

Introduction to Computer Forensics

Introduction to Computer Forensics and Related

Ana Karen Moreno Serrano
Eydi Villanueva Arroyo

Instituto Tecnológico de Tuxtepec
Tutor: Ing. Meztli Valeriano Orozco
May 26, 2014


The value that information has gained in recent years makes it increasingly important to the growth of companies; from the need to protect that information, computer forensics gains importance and ever more significance. It is therefore essential to know what computer forensics is, how it can be used, what it consists of and what its purpose is, with emphasis on the procedures to follow in a forensic analysis and the minimum legal requirements needed so as never to infringe the rights of third persons that may be


• Forensic
• Forensic analysis
• The infringement systems
• Forensic methodology
• Forensic experts


In 1984 a program named Magnetic Media (CART) was created under special agent Michael Anderson, who is considered the father of computer forensics for his acclaimed work for the FBI and the Criminal Investigation Division. Michael Anderson later founded one of the most important forensic firms, known as New Technologies. Over the years the International Organization on Computer Evidence (1990) was established. It was thanks to all these advances that computer forensics began to play an important role in law enforcement. Computer forensics has continued to develop and has reached its peak in the computer world, but the truth is that there is not much reliable information to enable users to understand what it means, its events, techniques and the promising future of this discipline. Accordingly, this article seeks to provide an overview of the technical and legal expertise involved, to enlighten readers on the general principles and legal bases for the development of projects focused on computer forensics.

Chapter 1. Computer Crimes

Computer crime is typical and atypical, the first meaning "the typical, anti-juridical and culpable behaviors that have computers as an instrument or end" and the second "illicit attitudes that have computers as a tool or end". (Tellez Valdéz, 2002)
Computer crime is any criminal wrongdoing in which computers, techniques and functions play a role either as a method, means or end. (Lima, 2006)

Dr. Julio Tellez Valdez, researcher at the Institute for Legal Research of the UNAM, classifies cybercrime according to two criteria: the computer as an instrument or medium, and the computer as an end or target.

Figure 1.2.1 Classification of cybercrime according to the author Julio Tellez Valdez (computers as instrument or medium; computers as end or target)

As an instrument or medium: criminal conduct that uses computers as the method, means or symbol for committing an unlawful act, such as the digital falsification of documents, the alteration of accounting records, and the interception of data communication or teleprocessing lines.

As an end or target: criminal conduct directed against the computer or its programs as physical entities, such as instructions that produce a partial or complete blockage of the system, the destruction of programs by any method, and physical attacks on the computer, its accessories or its media.

Chapter 2. Forensic Computer Science

Computer forensics is a set of investigation techniques that identify a variety of clues when analyzing certain elements of security incidents, and from which the procedure that was followed can be reconstructed. (Rivas López, 2009)
According to the group Juristas Forenses y Asociados, computer forensics, digital forensics and digital forensic examination are synonymous and are defined as the application of specialized scientific and analytical techniques to technological infrastructure in order to identify, preserve, analyze and present data that are valid in a legal process. (Juristas Forenses y Asociados, 2012)

The importance of computer forensics is that it is a discipline that uses computer techniques to reconstruct what happened, examine residual data, authenticate data, and explain the technical characteristics of the use applied to data and information assets.

The challenge of computer forensics is that, through the use of technology, it must extract data from devices while maintaining the integrity of the data and of its processing.

The aims of this discipline are numerous, but in general computer forensics allows a company to be offered services that pursue preventive objectives, anticipating potential problems, or corrective objectives, reaching a favorable resolution once infringements and violations have occurred.


Chapter 3. Forensic Analysis

Forensic analysis of a computer system is a modern science that allows us to reconstruct what has happened in a system after a security incident. This analysis can determine who, from where, how, when and which actions an intruder has carried out in the systems affected by a security incident. (Rivas López, 2009)

• Chain of Custody: refers to the responsibility of the person handling the evidence to ensure that the items are recorded and accounted for during the time they are held and are protected, keeping track of the names of the persons who handled the evidence or items, together with the elapsed time and the dates of delivery and receipt.
• Forensic Image: also called a "mirror", it is a bit-by-bit copy of an electronic storage medium. The image also captures the space around the files, including hidden areas and deleted partitions.
• File Analysis: examines each digital file discovered and creates a database of information about the file, i.e. its metadata, consisting among other things of the file signature or hash, author, size, name and path, and its creation, last access and modification dates.


Figure 3.3. The different types of existing forensic analysis (panels: Systems, Network)

In the systems analysis, the security incidents that have occurred on servers and workstations with the different operating systems are addressed, as shown in Table 3.3.1.

Table 3.3.1 Operating Systems for forensic analysis
Operating System: Versions
Mac OS: Mac OS X Server 1.0, Cheetah, Panther, Puma, Jaguar, etc.
Microsoft (Windows): Windows 9X/Me, Windows 2000 server/workstation, Windows 2003 Server, Windows XP, Windows Vista, Windows 2008 Server, etc.
UNIX Systems: Sun OS, SCO, Unix, etc.
GNU/LINUX Systems: Debian, RedHat, Suse, Ubuntu, etc.

In the network analysis, the analysis of the different types of network is included, such as wired, wireless, Bluetooth, etc.

The embedded systems analysis is based on the analysis of incidents on mobile devices, PDAs,

An embedded system has an architecture similar to that of a personal computer.

PDA: Personal digital assistant. A small device that combines a computer, telephone/fax, Internet and networking features.

According to the nature of the crime, the investigation may take place in two settings: the Crime Scene and the Forensic Laboratory.

Figure 3.4. Steps to consider for forensic analysis (Crime Scene; Forensic Laboratory)

The Crime Scene phases aim to protect the state of the scene so that the identification and collection of the evidence available are not affected. At the scene are the items that could be taken as digital evidence, so care must be taken to preserve them. It is also necessary to identify the information systems that may contain relevant information: all types of electronic devices, CDs and DVDs. When collecting evidence, the impact on the original item should be minimized as far as possible, making exact copies of the evidence to be used in the forensic analysis so that the original evidence is not altered.

The Forensic Laboratory phases are performed by experts in Digital Forensic Science, starting with preserving the evidence and documenting each activity and procedure performed, then carrying out the forensic analysis following the specialized methodology to obtain results, and presenting them appropriately so that they are valid in a legal process.

For a proper forensic examination of computer equipment, four phases are proposed, as shown in Figure 3.5.

Figure 3.5. Forensics Process

In the first phase it is important to know the history, the current situation and the process to be followed in order to make the best decision regarding the investigation strategy. This includes identifying the computer asset in use within the network, starting the chain of custody, reviewing the legal environment that protects the asset, and supporting decision making about the next step once the results have been reviewed.

The second phase includes the review and generation of forensic images of the evidence in order to perform the analysis. A forensic image is the process required to generate "bit-by-bit" copies of the entire disk; it is performed using the latest technology to maintain the integrity of the evidence, and the chain of custody is required. To avoid contaminating the hard drive, hardware write blockers are normally used: they prevent writes from reaching the disk being read, avoiding undesired alteration of the media.

The third phase must apply scientific and analytical techniques to the forensic duplicate in order to find evidence of certain behaviors. Some examples of searches that can be performed are: strings, specific actions or users of the machine such as the use of USB devices (make, model), searches for specific files, recovery and identification of e-mails, recovery of the last visited websites, recovery of the Internet browser cache, etc.

The fourth phase should gather all the information obtained from the analysis for the report and its presentation to lawyers, producing an expert report with a correct interpretation and without using jargon.
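As an added illustration of the forensic image and file analysis concepts defined in this chapter and of the write-blocked bit-by-bit acquisition described in the second phase, the following Python is not part of the original paper: it builds a constructed fake medium, copies it read-only into an image, hashes source and image, records a chain-of-custody entry, detects a later one-byte alteration of the image, and catalogues the metadata of a folder of constructed files. The file names, the log fields and the use of SHA-256 are assumptions for the example.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB reads keep memory flat on large media


def sha256_file(path):
    """Chunked SHA-256 of a file; the digest is the evidence integrity reference."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source_path, image_path):
    """Bit-by-bit copy of the source medium into an image file.
    The source is opened read-only (a software stand-in for a hardware write
    blocker); source and image are hashed independently and must agree."""
    h_src = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h_src.update(chunk)
            dst.write(chunk)
    source_hash = h_src.hexdigest()
    image_hash = sha256_file(image_path)
    return {"source_sha256": source_hash, "image_sha256": image_hash,
            "verified": source_hash == image_hash}


def custody_entry(item, action, handler, sha256):
    """One chain-of-custody line: who did what to which item, when, and its hash."""
    return {"item": item, "action": action, "handler": handler,
            "when": datetime.now(timezone.utc).isoformat(), "sha256": sha256}


def still_intact(image_path, log):
    """Re-hash the image and compare with the last hash recorded in the log."""
    return sha256_file(image_path) == log[-1]["sha256"]


def catalogue(root):
    """File analysis: one metadata row per file (path, size, hash, modification time)."""
    rows = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            rows.append({"path": os.path.relpath(path, root), "size": st.st_size,
                         "sha256": sha256_file(path),
                         "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat()})
    return rows


def demo():
    """Constructed evidence: a small fake medium plus a folder of three files."""
    work = tempfile.mkdtemp()
    medium = os.path.join(work, "medium.bin")
    with open(medium, "wb") as f:  # constructed content, not a real device
        f.write(b"BOOT" + bytes(range(256)) * 16 + b"\x00" * 4096)
    image = os.path.join(work, "medium.dd")
    acq = acquire_image(medium, image)
    log = [custody_entry("medium-001", "acquired image", "analyst A", acq["image_sha256"])]
    intact_before = still_intact(image, log)
    with open(image, "r+b") as f:  # simulate one byte altered after acquisition
        f.seek(4)
        f.write(b"\xff")
    tamper_detected = not still_intact(image, log)
    docs = os.path.join(work, "docs")
    os.makedirs(docs)
    for name, data in [("a.txt", b"alpha"), ("b.txt", b"beta"), ("c.bin", b"\x00" * 10)]:
        with open(os.path.join(docs, name), "wb") as f:
            f.write(data)
    return {"acquired": acq["verified"], "intact_before": intact_before,
            "tamper_detected": tamper_detected, "catalogue": catalogue(docs)}
```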

The infrastructure that can be analyzed is anything that has a memory, so the devices shown in Table 3.6 can be analyzed.

Table 3.6 Supported devices for forensic analysis
• Hard Drive from a Computer or
• Documentation relating the
• Security logs.
• Authentication Credentials
• Trace of network packets.
• Mobile or Cellular Phone, some cell phone.
• Electronic Agendas (PDA)
• GPS Devices.
• Printer
• USB Memory

Expert report: formal structure for presenting expert results, suitable for their understanding and interpretation by readers who are not specialists in the field.

Chapter 4. Legislation Related to Computer Forensics

To perform a proper computer forensic analysis, a multidisciplinary team is required that includes professional legal experts in IT and technical experts in forensic methodology. This is because it is a matter of ensuring compliance with both the legal requirements and the technical requirements derived from the forensic methodology. Likewise, to carry out a proper forensic analysis there are multiple and varied national and international laws related to computer crime at the digital level.

IT: Information Technologies.
• Law on Transparency and Access to Public Information: guarantees the fundamental right of people to freely access information of public sector entities, all of which must publish information about their internal
• Law on Electronic Commerce, Electronic Signatures and Data Messages: regulates data messages, electronic signatures, certification services, electronic and telematic contracting, the electronic provision of services through information networks, including trade addresses, and protects the users of these
• Intellectual Property Law: guarantees and acknowledges copyright and the other rights of holders in their works. The theft of digital information can be treated as a violation of intellectual property, since it would be personal and of great importance to its owner.
• Special Telecommunications Law: aims to regulate, in the country, the installation, operation, use and development of any transmission, emission or reception of signs, signals, pictures, sounds and information of any nature by wire, radio, optical or other electromagnetic systems.
• Law of Constitutional Control: states that any person or entity, whether local or foreign, seeking access to documents, databases and reports in the possession of public entities, private individuals or corporations, may file a habeas data action to require answers and enforce the custodial measures prescribed in this Act by the persons holding such data or information.

Internationally, several countries have developed laws related to cybercrime and hence to computer forensics; among the most prominent are:

Habeas data: constitutional action by which any person may be supplied with the information held about them.
• "Computer Crime Law", issued in Chile on May 28, 1993. It should be noted that Chile was the first country to issue such a law; it consists of four articles that punish unlawful conduct such as the destruction of an information processing system, the interference with, interception of or access to an information system in order to seize the data stored in it, the damage or destruction of data, and the malicious disclosure or dissemination of the data contained in a system.
• "Act 1273", issued in Colombia on January 5, 2009. It amended the penal code by adding new penalties related to computer crime, seeking to protect and preserve the information systems of information and communication technologies.
• Computer Fraud and Abuse Act, issued in the U.S. in 1986, under which federal computer-related offenses are punishable.
• USA PATRIOT Act (2001), issued in the USA in 2001, which punishes anyone who knowingly accesses a computer without authorization and accesses data from financial institutions, as well as whoever, when accessing a computer, does so without government permission.
• Second Economic Crimes Act, issued in Germany on May 15, 1986, which amended the Criminal Code to contemplate data espionage, computer fraud, falsification of evidence, alteration of data, computer sabotage, etc.
• Criminal Code Reform Act, issued in Austria on December 22, 1987. It sanctioned the destruction of data, both non-personal and personal, and of software, and computer fraud, punishing those who cause prejudice to third parties.
• Law No. 88-19, issued in France on January 5, 1988. It sanctioned fraudulent intrusion to remove or modify data, obstruction or alteration of an automatic data processing system, computer sabotage and forgery.
• Penal Code of Spain. Spain is the country with the most experience of cybercrime in Europe; through its criminal code it punishes damage, alteration or mutilation of data, programs or electronic documents belonging to others, violation of secrets, espionage, disclosure, and fraud using computer manipulation.


To research this article, a search method was used, given that the primary function for which it was developed is informational only.
The search method followed by this research is the method of finding information on the Internet, which is explained below:
On the Internet there are so many documents that they are difficult to quantify; this has made the solution of problems related to efficient search methods an important research topic, so it is difficult to acquire knowledge of the different tools the Internet gives us, such as search engines.
Search engines are defined as software or tools that support users, allowing them to seek information about a topic; the tool works by searching databases that contain information about published web sites and indexing the range of possible results related to the topic or keywords entered.
The techniques used in this method are:
• Exact phrase technique: to locate words in a precise order, enter the phrase in the search box in double quotes.
- AND (+): retrieves all documents containing the keywords separated by the operator. Example: Quijote AND Cervantes finds documents where both the term Quijote and the term Cervantes are present.
- AND NOT (-): excludes documents that contain the keyword specified after the operator. Example: Cervantes AND NOT Quijote finds documents where the term Cervantes is present but not the term Quijote.
- OR: presents documents that have some of the keywords separated by the operator. Example: Quijote OR Cervantes locates documents with at least one of the two terms (either Cervantes or Quijote), including those that also contain both.
- XOR: like OR, but the result excludes documents that contain both
- ADJ: the terms are adjacent, regardless of order. Example: car ADJ racing returns documents with the terms "car racing" or "racing car".

• Advanced search by file type: Google in particular has this feature, which allows the exploration to be restricted to different types of format (text, spreadsheets, animations, presentations, videos); it only requires the command filetype: followed by the type of format.

• Thematic indices: these systems search by subject or hierarchical categories. They have a theme directory; within each directory you can find pages related to that topic.


This article was prepared with the purpose of giving an overview of computer forensics focused on its legal framework, which, as observed, is an area that has become very important in recent years and for which a great future is
Given that in Mexico there is little reliable information about computer forensics, in developing this paper the most important points required for the reader to understand and acquire the necessary knowledge of this science are discussed, and likewise a perspective is created of how information could be vulnerable, even when it is believed to be protected or deleted.
The development of this article about computer forensics was undertaken because it is an issue of great relevance, since nowadays society has changed the way we communicate and perform certain activities of daily life; in Mexico alone, it is estimated that 80% of households have one or more cell phones, on average 1.9 cell phones per household. On the other hand, 37% of households own at least one computer and October 7 internet access.
Therefore, due to the large use of electronic devices there must be some security in them, but in this area the numbers are not the most encouraging: the research found that Mexico ranks last in computer security among the member countries of the OECD (Organization for Economic Cooperation and Development), and that at least 45% of people jeopardize their cyber identity due to neglect of information such as personal data, passwords, accounts, etc.
In analyzing these data, we find that computer crimes are increasing more and more: from 2011 to date alone they have increased by 41%, with around 403 million threats and cybercrimes. Therefore, the use of computer forensics will help to detect evidence that helps to prove guilt in these crimes; just from examining the data on recorded cases of computer forensics in Mexico, the following categories were obtained:

Image 1. Cases registered in computer forensics labs according to Recovery Labs studies (categories: Fraud Offenses; Offenses against the confidentiality, integrity and availability of data and computer systems; Offenses related to content)

As shown in Image 1, 47% of cases concern fraudulent crimes such as forgery and computer fraud; 43% of cases concern offenses against the confidentiality, integrity and availability of computer data and systems, such as criminal behavior related to interference with the operation of a system; and finally 10% of cases are content crimes, such as the acquisition of pornographic content through computer
Also, when considering the above data, it is determined that computer forensics is in great demand in the country, although it is true that there are few experts in this area: according to the statistics, in the country only 10% of computing professionals specialize in this science, so for future professionals this area could be very promising. Similarly, it was found that from 2011 Mexico added to its penal code laws that allow computer crimes to be punished and computer forensics to be used to detect evidence against those who commit them; but even the laws passed are not enough to convict for all the crimes committed, much less do they allow the science of computer forensics to extract data in at least 50% of the cases prosecuted.

Currently, the value of information is increasing, so we should be more concerned with taking steps to protect it. Computer forensics is therefore born as a result of this concern, seeking both prevention and corrective reaction to problems that may affect information systems.
Based on the results obtained and analyzed in our research, we can conclude that:
Computer crimes are on the rise; today most people do not have good knowledge of how to protect their information, so it is vulnerable to intruders and they become victims of various crimes. Also, most people do not know that there is a science of computer forensics to detect the evidence required for a judgment on any device that has a storage memory, even if the information was deleted.
In Mexico, the science of computer forensics is still developing compared to countries such as Spain or the United States; there is still much room for improvement in legal and human resources, which are essential to meet the high demand for offenses in which devices are involved at the crime scene.
In our country, as regards the workplace, few professionals in the computing area are specialized in computer forensics, an area that has become important worldwide in recent times and has a promising future; so for future students it could be a choice of study area and workplace.
Regarding the legal framework in the country, it is still insufficient, that is, there are few laws in the Mexican penal code that support computer forensics when developing and presenting evidence to prove or disprove someone's guilt.
The legal field is of vital importance for computer forensics, because it is known that for everything done in this science to be successful, there must be legal regulations that penalize attackers so that they can be sentenced for the crimes they have committed. Also, each country needs to recognize the value of information and protect its citizens through laws that would ensure that computer crimes do not go

Acurio del Pino, S. (n.d.). Delitos informáticos: Generalidades. Spain: Puce. Retrieved from OAS.
Borghello, C. (2009). Seguridad de la Información. Retrieved from Seguridad de la Información:
Calderón Valdiviezo, R. G., Guzmán Reyes, G. S., & Salinas González, J. M. (2011). Diseño y plan de implementación de un laboratorio de ciencias forenses digitales. Guayaquil, Ecuador: Escuela superior del politécnica de
Carrier, B. (2005). File System Forensic Analysis. United States: Pearson
Contraloría Universitaria. (July 2007). Udec. Retrieved from Udec:
Juristas Forenses y Asociados. (March 15, 2012). Forenses Informáticos. Retrieved from Forenses Informáticos:
Lima, M. d. (2006). Criminalia N° 1-6 Año L. Delitos Electrónicos. México: Ediciones Porrua.
Pérez, J. C. (June 18, 2011). Cómputo forense y delitos informáticos en la legislación mexicana. Retrieved from Cómputo forense y delitos informáticos en la legislación mexicana:
Recovery Labs. (2012). Division Computer Forensic. Retrieved from Division Computer Forensic:
Rivas López, J. (2009). Análisis Forense de Sistemas Informáticos. Barcelona: Eureca Media.
Santes Galván, L. (2009). Propuesta de una metodología forense para depositos de telefonía celular. México, DF: Instituto Politécnico Nacional.
Tellez Valdéz, J. (2002). Derecho Informático. In J. Tellez Valdéz, Derecho Informático (pp. 103-104). México: Mc Graw Hill.