Computer Forensics

- A key for Cybercrimes

Abstract:
The continuing technological
revolution in communications and
information exchange has created an
entirely new form of crime, cyber crime.
Cyber crime has forced the computer and
law enforcement professions to develop new
areas of expertise and avenues of collecting
and analyzing evidence. This has developed
into a science called computer forensics.
The process of acquiring, examining, and
applying digital evidence is crucial in the
success of prosecuting a cyber criminal.
With the continuous evolution of technology,
it is difficult for law enforcement and
computer professionals to stay one step
ahead of the technologically savvy
criminals. To effectively combat cyber
crime, greater emphasis must be placed in
the computer forensic field of study,
including but not limited to financial
support, international guidelines and laws,
and training of the professionals involved in
the process.
The primary goal of this track will
be to provide a forum for researchers,
practitioners, and educators interested in
Computer Forensics in order to advance
research and educational methods in this
increasingly challenging field. We expect
that people from academia, industry,
government, and law enforcement will share
their previously unpublished ideas on
research, education, and practice through
this track.
Introduction:
Computer forensics is a branch of
forensic science. Forensics is the scientific
analysis of people, places and things to
collect evidence during crime investigations
that helps to prove innocence or guilt in
court. Computer forensics, sometimes called
digital forensics. But it specializes in the
scientific analysis of computer
communications and the data on computer
storage devices, such as disks and CD-
ROMs. Consequently, computer forensics
experts are often called "Cyber Cops",
"Cyber Investigators" or "Digital
Detectives". Investigators use a variety of
techniques and proprietary forensic
applications to examine the hard drive copy.
After physically isolating the computer in
question to make sure it cannot be
accidentally contaminated, investigators
make a digital copy of the hard drive. Once
the original hard drive has been copied, it is
locked in a safe or other secure storage
facility to maintain its pristine condition. All
investigation is done on the digital copy,
searching hidden folders and unallocated
disk space for copies of deleted, encrypted,
or damaged files. Any evidence found on the
digital copy is carefully documented in a
"finding report" and verified with the
original in preparation for legal proceedings
that involve discovery, depositions, or actual
litigation. In a homicide forensics
investigation, law enforcement agencies
present photographic and physical evidence.
Similarly, in Computer Forensics, after
initiation of the special boot procedure of
computer, the investigator utilizes computer
forensic software to create a bit-stream
image or “exact snapshot” of the target hard
drive and all other external media, such as
floppy or zip disks, which are subject to the
investigation.
Computer Forensics software allows
the investigator to recover all deleted files
that have not been overwritten, as well as
other forms of unallocated or temporary
data. Information contained in swap files,
printer spooler files, file stack and other
temporary or buffer files are examples of
data residing on a computer drive that are
not normally visible to the user.
What is Computer Forensics?
Judd Robbins, a prominent computer
forensics investigator, defines computer
forensics as “the application of computer
investigation and analysis techniques in the
interests of determining potential legal
evidence.” Other experts have taken the
definition a step further, believing computer
forensics has evolved into a science. Noblett
et al., as well as the FBI, define computer
forensic science as “the science of acquiring,
preserving, retrieving, and presenting data
that has been processed electronically and
stored on computer media.” Basically,
computer forensics is digital detective work.
It is searching a digital crime scene for
evidence, containing and preserving the
evidence, analyzing the evidence, often
times in a certified lab environment, and
then finally presenting the findings in legal
proceedings and court. In other words, it is
similar to performing an autopsy, except on
a digital device versus a human body.
Computer Forensics, importance:
The concept of storing and
processing information at incredible speeds
and across vast distances has generated an
environment where the mysteries of
technology can propagate a clouded
perception that leads to a lack of trust and
market confidence. Data theft, industrial
espionage, employee misconduct and
intellectual property theft are among other
computer security incidents that increasingly
plague corporate organizations.
Additionally, the vast majority of
information in the workplace is now stored
on PCs and servers, meaning that no internal
investigation of any form should ignore
computer evidence.
Some of the typical applications of
Computer Forensics are:
 Investigate and uncover evidence
of illegal activities conducted via
computer, such as credit-card fraud,
intellectual-property theft, pedophilia,
terrorism and computer system
intrusion (hacking). Illegal activities
conducted via computer are generally
referred to as "computer crimes" or
"cyber crimes".
