Upload
juan-thompson
View
61
Download
0
Tags:
Embed Size (px)
Citation preview
COMPUTER FORENSICS
Mr Kolapo Oyeusi
04044790
Supervisor : Dr. Nick Ioannides
A Dissertation submitted in partial fulfilment
of the requirements of London Metropolitan University for
the degree of Bachelor of Science in Computer Networking with Honours
May 2009
Faculty of Computing
TABLE OF CONTENT
Definition of Terms
Glossary
Acknowledgements
Dedication
Abstract
Chapter 1: Introduction
Chapter 2: Literature review
Chapter 3: Approach and scope
Chapter 4: Practical/ Simulation/ Research work & Result
Chapter 5: A Critical Appraisal, Recommendations and Suggestions for further Work
Summary
Chapter 6: Conclusions
Appendices
Appendix A: Project Proposal Report
Appendix B: Materials (i.e Configurations, Program source listings etc)
Reference & Bibliography
Literature review
2
Reference and Bibliography
Definition of terms
Write-Blockers: These are devices that allow acquisition of information on a drive without creating the possibility of accidentally damaging the drive contents. Hardware write blockers can be IDE-to-IDE or Firewire/USB-to-IDE.
Good data: These are known file types such as operating system files and common programs (Microsoft word etc)
3
Chapter 1: Introduction
Computer forensic is the collection, preservation, analysis and presentation of computer
related evidence that can be useful in criminal cases, civil disputes and human
resources/employment proceedings (Vacca, 2005).
With the growth of the internet and the ever changing digital environment, the need for
computer forensics experts cannot be over emphasised.
The world gradually is becoming a global village due to the presence of the internet and the
personal computer. Businesses and transactions that would have been done in person are now
carried out online. The internet has made targets much more accessible and the risk involved
for the criminals are much lower than traditional crimes.
With more people embracing the internet, the number of people using the internet is expected
to rise to 794 million in 2009 from 657 million that is currently available (Vacca, 2005).
However, the word forensic was derived from usage in the medical field. Forensic Medicine
has been a recognised discipline as far back as the 18th century (Dixon, 2005). The computer
industry has been taking computer forensic serious for some years now due to embarrassing
computer break-ins by teenage hackers.
Computer forensics is one of the largest growing professions of the 21st century. (Vacca,
2005). This is partly due to the growth of the internet which allows organizations and
individuals to be susceptible to security threat.
It is difficult to pinpoint the first computer forensic examination but in 1991, the term
computer forensics was coined in the first training session held by the International
Association of Computer Investigative Specialist (IACIS) (www.forensics-intl.com)
4
Computer forensics has also been described as the autopsy of a computer hard disk drive
because specialized software tools and techniques are required to analyze the various levels at
which computer data is stored after the fact. The Military and the intelligence gathering
agency have been involved in computer forensics since the mid-1980 but this field is
relatively new to the private sector. Computer forensic tools and procedures are used to
identify computer security weaknesses and the leakage of sensitive computer data.
(www.forensics-intl.com)
The main goals of computer forensics are the preservation, identification, extraction,
documentation and interpretation of recovered computer data.
5
Chapter 2: Literature review
Several criminal activities are being committed nowadays such as cyber terrorism, internet
fraud, viruses, illegal downloads, falsification of document, child pornography, counterfeiting,
economic espionage, benefit fraud, human resources/employment proceedings just to mention
a few. As such, there is need for necessary legislation to help prosecute the perpetrators of
these crimes. This is where the skills of a forensic expert come in to help build indisputable
evidence against them.
If the computer and its contents are examined by anyone other than a trained and experienced
computer forensics specialist, the usefulness and credibility of that evidence will be tainted
(Vacca , 2005). A highly skilled computer forensic analyst is someone who understands the
discipline as well as understands the use of computer forensic tools.
