
COMPUTER FORENSICS


Chapter 1: Introduction to Computer Forensics
Outline
INFORMATION SECURITY MANAGEMENT

• Cyber Crime

• What is Computer Forensics?

• Computer Forensic Investigation

• Computer Forensics as a Profession


Cyber Crime
• Cyber crime refers to any crime that involves computers or a computer network. It is a
criminal activity where a computer or network is used as the source, tool, target, or place of
the crime.

• Cyber crime occurs when computer technology is used to commit or obscure an offence.

• Although the terms ‘cyber crime’ and ‘computer crime’ are used more specifically for
criminal activities in which the computer is a necessary part of the crime, these terms may
also refer to conventional crimes that involve the use of computers, such as fraud, theft,
blackmail, forgery, and misappropriation.

• Examples of cyber crime:
• Financial fraud
• Sabotage of data and/or networks
• Theft of proprietary information
• System penetration from the outside
• Denial of service
• Unauthorised access by insiders
• Employee abuse of Internet access privileges

 A computer can play different roles in a cyber crime.

 The use of computers in cyber crimes can be broadly classified into four categories.
• Cyber crimes can be categorized as either insider attacks or external attacks.

• Insider attacks are committed by those with a significant link to the intended victim, for
example a bank employee who siphons electronic funds from a customer's account. Other
examples include:
• Downloading or distributing offensive material;
• Theft of intellectual property;
• Internal system intrusions;
• Fraud; and
• Intentional or unintentional deletion or damage of data or systems.

• External attacks are those that involve hackers hired either by an insider or by an external
entity whose aim is to destroy the company’s reputation. An external attack is committed
anonymously.

• A typical example is the Philippine-based ILOVEYOU virus e-mail attack in 2000. Other
examples of external attacks include computer system intrusion, and deceptive, reckless or
deliberate and indiscriminate system crashes.

• An external attack is hard to anticipate, yet can often be traced using evidence available to
or provided by the organisation under attack.
What is Computer Forensics?
• Forensic science, or forensics, is the application of science to find answers to questions that
are of interest to legal proceedings.

• Computer forensics is a step-by-step analysis of data stored in electronic equipment to
determine whether that electronic equipment has been used for illegal or unauthorised
purposes.

• Examples of electronic equipment investigated are computers, computer networks, storage
devices and digital media equipment.

• Cyber crime involves attacks, for malicious purposes, on targeted systems that contain
confidential data. This often includes a wide variety of crimes against persons, property or
organizations that are of public interest.

• Collecting cyber evidence through forensics is necessary to investigate crimes and to ensure
that appropriate support is afforded to evidence that needs to be introduced in criminal or
other legal proceedings.

• Activities involved in a cyber crime investigation include collecting, archiving, and managing
digital evidence in a way that renders it acceptable in proceedings.
• When an incident or crime occurs, an organization needs a proper forensic response in
place. By hiring computer forensics experts to manage the response to an incident,
organizations ensure that all avenues are investigated, all evidence is located and handled
correctly, and all those involved are treated neutrally.

• As soon as an incident that compromises a server occurs, an investigation takes place.

Computer forensics investigators typically follow these steps in investigating the case:

• Prepare first-response procedures
• Seize digital evidence at the crime scene and transport it back safely to the forensic lab
• Prepare bit-stream images of the files and create MD5 hashes of the files to protect their
integrity
• Examine the evidence for proof of the crime
• Prepare an investigative report
• Submit the report to the client for further action
• Destroy any sensitive client data

• Computer forensics is still in an early developmental stage. It differs from the other forensic
sciences, as it examines digital evidence.

• There is little theoretical knowledge on which to base assumptions for analysis, and standard
empirical hypothesis testing, where it is carried out, lacks proper training and standardisation
of tools.
Computer Forensic Investigation
Before an investigation of any case is started, the investigator must have:

• A thorough understanding of the forensic process
• Technical training
• Proper lab preparation

• These are significant to the success of an investigation. All the technical expertise assigned
to the unit must have the necessary training and background to conduct investigations.

• After the evidence has been properly analysed, the investigator acts as an expert witness
and presents the evidence in court in an acceptable manner. The investigator also acts as a
tool for law enforcement to track and prosecute cyber criminals.

• There are two types of computer investigations as described below:


A computer forensics investigator must follow certain stages and procedures when working on
a case.

Initial Assessment
First, the computer forensics investigator identifies the crime, along with the computer and
other tools used to commit the crime.

Obtain Evidence
Like any other investigation, the area must be handled as a crime scene. Everything there must
be left the way it is. For example, if the computer system was found turned off, it should be left
that way. The forensics investigator then takes digital photographs and secures documentary
evidence such as printouts, notes and disks found at the scene.

Analyze the Recovered Evidence
All evidence must now be taken to the lab to be examined. No evidence should be examined on
the same hardware on which it was found.

Complete the Case Report
Finally, a report is made on the findings and all the steps taken during the investigation,
beginning from the acquisition of the data. This evidence will be presented in court if
prosecution is necessary.
Computer Forensics as a Profession
• Computer forensics is a focused, fast-growing and interesting field. As business enterprises
and organizations become more multifaceted and exchange more information online,
ultra-modern crimes are also increasing at a rapid rate. Due to this situation, many companies
and professionals are now offering computer forensic services.

• A computer forensics investigator is a combination of a private investigator and a computer
scientist. Although this unique field requires technical, legal and law enforcement
experience, many industries choose professionals with investigative intelligence and
technology expertise.

• A computer forensics professional can fill a diversity of roles which include a private
examiner, an investigator, a corporate compliance professional, and a law enforcement
official.

• Before becoming a computer forensics professional, we need to be aware that:
• The rest of the world is not part of that profession
• The majority of the general public is excluded from computer forensics
• The majority of computer professionals are not skilled in computer forensics
• Many computer forensic practitioners come from other disciplines (of computing and from
other areas, e.g. audit).
• Aspects essential to the computer forensics profession are:
• Academic
• Application of computer science
• Application of forensic science
• Narrow specialism
• Aligned to computer security
• Core discipline

• A good forensics investigator should always follow these rules:
• Examine the original evidence as little as possible. Instead, examine the duplicate evidence.
• Follow the rules of evidence and do not tamper with the evidence.
• Always prepare a chain of custody, and handle evidence carefully.
• Never go beyond the knowledge base of the forensic investigation.
• Document any changes in evidence.
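The bit-stream image and MD5 step of the investigation procedure above, together with the rules here on examining only the duplicate, keeping a chain of custody and documenting any change, as an added Python example that is not part of these lecture notes: it copies a constructed evidence file to an image, hashes both sides with MD5 and, as an extra check the slides do not mention, SHA-256, refuses a non-matching image, re-verifies the duplicate before examination and logs every action. The CustodyLog layout, file names and examiner id are assumptions.

```python
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def hash_file(path):
    """(md5, sha256) of one file, read in 1 MiB pieces so multi-GB images never sit in memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()

class CustodyLog:  # append-only record of who did what to the evidence and when (assumed layout)
    def __init__(self, examiner):
        self.examiner, self.entries = examiner, []
    def record(self, action, **details):
        self.entries.append({"time": datetime.now(timezone.utc).isoformat(),
                             "examiner": self.examiner, "action": action, **details})

def acquire_image(original, image, log):
    """Copy original -> image bit for bit, hash both sides and accept only a matching image."""
    src = hash_file(original)
    log.record("hash_original", path=str(original), md5=src[0], sha256=src[1])
    shutil.copyfile(original, image)  # stands in for a write-blocked imager such as dd
    img = hash_file(image)
    log.record("acquire_image", path=str(image), md5=img[0], sha256=img[1], verified=img == src)
    if img != src:
        raise RuntimeError("image does not match original; repeat the acquisition")
    return img

def verify_image(image, expected, log):
    """Re-hash the duplicate before each examination so any change is detected and documented."""
    ok = hash_file(image) == expected
    log.record("verify_image", path=str(image), verified=ok)
    return ok

def run_demo():
    """Constructed scenario: acquire, verify, damage the duplicate, verify again."""
    work = Path(tempfile.mkdtemp())
    original, image = work / "suspect_disk.bin", work / "suspect_disk.img"
    original.write_bytes(b"constructed evidence: ledger.xls deleted 2000-05-04\n" * 2048)
    log = CustodyLog("examiner-01")
    expected = acquire_image(original, image, log)
    clean = verify_image(image, expected, log)     # True: duplicate still intact
    with open(image, "r+b") as f: f.write(b"X")    # simulate an accidental write to the copy
    tampered = verify_image(image, expected, log)  # False: change detected and logged
    return {"clean": clean, "tampered": tampered, "actions": [e["action"] for e in log.entries]}
```

A real acquisition would image the whole device through a write blocker rather than copy a single file, but the verify-then-work-on-the-duplicate discipline and the custody log are the same.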

• In relation to ethical behavior in computer forensics, there is a very thin line between what
is acceptable and what is deemed as malpractice.

• Computer forensics exists in an ethical grey area. The forensics investigator needs to
balance self-motivation, legal constraints and procedural considerations.
• It is also the responsibility of the forensics investigator to help the court on matters within
his knowledge. This duty overrides any obligation to the person from whom the forensics
investigator receives instructions or by whom he is paid.

• While investigating cyber crimes, one has to know the laws that cover such crimes. Legal
authorizations are needed to access targets of evidence. In order to preserve the
admissibility of evidence, proper handling of evidence by a computer forensics expert is
required.

• Different warrant requirements and other legal constraints apply to different categories of
data such as recent, older, interceptable, not interceptable, etc.

• Investigators should always consult the legal department of their corporation to understand
the limits of their investigation. Privacy rights of suspects should not be ignored.

• Legal issues associated with cyber crime are still being developed by legislators and may
change in the future.
