
SAK 4801 SPECIAL TOPICS IN COMPUTER SCIENCE II
Chapter 1 Computer Forensics in Today's World

Mohd Taufik Abdullah
Department of Computer Science
Faculty of Computer Science and Information Technology
University Putra of Malaysia
Room No: 2.28

Portions of the material courtesy EC-Council


Computer Forensics and Investigations

Chapter 1 Computer Forensics in Today's World SAK4801 Special Topics in Computer Science II

Learning Objectives
• At the end of this chapter, you will be able to:
• Understand the concept of computer forensics
• Describe how to prepare for computer investigations
• Explain the difference between law enforcement (public) agency and corporate (private) investigations
• Explain the importance of maintaining professional conduct

Chapter 1 Outline
1. Computer Forensics in Today's World
1.1. Introduction to Computer Forensics
1.2. History of Computer Forensics
1.3. Computer Forensics Flaws and Risks
1.4. Cyber Crime
1.5. Reasons for Cyber Attacks
1.6. Modes of Attacks
1.7. Role of Computer Forensics


1.1 Introduction to Computer Forensics

1.1 Introduction to Computer Forensics
• Computers combined with the Internet have become an important part of the everyday life of the general public.
• Nowadays, more and more people are using computers and devices with computing capability.
• The combination of the growth in the computerization of business processes and in the number of Internet users has created new opportunities for criminals.
• According to the EC-Council: 85% of business and government agencies detected security breaches.
• The FBI estimates that the United States loses up to $10 billion a year to cyber crime.

1.1 Introduction to Computer Forensics (Cont.)
• The digital age has produced many new professions, but one of the most unusual is computer forensics.
• Computer forensics deals with the application of law to a science.
• Although it is similar to other forms of legal forensics, the computer forensics process requires a vast knowledge of computer hardware and software in order to avoid the accidental invalidation or destruction of evidence and to preserve the evidence for later analysis.


1.2 History of Computer Forensics

1.2.1 Forensic Science
• Forensic science has been around since the dawn of justice.
• Francis Galton (1822–1911) made the first recorded study of fingerprints.
• Leone Lattes (1887–1954) discovered blood groupings (A, B, AB, and O).
• Calvin Goddard (1891–1955) allowed firearms and bullet comparison for solving many pending court cases.
• Albert Osborn (1858–1946) developed essential features of document examination.
• Hans Gross (1847–1915) made use of scientific study to head criminal investigations.
• The FBI (1932) set up a lab to provide forensic services to all field agents and other law authorities across the country.

1.2.2 Evolution of Computer Forensics
• 1984 - FBI Computer Analysis and Response Team (CART) emerged
• 1991 - International Law Enforcement meeting was conducted to discuss computer forensics and the need for a standardized approach
• 1994 - Department of Justice (DOJ) - Federal Guidelines for Searching and Seizing Computers
• 1997 - FBI - Scientific Working Group on Digital Evidence (SWGDE) was established to develop standards in computer forensics
• 2001 - USAF - Digital Forensics Research Workshop was held
• 2003 - Academic - International Journal of Digital Forensics & Incident Response, Elsevier

1.2.3 Definition of Forensic Science
• Forensic science is "the application of physical sciences to law in the search for truth in civil, criminal and social behavioral matters to the end that injustice shall not be done to any member of society" (Source: Handbook of Forensic Pathology, College of American Pathologists, 1990)
• Forensic science is "the application of scientific techniques and principles to provide evidence to legal or related investigations and determinations" (Forensic Science: An Encyclopedia of History, Methods, and Techniques, 2006)
• Aim: determining the evidential value of crime scene and related evidence

1.2.4 Definition of Computer Forensics
• Computer forensics is defined as "a methodical series of techniques and procedures for gathering evidence, from computing equipment and various storage devices and digital media, that can be presented in a court of law in a coherent and meaningful format" (Dr. H.B. Wolfe)
• According to Steve Hailey, Cybersecurity Institute, computer forensics is "the preservation, identification, extraction, interpretation, and documentation of computer evidence, to include the rules of evidence, legal processes, integrity of evidence, factual reporting of the information found, and providing expert opinion in a court of law or other legal and/or administrative proceeding as to what was found."

1.2.4 Definition of Computer Forensics (Cont.)
• The FBI defines computer forensics as an application of science and engineering to the legal problem of digital evidence.
• According to James Borek (2001), computer forensics is the "equivalent of surveying a crime scene or performing an autopsy on a victim".
• Computer forensics is "the use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations." (DFRWS 2001)

1.2.5 Computer Forensics Versus Other Related Disciplines
Computer forensics versus network forensics
• Computer forensics involves scientifically examining and analyzing data from computer storage media so that the data can be used as evidence in court. (DIBS USA, Inc., a corporation specializing in computer forensics)
• Computer forensics investigates data that can be retrieved from a computer's hard disk or other storage media.
• Investigating computers includes collecting computer data securely, examining suspect data to determine details such as origin and content, presenting computer-based information to courts, and applying laws to computer practice.

1.2.5 Computer Forensics Versus Other Related Disciplines (Cont.)
• Computer forensics investigators retrieve information from a computer or its component parts.
• The information might not be easy to find or decipher, though it might already be on the disk.
• Network forensics produces information about how a culprit or a hacker gained access to a network.
• Network forensics investigates log files and also tries to determine what tracks or new files were left behind on a victim's computer or what changes were made.
• Network forensics investigators use log files to determine when users logged on and try to determine which URLs users accessed, how they logged on to the network, and from what location.

1.2.5 Computer Forensics Versus Other Related Disciplines (Cont.)
Computer forensics versus data recovery
• Data recovery involves recovering information from a computer, for example, a file that was deleted by mistake or lost during a power surge or server crash.
• In data recovery, the information that you are looking for is known.
• Computer forensics is the task of recovering data that users have hidden or deleted, with the goal of ensuring that the recovered data is valid so that it can be used as evidence.
• The evidence can be inculpatory (in criminal cases, the expression is "incriminating") or exculpatory, meaning it might clear the suspect.

1.2.5 Computer Forensics Versus Other Related Disciplines (Cont.)
• Investigators often examine a computer disk not knowing whether it contains evidence; they must search storage media. If they find data, they piece it together to produce evidence.
• Various forensics software tools can be used for most cases.
• In extreme cases, investigators can use electron microscopes and other sophisticated equipment to retrieve information from machines that have been damaged or purposefully reformatted.

1.2.5 Computer Forensics Versus Other Related Disciplines (Cont.)
Computer forensics versus computer security
• Computer forensics is concerned with the proper acquisition, preservation and analysis of digital evidence, typically after an unauthorized access or use has taken place.
• The main focus of computer security is the prevention of unauthorized access, as well as the maintenance of confidentiality, integrity and availability of computer systems.

1.2.6 Need for Computer Forensics
The need for computer forensics arises from:
• The presence of a majority of electronic documents nowadays. According to a University of California study, during 1999: 93% of information was generated in digital form, on computers; 7% of information originated in other media, such as paper.
• The need to search for and identify data in a computer.
• The increasing trail of activities left by perpetrators on computers.
• Digital evidence is delicate in nature; therefore it must be recorded as early as possible to avoid the loss of valuable evidence.
• Electronic information can be easily planted, created and stored.

1.2.6 Need for Computer Forensics (Cont.)
• Law enforcement officials, network and system administrators of IT firms, attorneys and also private investigators depend upon qualified computer forensic experts to investigate their criminal and civil cases.
• An appropriate computer forensics specialist should be called and extended as much cooperative assistance as possible, because if there is to be any chance of recovering property and of locating and successfully prosecuting the criminal, there must be evidence of sufficient quantity and quality.
• For recovering deleted, encrypted or corrupted files from a system.
• This data will be helpful when presenting testimony in court.


1.3 Computer Forensics Flaws and Risks

1.3 Computer Forensics Flaws and Risks
• Computer forensics is in its early or development stages.
• It is different from other forensic sciences as digital evidence is examined.
• There is little theoretical knowledge on which to base assumptions for analysis and standard empirical hypothesis testing.
• When it is carried out, there is a lack of proper training.
• No standardization of tools.
• Designations are not entirely professional.
• It is still more of an "Art" than a "Science".

1.3 Computer Forensics Flaws and Risks (Cont.)
According to EC-Council, Corporate Espionage Statistics:
• Corporate computer security budgets increased at an average of 48% in 2002
• 62% of corporate companies had their systems compromised by a virus
• FBI statistics reveal that more than 100 nations are engaged in corporate espionage against US companies
• More than 2230 documented incidents of corporate espionage by the year 2003


1.4 Cyber Crime

1.4.1 Definition of Cyber Crime
• Definition: "Any illegal act involving a computer, its systems, or its applications" (EC-Council)
• The crime must be intentional and not accidental.
• Cyber crime is divided into the 3 T's:
• Tools of the crime
• Target of the crime
• Tangential to the crime

1.4.1 Definition of Cyber Crime (Cont.)
Tools of the crime
• Involve the various hacking tools that have been used to commit a crime.
• Include the computer or workstation from where the crime has been committed.
• Take the whole system, including hardware such as the keyboard, mouse and monitor.
• Considered to be the evidence that the computer forensic investigator must analyze, process and then document.

1.4.1 Definition of Cyber Crime (Cont.)
Target of the crime
• Also termed the victim.
• The victim can be corporate organizations, websites, consultancy agencies and government bodies.
• The target of the crime is usually the location where the computer forensic investigator goes about the process of examining the crime scene.
Tangential to the crime
• Means the computer was used as a secondary tool.
• The computer creates a unique environment or unique form of assets.
• The computer is not the primary instrument of the crime; it simply facilitates it.
• The computer is used to store the evidence.

1.4.2 Digital Evidence
What is Digital Evidence?
• Information of probative value stored or transmitted in digital form
• Probative value: evidence which is sufficiently useful to prove something important in a trial
Types of Digital Evidence – What to seize?
• Storage media (e.g., floppies, CDs, thumb drives)
• Computer (CPU)
• Laptops (always seize the power supply)
• External drives and media
• Corresponding devices, e.g., tape/tape drive, Jaz disk/Jaz drive
• Unique software and operating manuals (might need to load software on the forensic computer to view files)


1.4.3 Examples of Cyber Crime
Theft of intellectual property
• Includes any act that would allow an individual to get access to patents, trade secrets, customer data, sales trends and any other confidential information that can be of monetary gain.
Damage of company service networks
• Takes place by the attacker planting a trojan horse, conducting a denial of service attack, or installing an unauthorized modem in the network to allow insiders a chance to gain access.
Financial fraud
• Refers to any type of criminal behavior that uses fraudulent solicitation of prospective victims to conduct fraudulent transactions.

1.4.3 Examples of Cyber Crime (Cont.)
Hacker system penetrations
• A network or system penetration occurs when an outsider gets access to the network and changes settings within the network.
• Hackers attack using tools that take advantage of vulnerabilities in the security posture of the network, such as Trojans, rootkits, and sniffers.
Denial of Service attacks
• Aim at stopping legitimate requests to a network over the Internet by subjecting the network to illegitimate requests.
• Occur when several systems take up useful network resources, thereby rendering the network inaccessible.

1.4.3 Examples of Cyber Crime (Cont.)
Planting of viruses and worms
• Viruses can affect machines and seek to infect other vulnerable systems through applications such as an email client.
• Worms seek to replicate themselves over the network, thereby hogging resources apart from creating malfunctions.
• Trojan horses and backdoors are programs that allow an intruder to retain access to a compromised machine.


1.5 Reasons for Attacks

1.5 Reasons for Cyber Attacks
Motivation for cyber attacks:
• Experimentation and a desire for script kiddies to learn
• Psychological needs – to leave a mark
• Misguided trust in other individuals
• Revenge and malicious reasons – disgruntled employee
• Desire to embarrass the target
• Espionage – corporate and governmental
• Paid to gain information


1.6 Modes for Attacks

1.6 Modes of Attacks
• Cyber crime falls into two categories depending on the way the attack takes place. The two types of attacks are:
• Insider attacks: attacks from an employee within the organization
• External attacks: attacks from the outside by persons who are not within the company. These involve hackers hired by either an insider or an external entity whose aim is to destroy a competitor's reputation.


1.7 Role of Computer Forensics

1.7.1 Stages of Forensic Investigation in Tracking Computer Crime
• Identifying the crime
• Gathering the evidence
• Building a chain of custody: in this stage, data have been recovered; data once recovered must be duplicated or replicated
• Analyzing the evidence – use the duplicate
• Presenting the evidence
• Testifying
• Prosecution: in this stage, the computer forensics investigator must act as an expert witness

1.7.1 Stages of Forensic Investigation in Tracking Computer Crime (Cont.)
An expert witness
• A person who can investigate a particular case, evaluate all findings, and educate the jury about his/her findings.
• His/her most important function is to present all his/her findings of the case in court.
• When functioning as an expert witness, the forensic investigator is the actual tool that law enforcement agencies around the world use to track and prosecute cyber criminals.

1.7.2 Rules of Computer Forensics
A good forensic investigator should always follow these rules:
• Minimize the option of examining the original evidence; instead, examine the duplicate evidence
• Obey the rules of evidence and do not tamper with the evidence
• Always prepare a chain of custody, and handle evidence with care
• Never exceed the knowledge base of the forensic investigation
• Document any changes in evidence

1.7.3 The 3 As of Computer Forensics Methodology
The 3 As of computer forensics methodologies:
• Acquire evidence without modification or corruption
• Authenticate that the recovered evidence is the same as the originally seized data
• Analyze data without any alterations

1.7.4 Accessing Computer Forensics Resources
• Resources can be found by joining various discussion groups such as:
• Computer Technology Investigators Northwest
• High Technology Crime Investigation Association
• Joining a network of computer forensic experts and other professionals
• News services devoted to computer forensics can also be a powerful resource
• Other resources: journals of forensic investigators, actual case studies

1.7.5 Preparing for Computer Investigations
• Computing investigations fall under two distinct categories: public investigation and corporate investigation
• Public (enforcement agency) investigations include:
• Tools used to commit the crime
• Reason for the crime
• Type of crime
• Infringement on someone else's rights by cyberstalking

1.7.5 Preparing for Computer Investigations (Cont.)
Corporate investigations include:
• Private companies who address company policy violations and litigation disputes
• Company procedures should continue without any interruption from the investigation
• After the investigation the company should minimize or eliminate similar litigations
• Industrial espionage is the foremost crime in corporate investigations

1.7.6 Investigation Process
Identification: detecting/identifying the event/crime.
• Assess the case, ask people questions, and document the results in an effort to identify the crime and the location of the evidence.
Preservation of evidence: chain of custody/evidence, documentation.
• A chain of custody/evidence must be prepared to know who handled the evidence, and every step taken by the forensic investigator must be documented for inclusion in the final report.
• Sometimes a computer and its related evidence can determine the chain of events leading to a crime for the investigator, as well as provide the evidence which can lead to conviction.

1.7.6 Investigation Process (Cont.)
• Chain of custody is the accurate documentation of the movement and possession of a piece of evidence, from the time it is taken into custody until it is delivered to the court:
• Who collected it?
• How and where?
• Who took possession of it?
• How was it stored and protected?
• Who took it out of storage and why?

1.7.6 Investigation Process (Cont.)
Collection: data recovery, evidence collection.
• Finding the evidence, discovering relevant data, preparing an Order of Volatility, eradicating external avenues of alteration, gathering the evidence, and preparing a chain of custody.
• Create an MD5 hash of the evidence collected.
• Prior to collection, one should do a preliminary assessment to search for the evidence.
• Collect and seize the equipment used in committing the crime, and document the items collected, such as floppy disks, thumb drives, CDs, DVDs, and external backup drives.
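An added example, not from the slides or EC-Council's material, that ties the Collection step's MD5 hash to the chain-of-custody questions of section 1.7.6 and the 3 As of section 1.7.3: the evidence bytes, item id, examiner names and locations are constructed, and a SHA-256 is recorded alongside the MD5 the slides call for.

```python
"""Added example (not from the slides): the 3 As (Acquire, Authenticate,
Analyze) applied to constructed in-memory evidence, with a chain-of-custody log
that answers who/how/where/when for each handling step."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample contents of a seized medium (stands in for a thumb drive).
SEIZED_MEDIA = b"PARTITION-TABLE\x00\x00invoice_2003.doc deleted\x00memo.txt\x00" * 64


def digest(data: bytes) -> dict:
    """MD5 as the slides specify, plus SHA-256 recorded alongside it: MD5 is
    no longer collision resistant, so a second hash lets the image be
    re-authenticated later even where MD5 alone would not be accepted."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


@dataclass
class CustodyEntry:
    when: str       # UTC timestamp of the handling step
    who: str        # person who handled the item
    action: str     # collected / transferred / examined ...
    where: str      # location of the step
    note: str = ""


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    image: bytes            # working copy; the original is never examined
    hashes: dict            # hashes of the original, taken at seizure
    custody: list = field(default_factory=list)

    def log(self, who: str, action: str, where: str, note: str = "") -> None:
        ts = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.custody.append(CustodyEntry(ts, who, action, where, note))


def acquire(original: bytes, item_id: str, description: str,
            examiner: str, location: str) -> EvidenceItem:
    """Acquire: hash the original before anything else, take a bit-for-bit
    copy, and open the chain of custody. (A real acquisition reads the medium
    through a write blocker; here the medium is a byte string.)"""
    hashes = digest(original)
    image = bytes(original)            # bit-for-bit copy to work on
    item = EvidenceItem(item_id, description, image, hashes)
    item.log(examiner, "collected", location, "md5=" + hashes["md5"])
    return item


def authenticate(item: EvidenceItem, data: bytes) -> bool:
    """Authenticate: data is only evidence if it hashes identically to what was
    seized; a single changed byte fails the comparison."""
    return digest(data) == item.hashes


def analyze(item: EvidenceItem, examiner: str, keyword: bytes) -> list:
    """Analyze the duplicate, never the original: a keyword search over the
    image, logged as a custody step. Returns the byte offsets of each hit."""
    if not authenticate(item, item.image):
        raise ValueError("working copy failed authentication; re-image before analysis")
    hits, start = [], 0
    while (pos := item.image.find(keyword, start)) != -1:
        hits.append(pos)
        start = pos + 1
    item.log(examiner, "examined", "forensic workstation",
             f"keyword {keyword!r}: {len(hits)} hit(s)")
    return hits


def custody_report(item: EvidenceItem) -> list:
    """One line per handling step: who did what to the item, where and when."""
    return [f"{e.when} {e.who} {e.action} {item.item_id} at {e.where} {e.note}".rstrip()
            for e in item.custody]


if __name__ == "__main__":
    item = acquire(SEIZED_MEDIA, "EX-001", "thumb drive (constructed sample)",
                   "examiner A", "suspect's desk (constructed location)")
    item.log("examiner A", "transferred", "evidence locker", "sealed, bag #1")
    print("hits at offsets:", analyze(item, "examiner B", b"deleted")[:3], "...")
    tampered = bytearray(item.image)
    tampered[10] ^= 0x01               # one flipped bit in a copy
    print("tampered copy authenticates:", authenticate(item, bytes(tampered)))
    print("\n".join(custody_report(item)))
```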

1.7.6 Investigation Process (Cont.)
• Take photos of the crime scene before removing the evidence, using a Single Lens Reflex (SLR) camera.
Examination: tracing, filtering, extracting hidden data.
• Review registers and cache, routing tables, ARP cache, process tables, and kernel statistics and modules.
Analysis
• Analyzing evidence can be carried out using various forensic analysis tools such as EnCase, AccessData, etc.

1.7.6 Investigation Process (Cont.)
Presentation: investigation report, expert witness.
• Include what was done and the results in the final report. This includes:
• Who, what, when, where, and how of the crime.
• Explain the computer and network processes.
• The log files generated by forensic tools to keep track of all the steps taken.
Decision
Report

1.7.7 Where and When Do You Use Computer Forensics
Use computer forensics when:
• there is a need to provide real evidence, such as reading bar codes and magnetic tapes, to identify the occurrence of electronic transactions and reconstruct an incident with its sequence of events.
• a breach of contract occurs, or if copyright and intellectual property theft/misuse happens, or during employee disputes where there is damage to resources.

1.7.8 Maintaining Professional Conduct
• Professional conduct determines the credibility of a forensic investigator.
• Investigators must display the highest level of ethics and moral integrity.
• Maintaining objectivity: sustain unbiased opinions of your cases.
• Confidentiality is an essential feature which all forensic investigators must display.
• Avoid making conclusions about the findings until all reasonable leads have been exhausted.
• Consider all the available facts.
• Ignore external biases to maintain the integrity of the fact-finding in all investigations.

1.7.8 Maintaining Professional Conduct (Cont.)
• Discuss the case at hand only with persons who have the right to know.
• Stay current with the latest technical changes in computer hardware and software, networking, and forensic tools.
• Learn about the latest investigation techniques that can be applied to the case.
• Record fact-finding methods in a journal; include dates and important details that serve as memory triggers.
• Develop a routine of regularly reviewing the journal to keep past achievements fresh.

1.7.8 Maintaining Professional Conduct (Cont.)
• Attend workshops, conferences, and vendor-specific courses conducted by software manufacturers.
• Monitor the latest book releases and read as much as possible about computer investigations and forensics.

Summary
• The need for computer forensics has grown to a large extent due to the presence of a majority of digital documents.
• Computer forensics differs from network forensics, data recovery, and disaster recovery in scope, technique, and objective.
• A computer can be used as a tool for investigation or as evidence.
• Minimize the option of examining the original evidence.
• The 3 As of computer forensics methodologies are Acquire, Authenticate, and Analyze.
• A computer forensic investigator must be aware of the steps involved in the investigative process.

Summary (Cont.)
• To be successful, you must be familiar with more than one computing platform.
• To supplement your knowledge, develop and maintain contact with computer, network, and investigative professionals.
• Public investigations typically require a search warrant before the digital evidence is seized.
• During public investigations, you search for evidence to support criminal allegations.
• During private investigations, you search for evidence to support allegations of abuse of a company's or person's assets and, in some cases, criminal complaints.
• Forensics investigators must maintain an impeccable reputation to protect credibility.

Summary (Cont.)
• Most information is stored on hard disks, floppy disks, and CD-ROMs in a nonvolatile manner.
• Peripheral components (video adapter cards, sound cards, mice, keyboards, NICs) attach to the mainboard via an expansion slot or port.
• All peripherals must have a unique IRQ and I/O address to communicate with the processor.
• Hardware information can be gathered from computer manuals, BIOS, or other OSs.
• Computer forensics investigators must maintain professional conduct to protect their credibility.


End of Chapter 1