Network forensic investigators on the other hand uses log files to determine when users
logged on and they also try to determine which URL’s users accessed, how they logged on to
the network and from what location. In special cases, forensic experts use electron
microscopes and other sophisticated equipments to retrieve information from machines that
have been damage or formatted. The use of this method can be very capital intensive which
may sometime exceed $20000. (Bill Nelson et al, 2008)
A survey recently conducted reveals that both public and private agencies face serious threats
from external and internal sources. (Computer Crime and Security Survey, 2003)
There are three things to take into consideration when carrying out computer forensic. A
computer can be the target of the crime, it can be the instrument of the crime or it can serve as
an evidence repository storing valuable information about the crime. Knowing what role the
6
computer played in the crime can of tremendous help when searching for evidence. This
knowledge can also help reduce the time taken to package your evidence.
Also, the evidence required can be located on a network, embedded system or on dead
systems. Most forensic examination is carried out on dead systems that have been delivered
for analysis. It is recommended that computers should be powered down to prevent loss of
evidence when making seizure but doing so before collecting volatile evidence can lead to
loss of evidence when dealing with systems with large RAM or those having active network
connections (Casey,2002).
The integrity and security of evidence is a priority when carrying out forensic investigation
and there are stringent guidelines that must be adhered to even when trying to save time.
A computer forensics specialist should not just rely on just one tool to preserve, identify,
extract and validate the computer evidence. Cross validation through the use of multiple tools
and techniques is standard in all forensic sciences. When this procedure is not used, it creates
advantages for defence lawyers who may challenge the accuracy of the software tool used and
thus the integrity of the results. Using multiple validation software tools enables computer
forensic specialists and procedures eliminate any doubt about the accuracy of the evidence.
(www.forensics-intl.com)
When searching for graphical images on a computer system, it is important not to look for
files with the GIF or JPEG extensions only since the suspect might have saved it with another
extension like DOC. Therefore it is important to search every sector of the physical disk for
certain file types (Casey, 2002)
Encryption and stenography hinder the investigation of a computer forensic specialist.
Encryption makes it difficult for the examiner to analyse evidence that have been found,
7
collected, documented and preserved. Stenography on the other hand involves the act of
hiding information.
An individual using specialist data hiding tools like the Marutukku can protect its self from all
data recovery techniques. (Casey, 2002)
Computers have been featuring in litigations for over 31 years. In 1977, there were 20 U.K
cases in which the word computer appeared and which was sufficiently important to be noted
in the lexis database. In the United state, there were 291 federal cases and 246 state cases in
which it appeared (Vacca, 2005). A lot of people sometimes think of a computer forensic
expert as someone who helps in recovering lost digital data from a computer but their work
goes far beyond that.
Countries all over the world are creating new laws and amending old ones since the surge in
computer related crimes. It is important to have the necessary legal backing to bring the
perpetrators of these crimes to justice or else the work carried out by a computer forensic
specialist will be in vain. Likewise, businesses are adjusting their policies to help protect
themselves against disgruntled employees willing to reveal sensitive client records and trade
secrets.
Employing the services of a computer forensic specialist can be tricky sometimes. Having
someone with the expertise and experience is not just enough nowadays. The individual must
also be able to testify and stand up to scrutiny and pressure of cross examination in the law
court.
In the early 1980’s, computer forensic tools were simple and mainly generated by government
agencies such as the U.S internal Revenue Service (IRS) and the Royal Canadian Mounted
Police (RCMP) in Ottawa. Most of the tools written then were in C language and assembly
language and were not that popular. Moving into the mid 1980’s, a software known as Xtree
8
Gold was introduced which was able to recognise file types as well as retrieve lost or deleted
files. Shortly after the release of Xtree, Norton released the DiskEdit and this became the best
tool for finding deleted files at that time because the DiskEdit was compatible with most PC’s
then.
Moving into the 1990’s, specialist tools for computer forensics became available. This led to
the training on software for computer forensic investigation by the International association of
Computer Investigative Specialist (IACIS). ASR Data created commercial GUI forensic
software called Expert Witness. The Expert Witness could recover deleted files and fragments
of deleted files. One of the ASR partner left to develop Encase which is the most popular
forensic tool.
DATA RECOVERY
Data recovery is the process in which highly trained forensic experts evaluate and extract data
from damaged media and return it in an intact format (Vacca, 2005). Lost data might be as a
result of computer systems crashing, accidental deletion, computer viruses corrupting files,
disgruntled employee destroying files just to mention a few. There is a high chance of
recovering all the data if recovery is attempted shortly after the files must have been removed.
