
ABSTRACT

Computer forensics is simply the application of disciplined investigative techniques in the automated environment and the search, discovery, and analysis of potential evidence. It is the method used to investigate and analyze data maintained on or retrieved from electronic data storage media for the purposes of presentation in a court of law or in a civil or administrative proceeding. Evidence may be sought in a wide range of computer crime or misuse cases.

Computer forensics is rapidly becoming a science recognized on a par with other forensic
sciences by the legal and law enforcement communities. As this trend continues, it will
become even more important to handle and examine computer evidence properly. Not
every department or organization has the resources to have trained computer forensic
specialists on staff.

Acknowledgement
The confidence one attains while performing a task that has great importance of its own
comes not only through one’s own constant efforts but rather is a result of ceaseless
cooperation, constant guidance and ever motivating tips of various experienced people.
An undertaking of study like this is never an outcome of efforts put in by a single person;
rather it bears imprint of number of persons who directly or indirectly helped me in
completing the study.
At the outset I would like to extend my sincere gratitude to Dr. D.V.Gupta, Director of ACME, and Mr. Jatin Verma, Head of Department (CSE/IT), for providing the opportunity to carry out the research and for providing guidance during the preparation of the report whenever needed.
I would like to thank Mrs. Shabnam, seminar coordinator, for providing the basic knowledge on the topic and the methodology to be used for preparing the report.
I would also like to thank the faculty members of my institute with whom I had fruitful interactions. I would especially like to thank Mr. Gulshan, who gave me immense help and technical guidance during the seminar preparation.

(SAVITA)

Introduction

Computer forensics is simply the application of disciplined investigative techniques in the automated environment and the search, discovery, and analysis of potential evidence. It is the method used to investigate and analyze data maintained on or retrieved from electronic data storage media for the purposes of presentation in a court of law or in a civil or administrative proceeding. Evidence may be sought in a wide range of computer crime or misuse cases.

Computer forensics is rapidly becoming a science recognized on a par with other forensic sciences by the legal and law enforcement communities. As this trend continues, it will become even more important to handle and examine computer evidence properly. Not every department or organization has the resources to have trained computer forensic specialists on staff.

Computer evidence has become a 'fact of life' for essentially all law enforcement agencies, and many are just beginning to explore their options in dealing with this new venue. Almost overnight, personal computers have changed the way the world does business. They have also changed the world's view of evidence, because computers are used more and more as tools in the commission of 'traditional' crimes. Evidence relating to embezzlement, theft, extortion and even murder has been discovered on personal computers. This new technological twist in crime patterns has brought computer evidence to the forefront in law enforcement circles.
Forensic science has been defined as “any science used for the purposes of the law...
[Providing] impartial scientific evidence for use in the courts of law, and in a criminal
investigation and trial”.
According to Marcus Ranum, “Network forensics is the capture, recording, and analysis of
network events in order to discover the source of security attacks or other problem incidents”.
We expand on these definitions to define computer forensics as:
“Computer forensics involves the preservation, identification, extraction, documentation,
and interpretation of computer media for evidentiary and/or root cause analysis.” These
activities are undertaken in the course of a computer forensic investigation of a perceived or
actual attack on computer resources. Evidence might be required for a wide range of
computer crimes and misuses.

Computer forensics provides multiple methods of:
• Discovering data on a computer system.
• Recovering deleted, encrypted, or damaged file information.
• Monitoring live activity.
• Detecting violations of corporate policy.

Information collected assists in arrests, prosecution, termination of employment, and preventing future illegal activity.

What Constitutes Digital Evidence?
• Any information, whether or not it has been subject to human intervention, that can be extracted from a computer.
• Must be in human-readable format or capable of being interpreted by a person with expertise in the subject.

Computer Forensics Examples
• Recovering thousands of deleted emails.
• Performing an investigation after employment termination.
• Recovering evidence after a hard drive has been formatted.
• Performing an investigation after multiple users have taken over the system.

History of Computer Forensics
• Michael Anderson, a special agent with the IRS, is regarded as the "father of computer forensics".
• A meeting in 1988 (Portland, Oregon) led to the creation of IACIS, the International Association of Computer Investigative Specialists.
• The first Seized Computer Evidence Recovery Specialists (SCERS) classes were held.

Steps of Computer Forensics

Computer forensics is a four (4) step process.

Acquisition
Physically or remotely obtaining possession of the computer, all network mappings from the system, and external physical storage devices.
Identification
This step involves identifying what data could be recovered and electronically retrieving it by running various computer forensic tools and software suites.
Evaluation
Evaluating the information/data recovered to determine if and how it could be used against the suspect for employment termination or prosecution in court.
Presentation
This step involves the presentation of the evidence discovered in a manner which is understood by lawyers and non-technical staff/management, and which is suitable as evidence as determined by United States and internal laws.

Figure: Computer forensics process
Why is Computer Forensics Important?

Adding the ability to practice sound computer forensics will help you ensure the overall
integrity and survivability of your network infrastructure. You can help your organization
if you consider computer forensics as a new basic element in what is known as a
“defense-in-depth”1 approach to network and computer security. For instance,
understanding the legal and technical aspects of computer forensics will help you capture
vital information if your network is compromised and will help you prosecute the case if
the intruder is caught.
1 "Defense in depth is designed on the principle that multiple layers of different types of protection from different vendors provide substantially better protection" <http://netsecurity.about.com/cs/generalsecurity/a/aa112103.htm>.
Source: produced 2008 by US-CERT, a government organization. Updated 2008.
What happens if you ignore computer forensics or practice it badly? You risk destroying
vital evidence or having forensic evidence ruled inadmissible in a court of law. Also, you
or your organization may run afoul of new laws that mandate regulatory compliance and
assign liability if certain types of data are not adequately protected. Recent legislation
makes it possible to hold organizations liable in civil or criminal court if they fail to
protect customer data.2
Computer forensics is also important because it can save your organization money. Many
managers are allocating a greater portion of their information technology budgets for
computer and network security. International Data Corporation (IDC) reported that the
market for intrusion-detection and vulnerability-assessment software will reach 1.45
billion dollars in 2006. In increasing numbers, organizations are deploying network
security devices such as intrusion detection systems (IDS), firewalls, proxies, and the
like, which all report on the security status of networks.
From a technical standpoint, the main goal of computer forensics is to identify, collect,
preserve, and analyze data in a way that preserves the integrity of the evidence collected
so it can be used effectively in a legal case.
What are some typical aspects of a computer forensics investigation? First, those who investigate computers have to understand the kind of potential evidence they are looking for in order to structure their search.3 Crimes involving a computer can range across the spectrum of criminal activity, from child pornography to theft of personal data to destruction of intellectual property. Second, the investigator must pick the appropriate tools to use. Files may have been deleted, damaged, or encrypted, and the investigator must be familiar with an array of methods and software to prevent further damage in the recovery process.
Two basic types of data are collected in computer forensics. Persistent data is data that is stored on a local hard drive (or another medium) and is preserved when the computer is turned off. Volatile data is any data that is held in memory or exists in transit and that will be lost when the computer loses power or is turned off. Volatile data resides in CPU registers, caches, and random access memory (RAM), and includes running processes, open network connections and logged-on users. Since volatile data is ephemeral, it is essential that an investigator knows reliable ways to capture it, and captures it before the system is powered down.
System administrators and security personnel must also have a basic understanding of how routine computer and network administrative tasks can affect both the forensic process (the potential admissibility of evidence in court) and the subsequent ability to recover data that may be critical to the identification and analysis of a security incident.
Reasons for Evidence
Evidence is sought in a wide range of computer crimes and misuses.

Non-Business Environment: evidence collected by Federal, State and local authorities for crimes relating to:
• Theft of trade secrets
• Fraud
• Extortion
• SPAM investigations
• Virus/Trojan distribution
• Homicide investigations
• Intellectual property breaches
• Unauthorized use of personal information
• Forgery

Business Environment: computer-related crime and policy violations include a range of activities, including:
• Theft or destruction of intellectual property
• Unauthorized activity
• Tracking internet browsing habits
• Reconstructing events
• Inferring intentions
• Selling company bandwidth
• Software piracy

Users of Computer Forensics
Criminal prosecutors
– Rely on evidence obtained from a computer to prosecute suspects.
Civil litigants
– Personal and business data discovered on a computer can be used in fraud, divorce, harassment, or discrimination cases.
Insurance companies
– Evidence discovered on a computer can be used to mitigate costs, for example by contesting a fraudulent claim.
Private corporations
– Evidence obtained from employee computers can be used in harassment, fraud, and embezzlement cases.
Law enforcement officials
– Rely on computer forensics to back up search warrants and for post-seizure handling.
Individual/private citizens
– Obtain the services of professional computer forensic specialists to support claims of harassment, abuse, or wrongful termination from employment.

Handling Evidence
Admissibility of evidence
– Legal rules which determine whether potential evidence can be considered by a court.
– Evidence must be obtained in a manner which ensures its authenticity and validity and that no tampering has taken place.

The examination must also ensure that:
– No possible evidence is damaged, destroyed, or otherwise compromised by the procedures used to search the computer.
– No viruses are introduced to a computer during the analysis process.
– Extracted/relevant evidence is properly handled and protected from later mechanical or electromagnetic damage.
– A continuing chain of custody is established and maintained.
– The amount of time business operations are affected is limited.
– Any ethically and legally privileged attorney-client information that is inadvertently acquired during a forensic examination is respected and not divulged.

Handling Information

Information and data being sought and collected in the investigation must be properly handled.

Volatile information
• Network information: communication between the system and the network.
• Active processes: programs and daemons currently active on the system.
• Logged-on users: users/employees currently using the system.
• Open files: libraries in use; hidden files; Trojans (rootkits) loaded in the system.

Non-volatile information
• This includes information, configuration settings, system files and registry settings that remain available after a reboot.
• Accessed through drive mappings from the system.
• This information should be investigated and reviewed from a backup (forensic) copy, never from the original media.

Evidence Processing Guidelines

Following are the 16 recommended steps in processing evidence.

Step 1: Shut down the computer
– Consideration must be given to volatile information, which is lost at shutdown and must be captured first if it is needed.
– Shutting down prevents remote access to the machine and destruction of evidence (manual or by anti-forensic software).

Step 2: Document the Hardware Configuration of the System
– Note everything about the computer configuration prior to relocating it.

Step 3: Transport the Computer System to a Secure Location
– Do not leave the computer unattended unless it is locked in a secure location.

Step 4: Make Bit Stream Backups of Hard Disks and Floppy Disks
– All examination is done on the copies; the original media are preserved untouched.
Step 5: Mathematically Authenticate Data on All Storage Devices
– Must be able to prove that you did not alter any of the evidence after the computer came into your possession, for example by hashing the original and the image and recording the values.
Step 6: Document the System Date and Time.
Step 7: Make a List of Key Search Words.
Step 8: Evaluate the Windows Swap File.
Step 9: Evaluate File Slack
– File slack is a data storage area of which most computer users are unaware; it is a source of significant security leakage.
Step 10: Evaluate Unallocated Space (Erased Files).
Step 11: Search Files, File Slack and Unallocated Space for Key Words.
Step 12: Document File Names, Dates and Times.
Step 13: Identify File, Program and Storage Anomalies.
Step 14: Evaluate Program Functionality.
Step 15: Document Your Findings.
Step 16: Retain Copies of Software Used.

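Steps 4 and 5 in practice, as an added example (this is not code from the report or from any of the tools it names): a small Python script images a constructed "device" file sector by sector, hashes the source and the image while copying, appends an acquisition record, and re-verifies the image later. The file names, the 512-byte copy granularity and the JSON log format are this example's own assumptions.

```python
"""Bit-stream imaging with in-line hashing and later re-verification.

Added example, not from the original report and not NTI/SafeBack code.
An ordinary file stands in for the evidence device; it is copied in
sector-sized reads, both source and image are hashed as the copy is
made, and the digest is logged so the image can be re-verified later
(what Step 5 calls mathematical authentication).  The function names
and the log layout are this example's own.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

SECTOR = 512  # copy granularity; real imagers read whole sectors too


def make_image(device_path, image_path, log_path):
    """Copy device_path to image_path sector by sector.

    Returns the SHA-256 of the source as read.  The image is hashed
    independently while writing; a mismatch means the copy is not a
    faithful bit stream and must be discarded.
    """
    src_hash = hashlib.sha256()
    img_hash = hashlib.sha256()
    nbytes = 0
    with open(device_path, "rb") as src, open(image_path, "wb") as img:
        while True:
            chunk = src.read(SECTOR)
            if not chunk:
                break
            src_hash.update(chunk)
            img.write(chunk)
            img_hash.update(chunk)  # hash exactly what was written
            nbytes += len(chunk)
    if src_hash.hexdigest() != img_hash.hexdigest():
        raise RuntimeError("image does not match source")
    record = {
        "source": os.path.basename(device_path),
        "image": os.path.basename(image_path),
        "bytes": nbytes,
        "sha256": src_hash.hexdigest(),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
    }
    with open(log_path, "a") as log:  # append-only acquisition log
        log.write(json.dumps(record) + "\n")
    return record["sha256"]


def verify_image(image_path, expected_sha256):
    """Re-hash the image; True only if every byte is unchanged."""
    h = hashlib.sha256()
    with open(image_path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest() == expected_sha256


def demo():
    """Image a constructed device, verify it, then show tampering is caught."""
    work = tempfile.mkdtemp()
    device = os.path.join(work, "device.bin")
    image = os.path.join(work, "device.dd")
    log = os.path.join(work, "custody.log")
    # constructed evidence: six full sectors plus a partial one, with a
    # recognisable string in the middle so the copy can be eyeballed
    data = bytearray(os.urandom(SECTOR * 6 + 100))
    data[SECTOR * 2:SECTOR * 2 + 14] = b"CONFIDENTIAL--"
    with open(device, "wb") as f:
        f.write(data)
    digest = make_image(device, image, log)
    ok_before = verify_image(image, digest)
    # flip one bit in the image: re-verification must now fail
    with open(image, "r+b") as f:
        f.seek(SECTOR * 3)
        b = f.read(1)
        f.seek(SECTOR * 3)
        f.write(bytes([b[0] ^ 0x01]))
    ok_after = verify_image(image, digest)
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # (True, False)
```

A real acquisition adds a hardware write blocker and hashes the original device again after imaging; the principle is the same: a recorded digest that anyone can recompute is what proves the copy was not altered while in your custody.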
Methods of Hiding Data

To human eyes, data usually comes in known forms, like images, e-mail, sounds, and text. Most Internet data also naturally includes headers that carry no visible content. Both are media that can be exploited by two logical encodings: steganography and watermarking (marking).

Steganography: the art of storing information in such a way that the existence of the information is hidden.

Watermarking: embedding data within data, usually to mark the origin or ownership of the carrier; unlike steganography, the existence of the mark need not be secret.

Information can be hidden in almost any file format. File formats with redundant or noisy content, where small changes are not noticeable, are the best carriers:
– Image files (JPEG, GIF)
– Sound files (MP3, WAV)
– Video files (MPG, AVI)

The hidden information may be encrypted, but not necessarily.

Numerous software applications will do this for you; many are freely available online.
Hard drive/file system manipulation
Slack space is the space between the logical end and the physical end of a file and is called file slack. The logical end of a file comes before the physical end of the cluster in which it is stored. The remaining bytes in the cluster are remnants of previous files or directories stored in that cluster.
– Slack space can be accessed and written to directly using a hex editor.
– This does not add any "used space" information to the drive.

Hidden drive space is non-partitioned space in between partitions. The partition table is modified to remove any reference to the non-partitioned space (the File Allocation Table only describes clusters inside a partition, so it never references this area).
o The addresses of the sectors must be known in order to read/write information to them.

Bad sectors occur when the OS attempts to read information from a sector unsuccessfully. After a (specified) number of unsuccessful tries, it copies (if possible) the information to another sector and marks (flags) the sector as bad so it is not read from/written to again.
– Users can control the flagging of bad sectors (on older file systems the flag was simply a mark in the allocation table; modern drives remap failing sectors in firmware, which is harder to abuse this way).
– Flagged sectors can be read from/written to with direct reads and writes using a hex editor.

Extra tracks: most hard disks have more than the rated number of tracks to make up for flaws in manufacturing (so that a disk is not discarded for failing to meet the minimum count).
– Usually not required or used, but with direct (hex editor) reads and writes they can be used to hide/read data.

Change file names and extensions, i.e. rename a .doc file to a .dll file.

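Step 13 and the renamed-extension trick above, as an added example rather than code from the report: a Python checker compares a file's extension with the magic number at the start of its content. The signature table lists well-known formats; the sample files are constructed in memory and stand in for files pulled from an image.

```python
"""Flag files whose extension disagrees with their content.

Added example, not code from the original report.  The signature table
holds well-known leading bytes (magic numbers); the sample files below
are constructed in memory.  A Word document renamed to .dll, or an
executable renamed to .pdf, shows up as a mismatch whatever its name.
"""
import os

# (magic bytes, offset, type name, extensions that legitimately use it)
SIGNATURES = [
    (b"MZ", 0, "PE executable", {"exe", "dll", "sys", "scr"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", 0, "OLE2 compound file", {"doc", "xls", "ppt", "msg"}),
    (b"PK\x03\x04", 0, "ZIP archive", {"zip", "docx", "xlsx", "pptx", "jar", "apk"}),
    (b"\xff\xd8\xff", 0, "JPEG image", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", 0, "PNG image", {"png"}),
    (b"GIF87a", 0, "GIF image", {"gif"}),
    (b"GIF89a", 0, "GIF image", {"gif"}),
    (b"%PDF-", 0, "PDF document", {"pdf"}),
    (b"\x7fELF", 0, "ELF executable", {"", "so", "o"}),
    (b"RIFF", 0, "RIFF container (WAV/AVI)", {"wav", "avi"}),
]


def identify(data):
    """Return (type name, allowed extensions) for data, or None if unknown."""
    for magic, offset, name, exts in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return name, exts
    return None


def check_file(name, data):
    """Classify one file as 'ok', 'mismatch' or 'unknown'.

    Returns (verdict, detected type).  Unknown is not a mismatch: plain
    text, for instance, has no magic number to compare against.
    """
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    found = identify(data)
    if found is None:
        return "unknown", None
    kind, exts = found
    return ("ok" if ext in exts else "mismatch"), kind


def scan(files):
    """files: dict name -> bytes.  Returns the names that look renamed."""
    return sorted(n for n, d in files.items() if check_file(n, d)[0] == "mismatch")


# Constructed samples: only the leading bytes matter for this check.
SAMPLE_FILES = {
    "report.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64,
    "budget.dll": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64,  # .doc renamed to .dll
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
    "notes.txt": b"meeting at noon\n",                                 # no magic: unknown
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,                       # executable posing as PDF
    "archive.docx": b"PK\x03\x04" + b"\x00" * 32,
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(name, check_file(name, data))
    print("suspicious:", scan(SAMPLE_FILES))  # ['budget.dll', 'invoice.pdf']
```

The check is one-directional: a matching magic number does not prove a file is benign (a real ZIP can still carry malware), but a mismatch is always worth a closer look, and running it over every file in an image is cheap.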
Methods of Detecting/Recovering Data

• Steganalysis - the art of detecting and decoding hidden data.
– Hiding information within electronic media requires alterations of the media properties that may introduce some form of degradation or unusual characteristics.
– The pattern of degradation or the unusual characteristic of a specific type of steganography method is called a signature.
– Steganalysis software can be trained to look for a signature.

Steganalysis Methods - Detection

– Human observation
• Opening a text document in a common word processor may show appended spaces and "invisible" characters.
• Images and sound/video clips can be viewed or listened to and distortions may be found.
• Generally, this only works if the amount of data hidden inside the media is too large to be successfully hidden within the media (the 15% rule).

– Software analysis
• Even small amounts of processing can filter out echoes and shadow noise within an audio file to search for hidden information.
• If the original media file is available, hash values can easily detect modifications.
– Disk analysis utilities can search the hard drive for hidden tracks/sectors/data.
– RAM slack is the space from the end of the file to the end of the containing sector. Before a sector is written to disk, it is stored in a buffer somewhere in RAM. If the buffer is only partially filled with information before being committed to disk, remnants from the end of the buffer will be written to disk. In this way, information that was never "saved" can be found in RAM slack on disk. (This was the behaviour of DOS and Windows 9x; Windows NT and later zero-fill the sector tail, although the remaining sectors of the cluster, the file slack proper, still hold old data.)
– Firewall/routing filters can be applied to search for hidden or invalid data in IP datagram headers.

– Statistical analysis
• Most steganographic algorithms that work on images assume that the least significant bit (LSB) is random.
• If a filter that isolates the LSB plane is applied to an unmodified image, the LSB bits produce a recognizable image, so the assumption is wrong.
• After hidden information is inserted into an image, the LSB plane becomes random (especially with encrypted data). If you apply the same filter, it will no longer produce a recognizable image.
• Statistical analysis of the LSB will tell you whether the LSB bits are random or not.
• Can be applied to audio files as well (using the LSB).

– Frequency scanning
• Software can search for high, inaudible frequencies.
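
The LSB argument above, as an added example (not code from the report or from any steganalysis product): Python embeds a payload in the least significant bits of a constructed grayscale image and then measures how often the LSB changes between horizontally adjacent pixels. In a smooth cover the LSB plane is mostly runs of equal bits; after a full embedding of random-looking (encrypted) data it flips about half the time. The image, the payload and the 0.4 threshold are this example's own assumptions.

```python
"""LSB embedding in a constructed grayscale image, and a detector that
measures whether the LSB plane still correlates with its neighbours.

Added example, not from the report.  No image library is used: the
'image' is a flat list of 8-bit pixel values, WIDTH x HEIGHT, built here.
"""
import random

WIDTH, HEIGHT = 64, 64


def make_cover(seed=1):
    """Smooth diagonal gradient plus sparse sensor-like noise (constructed).

    Neighbouring pixels are almost always equal, so the LSB plane is
    long runs of the same bit: structured, not random.
    """
    rng = random.Random(seed)
    pixels = []
    for y in range(HEIGHT):
        for x in range(WIDTH):
            v = min(255, (x + y) * 2)          # even base value
            if rng.random() < 0.1:
                v = min(255, v + 1)            # occasional +1 noise
            pixels.append(v)
    return pixels


def to_bits(data):
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def from_bits(bits):
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        out.append(int("".join(map(str, bits[i:i + 8])), 2))
    return bytes(out)


def embed(pixels, payload):
    """Overwrite the LSB of the first len(payload)*8 pixels."""
    bits = to_bits(payload)
    if len(bits) > len(pixels):
        raise ValueError("payload larger than LSB capacity")
    stego = list(pixels)
    for i, b in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | b
    return stego


def extract(pixels, nbytes):
    return from_bits([p & 1 for p in pixels[:nbytes * 8]])


def lsb_transition_rate(pixels, width=WIDTH):
    """Fraction of horizontally adjacent pixel pairs whose LSBs differ.

    Random bits give about 0.5; a smooth cover gives far less.
    """
    diffs = total = 0
    for row in range(0, len(pixels), width):
        line = pixels[row:row + width]
        for a, b in zip(line, line[1:]):
            diffs += (a & 1) != (b & 1)
            total += 1
    return diffs / total


def looks_like_lsb_stego(pixels, threshold=0.4):
    return lsb_transition_rate(pixels) > threshold


def demo(seed=7):
    cover = make_cover()
    rng = random.Random(seed)
    # 512 bytes fill every LSB of the 64x64 image; encrypted or compressed
    # payloads look like this: uniformly random bits
    payload = bytes(rng.getrandbits(8) for _ in range(WIDTH * HEIGHT // 8))
    stego = embed(cover, payload)
    return {
        "cover_rate": lsb_transition_rate(cover),
        "stego_rate": lsb_transition_rate(stego),
        "recovered": extract(stego, len(payload)) == payload,
        "cover_flagged": looks_like_lsb_stego(cover),
        "stego_flagged": looks_like_lsb_stego(stego),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The detector is deliberately naive: it is blind to a small payload tucked into one corner of a large, noisy photograph, which is why production tools use histogram tests such as the chi-square attack on pairs of values and RS analysis. It does show the mechanism the section describes, namely that embedding destroys the correlation the LSB plane inherits from the picture.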

Steganalysis Methods - Recovery
– Recovery of watermarked data is extremely hard.
• Currently, there are very few methods to recover hidden, encrypted data.
– Data hidden on disk is much easier to find. Once found, if unencrypted, it is already recovered.
– Deleted data can be reconstructed as long as the sectors holding it have not been overwritten; data that has been properly overwritten or degaussed is not recoverable in practice.
– Check swap files for passwords and encryption keys, which may be paged to disk in the clear (unencrypted).
– Software tools
• Scan for and reconstruct deleted data.
• Break or bypass encryption (for example with passwords or keys recovered from swap files).

Example:
GetFree - Forensic Data Capture Tool. When files are 'deleted' in DOS, Windows, Windows 95 and Windows 98, the data associated with the file is not actually eliminated. The space is simply reassigned to unallocated storage, where it may eventually be overwritten by the creation of new files over time. GetFree captures this unallocated space; such data can provide the computer forensics investigator with valuable leads and evidence.
GetSlack - Forensic Data Capture Utility. This software is used to capture all of the file slack contained on a logical hard disk drive or floppy diskette on a DOS, Windows, Windows 95 and/or Windows 98 computer system. The resulting output from GetSlack can be analyzed with standard computer utilities or with special NTI tools, e.g., Filter_I and Net Threat Analyzer software.
Forensic Graphics File Extractor - NTI's Forensic Graphics Image File Extractor is a computer forensics software tool which was designed to automatically extract exact copies of graphics file images from ambient data sources and from SafeBack bit stream image backup files. The latter process has the potential of quickly identifying all graphics file images stored on a computer's hard disk drive. The resulting output image files can be quickly evaluated using a graphics file viewer.
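
What GetFree, GetSlack and the graphics extractor do, reduced to a toy in-memory volume as an added example (this is not NTI code and not code from the report; it also illustrates file slack from the hiding-methods section and Steps 9 to 11 of the processing guidelines): a 16-cluster "disk" with a first-fit allocator. A file is written, deleted and partly overwritten; the slack of the new file still holds part of the old one, the unallocated clusters still hold a deleted JPEG, and the keyword search and signature carving routines recover both. Cluster size, allocator and sample files are constructed assumptions.

```python
"""Toy cluster-based volume showing file slack, unallocated space,
keyword search and signature carving.

Added example; not code from the report or from NTI's GetSlack, GetFree
or Graphics File Extractor, which it imitates in miniature.  Cluster
size, the first-fit allocator and the sample files are all constructed.
"""
CLUSTER = 512
CLUSTERS = 16


class ToyVolume:
    def __init__(self):
        self.disk = bytearray(CLUSTER * CLUSTERS)
        self.owner = [None] * CLUSTERS   # cluster -> file name, None = free
        self.files = {}                  # name -> (cluster list, logical size)

    def write_file(self, name, data):
        need = max(1, -(-len(data) // CLUSTER))          # ceil division
        free = [i for i, o in enumerate(self.owner) if o is None][:need]
        if len(free) < need:
            raise OSError("volume full")
        for n, c in enumerate(free):
            part = data[n * CLUSTER:(n + 1) * CLUSTER]
            # only the logical bytes are written; whatever the tail of the
            # last cluster held before stays on disk -> file slack
            self.disk[c * CLUSTER:c * CLUSTER + len(part)] = part
            self.owner[c] = name
        self.files[name] = (free, len(data))

    def delete_file(self, name):
        clusters, _ = self.files.pop(name)
        for c in clusters:
            self.owner[c] = None        # allocation dropped, data left in place

    def read_file(self, name):
        clusters, size = self.files[name]
        raw = b"".join(bytes(self.disk[c * CLUSTER:(c + 1) * CLUSTER]) for c in clusters)
        return raw[:size]

    def slack_of(self, name):
        """Bytes between logical EOF and the end of the file's last cluster."""
        clusters, size = self.files[name]
        last = clusters[-1]
        used = size - (len(clusters) - 1) * CLUSTER
        return bytes(self.disk[last * CLUSTER + used:(last + 1) * CLUSTER])

    def unallocated(self):
        return b"".join(bytes(self.disk[c * CLUSTER:(c + 1) * CLUSTER])
                        for c, o in enumerate(self.owner) if o is None)

    def keyword_search(self, keyword):
        """Step 11: look in live files, their slack, and unallocated space."""
        hits = []
        areas = []
        for name in self.files:
            areas.append((f"file:{name}", self.read_file(name)))
            areas.append((f"slack:{name}", self.slack_of(name)))
        areas.append(("unallocated", self.unallocated()))
        for where, blob in areas:
            pos = blob.find(keyword)
            while pos != -1:
                hits.append((where, pos))
                pos = blob.find(keyword, pos + 1)
        return hits

    def carve_jpeg(self):
        """Pull JPEG-looking runs (FF D8 FF ... FF D9) out of unallocated space."""
        blob = self.unallocated()
        out, start = [], blob.find(b"\xff\xd8\xff")
        while start != -1:
            end = blob.find(b"\xff\xd9", start + 3)
            if end == -1:
                break
            out.append(blob[start:end + 2])
            start = blob.find(b"\xff\xd8\xff", end + 2)
        return out


# Constructed sample files
SECRET = b"X" * 250 + b"bonus approved for J. Doe" + b"X" * 825     # 1100 bytes, 3 clusters
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 688 + b"\xff\xd9"  # 700 bytes, JPEG-like
MEMO = b"Nothing to see here. " * 9 + b"end\n"                       # 193 bytes, 1 cluster


def build_scenario():
    vol = ToyVolume()
    vol.write_file("secret.txt", SECRET)   # clusters 0-2
    vol.write_file("photo.jpg", JPEG)      # clusters 3-4
    vol.delete_file("secret.txt")
    vol.delete_file("photo.jpg")
    vol.write_file("memo.txt", MEMO)       # reuses cluster 0, overwrites only 193 bytes
    return vol


if __name__ == "__main__":
    v = build_scenario()
    print(v.keyword_search(b"bonus"))      # [('slack:memo.txt', 57)]
    print(len(v.carve_jpeg()), "JPEG(s) carved from unallocated space")
```

The keyword is found only in the slack of memo.txt, a file that never contained it, and the photograph comes back intact although no directory entry points at it any more. A real carver must also cope with fragmented files and with false end markers inside embedded thumbnails; the toy ignores both.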
Disk Scrub - Hard Drive Data Elimination Software. It is becoming standard practice in corporations, government agencies, law firms and accounting firms to reassign computers and to donate older computers to charity. Millions of personal computers have been put to use since 1981, when the IBM Personal Computer came into existence. Many of the older personal computers have been reassigned or donated to charity, and many more will fall into this category in the future. However, data security is often ignored when computers change hands. You must be aware that personal computers were never designed with security in mind: for the reasons given under GetFree above, potentially anything that transpired on a used computer still exists on its disk. Multiply that by the number of computers your organization will reassign or surplus this year, and you get the point. Computers should be reassigned and donated to charity, but the contents of the hard disk drives should not be ignored. With computer technology changing almost daily, corporations and government agencies have to stay current while still making the best use of aging computer resources. Advancements in hard disk drive storage capacities, operating systems and software applications cause corporations to buy or lease new computers every year.
But what is done with the old computers? What is done about the sensitive data still existing, essentially "stored", on these computers when they are sold, transferred or donated? That is a serious problem, and NTI's Disk Scrub software was specifically designed to deal with these risks, for corporations, government agencies, hospitals, financial institutions, law firms and accounting firms.

Advantages of Computer Forensics
It has the ability to search through a massive amount of data:
• Quickly
• Easily
• Thoroughly
• In any language

Disadvantages of Computer Forensics
• For digital evidence to be accepted into court:
– It must be proved that there has been no tampering.
– All evidence must be fully accounted for.
– Computer forensic specialists must have complete knowledge of legal requirements, evidence handling and storage, and documentation procedures.
• Costs: producing electronic records and preserving them is extremely costly.
• Presents the potential for exposing privileged documents.
• Legal practitioners must have extensive computer knowledge.

Conclusion

Practical investigations tend to rely on multiple streams of evidence which corroborate each other: each stream may have its weaknesses, but taken together they may point to a single conclusion. Disk forensics may remain for some time the single most important form of digital evidence. The increasing number of computer crimes means increasing demand for computer forensics services. In a computer forensics investigation, choosing the right disk imaging tool is very important. There is no standard for computer forensic imaging methodology or tools. This paper only provides guidance and suggestions regarding imaging tools; it should not be construed as a mandatory requirement.
Today, everyone is exposed to potential attacks and has a responsibility to their network neighbors to minimize their own vulnerabilities in an effort to provide a more secure and stable network. As the enormity of the problem unfolds, we will better comprehend how vital it is to work towards dramatic changes in research, prevention, detection and reporting, and computer crime investigation. Security can no longer be thought of as an impediment to accomplishing the mission, but rather as a basic requirement that is properly resourced.
Our focus has been to implement the newest and most advanced technology, but little has prepared us for the gaping security holes we've neglected to mend along the way. From the ranks of management to every employee who works behind each terminal, the policies that protect and mitigate risks must be current, understood, and aggressively enforced. Reporting must be standard operating procedure so that everyone can realize the total impact and define what is required for a secure cyber environment. The responsibility belongs to everyone, and it is with that effort that we will be able to harness the security of this new technological age. An enormous challenge lies before us and we must attack it with the same enthusiasm and determination that brought us to this new frontier.
