Computer Forensics

Page 1: Computer Forensics


Page 2: Computer Forensics

Computer in crimes

Tool

Target

Page 3: Computer Forensics

Excise evasion

Raid on residence of plastic company owner

Seized amount - Two crores

12 Computers confiscated

Page 4: Computer Forensics

Excise Evasion (Contd.)

Forensic examination of computer systems revealed

– Excise evasion of more than 26 crores

– Detailed kickbacks to excise officials

Page 5: Computer Forensics

Parliament Attack Case

Seized laptop contained incriminating material.

Forensic analysis revealed

– Role of LET

– Pakistan IPs

– Telephone numbers

– Coded messages

Page 6: Computer Forensics

Computer Forensics

Establishes the link between crime and the criminal

Different from traditional branches of forensic science

Deals with collection, examination and analysis of digital evidence

Page 7: Computer Forensics

Components of Computer Forensics

Disk forensics

Network forensics

Software forensics

Page 8: Computer Forensics

Disk Forensics

Recovering deleted information

Recreating time critical events

Page 9: Computer Forensics

Digital Evidence

Evidence stored or transmitted in binary form

Includes evidence from

– computer

– digital audio

– digital video

– cell phones

Page 10: Computer Forensics

Precautions in handling digital evidence

The U.S. doorframe case

Evidence is not compromised due to incorrect procedures

A continuing chain of custody is established and maintained

Procedures and findings are documented.

Page 11: Computer Forensics

Electronic Evidence Precautions

Static Electricity

Magnetic Fields

Shock

Moisture

Page 12: Computer Forensics

New Technology

Page 13: Computer Forensics

Computer Forensics Practices

Analysis of bit-stream copies

Use of proper software utilities

Proper documentation

Not trusting the suspect computer

Page 14: Computer Forensics

Computer Forensics Practices (Contd.)

Avoiding booting from the suspect machine

– Modification of system files to delete information

Avoiding use of the suspect OS

– Modification of routine OS commands for destruction of information

Page 15: Computer Forensics

Duties of a forensic expert

Protect suspect system during examination

Recover all files

Access the contents of protected or encrypted files

Analyze relevant data

Provide testimony in court of law

Page 16: Computer Forensics

The computer forensics process

• acquire

• authenticate

• analyze

• document

Page 17: Computer Forensics

Imaging

Attaching suspect storage media to forensic workstation

Imaging storage media by attaching a hard drive to the suspect computer

Page 18: Computer Forensics

Make suspect drive read only

Prevent accidental writes to the suspect hard drive using a write blocker

Page 19: Computer Forensics

Imaging Tools

WinHex

Norton Ghost 2000

Byte Back (Tech Assist, Inc.)

EnCase (Guidance Software)

Page 20: Computer Forensics

Authenticate

Using hash functions to ensure authenticity of image

If acquisition hash equals verification hash, image is authentic
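An added example (not from the slides) of the acquisition-hash versus verification-hash check in Python: the image is hashed block by block so a large device image never has to fit in memory, and the two digests are compared in constant time. The sample media bytes are constructed, and `hash_chunks`, `read_in_blocks`, `acquisition_hash` and `verify_image` are hypothetical names.

```python
import hashlib
import hmac
from typing import Iterable

# Hypothetical helper: hash a stream of blocks so a multi-gigabyte image
# never has to be loaded into memory at once.
def hash_chunks(chunks: Iterable[bytes], algorithm: str = "sha256") -> str:
    digest = hashlib.new(algorithm)
    for chunk in chunks:
        digest.update(chunk)
    return digest.hexdigest()

def read_in_blocks(data: bytes, block_size: int = 4096) -> Iterable[bytes]:
    # Stand-in for reading a device or image file block by block.
    for offset in range(0, len(data), block_size):
        yield data[offset:offset + block_size]

def acquisition_hash(source: bytes) -> str:
    """Digest taken over the original media at acquisition time."""
    return hash_chunks(read_in_blocks(source))

def verify_image(image: bytes, expected_hex: str) -> bool:
    """Recompute the digest over the image; equal digests mean the copy is authentic."""
    actual_hex = hash_chunks(read_in_blocks(image))
    return hmac.compare_digest(actual_hex, expected_hex)

# Constructed sample "media" (about 10 KiB), not a real disk image.
SOURCE_MEDIA = (b"SECTOR-" + bytes(range(256))) * 40

if __name__ == "__main__":
    acq = acquisition_hash(SOURCE_MEDIA)
    print("acquisition hash        :", acq)
    print("bit-stream copy verifies:", verify_image(SOURCE_MEDIA, acq))
    tampered = bytearray(SOURCE_MEDIA)
    tampered[5000] ^= 0x01              # flip a single bit in the copy
    print("altered copy verifies   :", verify_image(bytes(tampered), acq))
```

The block size used for reading does not affect the digest, which is why an image can be verified on a different workstation than the one that acquired it.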

Page 21: Computer Forensics

Document

A forensic examination report must

– list software used & versions

– be in simple language

– list the hash results

– list all storage media numbers, model, make

– be supported by photographs

Page 22: Computer Forensics

Document

Chain-of-custody log

– ACL of people having access to collected evidence

– Tracks evidence from source to courtroom

– Unbroken chain-of-custody authenticates electronic evidence

Page 23: Computer Forensics

Document

The five “Ws” of chain-of-custody log

– Who – took possession of the evidence

– What – description of evidence

– Where – did they take it to

– When – time and date

– Why – purpose for taking evidence

Page 24: Computer Forensics

Work Station - Portable

Page 25: Computer Forensics

Data Retrieval

Active space

Slack space

Unallocated space

Swap files

Page 26: Computer Forensics

Data Storage

The sector is the smallest unit of a storage device

A "regular" disk sector is 512 bytes, a CD-ROM sector is 2048 bytes.

Page 27: Computer Forensics

How is data stored?

Data is stored in clusters in MS operating systems

Clusters are groups of sectors

A cluster can range from 1-128 sectors

Cluster size depends on the size of storage media and the operating system

Page 28: Computer Forensics

Slack Space (File Slack)

File sizes rarely match the size of one or multiple clusters perfectly.

“File slack” is storage space existing from the end of file to the end of the last cluster assigned to the file.

Contains random data from any part of the storage media

Page 29: Computer Forensics

Slack Space (RAM slack)

If the last sector in a file has storage space it is padded with random data from the memory buffers of the operating system.

This random data is called RAM Slack as it comes from the RAM of the computer.
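An added worked example (not from the slides) in Python that turns the cluster, file-slack and RAM-slack definitions of the last four slides into numbers: `slack_layout` works out how much of a file's last cluster is RAM slack and how many whole sectors are left over, and `carve_slack` pulls those bytes out of an allocated cluster chain. The 512-byte sector comes from the slides; the 8-sector cluster, the sample cluster contents and the function names are constructed.

```python
from dataclasses import dataclass

SECTOR_SIZE = 512           # "regular" disk sector, per the slides
SECTORS_PER_CLUSTER = 8     # assumed: a 4096-byte cluster (1-128 sectors allowed)

@dataclass
class SlackLayout:
    file_size: int
    clusters_used: int
    allocated_bytes: int
    ram_slack: int     # end of file to end of its last sector (padded from RAM)
    drive_slack: int   # whole unused sectors left in the last cluster (old media data)
    file_slack: int    # end of file to end of last cluster = ram_slack + drive_slack

def slack_layout(file_size: int, sector_size: int = SECTOR_SIZE,
                 sectors_per_cluster: int = SECTORS_PER_CLUSTER) -> SlackLayout:
    cluster_size = sector_size * sectors_per_cluster
    clusters_used = -(-file_size // cluster_size)        # ceiling division
    allocated = clusters_used * cluster_size
    sectors_touched = -(-file_size // sector_size)
    ram_slack = sectors_touched * sector_size - file_size
    file_slack = allocated - file_size
    return SlackLayout(file_size, clusters_used, allocated,
                       ram_slack, file_slack - ram_slack, file_slack)

def carve_slack(clusters: bytes, file_size: int, sector_size: int = SECTOR_SIZE,
                sectors_per_cluster: int = SECTORS_PER_CLUSTER) -> bytes:
    """Return everything after the logical end of file in the file's clusters."""
    layout = slack_layout(file_size, sector_size, sectors_per_cluster)
    if len(clusters) < layout.allocated_bytes:
        raise ValueError("cluster chain shorter than the file's allocation")
    return clusters[file_size:layout.allocated_bytes]

# Constructed cluster: a 1000-byte file, 24 bytes of RAM slack, then six
# untouched sectors still holding a fragment of a previously deleted mail.
CONTENT = b"A" * 1000
RAM_SLACK = b"cached: user=alice".ljust(24, b"\x00")
DRIVE_SLACK = b"From: old@example.com\r\nSubject: deleted draft\r\n".ljust(3072, b"\x00")
SAMPLE_CLUSTER = CONTENT + RAM_SLACK + DRIVE_SLACK

if __name__ == "__main__":
    for size in (1000, 4096, 10000):
        print(slack_layout(size))
    slack = carve_slack(SAMPLE_CLUSTER, len(CONTENT))
    print(len(slack), "slack bytes; fragments:",
          [s for s in slack.split(b"\x00") if s])
```

A file that exactly fills its clusters has zero slack, which is why examiners look at files of every size rather than only large ones.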

Page 30: Computer Forensics

Importance of Slack Space

Identifying network logon names, passwords and other sensitive information

Legacy data in file slack can be analyzed to identify prior uses of the suspect computer

Fragments of prior e-mail messages and word processing documents can be found in file slack.

Page 31: Computer Forensics

Unallocated Space

Deletion of a file by the computer user releases clusters allocated to the file

The data associated with the 'deleted' file remains behind.

This data storage area is referred to as unallocated storage space

Page 32: Computer Forensics

Data Hiding

Renaming files

Changing file extensions

Turning on hidden attribute

Encryption & Steganography

Page 33: Computer Forensics


[email protected]

Asian School of Cyber Laws