Most Linux systems use the ext2 file system which reveals the presence of slack space. A tool
called bmap can jam data in the slack space, take out data and also wipe the slack space clean
if needed. Data can be hidden in slack space to store secrets, plant evidence and maybe hide
tools from integrity checkers.
EVIDENCE COLLECTION
There are two main reasons why we need to collect evidence:
9
1) Future prevention.
2) Responsibility.
The job of a computer forensic specialist goes far beyond just data recovery. Evidence
collection must be done in a methodological manner by professionals trained for this purpose.
Real Evidence: is any evidence that speaks for itself without relying on anything else. For
instance, a log produced by an audit function which is free from contamination.
Testimonial Evidence: This is any evidence supplied by a witness. This evidence is dependent
on the reliability of the witness. As long as the witness is reliable, the testimonial evidence
can be as powerful the real evidence. It should be noted that hear say is inadmissible in the
court.
RULES OF EVIDENCE COLLECTION
The 5 rules of electronic evidence collection are also related to the 5 properties that evidence
must possess to be useful and they are:
1) Admissible: Evidence gathered is meant for use in the court/tribunal
2) Authentic: Evidence collected must be relevant to the incidence.
3) Complete: Evidence must be able to prove that the offender is liable for the offence
despite other people present at the same time of attack. Evidence that will implicate as
well as those that will vindicate him must be collected.
4) Reliable: The methods used in the collection of evidence and the analysis procedure
must not cast any doubt on the authenticity of the evidence.
5) Believable: The evidence presented must be understandable and believable to the jury.
10
To have believable evidence, there are certain guidelines you must adhere to such as:
Minimise handling and corruption of original data
Account for any changes and keep detailed logs of your actions
Comply with the five rules of evidence
Don’t exceed your knowledge
Follow your local security policy
Capture as accurate an image of the system as possible
Be prepared to testify
Work fast
Proceed from volatile to persistence evidence
Don’t shutdown before collecting evidence
Don’t run any program on affected system
11
TYPES OF COMPUTER FORENSIC TOOLS
Computer forensic tools can be classified into two major categories namely:
Hardware Forensic Tool
Software Forensic Tool
Hardware Forensic Tools
Hardware forensic tool varies and may range from simple, single purpose components to
complete systems and servers. An example of the single-purpose component is the ACARD
AEC-7720WP Ultra Wide SCSI-to-IDE Bridge. This device helps to write-block an IDE
drive connected to a SCSI cable.
Fig: ACARD AEC-7720WP Ultra Wide SCSI-to-IDE Bridge
Examples of complete systems forensic tool include the Digital Intelligence F.R.E.D. systems,
DIBS Advanced Forensic Workstation, and Forensic Computers Forensic Examination
stations and portable units (e.gTalon) just to mention a few.
12
Fig: Digital Intelligence F.R.E.D. systems
Forensic Recovery of Evidence Device (F.R.E.D) systems are designed for stationary
laboratory. It can acquire data directly from a whole range of hard drives and storage devices
including DLT-V4 tapes and save the forensic image retrieved onto a DVD, CD or hard drive.
Fig: DIBS® Advanced Forensic Workstation
The DIBS® Advanced Forensic Workstation is a very versatile piece of forensic equipment
that is easy to use. It can copy and analyse hard drives using windows XP operating systems.
The unit runs on Pentium 4 3GHz processor with a motherboard of 1GB RAM. DIBS® is
acceptable in courts throughout the world.
13
Fig: Portable Forensic Lab (PFL)
The Hand-held, computer forensic Talon is an advanced forensic capture system designed
specifically for the use of law enforcement, Military, corporate security, investigators and
auditors. Talon can make images and verifies data up to 4GB/min which makes it industry’s
most powerful and versatile data capturing system. This device captures IDE/UDMA/SATA
drives as well as SCSI drives via USB cable
Software Forensic Tools
Software forensic tool can be classified into command-line applications and GUI applications.
