Computer Forensics specializes in the scientific analysis of computer communications and the data on computer storage devices. The process of acquiring, examining, and applying digital evidence is crucial in the success of prosecuting a cyber criminal. The goal of this track is to provide a forum for researchers, practitioners, and educators.
Copyright:
Attribution Non-Commercial (BY-NC)
Abstract:

The continuing technological revolution in communications and information exchange has created an entirely new form of crime, cyber crime. Cyber crime has forced the computer and law enforcement professions to develop new areas of expertise and avenues of collecting and analyzing evidence. This has developed into a science called computer forensics. The process of acquiring, examining, and applying digital evidence is crucial in the success of prosecuting a cyber criminal. With the continuous evolution of technology, it is difficult for law enforcement and computer professionals to stay one step ahead of the technologically savvy criminals. To effectively combat cyber crime, greater emphasis must be placed in the computer forensic field of study, including but not limited to financial support, international guidelines and laws, and training of the professionals involved in the process.

The primary goal of this track will be to provide a forum for researchers, practitioners, and educators interested in Computer Forensics in order to advance research and educational methods in this increasingly challenging field. We expect that people from academia, industry, government, and law enforcement will share their previously unpublished ideas on research, education, and practice through this track.

Introduction:

Computer forensics is a branch of forensic science. Forensics is the scientific analysis of people, places and things to collect evidence during crime investigations that helps to prove innocence or guilt in court. Computer forensics, sometimes called digital forensics, specializes in the scientific analysis of computer communications and the data on computer storage devices, such as disks and CD-ROMs. Consequently, computer forensics experts are often called "Cyber Cops", "Cyber Investigators" or "Digital Detectives". Investigators use a variety of techniques and proprietary forensic applications to examine the hard drive copy. After physically isolating the computer in question to make sure it cannot be accidentally contaminated, investigators make a digital copy of the hard drive. Once the original hard drive has been copied, it is locked in a safe or other secure storage facility to maintain its pristine condition. All investigation is done on the digital copy, searching hidden folders and unallocated disk space for copies of deleted, encrypted, or damaged files. Any evidence found on the digital copy is carefully documented in a "finding report" and verified with the original in preparation for legal proceedings that involve discovery, depositions, or actual litigation.

In a homicide forensics investigation, law enforcement agencies present photographic and physical evidence. Similarly, in Computer Forensics, after initiating the special boot procedure of the computer, the investigator uses computer forensic software to create a bit-stream image or “exact snapshot” of the target hard drive and all other external media, such as floppy or zip disks, which are subject to the investigation.

Computer Forensics software allows the investigator to recover all deleted files that have not been overwritten, as well as other forms of unallocated or temporary data. Information contained in swap files, printer spooler files, file slack and other temporary or buffer files are examples of data residing on a computer drive that are not normally visible to the user.

What is Computer Forensics?

Judd Robbins, a prominent computer forensics investigator, defines computer forensics as “the application of computer investigation and analysis techniques in the interests of determining potential legal evidence.” Other experts have taken the definition a step further, believing computer forensics has evolved into a science. Noblett et al., as well as the FBI, define computer forensic science as “the science of acquiring, preserving, retrieving, and presenting data that has been processed electronically and stored on computer media.” Basically, computer forensics is digital detective work. It is searching a digital crime scene for evidence, containing and preserving the evidence, analyzing the evidence, oftentimes in a certified lab environment, and then finally presenting the findings in legal proceedings and court. In other words, it is similar to performing an autopsy, except on a digital device versus a human body.

Computer Forensics, importance:

The concept of storing and processing information at incredible speeds and across vast distances has generated an environment where the mysteries of technology can propagate a clouded perception that leads to a lack of trust and market confidence. Data theft, industrial espionage, employee misconduct and intellectual property theft are among other computer security incidents that increasingly plague corporate organizations. Additionally, the vast majority of information in the workplace is now stored on PCs and servers, meaning that no internal investigation of any form should ignore computer evidence.

Some of the typical applications of Computer Forensics are:

- Investigate and uncover evidence of illegal activities conducted via computer, such as credit-card fraud, intellectual-property theft, pedophilia, terrorism and computer system intrusion (hacking). Illegal activities conducted via computer are generally referred to as "computer crimes" or "cyber crimes".
- Investigate and uncover evidence of crimes that weren't directly committed via computer, but for which the accused might have stored evidence on computer data storage devices.
- Detect and close computer system security holes through "legal" hacking.

Digital forensic analysis:

In general, the goal of digital forensic analysis is to identify digital evidence for an investigation. An investigation typically uses both physical and digital evidence with the scientific method to draw conclusions. Examples of investigations that use digital forensics include computer intrusion, unauthorized use of corporate computers, child pornography, and any physical crime whose suspect had a computer. At the most basic level, digital forensics has three major phases:

- Acquisition
- Analysis
- Presentation

Acquisition Phase:

The Acquisition Phase saves the state of a digital system so that it can be later analyzed. This is analogous to taking photographs, fingerprints, blood samples, or tire patterns from a crime scene. As in the physical world, it is unknown which data will be used as digital evidence, so the goal of this phase is to save all digital values. Tools are used in the acquisition phase to copy data from the suspect storage device to a trusted device. These tools must modify the suspect device as little as possible and copy all data.

Analysis Phase:

The Analysis Phase takes the acquired data and examines it to identify pieces of evidence. There are three major categories of evidence we are looking for.

- Inculpatory Evidence: evidence which supports a given theory.
- Exculpatory Evidence: evidence which contradicts a given theory.
- Evidence of Tampering: evidence which cannot be related to any theory, but shows that the system was tampered with to avoid identification.

This phase includes examining file and directory contents and recovering deleted content. The scientific method is used in this phase to draw conclusions based on the evidence that was found. Tools in this phase will analyze a file system to list directory contents and names of deleted files, perform deleted file recovery, and present data in a format that is most useful. This phase should use an exact copy of the original, which can be verified by calculating an MD5 checksum. It is important that these tools show all data that exists in an image. Regardless of the investigation setting (corporate, federal, or military), the steps performed in the acquisition and analysis phases are similar because they are dominated by technical issues, rather than legal.

Presentation Phase:

The Presentation Phase, though, is based entirely on policy and law, which are different for each setting. This phase presents the conclusions and corresponding evidence from the investigation. In a corporate investigation, the audience typically includes the general counsel, human resources, and executives. Privacy laws and corporate policies dictate what is presented. In a legal setting, the audience is typically a judge and jury, but lawyers must first evaluate the evidence before it is entered. In order to be admissible in a United States legal proceeding, scientific evidence must pass the so-called “Daubert Test”, which stems from the U.S. Supreme . Previously, under the “Frye Test”, courts placed responsibility of identifying acceptable procedures on the scientific community using peer-reviewed journals. However, as not every field has peer-reviewed journals, the Daubert Test offered additional methods of testing the quality of evidence.

Benefits of professional forensic methodology:

The impartial computer expert who helps during discovery will typically have experience on a wide range of computer hardware and software. This is always beneficial when your case involves hardware and software with which this expert is directly familiar. But fundamental computer design and software implementation is often quite similar from one system to another, and experience in one application or operating system area is often easily transferable to a new system. Unlike paper evidence, computer evidence can often exist in many forms, with earlier versions still accessible on a computer disk. Knowing the possibility of their existence, even alternate formats of the same data can be discovered. The discovery process can be served well by a knowledgeable expert identifying more possibilities that can be requested as possibly relevant evidence. In addition, during on-site premises inspections, for cases where computer disks are not actually seized or forensically copied, the forensics expert can more quickly identify places to look, signs to look for, and additional information sources for relevant evidence.

These may take the form of earlier versions of data files (e.g. memos, spreadsheets) that still exist on the computer's disk or on backup media, or differently formatted versions of data, either created or treated by other application programs (e.g. word processing, spreadsheet, e-mail, timeline, scheduling, or graphic). Protection of evidence is critical. A knowledgeable computer forensics professional will ensure that a subject computer system is carefully handled to ensure that:

- No possible evidence is damaged, destroyed, or otherwise compromised by the procedures used to investigate the computer.
- No possible computer virus is introduced to a subject computer during the analysis process.
- Extracted and possibly relevant evidence is properly handled and protected from later mechanical or electromagnetic damage.
- A continuing chain of custody is established and maintained.
- Business operations are affected for a limited amount of time, if at all.
- Any client-attorney information that is inadvertently acquired during a forensic exploration is ethically and legally respected and not divulged.

Steps taken by computer forensics specialists:

The computer forensics specialist will take several careful steps to identify and attempt to retrieve possible evidence that may exist on a subject computer system:

- Protects the subject computer system during the forensic examination from any possible alteration, damage, data corruption, or virus introduction.
- Discovers all files on the subject system: This includes existing normal files, deleted yet remaining files, hidden files, password-protected files, and encrypted files.
- Recovers all (or as much as possible) of discovered deleted files.
- Reveals (to the extent possible) the contents of hidden files as well as temporary or swap files used by both the application programs and the operating system.
- Accesses (if possible and if legally appropriate) the contents of protected or encrypted files.
- Analyzes all possibly relevant data found in special (and typically inaccessible) areas of a disk. This includes but is not limited to what is called 'unallocated' space on a disk (currently unused, but possibly the repository of previous data that is relevant evidence), as well as 'slack' space in a file (the remnant area at the end of a file, in the last assigned disk cluster, that is unused by current file data, but once again may be a possible site for previously created and relevant evidence).
- Prints out an overall analysis of the subject computer system, as well as a listing of all possibly relevant files and discovered file data. Further, provides an opinion of the system layout, the file structures discovered, any discovered data and authorship information, any attempts to hide, delete, protect, encrypt information, and anything else that has been discovered and appears to be relevant to the overall computer system examination.
- Provides expert consultation and/or testimony, as required.

Who can use computer forensic evidence?

Many types of criminal and civil proceedings can and do make use of evidence revealed by computer forensics specialists:

- Criminal Prosecutors use computer evidence in a variety of crimes where incriminating documents can be found: homicides, financial fraud, drug and embezzlement record-keeping, and child pornography.
- Civil litigations can readily make use of personal and business records found on computer systems that bear on: fraud, divorce, discrimination, and harassment cases.
- Insurance Companies may be able to mitigate costs by using discovered computer evidence of possible fraud in accident, arson, and workman's compensation cases.
- Corporations often hire computer forensics specialists to ascertain evidence relating to: sexual harassment, embezzlement, theft or misappropriation of trade secrets and other internal/confidential information.
- Law Enforcement Officials frequently require assistance in pre-search warrant preparations and post-seizure handling of the computer equipment.
- Individuals sometimes hire computer forensics specialists in support of possible claims of: wrongful termination, sexual harassment, or age discrimination.

Computer forensics examples:

Example One: Consider the case of Chandra Levy, a Washington intern whose disappearance caused a great stir within the community. She went missing on April 30, 2001. While her whereabouts were unknown, she had used the Internet as well as e-mail to organize travel arrangements and to communicate with her parents. The use of this technology helped a computer criminalist to trace her whereabouts. The information found on her computer led the police to this location, even though she had been missing for one year.

Example Two: A final example of how computer forensics is affecting the current workplace is the aspect of security. Employees' work computers are now being monitored to ensure no illegal actions are taking place in the office. They also have heightened security so outsiders cannot access a company’s confidential files. If this security is broken, a company is then able to use computer forensics to trace back to which computer was being tampered with and what information was extracted from it, possibly leading to the guilty parties and other potential parties involved.

Conclusion:

Computers are not going away, and neither is computer forensics. Its usage is significant for protecting the innocent as well as prosecuting the guilty. The law enforcement community has made a major commitment in resources and funds to increase the use of computer forensics in investigations. Attorneys today, therefore, should have at least a basic understanding of computer forensics and when its use is practical. Finally, computer forensics has become its own area of scientific expertise, with accompanying coursework and certification.
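
An added example (not part of the original paper) of two points the paper makes: checking that the working image is an exact copy of the original by its MD5 checksum, and reading the 'slack' space left at the end of a file's last assigned cluster. The 4 KiB cluster size, contiguous file layout, function names and sample disk contents are assumptions constructed for illustration.

```python
import hashlib
import io

CLUSTER = 4096  # assumed cluster size of the constructed sample volume


def stream_digest(stream, algo="md5", chunk=65536):
    """Hash a stream in chunks so a large image never has to fit in memory."""
    h = hashlib.new(algo)
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return h.hexdigest()


def acquire(source, dest, chunk=65536):
    """Bit-stream copy source -> dest; returns the MD5 of the bytes read."""
    h = hashlib.md5()
    for block in iter(lambda: source.read(chunk), b""):
        h.update(block)
        dest.write(block)
    return h.hexdigest()


def verify_copy(source_md5, image):
    """True only if the working copy still hashes to the acquisition value."""
    image.seek(0)
    return stream_digest(image, "md5") == source_md5


def file_slack(image_bytes, start_cluster, file_size, cluster=CLUSTER):
    """Bytes between end-of-file and the end of its last assigned cluster.
    Assumes the file is stored contiguously from start_cluster."""
    if file_size == 0:
        return b""  # an empty file owns no cluster, so it has no slack
    start = start_cluster * cluster
    clusters_used = -(-file_size // cluster)  # ceiling division
    return image_bytes[start + file_size:start + clusters_used * cluster]


def build_sample_disk():
    """Constructed 4-cluster 'disk': a short file written over an older one."""
    disk = bytearray(CLUSTER * 4)
    old = b"OLD MEMO: meeting moved to Friday. " * 10
    disk[CLUSTER:CLUSTER + len(old)] = old
    new = b"hello.txt!"  # current file content, 10 bytes in cluster 1
    disk[CLUSTER:CLUSTER + len(new)] = new
    return bytes(disk), len(new)


if __name__ == "__main__":
    disk, size = build_sample_disk()
    image = io.BytesIO()
    md5 = acquire(io.BytesIO(disk), image)
    print("acquisition MD5:", md5, "verified:", verify_copy(md5, image))
    slack = file_slack(image.getvalue(), 1, size)
    print("slack residue:", slack.rstrip(b"\x00")[:40])
```

MD5 is the checksum the paper names; `stream_digest` accepts any `hashlib` algorithm name, so a second digest such as `sha256` can be recorded alongside it.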