A

Seminar report

On

Computer Forensics
Submitted in partial fulfillment of the requirement for the award of degree Of
CSE

SUBMITTED TO: SUBMITTED BY:

Vivek Srivastava Aditi Rai
CS-B (68)
Final Year
1401013005
 Acknowledgement
I would like to thank respected Mr Vivek Srivastava for giving me such a wonderful
opportunity to expand my knowledge for my own branch and giving me guidelines to
present a seminar report. It helped me a lot to realize of what we study for.

Secondly, I would like to thank my parents who patiently helped me as i went through my
work and helped to modify and eliminate some of the irrelevant or un-necessary stuffs.

Thirdly, I would like to thank my friends who helped me to make my work more
organized and well-stacked till the end.

Next, I would thank Microsoft for developing such a wonderful tool like MS Word. It
helped my work a lot to remain error-free.

Last but clearly not the least, I would thank The Almighty for giving me strength to
complete my report on time.

Page | 2
CONTENTS
i) Introduction
(1) Computer Forensics
(2) History of Computer Forensics

ii) Need for Computer Forensics

(1) Purpose
(2) Computer Forensics in Organisation
(3) Advantages

iii) Computer Forensics Methodology

iv) Computer Forensics Technology

(1) Get Free - Forensic Data Capture Tool
(2) Get Slack – Forensic Data Capture Utility

v) Computer Forensics Services

vi) Application of Computer Forensics

vii) Conclusion

Page | 3
1. INTRODUCTION
1.1 COMPUTER FORENSICS
“Forensic computing is the process of identifying, preserving, analyzing and
presenting digital evidence in a manner that is legally acceptable.”(Rodney
Mckemmish 1999).
From the above definition we can clearly identify four components:-
IDENTIFYING
This is the process of identifying things such as what evidence is present, where and how it
is stored, and which operating system is being used. From this information the investigator
can identify the appropriate recovery methodologies, and the tools to be used.
PRESERVING
This is the process of preserving the integrity of digital evidence, ensuring the chain of
custody is not broken. The data needs to preserved (copied) on stable media such as CD-
ROM, using reproducible methodologies. All steps taken to capture the data must be
documented. Any changes to the evidence should be documented, including what the change
was and the reason for the change. You may need to prove the integrity of the data in the
court of law.
ANALYSING
This is the process of reviewing and examining the data. The advantage of copying this
data onto CD-ROMs is the fact it can be viewed without the risk of accidental changes,
therefore maintaining the integrity whilst examining the changes
PRESENTING
This is the process of presenting the evidence in a legally acceptable and understandable
manner. If the matter is presented in court the jury who may have little or no computer
experience, must all be able to understand what is presented and how it relates to the original,
otherwise all efforts could be futile.

Far more information is retained on the computer than most people realize. Its also more
difficult to completely remove information than is generally thought. For these reasons
(and many more), computer forensics can often find evidence or even completely recover,
lost or deleted information, even if the information was intentionally deleted.
The goal of computer forensics is to retrieve the data and interpret as much
information about it as possible as compared to data recovery where the goal is to
retrieve the lost data.

Page | 4
1.2 History of Computer Forensics
Michael Anderson
 
“Father of computer forensics”


special agent with
IRS Meeting in
1988 (Portland, Oregon)


creation of 
IACIS, the International Association of Computer Investigative
Specialists

 
the first Seized Computer Evidence Recovery Specialists (SCERS) classes held





























Page | 5
2. NEED FOR COMPUTER FORENSICS
2.1 Purpose

The purpose of computer forensics is mainly due to the wide variety of computer crimes that
take place. In the present technological advancements it is common for every organization to
employ the services of the computer forensics experts. There are various computer crimes
that occur on small scale as well as large scale. The loss caused is dependent upon the
sensitivity of the computer data or the information for which the crime has been committed.

The computer forensics has become vital in the corporate world. There can be theft of the
data from an organization in which case the organization may sustain heavy losses. For this
purpose computer forensics are used as they help in tracking the criminal.