Some of these tools are designed to perform only one Task. A good example of this is the
SafeBack software which is a command-line disk acquisition tool from New Technologies Inc
(NTI). Other forensic software tool can carry out several tasks and these are usually GUI tools
capable of performing most of the computer forensic acquisition and analysis functions. Some
good examples of such GUI tool are the Technology Pathways ProDiscover, Guidance
Software EnCase and AccessData FTK. Many GUI acquisition tools can read all structures in
an image file as though it was the original drive. (Bill et al, 2008)
14
Comparing Forensic Tool Functions
To be able to determine what kind of tool might be required to achieve the set objectives, it is
necessary to cross-reference functions and sub-functions with vendor products to determine
which forensic tool meet my needs.
15
TOOLS AND TECNOLOGY DEPLOYED IN COMPUTER FORENSICS
Technology surrounding computer forensics can be classified into three based on the area
where it is deployed.
1. Military computer forensic technology.
2. Law enforcement computer forensic technology.
3. Business computer forensic technology.
Military Computer Forensic Technology
This technology focuses on evaluating and in-depth examination of data related to both Trans
and Post Cyber attack periods.
CFX-2000 came to be as a result of the partnership between the U.S Department of Defence
(DoD) and the National Institute of Justice via the auspices of the National Law Enforcement
and Correction Technology Centre (NLECTC). Most computer forensic examinations are
usually carried out after the crime/event has been committed. But with CFX-2000, it is
possible to accurately determine the intent, motive, target, sophistication, identity and location
of Cyber criminals by deploying an integrated analysis frame work. Forensic tools involved
in CFX-2000 consisted of commercial off the shelf software and directorate-sponsored R&D
prototype.
Law Enforcement and Business Computer Forensic Tool
AnaDisk
Anadisk turns your PC into a sophisticated diskette analysis tool. The software was originally
created to meet the needs of the U. S. Treasury Department in 1991. It is primarily used to
16
identify data storage anomalies on floppy diskettes. AnaDisk can be used to analyze floppy
diskettes when doing work which involves abnormal floppy diskettes or data storage issues
tied to floppy diskettes. However standard duplication of floppy diskettes is more easily
accomplished with NTI's COPYQM.
USES:
It is used for security reviews of floppy diskettes for storage anomalies.
It is used for editing diskette at a physical sector level.
It searches data on floppy diskettes in traditional and non-traditional storage areas.
It is also used to illustrate data hiding techniques
CRCMD5 DATA VALIDATION TOOL
This program mathematically creates a unique signature for the contents of one, multiple or
all files on a given storage device. Such signatures can be used to identify whether or not the
contents of one or more computer files have changed.
The program is also used to document that computer evidence has not been altered or
modified during computer evidence processing
USES:
It is used to identify files that have changed or have been altered.
It is used to benchmark operating system files on a new computer system before distribution
to computer users.
It is used to quickly identify altered files after a computer incident.
17
It is used in computer investigations to prove that the evidence remains unchanged after
forensic processing.
SAFEBACK 3.0
SafeBack is used to create mirror-image (bit-stream) backup files of hard disks or to make a
mirror-image copy of an entire hard disk drive or partition. The process is analogous to
photography and the creation of a photo negative. Once the photo negative has been made
several exact reproductions can be made of the original. SafeBack is an industry standard self-
authenticating computer forensics tool that is used to create evidence grade backups of hard
drives
USES:
Used to create evidence grade backups of hard disk drives on Intel based computer
systems.
Used to exactly restore archived SafeBack images to another computer hard disk drive of
equal or larger storage capacity.
Used as an evidence preservation tool in law enforcement and civil litigation matters.
Used as an intelligence gathering tool by military agencies.
GETGIF
GetGIF software is a computer forensics software tool which was designed to automatically
extract exact copies of GIF graphics file images from ambient data sources
18
GetGiF can be of assistance in investigations involving the distribution of child pornography
and in identity theft cases involving the use of GIF graphics files.
USES:
It is used to find evidence in corporate, civil and criminal investigations which involve GIF
computer graphics files, e.g., investigations which potentially involve child pornography
and/or inappropriate Internet web browsing in a corporate or government setting.
Also used with other computer forensic software to quickly reconstruct and view previously
deleted GIF graphics files stored on computer storage media.
