01-Computer forensics
Outlines:
• Definition of computer forensics
• Digital evidence and recovery:
1. Digital evidence on computer system
2. Digital evidence on network
• Challenges
Definition of computer forensics: a type of investigation that collects data and evidence from technical devices using computers or investigation devices.
Preservation, identification, extraction, documentation and interpretation of computer media for root cause analysis, using well-defined methodologies and procedures.
The functions of a forensic scientist:
• Analysis of physical evidence
• Provision of expert testimony
• Furnishing proper recognition, collection and preservation
Methodologies:
• Obtain the evidence without damaging the original
• Authenticate that the evidence has the same size as the original seized
• Analyze data without modifying it
Categories of evidence:
• Hardware
• Software: data and programs
Evidence resides:
• Computer system:
1. Logical file system: file system, RAM, physical storage space
2. Slack space
3. Unallocated space
• Computer networks:
1. Application layer: web pages, online documents, e-mail, newsgroup archives, chat room archives
2. Transport layer: log files on the host modem, ISP, firewall, router
3. Network layer
4. Data link layer
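As an added illustration that is not part of the lecture notes, the Python sketch below builds a constructed toy block device with a single allocation table, writes and deletes files on it, and compares what a file-level copy recovers with what a bitwise image recovers. ToyDisk, its block geometry and the file contents are all invented for this example; the point it makes is the one in the list above: slack space and unallocated space exist only in the physical medium, not in the logical file system.

```python
BLOCK_SIZE = 64    # bytes per block on the toy medium (constructed value)
BLOCK_COUNT = 8    # 512-byte medium, small enough to inspect by hand


class ToyDisk:
    """Constructed block device with a one-table file system (not a real format).

    It exists only to make the three evidence areas from the notes concrete:
    the logical file system (what a file copy sees), slack space (the tail of a
    file's last block) and unallocated space (blocks no live file owns).
    """

    def __init__(self):
        # Pre-fill the medium with remnants of an earlier, overwritten file so that
        # slack and unallocated areas carry recognisable old content.
        pattern = b"OLD-REMNANT-" * (BLOCK_SIZE * BLOCK_COUNT // 12 + 1)
        self.media = bytearray(pattern[:BLOCK_SIZE * BLOCK_COUNT])
        self.table = {}      # name -> (first_block, size_in_bytes)
        self.next_free = 0   # simplistic bump allocator; freed blocks are never reused

    def write_file(self, name, data):
        blocks_needed = -(-len(data) // BLOCK_SIZE)  # ceiling division
        if self.next_free + blocks_needed > BLOCK_COUNT:
            raise OSError("toy disk full")
        start = self.next_free * BLOCK_SIZE
        # Bytes after len(data) inside the last block are left untouched: that is slack.
        self.media[start:start + len(data)] = data
        self.table[name] = (self.next_free, len(data))
        self.next_free += blocks_needed

    def delete_file(self, name):
        # Deletion drops only the table entry; the blocks keep their bytes and
        # become unallocated space until something overwrites them.
        del self.table[name]

    def slack_of(self, name):
        """Bytes between the end of the file's data and the end of its last block."""
        first_block, size = self.table[name]
        end_of_data = first_block * BLOCK_SIZE + size
        end_of_block = (first_block + -(-size // BLOCK_SIZE)) * BLOCK_SIZE
        return bytes(self.media[end_of_data:end_of_block])

    def logical_copy(self):
        """File-level copy: only the bytes the table says belong to live files."""
        return {
            name: bytes(self.media[fb * BLOCK_SIZE: fb * BLOCK_SIZE + size])
            for name, (fb, size) in self.table.items()
        }

    def physical_image(self):
        """Bitwise image: every byte of the medium, allocated or not."""
        return bytes(self.media)


def demonstrate():
    """Show what a file copy misses compared with a bitwise image."""
    disk = ToyDisk()
    disk.write_file("report.txt", b"A" * 100)   # 2 blocks; 28 bytes of slack in block 1
    disk.write_file("note.txt", b"DELETED-NOTE: content the file copy never sees")
    disk.delete_file("note.txt")                 # now lives only in unallocated space

    logical = b"".join(disk.logical_copy().values())
    image = disk.physical_image()
    slack = disk.slack_of("report.txt")
    return {
        "logical_bytes": len(logical),
        "image_bytes": len(image),
        "slack_bytes": len(slack),
        "deleted_in_logical": b"DELETED-NOTE" in logical,
        "deleted_in_image": b"DELETED-NOTE" in image,
        "remnant_in_logical": b"OLD-REMNANT" in logical,
        "remnant_in_slack": b"OLD-REMNANT" in slack,
    }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

Running it shows the file copy holding exactly the 100 live bytes, while the image still contains the deleted note in unallocated space and the old remnant in the 28 bytes of slack behind the live file, which is why the collection phase later in these notes insists on a forensic image rather than a file copy.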
Challenges of computer forensics:
• A microcomputer may have 60 GB or more of storage capacity.
• There are more than 2.2 billion messages expected to be sent and received (in the US) per day.
• There are more than 3 billion indexed Web pages worldwide.
• There are more than 550 billion documents online.
• Exabytes of data are stored on tape or hard drives.
• How to collect the specific, probative, and case-related information from very large groups of files?
• Enabling techniques for lead discovery from very large groups of files:
  • Link analysis
  • Visualization
  • Text mining
  • Data mining
  • Intelligent information retrieval
• Computer forensics must also adapt quickly to new products and innovations with valid
and reliable examination and analysis techniques.
02-Cyber Forensics
Communities of computer forensics:
• Law enforcement
• Military
• Business and industry
• Academia
Cyber forensics activities:
• The secure collection of digital data
• The identification of suspect data
• The examination of suspect data to determine its origin and content
• The presentation of computer-based data to a court of law
• The application of the country's law to computer practice
Forensic Principles:
• Digital/ Electronic evidence is extremely volatile!
• Once the evidence is contaminated it cannot be de-contaminated!
• The court's acceptance is based on the best evidence principle
• Chain of Custody is crucial
Cyber Forensic Principles:
1. When dealing with digital evidence, all of the general forensic and procedural principles must be applied.
2. Upon seizing digital evidence, actions taken should not change that evidence.
3. When it is necessary for a person to access original digital evidence, that person should be trained for the purpose.
4. All activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved and available for review.
5. An individual is responsible for all actions taken with respect to digital evidence whilst the digital evidence is in their possession.
6. Any agency which is responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles.
Phases of forensics:
• Identification: the first step is identifying evidence and potential containers of evidence:
  Small-scale devices
  Non-traditional storage media
  Multiple possible crime scenes
  The context of the investigation is very important: do not operate in a vacuum, and do not overlook non-electronic sources of evidence.
• Collection: care must be taken to minimize contamination. Collect or seize the system, create a forensic image, take detailed photos and notes of the computer, make sure to take photos and notes of all connections to the computer and other devices, make 2 copies and don't work from the original.
  A file copy does not recover all data areas of the device for examination; work from a duplicate image.
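Added example, not part of the lecture notes: a Python model of the methodology and collection steps above (image the seized medium, keep an archive copy and a working copy, authenticate each copy by size and SHA-256 against the digest recorded at seizure, log every action to a chain-of-custody record, and re-image from the archive when the working copy is contaminated). The seized medium is a constructed file of random bytes, the examiner id is a placeholder, and CustodyLog and the file names are invented here.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 16  # read 64 KiB at a time so a large image never has to fit in memory


def sha256_file(path):
    """Stream the file through SHA-256; the digest is the evidence's fingerprint."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(source, dest):
    """Bitwise copy of the source (opened read-only); returns (size, sha256) of the copy."""
    with open(source, "rb") as src, open(dest, "wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)
    return os.path.getsize(dest), sha256_file(dest)


def verify_image(path, expected_size, expected_digest):
    """Authenticate a copy against the size and hash recorded at seizure."""
    return os.path.getsize(path) == expected_size and sha256_file(path) == expected_digest


class CustodyLog:
    """Append-only JSON-lines record of every action taken on an evidence item (invented here)."""

    def __init__(self, path):
        self.path = path

    def record(self, examiner, action, item, digest):
        entry = {
            "time_utc": datetime.now(timezone.utc).isoformat(),
            "examiner": examiner,
            "action": action,
            "item": os.path.basename(item),
            "sha256": digest,
        }
        with open(self.path, "a") as f:
            f.write(json.dumps(entry) + "\n")

    def entries(self):
        with open(self.path) as f:
            return [json.loads(line) for line in f]


def acquisition_workflow(examiner="EXAMINER-ID-PLACEHOLDER"):
    """Seize -> image twice -> verify -> detect contamination -> re-image from the archive copy."""
    workdir = tempfile.mkdtemp()
    try:
        # Constructed stand-in for the seized medium (random bytes, not real evidence).
        original = os.path.join(workdir, "seized_device.bin")
        with open(original, "wb") as f:
            f.write(os.urandom(300_000))
        size, digest = os.path.getsize(original), sha256_file(original)

        log = CustodyLog(os.path.join(workdir, "custody.jsonl"))
        log.record(examiner, "seized", original, digest)

        # Two copies: one sealed archive image, one working image for analysis.
        archive = os.path.join(workdir, "image_archive.dd")
        working = os.path.join(workdir, "image_working.dd")
        for dest in (archive, working):
            log.record(examiner, "imaged", dest, image_device(original, dest)[1])
        os.chmod(archive, 0o444)  # the archive copy is never written to again
        archive_ok = verify_image(archive, size, digest)
        working_ok = verify_image(working, size, digest)

        # Simulate an analysis step that flips a single byte of the working copy.
        with open(working, "r+b") as f:
            first = f.read(1)
            f.seek(0)
            f.write(bytes([first[0] ^ 0xFF]))
        contamination_detected = not verify_image(working, size, digest)
        log.record(examiner, "integrity_check_failed", working, sha256_file(working))

        # A contaminated copy cannot be cleaned; discard it and re-image from the archive.
        os.remove(working)
        log.record(examiner, "reimaged_from_archive", working, image_device(archive, working)[1])
        reimaged_ok = verify_image(working, size, digest)

        return {
            "archive_verified": archive_ok,
            "working_verified": working_ok,
            "contamination_detected": contamination_detected,
            "reimaged_verified": reimaged_ok,
            "custody_entries": len(log.entries()),
        }
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(acquisition_workflow(), indent=2))
```

The size check alone is what the methodology bullet asks for; the hash is what makes the check meaningful, because a one-byte change keeps the size identical yet fails verification, and the custody log preserves which copy failed and when.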