The need in the present age can be considered as much severe due to the internet
advancements and the dependency on the internet. The people that gain access to the
computer systems with out proper authorization should be dealt in. The network security is
an important issue related to the computer world. The computer forensics is a threat against
the wrong doers and the people with the negative mindsets.

The computer forensics is also efficient where in the data is stored in a single system for the
backup. The data theft and the intentional damage of the data in a single system can also be
minimized with the computer forensics. There are hardware and software that employ the
security measures in order to track the changes and the updating of the data or the
information. The user information is provided in the log files that can be effectively used to
produce the evidence in case of any crime a legal manner.

The main purpose of the computer forensics is to produce evidence in the court that can
lead to the punishment of the actual. The forensic science is actually the process of utilizing
the scientific knowledge for the purpose of collection, analysis, and most importantly the
presentation of the evidence in the court of law. The word forensic itself means to bring to
the court.

The need or the importance of the computer forensics is to ensure the integrity of the
computer system. The system with some small measures can avoid the cost of operating and
maintaining the security. The subject provides in depth knowledge for the understanding of
the legal as well as the technical aspects of computer crime. It is very much useful from a
technical stand point, view.

The importance of computer forensics is evident in tracking the cases of the child
pornography and email spamming. The computer forensics has been efficiently used to track
down the terrorists from the various parts of the world. The terrorists using the internet as the
medium of communication can be tracked down and their plans can be known.

2.2 Computer forensics helps the organization in the following way:-
 RECOVER DATA THAT YOU THOUGHT WAS LOST FOREVER

Page | 6
 
ADVICE YOU ON HOW TO KEEP YOURDATA AND INFORMATION SAFE
FROM THEFT OR ACCIDENTAL LOSS


EXAMINE
 A COMPUTER TO FIND OUT WHAT ITS USER HAS BEEN
DOING

 
SWEEP YOUR OFFICE FOR LISTNENING DEVICES

 
HI-TECH INVESTIGATION

2.3Advantage of Computer Forensics:-

The main task or the advantage from the computer forensic is to catch the culprit or the
criminal who is involved in the crime related to the computers.

Computer Forensics deals extensively to find the evidence in order to prove the crime and
the culprit behind it in a court of law. The forensics provides the organization with a support
and helps them recover their loss.

The important thing and the major advantage regarding the computer forensics is the
preservation of the evidence that is collected during the process. The protection of evidence
can be considered as critical.

The ethicality can be considered as an advantage of the forensics in computer systems. At

last the computer forensics has emerged as important part in the disaster recovery
management
















Page | 7
3. COMPUTER FORENSIC METHODOLOGY
3.1 Methods Used:-
According to many professionals, Computer Forensics is a four (4) step process

Acquisition

Physically or remotely obtaining possession of the computer, all network mappings from
the system, and external physical storage devices.

Identification

This step involves identifying what data could be recovered and electronically
retrieving it by running various Computer Forensic tools and software suites.

Evaluation

Evaluating the information/data recovered to determine if and how it could be used

againthesuspect for employment termination or prosecution in court.

Presentation

This step involves the presentation of evidence discovered in a manner which is understood
by lawyers, non-technically staff/management, and suitable as evidence as determined by
United States and internal laws

3.2 COMPUTER FORENSIC PROCESS:-

As in any investigation, establishing that an incident has occurred is the first key step.
Secondly, the incident needs to be evaluated to determine if computer forensics may be
required. Generally, if the computer incident resulted in a loss of time or money, or the
destruction or compromise of information, it will require the application of computer
forensic investigative techniques. When applied, the preservation of evidence is the first rule
in the process. Failure to preserve evidence in its original state could jeopardize the entire
investigation. Knowledge of how the crime was initiated and committed may be lost for
good. Assignment of responsibility may not be possible if evidence is not meticulously and
diligently preserved. The level of training and expertise required to execute a forensics task
will largely depend on the level of evidence required in the case. If the result of the
investigation were limited to administrative actions against an employee, the requirement
would be lower than taking the case to court for civil or criminal litigation.

