COMPUTER FORENSICS

Computer forensics is the field of study in which the artifacts on a computer
that are of evidentiary value are collected, using a range of tools and
techniques, to take a case or trial forward.
Here "computer" means the machine that was attacked, was used as a medium for
the attack, or contains data relating to the crime.

Phases of Computer Forensics


1. Collection: the data is identified and collected, generally in the form of
digital data.
2. Preservation: the collected data is kept safe in a "reliable", "complete",
"accurate" and "verifiable" way so that it can be looked back at whenever it is
needed later.
3. Filtering: artifacts of evidentiary value are filtered in and the rest are
filtered out. A wide range of tools is used in this phase, e.g. history-specific
tools (which locate and extract the data left behind by web browser activity).
4. Presenting: the artifacts retained by the filtering phase are presented in
many forms.
It starts with extracting data from the original media/device.
That data is then stored temporarily on digital media, e.g. external hard drives.
The data is analyzed and processed and, finally, the relevant evidence is
organized and saved onto CD-ROM/DVD-ROM storage devices.

FEW IMPORTANT THINGS


- Locard's Exchange Principle: when an object interacts with another object, it
leaves behind evidence. Just as criminals leave evidence at a crime scene,
hackers leave traces on computers.
- Example: when hackers do something on a computer, the operating system keeps
a record of their actions (such as a log or history). Leftover data on a hard
disk, even in areas that are not actively in use, can also show traces of what
they did. This follows Locard's Principle.
- The collection of computer evidence is intended to provide proof at
trial/court.
- You only get one chance at evidence collection. If proper care is taken
during the identification and collection of digital data, any mistake in the
later stages of the investigation may be recoverable.

CHALLENGES TO COMPUTER EVIDENCE


1. Was the data altered?
This is addressed with methodologies such as maintaining the chain of custody,
documentation, and cryptographic hash verification, which does not contaminate
the data.

2. Are the programs used to present the data reliable?
This is handled by using programs that have industry-wide acceptance, are
peer-reviewed, and are individually tested for reliability.

3. What is the identity of the author / who created the data?

The author can be identified by analyzing word usage (nouns) in typed documents
or chat transcripts to attribute the message or data to its writer.
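The third challenge, comparing word usage to attribute a text to a writer, can be tried out with a small added example (my own code, not part of these notes): it builds a word-frequency profile from each candidate's known writing sample and scores an unattributed message against every candidate by cosine similarity. The author names, the writing samples and the unknown message are constructed for the example. Real stylometry uses far larger samples and function-word statistics, and a similarity score on its own is never proof of authorship; it only ranks candidates for further investigation.

```python
import math
import re
from collections import Counter

WORD = re.compile(r"[a-z']+")


def word_profile(text: str) -> dict:
    """Relative frequency of every word in the text (case-folded).
    Returns an empty dict for text that contains no words at all."""
    counts = Counter(WORD.findall(text.lower()))
    total = sum(counts.values())
    return {w: c / total for w, c in counts.items()} if total else {}


def cosine_similarity(p: dict, q: dict) -> float:
    """Cosine of the angle between two word-frequency vectors (0.0 .. 1.0).
    An empty profile on either side yields 0.0 instead of a division error."""
    dot = sum(p[w] * q[w] for w in p.keys() & q.keys())
    norm_p = math.sqrt(sum(v * v for v in p.values()))
    norm_q = math.sqrt(sum(v * v for v in q.values()))
    return dot / (norm_p * norm_q) if norm_p and norm_q else 0.0


def attribute_author(unknown: str, known: dict) -> tuple:
    """Score the unknown text against each candidate's writing sample.
    Returns (best_candidate, {candidate: score}); best_candidate is None when
    nothing scored above zero, i.e. there is no basis for an attribution."""
    target = word_profile(unknown)
    scores = {name: cosine_similarity(target, word_profile(sample))
              for name, sample in known.items()}
    best = max(scores, key=scores.get) if scores and max(scores.values()) > 0 else None
    return best, scores


# Constructed writing samples (hypothetical authors) and an unattributed message.
KNOWN_SAMPLES = {
    "alice": "the server rebooted after the firewall dropped packets. "
             "check the server logs for packets.",
    "bob": "the invoice for the customer is unpaid. "
           "send the payment reminder to the customer.",
}
UNKNOWN_MESSAGE = "the firewall dropped the packets and the server logged it"

if __name__ == "__main__":
    best, scores = attribute_author(UNKNOWN_MESSAGE, KNOWN_SAMPLES)
    for name, score in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{name}: {score:.3f}")
    print("closest candidate:", best)
```

The profile keeps every word, including "the", which is why the scores are closer than the content words alone would suggest; a practitioner would normally report the whole score table, not just the winner, and treat a small margin as inconclusive.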

EVIDENCE DYNAMICS
Evidence Dynamics suggests that many forces act on digital data; this results
in a change to the data or has some other effect on it.
The forces that act on evidence are classified as human forces, natural forces
and incidental forces.

Human Forces
Every human who interacts with the crime scene comes under human forces.
Examples:
Emergency personnel – these people focus on saving lives, which can affect the
evidence.
Law enforcement personnel – these people understand crime scenes but lack
technical knowledge of digital evidence.
Victims – these people either try to defend themselves or react to the hacker
(with or without their knowledge).
Suspects – these people try to remove, hide or restrict access to the digital
evidence.
Bystanders – these people may not affect the digital data, but they are prone
to being attacked unintentionally.
Forensic investigators – the major effect these professionals can cause is the
loss of volatile data, for example when a live computer is shut down.
Investigators can choose from a wide range of methods for switching off the
system according to the situation, as each method can give different results on
the digital data. One of the possibilities is:
- Pulling the plug – this can be an effective way, but the hacker might have
installed a script that executes and deletes the evidence when the computer is
not shut down using the procedure known to the owner.
But deleting huge data from the disk.
Another automated destruction of evidence that hackers use is to install an app
that automatically deletes all the evidence if the network connection is lost.
A trigger that senses the loss of the network connection in this way is called
a Dead Man's Switch.

Natural Forces
Time: as time passes, the data stored on external devices fades away.
Water, fire, weather conditions, natural calamities.
Humidity levels: if the air is too dry, static electricity builds up and
discharges as a shock when we touch devices (electrostatic discharge); this can
damage parts such as exposed circuit boards. If the air is moist, the devices
are subject to corrosion. Both of these can spoil evidence, so we use protective
measures and grounding wristbands.
Heat: the external media on which the data is stored should be protected from
heat by regulating temperatures, to prevent combustion and destruction of the
media.

Equipment Forces
Special equipment exists for computer forensics to help investigators collect
evidence efficiently. The equipment is either software or hardware created
especially for CF, or repurposed software or hardware. The forces exerted by the
equipment play a key role in damaging digital evidence.
- Hardware equipment:
1. Hardware disk write-blocking devices: these devices are built to collect
digital evidence from the suspect's disk without the risk of modifying the
original data on that disk. Hence, these devices reduce evidence dynamics
effects.
2. Disk imaging devices: these devices are built to carry out the disk imaging
process (replicating the disk that holds the evidence) in a bit-stream fashion
to collect digital evidence. Many such devices provide write blocking and
sector-by-sector imaging to aid CF investigators.
3. A PCI-based hardware device proposed by Brian Carrier to reduce the effects
of collecting data from volatile memory during digital data collection. This
device must be used before collecting the data from volatile memory.
In some cases, investigators use standard computer hardware for the collection
and analysis of evidence. Specialized equipment can then be used alongside the
repurposed equipment.
- Software: software developed specifically for the computer forensics field to
collect, interpret/analyze and view disk data. It is created for CF
investigators to reduce evidence dynamics effects during the collection and
analysis of digital evidence, and it provides "data integrity".
Software manufacturers took the approach of reorganizing disk data from the bit
level and creating their own (read-only) filesystem view that replicates the
disk data. This not only ensures that the data is not altered but also helps to
analyze the data in depth.
So investigators should understand how each hardware device or piece of
software affects digital data in different scenarios; this can mitigate
evidence dynamics.
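As an added illustration of two points in these notes, the hash verification and chain of custody from challenge 1 ("Was the data altered?") and the write-blocked, sector-by-sector imaging described under equipment forces, here is a small Python example (my own code, not from these notes or any forensic product). The SuspectDisk class, the exhibit id, the examiner names and the unreadable sector are constructed stand-ins; a real acquisition would read a block device through a hardware write blocker and write the image to a file, but the per-sector error handling and the hash-at-acquisition logic are the same.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

SECTOR_SIZE = 512


class WriteBlockedError(PermissionError):
    """Raised when anything tries to write through the (emulated) blocker."""


class SuspectDisk:
    """Constructed stand-in for a suspect disk behind a hardware write blocker:
    sectors can be read, some may be unreadable, none can be written."""

    def __init__(self, raw: bytes, bad_sectors=()):
        self._raw = raw
        self._bad = set(bad_sectors)

    @property
    def sector_count(self) -> int:
        return -(-len(self._raw) // SECTOR_SIZE)      # ceiling division

    def read_sector(self, n: int) -> bytes:
        if n in self._bad:
            raise OSError(f"I/O error reading sector {n}")
        chunk = self._raw[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE]
        return chunk.ljust(SECTOR_SIZE, b"\x00")       # short last sector padded

    def write_sector(self, n: int, data: bytes) -> None:
        raise WriteBlockedError(f"write to sector {n} blocked")


def sha256_hex(data: bytes) -> str:
    """Hashing only reads the bytes, so it cannot contaminate the evidence."""
    return hashlib.sha256(data).hexdigest()


def acquire_image(disk: SuspectDisk):
    """Bit-stream copy, sector by sector. Unreadable sectors are zero-filled and
    logged (the behaviour of `dd conv=noerror,sync`) so that offsets in the
    image match the original. Returns (image, acquisition_hash, log)."""
    image, log = bytearray(), []
    for n in range(disk.sector_count):
        try:
            image += disk.read_sector(n)
        except OSError as exc:
            image += b"\x00" * SECTOR_SIZE
            log.append(f"sector {n}: unreadable, zero-filled ({exc})")
    return bytes(image), sha256_hex(bytes(image)), log


@dataclass
class CustodyEntry:
    who: str
    action: str
    sha256: str      # hash of the image as observed at this step


@dataclass
class ChainOfCustody:
    """Documents every hand-off and re-hashes the image at each one, so any
    alteration is pinned to the step where it first appeared."""
    item_id: str
    acquisition_hash: str                       # taken at collection time
    entries: list = field(default_factory=list)

    def record(self, who: str, action: str, image: bytes) -> CustodyEntry:
        entry = CustodyEntry(who, action, sha256_hex(image))
        self.entries.append(entry)
        return entry

    def verify(self, image: bytes) -> bool:
        """Is the image still bit-for-bit what was acquired?"""
        return hmac.compare_digest(sha256_hex(image), self.acquisition_hash)

    def first_alteration(self):
        """First custody step whose hash differs from the acquisition hash,
        or None if the chain is intact."""
        for entry in self.entries:
            if not hmac.compare_digest(entry.sha256, self.acquisition_hash):
                return entry
        return None


# Constructed disk: five full sectors with distinct fill bytes, a short tail,
# and one sector (2) that returns a read error.
RAW = b"".join(bytes([0x10 + i]) * SECTOR_SIZE for i in range(5)) + b"tail"
DISK = SuspectDisk(RAW, bad_sectors={2})


def acquire_and_open_chain(disk: SuspectDisk, item_id: str):
    """Acquire, hash, and open the custody record with the acquisition hash."""
    image, digest, log = acquire_image(disk)
    chain = ChainOfCustody(item_id, digest)
    chain.record("examiner-1", "acquired", image)        # hypothetical examiner
    return image, chain, log


if __name__ == "__main__":
    image, chain, log = acquire_and_open_chain(DISK, "EXHIBIT-01")
    print(log, chain.verify(image))
    tampered = image[:-4] + b"XXXX"                       # constructed tampering
    chain.record("examiner-2", "after analysis", tampered)
    print(chain.verify(tampered), chain.first_alteration().action)
```

Zero-filling an unreadable sector keeps every later offset of the image identical to the original, which is why the log of substituted sectors has to travel with the image and its acquisition hash; without it, a later verifier cannot tell a genuinely empty sector from one the imager could not read.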

Auditing the IT Systems and its scope


Auditing is the testing of the IT systems and network of an organization or
enterprise to protect them from potential vulnerabilities and attacks.
An attacker's exploitation attempts can fail for a variety of reasons,
including the following:
- A missing vulnerability
- Network delays
- Unforeseen equipment and software configurations
- Packet filtering and reactive firewalling anomalies
