Computer Forensics
Investigation
A Presentation by
V.M. Thakkar
B.E., M.B.A., LL.B., P.G.D.C.P.A.,
M.A.(CCJA), M.Tech.(Pursuing)
Assistant Professor, CSED,
G.B. Pant Engineering College,
Ghurdauri, Pauri-Garhwal (Uttarakhand)
vmthakkar1@rediffmail.com
94121 13628, 78951 76121, (01368)228082 (R)
Computer Forensics
Investigation
Computer forensics otherwise known
as “digital forensics” is a process of
electronic discovery to acquire digital
evidence, analyse facts and report on
a case by examining digital devices
such as computers, hard drives or
any other storage media or network
conducted by a suitably trained
computer forensic analyst in order to
investigate a claim or allegation.
Computer Forensics
4 Basic Steps
1. Acquisition and collection of data
2. Examination
3. Analysis
4. Reporting
Forensic Investigator
The forensic investigator must be
suitably trained to perform the
specific type of investigation
requested by the client who can be a
solicitor, private detective, company
manager, prosecuting agent or law
enforcing agency.
Forensic Investigation
A computer forensic specialist will initially
examine each computer forensic case to
determine the complexity level of the case
so that an appropriately trained digital
forensic investigator or team of
investigators is assigned to the job.
It is at this stage that all the costs, logistics
and duration of the investigation are
determined and communicated to the client.
Depending on the case, there may be a
charge for the initial assessment which will
be agreed at the time of the computer
forensic service inquiry.
Acquiring and Collecting
Digital Evidence
Digital evidence can be collected
from many sources.
Obvious sources include computers,
mobile phones, digital cameras, hard
drives, CD-ROM, USB memory sticks
and so on.
Non-obvious sources include RFID
tags, and web pages which must be
preserved as they are subject to
change.
Acquiring and Collecting
Digital Evidence (contd.)
Special care should be taken when handling
computer evidence: most digital information is
volatile and can be easily changed, and once
modified, it is usually difficult to detect the
changes or to revert the data to its original
state. For this reason, a cryptographic hash of the
digital evidence should be calculated at the time
of collection, recorded, and kept in a safe place
separate from the evidence, so that any
contamination of the digital evidence can be
detected. This is essential because the computer
forensic investigators will then be able to
establish at a later stage whether or not the
original digital evidence has been tampered with
since the hash was calculated.
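The hash-and-record step above, as an added example that is not part of the presentation: evidence files are hashed at acquisition, the digests are written to a manifest that would be stored apart from the evidence, and the same files are re-hashed later to report which items are intact, modified or missing. The sample evidence files, the examiner identifier and the single-byte "contamination" are constructed for the demonstration.

```python
"""Record SHA-256 hashes of collected evidence and verify them later.

Added example (not from the presentation). Assumes evidence items are plain
files on disk; the sample evidence is constructed in a temporary directory.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # stream evidence in 1 MiB pieces so large images fit in memory


def hash_file(path, algorithm="sha256"):
    """Return the hex digest of a file without loading it whole."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def record_manifest(paths, manifest_path, examiner="EXAMINER-ID (placeholder)"):
    """Hash every evidence file at acquisition time and write a manifest.

    The manifest is the record that must be kept separately from the evidence
    (printed into the case file, for instance) so it cannot be altered with it.
    """
    items = {}
    for p in paths:
        items[os.path.basename(p)] = {"sha256": hash_file(p),
                                      "size": os.path.getsize(p)}
    manifest = {"recorded_at": datetime.now(timezone.utc).isoformat(),
                "examiner": examiner, "items": items}
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_manifest(paths, manifest_path):
    """Re-hash the evidence and compare with the manifest.

    Returns a dict: file name -> "ok", "modified", "missing" or "not in manifest".
    """
    with open(manifest_path) as f:
        expected = json.load(f)["items"]
    present = {os.path.basename(p): p for p in paths}
    result = {}
    for name, meta in expected.items():
        if name not in present:
            result[name] = "missing"
        elif hash_file(present[name]) == meta["sha256"]:
            result[name] = "ok"
        else:
            result[name] = "modified"
    for name in present:
        if name not in expected:
            result[name] = "not in manifest"
    return result


def demo():
    """Constructed scenario: two evidence files, one altered after acquisition."""
    workdir = tempfile.mkdtemp()
    notes = os.path.join(workdir, "notes.txt")
    image = os.path.join(workdir, "image.bin")
    with open(notes, "wb") as f:
        f.write(b"meeting at 10, bring the drive\n")
    with open(image, "wb") as f:
        f.write(bytes(range(256)) * 16)
    manifest = os.path.join(workdir, "manifest.json")
    record_manifest([notes, image], manifest)
    # Simulated contamination: one byte of image.bin changes after acquisition.
    with open(image, "r+b") as f:
        f.seek(100)
        f.write(b"\x00")
    return verify_manifest([notes, image], manifest)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The manifest deliberately stores the size alongside the digest and the time of recording, because the later comparison is only meaningful if the recorded values themselves cannot have been edited with the evidence; in practice that means a copy kept outside the evidence store.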
Imaging Electronic Media
Evidence
As an initial stage of computer forensic
investigation, an exact duplicate of the original
evidentiary media may have to be created.
A combination of standalone hard-drive
duplicators or software imaging tools should
be used so that the entire hard drive is fully
cloned.
This should be done at the sector level,
making a bit-stream copy of every part of the
user-accessible areas of the hard drive, which
can physically store data, rather than
duplicating the file system.
Imaging Electronic Media
Evidence (contd.)
Then the original drive should be
transferred to secure storage to
prevent any tampering.
During the imaging process, a write-
protection or write-blocking device or
application should be used to ensure
that no information is introduced
onto the evidentiary media during
the computer forensic investigation
process.
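The sector-level bit-stream copy and the write-blocked acquisition described on the two slides above, as an added example that is neither the presentation's procedure nor any imaging tool's code. A regular file stands in for the evidence device so the script runs offline; on a real acquisition the source would be the raw device behind a hardware write blocker, and opening it read-only here is only the software-side counterpart of that. The 512-byte sector size, the 64-sector device and the single unreadable sector are constructed assumptions.

```python
"""Sector-level bit-stream imaging with read-error handling and verification.

Added example, not the presentation's own procedure or any tool's code.
A regular file stands in for the evidence device; on a real acquisition
`source_path` would be the raw device behind a hardware write blocker.
"""
import hashlib
import os
import tempfile

SECTOR = 512          # sector size assumed for the constructed device
CHUNK = 1024 * 1024   # read size used when re-reading the finished image


def image_device(read_sector, total_sectors, image_path):
    """Copy every sector of the source into image_path.

    read_sector(n) returns the bytes of sector n or raises OSError. An
    unreadable sector is replaced by zeros so every later sector keeps its
    original offset in the image, and its number is logged. The SHA-256 is
    computed over the bytes as they are read, so it describes exactly what
    was acquired, zero-filled sectors included.
    """
    acquired = hashlib.sha256()
    bad_sectors = []
    with open(image_path, "wb") as out:
        for n in range(total_sectors):
            try:
                data = read_sector(n)
            except OSError:
                data = b"\x00" * SECTOR
                bad_sectors.append(n)
            acquired.update(data)
            out.write(data)
        out.flush()
        os.fsync(out.fileno())  # image is on disk before it is hashed again
    return {"sha256": acquired.hexdigest(), "bad_sectors": bad_sectors,
            "sectors": total_sectors}


def verify_image(image_path, acquisition_hash):
    """Re-read the written image and compare its hash with the acquisition hash."""
    h = hashlib.sha256()
    with open(image_path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest() == acquisition_hash


def make_reader(source_path, unreadable):
    """Build a read_sector function over a source opened read-only.

    `unreadable` is a constructed set of sector numbers that raise OSError,
    imitating a failing drive; real disks do not expose such a list.
    """
    f = open(source_path, "rb")

    def read_sector(n):
        if n in unreadable:
            raise OSError("I/O error at sector %d" % n)
        f.seek(n * SECTOR)
        return f.read(SECTOR)

    return read_sector


def demo():
    """Constructed device of 64 sectors, sector 7 unreadable."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "evidence.dev")
    image = os.path.join(workdir, "evidence.img")
    sectors = 64
    with open(source, "wb") as f:
        for n in range(sectors):
            f.write(bytes([n]) * SECTOR)  # each sector filled with its own number
    report = image_device(make_reader(source, {7}), sectors, image)
    report["verified"] = verify_image(image, report["sha256"])
    with open(image, "rb") as f:
        img = f.read()
    report["image_size"] = len(img)
    report["sector7_zeroed"] = img[7 * SECTOR:8 * SECTOR] == b"\x00" * SECTOR
    report["sector8_intact"] = img[8 * SECTOR:9 * SECTOR] == bytes([8]) * SECTOR
    return report


if __name__ == "__main__":
    r = demo()
    print("acquired sha256:", r["sha256"])
    print("unreadable sectors:", r["bad_sectors"], "verified:", r["verified"])
```

Two design points matter for admissibility: the hash is taken over the bytes actually acquired rather than over a second read of the source (a failing drive may return different data on a second read), and the list of zero-filled sectors is part of the acquisition report, since the image's hash alone cannot tell a reviewer which sectors were never readable.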
Mobile Forensics
Mobile Forensics is defined as “the
science of recovering digital
evidence from a mobile phone under
forensically sound conditions using
accepted methods and useful under
the law of evidence.”
Mobile Forensics (contd.)
Because there is no standard common
operating system for mobile phones
(unlike Windows in the world of
computers) there is no one perfect
solution. The software tools differ in the
supported models, connection types
and cost. Another criterion is whether
the evidence they recover can be
accepted in court. The ideal solution is
to have several different tools available
to use.
Mobile Forensics (contd.)
The ever-changing mobile phone
market, with new models released on a
weekly basis, poses a huge challenge
to the forensic examiner. Issues of
connectivity and compatibility arise.
Mobile Forensics (contd.)
The following services may be required
for any mobile device
(GSM/CDMA/3G etc.):
SIM Card Forensics
Memory Card Forensics
Call Data Record Analysis
Lost Data Recovery
Forensic Data Recovery
Forensic data recovery is a process which is
used to retrieve data which will be used for
legal purposes.
This technique is classically used in criminal
or civil investigations, which are designed to
yield information that can be used in court,
although forensic data recovery can also be
used by auditing departments and in a
variety of other circumstances.
This process is performed by trained
technicians who have studied computer
science, information technology, and
forensics.
Forensic Data Recovery
Forensic Electronic Data Recovery Plan
Development of legal and technical
strategies
Forensic Tactics
Resources including expert forensic legal
consulting
Assistance with Motion Drafting
Electronic Evidence Precedent
Information
Secure Data Eraser
When you erase a file on your computer, the actual
data in the file is not overwritten. The space utilized
by that file is simply marked as “free” for use by
other data.
Once other data is written in that space, the original
data becomes unrecoverable -- by most people.
Those little bits of magnetic media that store 0’s and
1’s are a bit more complex, however. With sensitive
and sophisticated equipment, it is theoretically
possible to recover data even after it has been
written over.
The method to securely erase data is to write over
the same physical spot on the hard disk multiple
times with different patterns, effectively obliterating
the magnetic signatures of the data which was once
there.
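The multi-pattern overwrite the slide describes, as an added example that is not the presentation's own method or any erasure product's code. It overwrites every byte of a file with zeros, then ones, then cryptographically random bytes, forcing each pass to the device before the next, and only then truncates and unlinks the file. The block size, the three patterns and the sample "secret" file are constructed assumptions, and the method assumes a file system that writes a file's data back to the same physical location.

```python
"""Multi-pass overwrite of a file's contents before it is unlinked.

Added example, not the presentation's own method or any product's code.
Assumes in-place writes reach the same physical blocks (see the note
below); the sample file is constructed in a temporary directory.
"""
import os
import secrets
import tempfile

BLOCK = 1024 * 1024
# Three passes: zeros, ones, then random bytes. None marks the random pass.
DEFAULT_PATTERNS = [b"\x00", b"\xff", None]


def overwrite_passes(path, patterns=DEFAULT_PATTERNS):
    """Overwrite every byte of the file once per pattern, syncing after each pass.

    Returns the number of passes written.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in patterns:
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(remaining, BLOCK)
                data = secrets.token_bytes(n) if pattern is None else pattern * n
                f.write(data)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push this pass to the device before the next
    return len(patterns)


def secure_delete(path, patterns=DEFAULT_PATTERNS):
    """Overwrite the file, then truncate and unlink it. Returns passes written."""
    passes = overwrite_passes(path, patterns)
    with open(path, "r+b") as f:
        f.truncate(0)  # the directory entry no longer points at the old blocks
    os.remove(path)
    return passes


def demo():
    """Constructed scenario: a file with a recognisable secret, overwritten then deleted."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "secret.txt")
    secret = b"account 12345 password hunter2\n" * 100
    with open(path, "wb") as f:
        f.write(secret)
    overwrite_passes(path, [b"\x00"])  # one zero pass so the result can be inspected
    with open(path, "rb") as f:
        contents = f.read()
    zeroed = contents == b"\x00" * len(secret) and b"hunter2" not in contents
    passes = secure_delete(path)
    return {"size": len(secret), "zeroed": zeroed, "passes": passes,
            "still_exists": os.path.exists(path)}


if __name__ == "__main__":
    print(demo())
```

The in-place overwrite only sanitises data where the file system and device actually rewrite the original blocks. On SSDs, whose wear levelling remaps writes, and on journaling, copy-on-write or snapshotting file systems, the old blocks may survive untouched; there the reliable options are whole-device sanitisation through the drive's own secure-erase command or the physical destruction the later slides mention. Slack space and earlier copies of the file (backups, temporary files, swap) are also outside what this routine reaches.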
Secure Data Erasure Services
Wipe entire drive,
Clean unused space on your hard disk
Remove Internet activities (History,
Cookies, Favourites, Temporary
Internet Files etc),
Erase System traces and Application
traces (MS applications, Email &
News, Chat messengers, NetMeeting
etc) from computer
Data Recovery
Remote Data Recovery- Online Data
Recovery Services to recover data
remotely from your computer system.
Evidence Recovery - Providing evidence
recovery services to recover all sorts of
evidences from the computer system.
Laptop Data Recovery - Laptop data
recovery services recover your data
from crashed laptop hard drives.
Secure Data Erasure Services
Secure Data Erasure Services are extremely
powerful and effective file and data cleansing
software.
Secure Data Erasure helps you to erase only the
selected files that you want removed from your
hard disk.
Secure Data Erasure Service ensures complete
data destruction by removing previously deleted
files / folders. The file eraser utility also wipes
free space (unused space) on the hard drive,
ensuring complete data destruction. As many
files and folders as possible should be wiped in
one go.
Secure Data Erasure Services
To protect an organization’s confidential
data or personal privacy, rely on
Recover Data’s Secure Data Erasure,
which ensures erasure from any kind
of storage media and acts as a
complete hard drive cleansing
solution.
Features - Secure Data Erasure
Provides Total Cleaning of Unused
Space on Hard Drive
Secure Data Erasure Services
Secure Data Erasure securely wipes the unused
space on your hard disk beyond data recovery
capability, defeating any attempt to recover
wiped data through which previously deleted
files could be accessed.
Using the Secure Data Erasure Service will
help you to improve hard drive efficiency, since
the hard drive is cleansed.
Provides Secure Overwriting of Files & Folders
and Entire Logical Drive
Destroys or erases multiple files and folders
through pre-defined task, acting like a Complete
Data/File Wiper.
Secure Data Erasure Services
Drive Erasure feature cleans entire logical
drives for safe disposal and reuse. Boot drive
cannot be wiped.
Completely Wipes Application Traces
Completely erases the information stored on
the system when an application is used,
maintaining the confidentiality of system
usage and of the files and applications
recently accessed.
Traces of Microsoft Applications, including MS
office, MS WordPad, Windows Media Player,
Imaging, MS Management Console and
NetMeeting can be completely wiped out.
Secure Data Erasure Services
Traces of file sharing applications are
erased to secure the system.
Traces of Email & News applications
such as Outlook Express are erased,
including the address book, sent mails,
deleted mails, Outlook Express news
rules etc.
Chat Messengers
Completely Wipe Internet Traces
Secure Data Erasure Services
Wipe temporary Internet files, which store the
content of Internet pages visited, providing
complete Internet privacy.
Delete cookies, which are small files stored
on the system for identification purposes.
Completely erase auto-fill information
entered by the user on auto-complete forms
(username, password and other personal
information) and previous search text from
search engine boxes.
Wipe History information, which stores
links to Internet sites recently visited.
Secure Data Erasure Services
Erase the list of all the frequently typed URLs.
Delete/Remove the pages added to the favorite
list.
Completely Wipe System Traces
Wipe the list of recently used documents.
Wipe Utility removes the list of programs
executed through the Run command.
Data moved to the recycle bin is permanently
erased beyond recovery.
Wipe Utility provides complete erasure of your
system traces by deleting temporary files created
by operating system and application programs.
E-Discovery
E-discovery namely Electronic discovery
refers to any process in which electronic
data is sought, located, secured, and
searched with the intent of using it as
evidence in a civil or criminal legal case.
E-discovery can be carried out offline on a
particular computer or it can be done in a
network.
Court-ordered or government sanctioned
hacking for the purpose of obtaining critical
evidence is also a type of e-discovery.
E-Discovery (contd.)
The nature of digital data makes it extremely
well-suited to investigation.
For one thing, digital data can be electronically
searched with ease, whereas paper documents
must be scrutinized manually.
Furthermore, digital data is difficult or impossible
to completely destroy, particularly if it gets into a
network.
This is because the data appears on multiple hard
drives and because digital files, even if deleted,
can be undeleted.
In fact, the only reliable way to destroy a
computer file is to physically destroy every hard
drive where the file has been stored.
E-Discovery (contd.)
In the process of electronic discovery, data of
all types can serve as evidence.
This can include text, images, calendar files,
databases, spreadsheets, audio files,
animation, Web sites and computer
programs.
Even malware such as viruses and Trojans
can be secured and investigated.
Email can be an especially valuable source of
evidence in civil or criminal litigation,
because people are often less careful in these
exchanges than in hard copy correspondence
such as written memos and postal letters.
E-Discovery (contd.)
It should be ensured that all messages, including emails,
blogs and meeting notes, as well as associated content and
data, are related to the business topics around which
intellectual work is done, decisions made, or information
reported.
These topics and their content can be further categorized
according to standard corporate records management
classifications.
This pre-contextualization of information is used to provide
discovery services where finding a specific piece of content
immediately translates into discovering all related emails,
meeting notes, and documents in an instant.
A further advancement is that a complete computer forensic
examination can also be carried out alongside the incident,
and corrective actions taken in accordance with the law of
the land.
Cyber Crime Investigation
Computer Fraud Investigations:
• Account data from online auctions
• Credit card data
• Accounting software and files
• Databases
• Address books
• Digital camera software
• Calendar
• Email, notes and letters
• Chat Logs
• Financial and asset records
• Customer information
Child Abuse and Pornography
Investigations
• Chat logs
• Images
• Digital camera software
• Internet activity logs
• Emails, notes and letters
• Movie files
• Games
• User created directory and file names
• Graphic editing and viewing software
which classify images
Network Intrusion Investigations
• Address books
• Internet protocol address & usernames
• Configuration files
• Internet relay chat logs
• Emails, notes and letters
• Source code
• Executable programs
• Text files and documents with
• Internet activity logs
• Usernames and passwords
Homicide Investigations
• Address books
• Telephone records
• Emails, notes and letters
• Diaries
• Financial asset records
• Maps
• Internet activity logs
• Photos of victim / suspect
• Legal documents and wills
• Trophy photos
• Medical records
Domestic Violence
Investigations
• Address books
• Financial asset records
• Diaries
• Telephone records
• Emails, notes and letters
Financial Fraud and
Counterfeiting Investigations
• Address books
• Financial asset records
• Calendar
• Images of signatures
• Currency images
• Internet activity logs
• Check and money order images
• Online banking software
• Customer information
• Counterfeit currency images
• Databases
• Bank logs
• Emails, notes and letters
• Credit card numbers
• False identification
E-Mail Threats, Harassment and
Stalking Investigations
• Address books
• Internet activity logs
• Diaries
• Legal documents
• Emails, notes and letters
• Telephone records
• Financial asset records
• Victim background research
• Images
• Maps to victim locations
Narcotics Investigations:
• Address books
• False ID
• Calendar
• Financial asset records
• Databases
• Internet activity logs
• Drug recipes
• Prescription form images
• Emails, notes and letters
Software Piracy Investigations
• Chat logs
• Software serial numbers
• Emails, notes and letters
• Software cracking utilities
• Image files of software certificates
• User created directories and file names
which classify copyrighted software
• Internet activity logs
Telecommunication Fraud
Investigations
• Cloning software
• Emails, notes and letters
• Customer database records
• Financial asset records
• Electronic serial numbers
• Internet activity logs
• Mobile identification numbers
E-mail Investigation
An email investigation is precisely
what the name implies: an
investigation into someone’s email,
to discover who is using it and where
that person is. What you can
discover via investigating an email
account can be boiled down to a few
categories.
Internet Profiling
Investigators who specialize in internet
profiling are able to use an online search
through myriad engines to attempt to uncover
any online activity that can be associated with
a specific email.
Social networking sites and online message
boards are another place an investigator will
typically check, and through all of these
combined, the investigator will begin to
develop a personality profile of the name
attached to the address.
Online Infidelity
Online infidelity investigation is a
specific investigation that takes an
email address and locates all the
online dating service memberships
associated with that email.
Identification
This type of investigation occurs
when a client provides an email
address and would like to have
identified the real name, address,
and/or phone number of the person
who is using the address.
These sorts of investigations usually
occur when a person has been
harassed or threatened online.
Locate
A location-based investigation is the
sort of investigation you want when
you already have a name to
associate with an email address but
require further information - usually,
an address to match the name to.
These are especially useful in
locating teenage runaways or non-
custodial parental kidnappings.
Online Risk Assessment
A bit of a reversal from everything
mentioned above, assessment of online
risk occurs when a client wants to
protect their own cyber-safety and
seeks protection against, say, identity
theft. Thus, you allow a private
investigator to do a web search and see
what they are able to discover about
you. The results can often be shocking!
Conclusion
These are simply a few of the more
common types of online investigations,
and as you can appreciate, there is a great
breadth of information that can be sought
out even if all that is provided is an email
address!
In many instances, an individual feels
threatened because the email they
received was an anonymous one from
Yahoo!, Gmail, Hotmail, etc.
“Always bear in mind that anything online
can be traced and an email address can
lead to its owner.”