
Computer Forensics CPIS 428 – PROJECT King Abdulaziz University Faculty of Computer and IT Done By: Samar Samir Mahrous 1028265 Sawsan Kamel Asad 1102241


Page 1:

Computer Forensics

CPIS 428 – PROJECT King Abdulaziz University Faculty of Computer and IT

Done By: Samar Samir Mahrous 1028265, Sawsan Kamel Asad 1102241

Page 2:

Outline

• Introduction
• Forensics and Computer Forensics Definition
• Why do we need computer forensics and where can we use it?
• How did it all begin?
• Types of Computer Forensics Investigations
• Computer Forensic Requirements and Tools
• Pros and Cons of Computer Forensics
• Computer Forensics Methodology
• Rules and Policies of Computer Forensics
• Certifications and Challenges in Computer Forensics
• The Most Famous Computer Forensics Cases

Page 3:

Division of tasks (Name, ID, Task)

Samar Samir Mahrous (1028265): Introduction; Forensics and Computer Forensics Definition; Why do we need computer forensics and where can you use it?; Computer Forensics Examples; How did it all begin?; Who Uses Computer Forensics?; Types of Computer Forensics Investigations and Collected Data; Pros and Cons of Computer Forensics; The Most Famous Computer Forensics Cases.

Sawsan Kamel Asad (1102241): Forensics and Computer Forensics Definition; Computer Forensic Requirements and Tools; Computer Forensics Methodology; Rules and Policies of Computer Forensics; Challenges in Computer Forensics; Certifications in Computer Forensics.

Page 4:

Introduction

• Nowadays, more and more people are using computers and devices with computing capability.

• The combination of the growing computerization of business processes and the growing number of Internet users has created new opportunities for criminals.

• The digital age has produced many new professions, but one of the most unusual is computer forensics.

• Computer forensics deals with the application of law to a science.

Page 5:

What is Computer Forensics?

Page 6:

What is Forensics?

It is a field of science dedicated to the methodical gathering and analysis of evidence to establish facts that can be presented in a legal proceeding.

Page 7:

What is Computer Forensics?

• It is the scientific procedure that involves the preservation, identification, extraction, documentation, and interpretation of data on a computer so it can be used as evidence in a court of law.

• Its goal is to conduct a structured investigation and find out exactly what happened on a digital system and who was responsible for it; that is, to provide digital evidence of a specific or general activity.

• Electronic record or digital evidence: any data that is recorded or preserved on any medium in or by a computer system or other similar device.

Page 8:

Why do we need to use computer forensics?

• Digital evidence is delicate in nature; therefore it must be recorded as early as possible to avoid the loss of valuable evidence.

• For recovering deleted, encrypted or corrupted files from a system.

This data will be helpful when presenting testimony in court.

Page 9:

Where can it be used?

Computer forensics can be used to uncover potential evidence in many types of cases, including:

• Corruption
• Decryption
• Destruction of information
• Fraud
• Illegal duplication of software
• Unauthorized use of a computer
• Child pornography
• Homicide investigations
• Copyright infringement
• Industrial espionage
• Money laundering
• Piracy
• Sexual harassment
• Theft of intellectual property
• Unauthorized access to confidential information
• Blackmail

Page 10:

How did it all begin?

• The Early Years

In 1984 the FBI's Computer Analysis and Response Team (CART) program was created; for a time it was known as the Magnetic Media Program. The credit for this project goes to Michael Anderson, a special agent with the criminal investigation division of the IRS, who is also known as "the father of computer forensics".

• Early Training Programs

In 1988 IACIS (International Association of Computer Investigative Specialists) was formed. The first classes were held to train SCERS (Seized Computer Evidence Recovery Specialists).

Page 11:

How did it all begin? (cont.)

• IOCE

In 1993 the first conference on collecting evidence from computers was held. Two years later, the International Organization on Computer Evidence (IOCE) was established.

• Late 1990s

By 1997 it was widely recognized that law enforcement officials all over the world needed to be well-versed in how to acquire evidence from computers. INTERPOL held a symposium on computer forensics the following year. In 1999, the FBI's CART program tackled 2,000 individual cases.

Page 12:

How did it all begin? (cont.)

• The First Decade of the 21st Century

The FBI's CART caseload continued to grow, and computer forensics began to play a more important role for law enforcement officials. With the advent of smartphones and PDAs, computer forensics has become even more important, as criminals have a multitude of options for using computing devices to break the law.

Page 13:

Types of Computer Forensics

Page 14:

Types of Computer Forensics Investigations

• The first is when the computer(s) was/were used as an instrument to commit a crime, or was involved in some other type of misuse.
– The C.F. investigator may or may not be present when the computing device is shut down to begin an investigation. They may have hard drives and other media delivered to them to analyze.

• The second is when the computer is the target of a crime, for example when it is hacked into and information is stolen.
– The C.F. investigator will typically always want to capture information that is extremely volatile, such as the contents of RAM, before the system is powered off.

Page 15:

Computer Forensics Requirements

Page 16:

Computer Forensic Requirements

• Operating Systems
– Windows 95, 98, NT, 2000, XP
– DOS
– UNIX
– Linux

• Laws
– Computer, criminal and civil.

• BIOS (Basic Input/Output System)
– Understanding how the BIOS works
– Familiarity with the various settings and limitations of the BIOS

Page 17:

Computer Forensic Requirements (Cont.)

• Hardware
– Familiarity with all internal and external devices/components of a computer.
– Understanding motherboards and the various chipsets used.
– Power connections.
– Memory.

• Forensic Tools
– Familiarity with computer forensic techniques and the software packages that could be used.

Page 18:

Computer Forensics Tools

Page 19:

Computer Forensics Tools

Programmers have created many computer forensics applications. For many police departments, the choice of tools depends on department budgets and available expertise.

• Disk imaging software.
• Software or hardware write blockers.
• Hashing tools, used to prove that an image or file has not changed.
• File recovery programs.
• Programs designed to preserve the information in a computer's random access memory (RAM).
• Analysis software.
• Encryption decoding software and password cracking software, which are useful for accessing protected data.
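As an added example (not part of the original slides), the following Python script shows the principle behind the file recovery programs listed above: a file deleted from the file system usually still sits in unallocated space, so a carver scans the raw image for known header and footer byte signatures and cuts out whatever lies between them. The disk image, the signature table and the embedded files are constructed in the script itself; a real carver would also have to deal with false footers (for example an FFD9 marker inside an embedded JPEG thumbnail) and fragmented files, which this one does not.

```python
"""Signature-based file carving over a raw disk image.

Added example, not code from the original slides. The image below is
constructed in memory so the script runs offline; a real carver would
mmap() the image file and stream through it.
"""
import hashlib

# Header/footer magic bytes for a few common file types.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(image: bytes, max_size: int = 10 * 1024 * 1024):
    """Return a list of (type, offset, data) for every complete file found.

    A header with no footer within max_size bytes is skipped: the file is
    either truncated or fragmented, and a simple carver cannot recover it.
    """
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        start = 0
        while True:
            start = image.find(header, start)
            if start == -1:
                break
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:
                start += len(header)  # no footer: skip this header
                continue
            end += len(footer)
            found.append((ftype, start, image[start:end]))
            start = end
    return sorted(found, key=lambda f: f[1])


def build_demo_image() -> bytes:
    """Constructed sample: two 'deleted' files in unallocated space plus a
    truncated PNG header with no footer, which the carver must ignore."""
    jpg = b"\xff\xd8\xff\xe0" + b"\x00" * 20 + b"JFIF-demo" + b"\xff\xd9"
    pdf = b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\n%%EOF"
    partial_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
    return (b"\x00" * 512 + jpg + b"\x00" * 300 + pdf
            + b"\xff" * 512 + partial_png)


if __name__ == "__main__":
    for ftype, offset, data in carve(build_demo_image()):
        print(f"{ftype} at offset {offset}, {len(data)} bytes, "
              f"sha256={hashlib.sha256(data).hexdigest()}")
```

Each carved file is hashed as it is recovered so that it can be tied to the examiner's notes and later re-verified; the offset in the image is recorded for the same reason.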

Page 20:

Page 21:

Pros and Cons of Computer Forensics

Pros:

1. Preservation of data.

2. The ability to search through a massive amount of data quickly, thoroughly, and in any language.

Cons:

1. Digital evidence is accepted in court only if:
- it can be proven that there was no tampering;
- all evidence is fully accounted for;
- the C.F. specialists have complete knowledge of legal requirements, evidence handling, storage and documentation procedures.

2. Costs: producing and preserving electronic records is extremely costly.

3. Privacy concerns of suspects.

Page 22:

Methodology of Computer Forensics

Page 23:

• The methodology, or four-step process, of C.F.:

1. Acquisition
Physically or remotely obtaining possession of the computer, all network mappings from the system, and external physical storage devices.

2. Identification
This step involves identifying what data could be recovered and electronically retrieving it by running various C.F. tools and software suites.

3. Evaluation
Evaluating the information/data recovered to determine if and how it could be used against the suspect, for employment termination or for prosecution in court.

4. Presentation
This step involves the presentation of the evidence discovered in a manner which is understood by lawyers and non-technical staff/management, and which is suitable as evidence as determined by United States and internal laws.

Page 24:

Rules for Computer Forensics

Page 25:

Rule 1. An examination should never be performed on the original media.

Rule 2. A copy is made onto forensically sterile media. New media should always be used if available.

Rule 3. The copy of the evidence must be an exact, bit-by-bit copy. (Sometimes referred to as a bit-stream copy).

Rule 4. The computer and the data on it must be protected during the acquisition of the media to ensure that the data is not modified. (Use a write-blocking device when possible.)

Rule 5. The examination must be conducted in such a way as to prevent any modification of the evidence.

Rule 6. The chain of custody of all evidence must be clearly maintained to provide an audit log of who might have accessed the evidence and at what time.

Page 26:

Chain of custody

• Chain of custody is the accurate documentation of the movement and possession of a piece of evidence, from the time it is taken into custody until it is delivered to the court:
– Who collected it?
– How and where?
– Who took possession of it?
– How was it stored and protected?
– Who took it out of storage and why?
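As an added example (not part of the original slides), the Python script below carries Rules 2, 3 and 6 and the chain-of-custody questions through in code on a constructed stand-in for seized media: it copies the source block by block into a freshly created image file, hashes both with SHA-256 and stops if they differ, records the acquisition in an append-only custody log, and re-verifies the image afterwards so that tampering (here, a single flipped bit in a copy) is detected. The device file, the case number, the examiner name and the log format are all made up for the demonstration; opening the source read-only is only the software side of write blocking and does not replace a hardware write blocker on real media.

```python
"""Bit-stream imaging, hash verification and a chain-of-custody log.

Added example, not code from the original slides. The "device" is a
temporary file standing in for seized media (e.g. /dev/sdb); the case
number, examiner name and log format are invented for the demonstration.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 4096  # read/write in fixed blocks so large images never sit in RAM


def sha256_file(path: str) -> str:
    """Hash a file block by block and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while chunk := f.read(BLOCK_SIZE):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source: str, image: str) -> dict:
    """Rules 2 and 3: bit-for-bit copy onto new media, then verify by hash.

    The source is opened read-only (software write blocking; a hardware
    write blocker remains the right control on real media) and the image is
    created with O_EXCL so an existing file is never silently reused.
    """
    fd = os.open(image, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with open(source, "rb") as src, os.fdopen(fd, "wb") as dst:
        while chunk := src.read(BLOCK_SIZE):
            dst.write(chunk)
    src_hash, img_hash = sha256_file(source), sha256_file(image)
    if src_hash != img_hash:
        raise RuntimeError("image hash does not match source; acquisition failed")
    return {"source": source, "image": image, "sha256": src_hash,
            "bytes": os.path.getsize(image)}


def log_custody(log_path: str, action: str, examiner: str, item: str, sha256: str) -> None:
    """Rule 6: append one custody entry (who, what, when, evidence hash)."""
    entry = {"time": datetime.now(timezone.utc).isoformat(), "action": action,
             "examiner": examiner, "item": item, "sha256": sha256}
    with open(log_path, "a") as f:
        f.write(json.dumps(entry) + "\n")


def verify_image(image: str, expected_sha256: str) -> bool:
    """Re-hash before analysis or testimony to show the evidence is unchanged."""
    return sha256_file(image) == expected_sha256


def demo() -> dict:
    """Run the whole procedure on a constructed 64 KiB stand-in device."""
    workdir = tempfile.mkdtemp()
    device = os.path.join(workdir, "suspect_disk.raw")
    with open(device, "wb") as f:
        f.write(os.urandom(64 * 1024))  # constructed sample media

    record = acquire_image(device, os.path.join(workdir, "case-0001.dd"))
    log = os.path.join(workdir, "custody.log")
    log_custody(log, "acquired", "Examiner A (hypothetical)", record["image"], record["sha256"])
    record["verified"] = verify_image(record["image"], record["sha256"])

    # Flip one bit in a copy of the image: re-verification must fail.
    tampered = record["image"] + ".tampered"
    with open(record["image"], "rb") as f:
        data = bytearray(f.read())
    data[0] ^= 0x01
    with open(tampered, "wb") as f:
        f.write(data)
    record["tamper_detected"] = not verify_image(tampered, record["sha256"])

    with open(log) as f:
        record["custody_entries"] = sum(1 for _ in f)
    return record


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The hash recorded at acquisition time is what lets an examiner answer "was it tampered with?" in court; the custody log answers the who, when and why questions listed above, and should itself be protected (for example by signing or storing it off the analysis machine), which this example does not do.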

Page 27:

Policies for Computer Forensics

Page 28:

Policies for Computer Forensics

A) No analysis will be performed without legal authority (a search warrant or consent form). If none has been submitted, the examiner must contact the investigator to obtain the necessary legal authority.

B) Forensic computers are not connected to the Internet.

C) All forensic archives created and data recovered during examinations are considered evidence.

D) Changes to this procedure can be made if approved by the Quality Manager, who will document the changes and ensure the revised procedure is validated, if necessary, prior to its use in casework.

Page 29:

Certifications in Computer Forensics

• The International Society of Forensic Computer Examiners (ISFCE) is a private organization dedicated to providing an internationally recognized, unblemished computer forensics certification that is available to all who can qualify, for a reasonable cost.

The ISFCE administers the Certified Computer Examiner (CCE)certification. The CCE certification is available internationally to both law enforcement and non-law enforcement forensic computer examiners.

• The Information Assurance Certification Review Board (IACRB) offers the Certified Computer Forensics Examiner (CCFE), which tests a candidate's fundamental knowledge of the computer forensics evidence recovery and analysis process.

Page 30:

Challenges of Computer Forensics

Page 31:

• The advancement of encryption. As encryption standards rise and the algorithms become more complex, it will be more difficult and more time-consuming for specialists to decrypt and then piece together encrypted files into meaningful information.

• Maintaining credible certifications and industry standards in the field.
– The National Institute of Standards and Technology (NIST) creates the various standards for the technology industry in the US.
– More standards need to be adopted for this field to make the gathered evidence and the compiled information used in court more credible in the eyes of the judge, jury and opposing attorneys.

Page 32:

The Most Famous Computer Forensics Cases

Page 33:

The BTK Serial Killer

• For more than thirty years, the case of the BTK serial killer in Kansas remained unsolved. In 2005 the murderer, who had a history of sending taunting letters to the police, sent the police a floppy disk with a Word document on it. Computer forensics professionals went to work examining the disk, and this is when the big break in the case finally happened.

• Computer forensics examiners recovered a file that had been deleted, and metadata attached to this file revealed who had been the last person to modify the document. After more than thirty years of traditional investigation the case had gone unsolved; one floppy disk and the expertise of computer forensics experts finally solved it. The police and the prosecuting attorney had the evidence to put this dangerous serial killer behind bars.
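As an added example (not part of the original slides), the Python script below shows the kind of metadata that gave the case its break, using the modern Word .docx format: the file is a ZIP archive whose docProps/core.xml part records the creator, the last person to modify the document and the timestamps. The document and the names in it are constructed in the script; the 2005 file was an older binary .doc, whose metadata lives in a different structure that this example does not parse.

```python
"""Authorship metadata from an office document (constructed .docx).

Added example, not code from the original slides. A .docx is a ZIP archive;
docProps/core.xml holds the creator, the last person to modify the file and
the timestamps. The document and names below are made up for the demo.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

# XML namespaces used by the core-properties part of an OOXML package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

CORE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}">
  <dc:creator>{creator}</dc:creator>
  <cp:lastModifiedBy>{modified_by}</cp:lastModifiedBy>
  <dcterms:created>{created}</dcterms:created>
  <dcterms:modified>{modified}</dcterms:modified>
</cp:coreProperties>"""


def build_demo_docx(creator, modified_by, created, modified, include_core=True) -> bytes:
    """Construct a minimal .docx with just the parts this example needs.

    include_core=False simulates a file whose metadata part was stripped.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        if include_core:
            z.writestr("docProps/core.xml", CORE_XML.format(
                creator=creator, modified_by=modified_by,
                created=created, modified=modified, **NS))
    return buf.getvalue()


def extract_core_properties(docx_bytes: bytes) -> dict:
    """Return creator / last_modified_by / created / modified from core.xml.

    Returns {} if the metadata part is absent, and None for individual
    fields that are missing, since real files are often partially filled.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "docProps/core.xml" not in z.namelist():
            return {}
        root = ET.fromstring(z.read("docProps/core.xml"))

    def text(path):
        el = root.find(path, NS)
        return el.text if el is not None else None

    return {
        "creator": text("dc:creator"),
        "last_modified_by": text("cp:lastModifiedBy"),
        "created": text("dcterms:created"),
        "modified": text("dcterms:modified"),
    }


if __name__ == "__main__":
    doc = build_demo_docx("Alice Author", "Bob Editor",
                          "2005-02-01T10:00:00Z", "2005-02-14T09:30:00Z")
    print(extract_core_properties(doc))
```

Document metadata is written by the application, not by the file system, so it survives copying the file to another disk; it can also be edited or stripped, which is why a lead obtained this way has to be corroborated with other evidence before it is presented in court.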

Page 34:

Solved: Computer Forensics
