COMPUTER
FORENSICS
Definition:
‘Forensics’ means “of or before the forum”, as in olden days.
It entered the English vocabulary in the 17th century as the
term “forensics”. (The word forensics means “to bring to the
court”.)
Forensics is the process of using scientific knowledge for
collecting, analyzing, and presenting evidence to the courts.
STAKEHOLDERS OF CF
• Victim or Criminal
• First Responder (From Law Enforcement)
• Computer Forensics Expert and
• Judiciary
WHY IT IS IMPORTANT
• Legal action against the criminal based on severity of the incident
• To file a case, we have to preserve the evidence
• It should be admissible in the court of law
Electronic evidence and information gathering have become central
issues in an increasing number of conflicts and crimes.
Electronic or computer evidence used to mean the regular print-out from
a computer—and a great deal of computer exhibits in court are just that.
computer forensics, though some people also use the term to include the
use of computers to analyze complex data (for example, connections
between individuals by examination of telephone logs or bank account
transactions).
COMPUTER FORENSICS
FUNDAMENTALS
What actually is computer forensics?
… Computer forensics is about evidence from computers that is sufficiently reliable
to stand up in court and be convincing.
… Computer forensics, also referred to as computer forensic analysis, electronic
discovery, electronic evidence discovery, digital discovery, data recovery, data
discovery, computer analysis, and computer examination, is the process of
methodically examining computer media (hard disks, diskettes, tapes, etc.) for
evidence.
… Computer crime has forced the computer and law enforcement professions to
develop new areas of expertise and avenues of collecting and analyzing evidence.
This is what has developed into the science of computer forensics.
… The process of acquiring, examining, and applying digital evidence is crucial to
the success of prosecuting a cyber criminal.
The professionals involved in the process, as well as the following
subject matter:
… Computer crime
… The computer forensic objective
… The computer forensic priority
… The accuracy versus speed conflict
… The need for computer forensics
… The double tier approach
… Requirements for the double tier approach
… The computer forensics specialist
COMPUTER FORENSICS IN LAW ENFORCEMENT
computer on the premises of a crime scene, the chances are very good
that there is valuable evidence on that computer. If the computer and its
contents are examined (even if very briefly) by anyone other than a
trained and experienced computer forensics specialist, the usefulness and
credibility of that evidence will be tainted.
COMPUTER FORENSICS ASSISTANCE TO HUMAN
RESOURCES/EMPLOYMENT PROCEEDINGS
Computers can contain evidence in many types of human resources
proceedings, including sexual harassment suits, allegations of discrimination,
and wrongful termination claims.
Evidence can be found in electronic mail systems, on network servers, and
on individual employees’ computers. However, due to the ease with which
computer data can be manipulated, if the search and analysis is not performed by a
trained computer forensics specialist, it could likely be thrown out of court.
Employer Safeguard Program : As computers become more prevalent in
businesses, employers must safeguard critical business information. An
unfortunate concern today is the possibility that data could be damaged,
destroyed, or misappropriated by a discontented individual.
This includes situations where files have been deleted, disks have been reformatted, or other
steps have been taken to conceal or destroy the evidence. For example, did you know
… What Web sites have been visited, what files have been downloaded, when files were last
accessed
… Of attempts to conceal or destroy evidence, of attempts to fabricate evidence
… That the electronic copy of a document can contain text that was removed from the final printed
version
… That some fax machines can contain exact duplicates of the last several hundred pages received
… That faxes sent or received via computer may remain on the computer indefinitely
… That email is rapidly becoming the communications medium of choice for businesses
… That people tend to write things in email that they would never consider writing in a
memorandum or letter
… That email has been used successfully in criminal cases as well as in civil litigation
… That email is often backed up on tapes that are generally kept for months or years
… That many people keep their financial records, including investments, on computers
COMPUTER FORENSICS SERVICES
A computer forensics professional does more than turn on a computer, make a
directory listing, and search through files. Your forensics professionals should be able
to successfully perform complex evidence recovery procedures with the skill and
expertise that lends credibility to your case.
For example, to perform the following services:
… Data seizure
… Data duplication and preservation
… Data recovery
… Document searches
… Media conversion
… Expert witness services
… Computer evidence service options
… Other miscellaneous services
Data Seizure : inspect and copy designated documents or data compilations that may contain
evidence.
Data Duplication and Preservation : computer forensics experts should acknowledge both of
these concerns by making an exact duplicate of the needed data. Because duplication is fast,
the responding party can quickly resume its normal business functions, and, because your
experts work on the duplicated data, the integrity of the original data is maintained.
Data Recovery : computer forensics experts should be able to safely recover and analyze
otherwise inaccessible evidence. The ability to recover lost evidence is made possible by the
expert’s advanced understanding of storage technologies.
Document Searches : computer forensics experts should also be able to search over 200,000
electronic documents in seconds rather than hours. The speed and efficiency of these searches
make the discovery process less complicated and less intrusive to all parties involved.
Media Conversion : Some clients need to obtain and investigate computer data stored on old
and unreadable devices. Your computer forensics experts should extract the relevant data from
these devices, convert it into readable formats, and place it onto new storage media for
analysis.
Expert Witness Services : Computer forensics experts should be able to explain complex
technical processes in an easy-to-understand fashion. This should help judges and juries
comprehend how computer evidence is found, what it consists of, and how it is relevant to a
specific situation.
Computer Evidence Service Options : computer forensics experts should
offer various levels of service, each designed to suit your individual
investigative needs. For example, they should be able to offer the following
services:
… Standard service : computer forensics experts should be able to work on your
case during normal business hours until your critical electronic evidence is found.
… On-site service : computer forensics experts services should then be performed
on the duplicate, minimizing the disruption to business and the computer system.
Your experts should also be able to help federal marshals seize computer data and
be very familiar with the Federal Guidelines for Searching and Seizing
Computers.
… Emergency service : computer forensics experts should be able to work on it
without interruption until your evidence objectives are met.
… Priority service : Priority service typically cuts your turnaround time in half.
… Weekend service : (Saturday and Sunday) the needed electronic evidence and
will continue working on your case until your evidence objectives are met.
Other Miscellaneous Services :
Computer forensics experts should also be able to provide extended services. These
services include
… Analysis of computers and data in criminal investigations
… On-site seizure of computer data in criminal investigations
… Analysis of computers and data in civil litigation.
… On-site seizure of computer data in civil litigation
… Analysis of company computers to determine employee activity
… Assistance in preparing electronic discovery requests
… Reporting in a comprehensive and readily understandable manner
… Court-recognized computer expert witness testimony
… Computer forensics on both PC and Mac platforms
… Fast turnaround time
Recover Data You Thought Was Lost Forever : The loss of your critical data.
You may think it’s lost forever, but computer forensics experts should be able to
employ the latest tools and techniques to recover your data.
Advise You on How to Keep Your Data and Information Safe from Theft or
Accidental Loss : Computer forensics experts should advise you on how to
safeguard your data by such methods as encryption and back-up.
Examine a Computer to Find Out What Its User Has Been Doing : computer
forensics experts should be equipped to find and interpret the clues that have been
left behind. This includes situations where files have been deleted, disks have
been reformatted, or other steps have been taken to conceal or destroy evidence.
Sweep Your Office for Listening Devices : computer forensics experts should
have the equipment and expertise to conduct thorough electronic counter
measures (ECM) sweeps of your premises.
High-Tech Investigations
BENEFITS OF PROFESSIONAL
FORENSICS METHODOLOGY
A computer forensics professional should ensure that a subject computer
system is carefully handled to ensure that
… No possible evidence is damaged, destroyed, or otherwise compromised by
the procedures used to investigate the computer.
… No possible computer virus is introduced to a subject computer during the
analysis process
… Extracted and possibly relevant evidence is properly handled and protected
from later mechanical or electromagnetic damage
STEPS TAKEN BY COMPUTER
FORENSICS SPECIALISTS
Protect the subject’s computer system during the forensics examination from
any possible alteration, damage, data corruption or virus introduction.
Discover all files on the subject system.
Recover all discovered deleted files.
Reveal the contents of hidden files as well as temporary or swap files used
by both the application programs and operating system.
Access the content of protected or encrypted files.
Analyze all possible relevant data in special areas of a disk.
Print out an overall analysis of the subject computer system.
Provide an opinion of the system layout.
Provide expert consultation and/or testimony, as required.
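
An added example, not part of the original slides: the "Data Duplication and Preservation" service and the first step above (protecting the subject system from alteration) are commonly backed by cryptographic hashing. The Python code below duplicates a constructed sample file, verifies the duplicate against the source with SHA-256, and shows that a change to a working copy is detected while the original and the duplicate stay intact. All file and function names are assumptions made for illustration.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so large media never sits in memory

def sha256_file(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def duplicate_with_hash(src, dst):
    """Copy src to dst, hashing the source bytes as they are read, then
    re-read dst from disk and require the two digests to match."""
    h = hashlib.sha256()
    # "xb" refuses to overwrite an existing file, so an earlier duplicate survives
    with open(src, "rb") as fin, open(dst, "xb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            h.update(block)
            fout.write(block)
        fout.flush()
        os.fsync(fout.fileno())
    acquired = h.hexdigest()
    if sha256_file(dst) != acquired:
        raise IOError("duplicate does not match source: " + dst)
    os.chmod(dst, 0o444)  # mark the verified duplicate read-only
    return acquired

def demo():
    """Constructed sample data: duplicate, alter a working copy, re-verify."""
    with tempfile.TemporaryDirectory() as d:
        src, dup, work = (os.path.join(d, n) for n in
                          ("original.bin", "duplicate.bin", "working.bin"))
        with open(src, "wb") as f:
            f.write(b"constructed sample media\n" * 4096)
        digest = duplicate_with_hash(src, dup)
        shutil.copyfile(dup, work)      # analysis happens on a working copy
        with open(work, "r+b") as f:    # simulate an accidental one-byte change
            f.write(b"X")
        return (sha256_file(src) == digest, sha256_file(dup) == digest,
                sha256_file(work) == digest)

if __name__ == "__main__":
    print(demo())
```

The digest returned at duplication time is the value to record in the case notes; recomputing it later over the original or the duplicate shows whether either has changed since acquisition.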