Chapter Four

Computer Forensics

What do we mean by forensics?
• Forensics is the process of using scientific knowledge for collecting, analyzing, and presenting evidence to the courts.

• The word forensics means “to bring to the court.”

• Forensics deals primarily with the recovery and analysis of hidden evidence.


Computer forensics

• We define computer forensics as the discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law.

Computer / Digital Forensics
• Emerging discipline in computer security
• Investigation that takes place after an incident has
happened

• Try to answer questions like
– Who, what, when, where, why, and how

Purpose of Digital Forensics
• The most common use of digital forensics is to support or
disprove a hypothesis in a criminal or civil court:

– Criminal cases: Involve the alleged breaking of laws and are handled by law enforcement agencies and their digital forensic examiners.

– Civil cases: Involve the protection of rights and property of individuals or contractual disputes between commercial entities, where a form of digital forensics called electronic discovery (eDiscovery) may be involved.
Purpose of Digital Forensics (2)
• Digital forensics experts are also hired by the private sector
as part of cyber security and information security teams to
identify the cause of data breaches, data
leaks, cyber attacks and other cyber threats.

• Digital forensic analysis may also be part of incident response to help recover or identify any sensitive data or personally identifiable information (PII) that was lost or stolen in a cybercrime.

Benefits of forensics
• Computer forensics assists in Law Enforcement. This can
include:
1. Recovering deleted files such as documents, graphics, and photos
2. Searching unallocated space on the hard drive, places where an abundance of data often resides.
3. Tracing artifacts, those tidbits of data left behind by the operating system.
• Our experts know how to find these artifacts and, more importantly, they know how to evaluate the value of the information they find.
4. Processing hidden files
• files that are not visible or accessible to the user that
contain past usage information.
• Often, this process requires reconstructing and
analyzing the date codes for each file and determining
when each file was created, last modified, last accessed
and when deleted.

5. Running a string-search for e-mail, when no e-mail client is obvious.

Objectives of computer forensics

1. It helps to recover, analyze, and preserve computer and related materials in such a manner that it helps the investigation agency to present them as evidence in a court of law.

2. It helps to postulate the motive behind the crime and the identity of the main culprit.

3. Designing procedures at a suspected crime scene which help you to ensure that the digital evidence obtained is not corrupted.

4. Data acquisition and duplication: Recovering deleted files
and deleted partitions from digital media to extract the
evidence and validate them.

5. Helps you to identify the evidence quickly, and also allows you to estimate the potential impact of the malicious activity on the victim.

6. Producing a computer forensic report which documents the complete investigation process.

7. Preserving the evidence by following the chain of custody.

Process of computer forensics

1. Identification
– It is the first step in the forensic process.
– The identification process mainly includes things like what
evidence is present, where it is stored, and lastly, how it is
stored (in which format).
– Electronic storage media can be personal computers, mobile phones, PDAs, etc.

2. Preservation
– In this phase, data is isolated, secured, and preserved.
– It includes preventing people from using the digital device so that digital evidence is not tampered with.

3. Analysis
– In this step, investigation agents reconstruct fragments of
data and draw conclusions based on evidence found.
– However, it might take numerous iterations of examination
to support a specific crime theory.

4. Documentation
– In this process, a record of all the visible data must be
created.
– It helps in recreating the crime scene and reviewing it.
– It involves proper documentation of the crime scene along with photographing, sketching, and crime-scene mapping.

5. Presentation
– The process of summarizing and explaining the conclusions.
– Should be written in layperson’s terms, using abstracted terminology.

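The Preservation step and the chain-of-custody objective above both come down to being able to prove later that nothing changed between acquisition and presentation. The following is an added example, not part of these slides, of how an examiner can record the image hash at acquisition and keep a hash-linked custody log so that any altered, inserted or removed record is detectable; the image bytes, examiner names and timestamps are all constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # link value used by the very first custody record

def image_digest(image: bytes) -> str:
    """SHA-256 of an acquired image, recorded at acquisition and re-checked later."""
    return hashlib.sha256(image).hexdigest()

def _hash_body(body: dict) -> str:
    """Canonical (sorted-key JSON) hash of a record, excluding its own entry_hash."""
    data = {k: v for k, v in body.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(data, sort_keys=True).encode()).hexdigest()

def custody_entry(prev_hash: str, actor: str, action: str,
                  image_hash: str, when: str) -> dict:
    """One chain-of-custody record. Its hash covers the previous record's hash,
    so altering or dropping any earlier record invalidates every later one."""
    body = {"prev": prev_hash, "actor": actor, "action": action,
            "image_sha256": image_hash, "time": when}
    body["entry_hash"] = _hash_body(body)
    return body

def verify_chain(chain: list, image: bytes) -> bool:
    """True only if every record is intact, links to its predecessor, and the
    image still matches the hash recorded at acquisition."""
    if not chain:
        return False
    prev = GENESIS
    for entry in chain:
        if entry["prev"] != prev or entry["entry_hash"] != _hash_body(entry):
            return False
        prev = entry["entry_hash"]
    return chain[0]["image_sha256"] == image_digest(image)

# Constructed sample: a tiny "disk image" standing in for a real acquisition.
IMAGE = b"\x00" * 512 + b"deleted file: invoice_2023.xlsx" + b"\x00" * 512

def build_sample_chain() -> list:
    """Two constructed custody records: acquisition, then hand-over for analysis."""
    first = custody_entry(GENESIS, "examiner A", "acquired image",
                          image_digest(IMAGE), "2024-01-01T09:00:00Z")
    second = custody_entry(first["entry_hash"], "examiner B", "received for analysis",
                           first["image_sha256"], "2024-01-02T10:00:00Z")
    return [first, second]
```

A re-run of verify_chain on the stored log and the working copy of the image is the check an examiner presents when asked to show the evidence was not tampered with.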
Types of Computer Forensics
1. Disk Forensics
– It deals with extracting data from storage media by
searching active, modified, or deleted files.
2. Network Forensics
– It is a sub-branch of digital forensics.
– It is related to monitoring and analysis of computer
network traffic to collect important information and legal
evidence.
3. Wireless Forensics
– It is a division of network forensics.
– The main aim of wireless forensics is to offer the tools needed to collect and analyze data from wireless networks.

4. Database Forensics
– It is a branch of digital forensics relating to the study and
examination of databases and their related metadata.

5. Malware Forensics
– This branch deals with identifying malicious code (viruses, worms, etc.) and studying its payload.

6. Email Forensics
– Deals with recovery and analysis of emails, including
deleted emails, calendars, and contacts.

7. Memory Forensics
– It deals with collecting data from system memory (system registers, cache, RAM) in raw form and then carving the data from the raw dump.

8. Mobile Phone Forensics
– It mainly deals with the examination and analysis of mobile devices.
– It helps to retrieve phone and SIM contacts, call logs, incoming and outgoing SMS/MMS, audio, videos, etc.
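Both the string-search for e-mail with no obvious mail client (benefit 5) and carving data out of a raw memory dump (memory forensics) work on a byte image rather than on files. The following is an added example, not from these slides: the dump, the addresses and the JPEG-like blob are constructed, and the UTF-16LE pattern is included because many in-memory strings on Windows systems are stored in that encoding.

```python
import re

# An e-mail address in plain ASCII ...
ASCII_EMAIL = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# ... and the same shape in UTF-16LE, where every ASCII byte is followed by NUL.
UTF16_EMAIL = re.compile(
    rb"(?:[A-Za-z0-9._%+-]\x00)+@\x00(?:[A-Za-z0-9.-]\x00)+\.\x00(?:[A-Za-z]\x00){2,}")

JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"  # JPEG start/end-of-image markers

def carve_emails(dump: bytes) -> list:
    """Return (offset, encoding, address) for every e-mail string in the dump."""
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ASCII_EMAIL.finditer(dump)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in UTF16_EMAIL.finditer(dump)]
    return sorted(found)

def carve_jpegs(dump: bytes) -> list:
    """Return (offset, data) for each JPEG bounded by SOI and EOI markers.
    A header with no following footer is treated as truncated and skipped."""
    out, pos = [], 0
    while True:
        start = dump.find(JPEG_SOI, pos)
        if start == -1:
            return out
        end = dump.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            return out
        out.append((start, dump[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)

def build_sample_dump() -> bytes:
    """Constructed raw dump: zero filler around an ASCII address, a UTF-16LE
    address and a JPEG-like blob, so every hit lands at a known offset."""
    filler = b"\x00" * 1024
    jpeg = JPEG_SOI + b"\xe0" + b"\x11" * 40 + JPEG_EOI  # 46 bytes, not a real image
    return (filler + b"From: alice@example.com\r\n" + filler
            + "bob.smith@example.org".encode("utf-16-le")
            + filler + jpeg + filler)
```

The offsets returned are what an examiner records alongside each hit, since the location inside the dump (allocated file, slack, unallocated space, process memory) is part of what gives the artifact its evidentiary weight.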

Computer Crimes
• Alternatively referred to as
– cyber crime,
– e-crime,
– electronic crime, or
– hi-tech crime.
• Computer crime is an act performed by a knowledgeable computer user, sometimes referred to as a hacker, who illegally browses or steals a company's or individual's private information.

• In some cases, this person or group of individuals may be malicious and destroy or otherwise corrupt the computer or data files.

Why do people commit computer crimes?
• To obtain goods or money.
• Greed and desperation are powerful motivators for some people to try stealing by way of computer crimes.
• Some people are pressured, or forced, to do so by another person.
• Because people are bored.
• To prove they can do it.
– A person who can successfully execute a computer crime may find great personal satisfaction in doing so.
– These types of people, sometimes called black hat hackers, like to create chaos and wreak havoc on other people and companies.

Examples of computer crimes
1. Child pornography - Making, distributing, storing, or viewing child pornography.
2. Copyright violation - Stealing or using another person's copyrighted material without permission.
3. Cracking - Breaking or deciphering codes designed to protect data.
4. Cyber terrorism - Hacking, threats, and blackmailing towards a business or person.
5. Cyberbullying or Cyberstalking - Harassing or stalking others online.
6. Creating Malware - Writing, creating, or distributing malware (e.g., viruses and spyware).
7. Data diddling - Computer fraud involving the intentional falsification of numbers in data entry.
8. Denial of Service attack - Overloading a system with so many requests that it cannot serve normal requests.
9. Doxing - Releasing another person's personal information without their permission.
10. Espionage - Spying on a person or business.
11. Fraud - Manipulating data, e.g., changing banking records to transfer money to an account or participating in credit card fraud.
12. etc.

Challenges of computer forensics
• A computer may have 1TB or more storage capacity.
• There are more than 2.2 billion messages expected to be sent and received (in the US) per day.
• There are more than 3 billion indexed Web pages worldwide.
• There are more than 550 billion documents online.
• Exabytes of data are stored on tape or hard drives.

Challenges of computer forensics (2)
• How to collect the specific, probative, and case-related
information from very large groups of files?
– Link analysis
– Visualization

• Enabling techniques for lead discovery from very large groups of files:
– Text mining
– Data mining
– Intelligent information retrieval

Challenges of computer forensics (3)
• Computer forensics must also adapt quickly to new products
and innovations with valid and reliable examination and
analysis techniques.
• The increase in PCs and the extensive use of Internet access
• Easy availability of hacking tools
• Lack of physical evidence makes prosecution difficult.
• Storage capacities running into terabytes make the investigation job difficult.
• Any technological change requires an upgrade or changes to solutions.

Advantages of Digital forensics

• To ensure the integrity of the computer system.
• To produce evidence in court, which can lead to the punishment of the culprit.
• It helps companies to capture important information if their computer systems or networks are compromised.
• Efficiently tracks down cybercriminals from anywhere in the world.
• Helps to protect the organization’s money and valuable time.
• Allows the extraction, processing, and interpretation of factual evidence, so that it proves the cybercriminal’s actions in court.
Disadvantages of Digital Forensics
• Digital evidence is accepted into court; however, it must be proved that there has been no tampering.
• Producing electronic records and storing them is an extremely costly affair.
• Legal practitioners must have extensive computer knowledge.
• Need to produce authentic and convincing evidence.
• If the tool used for digital forensics does not meet specified standards, the court can reject the evidence.

• Lack of technical knowledge by the investigating officer might

End of Chapter-Four

Thanks