3.3 Approach to retrieve the evidence:-

The following steps should be taken:-

3.3.1 Shut Down the Computer

Depending upon the computer operating system involved, this usually involves pulling
the plug or shutting down a net work computer using relevant operating system

Page | 8
commands. At the option of the computer specialists, pictures of the screen image can be
taken using a camera. However, consideration should be given to possible destructive
processes that may be operating in the background. These can be resident in memory
or available through a modem or network connection. Depending upon the operating
system involved, a time delayed password protected screen saver may potentially kick in
at any moment. This can complicate the shutdown of the computer. Generally, time is of
the essence and the computer system should be shut down or powered down.
3.3.2Document the Hardware Configuration of the System

It is assumed that the computer system will be moved to a secure location where a proper
chain of custody can be maintained and the processing of evidence can begin. Before
dismantling the computer, it is important that pictures are taken of the computer from all
angles to document the system hardware components and how they are connected. Labeling
each wire is also important so that the original computer configuration can be restored.
Computer evidence should ideally be processed in a computer hardware environment that is
identical to the original hardware configuration.

3.3.3 Transport the Computer System to A Secure Location

This may seem basic but all too often seized evidence computers are stored in less than
secure locations. It is imperative that the subject computer is treated as evidence and it should
be stored out of reach of curious computer users. All too often, individuals operate seized
computers without knowing that they are destroying potential computer evidence and the
chain of custody. Furthermore, a seized computer left unintended can easily be compromised.
Evidence can be planted on it and crucial evidence can be intentionally destroyed. A lack of a
proper chain of custody can 'make the day' for a savvy defense attorney. Lacking a proper
chain of custody, how can you say that relevant evidence was not planted on the computer
after the seizure? The answer is that you cannot. Do not leave the computer unattended
unless it is locked in a secure location! NTI provides a program named Seized to law
enforcement computer specialists free of charge. It is also made available to NTI's business
and government in various suites of software that are available for purchase. The program is
simple but very effective in locking the seized computer and warning the computer operator
that the computer contains evidence and should not be operated

3.3.4 Make Bit Stream Backups of Hard Disks and Floppy Disks

The computer should not be operated and computer evidence should not be processed until

Page | 9
bit stream backups have been made of all hard disk drives and floppy disks. All evidence
processing should be done on a restored copy of the bit stream backup rather than on the
original computer. The original evidence should be left untouched unless compelling
circumstances exist. Preservation of computer evidence is vitally important. It is fragile and
can easily be altered or destroyed. Often such alteration or destruction of data is irreversible.
Bit stream backups are much like an insurance policy and they are essential for any serious
computer evidence processing.

3.3.5 Mathematically Authenticate Data on All Storage Devices

You want to be able to prove that you did not alter any of the evidence after the computer
came into your possession. Such proof will help you rebut allegations that you changed or
altered the original evidence. Since 1989, law enforcement and military agencies have used a
32 bit mathematical process to do the authentication process. Mathematically, a 32 bit data
validation is accurate to approximately one in 4.3 billion. However, given the speed of
today's computers and the vast amount of storage capacity on today's computer hard disk
drives, this level of accuracy is no longer accurate enough. A 32 bit CRC can easily be
compromised. Therefore, NTI includes two programs in its forensic suites of tools that
mathematically authenticate data with a high level of accuracy. Large hashing number,
provides a mathematical level of accuracy that is beyond question. These programs are used
to authenticate data at both a physical level and a logical level. The programs are called
CrcMD5 and DiskSig Pro. The latter program was specifically designed to validate a
restored bit stream backup and it is made available free of charge to law enforcement
computer specialists as part of NTI's Free Law Enforcement Suite. The programs are also
included in our various suites of forensic software which are sold NTI's clients.

3.3.6 Document the System Date and Time

The dates and times associated with computer files can be extremely important from an
evidence standpoint. However, the accuracy of the dates and times is just as important. If
the system clock is one hour slow because of daylight-saving time, then file time stamps
will also reflect the wrong time. To adjust for these inaccuracies, documenting the system
date and time settings at the time the computer is taken into evidence is essential.

3.3.7 Make a List of Key Search Words

Because modern hard disk drives are so voluminous, it is all but impossible for a computer
specialist to manually view and evaluate every file on a computer hard disk drive.

