Computer Forensics Seminar


  • 8/2/2019 Computer Forensics Seminar


    Computer Forensics

    Introduction :-

    Computer forensics is a branch of forensic science pertaining to legal evidence found in computers and digital storage media. Computer forensics is also known as digital forensics.

    There are many definitions of computer forensics; generally, however, computer forensics refers to the detailed investigation of computers to carry out the required tasks. It investigates the data maintained on the computer to establish what exactly happened to the computer and who is responsible for it. The investigation process starts from an analysis of the ground situation and moves on to the insides of the computer's operating system.


    Computer forensics is a broad concept, mainly related to crimes that take place on computers in violation of the law. Various laws have been imposed to check these crimes, but they still occur, and the criminal is difficult to find due to lack of evidence. All these difficulties can be overcome with the help of computer forensics.

    The main aim of computer forensic experts is not only to find the criminal but also to find the evidence and to present it in a manner that leads to legal action against the culprit. The major reasons for criminal activity in computers are:

    1. Unauthorized use of computers, mainly by stealing a username and password
    2. Accessing the victim's computer via the internet
    3. Releasing a malicious computer program, that is, a virus
    4. Harassment and stalking in cyberspace
    5. E-mail fraud
    6. Theft of company documents

    The goal of computer forensics is to explain the current state of a digital artifact. The term digital artifact can include a computer system, a storage medium (such as a hard disk or CD-ROM), an electronic document (e.g. an email message or JPEG image) or even a sequence of packets moving over a computer network.

    It is the scientific process of preserving, identifying, extracting, documenting, and interpreting data on a computer.


    History

    Michael Anderson
        Father of computer forensics
        Special agent with IRS

    Meeting in 1988 (Portland, Oregon)
        Creation of IACIS, the International Association of Computer Investigative Specialists
        The first Seized Computer Evidence Recovery Specialists (SCERS) classes held


    Computer Forensics Requirement

    Hardware
        Familiarity with all internal and external devices/components of a computer
        Thorough understanding of hard drives and settings
        Understanding motherboards and the various chipsets used
        Power connections
        Memory

    BIOS
        Understanding how the BIOS works
        Familiarity with the various settings and limitations of the BIOS

    Operating Systems
        Windows 3.1/95/98/ME/NT/2000/2003/XP
        DOS


        UNIX
        LINUX
        VAX/VMS

    Software
        Familiarity with most popular software packages such as Office

    Forensic Tools
        Familiarity with computer forensic techniques and the software packages that could be used


    Multiple methods of computer forensics :-

    Discovering data on a computer system

    Recovering deleted, encrypted, or damaged file information

    Monitoring live activity

    Detecting violations of corporate policy


    According to many professionals, Computer Forensics is a four (4) step process :-

    Acquisition

    Physically or remotely obtaining possession of the computer, all network mappings from the system, and external physical storage devices.

    Identification

    This step involves identifying what data could be recovered and electronically retrieving it by running various computer forensic tools and software suites.

    Evaluation

    Evaluating the information/data recovered to determine if and how it could be used against the suspect for employment termination or prosecution in court.

    Presentation

    This step involves presenting the evidence discovered in a manner that is understood by lawyers and non-technical staff/management, and that is suitable as evidence as determined by United States and internal laws.


    A Computer Forensics Expert Promises To:

    Not delete, damage or alter any evidence

    Protect the computer and files against a virus

    Handle all evidence properly to prevent any future damage

    Keep a log of all work done and by whom

    Keep any Client-Attorney information that is gained confidential

    Advantages of Computer forensics:-

    Ability to search through a massive amount of data
        Quickly
        Thoroughly
        In any language

    The main task, and the advantage, of computer forensics is to catch the culprit or criminal involved in a computer-related crime. Knowledge of the computer is advantageous in cases that involve hardware and software with which the forensics expert is familiar. The basics of computer design and architecture play a prominent role, and the expert should have a great deal of knowledge about fundamental software design and implementation.

    These are quite often similar from one computer system to another. Experience of one application, piece of software, file system or operating system can be applied to gain results in other aspects of the case. Computer crime exists in many forms.


    Computer forensics deals extensively with finding evidence in order to prove the crime, and the culprit behind it, in a court of law. Forensics supports the organization and helps it recover its losses. If it is known that the data exists, then alternate formats of the same data or information can also be recovered. The discovery of data or information that can provide vital clues in the prosecution of the criminal is itself a process.

    A forensics expert always identifies many possible ways to obtain relevant evidence. In addition to all the benefits of using computer forensics services, the professional may also undertake on-site inspections of the premises. This may be required in cases where signs or clues of physical movement are needed. Some cases may also involve additional information regarding earlier versions, the method of backup, or formatted versions of data or information that were either created or treated by other application programs.

    The application programs may also use different formats. Such application programs include word processors, spreadsheets, email, timeline and scheduling applications, and even graphical applications.

    The most important point, and the major advantage of computer forensics, is the preservation of the evidence collected during the process. The protection of evidence is critical. A computer forensics professional should ensure that the computer system being dealt with is handled carefully. Since the subject is governed by many laws, computer forensic professionals maintain a code of ethics.

    This ethical conduct can be considered an advantage of forensics in computer systems. Finally, computer forensics has emerged as an important part of disaster recovery management. Most organizations at some time or other employ the services of computer forensics experts. The cost of operations is also lower in comparison with the security measures that are applied.


    Disadvantages of Computer Forensics :-

    The major disadvantage of computer forensics is the privacy concern. In some cases the privacy of the client may be compromised.

    It is the duty of the computer forensics expert to maintain high standards, keep in mind the sensitivity of the case, and maintain the privacy and secrecy of the data or information in the client's interests. But in some circumstances it becomes almost impossible for the computer forensics professional to maintain the secrecy of the data or information. This may happen if the information is necessary to prove the crime and must be produced as evidence in a court of law.

    There are other disadvantages as well. It is possible that some sensitive data or information that is important to the client may be lost in the search for evidence. The forensics professional must take care that the data, information or possible evidence is not destroyed, damaged, or otherwise compromised by the procedures used to investigate a computer system.


    There is also a chance that malicious programs are introduced into the computer system and corrupt the data at a later stage. During the analysis process, care should be taken that no computer virus is released or introduced into the computer system. It is also possible that the hardware of the computer system is physically damaged.

    Evidence that is physically extracted, and other relevant evidence, should be properly handled and protected from later damage, which may be either mechanical or electromagnetic in nature. The integrity of the data and information acquired should be preserved. The custody of the data acquired as evidence is the responsibility of the computer forensics team.

    While the case is being solved, it may be required that the data or information is stored in the court. In some cases it is also possible that the data is in dispute and neither of the disputing parties can use it. For this reason business operations may also be affected. The duty of the computer forensics expert is to ensure that justice is delivered as fast as possible so that the inconvenience and subsequent loss to the organization can be avoided.

    It is also important that the information acquired during the forensic exploration is ethically and legally respected. Moreover, despite some of the limitations of computer forensics, the subject is still perceived. Also, the advantages and benefits of the subject have wide applications in various situations. Measures should be taken, and care on the part of the professional employed for computer forensics is a must, to avoid any subsequent damage to the computer system. It is also possible in some cases that the operations cost may exceed. Steps should be taken to minimize the cost.

    Need for Computer Forensics:-

    The need for computer forensics arises mainly from the wide variety of computer crimes that take place. With present technological advancements it is common for every organization to employ the services of computer forensics experts. There are various computer crimes that occur on a small scale as well as a large scale. The loss caused depends on the sensitivity of the computer data or information against which the crime has been committed.

    Computer forensics has become vital in the corporate world. Data may be stolen from an organization, in which case the organization may sustain heavy losses. Computer forensics is used in such cases because it helps in tracking the criminal.

    The need in the present age is all the more severe due to internet advancements and dependency on the internet. People who gain access to computer systems without proper authorization should be dealt with. Network security is an important issue in the computer world. Computer forensics is a threat to wrongdoers and people with negative mindsets.

    Computer forensics is also effective where the data is stored in a single system for backup. Data theft and intentional damage of the data in a single system can also be minimized with computer forensics. There are hardware and software that employ security measures in order to track changes and updates to the data or information. The user information is provided in log files, which can be effectively used to produce evidence of any crime in a legal manner.

    The main purpose of computer forensics is to produce evidence in court that can lead to the punishment of the actual culprit. Forensic science is the process of using scientific knowledge for the collection, analysis and, most importantly, presentation of evidence in a court of law. The word forensic itself means to bring to the court.

    The need for, or importance of, computer forensics is to ensure the integrity of the computer system. With some small measures, the system can avoid the cost of operating and maintaining the security. The subject provides in-depth knowledge for understanding the legal as well as the technical aspects of computer crime. It is very useful from a technical standpoint.


    The importance of computer forensics is evident in tracking cases of child pornography and email spamming. Computer forensics has been used efficiently to track down terrorists in various parts of the world. Terrorists who use the internet as a medium of communication can be tracked down and their plans can be known.

    There are many tools that can be used in combination with computer forensics to find the geographical information and hideouts of criminals. The IP address plays an important role in finding the geographical position of the terrorists. Security personnel deploy effective measures using computer forensics. Intrusion Detection Systems are used for that purpose.

    Methods of Hiding Data:-

    1. Manipulating HTTP requests by changing the (unconstrained) order of elements

        The order of elements can be preset as a 1 or 0 bit

        No public software is available for use yet, but the government uses this method for its agents who wish to transfer sensitive information online

        Undetectable because there is no standard for the order of elements and it is, in essence, just normal web browsing

    2. Encryption:-

    Information in a computer system is encrypted to maintain the privacy or secrecy of the subject. The encrypted file is stored in some location that is not easily identifiable, so that the file does not leak. Even in the extreme case where the file is found and opened by some person, that person should not be able to read the file.


    Conclusion:-

    Thus we conclude our study of computer forensics as follows:

    With computers becoming more and more involved in our everyday lives, both professionally and socially, there is a need for computer forensics. This field will enable crucial electronic evidence to be found, whether it was lost, deleted, damaged, or hidden, and used to prosecute individuals who believe they have successfully beaten the system.


    Abstract :-

    Forensic computing is the process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable.

    From the above definition we can clearly identify four components :-

    IDENTIFYING :-

    This is the process of identifying things such as what evidence is present, where and how it is stored, and which operating system is being used. From this information the investigator can identify the appropriate recovery methodologies and the tools to be used.

    PRESERVING :-

    This is the process of preserving the integrity of digital evidence, ensuring the chain of custody is not broken. The data needs to be preserved (copied) onto stable media such as CD-ROM, using reproducible methodologies. All steps taken to capture the data must be documented. Any changes to the evidence should be documented, including what the change was and the reason for the change. You may need to prove the integrity of the data in a court of law.

    ANALYSING :-

    This is the process of reviewing and examining the data. The advantage of copying this data onto CD-ROMs is that it can be viewed without the risk of accidental changes, therefore maintaining the integrity whilst examining the changes.

    PRESENTING :-

    This is the process of presenting the evidence in a legally acceptable and understandable manner. If the matter is presented in court, the jury, who may have little or no computer experience, must all be able to understand what is presented and how it relates to the original; otherwise all efforts could be futile.
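
    The PRESERVING step above, together with the earlier promise to keep a log of all work done and by whom, can be illustrated with the following added example (not part of the original report). It hashes an original image, makes and verifies a working copy, and records each step in a hash-chained custody log; SHA-256, the file names, the examiner name and the log format are assumptions chosen for illustration.

```python
import hashlib, json, shutil, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large disk images do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def _digest(record):
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

def log_step(log, who, action, detail):
    """Append a custody record that is chained to the previous one by hash."""
    rec = {"time": datetime.now(timezone.utc).isoformat(), "who": who,
           "action": action, "detail": detail,
           "prev_hash": log[-1]["entry_hash"] if log else "0" * 64}
    rec["entry_hash"] = _digest(rec)
    log.append(rec)

def verify_log(log):
    """Return False if any record was edited or the chain order was broken."""
    prev = "0" * 64
    for rec in log:
        body = {k: v for k, v in rec.items() if k != "entry_hash"}
        if rec["prev_hash"] != prev or rec["entry_hash"] != _digest(body):
            return False
        prev = rec["entry_hash"]
    return True

def acquire(source, dest, who, log):
    """Hash the original, copy it, verify the copy, and document each step."""
    original = sha256_file(source)
    log_step(log, who, "hash-original", {"path": str(source), "sha256": original})
    shutil.copyfile(source, dest)
    copied = sha256_file(dest)
    log_step(log, who, "copy-and-verify",
             {"path": str(dest), "sha256": copied, "match": copied == original})
    if copied != original:
        raise ValueError("working copy does not match the original")
    return original

def demo():
    """Constructed sample: a fake image file stands in for seized media."""
    with tempfile.TemporaryDirectory() as d:
        image, copy, log = Path(d, "evidence.img"), Path(d, "working.img"), []
        image.write_bytes(b"constructed sample sector\n" * 4096)
        reference = acquire(image, copy, "examiner-1", log)
        intact = sha256_file(copy) == reference
        with open(copy, "ab") as f:      # simulate an accidental change
            f.write(b"\x00")
        changed = sha256_file(copy) != reference
        chain_ok = verify_log(log)
        log[0]["who"] = "someone-else"   # simulate an edited custody record
        edit_detected = not verify_log(log)
        return intact, changed, chain_ok, edit_detected

if __name__ == "__main__":
    print(demo())
```

    Analysis is then done only on the verified working copy, and the recorded hash of the original is what lets the examiner show later that the evidence did not change.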

    Far more information is retained on the computer than most people realize. It's also more difficult to completely remove information than is generally thought. For these reasons (and many more), computer forensics can often find evidence of, or even completely recover, lost or deleted information, even if the information was intentionally deleted.

    The goal of computer forensics is to retrieve the data and interpret as much information about it as possible, as compared to data recovery, where the goal is to retrieve the lost data.


    Government Polytechnic, Amravati

    (An Autonomous Institute of Maharashtra)

    PROJECT REPORT


    ON

    COMPUTER FORENSICS

    Prepared By:-

    Gopal P. Rathi

    (07CM040)

    Guided By:- Fafat Madam

    Head of Department:- M. A. Ali Sir

    DEPARTMENT OF COMPUTER ENGINEERING