 Investigate and uncover evidence
of crimes that weren't directly
committed via computer, but for
which the accused might have stored
evidence on computer data storage
devices
 Detect and close computer
system security holes through "legal"
hacking.
Digital forensic analysis:
In general, the goal of digital
forensic analysis is to identify digital
evidence for an investigation. An
investigation typically uses both physical
and digital evidence with the scientific
method to draw conclusions. Examples of
investigations that use digital forensics
include computer intrusion, unauthorized
use of corporate computers, child
pornography, and any physical crime whose
suspect had a computer. At the most basic
level, digital forensics has three major
phases:
o Acquisition
o Analysis
o Presentation
Acquisition Phase:
The Acquisition Phase saves the
state of a digital system so that it can be later
analyzed. This is analogous to taking
photographs, fingerprints, blood samples, or
tire patterns from a crime scene. As in the
physical world, it is unknown which data
will be used as digital evidence so the goal
of this phase is to save all digital values.
Tools are used in the acquisition phase to
copy data from the suspect storage device to
a trusted device. These tools must modify
the suspect device as little as possible and
copy all data.
Analysis Phase:
The Analysis Phase takes the
acquired data and examines it to identify
pieces of evidence. There are three major
categories of evidence we are looking for.
Inculpatory Evidence:
Evidence which supports a given
theory is nothing but Inculpatory Evidence.
Exculpatory Evidence:
Evidence which contradicts a given
theory is an Exculpatory Evidence.
Evidence of tampering:
Evidence which cannot be related to
any theory, but shows that the system was
tampered with to avoid identification is
Evidence of Tampering.
This phase includes examining file
and directory contents and recovering
deleted content. The scientific method is
used in this phase to draw conclusions based
on the evidence that was found. Tools in this
phase will analyze a file system to list
directory contents and names of deleted
files; perform deleted file recovery, and
present data in a format that is most useful.
This phase should use an exact copy of the
original, which can be verified by
calculating an MD5 checksum. It is
important that these tools show all data that
exists in an image. Regardless of the
investigation setting (corporate, federal, or
military), the steps performed in the
acquisition and analysis phases are similar
because they are dominated by technical
issues, rather than legal.
Presentation Phase:
The Presentation Phase though is
based entirely on policy and law, which are
different for each setting. This phase
presents the conclusions and corresponding
evidence from the investigation. In a
corporate investigation, the audience
typically includes the general counsel,
human resources, and executives.
Privacy laws and corporate policies
dictate what is presented. In a legal setting,
the audience is typically a judge and jury,
but lawyers must first evaluate the evidence
before it is entered. In order to be admissible
in a United States legal proceeding,
scientific evidence must pass the so-called
“Daubert Test”, which stems from the U.S.
Supreme .Previously, under the “Frye Test”,
courts placed responsibility of identifying
acceptable procedures on the scientific
community using peer-reviewed journals.
However, as not every field has peer-
reviewed journals, the Daubert Test offered
additional methods of testing the quality of
evidence.
Benefits of professional forensic
methodology:
The impartial computer expert who
helps during discovery will typically have
experience on a wide range of computer
hardware and software. This is always
beneficial when your case involves
hardware and software with which this
expert is directly familiar. But fundamental
computer design and software
implementation is often quite similar from
one system to another, and experience in one
application or operating system area is often
easily transferable to a new system unlike
paper evidence, computer evidence can
often exist in many forms, with earlier
versions still accessible on a computer disk.
Knowing the possibility of their existence,
even alternate formats of the same data can
be discovered. The discovery process can be
served well by a knowledgeable expert
identifying more possibilities that can be
requested as possibly relevant evidence. In
addition, during on-site premises
inspections, for cases where computer disks
are not actually seized or forensically
copied, the forensics expert can more
quickly identify places to look, signs to look
for, and additional information sources for
relevant evidence.
These may take the form of earlier
versions of data files (e.g. memos,
spreadsheets) that still exist on the
computer's disk or on backup media, or
differently formatted versions of data, either
created or treated by other application
programs (e.g. word processing,
spreadsheet, e-mail, timeline, scheduling, or
graphic).Protection of evidence is critical. A
knowledgeable computer forensics
professional will ensure that a subject
computer system is carefully handled to
ensure that:
  No possible evidence is damaged,
destroyed, or otherwise
compromised by the procedures used
to investigate the computer.
 No possible computer virus is
introduced to a subject computer
during the analysis process.