Page | 10
Therefore, state-of-the-art automated forensic text search tools are needed to help find the
relevant evidence.

3.3.8 Evaluate the Windows Swap File

The Windows swap file is potentially a valuable source of evidence and leads. The
evaluation of the swap file can be automated with several of NTI's forensic tools, e.g., NTA
Stealth, Filter_N, FNames, Filter_G, GExtract and GetHTML. These intelligent filters
automatically identifies patterns of English language text, phone numbers, social security
numbers, credit card numbers, Internet E-Mail addresses, Internet web addresses and names
of people.

3.3.9 Evaluate File Slack

File slack is a data storage area of which most computer users are unaware. It is a source of
significant 'security leakage' and consists of raw memory dumps that occur during the work
session as files are closed. The data dumped from memory ends up being stored at the end
of allocated files, beyond the reach or the view of the computer user. Specialized forensic
tools are required to view and evaluate file slack and it can prove to provide a wealth of
information and investigative leads. Like the Windows swap file, this source of ambient
data can help provide relevant key words and leads that may have previously been
unknown.

Page | 11
4. COMPUTER FORENSIC TECHNOLOGY

Computer forensics tools and techniques have proven to be a valuable resource for
law enforcement in the identification of leads and in the processing of computer-
related evidence. Computer forensic tools and techniques have become important
resources for use in internal investigations, civil law suits, and computer security risk
management.
Forensic S/w tools and methods can be used to identify passwords, logons, and other
information that is automatically dumped from the computer memory. Such forensic
tools can be used to tie a diskette to the computer that created it. Some of the tools
used are as follows:-

4.1 Get Free - Forensic Data Capture Tool:-

When files are 'deleted' in DOS, Windows, Windows95 and Windows 98, the data
associated with the file is not actually eliminated. It is simply reassigned to unallocated
storage space where it may eventually be overwritten by the creation of new files over time.
Such data can provide the computer forensics investigator with valuable leads and evidence.
However, the same data can create a significant security risk when sensitive data has been
erased using DOS, Windows, Windows 95 and Windows 98 file deletion procedures and
commands.

GetFree software is used to capture all of the unallocated file space on DOS, Windows,
Windows 95 and Windows 98 based computer systems. The program can be used to identify
leads and evidence. It is also effectively used to validate the secure Scrubbing of unallocated
storage space with programs like NTI's M-Sweep ambient data deletion software. When
GetFree software is used as an investigative tool, it eliminates the need to restore potentially
hundreds or thousands of files on computer hard disk drives and floppy diskettes. The
software was primarily developed as a computer forensic tool for use in computer related
investigations and internal audits. However, GetFree has also proven to be an ideal tool for
use in computer security risk assessments because the software automatically captures the
data associated with unallocated file space. Such data can be reviewed and analyzed using
other NTI forensic tools, e.g., Filter_I, Net Threat Analyzer and Graphics Image File
Extractor

4.2 Get Slack - Forensic Data Capture Utility:-

This software is used to capture all of the file slack contained on a logical hard disk drive or
floppy diskette on a DOS, Windows, Windows 95 and/or Windows 98 computer system. The
resulting output from GetSlack can be analyzed with standard computer utilities or with
special NTI tools, e.g., Filter_I and Net Threat Analyzer software. GetSlack software is an
ideal computer forensics tool for use in investigations, internal audits and in computer
security reviews. NTI places special importance on the use of this tool in computer security
risk assessments because memory dumps in file slack are the cause for security related

Page | 12
concerns. Typically, network logons and passwords are found in file slack. It is also possible
for passwords used in file encryption to be stored as memory dumps in file slack.

From an investigative standpoint, file slack is a target rich environment to find lead sand
evidence. File slack can contain leads and evidence in the form of fragments of word
processing communications, Internet E-mail communications, Internet chat room
communications, Internet news group communications and Internet browsing activity. As
a result, this program is a good tool for use in computer related investigations. It also acts
as a good validation tool for use with computer security programs which are designed to
eliminate file slack, e.g., NTI's M-Sweep ambient data scrubbing software.

