SAK 4801 SPECIAL TOPICS IN COMPUTER SCIENCE II
Chapter 1 Computer Forensics in Today’s World
Mohd Taufik Abdullah
Department of Computer Science
Faculty of Computer Science and Information Technology
University Putra of Malaysia
Room No: 2.28
Portions of the material courtesy EC-Council
Computer Forensics and Investigations
3 Chapter 1 Computer Forensics in Today’s World SAK4801 Special Topics in Computer Science II
Learning Objectives
At the end of this chapter, you will be able to:
• Understand the concept of computer forensics
• Describe how to prepare for computer investigations
• Explain the difference between law enforcement (public) agency and corporate (private) investigations
• Explain the importance of maintaining professional conduct
Chapter 1 Outline
1. Computer Forensics in Today’s World
1.1. Introduction to Computer Forensics
1.2. History of Computer Forensics
1.3. Computer Forensics Flaws and Risks
1.4. Cyber Crime
1.5. Reasons for Cyber Attacks
1.6. Modes of Attacks
1.7. Role of Computer Forensics
1.1 Introduction to Computer Forensics
1.1 Introduction to Computer Forensics
Computers combined with the Internet have become an important part of everyday life for the general public. Nowadays, more and more people are using computers and devices with computing capability. The combination of the growth in the computerization of business processes and in the number of Internet users has created new opportunities for criminals.
According to the EC-Council:
• 85% of business and government agencies detected security breaches
• The FBI estimates that the United States loses up to $10 billion a year to cyber crime
1.1 Introduction to Computer Forensics (Cont.)
The digital age has produced many new professions, but one of the most unusual is computer forensics. Computer forensics deals with the application of law to a science. Although it is similar to other forms of legal forensics, the computer forensics process requires a vast knowledge of computer hardware and software in order to avoid the accidental invalidation or destruction of evidence and to preserve the evidence for later analysis.
1.2 History of Computer Forensics
1.2.1 Forensic Science
Forensic science has been around since the dawn of justice.
• Francis Galton (1822–1911) made the first recorded study of fingerprints
• Leone Lattes (1887–1954) discovered blood groupings (A, B, AB, and O)
• Calvin Goddard (1891–1955) allowed firearms and bullet comparison for solving many pending court cases
• Albert Osborn (1858–1946) developed essential features of document examination
• Hans Gross (1847–1915) made use of scientific study to head criminal investigations
• FBI (1932) set up a lab to provide forensic services to all field agents and other law authorities across the country
1.2.2 Evolution of Computer Forensics
• 1984 – FBI Computer Analysis and Response Team (CART) emerged
• 1991 – International Law Enforcement meeting was conducted to discuss computer forensics and the need for a standardized approach
• 1994 – Department of Justice (DOJ) – Federal Guidelines for Searching and Seizing Computers
• 1997 – FBI – Scientific Working Group on Digital Evidence (SWGDE) was established to develop standards in computer forensics
• 2001 – USAF – Digital Forensics Research Workshop was held
• 2003 – Academic – International Journal of Digital Forensics & Incident Response, Elsevier
1.2.3 Definition of Forensic Science
Forensic science is “the application of physical sciences to law in the search for truth in civil, criminal and social behavioral matters to the end that injustice shall not be done to any member of society” (Source: Handbook of Forensic Pathology, College of American Pathologists, 1990)
Forensic science is “the application of scientific techniques and principles to provide evidence to legal or related investigations and determinations” (Forensic Science: An Encyclopedia of History, Methods, and Techniques, 2006)
Aim: determining the evidential value of crime scene and related evidence
1.2.4 Definition of Computer Forensics
Computer forensics is defined as “a methodical series of techniques and procedures for gathering evidence, from computing equipment and various storage devices and digital media, that can be presented in a court of law in a coherent and meaningful format” (Dr. H.B. Wolfe)
According to Steve Hailey, Cybersecurity Institute, computer forensics is “The preservation, identification, extraction, interpretation, and documentation of computer evidence, to include the rules of evidence, legal processes, integrity of evidence, factual reporting of the information found, and providing expert opinion in a court of law or other legal and/or administrative proceeding as to what was found.”
1.2.4 Definition of Computer Forensics (Cont.)
The FBI defines computer forensics as an application of science and engineering to the legal problem of digital evidence.
According to James Borek (2001), computer forensics is the “equivalent of surveying a crime scene or performing an autopsy on a victim”.
Computer forensics is “the use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.” (DFRWS 2001)
1.2.5 Computer Forensics Versus Other Related Disciplines
Computer forensics versus network forensics
Computer forensics involves scientifically examining and analyzing data from computer storage media so that the data can be used as evidence in court. (DIBS USA, Inc. – a corporation specializing in computer forensics)
Computer forensics investigates data that can be retrieved from a computer’s hard disk or other storage media.
Investigating computers includes collecting computer data securely, examining suspect data to determine details such as origin and content, presenting computer-based information to courts, and applying laws to computer practice.
1.2.5 Computer Forensics Versus Other Related Disciplines (Cont.)
Computer forensics investigators retrieve information from a computer or its component parts. The information might not be easy to find or decipher, though it might already be on the disk.
Network forensics produces information about how a culprit or hacker gained access to a network. Network forensics investigates log files and also tries to determine what tracks or new files were left behind on a victim’s computer or what changes were made.
Network forensics investigators use log files to determine when users logged on and try to determine which URLs users accessed, how they logged on to the network, and from what location.
1.2.5 Computer Forensics Versus Other Related Disciplines (Cont.)
Computer forensics versus data recovery
Data recovery involves recovering information from a computer, for example, a file that was deleted by mistake or lost during a power surge or server crash. In data recovery, the information you are looking for is known.
Computer forensics is the task of recovering data that users have hidden or deleted, with the goal of ensuring that the recovered data is valid so that it can be used as evidence. The evidence can be inculpatory (in criminal cases, the expression is “incriminating”) or exculpatory, meaning it might clear the suspect.
1.2.5 Computer Forensics Versus Other Related Disciplines (Cont.)
Investigators often examine a computer disk not knowing whether it contains evidence; they must search the storage media. If they find data, they piece it together to produce evidence.
Various forensics software tools can be used for most cases. In extreme cases, investigators can use electron microscopes and other sophisticated equipment to retrieve information from machines that have been damaged or purposefully reformatted.
1.2.5 Computer Forensics Versus Other Related Disciplines (Cont.)
Computer forensics versus computer security
Computer forensics is concerned with the proper acquisition, preservation and analysis of digital evidence, typically after an unauthorized access or use has taken place.
Computer security’s main focus is the prevention of unauthorized access, as well as the maintenance of confidentiality, integrity and availability of computer systems.
1.2.6 Need for Computer Forensics
The need for computer forensics arises from:
• The presence of a majority of electronic documents nowadays. According to a University of California study, during 1999:
  • 93% of information was generated in digital form, on computers
  • 7% of information originated in other media, such as paper
• Searching for and identifying data in a computer
• The increasing trail of activities left on computers by perpetrators
• Digital evidence is delicate in nature; therefore it must be recorded as early as possible to avoid loss of valuable evidence
• Electronic information can be easily planted, created and stored
1.2.6 Need for Computer Forensics (Cont.)
Law enforcement officials, network and system administrators of IT firms, attorneys and also private investigators depend upon qualified computer forensic experts to investigate criminal and civil cases. An appropriate computer forensics specialist should be called in and given as much cooperative assistance as possible, because if there is to be any chance of recovering property, locating and successfully prosecuting the criminal, there must be evidence of sufficient quantity and quality.
Computer forensics is also needed for recovering deleted, encrypted or corrupted files from a system. This data will be helpful when presenting testimony in court.
1.3 Computer Forensics Flaws and Risks
1.3 Computer Forensics Flaws and Risks
• Computer forensics is in its early or development stages
• It is different from other forensic sciences, as digital evidence is examined
• There is little theoretical knowledge on which to base assumptions for analysis and standard empirical hypothesis testing
• Lack of proper training
• No standardization of tools
• Designations are not entirely professional
• It is still more of an “Art” than a “Science”
1.3 Computer Forensics Flaws and Risks (Cont.)
According to EC-Council, corporate espionage statistics:
• Corporate computer security budgets increased by an average of 48% in 2002
• 62% of corporate companies had their systems compromised by viruses
• FBI statistics reveal that more than 100 nations are engaged in corporate espionage against US companies
• More than 2230 documented incidents of corporate espionage by the year 2003
1.4 Cyber Crime
1.4.1 Definition of Cyber Crime
Definition: “Any illegal act involving a computer, its systems, or its applications” (EC-Council)
The crime must be intentional and not accidental.
Cyber crime is divided into 3 T’s:
• Tools of the crime
• Target of the crime
• Tangential to the crime
1.4.1 Definition of Cyber Crime (Cont.)
Tools of the crime
• Involve the various hacking tools that have been used to commit a crime
• Include the computer or workstation from where the crime has been committed. Take the whole system, including hardware such as the keyboard, mouse and monitor.
• Considered to be the evidence that the computer forensic investigator must analyze, process and then document
1.4.1 Definition of Cyber Crime (Cont.)
Target of the crime
• Also termed the victim. The victim can be corporate organizations, websites, consultancy agencies and government bodies.
• The target of the crime is usually the location where the computer forensic investigator goes about the process of examining the crime scene
Tangential to the crime
• Means the computer was used as a secondary tool. The computer creates a unique environment or unique form of assets.
• The computer is not the primary instrument of the crime; it simply facilitates it. The computer is used to store the evidence.
1.4.2 Digital Evidence
What is digital evidence? Information of probative value stored or transmitted in digital form.
Probative value – evidence which is sufficiently useful to prove something important in a trial
Type of digital evidence – what to seize?
• Storage media (e.g. floppies, CDs, thumb drives)
• Computer (CPU)
• Laptops (always seize the power supply)
• External drives and media
• Corresponding devices, e.g. tape/tape drive, Jaz disk/Jaz drive
• Unique software and operating manuals (might need to load software on the forensic computer to view files)
1.4.3 Examples of Cyber Crime
Theft of intellectual property
• Includes any act that would allow an individual to get access to patents, trade secrets, customer data, sales trends and any other confidential information that can be of monetary gain.
Damage of company service networks
• Takes place by the attacker planting a Trojan horse, conducting a denial of service attack, or installing an unauthorized modem in the network to allow insiders a chance to gain access.
Financial fraud
• Refers to any type of criminal behavior that uses fraudulent solicitation of prospective victims to conduct fraudulent transactions.
1.4.3 Examples of Cyber Crime (Cont.)
Hacker system penetrations
• A network or system penetration occurs when an outsider gets access to the network and changes settings within the network.
• Hackers attack using tools that take advantage of vulnerabilities in the security posture of the network, such as Trojans, rootkits, and sniffers.
Denial of Service attacks
• Aim at stopping legitimate requests to a network over the Internet by subjecting the network to illegitimate requests.
• Occur when several systems take up useful network resources, thereby rendering the network inaccessible.
1.4.3 Examples of Cyber Crime (Cont.)
Planting of viruses and worms
• Viruses can infect machines and seek to infect other vulnerable systems through applications such as an email client.
• Worms seek to replicate themselves over the network, thereby hogging resources apart from creating malfunctions.
• Trojan horses and backdoors are programs that allow an intruder to retain access to a compromised machine.
1.5 Reasons for Attacks
1.5 Reasons for Cyber Attacks
Motivation for cyber attacks:
• Experimentation and a desire for script kiddies to learn
• Psychological needs – to leave a mark
• Misguided trust in other individuals
• Revenge and malicious reasons – disgruntled employee
• Desire to embarrass the target
• Espionage – corporate and governmental
• Paid to gain information
1.6 Modes of Attacks
1.6 Modes of Attacks
Cyber crime falls into two categories depending on the way the attack takes place. Following are the two types of attacks:
• Insider attacks – attacks from an employee within an organization
• External attacks – attacks from the outside by persons who are not within the company. These involve hackers hired by either an insider or an external entity whose aim is to destroy a competitor’s reputation.
1.7 Role of Computer Forensics
1.7.1 Stages of Forensic Investigation in Tracking Computer Crime
• Identifying the crime
• Gathering the evidence
• Building a chain of custody. In this stage, data have been recovered. Data once recovered must be duplicated or replicated.
• Analyzing the evidence – use the duplicate
• Presenting the evidence
• Testifying
• Prosecution. In this stage, the computer forensics investigator must act as an expert witness.
1.7.1 Stages of Forensic Investigation in Tracking Computer Crime (Cont.)
An expert witness
• A person who can investigate a particular case, evaluate all findings, and educate the jury about his/her findings.
• His/her most important function is to present all his/her findings of the case in court.
• When functioning as an expert witness, the forensic investigator is the actual tool that law enforcement agencies around the world use to track and prosecute cyber criminals.
1.7.2 Rules of Computer Forensics
A good forensic investigator should always follow these rules:
• Minimize the option of examining the original evidence; instead, examine the duplicate evidence
• Obey rules of evidence and do not tamper with the evidence
• Always prepare a chain of custody, and handle evidence with care
• Never exceed the knowledge base of the forensic investigation
• Document any changes in evidence
1.7.3 The 3 As of Computer Forensics Methodology
The 3 As of computer forensics methodologies:
• Acquire evidence without modification or corruption
• Authenticate that the recovered evidence is the same as the originally seized data
• Analyze data without any alterations
1.7.4 Accessing Computer Forensics Resources
Resources can be accessed by joining various discussion groups such as:
• Computer Technology Investigators Northwest
• High Technology Crime Investigation Association
Joining a network of computer forensic experts and other professionals
News services devoted to computer forensics can also be a powerful resource
Other resources:
• Journals of forensic investigators
• Actual case studies
1.7.5 Preparing for Computer Investigations
Computing investigations fall under two distinct categories:
• Public investigation
• Corporate investigation
Public (enforcement agency) investigations include:
• Tools used to commit the crime
• Reason for the crime
• Type of crime
• Infringement on someone else’s rights by cyberstalking
1.7.5 Preparing for Computer Investigations (Cont.)
Corporate investigations:
• Involve private companies who address company policy violations and litigation disputes
• Company procedures should continue without any interruption from the investigation
• After the investigation the company should minimize or eliminate similar litigations
• Industrial espionage is the foremost crime in corporate investigations
1.7.6 Investigation Process
Identification: detecting/identifying the event/crime.
• Assess the case, ask people questions, and document the results in an effort to identify the crime and the location of the evidence
Preservation of evidence: chain of custody/evidence, documentation.
• A chain of custody/evidence must be prepared to know who handled the evidence, and every step taken by the forensic investigator must be documented for inclusion in the final report.
• Sometimes a computer and its related evidence can determine the chain of events leading to a crime for the investigator, as well as provide the evidence which can lead to conviction.
1.7.6 Investigation Process (Cont.)
Chain of custody is the accurate documentation of the movement and possession of a piece of evidence, from the time it is taken into custody until it is delivered to the court:
• Who collected it?
• How and where?
• Who took possession of it?
• How was it stored and protected?
• Who took it out of storage and why?
1.7.6 Investigation Process (Cont.)
Collection: data recovery, evidence collection.
• Finding the evidence, discovering relevant data, preparing an Order of Volatility, eradicating external avenues of alteration, gathering the evidence, and preparing a chain of custody
• Create an MD5 hash of the evidence collected
• Prior to collection, one should do a preliminary assessment to search for the evidence.
• Collect and seize the equipment used in committing the crime, and document the items collected, such as floppy disks, thumb drives, CDs, DVDs, and external backup drives.
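The Acquire/Authenticate/Analyze methodology of 1.7.3 and the hash-and-chain-of-custody steps of the collection slide above, as an added Python example (not from the slides or from EC-Council): it hashes a constructed sample evidence file, works only on a duplicate, records a custody entry for each handling step, and re-verifies the hashes so that any alteration of the working copy is detected. The file names, examiner names and the sample contents are illustrative assumptions.

```python
"""Acquire / Authenticate / Analyze with a chain-of-custody log (added example)."""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone


def hash_file(path, algos=("md5", "sha256")):
    """Hash a file in chunks so that large evidence images need not fit in memory."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


class ChainOfCustody:
    """Answers the slide's questions: who handled which item, how, where and when."""

    def __init__(self):
        self.entries = []

    def record(self, item, action, handler, location, notes=""):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "item": item, "action": action, "handler": handler,
            "location": location, "notes": notes,
        })
        return self.entries[-1]


def acquire(original, work_dir, custody, handler):
    """Acquire: hash the seized data, then make a duplicate; the original is not touched again."""
    seized_hashes = hash_file(original)
    custody.record(original, "seized-and-hashed", handler, "scene",
                   notes=f"md5={seized_hashes['md5']} sha256={seized_hashes['sha256']}")
    duplicate = os.path.join(work_dir, "working_copy.img")
    shutil.copyfile(original, duplicate)
    custody.record(duplicate, "duplicated", handler, "lab")
    return duplicate, seized_hashes


def authenticate(duplicate, seized_hashes, custody, handler):
    """Authenticate: the working copy must hash identically to the originally seized data."""
    current = hash_file(duplicate)
    ok = current == seized_hashes
    custody.record(duplicate, "verified" if ok else "HASH-MISMATCH", handler, "lab",
                   notes=f"sha256={current['sha256']}")
    return ok


def analyze(duplicate, needle):
    """Analyze: a read-only search over the duplicate; returns the byte offset or -1."""
    with open(duplicate, "rb") as fh:
        return fh.read().find(needle)


def run_demo():
    """Constructed scenario: a small 'evidence image', then a tampered working copy."""
    tmp = tempfile.mkdtemp()
    original = os.path.join(tmp, "seized_disk.img")
    with open(original, "wb") as fh:  # constructed sample evidence, not real data
        fh.write(b"\x00" * 512 + b"FROM: suspect@example.invalid\n" + b"\xff" * 512)
    custody = ChainOfCustody()
    duplicate, seized = acquire(original, tmp, custody, "Examiner A")
    verified = authenticate(duplicate, seized, custody, "Examiner A")
    offset = analyze(duplicate, b"suspect@example.invalid")
    # Simulate an alteration of the working copy; re-authentication must now fail.
    with open(duplicate, "r+b") as fh:
        fh.seek(512)
        fh.write(b"X")
    still_verified = authenticate(duplicate, seized, custody, "Examiner B")
    shutil.rmtree(tmp)
    return {"verified": verified, "offset": offset,
            "tamper_detected": not still_verified,
            "custody_entries": len(custody.entries), "seized_hashes": seized}


if __name__ == "__main__":
    print(run_demo())
```

The slide names MD5; the block also records SHA-256, because MD5 collisions are practical and a second algorithm alongside it is now common lab practice.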
1.7.6 Investigation Process (Cont.)
• Take photos of the crime scene before removing the evidence, using a single-lens reflex (SLR) camera.
Examination: tracing, filtering, extracting hidden data.
• Review registers and cache, routing tables, ARP cache, process tables, and kernel statistics and modules
Analysis: analyzing evidence.
• Can be carried out using various forensic analysis tools such as EnCase, AccessData, etc.
1.7.6 Investigation Process (Cont.)
Presentation: investigation report, expert witness.
• Include what was done and the results in the final report. This includes the who, what, when, where, and how of the crime.
• Explain the computer and network processes
• The log files generated by forensic tools to keep track of all the steps taken
Decision
Report
1.7.7 Where and When Do You Use Computer Forensics
Use computer forensics when:
• there is a need to provide real evidence, such as reading bar codes or magnetic tapes, to identify the occurrence of electronic transactions and to reconstruct an incident with its sequence of events.
• a breach of contract occurs, copyright and intellectual property theft/misuse happens, or during employee disputes where there is damage to resources.
1.7.8 Maintaining Professional Conduct
• Professional conduct determines the credibility of a forensic investigator
• Investigators must display the highest level of ethics and moral integrity
• Maintaining objectivity: sustain unbiased opinions of your cases
• Confidentiality is an essential feature which all forensic investigators must display
• Avoid making conclusions about the findings until all reasonable leads have been exhausted
• Consider all the available facts
• Ignore external biases to maintain the integrity of the fact-finding in all investigations
1.7.8 Maintaining Professional Conduct (Cont.)
• Discuss the case at hand only with persons who have the right to know
• Stay current with the latest technical changes in computer hardware and software, networking, and forensic tools
• Learn about the latest investigation techniques that can be applied to the case
• Record fact-finding methods in a journal. Include dates and important details that serve as memory triggers
• Develop a routine of regularly reviewing the journal to keep past achievements fresh
1.7.8 Maintaining Professional Conduct (Cont.)
• Attend workshops, conferences, and vendor-specific courses conducted by software manufacturers
• Monitor the latest book releases and read as much as possible about computer investigations and forensics
Summary
• The need for computer forensics has grown to a large extent due to the presence of a majority of digital documents
• Differs from network forensics, data recovery, and disaster recovery in scope, technique, and objective
• A computer can be used as a tool for investigation or as evidence
• Minimize the option of examining the original evidence
• The 3 As of computer forensics methodologies are Acquire, Authenticate, and Analyze
• A computer forensic investigator must be aware of the steps involved in the investigative process
Summary (Cont.)
• To be successful, you must be familiar with more than one computing platform
• To supplement your knowledge, develop and maintain contact with computer, network, and investigative professionals
• Public investigations typically require a search warrant before the digital evidence is seized
• During public investigations, you search for evidence to support criminal allegations
• During private investigations, you search for evidence to support allegations of abuse of a company’s or person’s assets and, in some cases, criminal complaints
• Forensics investigators must maintain an impeccable reputation to protect credibility
Summary (Cont.)
• Most information is stored on hard disks, floppy disks, and CD-ROMs in a nonvolatile manner
• Peripheral components (video adapter cards, sound cards, mice, keyboards, NICs) attach to the mainboard via an expansion slot or port
• All peripherals must have a unique IRQ and I/O address to communicate with the processor
• Hardware information can be gathered from computer manuals, the BIOS, or other OSs
• Computer forensics investigators must maintain professional conduct to protect their credibility
End of Chapter 1