 Extracted and possibly relevant
evidence is properly handled and
protected from later mechanical or
electromagnetic damage.
 A continuing chain of custody is
established and maintained.
 Business operations are affected for
a limited amount of time, if at all.
 Any client-attorney information that
is inadvertently acquired during a
forensic exploration is ethically and
legally respected and not divulged.
Steps taken by computer forensics
specialists:
 Provides expert consultation
and/or testimony, as required. The
computer forensics specialist will
take several careful steps to identify
and attempt to retrieve possible
evidence that may exist on a subject
computer system:
 Protects the subject computer
system during the forensic
examination from any possible
alteration, damage, data corruption,
or virus introduction.
 Discovers all files on the subject
system: This includes existing
normal files, deleted yet remaining
files, hidden files, password-
protected files, and encrypted files.
 Recovers all (or as much as
possible) of discovered deleted files.
 Reveals (to the extent possible) the
contents of hidden files as well as
temporary or swap files used by both
the application programs and the
operating system.
 Accesses (if possible and if legally
appropriate) the contents of protected
or encrypted files.
 Analyzes all possibly relevant data
found in special (and typically
inaccessible) areas of a disk. This
includes but is not limited to what is
called 'unallocated' space on a disk
(currently unused, but possibly the
repository of previous data that is
relevant evidence), as well as 'slack'
space in a file (the remnant area at
the end of a file, in the last assigned
disk cluster, that is unused by current
file data, but once again may be a
possible site for previously created
and relevant evidence).
 Prints out an overall analysis of
the subject computer system, as well
as a listing of all possibly relevant
files and discovered file data.
Further, provides an opinion of the
system layout, the file structures
discovered, any discovered data and
authorship information, any attempts
to hide, delete, protect, encrypt
information, and anything else that
has been discovered and appears to
be relevant to the overall computer
system examination.
Who can use computer forensic
evidence?
Many types of criminal and civil
proceedings can and do make use of
evidence revealed by computer forensics
specialists:
 Criminal Prosecutors use computer
evidence in a variety of crimes where
incriminating documents can be
found: homicides, financial fraud,
 drug and embezzlement record-
keeping, and child pornography.
 Civil litigations can readily make
use of personal and business records
found on computer systems that bear
on: fraud, divorce, discrimination,
and harassment cases.
 Insurance Companies may be able
to mitigate costs by using discovered
computer evidence of possible fraud
in accident, arson, and workman's
compensation cases.
 Corporations often hire computer
forensics specialists to ascertain
evidence relating to: sexual
harassment, embezzlement, theft or
misappropriation of trade secrets and
other internal/confidential
information.
 Law Enforcement Officials
frequently require assistance in pre-
search warrant preparations and post-
seizure handling of the computer
equipment.
 Individuals sometimes hire
computer forensics specialists in
support of possible claims of:
wrongful termination, sexual
harassment, or age discrimination
Computer forensics examples:
Example One: In the case about Chandra
Levy a Washington intern whose
disappearance caused great stir within the
community. She went missing on April 30,
2001. While her whereabouts were
unknown, she had used the Internet as well
as e-mail to organize travel arrangements
and to communicate with her parents. The
use of this technology helped a computer
criminalist to trace her whereabouts. The
information found on her computer lead the
police to this location, even though she had
been missing for one year.
Example Two: A final example of how
computer forensics is affecting the current
workplace is the aspect of security.
Employees work computers are now being
monitored to ensure no illegal actions are
taking place in the office. They also have
heightened security so outsiders cannot
access a company’s confidential files. If this
security is broken a company is then able to
use computer forensics to trace back to
which computer was being tampered with
and what information was extracted from it,
possibly leading to the guilty parties and
other potential parties involved.
Conclusion:
Computers are not going away, and
neither is computer forensics. Its usage is
significant for protecting the innocent as
well as prosecuting the guilty. The law
enforcement community has made a major
commitment in resources and funds to
increase the use of computer forensics in
investigations. Attorneys today, therefore,
should have at least a basic understanding of
computer forensics and when its use is
practical. Finally, Computer forensics has
become its own area of scientific expertise,
with accompanying coursework and
certification.
References:
 www.computerforensics.net
 www.wikipedia.org
 www.forensics.ca
 www.ncfs.ucf.edu
 www.l0t3k.net
 www.computerforensicsworld.com