Page | 13
5. COMPUTER FORENSICS SERVICES
There are many different areas of computers where in the services of computer forensics is
employed. Most of computer forensics services provide useful services to an organization. It
is very much useful in professional environment where the requirement is quite high.
Computer forensics services also include investigative assistance. The computer forensics is
also important in corporate consulting. Forensic data recovery – FDR is also a part of
computer forensics. Incident Response Systems also play a part of computer forensics. The
services of computer forensics are availed in private as well as government organizations.

The secrecy or the privacy of organization is important in some cases where it is

maintained as per expectations. Some of important fields where in the services of
computer forensics can be applied include the following. Incident response systems and
internal investigations can be done using the computer forensics. Computer forensics is
extensively used in criminal as well as civil litigations. There are many laws that provide
the support to a computer forensic.

Another aspect of computer forensics is the electronic document discovery. Data recovery in
itself is a large topic. But some times it is referred to as a part of computer forensic. Security
risk management can also be carried out using the computer forensic tools. The services
provided by the computer forensics are the development of the plans to gather the electronic
evidence. Computer forensic can be used for its services to support criminal and civil
warrants.

Also the computer forensics is useful in electronic discovery requests. Even computer
forensics investigation is beneficent for the purpose of identification, acquisition,
preservation, analysis and reporting of digital evidence. The digital evidence may be from
desktop computers, laptops, storage servers, or any type of removable storage devices. The
services are also available for dispute resolution and to provide an expert witness testimony.
In the event of conducting the audits also its services can be availed. These audits may
involve remote or even network analysis.

The compliance of proactive reviews as well as risk assessment and even for the
investigation of specific allegations the services of computer forensics can be availed. In
case of corporate consultations the services provided by the computer forensics professional
include the development of in house standards. Also the protection of intellectual property is
a major service.

The protection of corporate assets is also a service of computer forensics. The consultation of
computer forensic can be provided to adhere to the legislation involving federal and
provincial privacy. The electronic file retention policies are also a part of consultancy
services of computer forensics.

Apart from all these services, the computer forensics can be even applied for individual
case studies involving personal issues. Even the services of computer forensics can be
used for data recovery problems. Intentional misuse of privacy or personal information
can be considered as a legal case with the help of computer forensics.

Page | 14
6. APPLICATION OF COMPUTER FORENSICS
System forensics is not different from any other forensic science when it comes to
application. It can be applied to any activity, where other mainstream traditional forensics
such as DNA mapping is used, if there has been an involvement of a system or computer in
the event.

Some of the common applications of computer forensics are:-

 
 FINANCIAL FRAUD DETECTION:-
Corporates and banks can be detect financial frauds with the help of evidence
collected from systems. Also, insurance companies can detect possible fraud in
accident, arson, and workman’s compensation cases with the help of computer
evidence.

CRIMINAL PROSECUTION:-
Prosecutors can use computer evidence to establish crimes such as homicides, drug
and false record-keeping, financial frauds, and child pornography in the court of law.


CIVIL LITIGATION:-
Personal and business records found on the computer systems related to fraud,
discrimination, and harassment cases can be used in civil litigations.



“CORPORATE SECURITY POLICY AND ACCEPTABLS USE
 VIOLATIONS”:-
A lot of computer forensic work done is to support management and human

resources (HR) investigations of employee abuse.

Besides cyber crimes and system crimes, criminals use computers for other criminal
activities. In such cases, besides the traditional forensics, system forensic investigation also
plays a vital role.

Page | 15
7. CONCLUSION
With computers becoming more and more involved in our everyday lives, both
professionally and socially, there is a need for computer forensics. This field will enable
crucial electronic evidence to be found, whether it was lost, deleted, damaged, or hidden,
and used to prosecute individuals that believe they have successfully beaten the system.

The computer forensic needs and challenges can be accomplished only with the
cooperation of the private, public, and international sectors. All stakeholders must be
more willing to exchange information on the effect economic and cyber crime has on
them and the methods they are using to detect and prevent it.

Page | 16