Module 1 Introduction to Computer Forensic

The document provides an introduction to digital forensics, focusing on computer crime, digital evidence, and the methodologies used in computer forensics. It outlines the goals of computer forensics, the classification of digital evidence, and the challenges faced in the field. The document also emphasizes the importance of structured investigations to uncover what happened on digital systems and who is responsible.

Department of Computer Sciences

Introduction to Digital Forensics
CYB 205

Akinsola, JET Ph.D.

Lecture I: Introduction to Computer Forensic
Module Outline
▪ Computer Crime
▪ Computer is Used to Commit a Crime
▪ Computer Security Incident
▪ Computer Forensics
▪ Computer Forensic Goal
▪ Goals of Incident Response
▪ Background to Computer Forensic
▪ Forensic Science
▪ Computer (or Cyber) Forensics
▪ Computer and Digital Forensics
▪ Network Forensics
▪ Forensic Methodology
▪ Category of Digital Evidence
▪ Digital Evidence
▪ Where Evidence Resides
▪ Evidence on Application Layer
▪ Evidence on Transport and Network Layers
▪ Evidence on the Data-link and Physical Layers
▪ Challenges of Computer Forensics
▪ Cybertrail and Crime Scene
▪ Cyberwar or Information Warfare
▪ Slack Space
▪ Evidence Recovery from RAMs on modern Unix systems
Learning Objectives

▪ Students are expected to:
▪ Define computer crime
▪ Explain and classify computer forensics and give examples
▪ Distinguish between computer forensics and cyber forensics
▪ Analyse digital forensic methodology
▪ Extract digital evidence and analyse it
▪ Explain the challenges of computer forensics
Computer Crime

▪ Computer crime is any criminal offense, activity or issue that involves computers (http://www.forensics.nl).
▪ Computer misuse tends to fall into two categories:
▪ The computer is used to commit a crime.
▪ The computer itself is the target of a crime; the computer is the victim. This is a computer security incident.
▪ Every computer forensic investigation involves computer incident response.
Computer is Used to Commit a Crime

▪ Computers are used in illegal activities: child pornography, threatening letters, e-mail spam or harassment, extortion, fraud and theft of intellectual property, embezzlement. All of these crimes leave digital tracks.
▪ Investigation of these types of crimes includes searching computers that are suspected of being involved in illegal activities.
▪ Analysis of gigabytes of data looking for specific keywords, and examining log files to see what happened at certain times.
Computer Forensic Goal

▪ The goal of computer forensics is to do a structured investigation and find out exactly what happened on a digital system, and who was responsible for it (http://www.forensics.nl).
Computer Security Incident

▪ Unauthorized or unlawful intrusions into computing systems
▪ Scanning a system: the systematic probing of ports to see which ones are open
▪ Denial-of-Service (DoS) attack: any attack designed to disrupt the ability of authorized users to access data
▪ Malicious code: any program or procedure that makes unauthorized modifications or triggers unauthorized actions (virus, worm, Trojan horse)
Goals of Incident Response
▪ Accumulation of accurate information
▪ Establishment of control for proper retrieval and handling of evidence
▪ Protection of privacy rights established by law and policy
▪ Minimization of disruption to business and network operations
▪ Preparation of accurate reports and useful recommendations
▪ Minimization of exposure and compromise of proprietary data
▪ Protection of organization reputation and assets
▪ Education of senior management
▪ Promotion of rapid detection and/or prevention of such incidents in the future (via lessons learned, policy changes, etc.)
Computer Forensics Classification

▪ Computer Forensic Analysis
▪ Electronic Discovery
▪ Electronic Evidence Discovery
▪ Digital Discovery
▪ Data Recovery
▪ Data Discovery
▪ Computer Analysis
▪ Computer Examination
Computer Forensics Definitions (1)

▪ Computer forensics involves the preservation, identification, extraction, documentation and interpretation of computer data [1].
▪ Computer forensics is the application of science and engineering to the legal problem of digital evidence. It is a synthesis of science and law. [Mark Pollitt, 5, 6]
▪ Computer forensics, still a rather new discipline in computer security, focuses on finding digital evidence after a computer security incident has occurred (http://www.forensics.nl).
Computer Forensics Definitions (2)

▪ Computer forensics is the process of methodologically examining computer media (hard discs, diskettes, tapes, etc.) for evidence. It is about evidence from computers that is sufficiently reliable to stand up in court and be convincing.
▪ Computer evidence is often transparently created by the operating system (OS) without the knowledge of the computer user. The information may be hidden from view. To find it, special forensic software tools and techniques are required.
Background: Computer Forensic

▪ Cyber activity has become a significant portion of the everyday life of the general public.
▪ Thus, the scope of crime investigation has also been broadened.
(Source: Casey, Eoghan, Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet, Academic Press, 2000.)
Background: Computer Forensic

▪ Computers and networks have been widely used for enterprise information processing.
▪ E-commerce, such as B2B, B2C and C2C, has become a new business model.
▪ More and more facilities are directly controlled by computers.
▪ As society has become more and more dependent on computers and computer networks, the computers and networks may become targets of criminal activities such as theft, vandalism, espionage, or even cyber war.
Background: Computer Forensic

▪ In the early 1990s, the threats to information systems were approximately 80% internal and 20% external.
▪ With the integration of telecommunications and personal computers into the internet, the threats appear to be approaching an equal split between internal and external agents.
(Source: Kovacich, G. L., and W. C. Boni, 2000, High-Technology Crime Investigator's Handbook, Butterworth Heinemann, p. 56.)
Background: Computer Forensic

▪ Countermeasures for computer crime:
▪ Computer and network security
▪ Effective prosecution, and prevention
Forensic Science

▪ Definition:
▪ Application of the physical sciences to law in the search for truth in civil, criminal, and social behavioral matters, to the end that injustice shall not be done to any member of society. (Source: Handbook of Forensic Pathology, College of American Pathologists, 1990.)
▪ Sciences: chemistry, biology, physics, geology, …
▪ Goal: determining the evidential value of the crime scene and related evidence.
Forensic Science (Contd)

▪ The functions of the forensic scientist:
▪ Analysis of physical evidence
▪ Provision of expert testimony
▪ Provision of training in the proper recognition, collection, and preservation of physical evidence

(Source: Richard Saferstein, 1981, Criminalistics: An Introduction to Forensic Science, 2nd edition, Prentice Hall)
Computer (or Cyber) Forensics

▪ Definition:
▪ Preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis using well-defined methodologies and procedures.
▪ Methodology:
▪ Acquire the evidence without altering or damaging the original.
▪ Authenticate that the recovered evidence is the same as the original seized.
▪ Analyze the data without modifying it.

(Warren G. Kruse II and Jay G. Heiser, 2002, Computer Forensics: Incident Response Essentials, Addison Wesley)
Computer and Digital Forensics

▪ Computer forensics refers to the investigation of computers. Digital forensics includes not only computers but also any digital device, such as digital networks, cell phones, flash drives and digital cameras.
Network Forensics

▪ Definition
▪ The study of network traffic to search for truth in civil, criminal, and administrative matters to protect users and resources from exploitation, invasion of privacy, and any other crime fostered by the continual expansion of network connectivity.
(Source: Kevin Mandia & Chris Prosise, Incident Response, Osborne/McGraw-Hill, 2001.)
Category of Digital Evidence

▪ Hardware
▪ Software
▪ Data
▪ Programs
▪ Files
Machine learning (ML) based techniques can be used to ease the process of digital forensics (DF), principally in the fields of malware, network forensics, image/video forensics, and mobile/memory forensics.
Digital Evidence

▪ Definition
▪ Digital data that can establish that a crime has been committed or can provide a link between a crime and its victim or a crime and its perpetrator. (Source: Casey, Eoghan, Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet, Academic Press, 2000.)
▪ Categories
▪ Text
▪ Audio
▪ Image
▪ Video
Forensic Methodology

▪ Treat every case as if it will end up in court [1].
▪ Forensics methodology:
▪ Acquire the evidence without altering or damaging the original.
▪ Authenticate that your recovered evidence is the same as the originally seized data.
▪ Analyze the data without modifying it.
▪ There are essentially three phases for recovering evidence from a computer system or storage medium. Those phases are: (1) acquire, (2) analyze, and (3) report (http://www.forensics.nl).
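The acquire / authenticate / analyze sequence above, carried through in Python as an added example (it is not part of the lecture or of any named tool). The "seized device" is a constructed byte string standing in for a drive, the image is written to a temporary directory, and every hash is computed at run time rather than quoted from a case. The authentication step is what lets an examiner show in court that the image analysed is the data that was seized: any change to a single bit of the image changes the digest.

```python
"""Added example: acquire, authenticate and analyze a constructed evidence device."""
import hashlib
import os
import stat
import tempfile

# Constructed sample "device": filler bytes with one planted text fragment so that
# the analysis step has something to locate. Not data from any real case.
SAMPLE_DEVICE = b"\x00" * 700 + b"meet at the usual place 23:00" + b"\xff" * 1300


def sha256_of_bytes(data: bytes) -> str:
    """Digest of an in-memory buffer (used for the source before it is copied)."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Digest of a file, read in chunks so multi-gigabyte images need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(device: bytes, image_path: str) -> str:
    """Step 1, acquire: copy the device bit-for-bit into an image file.
    The source is hashed before copying and the image after; a mismatch aborts.
    Returns the acquisition hash that is recorded in the case notes."""
    source_hash = sha256_of_bytes(device)
    with open(image_path, "wb") as f:
        f.write(device)
    # Read-only permissions so later analysis cannot alter the image by accident.
    os.chmod(image_path, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
    if sha256_of_file(image_path) != source_hash:
        raise RuntimeError("image does not match source; acquisition failed")
    return source_hash


def authenticate(image_path: str, recorded_hash: str) -> bool:
    """Step 2, authenticate: recompute the digest and compare it with the
    value recorded at seizure."""
    return sha256_of_file(image_path) == recorded_hash


def analyze(image_path: str, keyword: bytes) -> list:
    """Step 3, analyze: keyword search over the image, opened for reading only.
    Returns the byte offset of every occurrence."""
    with open(image_path, "rb") as f:
        data = f.read()
    hits, start = [], 0
    while (idx := data.find(keyword, start)) != -1:
        hits.append(idx)
        start = idx + 1
    return hits


def run_case(device: bytes = SAMPLE_DEVICE, keyword: bytes = b"usual place") -> dict:
    """Run the three steps on the constructed device and report the outcome."""
    image = os.path.join(tempfile.mkdtemp(), "evidence.dd")
    recorded = acquire(device, image)
    ok = authenticate(image, recorded)
    hits = analyze(image, keyword) if ok else []
    return {"hash": recorded, "authentic": ok, "hits": hits}


def tamper_demo(device: bytes = SAMPLE_DEVICE) -> bool:
    """Flip one byte of an acquired image and show that authentication then fails."""
    image = os.path.join(tempfile.mkdtemp(), "evidence.dd")
    recorded = acquire(device, image)
    os.chmod(image, stat.S_IRUSR | stat.S_IWUSR)   # undo the read-only protection
    with open(image, "r+b") as f:
        f.write(b"\x01")                            # overwrite the first byte
    return authenticate(image, recorded)           # False: the digest no longer matches


if __name__ == "__main__":
    print(run_case())
    print("tampered image authenticates:", tamper_demo())
```

Chunked hashing in `sha256_of_file` matters in practice because real images are far larger than memory; the hash recorded by `acquire` is the value that should appear in the chain-of-custody record, and `authenticate` is re-run every time the image is handed to another examiner or produced in court.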
Where Evidence Resides
▪ Computer systems
  ▪ Logical file system
  ▪ File system
    ▪ Files, directories and folders, FAT, clusters, partitions, sectors
  ▪ Random access memory
  ▪ Physical storage media
    ▪ Magnetic force microscopy can be used to recover data from overwritten areas.
  ▪ Slack space
    ▪ Space allocated to a file but not actually used, due to internal fragmentation.
  ▪ Unallocated space
Where Evidence Resides (contd)
▪ Computer networks
  ▪ Application Layer
  ▪ Transport Layer
  ▪ Network Layer
  ▪ Data Link Layer
Evidence on Application Layer

▪ Web pages, online documents
▪ E-mail messages
▪ Newsgroup archives
▪ Archive files
▪ Chat room archives
▪ …
Evidence on Transport and Network Layers
Evidence on the Data-link and Physical Layers
Challenges of Computer Forensics

▪ A microcomputer may have 60 GB or more of storage capacity.
▪ More than 2.2 billion messages are expected to be sent and received (in the US) per day.
▪ There are more than 3 billion indexed Web pages worldwide.
▪ There are more than 550 billion documents online.
▪ Exabytes of data are stored on tape or hard drives.
(Source: Marcella, Albert, et al., Cyber Forensics, 2002.)
Challenges of Computer Forensics

▪ How to collect the specific, probative, and case-related information from very large groups of files?
▪ Link analysis
▪ Visualization
▪ Enabling techniques for lead discovery from very large groups of files:
▪ Text mining
▪ Data mining
▪ Intelligent information retrieval
Hands-On

▪ Practical on Autopsy
▪ Use of Autopsy tool for forensic analysis and
evidence extraction in the digital media
Challenges of Computer Forensics

▪ Computer forensics must also adapt quickly to new products and innovations with valid and reliable examination and analysis techniques.

Ongoing Research Projects

▪ Search engine techniques for finding Web pages that contain illegal content.
▪ Malicious program feature extraction and detection using data mining techniques.
Cybertrail and Crime Scene

[Figure: the cybertrail linking the crime scene, the network, and the evidence]
Cyberwar or Information Warfare

▪ Information warfare is the offensive and defensive use of information and information systems to deny, exploit, corrupt, or destroy an adversary's information, information-based processes, information systems, and computer-based networks while protecting one's own.
▪ Such actions are designed to achieve advantages over military or business adversaries. (Ivan K. Goldberg)
Slack Space

[Figure: cluster layout showing an old file, a new file written over it, and the remaining old data]

Slack space is a form of internal fragmentation, i.e. wasted space, on a hard disk. When a file is written to disk it is stored at the "beginning" of the cluster. A cluster is defined as a collection of logically contiguous sectors and the smallest amount of disk space that can be allocated to hold a file.
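Slack space as described here, and in the "Where Evidence Resides" list earlier, modelled in Python as an added example (not code from the lecture). The volume is a constructed byte array, the cluster size of 512 bytes is an assumption chosen to keep the numbers small (real volumes typically use 4 KiB or larger), and the allocator is the minimal one the slide describes: a file's data goes at the start of its first cluster and nothing touches the rest of the last cluster. The example also separates file slack (inside an allocated cluster) from unallocated space (a cluster the old file used that is now free), since both can hold remnants of the old file but are reached differently by an examiner.

```python
"""Added example: slack space and unallocated space on a constructed volume."""

CLUSTER_SIZE = 512  # bytes; assumed for the example, not a property of any real file system


def clusters_needed(file_size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    """Smallest number of whole clusters that can hold file_size bytes."""
    return (file_size + cluster_size - 1) // cluster_size


def slack_bytes(file_size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    """Bytes allocated to the file but not used by it (internal fragmentation)."""
    return clusters_needed(file_size, cluster_size) * cluster_size - file_size


def write_file(volume: bytearray, start_cluster: int, data: bytes,
               cluster_size: int = CLUSTER_SIZE) -> None:
    """Store data at the beginning of the given cluster, as the slide describes.
    Whatever was previously in the remainder of the last cluster is left untouched."""
    offset = start_cluster * cluster_size
    volume[offset:offset + len(data)] = data


def file_slack(volume: bytearray, start_cluster: int, file_size: int,
               cluster_size: int = CLUSTER_SIZE) -> bytes:
    """The slack region of a file: from the end of its data to the end of its last cluster."""
    start = start_cluster * cluster_size + file_size
    end = start_cluster * cluster_size + clusters_needed(file_size, cluster_size) * cluster_size
    return bytes(volume[start:end])


def demo() -> dict:
    """Write an old file, 'delete' it, write a smaller new file over its first
    cluster, and report what an examiner would find in slack and unallocated space."""
    volume = bytearray(4 * CLUSTER_SIZE)                 # 4-cluster volume, zero-filled
    old = b"OLD: transfer 50000 to account 1234 " * 20   # 720 bytes -> 2 clusters
    write_file(volume, 0, old)
    # Deleting the old file only releases its clusters; the bytes stay on disk.
    new = b"NEW: quarterly report draft"                  # 27 bytes -> 1 cluster
    write_file(volume, 0, new)
    slack = file_slack(volume, 0, len(new))               # bytes 27..511 of cluster 0
    # Cluster 1 is unallocated now but still holds the tail of the old file.
    unallocated = bytes(volume[CLUSTER_SIZE:2 * CLUSTER_SIZE])
    return {
        "old_clusters": clusters_needed(len(old)),
        "old_slack": slack_bytes(len(old)),
        "new_clusters": clusters_needed(len(new)),
        "new_slack": len(slack),
        "slack_has_old_data": b"account 1234" in slack,
        "old_markers_in_slack": slack.count(b"OLD:"),
        "unallocated_has_old_data": b"OLD:" in unallocated,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The 27-byte new file occupies one 512-byte cluster, so 485 bytes of slack follow it, and those bytes are the first cluster of the old file minus the 27 bytes that were overwritten. A normal file read never returns them; a forensic tool that reads the cluster rather than the file does, which is why the slide lists slack space as a place where evidence resides.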
Evidence Recovery from RAMs on modern Unix systems

BSD: The Berkeley Software Distribution was an operating system based on Research Unix, developed and distributed by the Computer Systems Research Group at the University of California, Berkeley. Today, "BSD" often refers to its descendants, such as FreeBSD, OpenBSD, NetBSD, or DragonFly BSD.
Computer crime is any criminal offense, activity or issue that involves computers.

CONCLUSION:
▪ The computer is used to commit a crime.
▪ The computer itself is the target of a crime.
▪ The computer is the victim!