It is used to quickly identify and view GIF image files stored anywhere on a computer hard
disk drive when used with NTI's SafeBack evidence grade backup software.
It is used effectively in computer investigations involving the distribution of child
pornography and identity theft when GIF graphics files are involved.
Used "after-the-fact" to determine what files may have been viewed over or downloaded from
the Internet. (http://www.forensics-intl.com/getgif.html)
GRAPHIC IMAGE FILE EXTRACTOR
Graphics Image File Extractor is a computer forensics software tool which was designed to
automatically extract exact copies of graphics file images from ambient data sources
19
Graphics File Extractor software can be used to quickly sample the Windows Swap/Page File
and help the computer forensics investigator in making a quick determination about possible
past Internet computer usage tied to a specific computer.
USES
It is used to find evidence in corporate, civil and criminal investigations which involve
computer graphics files, e.g., investigations which potentially involve child pornography
and/or inappropriate Internet web browsing in a corporate or government setting.
Used with other computer forensic software to quickly reconstruct and view previously
deleted BMP, GIF and JPEG graphics files stored on computer storage media.
Used to quickly identify and view BMP, GIF and JPEG image files stored anywhere on a
computer hard disk drive when used with NTI's SafeBack evidence grade backup software
and Firehand Embers.
Used effectively in computer investigations involving the distribution of child pornography
and identity theft.
Used very effectively in the recovery of deleted graphics files from computer hard disk drives
and/or digital flash memory chips. (http://www.forensics-intl.com/iextract.html)
GETSLACK
This software is used to capture all of the file slack contained on a logical hard disk drive or
floppy diskette on a DOS and Windows systems.
20
Software is an ideal computer forensics tool for use in investigations, internal audits and in
computer security reviews
Network logons and passwords are found in file slack. It is also possible for passwords used
in file encryption to be stored as memory dumps in file slack.
USES:
Quickly calculates the amount of storage space which is allocated to file slack on a logical
DOS/Windows partition.
Captures all file slack on a logical DOS/Windows drive and converts it into one or more files
automatically.
Used in computer security reviews and computer investigations.
Validates the results of computer security scrubbers used to eliminate sensitive or classified
data from file slack on computer storage devices.
(http://www.forensics-intl.com/getslack.html)
21
Tasks Performed by Computer Forensic Tools
Computer forensic tools are required to be able to perform and meet certain criteria which can be grouped into 5 Major Categories namely:
Acquisition
Validation and Discrimination
Extraction
Reconstruction
Reporting
Acquisition: It involves making copies of the original drive. Acquisition is referred to as the
first task in computer forensics investigation. Tools such as EnCase and AccessData FTK are
used to acquire data images. It is also possible to acquire image of data using hardware
devices such as Talon from Logicube. This hardware device possesses in-built software for
data acquisition. There are two types of data copying methods used in software acquisition
and they are: physical copying of entire drive and logical copying of disk partition. Logical
acquisition is more preferable because data acquired can be read and analysed easily.
Validation and Discrimination: Validation is the process of ensuring and maintaining the
integrity of the data acquired. The process of validating data is what result in the
discrimination of data. The main purpose of data discrimination is to separate good data from
suspicious data. All computer forensic tools have a way of ensuring that the integrity of the
data is still intact by comparing the original data with the image data. This is possible with the
help of processes like Hashing, Filtering and Analysing file header. Searching and comparing
file headers improves data discrimination.
Extraction: This is the recovery task in a computing investigation (Bill et al, 2008).
Subfunctions of extraction used in investigation include: Data viewing, Keyword searching,
22
Decompressing, carving, Decrypting and Bookmarking. Extraction of data involves great
mastery in the software and hardware deployed.
Reconstruction: Reconstruction features in a forensic tool are necessary to recreate a
suspect’s drive and to show what happened during the crime or an incident (Bill et al, 2008).
Duplicating a suspect’s hard drive enables other investigators to carry out their own
acquisition, test and analysis of the evidence. The most reliable way to recreating an image of
a suspect’s hard drive is to obtain the same make and model drive as the suspect’s drive.
