
What is Computer Forensics?

Acquisition of Computer Evidence

Court Presentation

What constitutes digital evidence?

Any information, whether or not it has been subject to human intervention, that can be extracted from a computer.
It must be in human-readable format or capable of being interpreted by a person with expertise in the subject.

History & Development

Francis Galton (1822-1911)
First definitive study of fingerprints
Leone Lattes (1887-1954)
Discovered blood groupings (A, B, AB and O)
Calvin Goddard (1891-1955)
Firearms and bullet comparison
Albert Osborn (1858-1946)
Developed principles of document examination
Hans Gross (1847-1915)
First treatise on using scientific disciplines in criminal investigations.

Computer Forensics examples

Recovering thousands of deleted emails
Performing investigation post employment
Recovering evidence post formatting hard
Performing investigation after multiple users had taken over the system

Types of Cyber crime

Unauthorized Access
Denial of Service
Spoofing or Imposter
Computer Fraud
Copyright Violation
Cyber terrorism
Forgery and
Internet Fraud
SEC Fraud and Stock
Child Pornography
Stalking & Harassment
Credit Card Fraud & Identity theft
Tsunami fraud

Types of Computer Forensics

Disk (data) Forensics
Network Forensics
Email Forensics
Internet Forensics
Portable Device Forensics (flash cards, PDAs, Blackberries, email, pagers, cell phones, IM devices, etc.)

Disk Forensics
Disk forensics is the process of acquiring and analyzing the data stored on some form of physical storage.
It includes the recovery of hidden and deleted data.
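Recovering deleted data is possible because deleting or quick-formatting a volume normally removes only the directory entry; the data blocks stay on the disk until they are overwritten. The following added example (it is not part of the lecture slides) shows signature-based file carving, the technique that finds such remnants by scanning the raw bytes for known header and footer patterns instead of trusting file system metadata. The "disk image" it scans is constructed in memory with one PNG-shaped and one JPEG-shaped object; the signatures are the real ones for those formats, the filler and sizes are made up.

```python
"""Signature-based file carving over a raw disk image.

Added example (not from the lecture slides).  A deleted or quick-formatted
file usually loses only its directory entry; its blocks remain until they are
overwritten, so a carver scans the raw bytes for known header/footer pairs
without relying on file system metadata at all.
"""
import hashlib

# Header and footer signatures.  The PNG trailer is the IEND chunk: a zero
# length, the tag "IEND", then its fixed CRC 0xAE426082.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"\x00\x00\x00\x00IEND\xae\x42\x60\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}


def carve(image: bytes, max_size: int = 10 * 1024 * 1024) -> list:
    """Return (offset, kind, data, sha256) for each carved object, sorted by offset.

    A header with no matching footer within max_size bytes is still reported,
    tagged '<kind>-truncated', because a partial file can still be evidence.
    Each object is hashed on extraction so it can be tracked from here on.
    """
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = image.find(head)
        while pos != -1:
            window_end = min(len(image), pos + max_size)
            end = image.find(tail, pos + len(head), window_end)
            if end == -1:
                data = image[pos:window_end]
                found.append((pos, f"{kind}-truncated", data,
                              hashlib.sha256(data).hexdigest()))
                pos = image.find(head, pos + len(head))
                continue
            data = image[pos:end + len(tail)]
            found.append((pos, kind, data, hashlib.sha256(data).hexdigest()))
            pos = image.find(head, end + len(tail))
    return sorted(found, key=lambda rec: rec[0])


def build_sample_image() -> bytes:
    """Constructed 'disk image': deterministic filler with one PNG-shaped and
    one JPEG-shaped object embedded, standing in for sectors of a drive whose
    directory entries were wiped by deletion or formatting."""
    filler = bytes(range(256)) * 4            # 1024 bytes, contains no signature
    png = (SIGNATURES["png"][0] + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
           + SIGNATURES["png"][1])
    jpg = (SIGNATURES["jpg"][0] + b"\xe0\x00\x10JFIF\x00" + b"\x11" * 40
           + SIGNATURES["jpg"][1])
    return filler + png + filler + jpg + filler


if __name__ == "__main__":
    for offset, kind, data, digest in carve(build_sample_image()):
        print(f"offset={offset:<6} kind={kind:<14} size={len(data):<6} "
              f"sha256={digest[:16]}...")
```

On a real image the same loop runs over the bytes read from the acquired image file; the max_size window is what keeps a header without a footer (a partially overwritten file) from swallowing the rest of the disk.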

Network Forensics
Network forensics is the process of examining network traffic.
1. After-the-fact analysis of transactions
2. Real-time tracing: real-time analysis via the network

Email Forensics
Email forensics is the study of the source and content of electronic mail as evidence:
identifying the actual sender and recipient of a message, date/time it was
Often email is very incriminating.

Tracking down the email evidence

Reading Email Headers
How to interpret Email Headers
How do I get my email program to reveal the full, unmodified email?
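Once the full, unmodified message is available, the Received headers are what an examiner reads first: every mail server that handles a message prepends one, so the topmost line was written by the recipient's own server and the bottom line is the earliest hop. The following added example (not part of the lecture slides) parses a constructed message into its delivery path, origin first, and compares the domain claimed in From: with the host named in the earliest hop. All hosts, addresses and IDs in the sample are made up and use documentation ranges. One caveat to keep in mind when interpreting the output: only the Received header added by a server you trust (normally the recipient's) is certain to be genuine; any lower line could have been inserted by the sender.

```python
"""Reconstruct the delivery path of an email from its Received headers.

Added example (not from the lecture slides).  The message below is
constructed; the hosts and addresses use documentation names and ranges.
"""
import email
import email.utils
import re

# Constructed raw message: the top Received line was added by the recipient's
# mail exchanger, the lower one by a relay; From: claims an unrelated domain.
RAW_MESSAGE = b"""\
Received: from mail.example.org (mail.example.org [203.0.113.10])
\tby mx.recipient.example (Postfix) with ESMTPS id 1A2B3C
\tfor <victim@recipient.example>; Tue, 05 Mar 2024 09:14:22 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
\tby mail.example.org (Postfix) with ESMTPA id 9Z8Y7X;
\tTue, 05 Mar 2024 09:14:20 +0000
From: "Accounts" <accounts@bank.example>
To: victim@recipient.example
Subject: Overdue invoice
Message-ID: <20240305091420.9Z8Y7X@mail.example.org>
Date: Tue, 05 Mar 2024 09:14:19 +0000

Please see the attached invoice.
"""

# "from <host> (<details>) ... by <host>"; the details group is optional.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<details>[^)]*)\))?.*?\bby\s+(?P<by>\S+)"
)


def received_hops(raw: bytes) -> list:
    """Return hops in transit order (origin first), one dict per Received header."""
    msg = email.message_from_bytes(raw)
    hops = []
    # get_all() returns headers top-down; reversing yields origin first.
    for n, hdr in enumerate(reversed(msg.get_all("Received", [])), start=1):
        text = " ".join(str(hdr).split())          # unfold continuation lines
        m = RECEIVED_RE.search(text)
        stamp = text.rsplit(";", 1)[1].strip() if ";" in text else ""
        hops.append({
            "hop": n,
            "from": m.group("from") if m else "?",
            "details": (m.group("details") or "") if m else "",
            "by": m.group("by") if m else "?",
            "date": stamp,                           # timestamp written by the 'by' server
        })
    return hops


def sender_check(raw: bytes) -> dict:
    """Compare the From: domain with the host named by the earliest Received hop."""
    msg = email.message_from_bytes(raw)
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    claimed = addr.rsplit("@", 1)[-1].lower()
    hops = received_hops(raw)
    origin = hops[0]["from"].lower() if hops else ""
    return {
        "claimed_domain": claimed,
        "origin_host": origin,
        "mismatch": not origin.endswith(claimed),
    }


if __name__ == "__main__":
    for hop in received_hops(RAW_MESSAGE):
        print(f"hop {hop['hop']}: {hop['from']} -> {hop['by']}  [{hop['date']}]")
    print(sender_check(RAW_MESSAGE))
```

The per-hop timestamps are also worth comparing with one another and with the Date: header: they come from different clocks, so small differences are normal, but a hop that claims to have received the message before the previous hop sent it is a sign that a line was fabricated.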

Internet Forensics
Internet or Web forensics is the process of piecing together where and when a user has been on the Internet.
E.g., Scott Peterson, Michael Jackson

Source Code Forensics

Used to determine software ownership or software liability issues.
Review of the actual source code.
Examination of the entire development, e.g., development procedures, documentation review, and review of source code revisions.

Computer Forensics evidence processing guidelines

1. Understand the suspects
2. Electronic evidence considerations
3. Secure the machine and the data
4. Examine the live system and record open applications
5. Power down carefully
6. Inspect for traps
7. Fully document hardware
8. Duplicate the hard drives
9. E-mail review
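Step 8, duplicating the hard drives, is where the evidence becomes something that can be examined without touching the original, and its value in court rests on being able to show the copy is exact. The following added example (not from the lecture slides) shows the core of a forensic acquisition: read the source block by block, hash it as it streams, write a bit-for-bit image, rehash the finished image, and keep the digests in a record that lets anyone re-verify the image later. The "drive" here is a constructed temporary file and the examiner name is a placeholder; on a real case the source would be a block device attached through a hardware write blocker, which is the same job that tools such as dd or FTK Imager perform.

```python
"""Forensic disk duplication with hash verification (step 8 of the guidelines).

Added example (not from the lecture slides).  The 'drive' is a constructed
file; in practice the source is a read-only block device behind a write
blocker, and the returned record goes into the chain-of-custody paperwork.
"""
import datetime
import hashlib
import json
import os
import tempfile

BLOCK = 1 << 20   # 1 MiB reads: fast, and small enough to localise a bad region


def _sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(source: str, dest: str, examiner: str = "EXAMINER-PLACEHOLDER") -> dict:
    """Copy source to dest bit for bit and return an acquisition record."""
    src_hash = hashlib.sha256()
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK), b""):
            src_hash.update(chunk)     # hash the bytes exactly as read from the source
            dst.write(chunk)
    image_digest = _sha256_file(dest)  # independent re-read of what landed on disk
    return {
        "source": source,
        "image": dest,
        "bytes": os.path.getsize(dest),
        "sha256_source": src_hash.hexdigest(),
        "sha256_image": image_digest,
        "verified": src_hash.hexdigest() == image_digest,
        "examiner": examiner,
        "acquired_at": datetime.datetime.now(datetime.timezone.utc).isoformat(),
    }


def verify_image(path: str, expected_sha256: str) -> bool:
    """Re-hash an image at any later time and compare with the recorded digest."""
    return _sha256_file(path) == expected_sha256


def run_demo() -> dict:
    """Image a constructed drive, verify it, then show a later write being caught."""
    payload = b"constructed evidence drive " * 120_000    # deterministic, ~3.2 MB
    expected = hashlib.sha256(payload).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "suspect_drive.bin")
        img = os.path.join(tmp, "suspect_drive.dd")
        with open(src, "wb") as f:
            f.write(payload)
        record = image_device(src, img)
        intact_before = verify_image(img, record["sha256_image"])
        with open(img, "r+b") as f:     # simulate an accidental write to the image
            f.write(b"X")
        intact_after = verify_image(img, record["sha256_image"])
    return {"record": record, "expected_sha256": expected,
            "intact_before": intact_before, "intact_after_edit": intact_after}


if __name__ == "__main__":
    result = run_demo()
    print(json.dumps(result["record"], indent=2))
    print("image still matches after edit:", result["intact_after_edit"])
```

Analysis is then done on the image (or on a working copy of it), never on the original, and the recorded digest is rechecked whenever the image changes hands.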

Who Uses Computer Forensics?

Criminal Prosecutors
Rely on evidence obtained from a computer to prosecute suspects and use as evidence

Civil Litigations
Personal and business data discovered on a computer can be used in fraud, divorce, harassment, or discrimination cases

Insurance Companies
Evidence discovered on a computer can be used to mitigate costs (fraud, workers' compensation, arson, etc.)

Private Corporations
Evidence obtained from employee computers can be used as evidence in harassment, fraud, and embezzlement cases

Law Enforcement Officials
Rely on computer forensics to back up search warrants and post-seizure handling

Individual/Private Citizens
Obtain the services of professional computer forensic specialists to support claims of harassment, abuse, or wrongful termination from

Computer Forensics requirements

Familiarity with all internal and external devices/components of a computer
Thorough understanding of hard drives and settings
Understanding motherboards and the various chipsets used
Power connections

Understanding how the BIOS works
Familiarity with the various settings and limitations of the BIOS

Operating Systems

Windows 3.1/95/98/ME/NT/2000/2003/XP

Familiarity with most popular software packages such as Office

Forensic Tools
Familiarity with computer forensic techniques and the software packages that could be used

E-evidence: today's fingerprint and smoking gun

Zacarias Moussaoui
20th hijacker in the 9/11 terrorist attacks against the U.S.
His laptop, 4 computers, and several email accounts were searched for e-evidence (Zacarias Moussaoui was passing through a London airport).
FBI discovered that the 19 hijackers used Kinko's computers in various cities to gain access to the Internet to plan 9/11.

Future of Computer Forensics

Computer forensics is now part of criminal investigations.
Crimes & methods to hide crimes are becoming more
Computer forensics will be in demand for as long as there are criminals and misbehaving people.
Will attract students and law professionals who need to update their skills.