7/30/2019 COMPUTER Forensics for computer Science
1/90
COMPUTER FORENSICS
BY
HENRY O. QUARSHIE
INTRODUCTION
Computer forensics is a newer field in the legal and law enforcement world. As the computer industry has taken off and more and more people have invested in a computer, the need to understand, examine and present the facts of a case involving a computer has become essential.

The persons who identify and analyse evidence found in a computer are called computer forensic experts. These individuals also present the evidence during legal proceedings.
Computer forensics requires a specialized approach and expertise. It goes far beyond what a typical system support analyst or technician will do for normal data collection.

Instead, the expert in computer forensics must follow legal protocol and still be able to locate the information integral to the case. They will examine the computer to see if it has been an aid in criminal or otherwise illegal activities.
Definition of Computer Forensics
There are a number of slightly varying definitions around. However, generally, computer forensics is considered to be the use of analytical and investigative techniques to identify, collect, examine and preserve evidence/information which is stored or encoded on digital media (historically, magnetic media).
The objective of this is to provide digital evidence of a specific or general activity.
WHO CAN USE COMPUTER FORENSIC EVIDENCE?
A forensic investigation can be initiated for a variety of reasons. The most high-profile are usually criminal investigations or civil litigation, but digital forensic techniques can be of value in a wide variety of situations, including, perhaps, simply retracing the steps taken when data has been lost.
Many types of criminal and civil proceedings can and do make use of evidence revealed by computer forensics specialists:

Criminal prosecutors use computer evidence in a variety of crimes where incriminating documents can be found: homicides, financial fraud, drug and embezzlement record-keeping, and child pornography.

Civil litigations can readily make use of personal and business records found on computer systems that bear on fraud, divorce, discrimination and harassment cases.

Insurance companies may be able to mitigate costs by using discovered computer evidence of possible fraud in accident, arson and workman's compensation cases.
Corporations often hire computer forensics specialists to ascertain evidence relating to sexual harassment, embezzlement, theft or misappropriation of trade secrets and other internal/confidential information.

Law enforcement officials frequently require assistance in pre-search-warrant preparations and post-seizure handling of the computer equipment.

Individuals sometimes hire computer forensics specialists in support of possible claims of wrongful termination, sexual harassment or age discrimination.
What are the common scenarios?
Wide and varied! Examples include:
- Employee internet abuse (common, but decreasing)
- Unauthorized disclosure of corporate information and data (accidental and intentional)
- Industrial espionage
- Damage assessment (following an incident)
- Criminal fraud and deception cases
- More general criminal cases (many criminals simply store information on computers, intentionally or unwittingly)
- and countless others!
What will a computer forensics specialist do on the job?

They can take copies of the hard drive; identify and recover lost files; access hidden or protected files; study the residue of previously deleted files; and create a detailed report of all the actions on the computer that can be considered suspect or illegal. Throughout the process they are not permitted to change the data in any way, as this would be, quite literally, tampering with the evidence being collected.

The computer forensics expert is specifically trained to avoid altering the data while searching for the remnants and telling signs left on the computer itself.
CYBERCRIME
Cybercrime is defined as crime committed on the Internet using the computer as either a tool or a targeted victim. It is very difficult to classify crimes in general into distinct groups, as many crimes evolve on a daily basis.
TYPES OF CYBERCRIME
ELECTRONIC THEFT:
Citibank was subjected to over 40 electronic thefts by a former Russian employee of a St Petersburg software house. Together with a number of accomplices, he managed to transfer approximately $7.5 million to Finland, California, Israel, Germany, Holland and Switzerland. (source: PCB Lawson House U.S.A)
Police in London foiled a massive bank theft on 17th March 2005; the plan was to steal £220m from the London offices of the Japanese bank Sumitomo Mitsui. The gang had infiltrated the bank's systems with keylogging software.
CREDIT CARD FRAUD:
An Internet retailer, CD Universe, refused to pay $100,000 to a Russian hacker known as "Maxim" who had stolen 300,000 credit card numbers from its web site. As a result, the hacker posted some 25,000 credit card details on the web for all to see. (source: PCB Lawson House U.S.A)
ONLINE AUCTION FRAUD: this is the number one Internet fraud in the U.S. Goods often don't arrive. In one case a Russian fraudster ordered goods using a stolen credit card, then sold them on an online auction at a low price to United States citizens, who then wired money to an untraceable Latvian bank. (source: PCB Lawson House U.S.A)
Internet auction fraud accounted for 62 percent of the 97,076 Internet fraud complaints that the Internet Crime Complaint Center (U.S.A.) referred to law-enforcement agencies for investigation in 2005.
PYRAMID FRAUD
It entices the victim with promises of extraordinary returns on investment. Those at the top of the scheme are initially successful, but subsequent investors lose all the money invested. (source: PCB Lawson House U.S.A)
FRAUDULENT INTERNET BANKING SITES
The Internet allows fraudsters to offer bogus but credible-looking banking services. It is difficult for the consumer to discern between genuine and fraudulent Internet banks. The fraudster does not need to go to great expense to dress up his site as genuine, and will entice victims with a promise of high interest rates. (source: PCB Lawson House U.S.A)
PHISHING:
This attack occurs when an attacker tries to obtain people's banking details electronically, typically by posing as the bank, and then uses the details to rob their bank accounts.
A phishing email claiming that the National Australia Bank (NAB) was bankrupt caught more than 1,000 of the bank's customers in its net. It claimed that the bank's ATMs were not working, which caused panic withdrawals, and invited customers to click on a link that would provide them with more information.
The link in fact downloaded a Trojan onto the hapless customer's machine. This stole their bank login details and password when they followed the rest of the emailed "advice" to go online and check their balance.
(Source: Channel Register, June 19, 2006)
CYBERTERRORISM:
This is a very real threat in today's information age. Cyberterrorists have at their disposal weapons that can cause severe destruction. Cyberterrorists, such as Russian cyber gangs, can attack anyone, anywhere, blackmailing organizations into paying them millions to prevent the attackers from destroying their systems.
A group of British hackers allegedly demanded a £10m ransom from Visa after claiming they would crash the Visa system if they were not paid. The hackers had stolen computer "source code" that is critical to programming. Had the system crashed, even for just a day, the cost to Visa would have run into tens of millions of pounds. (source: PCB Lawson House U.S.A)
LOTTERY SCAM
These are emails telling the recipient that they have won a sum of money in a lottery. The recipient is instructed to keep the notice secret and to contact an agent. After contacting the "agent", the recipient is asked to pay money as fees, but never receives any lottery payment.
At the end of 2005 the U.S. Department of the Treasury announced that cybercrime had overtaken drug trafficking, at a cost of $180 billion.
(source: Sun-Sentinel.com, June 03, 2006)
While criminal activity via the Internet is still a fairly new phenomenon, the FBI ranks it just behind stopping terrorism and counterintelligence on its list of priorities.
The Nigerian 419 scam stole the most money off the Internet. Americans reported losing an all-time high of $183 million to Internet fraud in 2005, up 169 percent from $68 million in 2004.
(Source: Internet Crime Complaint Center)
REPORTS (GHANA)
"Man of God" in 419 for alleged cyber fraud: he claimed to have inherited $39m. (source: Daily Graphic, 25th April 2005)

11 Nigerians arrested at a café at Dzorwulu with forged documents designed to deceive potential victims. (source: Daily Graphic, 20th Aug 2005)

Online fraud: security council gets tough. Ghana has been blacklisted and could be totally banned from the use of credit cards. (source: Daily Graphic, 19th Sept 2005)
Techniques and Tools used in Computer Crime

Computer viruses, spyware, adware, malware
Cracking
Spamming
Phishing
Cyberterrorism
Computer Virus
A computer virus can be defined by three basic properties:

1: It is a piece of software (executable code).

2: It is a parasite. It never remains a named piece of software on its own; it attaches itself to some other executable code and remains with it. To attach might mean physically adding to the end of a file, inserting into the middle of a file, or simply placing a pointer to a different location on the disk where the virus can find it.

3: It reproduces itself. On activation it always tries to spread by attaching itself to other executable code as well.
Since a virus is executable code, to be activated it has to attach itself to code that will itself be executed. Hence a computer virus can live in:

Boot sector.
Partition table (master boot record).
Executable files (EXE, COM, DLL, OVL etc.).
Macros in MS Office files (documents, spreadsheets etc.).
TYPES OF VIRUSES

Boot / Partition Viruses
File Viruses
Macro Viruses
Backdoors
Worms
Trojans
Boot / Partition Viruses

A partition table / boot sector virus houses itself in the original boot / partition area and shifts the original code to some other location. Most of these viruses stay resident in memory and thereby take control of the machine. From there they attach themselves to the boot sector of the hard drive, to other media, or to executables.
Macro Viruses

These are viruses which infect document files such as MS Word documents. All MS Office components (Word, Excel, PowerPoint and Access) support writing macros. Unlike the limited macro facilities of previous generations, these macros provide almost all the functionality of a computer programming language. Virus writers smelt the opportunity and targeted these macros.
Backdoor

A backdoor has two components and basically creates a client-server environment. The target machine is turned into a server, and the attacker acts as the client, taking control of the machine and its information.
Worms

A worm is a computer program or piece of software that has the ability to replicate on its own. Mass-mailing worms arrive as an e-mail or newsgroup attachment and infect users who run the attachment; some of them patch the host computer's Winsock library (wsock32.dll), the doorway to the Internet, so that they can send themselves out with the user's own messages. Worms can spread rapidly to other machines on the network. E.g. W32/Nimda, W32/Sircam.
Trojans

A Trojan is a program that appears to be something you think is safe, but hidden inside is something harmful, typically a backdoor, a virus or a worm. The lure of a Trojan is that you may download a game or a picture thinking it is harmless, but once you execute (run) the file, the hidden payload gets to work.
TECHNIQUES USED BY COMPUTER VIRUS WRITERS
Self-Encryption
This hides the virus code and its destructive payload: the virus remains in the file in encrypted form and decrypts itself at the time of execution, which makes studying the virus a tricky affair.

The virus thus consists of two parts: a decryption routine and the original virus code in encrypted form. If it is not studied properly, a careless removal of the virus may result in serious loss of data, so be careful.
Polymorphic nature

New-generation viruses keep changing and modifying their code, typically by re-encrypting the body under a fresh key and mutating the decryption routine on every infection. This poly (many) morphic nature makes virus identification a difficult task. At times the form changes to such an extent that, if not studied properly, some variants evade the virus scanner. Almost all new viruses are polymorphic in nature.
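The self-encryption and polymorphism described above, as an added example that is not from the original deck and not taken from any real virus: the "payload" is a harmless text marker, the "decryptor" is a one-byte XOR loop behind a made-up two-byte stub, and the scanner is a plain byte-pattern matcher. The stub bytes, the marker and the signature are all constructed for the demonstration.

```python
# Added example (not from the original deck): why a static signature misses a
# self-encrypting payload, and what a scanner has to do instead. Nothing here
# executes anything; the "virus body" is a text marker.
import os

PAYLOAD = b"SAMPLE-PAYLOAD-MARKER"   # constructed stand-in for a virus body
SIGNATURE = b"PAYLOAD-MARKER"        # the pattern a signature scanner was given
STUB = b"\xEB\x0E"                    # constructed marker standing in for the decryptor prologue


def xor(data, key):
    """One-byte XOR: the same routine encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def build_sample(key=None):
    """One 'generation' of the virus: stub + key byte + body encrypted under that key.
    Each infection picks a fresh key, so the body bytes on disk differ every time."""
    if key is None:
        key = os.urandom(1)[0] or 1   # never key 0, which would leave the body in clear
    return STUB + bytes([key]) + xor(PAYLOAD, key)


def static_scan(sample):
    """Signature scanner: looks for the known plaintext pattern in the bytes on disk."""
    return SIGNATURE in sample


def emulating_scan(sample):
    """Recognises the decryptor stub, performs the decryption the way the virus
    would at run time, then scans the result (what an emulating AV engine does)."""
    if not sample.startswith(STUB):
        return static_scan(sample)
    key = sample[len(STUB)]
    body = xor(sample[len(STUB) + 1:], key)
    return SIGNATURE in body


def stub_scan(sample):
    """Alternative: sign the invariant part, the decryptor itself. A fully
    polymorphic engine mutates the stub too, which is why emulation is needed."""
    return sample.startswith(STUB)


def generations(n=5):
    """n samples of the same virus; they agree only on the stub bytes."""
    return [build_sample() for _ in range(n)]


if __name__ == "__main__":
    for s in generations(3):
        print(s.hex(), "static:", static_scan(s), "emulated:", emulating_scan(s))
```

Each generation differs byte for byte except for the stub, which is why a signature on the body never matches; scanners answer either by signing the invariant decryptor (which real polymorphic engines then mutate as well) or by emulating the decryption and scanning what comes out.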
Stealth Methodology:

A stealth virus actively conceals itself: it temporarily removes itself from an infected file that is about to be examined and hides a copy of itself elsewhere on the drive. It can keep a copy of the clean boot sector and present that as normal to anti-virus software, and it reports the original file size even after infecting a file.
SPYWARE
Software that hides itself somewhere on your computer, collecting information about you and what you do on the Internet and passing on your personal details without you ever knowing.

There are currently over 78,000 spyware and adware programs infecting innocent Internet users.
HOW SPYWARE WORKS
Steal your passwords
Steal your identity
Spam your email account
Crash your computer
Bombard you with advertising
Steal your credit card numbers
Download your private files
Monitor your emails and keystrokes
Watch the sites you visit
Symptoms of SPYWARE
Computer slows down
E-mails bounce back
E-mails being sent without your knowledge
Programs opening and closing
CD drive opening and shutting
Credit card account and password being tampered with (offline symptoms)
Hijacked homepage
ADWARE
Software that presents advertisements to the user, normally in the form of pop-up adverts. Adware is installed on a user's computer by some web sites, by "freeware" products and sometimes with legitimately purchased commercial software.
Adware has been criticized because it usually includes code that tracks a user's personal information and passes it on to third parties without the user's authorization or knowledge.

This practice has been dubbed spyware and has prompted an outcry from computer security and privacy advocates.
SYMPTOMS OF ADWARE
Slow computer performance
New desktop shortcut or switched homepage
Annoying pop-ups on your PC
HOW ADWARE WORKS
Steals your information
Sends deceptive adverts
Breaks websites
Installs new code to your system
CRACKING TECHNIQUES
The following are some of the techniques used by crackers.

1. Remote Penetration: programs that go out on the Internet (or network) and gain unauthorized control of a computer.
2. Local Penetration: programs that gain unauthorized access to the computer on which they are run.
3. Remote Denial of Service: programs that go out on the Internet (or network) and shut down another computer or a service provided by that computer.
4. Local Denial of Service: programs that shut down the computer on which they are run.
5. Network Scanners: programs that map out a network to figure out which computers and services are available to be exploited.
6. Vulnerability Scanners: programs that scour the Internet looking for computers vulnerable to a particular type of attack.
7. Password Crackers: programs that discover easy-to-guess passwords in encrypted password files. Computers can now guess passwords so quickly that many seemingly complex passwords can be guessed.
8. Sniffers: programs that listen to network traffic. Often these programs have features to automatically extract usernames, passwords or credit card information.
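What item 7 means in practice, as an added example that is not from the original deck: a constructed password file holds unsalted SHA-256 hashes for three users, and the wordlist is constructed as well. One table of hashed guesses cracks every weak password at once, whereas a per-user salt plus an iterated key derivation (PBKDF2 here) makes the cracker pay the full cost for every user and every guess. The demo uses 2,000 PBKDF2 rounds so it runs in well under a second; real deployments use far more.

```python
# Added example (not from the original deck): why a password cracker finds
# easy-to-guess passwords in a captured hash file almost instantly, and what
# slows it down. The hash file and wordlist are constructed for this page.
import hashlib
import hmac
import os

WORDLIST = ["123456", "password", "letmein", "qwerty", "welcome1", "accra2005"]

# constructed "encrypted password file": user -> sha256(password), no salt
UNSALTED = {
    "alice": hashlib.sha256(b"welcome1").hexdigest(),
    "bob":   hashlib.sha256(b"accra2005").hexdigest(),
    "carol": hashlib.sha256(b"Tq7!x9#Lw2@p").hexdigest(),   # not in any wordlist
}


def crack_unsalted(hashes, wordlist):
    """One hash per candidate word serves every user at once: build a
    word table keyed by hash, then look each user's hash up in it."""
    table = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in hashes.items() if h in table}


def make_salted(password, salt=None, rounds=200_000):
    """Per-user random salt plus an iterated KDF. Each guess now costs
    `rounds` hash operations and is valid for one user only."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, rounds, digest


def crack_salted(entries, wordlist):
    """Same guesses, but every (user, word) pair needs its own KDF run.
    Returns (found, total_hash_iterations) so the cost can be compared."""
    found, work = {}, 0
    for user, (salt, rounds, digest) in entries.items():
        for w in wordlist:
            work += rounds
            guess = hashlib.pbkdf2_hmac("sha256", w.encode(), salt, rounds)
            if hmac.compare_digest(guess, digest):   # constant-time compare
                found[user] = w
                break
    return found, work


def demo():
    """Returns (unsalted_hits, salted_hits, unsalted_hash_ops, salted_hash_ops)."""
    fast = crack_unsalted(UNSALTED, WORDLIST)
    salted = {"alice": make_salted("welcome1", rounds=2_000),
              "bob":   make_salted("accra2005", rounds=2_000),
              "carol": make_salted("Tq7!x9#Lw2@p", rounds=2_000)}
    slow, work = crack_salted(salted, WORDLIST)
    return fast, slow, len(WORDLIST), work


if __name__ == "__main__":
    print(demo())
```

Both runs recover the same two weak passwords; the difference is the cost, six hash operations for the whole unsalted file against tens of thousands for the salted one, and that cost grows linearly with the number of users and the round count rather than staying flat.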
Guidelines for Forensic Examination and Analysis

Forensics is a science and an art that requires specialised techniques for the recovery, authentication and analysis of electronic data for the purpose of investigating a criminal act. Specific processes exist relating to reconstruction of computer usage, examination of residual data, authentication of data by technical analysis, and explanation of technical features of data and computer usage. This is not something the ordinary network administrator should be carrying out.
INTERNATIONAL ORGANISATION ON COMPUTER EVIDENCE

The International Organisation on Computer Evidence (IOCE) was created to develop international principles dealing with how digital evidence is to be collected and handled, so that various courts will recognise and use the evidence in the same manner.
The international principles developed by IOCE for the standardized recovery of computer-based evidence are governed by the following attributes:

1: Consistency with all legal systems.
2: Allowance for the use of a common language.
3: Durability.
4: Ability to cross international boundaries.
5: Ability to instill confidence in the integrity of evidence.
6: Applicability to all forensic evidence.
7: Applicability at every level, including that of individual, agency, and country.
FORENSICS INVESTIGATION PROCESS
To ensure that forensics activities are carried out in a standardized manner, the team must follow specific laid-out steps so that nothing is missed and the evidence remains admissible. Each team or company may come up with its own steps, but all are essentially accomplishing the same things.
1: Adhere to your site's security policy and engage the appropriate incident handling and law enforcement personnel. Capture as accurate a picture of the system as possible.
2: When confronted with a choice between collection and analysis, do collection first and analysis later: volatile evidence is lost while you analyse, whereas a preserved copy can be analysed at any time.
3: Computer Time and Date Settings

The time and date that files were created can be important in cases involving computer evidence. However, the accuracy of the time and date stamps on files is directly tied to the accuracy of the time and date kept by the computer's real-time clock (stored in the CMOS chip) and to its time-zone setting. Consequently, documenting the accuracy of these settings, by comparing the computer's clock with a trusted reference at the time of seizure and recording the offset, is important. Without such information it will be all but impossible to validate the accuracy of the times and dates associated with relevant computer files.
4: Hard Disk Partitions

The potential for hidden or missing data exists when computer hard disk drives are involved. As a result, it is important to document the make, model and size of all hard disk drives contained in the computers. This is accomplished by a physical examination of the hard disk drive.

The factory information recorded on the outside of the hard disk drive (label capacity and serial number) should be documented and compared with the capacity seen during imaging; a mismatch points to hidden or unreachable areas of the drive.
5: Operating System and Version

The computer may rely upon one or more operating systems. The operating system(s) involved should be documented.

The findings should be noted, and the forensic software and the version used should be documented.
6: File Catalog

The files stored on the computer hard disk drive should be listed and catalogued. The dates and times that the files were created and/or updated should also be recorded. Many times relevant leads can be obtained by sorting the files by file date and time.

Combining such information from multiple computers in the same case can also prove valuable for leads. It can help document a conspiracy when the sorted file dates and times from the different machines are evaluated together.
7: Backups (forensic image):

Normally computer evidence is preserved by making an exact copy of the original evidence before any analysis is performed. It is not enough just to make copies of computer files using a conventional backup program. Valuable evidence may exist in the form of erased files, and the data associated with these files lives in unallocated space that only a sector-by-sector (bit-for-bit) copy of the whole drive preserves. The copy should be hashed and the hash compared with that of the original before the copy is relied upon.
8: Never run any programs on the computer in question without taking precautions, e.g. write protection (a hardware write blocker) or working from the image made in step 7. Also, you should not boot or run the computer using the operating system on the computer in question.

It is relatively easy for criminals to rig their computers to destroy hard disk drive content or specific files by planting decoy programs or by modifying the operating system.
Take Precautions in the Transport of Computer Evidence

Computer evidence is very fragile. Heat and magnetic fields can destroy or alter it in a very short period of time.
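Steps 3, 6, 7 and 8 above in working form, as an added example that is not from the original deck or from any forensic tool. The raw device is a constructed file standing in for a disk, the evidence tree and its timestamps are constructed, and the seven-minute clock offset is an assumed value of the kind step 3 says to measure and record.

```python
# Added example (not from the original deck): image a device byte for byte,
# hash source and image, write-protect the image, and catalogue files on a
# clock-corrected timeline. All inputs are constructed inside demo().
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone

CHUNK = 1 << 16  # 64 KiB reads, so large media never has to fit in memory


def sha256_file(path):
    """Hash a file in chunks; the digest is recorded before and after every examination."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_device(src, dst):
    """Step 7: copy every byte of src to dst, unallocated space included, then
    write-protect the image (step 8). Returns (source_hash, image_hash); the
    two must match before the image is trusted."""
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            fout.write(block)
    os.chmod(dst, 0o444)
    return sha256_file(src), sha256_file(dst)


def catalog(root, clock_offset=timedelta(0)):
    """Step 6: list every file with size, modification time and hash, sorted by
    time. clock_offset is the error measured on the seized machine's clock
    (step 3), reference_time minus machine_time, so that timestamps from
    several computers can be placed on one timeline."""
    rows = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            when = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc) + clock_offset
            rows.append({"path": os.path.relpath(path, root), "size": st.st_size,
                         "mtime": when.isoformat(), "sha256": sha256_file(path)})
    return sorted(rows, key=lambda r: r["mtime"])


def demo():
    """Build constructed evidence, image it, verify, catalogue.
    Returns (hashes_match, image_size, paths_in_time_order)."""
    with tempfile.TemporaryDirectory() as work:
        # constructed raw device: boot code, then data only a sector copy would keep
        device = os.path.join(work, "sda")
        with open(device, "wb") as f:
            f.write(b"BOOT" + b"\x00" * 508 + b"unallocated: old invoice" + b"\x00" * 100)
        image = os.path.join(work, "sda.dd")
        src_hash, img_hash = image_device(device, image)

        # constructed file tree with deliberately out-of-order timestamps
        tree = os.path.join(work, "tree")
        os.makedirs(tree)
        base = 1_500_000_000
        for name, content, t in (("notes.txt", b"meeting 9am", base + 200),
                                 ("ledger.csv", b"acct,amt\n1,500\n", base + 100),
                                 ("remnant.bin", b"\x00" * 32, base + 300)):
            path = os.path.join(tree, name)
            with open(path, "wb") as f:
                f.write(content)
            os.utime(path, (t, t))
        # assumed measurement: the seized machine's clock ran 7 minutes slow
        rows = catalog(tree, clock_offset=timedelta(minutes=7))
        return src_hash == img_hash, os.path.getsize(image), [r["path"] for r in rows]


if __name__ == "__main__":
    print(demo())
```

On a real drive src would be the block device behind a hardware write blocker, and the two digests, together with the label details from step 4, go into the notes before anything else is opened.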
ANALYSIS OF A SECURITY SOFTWARE PACKAGE
ONLINE PROTECTION
Prevents virus attacks by continuously monitoring the system; it blocks infection from e-mail attachments, Internet downloads, the network, FTP, floppies, data storage devices and CD/DVD-ROM executables, and during suspected file copying. All this is done in the background, and you are notified only when a virus-infected file is found or virus-like activity is detected.
EMAIL PROTECTION.
Mail protection has been redesigned to provide the best protection to its users. Your e-mail messages are scanned automatically for any malicious code content.
QUARANTINE

Quarantine helps in safely isolating infected or suspected files. When a file is added to quarantine it is encrypted and kept inside the quarantine directory. Being kept in encrypted form, these files cannot be executed and hence are safe. Quarantine also keeps a copy of an infected file before repairing it.
MESSENGER
It automatically gathers information from the vendor's web site and informs you about new viruses, hoaxes, upgrade availability and other information. It can also be fed from a local folder or network path.

The messenger starts blinking, along with an audio alarm, whenever there is a new message. Click on the blinking ball to view the message. A detailed log of messages is also maintained.
Virus List
Provides an exhaustive database of virus names along with their categories.
System Information is an essential tool for gathering critical information about a Windows-based system. It gathers information to detect new malware from running processes, the registry, and system files such as Config.sys and Autoexec.bat.
REPORTS

These provide detailed information about the functioning of the different modules and about virus scan sessions. Examples are:

Scan reports
Online protection reports
E-mail reports
Scheduler reports
Advanced System Explorer

This tool provides all the important information related to your computer, such as running processes, installed BHOs, toolbars installed in Internet Explorer, installed ActiveX controls, the hosts file, LSPs, startup programs, Internet Explorer settings and active network connections. This helps in diagnosing the system to trace the presence of any new malware or riskware.
Hijack Restore

This restores the important Internet Explorer settings to their defaults. Internet Explorer settings modified by malware, spyware, genuine applications and even by you can easily be restored to the default settings using Hijack Restore. This tool also restores certain other critical operating system settings, such as access to the registry editor and task manager.
DNAScan

This detects new and unknown threats without the need for an update. Additionally, it copies the suspected file to the quarantine directory before taking any action. These quarantined suspicious files are submitted to a research lab for further analysis; after detailed analysis the threat can be added to the known-threat database, which is then provided in updates to all users. This is only possible if the files are detected and isolated before they spread in the wild. DNAScan technology traps suspected files with very few false alarms.
WINDOW SPY

This tool can be used to find out more about an application or process whenever required. At times we keep getting dialog boxes or messages that are shown by spyware or some other malware and we are not able to locate the program responsible. In such a situation this tool can be used to find out more about the application by dragging the target onto the dialog or window that appears on the screen.

This tool provides the following information about the dialog or window:
Application name
Original file name
Company name
File description
File version
Internal name
Product name
Product version
Copyright information
Comments
ANTI-SPAM
Anti-spam tags unwanted emails such as spam, phishing emails and porn emails, and blocks unwanted mail coming into your inbox. Anti-spam scans the mail and, while scanning, prefixes the subject of a spam mail with [SPAM]. A Spam Mails folder is created automatically in the e-mail client and all spam mails are moved directly to that folder.
Spam is estimated to account for up to 40% of global e-mail traffic and is causing a massive headache for businesses, which are losing billions in productivity.
ANTI-PHISHING

This prevents you from accessing phishing and fraudulent websites. Phishing is a fraudulent attempt, usually made through email, to steal your personal information. The tool automatically scans all accessed web pages for fraudulent activity, protecting you against phishing attacks as you surf the Internet, and prevents identity theft by blocking phishing websites, so that you can shop, bank and browse online safely.
Phishing is generally attempted through emails. They usually ask for your personal information, such as a credit card number, social security number, account number or password.

For Internet criminals to successfully "phish" your personal information, they must get you to go from an email to a website. Phishing emails will almost always tell you to click a link that takes you to a site where your personal information is requested.
Privacy Considerations
1: Respect the privacy rules and guidelines of your client and your legal jurisdiction. In particular, make sure that no information collected along with the evidence you are searching for becomes available to anyone who would not normally have access to it.
2: Do not intrude on people's privacy without strong justification. In particular, do not collect information from areas you do not normally have reason to access (such as personal file stores) unless you have sufficient indication that there is a real incident.
3: Make sure you have the backing of your company's established procedures for the steps you take to collect evidence of an incident.
Legal Considerations
Computer evidence needs to be:

1: Admissible: it must conform to certain legal rules before it can be put before a court.

2: Authentic: it must be possible to positively tie the evidentiary material to the incident.
3: Complete: it must tell the whole story and not just a particular perspective.

4: Reliable: there must be nothing about how the evidence was collected and subsequently handled that casts doubt on its authenticity and veracity.

5: Believable: it must be readily believable and understandable by a court.
Transparency
The methods used to collect evidence should be transparent and reproducible. You should be prepared to reproduce precisely the methods you used, and to have those methods tested by independent experts.
Collection Steps
1: List the systems that were involved in the incident and from which evidence will be collected.

2: Establish what is likely to be relevant and admissible.

3: Don't forget the people involved. Make notes of who was there, what they were doing, what they observed and how they reacted.
Chain of Custody
You should be able to clearly describe how the evidence was found, how it was handled and everything that happened to it. The following need to be documented:

1: Where, when, and by whom the evidence was discovered and collected.

2: Where, when and by whom the evidence was handled or examined.

3: Who had custody of the evidence, and during what period.

4: How it was stored.

5: When the evidence changed custody, when and how the transfer occurred.
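The chain-of-custody record above as an added example that is not from the original deck: each entry carries the who, where, when and what fields listed, the hash of the evidence as it stands at that event, and the hash of the previous entry, so that editing, dropping or reordering an earlier entry is detectable. The names, dates and evidence bytes are constructed.

```python
# Added example (not from the original deck): a tamper-evident chain-of-custody
# log. People, times and evidence bytes are constructed for the demonstration.
import hashlib
import json

GENESIS = "0" * 64   # "previous hash" of the first entry


def evidence_hash(data):
    return hashlib.sha256(data).hexdigest()


def record_hash(record):
    """Canonical JSON (sorted keys, no whitespace) so the same fields always give the same hash."""
    encoded = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


class CustodyLog:
    def __init__(self, item_id, evidence):
        self.item_id = item_id
        self.acquisition_sha256 = evidence_hash(evidence)   # hash taken at seizure
        self.entries = []

    def add(self, when, who, where, action, evidence, transferred_to=None):
        """Append one custody event. The evidence is re-hashed at every event so
        the log shows whether the item still matches what was seized."""
        prev = self.entries[-1]["entry_sha256"] if self.entries else GENESIS
        entry = {"item": self.item_id, "seq": len(self.entries), "when": when,
                 "who": who, "where": where, "action": action,
                 "transferred_to": transferred_to,
                 "evidence_sha256": evidence_hash(evidence), "prev": prev}
        entry["entry_sha256"] = record_hash(entry)
        self.entries.append(entry)
        return entry["entry_sha256"]

    def verify(self):
        """Return (ok, problems): each entry must hash to its stored value, link
        to the previous entry, and carry the acquisition hash of the evidence."""
        problems, prev = [], GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_sha256"}
            if record_hash(body) != e["entry_sha256"]:
                problems.append(f"entry {i}: record altered after it was written")
            if e["prev"] != prev or e["seq"] != i:
                problems.append(f"entry {i}: chain broken (entry removed or reordered)")
            if e["evidence_sha256"] != self.acquisition_sha256:
                problems.append(f"entry {i}: evidence no longer matches acquisition hash")
            prev = e["entry_sha256"]
        return not problems, problems


def demo():
    """Two clean entries verify; a later edit to entry 0 is caught."""
    image = b"constructed disk image bytes"
    log = CustodyLog("EXH-001", image)
    log.add("2005-09-19T09:00Z", "A. Mensah", "suspect's office",
            "seized and imaged", image, transferred_to="evidence locker")
    log.add("2005-09-19T14:30Z", "K. Owusu", "lab 2", "examined read-only image", image)
    ok_before, _ = log.verify()
    log.entries[0]["who"] = "someone else"        # quiet 'correction' of the record
    ok_after, problems = log.verify()
    return ok_before, ok_after, problems


def demo_drift():
    """Evidence altered between events: the per-event hash no longer matches."""
    image = b"constructed disk image bytes"
    log = CustodyLog("EXH-002", image)
    log.add("2005-09-20T09:00Z", "A. Mensah", "lab 2", "imaged", image)
    log.add("2005-09-21T09:00Z", "K. Owusu", "lab 2", "examined", image + b"!")
    return log.verify()


if __name__ == "__main__":
    print(demo())
    print(demo_drift())
```

Hash chaining on its own only proves that the log is consistent with itself; anyone who controls the file can recompute the whole chain. In practice each entry is also signed, or the entry hashes are written somewhere the examiner cannot alter (a bound notebook, a WORM store or a timestamping service), which is what turns the record into evidence of custody rather than a note about it.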