Subfunctions of reconstructions are: Disk-to-disk copy, Image-to-disk copy, Partition-to-
partition copy, Image-to-partition copy. Examples of tools that can perform image-to-disk and
image-to-partition copies are: SafeBack, SnapBack, EnCase, FTK Imager, ProDiscover. All
these tools are proprietary and as such image created can only be re assemble by the exact
application that created them.
Reporting: The report phase is the final phase of the forensic disk analysis and examination.
The log report can be included in the final report detailing the step by step process undergone
during the examination.
23
SCENARIO
A company evaluates the performance and productivity of his staff and noticed that it falls
way below the standard. It discovers that valuable time being lost by his employees
downloading and surfing the internet during office hours and as such he implements strict
policy guiding against the indiscriminate use of the internet.
After few weeks, his IT manager reviews a detection tool report used by the company. This
report suggests that an employee of the company is still accessing restricted sites and
downloading objectionable content (graphic) during office hours using his official
workstation PC.
The IT manager decided to follow procedure by contacting the chief information officer
(CIO) of the company who is the person officially nominated to deal with computer related
violations and crimes within the company. He decides to invoke the incident response team
comprising of a computer forensic specialist.
The company aims to determine which employee is responsible, examining data recovered
from the employee hard disk, build evidence against such employee which might eventually
lead to their dismissal.
24
AIM AND OBJECTIVES
The purpose of Computer Forensics is to preserve, identify, extraction, document and
interpret computer data that are located on offending machines.
Academic Objectives
1) To locate and isolate offending machine(s)
2) To conduct computer forensics examination of the computer system using necessary
tools and technology.
3) To analyse the data gathered to determine where the materials came from, how often it
has been going on.
4) To prevent evidence from being contaminated.
5) To produce a report detailing every activity and action carried out on the offending
machine.
Personal objectives
To have a better understanding of computer forensics methodologies
To improve my problem solving and communication skills
To conclude my project within the allocated time required
To develop my project management skills.
25
RISKS
There are several risks that I foresee might hinder the progress of my project and they include:
Loss of data as a result of damage or loss to memory stick
Availability of credible resources
Lack of experience in the subject area.
CONTINGENCIES
Backing up all my data on multiple storage devices.
Work fast so that there is enough time to rectify any mishap.
LIMITATIONS
Time: Being able to divide my time between my project and other module as well as my paid
employment.
Cost of Tools/Software: Computer Forensic software can be very expensive so i have decided
to use the trial version of the software required to achieve my goals
Availability of credible resources: There are limited materials regarding computer forensics in
the school library.
26
27
A Brief Description of the hard drive recovered/Given
The hard drive retrieved is the Maxtor’s D740X-6L 20GB AT hard disk. This hard disk is part
of the family of high performance 1-inch high hard drive. This hard drive uses a non-
removable 3 ½-inch hard disks available with ATA interface. The Maxtor D740X-6L 20GB
AT hard disk possess an embedded hard disk drive controllers and uses ATA commands to
optimise system performance.
General characteristics
Manufacturer: Maxtor Corporation
Model: D740X6L (20GB)
Interface: EIDE/UltraATA/133
Capacity: 20GB
Total LBAs: 40,132,503
Height: 1.028" (26.10mm) max
Width: 4.00 ± 0.01" (101.6 ± 0.25mm)
Depth: 5.786" (147mm) max
Weight: <1.4lbs. (635grm)
Performance
Rotational speed: 7200RPM
Average Rotational Latency: 4.17ms
Spin-up time to Ready (typical) 12.5Sec
28
Activity Specification
Track-to-Track 0.8ms
Average Random Read 8.5ms
Average Random Write 10.5ms
Full Stroke 17.8ms
Cache (Total): 2MB
Interface transfer rate (Max) 133MB/Sec Burst
Interleave Factor: 1:1
Internal Characteristics
Number of Heads: 1
Number of Disks: 1
Track Density: 60,000 tracks per inch
Total sector: 40,132,503
Byte per sector: 512
Electrical
Nominal Voltage: +5Vdc/ +12Vdc
Voltage Margin: +5Vdc @ ± 5%, +12vdc @ ± 10%
Environmental
Operating Temperature: 5 to 55 Degrees centigrade
Operating Humidity: 10 to 85% RH (non-condensing)
Non-Operating Temperature: -40 to 65 Degrees Centigrade
Non-Operating Humidity: 5 to 95% RH (non-condensing)
29
Power Dissipation
Operating Mode Power (Watts)
Start-up (Peak) 23.9 Watts
Maximum Seeking 11.6Watts
Read/Write on Tracks 7.1Watts
Idle 6.5Watts
Standby 1.0Watt
Sleep 1.0Watt
Fig1: A diagram of the Maxtor D740X-6L 20GB AT hard drive
30
Fig2: A diagram showing the drive power and interface connector of the hard drive.
