What is Computer Forensics?
- Computer forensics involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis.
- Evidence might be required for a wide range of computer crimes and misuses
- Multiple methods of
- Discovering data on computer system
- Recovering deleted, encrypted, or damaged file information
- Monitoring live activity
- Detecting violations of corporate policy
- Information collected assists in arrests, prosecution, termination of employment, and preventing future illegal activity
- What Constitutes Digital Evidence?
- Any information, whether or not it has been subject to human intervention, that can be extracted from a computer.
- Must be in human-readable format or capable of being interpreted by a person with expertise in the subject.
- Computer Forensics Examples
- Recovering thousands of deleted emails
- Performing investigation post employment termination
- Recovering evidence post formatting hard drive
- Performing investigation after multiple users had taken over the system
Reasons for Evidence
- Wide range of computer crimes and misuses
- Non-Business Environment: evidence collected by Federal, State and local authorities for crimes relating to:
- Theft of trade secrets
- Fraud
- Extortion
- Industrial espionage
- Possession of pornography
- SPAM investigations
- Virus/Trojan distribution
- Homicide investigations
- Intellectual property breaches
- Unauthorized use of personal information
- Forgery
- Perjury
- Business Environment: computer-related crime and violations include a range of activities, including:
- Theft of or destruction of intellectual property
- Unauthorized activity
- Tracking internet browsing habits
- Reconstructing Events
- Inferring intentions
- Selling company bandwidth
- Wrongful dismissal claims
- Sexual harassment
- Software Piracy
Who Uses Computer Forensics?
- Criminal Prosecutors
- Rely on evidence obtained from a computer to prosecute suspects and use as evidence
- Civil Litigations
- Personal and business data discovered on a computer can be used in fraud, divorce, harassment, or discrimination cases
- Insurance Companies
- Evidence discovered on a computer can be used to reduce costs (fraud, worker's compensation, arson, etc.)
- Private Corporations
- Evidence obtained from employee computers can be used in harassment, fraud, and embezzlement cases
- Law Enforcement Officials
- Rely on computer forensics to back up search warrants and post-seizure handling
- Individual/Private Citizens
- Obtain the services of professional computer forensic specialists to support claims of harassment, abuse, or wrongful termination from employment
Evidence Processing Guidelines
- New Technologies Inc. recommends the following 16 steps in processing evidence
- They offer training on properly handling each step
- Step 1: Shut down the computer
- Consideration must be given to volatile information
- Prevents remote access to the machine and destruction of evidence (manual or by anti-forensic software)
- Step 2: Document the Hardware Configuration of the System
- Note everything about the computer configuration prior to relocating it
- Step 3: Transport the Computer System to A Secure Location
- Do not leave the computer unattended unless it is locked in a secure location
- Step 4: Make Bit Stream Backups of Hard Disks and Floppy Disks
- Step 5: Mathematically Authenticate Data on All Storage Devices
- Must be able to prove that you did not alter any of the evidence after the computer came into your possession
- Step 6: Document the System Date and Time
- Step 7: Make a List of Key Search Words
- Step 8: Evaluate the Windows Swap File
- Step 9: Evaluate File Slack
- File slack is a data storage area of which most computer users are unaware; a source of significant security leakage.
- Step 10: Evaluate Unallocated Space (Erased Files)
- Step 11: Search Files, File Slack and Unallocated Space for Key Words
- Step 12: Document File Names, Dates and Times
- Step 13: Identify File, Program and Storage Anomalies
- Step 14: Evaluate Program Functionality
- Step 15: Document Your Findings
- Step 16: Retain Copies of Software Used
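The following is an added example, not code from the slides or from New Technologies Inc.: a minimal, in-memory walk through Steps 5, 6, 11, 12 and 15 above. It builds a small constructed disk image (two "allocated" sectors holding a file, two unallocated sectors still holding the remains of a deleted document), records a SHA-256 hash of the image so that later re-hashing proves it was not altered in custody, searches the whole image, including unallocated space, for key words, and documents each hit with its byte offset, sector and region in a timestamped findings record. The sector size, the sample contents and all function names are assumptions for illustration; in practice the image comes from a write-blocked acquisition, not from memory.

```python
"""Added example (not from the slides): Steps 5, 6, 11, 12 and 15 of the
evidence-processing sequence applied to a constructed in-memory disk image."""
import hashlib
from datetime import datetime, timezone

SECTOR = 512  # assumed sector size for the toy image


def build_sample_image() -> bytes:
    """Constructed sample image: two allocated sectors holding a live file,
    followed by two unallocated sectors that still contain a deleted document."""
    allocated = b"Quarterly report: revenue up 3%.".ljust(SECTOR * 2, b"\x00")
    unallocated = (b"\x00" * 100 +
                   b"CONFIDENTIAL: transfer funds to account 12345 before audit"
                   ).ljust(SECTOR * 2, b"\x00")
    return allocated + unallocated


def authenticate(image: bytes) -> str:
    """Step 5: cryptographic hash recorded at acquisition time."""
    return hashlib.sha256(image).hexdigest()


def verify(image: bytes, recorded_hash: str) -> bool:
    """Re-hash the image and compare with the recorded value; any changed byte
    makes this fail, which is what proves the evidence was not altered."""
    return hashlib.sha256(image).hexdigest() == recorded_hash


def keyword_search(image: bytes, keywords, allocated_sectors: int):
    """Step 11: search the entire image, allocated and unallocated, for key words.
    Each hit is documented (Step 12) with offset, sector and region."""
    hits = []
    for kw in keywords:
        needle = kw.encode()
        start = 0
        while (pos := image.find(needle, start)) != -1:
            sector = pos // SECTOR
            hits.append({
                "keyword": kw,
                "offset": pos,
                "sector": sector,
                "region": "allocated" if sector < allocated_sectors else "unallocated",
                "context": image[pos:pos + 40].rstrip(b"\x00").decode(errors="replace"),
            })
            start = pos + 1
    return hits


def findings_record(image: bytes, keywords, allocated_sectors: int) -> dict:
    """Step 15: bundle the acquisition hash, a UTC timestamp (Step 6 documents
    the system date and time) and the search hits into one record."""
    return {
        "sha256": authenticate(image),
        "documented_at_utc": datetime.now(timezone.utc).isoformat(),
        "hits": keyword_search(image, keywords, allocated_sectors),
    }


if __name__ == "__main__":
    img = build_sample_image()
    h = authenticate(img)
    print("image sha256:", h)
    print("unaltered:", verify(img, h))
    # Flipping a single bit invalidates the recorded hash.
    tampered = bytearray(img)
    tampered[0] ^= 1
    print("tampered image verifies:", verify(bytes(tampered), h))
    for hit in keyword_search(img, ["CONFIDENTIAL", "audit", "revenue"], allocated_sectors=2):
        print(hit)
```

The search deliberately ignores the file system and scans raw bytes, which is why the deleted "CONFIDENTIAL" text in unallocated space is found alongside the live "revenue" text; the region label is what lets the findings distinguish the two.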
Collecting Evidence
- Make exact copies of all hard drives & disks using computer software
- Date and Time stamped on each file; used for timeline
- Protect the Computer system
- Avoid deletion, damage, viruses and corruption
- Discover files
- Normal Files
- Deleted Files
- Password Protected Files
- Hidden Files
- Encrypted Files
- Reveal all contents of hidden files used by applications and the operating system
- Access contents of password protected files if legally able to do so
- Analyze data
- Print out analysis
- Computer System
- All Files and data
- Overall opinion
- Provide expert consultation/testimony
More about Computer Forensics
Web link: http://en.wikipedia.org/wiki/Computer_forensics
What is data recovery?
- Retrieving deleted/inaccessible data from electronic storage media (hard drives, removable media, optical devices, etc…)
- Typical causes of loss include:
- Electro-mechanical Failure
- Natural Disaster
- Computer Virus
- Data Corruption
- Computer Crime
- Human Error
Uses of data recovery
- Average User:
- Recover important lost files
- Keep your private information private
- Law enforcement:
- Locate illegal data
- Restore deleted/overwritten information
- Prosecute criminals based on discovered data
Software Recovery of data
- Generally only restore data not yet overwritten.
- Do not work on physically damaged drives
- Undelete Pro, EasyRecovery, Proliant, Novanet, etc.
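An added example, not code from the slides or from any of the products named above, showing why software recovery "generally only restores data not yet overwritten" (and why Step 9's file slack leaks data). It models a toy file system: deleting a file only flags its directory entry and returns its clusters to the free list, so an undelete that follows the stale cluster chain still gets the bytes back; once a new file reuses a cluster, the same undelete returns corrupted data, and the tail of the reused cluster shows up as the new file's slack. The cluster size, the lowest-free-cluster allocation policy and the per-file hash (kept here only as an oracle to judge recovery, not something a real file system stores) are assumptions for illustration.

```python
"""Added example (not from the slides): a toy file system demonstrating
undelete before and after cluster reuse, plus file slack."""
import hashlib

CLUSTER = 64      # assumed cluster size in bytes
N_CLUSTERS = 8    # assumed disk size


class ToyDisk:
    def __init__(self):
        self.clusters = [bytearray(CLUSTER) for _ in range(N_CLUSTERS)]
        self.free = list(range(N_CLUSTERS))
        # name -> {"chain": [cluster indexes], "size": int, "deleted": bool, "sha256": str}
        self.directory = {}

    def write(self, name: str, data: bytes):
        needed = -(-len(data) // CLUSTER)  # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        chain = [self.free.pop(0) for _ in range(needed)]  # lowest free cluster first
        for i, c in enumerate(chain):
            chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
            self.clusters[c][:len(chunk)] = chunk
            # bytes of the last cluster beyond len(chunk) are left untouched: that is file slack
        self.directory[name] = {
            "chain": chain, "size": len(data), "deleted": False,
            # illustrative oracle only; real file systems keep no such hash
            "sha256": hashlib.sha256(data).hexdigest(),
        }

    def delete(self, name: str):
        """Like a real delete: flag the entry and free the clusters; touch no data byte."""
        entry = self.directory[name]
        entry["deleted"] = True
        self.free.extend(entry["chain"])
        self.free.sort()

    def undelete(self, name: str):
        """Recovery-tool view: follow the stale chain and read size bytes.
        Returns (data, intact) where intact says whether the bytes still match."""
        entry = self.directory[name]
        raw = b"".join(bytes(self.clusters[c]) for c in entry["chain"])
        data = raw[:entry["size"]]
        intact = hashlib.sha256(data).hexdigest() == entry["sha256"]
        return data, intact

    def slack(self, name: str) -> bytes:
        """Step 9's file slack: the unused tail of a live file's last cluster."""
        entry = self.directory[name]
        last = entry["chain"][-1]
        used = entry["size"] - (len(entry["chain"]) - 1) * CLUSTER
        return bytes(self.clusters[last][used:])


if __name__ == "__main__":
    d = ToyDisk()
    d.write("secret.txt", b"A" * 100)        # occupies clusters 0 and 1
    d.delete("secret.txt")
    print("after delete:", d.undelete("secret.txt"))      # (b'A'*100, True)
    d.write("new.txt", b"B" * 10)           # reuses cluster 0
    print("after reuse:", d.undelete("secret.txt"))       # (b'B'*10 + b'A'*90, False)
    print("slack of new.txt:", d.slack("new.txt"))        # 54 leftover 'A' bytes
```

Because only the first 10 bytes of cluster 0 were overwritten, the remaining 54 bytes of the old file survive in the new file's slack; this is exactly the "data storage area of which most computer users are unaware" that Step 9 asks the examiner to evaluate.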
Recovery Methods
- Hidden files
- Recycle bin
- Unerase wizards
- Assorted commercial programs
- Ferrofluid
- Coat surface of disk
- Check with optical microscope
- Does not work for more recent hard drives
- More recently…
Basic Hard Disk
A hard disk drive (HDD), also called a hard drive, hard disk, or disk drive, is a device for storing and retrieving digital information, primarily computer data. It is a large-capacity, permanent magnetic storage device built into most personal computers. It consists of rapidly rotating discs (platters) coated with magnetic material, together with magnetic heads.
Hard Drive Capacities
Hard drives can store large amounts of data, but stated capacities are not always comparable. This is due to the fact that most hard drive manufacturers and many software applications associate the terms MB (megabyte), GB (gigabyte) and TB (terabyte) with different values.
Many software packages use the binary interpretation (binary prefix), in which 1 GB = 1,024 MB, whereas the decimal interpretation used by manufacturers takes 1 GB = 1,000 MB. Below shows the difference between the decimal and binary prefixes.