic
analysis the collection of volatile data, such as installed software packages and hardware
information, is very important; this approach is useful when the investigator is dealing
with encrypted files. If the device is still active and running when it is handed to the
investigator, the investigator should collect all the volatile information from the device,
such as user login history, which TCP and UDP ports are open, which services are currently
in use and running, and so on.
Deleted file recovery: This technique is used to recover deleted files. The deleted data can
be recovered or carved out using forensic tools such as CrashPlan, OnTrack EasyRecovery,
Wise Data Recovery, etc.
Stochastic forensics: This method forensically reconstructs digital activities that lack
sufficient digital artifacts by analyzing the emergent patterns that result from the
stochastic nature of modern computers.
Steganography: Steganography is a technique for hiding secret information inside or on top
of something else, which can be anything from an image to any other type of file. Computer
forensics investigators can counter this by comparing the hash value of the altered file with
that of the original file; the hash values will differ even though the two files may appear
identical on visual inspection.
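Cross-drive analysis, as described above, comes down to extracting identifiers from each drive and correlating them. The following added example (not part of the original notes) does this for email addresses and Luhn-valid card numbers over constructed text recovered from three drives; the drive contents, regular expressions and function names are assumptions for illustration.

```python
import re

# Constructed sample: text recovered from three seized drives (in practice the
# output of a keyword sweep over each full image, including slack space).
DRIVES = {
    "drive_A": "invoice.txt: billed to j.doe@example.net\n"
               "payment card 4111111111111111 exp 09/27\n",
    "drive_B": "contacts.csv: J. Doe,j.doe@example.net,ops@example.org\n"
               "wallet.txt: card 4111 1111 1111 1111\n",
    "drive_C": "readme.txt: contact ops@example.org\n"
               "serial 1234567812345678 (product key, not a card)\n",
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13 to 19 digits, optionally separated by single spaces or dashes
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn mod-10 check used by payment cards; it filters out most digit runs
    (serials, phone numbers) that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def extract_identifiers(text):
    """Return a set of (kind, value) identifiers found in one drive's text."""
    found = set()
    for m in EMAIL_RE.finditer(text):
        found.add(("email", m.group().lower()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.add(("card", digits))
    return found


def cross_drive_correlate(drives, min_drives=2):
    """Map each identifier to the sorted list of drives it appears on, keeping
    only identifiers seen on at least min_drives drives."""
    seen = {}
    for drive, text in drives.items():
        for ident in extract_identifiers(text):
            seen.setdefault(ident, set()).add(drive)
    return {ident: sorted(d) for ident, d in seen.items() if len(d) >= min_drives}


if __name__ == "__main__":
    for (kind, value), drives in sorted(cross_drive_correlate(DRIVES).items()):
        print(f"{kind:5} {value:25} -> {', '.join(drives)}")
```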
Types of Military Computer Forensic Technology
The U.S. Department of Defense (DoD) cyber forensics includes evaluation and in-depth
examination of data related to both the trans- and post-cyberattack periods. Key objectives of
cyber forensics include rapid discovery of evidence, estimate of potential impact of the
malicious activity on the victim, and assessment of the intent and identity of the perpetrator.
Real-time tracking of potentially malicious activity is especially difficult when the pertinent
information has been intentionally or maliciously hidden, destroyed, or modified in order to
elude discovery.
The Information Directorate’s cyber forensic concepts are new and untested. The directorate
entered into a partnership with the National Institute of Justice via the auspices of the
National Law Enforcement and Corrections Technology Center (NLECTC) located in Rome,
New York, to test these new ideas and prototype tools. The Computer Forensics Experiment
2000 (CFX-2000) resulted from this partnership. This first-of-a-kind event represents a new
paradigm for transitioning cyber forensic technology from military research and development
(R&D) laboratories into the hands of law enforcement. The experiment used a realistic cyber
crime scenario specifically designed to exercise and show the value added of the directorate-
developed cyber forensic technology.
The central hypothesis of CFX-2000 examined the possibility of accurately determining the
motives, intent, targets, sophistication, identity, and location of cyber criminals and cyber
terrorists by deploying an integrated forensic analysis framework. The execution of CFX-
2000 required the development and simulation of a realistic, complex cyber crime scenario
exercising conventional, as well as R&D prototype, cyber forensic tools.
COMPUTER FORENSIC EXPERIMENT-2000 (CFX-2000)
CFX-2000 is an integrated forensic analysis framework. The central hypothesis of CFX-2000
is that it is possible to accurately determine the motives, intent, targets, sophistication,
identity, and location of cyber criminals and cyber terrorists by deploying an integrated
forensic analysis framework. The cyber forensic tools involved in CFX-2000 consisted of
commercial off-the-shelf software and directorate-sponsored R&D prototypes. CFX includes the
SI-FI integration environment. The Synthesizing Information from Forensic Investigations
(SI-FI) integration environment supports the collection, examination, and analysis processes
employed during a cyber-forensic investigation. The SI-FI prototype uses digital evidence
bags (DEBs), which are secure and tamperproof containers used to store digital evidence.
Investigators can seal evidence in the DEBs and use the SI-FI implementation to collaborate
on complex investigations.
Authorized users can securely reopen the DEBs for examination, while automatic audit of all
actions ensures the continued integrity of their contents. The teams used other forensic tools
and prototypes to collect and analyze specific features of the digital evidence, perform case
management and time lining of digital events, automate event link analysis, and perform
steganography detection. The results of CFX-2000 verified that the hypothesis was largely
correct and that it is possible to ascertain the intent and identity of cyber criminals. As
electronic technology continues its explosive growth, researchers need to continue vigorous
R&D of cyber forensic technology in preparation for the onslaught of cyber reconnaissance
probes and attacks.
TYPES OF LAW ENFORCEMENT COMPUTER FORENSIC TECHNOLOGY
Computer forensics tools and techniques have become important resources for use in internal
investigations, civil lawsuits, and computer security risk management. Law enforcement and
military agencies have been involved in processing computer evidence for years.
Figure: CFX-2000 Schematic
1. Computer Evidence Processing Procedures
Processing procedures and methodologies should conform to federal computer evidence
processing standards.
A. Preservation of Evidence
Computer evidence is fragile and susceptible to alteration or erasure by any number of
occurrences.
Computer evidence can be useful in criminal cases, civil disputes, and human resources or
employment proceedings.
Black box computer forensics software tools are good for some basic investigation
tasks, but they do not offer a full computer forensics solution.
SafeBack software overcomes some of the evidence weaknesses inherent in black box
computer forensics approaches.
SafeBack technology has become a worldwide standard for making mirror-image backups
since 1990.
2. TROJAN HORSE PROGRAMS
The computer forensic expert should be able to demonstrate his or her ability to avoid
destructive programs and traps that can be planted by computer users bent on destroying data
and evidence.
Such programs can also be used to covertly capture sensitive information, passwords, and
network logons.
3. COMPUTER FORENSICS DOCUMENTATION
Without proper documentation, it is difficult to present findings.
If the security or audit findings become the object of a lawsuit or a criminal investigation,
then documentation becomes even more important.
4. FILE SLACK
Slack space in a file is the remnant area at the end of a file in the last assigned disk
cluster. It is unused by current file data but, once again, may be a possible site for
previously created and relevant evidence.
Experts use specialized techniques and automated tools to capture and evaluate file slack.
5. DATA-HIDING TECHNIQUES
Trade secret information and other sensitive data can easily be secreted using any number
of techniques. It is possible to hide diskettes within diskettes and to hide entire computer hard
disk drive partitions. Computer forensic experts should understand such issues and tools that
help in the identification of such anomalies.
Net Threat Analyzer can be used to identify past Internet browsing and email activity done
through specific computers. The software analyzes a computer’s disk drives and other storage
areas that are generally unknown to or beyond the reach of most general computer users. Net
Threat Analyzer is available free of charge to computer crime specialists, school officials,
and police.
6. DUAL-PURPOSE PROGRAMS
Programs can be designed to perform multiple processes and tasks at the same time.
Computer forensics experts must have hands-on experience with these programs.
TEXT SEARCH TECHNIQUES
Text search tools can be used to find targeted strings of text in files, file slack,
unallocated file space, and Windows swap files.
1. Fuzzy Logic Tools Used To Identify Unknown Text
Computer evidence searches require that the computer specialist know what is being
searched for. Many times not all is known about what may be stored on a given computer
system.
In such cases, fuzzy logic tools can provide valuable leads as to how the subject computer
was used.
2. Disk Structure
Computer forensic experts must understand how computer hard disks and floppy diskettes
are structured and how computer evidence can reside at various levels within the structure of
the disk.
They should also demonstrate their knowledge of how to modify the structure and hide
data in obscure places on floppy diskettes and hard disk drives.
3. Data Encryption
Computer forensic experts should become familiar with the use of software to crack
security associated with the different file structures.
4. Matching a Diskette to a Computer
Specialized techniques and tools make it possible to conclusively tie a diskette to the
computer that was used to create or edit the files stored on it. Computer forensic experts
should become familiar with how to use special software tools to complete this process.
5. Data Compression
Computer forensic experts should become familiar with how compression works and how
compression programs can be used to hide and disguise sensitive data and also learn how
password-protected compressed files can be broken.
6. Erased Files
Computer forensic experts should become familiar with how previously erased files can be
recovered using DOS programs and manual data-recovery techniques, and should be familiar
with cluster chaining.
7. Internet Abuse Identification and Detection
Computer forensic experts should become familiar with how to use specialized software to
identify how a targeted computer has been used on the Internet.
This process will focus on computer forensics issues tied to data that the computer user
probably doesn’t realize exists (file slack, unallocated file space, and Windows swap files).
8. The Boot Process and Memory Resident Programs
Computer forensic experts should become familiar with how the operating system can be
modified to change data and destroy data at the whim of the person who configured the
system.
Such a technique could be used to covertly capture keyboard activity from corporate
executives, for example. For this reason, it is important that the experts understand these
potential risks and how to identify them.
TYPES OF BUSINESS COMPUTER FORENSIC TECHNOLOGY
The following are different types of business computer forensics technology:
Data Interception by Remote Transmission (DIRT) is a powerful remote control
monitoring tool that allows stealth monitoring of all activity on one or more target computers
simultaneously from a remote command center.
No physical access is necessary. The application also allows agents to remotely seize and
secure digital evidence prior to physically entering suspect premises.
1. Creating trackable electronic documents
Binary Audit Identification Transfer (BAIT) is a powerful intrusion detection tool that
allows users to create trackable electronic documents.
BAIT identifies (including their location) unauthorized intruders who access, download,
and view these tagged documents.
BAIT also allows security personnel to trace the chain of custody and chain of command
of all who possess the stolen electronic documents.
2. Theft recovery software for laptops and PCs
What it really costs to replace a stolen computer:
The price of the replacement hardware & software.
The cost of recreating data, lost production time or instruction time, reporting and
investigating the theft, filing police reports and insurance claims, increased insurance,
processing and ordering replacements, cutting a check, and the like.
The loss of customer goodwill.
If a thief is ever caught, the cost of time involved in prosecution.
3. PC PhoneHome
PC PhoneHome is a software application that will track and locate a lost or stolen PC or
laptop anywhere in the world. It is easy to install, and it is completely transparent to the
user.
If your PC PhoneHome-protected computer is lost or stolen, all you need to do is make a
report to the local police and call CD’s 24-hour command center. CD’s recovery specialists
will assist local law enforcement in the recovery of your property.
Forensic services available
Services include but are not limited to:
Lost password and file recovery
Location and retrieval of deleted and hidden files
File and email decryption
Email supervision and authentication
Threatening email traced to source
Identification of Internet activity
Computer usage policy and supervision
Remote PC and network monitoring
Tracking and location of stolen electronic files
Honeypot sting operations
Location and identity of unauthorized software users
Theft recovery software for laptops and PCs
Investigative and security software creation
Protection from hackers and viruses.
Digital Forensics: Can You Find Hidden Data?
Digital forensics are. Here are some ways that data can be hidden within storage
media:
Example 1: Deleted Files and Slack Space: Recently deleted files leave slack
space. The files are still there, but the area is marked unallocated. Those unallocated
sectors are eventually overwritten, permanently “deleting” the prior data in the sector.
Example 2: Hiding data in the HPA on disk: Host Protected Areas on disks are not
visible to the operating system. Boot diagnostics, BIOS support, and other
manufacturer tools are generally loaded there in the host protected area. Rootkits
can write to that space, which makes them difficult to detect because the operating
system and anti-virus software cannot see those rootkits.
Example 3: Hiding data by marking sectors that contain data as “bad” and
therefore unreadable by end-user software: This process forces the operating
system to think a sector is bad, and therefore it will ignore it. It requires creating bad
blocks on the file system where the data is logically located in order to “hide” it. This is
generally reversible by unmarking the bad blocks and making them visible to the operating
system again.
Hidden Data Detection Methods:
Forensic tools such as FTK, EnCase, and The Coroner’s Toolkit perform sector-by-sector
analysis for the existence of non-zero data in reserved file system spaces. dd and hex
viewers/editors can also be used with this methodology.
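The file slack, erased files and hidden-data points above (section 4, File Slack; section 6, Erased Files; Examples 1 and 3) all come down to bytes that the file system no longer presents but that are still on the media. The following added example, which is not from the original notes or any of the tools named, builds a constructed cluster-addressed volume and sweeps it the way the text describes: it reports non-zero data in the slack of used clusters, in unallocated clusters and in clusters marked bad. The cluster size, file contents and class names are all assumptions.

```python
CLUSTER = 64  # constructed tiny cluster size so a whole volume fits in a demo

# Constructed file contents for the scenario below
PLAN = b"MEETING AT THE OLD WAREHOUSE 23:00. BRING THE LEDGER AND THE KEYS. DO NOT TELL ANYONE."
NOTES = b"grocery list: milk, eggs"
STASH = b"ACCT 12-3456-7890 PIN 4421 stashed in bad-marked cluster"


class ToyVolume:
    """Constructed cluster-addressed volume with a FAT-style allocation map:
    each cluster is free, used or bad, and a file is a chain of used clusters."""

    def __init__(self, clusters):
        self.data = bytearray(CLUSTER * clusters)
        self.state = ["free"] * clusters
        self.files = {}  # name -> (cluster chain, size in bytes)

    def write_file(self, name, content):
        needed = (len(content) + CLUSTER - 1) // CLUSTER
        chain = [c for c, s in enumerate(self.state) if s == "free"][:needed]
        if len(chain) < needed:
            raise OSError("volume full")
        for k, c in enumerate(chain):
            # Only the file's own bytes are written; whatever was left in the
            # rest of the last cluster stays there. That remnant is file slack.
            piece = content[k * CLUSTER:(k + 1) * CLUSTER]
            self.data[c * CLUSTER:c * CLUSTER + len(piece)] = piece
            self.state[c] = "used"
        self.files[name] = (chain, len(content))

    def delete_file(self, name):
        # Like a FAT delete: entry and chain are released, the data is not wiped
        chain, _ = self.files.pop(name)
        for c in chain:
            self.state[c] = "free"

    def cluster(self, c):
        return bytes(self.data[c * CLUSTER:(c + 1) * CLUSTER])

    def read_file(self, name):
        chain, size = self.files[name]
        return b"".join(self.cluster(c) for c in chain)[:size]


def find_hidden_data(vol):
    """Sweep every cluster and report non-zero bytes in places the file system
    does not present: slack of used clusters, free clusters, clusters marked bad.
    Returns a list of (kind, cluster, owning file or None, bytes)."""
    findings = []
    used_bytes = {}
    for name, (chain, size) in vol.files.items():
        for k, c in enumerate(chain):
            used_bytes[c] = (name, min(size - k * CLUSTER, CLUSTER))
    for c, state in enumerate(vol.state):
        block = vol.cluster(c)
        if state == "used":
            name, used = used_bytes[c]
            slack = block[used:]  # bytes past the end of the file's data
            if slack.strip(b"\x00"):
                findings.append(("slack", c, name, slack))
        elif block.strip(b"\x00"):
            findings.append((state, c, None, block.rstrip(b"\x00")))
    return findings


def build_scenario():
    vol = ToyVolume(6)
    vol.write_file("plan.txt", PLAN)     # occupies clusters 0 and 1
    vol.delete_file("plan.txt")          # Example 1: "deleted", bytes remain
    vol.write_file("notes.txt", NOTES)   # reuses cluster 0, overwrites 24 bytes
    vol.state[4] = "bad"                 # Example 3: cluster flagged bad ...
    vol.data[4 * CLUSTER:4 * CLUSTER + len(STASH)] = STASH  # ... and used as a stash
    return vol


if __name__ == "__main__":
    for kind, c, owner, data in find_hidden_data(build_scenario()):
        print(f"cluster {c} [{kind}{' of ' + owner if owner else ''}]: {data!r}")
```

The sweep reports the tail of the deleted plan in the slack of notes.txt, the rest of it in the freed cluster, and the stash in the cluster marked bad, none of which read_file would ever return.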
What are the most effective forensic tools and techniques for recovering deleted or hidden data?
1. Data recovery basics
2. Forensic imaging
3. File carving
4. Data hiding detection
5. Data analysis and presentation
When you need to investigate a cyber-incident, recover deleted or hidden data, or analyze a
suspect's device, you need to use the right forensic tools and techniques. Forensic tools are
software or hardware that help you collect, preserve, analyze, and present digital evidence.
Forensic techniques are methods or procedures that help you perform forensic tasks, such as
carving, hashing, imaging, or wiping. In this article, you will learn about some of the most
effective forensic tools and techniques for recovering deleted or hidden data, and how to use
them in different scenarios.
1. Data recovery basics: Deleted or hidden data is not necessarily gone forever. Depending
on how the data was deleted or hidden, and how the storage device was used afterwards, you
may be able to recover some or all of the data using forensic tools and techniques. The first
step is to understand how data is stored and deleted on different types of devices, such as hard
disks, solid state drives, flash drives, memory cards, or mobile phones. The second step is to
identify the potential sources of deleted or hidden data, such as file systems, unallocated
space, slack space, recycle bin, temporary files, swap files, or hidden partitions. The third
step is to choose the appropriate forensic tool and technique for the specific device and data
source.
2. Forensic imaging: One of the most important forensic techniques for recovering deleted or
hidden data is forensic imaging. Forensic imaging is the process of creating an exact copy of
a storage device or a part of it, such as a disk, a partition, or a file. Forensic imaging
preserves the original data and its integrity, and allows you to perform analysis on the copy
without affecting the original. Forensic imaging also helps you overcome challenges such as
encryption, passwords, or damaged sectors. Forensic imaging can be done using hardware
devices, such as write blockers or duplicators, or software tools, such as FTK Imager, dd, or
EnCase.
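The following added example (not from the article and not any of the tools it names) models that process: sector-by-sector acquisition that zero-fills unreadable sectors the way dd conv=noerror,sync does, a SHA-256 of the image computed as it is acquired, and the re-verification run before each examination. The source device, its contents and its bad sector are constructed.

```python
import hashlib

SECTOR = 512


class SourceDevice:
    """Constructed stand-in for a physical drive behind a write blocker.
    Reading any sector listed in bad_sectors raises OSError, like a drive
    with damaged platters."""

    def __init__(self, data, bad_sectors=()):
        self.data = data
        self.bad_sectors = set(bad_sectors)

    @property
    def sector_count(self):
        return (len(self.data) + SECTOR - 1) // SECTOR

    def read_sector(self, n):
        if n in self.bad_sectors:
            raise OSError(f"I/O error reading sector {n}")
        return self.data[n * SECTOR:(n + 1) * SECTOR].ljust(SECTOR, b"\x00")


def acquire_image(dev):
    """Sector-by-sector acquisition. Unreadable sectors are zero-filled so the
    offsets in the image still match the device, and each one is logged for the
    report. Returns (image bytes, sha256 hex of the image, list of bad sectors)."""
    h = hashlib.sha256()
    image = bytearray()
    bad = []
    for n in range(dev.sector_count):
        try:
            chunk = dev.read_sector(n)
        except OSError:
            chunk = b"\x00" * SECTOR
            bad.append(n)
        image += chunk
        h.update(chunk)
    return bytes(image), h.hexdigest(), bad


def verify_image(image, expected_hash):
    """Re-hash the stored image and compare with the acquisition hash; this is
    the check repeated before every examination to show nothing has changed."""
    return hashlib.sha256(image).hexdigest() == expected_hash


if __name__ == "__main__":
    dev = SourceDevice(b"EVIDENCE-" * 200, bad_sectors=[2])  # constructed
    image, digest, bad = acquire_image(dev)
    print(f"acquired {len(image)} bytes, sha256={digest}, unreadable sectors={bad}")
    print("verification:", verify_image(image, digest))
    tampered = bytearray(image)
    tampered[0] ^= 0x01  # a single flipped bit in the copy
    print("verification after 1-bit change:", verify_image(bytes(tampered), digest))
```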
3. File carving: Another effective forensic technique for recovering deleted or hidden data is
file carving. File carving is the process of extracting files from raw data, without relying on
file system metadata, such as file names, locations, or sizes. File carving can help you recover
files that have been deleted, overwritten, corrupted, or encrypted. File carving can also help
you recover files from unsupported or unknown file systems, or from devices that have been
formatted or wiped. File carving can be done using software tools, such as Scalpel, Foremost,
or PhotoRec.
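As an added example (not from the article or from Scalpel, Foremost or PhotoRec), the following carver implements the header/footer signature approach those tools use, run over a constructed raw image; the JPEG and PNG magic values are the real ones, the size cap, sample data and function names are assumptions.

```python
# File signatures: (type, header magic, footer magic). Real values for JPEG and
# PNG; the size cap stops a header with a missing footer from swallowing the
# rest of the image.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
]
MAX_FILE = 10 * 1024 * 1024  # 10 MiB cap per carved file


def carve(raw, signatures=SIGNATURES, max_size=MAX_FILE):
    """Carve files from raw bytes using only header/footer signatures, ignoring
    any file system metadata. Returns a list of (type, start, end, data) sorted
    by offset; end is None when no footer was found within max_size."""
    found = []
    for ftype, header, footer in signatures:
        pos = 0
        while (start := raw.find(header, pos)) != -1:
            end = raw.find(footer, start + len(header), start + max_size)
            if end == -1:
                # Header without footer: report a truncated file so the examiner
                # can still inspect it, then keep scanning after the header.
                found.append((ftype, start, None, raw[start:start + max_size]))
                pos = start + len(header)
                continue
            end += len(footer)
            found.append((ftype, start, end, raw[start:end]))
            pos = end
    return sorted(found, key=lambda f: f[1])


# Constructed raw image: zero filler, a tiny complete JPEG, unallocated junk,
# a tiny complete PNG, then a JPEG header whose footer was overwritten.
SAMPLE_RAW = (
    b"\x00" * 64
    + b"\xff\xd8\xff\xe0" + b"JFIF-pixel-data" + b"\xff\xd9"
    + b"unallocated junk " * 4
    + b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"pixels" + b"IEND\xaeB`\x82"
    + b"\xff\xd8\xff\xe1" + b"truncated"
)

if __name__ == "__main__":
    for ftype, start, end, data in carve(SAMPLE_RAW):
        status = "complete" if end is not None else "truncated"
        print(f"{ftype} at offset {start}: {len(data)} bytes ({status})")
```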
4. Data hiding detection: Sometimes, deleted or hidden data is not accidental, but
intentional. Data hiding is the process of concealing data within other data, such as files,
partitions, or network traffic. Data hiding can be used for malicious purposes, such as hiding
malware, exfiltrating data, or evading detection. Data hiding can also be used for legitimate
purposes, such as protecting privacy, securing communication, or preserving evidence. Data
hiding detection is the process of identifying and revealing hidden data using forensic tools
and techniques. Data hiding detection can be done using software tools, such as StegDetect,
StegExpose, or Autopsy.
5. Data analysis and presentation: The final step in recovering deleted or hidden data is to
analyze and present the data using forensic tools and techniques. Data analysis is the process
of examining, interpreting, and verifying the data using various methods, such as keyword
searches, hash comparisons, timeline analysis, or anomaly detection. Data analysis can help
you find relevant, reliable, and accurate evidence for your investigation. Data presentation is
the process of organizing, summarizing, and reporting the data using various formats, such as
tables, charts, graphs, or reports. Data presentation can help you communicate your findings,
conclusions, and recommendations to your audience. Data analysis and presentation can be
done using software tools, such as X-Ways, Cellebrite, or Magnet AXIOM.
What is spyware?
Despite its name, the term "spyware" doesn't refer to something used by undercover
operatives, but rather by the advertising industry. In fact, spyware is also known as "adware."
It refers to a category of software that, when installed on your computer, may send you pop-
up ads, redirect your browser to certain web sites, or monitor the web sites that you visit.
Some extreme, invasive versions of spyware may track exactly what keys you type. Attackers
may also use spyware for malicious purposes.
Because of the extra processing, spyware may cause your computer to become slow or
sluggish. There are also privacy implications:
What information is being gathered?
Who is receiving it?
How is it being used?
How do you know if there is spyware on your computer?
The following symptoms may indicate that spyware is installed on your computer:
you are subjected to endless pop-up windows
you are redirected to web sites other than the one you typed into your browser
new, unexpected toolbars appear in your web browser
new, unexpected icons appear in the task tray at the bottom of your screen
your browser's home page suddenly changed
the search engine your browser opens when you click "search" has been
changed
certain keys fail to work in your browser (e.g., the tab key doesn't work when
you are moving to the next field within a form)
random Windows error messages begin to appear
your computer suddenly seems very slow when opening programs or
processing tasks (saving files, etc.)
How can you prevent spyware from installing on your computer?
To avoid unintentionally installing it yourself, follow these good security practices:
Don't click on links within pop-up windows - Because pop-up windows are
often a product of spyware, clicking on the window may install spyware software on
your computer. To close the pop-up window, click on the "X" icon in the titlebar
instead of a "close" link within the window.
Choose "no" when asked unexpected questions - Be wary of unexpected
dialog boxes asking whether you want to run a particular program or perform another
type of task. Always select "no" or "cancel," or close the dialog box by clicking the
"X" icon in the titlebar.
Be wary of free downloadable software - There are many sites that offer
customized toolbars or other features that appeal to users. Don't download programs
from sites you don't trust, and realize that you may be exposing your computer to
spyware by downloading some of these programs.
Don't follow email links claiming to offer anti-spyware software - Like
email viruses, the links may serve the opposite purpose and actually install the
spyware it claims to be eliminating.
As an additional good security practice, especially if you are concerned that you might have
spyware on your machine and want to minimize the impact, consider taking the following
action:
Adjust your browser preferences to limit pop-up windows and cookies -
Pop-up windows are often generated by some kind of scripting or active content.
Adjusting the settings within your browser to reduce or prevent scripting or active
content may reduce the number of pop-up windows that appear. Some browsers offer
a specific option to block or limit pop-up windows. Certain types of cookies are
sometimes considered spyware because they reveal what web pages you have visited.
You can adjust your privacy settings to only allow cookies for the web site you are
visiting.
How do you remove spyware?
Run a full scan on your computer with your anti-virus software - Some
anti-virus software will find and remove spyware, but it may not find the spyware
when it is monitoring your computer in real time. Set your anti-virus software to
prompt you to run a full scan periodically (see Understanding Anti-Virus Software for
more information).
Run a legitimate product specifically designed to remove spyware - Many
vendors offer products that will scan your computer for spyware and remove any
spyware software. Popular products include Lavasoft's Ad-Aware, Microsoft's
Windows Defender, Webroot's SpySweeper, and Spybot Search and Destroy.
Make sure that your anti-virus and anti-spyware software are
compatible - Take a phased approach to installing the software to ensure that you
don't unintentionally introduce problems (see Protecting Against Malicious Code for
more information).