Fig3: Show the jumper locations on the hard drive
31
The Maxtor’s D740X-6L 20GB AT hard disk has three jumper location which is used to
configure the master or slave operation.
Fig4: Picture of the Maxtor’s D740X-6L 20GB AT hard disk
32
GANTT CHART
FIG1: Gantt chart showing how I intend to implement my task
33
WORK BREAKDOWN STRUCTURE
34
COMPUTER FORENSICS
To investigate the current and future state of computer forensics
To identify and explain various tools and technology employed in computer forensics and ways of recovering and analysing data to produce indisputable evidence
Applying computer forensic skills in the recovering of lost data
Current state of computer forensics
Explaining the tools and technology employed in computer forensics
Ways to recover and analyse data to produce indisputable evidence
Examining a recovered hard disk for lost data.
Using necessary tools and technology to extract lost data.
Analyse recovered data.
Production of report that can be allowed in legal proceedings.
Future of computer forensics
Technology employed in computer forensic
Ways to recover lost data
Ways of analysing data to produce indisputable evidence
Tools available in the market and Specialist tools
INDICATIVE FINAL YEAR PROJECT
Acknowledgement
Abstract
Introduction
Literature review
Current state and future direction of computer Forensics
Software deployed in Computer Forensics
Case study/Scenario
How to capture and analyse data
Production of Report
Conclusion
Recommendation
Bibliography
Appendix
35
REFERENCE AND BIBLIOGRAPHY
BOOKS
“2003 Computer Crime and Security Survey,” Federal Bureau of Investigation, J.
Edgar Hanover Building, 935 Pennsylvania Ave. NW, Washington, D.C. 20535-0001,
2003.
John R. Vacca (2005) Computer Forensics: Computer Crime Scene Investigation 2nd
Ed. Charles River Media. Massachusetts (USA)
Casey Eoghan (2002) Handbook of Computer Crime Investigation: Forensic Tool and
Technology. 1st Ed Academic Press Amsterdam (Netherlands)
Casey Eoghan (2004) Digital Evidence and Computer Crime: Forensic Science,
Computers and the Internet. 2nd Ed. Academic Press. California (USA)
Sammes, T., Sammes, A.J and Jenkinson, B (2000) Forensic Computing: A
Practitioner’s Guide(Practitioner Series), 1st Ed. Springer-Verlag
36
WEBSITES
http://www.comouterforensicworld.com/
http://support.dell.com/support/edocs/storage/7j376/intro.htm
http://www.forensic-computers.com/index.php
http://www.digitalintelligence.com/products/forensic_duplicator/
http://www.logicube.com/products/hd_duplication/talon.asp#
(http://www.forensics-intl.com/getslack.html)
(http://www.forensics-intl.com/iextract.html)
(http://www.forensics-intl.com/getgif.html)
(http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B6V8G-4BJWYVJ-
1&_user=983321&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000044920&
_version=1&_urlVersion=0&_userid=983321&md5=defaa524a1b6df68ad9b4e2612b78310)
(http://delivery.acm.org/10.1145/1070000/1060428/p143-francia.pdf?
key1=1060428&key2=2510398221&coll=GUIDE&dl=GUIDE&CFID=14665516&CFTOKE
N=83314542)
http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B6V8G-4BJWYVJ-
1&_user=983321&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000044920&
_version=1&_urlVersion=0&_userid=983321&md5=defaa524a1b6df68ad9b4e2612b78310
37
38