COMPUTER
FORENSICS
Guided By
DR Patel
Presented By
Paritosh Goldar
P08CO979
INDEX
Introduction
Components of Computer Forensic
Analysis
The Forensic Investigation Process
Objectives of the Investigative Process.
Applications of Computer Forensics
Security Incidents
Computer Forensic Tools
Conclusion
References
Introduction
Computer forensics is the collection, preservation, analysis, and presentation of computer-related evidence.
Real scientific discipline for crime investigation.
The use of science and technology to investigate and establish facts in criminal or civil courts of law.
Proper Acquisition and Preservation of Computer Evidence.
Authentication of Collected Data for Court Presentation.
Recovery of All Available Data, Including Deleted Files.
Computer forensics creates opportunities to uncover evidence impossible to find using a manual process.
Components of Computer Forensic Analysis
Preservation
Involves making a forensic copy of the original data and conducting a comparison between the copy and the original.
Examine the live computer system if possible.
Inspect the surroundings, collect all pertinent physical evidence.
Photograph all devices before examination.
Fully document the hardware configuration.
Identification
Identify the potential containers of electronic evidence (e.g. hard drives, etc.).
Identify the data pertinent to the case under investigation.
Extraction
Making electronic and hard copies of relevant data.
Interpretation
Results of the investigation, based on the data and tools used, must be interpreted by forensic experts.
Documentation
Document everything from start to finish
Rules of Evidence
Forensic investigators must consider the local rules of evidence (which define the conditions for admissibility, reliability, and relevance) that apply to the situation at hand.
The Forensic Investigation Process
Recovery of evidence: recovery of hidden and deleted information, recovery of evidence from damaged equipment
Harvesting: Obtaining data about data
Data reduction: Eliminate/filter evidence
Organization and search: Focus on arguments
Analysis: Analysis of evidence to support positions
Reporting: Record of the investigation
Persuasion and testimony: In the courts
Objectives of the Investigative Process
Acceptance: Process has wide acceptance
Reliability: Methods used can be trusted to support findings
Repeatability: Process can be replicated
Integrity: Trust that the evidence has not been altered
Cause & Effect: Logical relationship between suspects, events, evidence
Documentation: Recording of evidence
Applications of Computer Forensics
High Tech Crime Investigations
Incident Response
Email Recovery & Analysis
Document & File recovery
Law enforcement agencies e.g. cybercrime
Civil Litigators e.g. IP infringement
Insurance companies
Security Incidents
Incident: "A computer security incident is any adverse event whereby some aspect of computer security could be threatened: loss of data confidentiality, disruption of data or system integrity, or disruption or denial of availability."
Any security-relevant adverse event that might threaten the security of a computer system or a network.
Types of Incidents
Most incidents point towards:
1. Confidentiality,
2. Integrity,
3. Availability.
Main Categories of Incidents
Compromise of integrity
Such as when a virus infects a program or the discovery of a serious system vulnerability.
Denial of service
Such as when an attacker has disabled a system or a network worm has saturated network bandwidth.
Misuse
Such as when an intruder (or insider) makes unauthorized use of an account or information.
Damage
Such as when a virus destroys data.
Intrusions
Such as when an intruder penetrates system security.
Examples of Incidents
Different types of incidents:
Repudiation,
Harassment,
Pornography trafficking,
Organized crime activity,
Subversion.
Incident Response Methodology
Digital Forensics/Evidence Management
Preparation
Detection
Containment
Analysis
Eradication
Feedback
Recovery
Follow-up
Types of Digital Forensics
Network Analysis
Communication analysis
Log analysis
Path tracing
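To make the "log analysis" item concrete, here is an added example that is not part of the original slides. It parses a handful of constructed syslog-style sshd authentication lines (assumed format; not taken from any real system), groups them by source address, and flags a source that produces several failed logins inside a short window followed by a successful login, which is the kind of pattern an investigator looks for when reconstructing an intrusion from logs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the usual syslog/sshd layout. They are made up
# for this example; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Mar  3 10:15:01 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:15:03 host1 sshd[2203]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  3 10:15:04 host1 sshd[2205]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar  3 10:15:06 host1 sshd[2207]: Accepted password for root from 203.0.113.7 port 51028 ssh2
Mar  3 10:20:44 host1 sshd[2301]: Failed password for alice from 198.51.100.22 port 40110 ssh2
Mar  3 11:02:10 host1 sshd[2410]: Accepted publickey for alice from 198.51.100.22 port 40200 ssh2
"""

# Assumed line layout: "<Mon> <day> <HH:MM:SS> <host> sshd[<pid>]: <Failed|Accepted> <method> for [invalid user ]<user> from <ip> port <port> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def parse_auth_line(line, year=2020):
    """Turn one sshd log line into a dict, or None if it is not an auth event.
    Syslog lines carry no year, so the caller supplies it (assumed 2020 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "time": ts,
        "host": m["host"],
        "result": m["result"],
        "method": m["method"],
        "user": m["user"],
        "ip": m["ip"],
        "port": int(m["port"]),
    }


def find_suspicious_sources(lines, threshold=3, window_seconds=60):
    """Return {ip: summary} for every source that produced at least `threshold`
    failed logins within `window_seconds`, noting whether a successful login
    from the same source followed the burst. Lines are assumed to be in
    chronological order, as they are in a log file."""
    by_ip = defaultdict(list)
    for line in lines:
        event = parse_auth_line(line)
        if event:
            by_ip[event["ip"]].append(event)

    findings = {}
    for ip, events in by_ip.items():
        failures = [e["time"] for e in events if e["result"] == "Failed"]
        burst_start = None
        for i, start in enumerate(failures):
            in_window = [t for t in failures[i:] if (t - start).total_seconds() <= window_seconds]
            if len(in_window) >= threshold:
                burst_start = start
                break
        if burst_start is None:
            continue
        success_after = any(e["result"] == "Accepted" and e["time"] > burst_start for e in events)
        findings[ip] = {
            "failures": len(failures),
            "burst_start": burst_start.isoformat(),
            "success_after_burst": success_after,
        }
    return findings


if __name__ == "__main__":
    for ip, summary in find_suspicious_sources(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

The window-based count is what separates a forgotten password (one or two failures) from an automated guessing run; the "success after burst" flag tells the analyst which source deserves a full timeline reconstruction rather than a note in the report.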
Media Analysis
Disk imaging
MAC time analysis (Modify, Access, Create)
Content analysis
Slack space analysis
Steganography
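The "MAC time analysis" item above is illustrated by the following added example, which is not part of the original slides. It walks a directory, collects each file's modify, access and change timestamps from the inode metadata, and sorts them into a single timeline, which is the basic operation behind timeline reconstruction on an acquired image. The sample files, paths and back-dated timestamps are constructed for the demo. One caveat the code also documents: on Linux `st_ctime` is the inode change time, not the creation time; a true creation (birth) time is only available on platforms that expose `st_birthtime`.

```python
import os
import shutil
import tempfile
from datetime import datetime, timezone


def collect_mac_times(root):
    """Walk a tree and record (timestamp, kind, relative path) for every file.
    Kinds: M = content modified, A = last accessed, C = inode changed,
    B = created (birth), only where the platform exposes st_birthtime."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            records.append((st.st_mtime, "M", rel))
            records.append((st.st_atime, "A", rel))
            # On Linux st_ctime is the last metadata change, not creation.
            records.append((st.st_ctime, "C", rel))
            birth = getattr(st, "st_birthtime", None)
            if birth is not None:
                records.append((birth, "B", rel))
    return records


def build_timeline(root):
    """Return events oldest-first as (ISO-8601 UTC time, kind, path)."""
    events = sorted(collect_mac_times(root))
    return [
        (datetime.fromtimestamp(ts, timezone.utc).isoformat(), kind, path)
        for ts, kind, path in events
    ]


def demo():
    """Create constructed files with back-dated A/M times and return the
    (kind, path) sequence of the resulting timeline."""
    workdir = tempfile.mkdtemp()
    try:
        # Constructed sample: (atime, mtime) as epoch seconds, chosen so the
        # document is touched before the suspicious executable.
        samples = {
            "docs/report.doc": (1_600_000_000, 1_600_003_600),
            "tmp/dropper.exe": (1_600_007_200, 1_600_010_800),
        }
        for rel, (atime, mtime) in samples.items():
            path = os.path.join(workdir, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(b"constructed content")
            os.utime(path, (atime, mtime))  # back-date A and M; C becomes "now"
        timeline = build_timeline(workdir)
        return [(kind, path) for _ts, kind, path in timeline]
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for kind, path in demo():
        print(kind, path)
```

Because `os.utime` can rewrite A and M but not C, the change times in the demo land at the current moment, which is exactly why examiners treat C (and B where present) as the harder-to-forge anchor when M and A look back-dated.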
Code Analysis
Reverse engineering
Malicious code review
Exploit Review
Computer Forensics Tools
Filter and search software
Password recovery software
Data recovery
Data elimination
Hashing tools to validate accuracy of forensic copies
Imaging software, e.g. EnCase, SafeBack.
Data extraction or data mining software.
Example of Crime Solved by Computer Forensics
TYPE OF CRIME    TYPE OF E-EVIDENCE
Murder           Files on computer hard drives and a PDA
Double murder    GPS data from his car and cell phone; Internet history
Terrorism        E-mail, files from his computers
Serial killer    Deleted files on a pen drive used by the criminal at his computer
Kidnapping       E-mail communication between the victim and criminal; tracing an IP address to a computer at the criminal's home
Snipers          Digital recordings on a device in the suspects' car
Rape             E-evidence of pornography on his computer
Conclusion
Several unique opportunities give computer forensics the ability to uncover evidence that would be extremely difficult to find using a manual process.
Computer forensics also has a unique set of challenges that are not found in standard evidence gathering, including the volume of electronic evidence, how it is scattered in numerous locations, and its dynamic content.
References
Books :
1. Computer Forensics For Dummies
2. Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes
3. Computer Forensics: Computer Crime Scene Investigation
Websites
1. http://computer-forensics.safemode.org
2. http://www.cybersecurityinstitute.biz/forensics.htm
3. www.forensics-intl.com
4. www.cybersecurityinstitute.biz
COMPUTER FORENSICS
Questions???
and
THANK YOU!!