COMPUTER FORENSICS LIBIN P BABU

Page 1

COMPUTER FORENSICS

LIBIN P BABU

Page 2

WHAT NEWS DO WE SEE TODAY?

Page 3

WHAT IS COMPUTER FORENSICS

A process of applying scientific and analytical techniques to computer operating systems and file structures to determine potential legal evidence.

Page 4

IT IS THE PRACTICE OF LAWFULLY ESTABLISHING EVIDENCE AND FACTS.

It is a science involving legal evidence that is found in digital storage media and in computers.

Subdivisions:

• DISK FORENSICS

• NETWORK FORENSICS

• MOBILE FORENSICS

Page 5

TYPES OF CYBER CRIMES

• FORGERY

• BREACH OF COMPUTER SECURITY

• FRAUD/THEFT

• COPYRIGHT VIOLATIONS

• IDENTITY THEFT

• THREATS

• BURGLARY

• HOMICIDE

• ADMINISTRATIVE INVESTIGATIONS

• CYBER TERRORISM

• SALES AND INVESTMENT FRAUD

• ELECTRONIC FUND TRANSFER FRAUD

Page 6

CYBER CRIME : TOP 20 COUNTRIES

Page 7

SOURCES OF EVIDENCE

• SLACK, FREE AND SWAP SPACE, RECYCLE BIN

• EVENT LOGS

• REGISTRY

• APPLICATION FILES, TEMP FILES

• E-MAIL

• BROWSER HISTORY AND CACHE

Page 8

DIGITAL EVIDENCE

• “ANY DATA THAT IS RECORDED OR PRESERVED ON ANY MEDIUM IN OR BY A COMPUTER SYSTEM OR OTHER SIMILAR DEVICE, THAT CAN BE READ OR UNDERSTOOD BY A PERSON OR A COMPUTER SYSTEM OR OTHER SIMILAR DEVICE. IT INCLUDES A DISPLAY, PRINTOUT OR OTHER OUTPUT OF THAT DATA.”

Page 9

TYPES OF DIGITAL EVIDENCE

1) PERSISTENT DATA

Meaning data that remains intact when the computer is turned off, e.g. hard drives, disk drives and removable storage devices (such as USB drives or flash drives).

2) VOLATILE DATA

Meaning data that would be lost if the computer is turned off, e.g. deleted files, computer history, the computer's registry, temporary files and web browsing history.

Page 10

FORENSIC TOOLS

• BLACKLIGHT - Windows, Mac and iOS forensic analysis software

• INTERNET EVIDENCE FINDER - Forensic tool that recovers internet-related communications (chat, social networking, webmail, cloud, web history and more), including deleted data

• SANS INVESTIGATIVE FORENSICS TOOLKIT (SIFT) - Multi-purpose forensic operating system

• REGISTRY RECON - Forensic tool that rebuilds Windows registries from anywhere on a hard drive and parses them for deep analysis.

Page 11

MOBILE DEVICE FORENSICS

• CELLEBRITE MOBILE FORENSICS - Universal forensic extraction device; hardware and software

• MICROSYSTEMATION XRY/XACT - Hardware/software package, specialises in deleted data

• ELCOMSOFT IOS FORENSIC TOOLKIT (EIFT) - Acquires bit-precise images of Apple iOS devices in real time

• ELCOMSOFT PHONE PASSWORD BREAKER - Enables forensic access to password-protected backups for smartphones and portable devices based on the RIM BlackBerry and Apple iOS platforms.

Page 12

FORENSICS PROCEDURES

1) Make a digital copy of the original evidence. Investigators make a copy of the evidence and work with the copy to reduce the possibility of inadvertently changing the original evidence.

2) Authenticate the copy of the evidence. Investigators must verify that the copy of the evidence is exactly the same as the original.

3) Analyze the digital copy. The specific procedures performed in an investigation are determined by the specific circumstances under which the investigation is occurring.

Page 13

CREATING A FORENSIC IMAGE

• Use a write blocker to ensure that no data is written back to the subject's hard drive.

• Connect the disk to the forensic server.

• Create the image of the disk using commands or specific applications.

• Verify the image using an MD5 sum.
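The copy-and-authenticate steps of pages 12 and 13 in working form, as an added Python example that is not part of the original slides: it makes a bit-stream copy of a constructed "device" file, records MD5 (as on the slide) and SHA-256 while reading, then re-hashes the image to authenticate it and shows that a single altered byte fails verification. The paths, the 3 MiB sample content and the one-byte corruption are constructed for the demo; a hardware write blocker in front of the real source is assumed.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20              # 1 MiB reads keep memory flat even on multi-TB devices
ALGOS = ("md5", "sha256")    # MD5 as on the slide, with SHA-256 recorded alongside it

def _hashers():
    return {a: hashlib.new(a) for a in ALGOS}
def hash_file(path):
    """Hash a file or raw block device in chunks; returns {algorithm: hexdigest}."""
    hashers = _hashers()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}

def create_image(source, image_path):
    """Bit-stream copy of `source` to `image_path` (the dd-style step on the slide).
    Source bytes are hashed as they are read, so the acquisition hashes come from
    the same single pass. The source is opened read-only; a write blocker is assumed."""
    hashers = _hashers()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
            dst.write(block)
    return {a: h.hexdigest() for a, h in hashers.items()}

def verify_image(acquisition_hashes, image_path):
    """Authenticate the copy: every recorded hash must match the image on disk."""
    return hash_file(image_path) == acquisition_hashes

def demo():
    """Constructed 'device' (3 MiB of patterned bytes) in a temp dir; returns
    (verified right after imaging, verified after one image byte is altered)."""
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "sdb.raw")          # stands in for a real /dev/sdb
        image = os.path.join(tmp, "evidence001.dd")
        with open(device, "wb") as f:
            f.write(bytes(range(256)) * (3 * 4096))
        acquired = create_image(device, image)
        ok_before = verify_image(acquired, image)
        with open(image, "r+b") as f:                  # flip one byte: simulated corruption
            f.seek(1234567)
            f.write(b"\x00")
        ok_after = verify_image(acquired, image)
    return ok_before, ok_after
```

Record the acquisition hashes in the case notes at imaging time; re-running verify_image() on the working copy before each analysis session is what lets the copy stand in for the original.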

Page 14

ANALYSIS OF A FORENSIC IMAGE

• Logical and physical analysis

• Logical – Conventional way of accessing files using a file explorer, image viewers, etc. Analyses allocated space.

• Physical – Using hex editors. Analyses unallocated and slack space.

• Mount the image

• Search for files using keywords, type, etc.

Page 15

TO REDUCE SEARCH SIZE

• HASH ANALYSIS

• SIGNATURE ANALYSIS
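Both techniques on this page, as an added Python example that is not from the original slides: hash analysis drops files whose SHA-256 is on a known-good list and flags those on a known-bad list, and signature analysis then compares the magic bytes of whatever remains against the file extension, so renamed files surface for review. The known-good and known-bad sets, the small magic-number table and the four sample files are constructed here; a real known-good set such as NIST's NSRL holds millions of hashes and real tools carry hundreds of signatures.

```python
import hashlib
import os
import tempfile
from pathlib import Path
SIGNATURES = {"jpg": b"\xff\xd8\xff", "pdf": b"%PDF-", "zip": b"PK\x03\x04", "exe": b"MZ"}

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def detect_type(path):
    """Signature analysis: classify a file by its leading bytes, not its name."""
    with open(path, "rb") as f:
        head = f.read(16)
    return next((k for k, magic in SIGNATURES.items() if head.startswith(magic)), None)

def triage(paths, known_good, known_bad):
    """Hash analysis first (drop known-good, flag known-bad), then signature
    analysis on what remains. Returns {path: verdict}."""
    verdicts = {}
    for path in paths:
        digest = sha256_file(path)
        if digest in known_good:
            verdicts[path] = "known-good"      # stock OS/app file, excluded from search
        elif digest in known_bad:
            verdicts[path] = "known-bad"       # hash of interest, flagged for review
        else:
            ext = os.path.splitext(path)[1].lstrip(".").lower()
            kind = detect_type(path)
            # an extension that disagrees with the signature is the classic renamed file
            verdicts[path] = f"mismatch:{ext}->{kind}" if kind and kind != ext else "review"
    return verdicts

def demo():
    samples = {                                  # constructed evidence set
        "calc.exe": b"MZ" + b"\x90" * 64,        # on the known-good list
        "invoice.pdf": b"%PDF-1.4 constructed",  # unknown, stays in the review set
        "notes.txt": b"\xff\xd8\xff\xe0JFIF",   # a JPEG renamed to .txt
        "tool.bin": b"MZ" + b"\xcc" * 32,        # on the known-bad list
    }
    known_good = {hashlib.sha256(samples["calc.exe"]).hexdigest()}
    known_bad = {hashlib.sha256(samples["tool.bin"]).hexdigest()}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            Path(tmp, name).write_bytes(data)
        result = triage([os.path.join(tmp, n) for n in samples], known_good, known_bad)
    return {os.path.basename(p): v for p, v in result.items()}
```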

Page 16

SEARCHING FOR EVIDENCE

• Emails

• Windows swap file - A swap file is virtual memory that is used as an extension of the computer system's RAM

• Cookies - Cookies are pieces of information generated by a web server and stored on the user's computer, ready for future access

• INDEX.DAT

Page 17

index.dat FILE

• Every time a user uses Windows Explorer or Internet Explorer to access a file or web site, digital traces of these activities are placed on the hard drive.

• index.dat files are binary files.

• Pasco is a small open-source application that parses the contents of index.dat files and outputs the results into a tab-delimited file.

• Contains information on:

  Files accessed and opened via Windows Explorer (rows 4 through 9)

  Keywords used in searches over the internet (rows 10 and 11)

  URLs visited via Internet Explorer (rows 12 through 15)

Page 18

WHAT HAPPENS WHEN A FILE IS DELETED?

Consider the FAT file system.

• Constructed with:

1. The boot record is the 1st sector of the disk

2. 1st file allocation table

3. 2nd file allocation table (a backup of the first)

4. Root directory

5. Data area

Page 19

When a file is deleted:

• The first character of the file's name in the root directory is changed to E5h.

• The FAT entries are set to 0.
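Pages 18 and 19 in working form, as an added Python example that is not from the original slides: a tiny in-memory FAT16 volume (root directory, FAT and data area; the boot sector is omitted), whose delete() performs exactly the two steps above, and whose recover_deleted() shows why the file remains recoverable: the E5 entry still carries the rest of the name, the first cluster and the size, and the data area is never touched. The 512-byte cluster, the 64-cluster volume and the REPORT.TXT content are constructed; recovery assumes the clusters were contiguous and not yet reused.

```python
import struct
CLUSTER = 512
EOC = 0xFFFF       # end-of-chain marker in a FAT16 table
DELETED = 0xE5     # first byte of a directory entry whose file was deleted
class TinyFat16:
    def __init__(self, clusters):
        self.fat = [0] * clusters                    # 0 = free cluster
        self.fat[0], self.fat[1] = 0xFFF8, 0xFFFF    # reserved entries
        self.root = bytearray()                      # 32-byte directory entries
        self.data = bytearray(CLUSTER * clusters)
    def write_file(self, name, ext, content):
        need = max(1, -(-len(content) // CLUSTER))
        chain = [c for c, v in enumerate(self.fat) if v == 0][:need]
        for i, c in enumerate(chain):
            self.fat[c] = chain[i + 1] if i + 1 < need else EOC
            piece = content[i * CLUSTER:(i + 1) * CLUSTER]
            self.data[c * CLUSTER:c * CLUSTER + len(piece)] = piece
        # name(8) ext(3) attr(1) reserved(10) time(2) date(2) first cluster(2) size(4)
        self.root += struct.pack("<8s3sB10sHHHI", name.ljust(8).encode(), ext.ljust(3).encode(),
                                 0x20, b"\0" * 10, 0, 0, chain[0], len(content))
    def delete(self, name):
        """The two steps on the slide and nothing else: the data area is untouched."""
        for off in range(0, len(self.root), 32):
            if self.root[off:off + 8] == name.ljust(8).encode():
                cluster = struct.unpack_from("<H", self.root, off + 26)[0]
                self.root[off] = DELETED                 # step 1: first name byte -> E5h
                while cluster != EOC:                    # step 2: FAT chain entries -> 0
                    nxt = self.fat[cluster]
                    self.fat[cluster] = 0
                    cluster = nxt
    def recover_deleted(self):
        """Forensic view: an E5 entry still holds the rest of the name, the first
        cluster and the size. Assumes contiguous, not-yet-reused clusters."""
        found = {}
        for off in range(0, len(self.root), 32):
            if self.root[off] == DELETED:
                stem = b"?" + self.root[off + 1:off + 8].rstrip()   # first char is lost
                ext = self.root[off + 8:off + 11].rstrip()
                first, size = struct.unpack_from("<HI", self.root, off + 26)
                start = first * CLUSTER
                found[(stem + b"." + ext).decode()] = bytes(self.data[start:start + size])
        return found

def demo():
    fs = TinyFat16(64)
    content = bytes(range(256)) * 3          # 768 constructed bytes -> 2 clusters
    fs.write_file("REPORT", "TXT", content)
    fs.delete("REPORT")
    return fs.root[0], fs.fat[2:4], fs.recover_deleted()
```

After demo() the directory entry starts with E5h, the two FAT entries read 0, yet recover_deleted() returns the full content under the name ?EPORT.TXT.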

Page 20

COMPUTER FORENSICS METHODOLOGY

1) SHUT DOWN THE COMPUTER

2) DOCUMENT THE HARDWARE CONFIGURATION OF THE SYSTEM

3) TRANSPORT THE COMPUTER SYSTEM TO A SECURE LOCATION

4) MAKE BIT STREAM BACKUPS OF HARD DISKS AND FLOPPY DISKS

5) MATHEMATICALLY VERIFY DATA ON ALL STORAGE DEVICES

6) DOCUMENT THE SYSTEM DATE AND TIME

7) MAKE A LIST OF KEY SEARCH WORDS

Page 21

8) EVALUATE THE WINDOWS SWAP FILE

9) EVALUATE FILE SLACK

10) EVALUATE UNALLOCATED SPACE (ERASED FILES)

11) SEARCH FILES, FILE SLACK AND UNALLOCATED SPACE FOR KEY WORDS

12) DOCUMENT FILE NAMES, DATES AND TIMES

13) IDENTIFY FILE, PROGRAM AND STORAGE ANOMALIES

14) EVALUATE PROGRAM FUNCTIONALITY

15) DOCUMENT YOUR FINDINGS

Page 22

APPLICATIONS

• FINANCIAL FRAUD DETECTION

• CRIMINAL PROSECUTION

• CIVIL LITIGATION

• “CORPORATE SECURITY POLICY AND VIOLATIONS”

Page 23

WHO USES COMPUTER FORENSICS

CRIMINAL PROSECUTORS

RELY ON EVIDENCE OBTAINED FROM A COMPUTER TO PROSECUTE SUSPECTS AND USE AS EVIDENCE.

CIVIL LITIGATION

PERSONAL AND BUSINESS DATA DISCOVERED ON A COMPUTER CAN BE USED IN FRAUD, HARASSMENT OR DISCRIMINATION CASES.

PRIVATE CORPORATIONS

EVIDENCE OBTAINED FROM EMPLOYEE COMPUTERS CAN BE USED IN HARASSMENT, FRAUD AND EMBEZZLEMENT CASES.

Page 24

LAW ENFORCEMENT OFFICIALS

RELY ON COMPUTER FORENSICS TO BACK UP SEARCH WARRANTS AND POST-SEIZURE HANDLING.

INDIVIDUAL/PRIVATE CITIZENS

OBTAIN THE SERVICES OF PROFESSIONAL COMPUTER FORENSIC SPECIALISTS TO SUPPORT CLAIMS OF HARASSMENT, ABUSE OR WRONGFUL TERMINATION FROM EMPLOYMENT.

Page 25

THANK YOU