
Computer forensics

Abstract

The internet is growing explosively, and so is the number of crimes committed against or using
computers. In response to the growth of computer crime, the field of computer forensics has
emerged. Computer forensics involves carefully collecting and examining electronic evidence,
not only to assess the damage done to a computer as the result of an electronic attack, but also
to recover lost information from such a system in order to prosecute the criminal. With the
growing importance of computer security today and the seriousness of cybercrime, it is
important for computer professionals to understand the technology used in computer forensics.
Computer forensics is defined as the process of identifying, collecting, preserving, analyzing
and presenting computer-related evidence in a manner that is legally acceptable to a court. One
commonly needed method is detecting and reversing steganography used to hide data. In the
coming years computers will play an ever larger role, and cybercrime cases have to be handled
very carefully in order to bring out the truth. Training police and judicial officers is therefore
very important, and India still has a lot of ground to cover in handling cybercrime cases.
Cybercrime is also systematically addressed by the Council of Europe's Convention on
Cybercrime, a multinational treaty which addresses cybercrime alongside breaches of the right
to privacy. This report promotes the idea that competent practice of computer forensics and
awareness of the applicable laws are essential for today's organizations.

DEPT OF ISE,PDA COLLEGE OF ENGNEERING,KALABURAGI 1



Introduction
The term forensics derives from the Latin "forensis", meaning "in open court or public", which
itself comes from "forum", referring to an actual location: a public square or marketplace used
for judicial and other business. Forensic science is "the application of scientific techniques and
principles to provide evidence to legal or related investigations and determinations".
Computer forensics is the process of using scientific knowledge to collect, analyze, and present
evidence to the courts. Forensics deals primarily with the recovery and analysis of latent
evidence. Latent evidence can take many forms, from fingerprints left on a window to DNA
recovered from blood stains to the files on a hard drive. Because computer forensics is a young
discipline, there is still little standardization and consistency across courts and industry.
History of Cyber Forensics: Until the late 1990s, what became known as cyber forensics was
commonly termed 'computer forensics'. The first cyber forensic technicians were law
enforcement officers who were also computer hobbyists. In the USA, work began in 1984 in the
FBI Computer Analysis and Response Team (CART). One year later, in the UK, the
Metropolitan Police set up a computer crime unit under John Austen within what was then called
the Fraud Squad. A major change took place at the beginning of the 1990s. Investigators and
technical support operatives within the UK law enforcement agencies, along with outside
specialists, realized that cyber forensics (like other fields) required standard techniques,
protocols and procedures. Apart from informal guidelines these formalisms did not exist, but
they urgently needed to be developed. A series of conferences, initially convened by the Serious
Fraud Office and the Inland Revenue, took place at the Police Staff College at Bramshill in 1994
and 1995, during which the modern British cyber forensic methodology was established.
Overview of Computer Forensics: Cyber forensics is used to help investigate cybercrime or to
identify direct evidence of a computer-assisted crime. The concept of cyber forensics as a named
discipline dates back to the late 1990s and early 2000s. The legal profession, law enforcement,
policy makers, the business community, education, and government all have a vested interest in
it. Cyber forensics is used in both criminal law and private investigation, though it has
traditionally been associated with criminal law. It requires rigorous standards to stand up to
cross-examination in court. Human expert witnesses remain essential, because courts will not
recognize software tools such as EnCase, Pasco, or Ethereal as an expert witness; the examiner
must be able to explain and defend what the tool did. Cyber forensics is useful to many
professions, including the military, the private sector and industry, academia, and law. These
areas have many needs, including data protection, data acquisition, imaging, extraction,
interrogation, normalization, analysis, and reporting. It is important for all professionals
working in the emerging field of cyber forensics to have a working lexicon of terms such as
bookmarks, cookies and web hits that is uniformly applied throughout the profession and
industry. The objective of cyber forensics is to identify digital evidence for an investigation and
to apply the scientific method to draw conclusions from it. The area of cyber forensics has
become a prominent field of research because:
1. Forensic systems allow the administrator to diagnose errors and reconstruct what happened on a system
2. Intrusion detection systems are a necessary complement for detecting and responding to cyber crimes
3. Proactive forensics (collecting and baselining evidence before an incident) makes change detection possible
Why is Computer Forensics Important? Computer forensics will help you ensure the overall
integrity and survivability of your network infrastructure. You can help your organization by
treating computer forensics as a new basic element of a "defense-in-depth" approach to network
and computer security (defense in depth is built on the principle that multiple layers of different
types of protection provide substantially better protection than any single control). For instance,
understanding the legal and technical aspects of computer forensics will help you capture vital
information if your network is compromised and will help you prosecute the case if the intruder
is caught. What happens if you ignore computer forensics or practice it badly? You risk
destroying vital evidence or having forensic evidence ruled inadmissible in a court of law. Also,
you or your organization may run afoul of laws that mandate regulatory compliance and assign
liability if certain types of data are not adequately protected. Such legislation makes it possible
to hold organizations liable in civil or criminal court if they fail to protect customer data. Laws
such as the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley,
California's data breach notification law (Civil Code section 1798.82), and others hold
businesses liable for breaches of the security or integrity of computer networks. Computer
forensics is also important because it can save your organization money. Many managers are
allocating a greater portion of their information technology budgets to computer and network
security. International Data Corporation (IDC) reported that the market for intrusion-detection
and vulnerability-assessment software would reach 1.45 billion dollars in 2006. In increasing
numbers, organizations are deploying network security devices such as intrusion detection
systems (IDS), firewalls, proxies, and the like, all of which report on the security status of
networks; forensic readiness means those reports and logs are retained in a form that can later
serve as evidence. From a technical standpoint, the main goal of computer forensics is to
identify, collect, preserve, and analyze data in a way that preserves the integrity of the evidence
collected so it can be used effectively in a legal case. What are some typical aspects of a
computer forensics investigation? First, those who investigate computers have to understand
the kind of potential evidence they are looking for in order to structure their search. Crimes
involving a computer can range across the spectrum of criminal activity, from child pornography
to theft of personal data to destruction of intellectual property. Second, the investigator must
pick the appropriate tools. Files may have been deleted, damaged, or encrypted, and the
investigator must be familiar with an array of methods and software to prevent further damage
during the recovery process.


Objectives


Architecture

The process architecture (shown as a figure in the original) consists of five phases:
1. Identification
2. Preservation
3. Analysis
4. Documentation
5. Presentation



Types of Computer Forensics:


There are numerous computer forensics techniques that are widely employed by forensic experts
all over the world to obtain sensitive pieces of information from digital resources. Some of the
best-known types of computer forensics are listed below:

 Network Forensics
 Email Forensics
 Malware Forensics
 Memory Forensics
 Mobile Phone Forensics
 Database Forensics
 Disk Forensics
The above-mentioned methods and techniques of computer forensics are elaborated in the
following points one by one:

1. Network Forensics: Monitoring and analyzing network traffic to extract information about
what crossed the network, using captured packets together with the logs and alerts produced
by dedicated tools such as firewalls and intrusion detection systems.
2. Email Forensics: The process of analyzing and recovering emails and their attachments,
together with the other data an email platform holds, such as contacts and calendars.
3. Malware Forensics: In this methodology, forensic experts sift through code to check for
potentially malicious programs and scrutinize their payload. Such programs may include
Trojan horses, ransomware, or viruses.
4. Memory Forensics: Collecting and analyzing the data held in a computer's RAM (Random
Access Memory) and caches, which is lost as soon as the machine is powered off.
5. Mobile Phone Forensics: In this type of forensics, the team of forensic examiners inspects
mobile devices to retrieve and scrutinize the data they hold, including contacts, geolocation
data, SMS messages, images, audio and video files, and the databases of third-party apps
such as WhatsApp, Facebook, Twitter, etc.
6. Database Forensics: The process of examining the information held in databases, both the
data itself and the adjoining metadata, is known as database forensics.

7. Disk Forensics: In this case, forensic experts obtain information from digital storage media
such as hard disks, USB devices, FireWire devices, CDs, DVDs, flash drives, floppies, etc.
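The email forensics item above turns on reading headers that the sender's mail client does not control. The following is an added example, not code from the original report: it parses a constructed phishing-style message (all hostnames, addresses and IPs are made up) with Python's standard `email` package, rebuilds the relay chain from the Received headers in delivery order, and runs a few header-consistency checks. Each finding is a lead for the examiner, not proof of forgery on its own.

```python
import email
import email.utils
import re
from email import policy

# Constructed sample message (made up for this example; hostnames and addresses are not real).
# Received headers are prepended by each relay, so the top one is the last hop.
SAMPLE_EMAIL = """\
Received: from mail-out.example.net (mail-out.example.net [203.0.113.25])
    by mx.victim.example (Postfix) with ESMTPS id 4A1B2C
    for <cfo@victim.example>; Tue, 05 Mar 2024 09:15:02 +0000
Received: from [198.51.100.77] (unknown [198.51.100.77])
    by mail-out.example.net with ESMTPA id 7F3E9D;
    Tue, 05 Mar 2024 09:14:58 +0000
From: "CEO" <ceo@victim.example>
Reply-To: ceo.urgent@attacker.example
To: cfo@victim.example
Subject: Urgent wire transfer
Message-ID: <20240305091458.7F3E9D@mail-out.example.net>
Date: Tue, 05 Mar 2024 09:14:55 +0000
Content-Type: text/plain; charset="utf-8"

Please process the attached invoice today.
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received_chain(raw):
    """Return the relay hops in delivery order (origin first)."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for header in msg.get_all("Received", []):
        text = " ".join(str(header).split())          # unfold and normalize whitespace
        sender = re.search(r"\bfrom\s+(\S+)", text)
        relay = re.search(r"\bby\s+(\S+)", text)
        ip = IPV4.search(text)
        hops.append({
            "from": sender.group(1) if sender else None,
            "ip": ip.group(1) if ip else None,
            "by": relay.group(1) if relay else None,
        })
    hops.reverse()                                     # headers are newest-first on the wire
    return hops


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def spoofing_indicators(raw):
    """Cheap header-consistency checks; each is a lead to pursue, not proof on its own."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_addr = email.utils.parseaddr(str(msg["From"]))[1]
    reply_to = email.utils.parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and domain_of(reply_to) != domain_of(from_addr):
        findings.append("reply-to-domain-mismatch")
    # Weak signal: many legitimate providers generate Message-IDs on their own domain.
    msgid = str(msg.get("Message-ID", "")).strip("<> ")
    if msgid and domain_of(msgid) != domain_of(from_addr):
        findings.append("message-id-domain-mismatch")
    hops = parse_received_chain(raw)
    # Each relay's "by" host should reappear as the next hop's "from" host;
    # a gap suggests that the lower Received headers were forged by the sender.
    for current, nxt in zip(hops, hops[1:]):
        if current["by"] != nxt["from"]:
            findings.append("broken-received-chain")
            break
    return findings


if __name__ == "__main__":
    for hop in parse_received_chain(SAMPLE_EMAIL):
        print(hop)
    print(spoofing_indicators(SAMPLE_EMAIL))
```

Only the Received header added by your own mail server can be trusted; everything below it in the chain was supplied by the previous relay and can be fabricated, which is why the chain check starts from the receiving end.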

Top 20 countries using cyber forensics (figure):


Computer forensics techniques


A computer forensics investigation normally follows the typical digital forensics procedure of
acquisition, examination, analysis and reporting. These investigations are mostly performed on
static data (disk images) rather than on live data or live systems, though in the early days of
computer forensics investigators often worked on live data for lack of tools.
Various kinds of techniques are used in a computer forensics investigation, such as:
 Cross-drive analysis: Cross-drive analysis (CDA) is a technique that allows an investigator
to quickly identify and correlate information across multiple data sources or drives.
Existing approaches include multi-drive correlation using text searches for identifiers such
as email addresses, SSNs, message IDs, or credit card numbers: an identifier that appears
on several drives links those drives, and their owners, to each other.
 Live analysis: Examining a computer from within its running operating system, using
forensic and sysadmin tools to get information from the device. Collecting volatile data is
very important in this approach: installed software packages, hardware information, and so
on. It is especially useful when the investigator is dealing with encrypted files or volumes,
because while the system is running and the user is logged in they are typically mounted and
readable, whereas they would be unreadable in a disk image taken after power-off. If the
device is still active and running when it is handed to the investigator, the investigator should
collect all volatile information from it before anything else, ordered from most to least
volatile: user login history, which TCP and UDP ports are open, which services are currently
running, etc.
 Deleted files recovery: A technique used to recover deleted files. Deleted data can often be
recovered, or carved out of unallocated space by searching for known file headers and
footers, using forensic tools such as OnTrack EasyRecovery and Wise Data Recovery.
 Stochastic forensics: A method of forensically reconstructing digital activities that leave
insufficient digital artifacts, by analyzing the emergent patterns that result from the
stochastic nature of modern computers.
 Steganography: Steganography is the technique of hiding secret information inside or on
top of something else, which can be anything from an image to any other type of file.
Computer forensics investigators can counter this by comparing the hash value of the altered
file with that of the original file: the hash values will differ even though the two files look
identical on visual inspection. This check requires a trusted copy of the original; without
one, the investigator has to fall back on statistical steganalysis of the suspect file.
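The cross-drive analysis item above describes correlating identifiers across drives. The following is an added example, not code from the original report: it runs email and payment-card patterns over three constructed text dumps standing in for strings extracted from three drive images (all of the data is made up; the card numbers are the standard test numbers), validates card candidates with the Luhn checksum to discard false positives, and reports every identifier that occurs on more than one drive.

```python
import re
from collections import defaultdict

# Constructed text extracted from three (imaginary) drive images; none of this is real data.
DRIVES = {
    "drive_A": "Invoice from bob@corp.example, paid with card 4111 1111 1111 1111 on 2024-03-05",
    "drive_B": "chat log: alice@corp.example sent 5555555555554444 to bob@corp.example; junk 1234567890123456",
    "drive_C": "browser cache: payment 4111-1111-1111-1111 approved, contact bob@corp.example",
}

PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    # 16 digits, optionally separated by spaces or hyphens, not embedded in a longer digit run
    "card": re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)"),
}


def luhn_ok(number):
    """Luhn checksum used by payment cards; filters random 16-digit runs (IDs, timestamps)."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def extract_identifiers(text):
    """Return a set of (kind, normalized value) pairs found in one drive's text."""
    found = set()
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            if kind == "card":
                value = re.sub(r"[ -]", "", value)   # normalize so formats compare equal
                if not luhn_ok(value):
                    continue
            found.add((kind, value.lower()))
    return found


def cross_drive_correlate(drives):
    """Map each identifier to the sorted list of drives it appears on, keeping only
    identifiers seen on at least two drives, which is what links the drives together."""
    index = defaultdict(set)
    for name, text in drives.items():
        for ident in extract_identifiers(text):
            index[ident].add(name)
    return {ident: sorted(names) for ident, names in index.items() if len(names) > 1}


if __name__ == "__main__":
    for (kind, value), names in sorted(cross_drive_correlate(DRIVES).items()):
        print(f"{kind:5} {value:25} -> {', '.join(names)}")
```

On real images the text would come from a strings extraction or an indexed keyword search over the whole image, including unallocated space, so that deleted copies of the identifiers are correlated as well.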

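The deleted-file recovery item above mentions carving. The following is an added example, not code from the original report: it implements header/footer carving for JPEG files over a constructed byte buffer that stands in for a region of unallocated disk space (the "files" in it are only byte sequences with the correct markers, not real images). Each carved object is reported with its offset, size and SHA-256 so it can be tied back to the image and verified later.

```python
import hashlib

# JPEG start-of-image marker (FF D8 FF) and end-of-image marker (FF D9).
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"


def build_sample_unallocated_space():
    """Constructed stand-in for a chunk of unallocated disk space: two JPEG-like blobs
    whose directory entries are gone, surrounded by filler and a stray text fragment."""
    jpeg1 = JPEG_SOI + b"\xe0" + b"JFIF-one" + b"\x00" * 20 + JPEG_EOI
    jpeg2 = JPEG_SOI + b"\xe1" + b"Exif-two" + b"\x11" * 40 + JPEG_EOI
    filler = b"\x00" * 64
    return filler + jpeg1 + filler + b"deleted text fragment" + jpeg2 + filler


def carve_jpegs(data, max_size=10 * 1024 * 1024):
    """Header/footer carving: find every SOI marker, pair it with the next EOI marker,
    and cut the bytes between them out as a candidate file.
    Limitations to keep in mind: a fragmented file is recovered incomplete or merged with
    neighbouring data, an EOI inside an embedded thumbnail truncates the carve, and random
    data occasionally contains the marker bytes, so every carve must be validated."""
    carved = []
    pos = 0
    while True:
        start = data.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = data.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1 or end - start > max_size:
            pos = start + 1                      # no plausible footer: skip this header
            continue
        blob = data[start:end + len(JPEG_EOI)]
        carved.append({
            "offset": start,                     # where in the image the file began
            "size": len(blob),
            "sha256": hashlib.sha256(blob).hexdigest(),   # identifies the carved object
            "data": blob,
        })
        pos = end + len(JPEG_EOI)
    return carved


if __name__ == "__main__":
    for item in carve_jpegs(build_sample_unallocated_space()):
        print(item["offset"], item["size"], item["sha256"][:16])
```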
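The steganography item above says that a hidden payload changes a file's hash while leaving it visually unchanged. The following is an added example, not code from the original report, that shows both sides of that: it hides a message in the least significant bits of a constructed cover (a smooth gradient of sample bytes, not a real image), extracts it again, confirms that the SHA-256 differs while the top seven bits of every sample are untouched, and computes a crude LSB statistic for the case where no original is available.

```python
import hashlib

# Constructed cover: a smooth gradient of byte samples (all even, so every LSB is 0).
# Real image data is far noisier than this; see the note on lsb_ones_ratio below.
COVER = bytes((i * 2) % 256 for i in range(512))


def embed_lsb(cover, message):
    """Hide `message` in the least significant bit of successive cover bytes,
    prefixed with a 16-bit big-endian length so the extractor knows where to stop."""
    payload = len(message).to_bytes(2, "big") + message
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for message")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)


def extract_lsb(stego):
    """Reverse of embed_lsb: read the length prefix, then that many bytes of LSBs."""
    def read_bits(count, offset):
        value = 0
        for i in range(count):
            value = (value << 1) | (stego[offset + i] & 1)
        return value
    length = read_bits(16, 0)
    return bytes(read_bits(8, 16 + 8 * k) for k in range(length))


def hashes_differ(a, b):
    """The check described in the text: given a trusted original, any change alters the hash."""
    return hashlib.sha256(a).hexdigest() != hashlib.sha256(b).hexdigest()


def visually_identical(a, b):
    """True if only LSBs differ, i.e. the top 7 bits of every sample are unchanged."""
    return len(a) == len(b) and all((x & 0xFE) == (y & 0xFE) for x, y in zip(a, b))


def lsb_ones_ratio(data):
    """Crude steganalysis statistic for when no original exists: fraction of set LSBs.
    Only meaningful against a baseline for the same kind of content; noisy photographs
    already have roughly half their LSBs set, so real steganalysis relies on chi-square
    or RS analysis rather than this raw count."""
    return sum(b & 1 for b in data) / len(data)


if __name__ == "__main__":
    stego = embed_lsb(COVER, b"meet at dawn")
    print(extract_lsb(stego), hashes_differ(COVER, stego), visually_identical(COVER, stego))
    print(lsb_ones_ratio(COVER), lsb_ones_ratio(stego))
```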

Phases of forensics investigation:


1. Acquisition of data
2. Authentication of data
3. Analysis of data

1. Acquisition of data:
 Traditionally the computer is unplugged rather than shut down cleanly, so that temporary files and the swap (virtual memory) on disk are frozen as they were; this sacrifices the contents of RAM, so volatile data must be collected first if it is needed.
 The hard drive is duplicated bit for bit.
 Analysis is done on the duplicate copies so as not to alter or destroy the original.

2. Authentication of data:
 Data must be collected in accordance with the law.
 Duplicates must be exact replicas of the original, which is demonstrated by comparing cryptographic hashes of the original and the copy.

3. Analysis of data:
 Determines the value of the forensic evaluation: what the recovered data shows and how it bears on the investigation.
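The acquisition and authentication phases above come down to one procedure: copy the media bit for bit, hash the original and the copy, prove they match, and record who did it and when. The following is an added example, not code from the original report. It images a constructed "evidence drive" (a temporary file of deterministic bytes, no real device) into an image file, hashes the source before and after, hashes the bytes as they stream and the finished image, and appends a chain-of-custody record as one JSON line. The `demo` helper and the examiner name are assumptions for illustration; on real media a hardware write blocker is still required in front of the source.

```python
import hashlib
import json
import os
import tempfile
import time


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image_path, chunk=1 << 20):
    """Bit-for-bit copy of `source` into `image_path`, hashing the bytes as they are read.
    The source is opened read-only; this does not replace a hardware write blocker
    (assumed to be in place for real media)."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            h.update(block)
            dst.write(block)
    return h.hexdigest()


def acquire_and_log(source, image_path, examiner, log_path):
    """Acquire, verify, and append one chain-of-custody record (JSON lines)."""
    before = sha256_file(source)          # original before anything was done to it
    streamed = acquire_image(source, image_path)
    image = sha256_file(image_path)       # the copy that analysis will be done on
    after = sha256_file(source)           # original unchanged by the acquisition
    record = {
        "timestamp_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "examiner": examiner,
        "source": os.path.basename(source),
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "source_sha256_before": before,
        "stream_sha256": streamed,
        "image_sha256": image,
        "source_sha256_after": after,
        "verified": before == streamed == image == after,
    }
    with open(log_path, "a") as log:
        log.write(json.dumps(record) + "\n")
    return record


def reverify(image_path, expected_sha256):
    """Re-run before every later examination: proves the working copy is still the one logged."""
    return sha256_file(image_path) == expected_sha256


def demo(tamper=False):
    """Constructed end-to-end run; returns (acquisition verified, image still intact)."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "evidence.bin")
        image = os.path.join(tmp, "evidence.dd")
        log = os.path.join(tmp, "custody.jsonl")
        with open(source, "wb") as f:
            f.write(bytes(range(256)) * 4096)   # 1 MiB of deterministic sample bytes
        record = acquire_and_log(source, image, "examiner-01", log)
        if tamper:                              # simulate a later, undocumented change
            with open(image, "r+b") as f:
                f.seek(12345)
                f.write(b"\x00")
        return record["verified"], reverify(image, record["image_sha256"])


if __name__ == "__main__":
    print(demo(), demo(tamper=True))
```

The four hashes answer different questions: `before` and `after` show the acquisition did not touch the original, `stream` and `image` show the copy was written exactly as read. Keeping the record in an append-only log, with the examiner and a timestamp, is what lets the duplicate be presented as an exact replica later.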


Forensics Tools:

1. EnCase
 Allows imaging and examination of hard drives and removable media.

2. Vogon
 Imaging and non-repudiation of hard drives.
 Introduces write-protection of the hard drive being imaged, so the original cannot be altered during acquisition.

3. PTK Forensics
 PTK runs as a GUI interface for The Sleuth Kit.
 Acquires and indexes digital media for investigation.
 PTK calculates a hash signature for acquired media for verification and consistency
purposes.


Advantages:
1. Allows for analysis of digital evidence
As the world increasingly depends on computers, so too do criminals. Computer forensics is the
application of investigation and analysis techniques to gather and preserve evidence from a
particular computing device in a way that is suitable for presentation in a court of law. The goal
of computer forensics is to be able to identify, track, and prosecute those who have committed
crimes involving computers.
One advantage is that it can help investigators find hidden or deleted files that may contain
evidence of a crime. Another advantage is that computer forensics can be used to reconstruct past
events, such as what happened immediately before and after a crime was committed. This can be
helpful in determining motives and identifying suspects.

2. Helps to identify criminals


Computer forensics can be a valuable tool in identifying criminals. By analyzing data found on
computers and other digital devices, law enforcement officials can often track down suspects and
piece together evidence to prosecute them.
However, computer forensics is not always reliable, and investigators may come to false
conclusions if they do not have a strong understanding of how to interpret the data they find.
Finally, criminals who are aware of how computer forensics works may take anti-forensic steps
to avoid leaving behind any digital evidence that could incriminate them.

3. Can be used to recover deleted data


When it comes to deleted data, computer forensics can be a helpful tool in recovering what has
been lost. However, there are also some disadvantages to using this method that should be
considered.
One advantage of using computer forensics to recover deleted data is that it can be done
relatively easily. In most cases, all you need is the right software and a bit of know-how. This
means that even if you’re not an expert in the field, you can still get your lost data back.
However, one downside is that computer forensics can be time-consuming. If you have a lot of
data to recover, it could take days or even weeks to go through everything. Additionally, if the
data is particularly sensitive, you may need to hire a professional to help you with the recovery
process.

4. Provides insight into how crimes are committed


Crimes are committed every day, but have you ever wondered how they’re committed?
Computer forensics provides insight into how crimes are committed by analyzing digital
evidence.


5. Can be used to prevent future crimes


Computer forensics can be used to prevent future crimes in a number of ways. By understanding
how criminals use computers to commit crimes, law enforcement can better target their
investigative efforts. Additionally, computer forensics can be used to identify new trends in
criminal activity and develop strategies to thwart these activities.

Disadvantages:
1. Time-consuming process
Computer forensics is a time-consuming process. It can take days or weeks to collect and analyze
all the data, which is a problem when an investigation needs answers quickly. It also needs
specialized software and hardware, and someone has to be paid to do the analysis. Against that,
computer forensics can catch criminals who would otherwise get away with their crimes, and it
can produce evidence that would be difficult or impossible to obtain any other way.

2. Requires specialized skills and knowledge


Computer forensics is a process that uses specialized skills and knowledge to collect, examine
and report on digital evidence. This process can be used to investigate crimes, track down
missing persons and solve other mysteries.

3. Can be expensive
Computer forensics can be expensive because it requires special equipment and software, and
often needs to be done by a specialist. It can also take a long time to do, which can add to the
cost. However, it can also be very helpful in catching criminals and recovering evidence that
might otherwise be lost.

4. May require court order to obtain evidence


One advantage is that it can help obtain evidence that may be otherwise difficult to obtain. For
example, if a crime was committed using a computer, the forensic investigator can examine the
computer for evidence of the crime. This can be helpful in cases where there is no other physical
evidence or eyewitnesses. However, one disadvantage is that it may require a court order to
obtain the evidence. This means that there may be a delay in getting the evidence, which could
allow the perpetrator to destroy or tamper with it. Additionally, court orders can be difficult to
obtain, and sometimes investigators are not able to get them in time.

5. Evidence can be easily destroyed or tampered


One of the biggest problems with computer forensics is that evidence can be easily destroyed or
tampered with. If suspects know that they are under investigation, they may try to delete
files or destroy their hard drive in order to prevent investigators from finding any incriminating
evidence. Even if investigators are able to recover deleted files or damaged hard drives, there is
no guarantee that the evidence has not been tampered with in some way; this is why hashing the
original media at acquisition and keeping a documented chain of custody matter so much.
Another issue with computer forensics is that it can be time-consuming and expensive. In order
to do a thorough analysis of a suspect's computer, investigators need specialized training
and access to expensive software and equipment.

Application:
