Digital Forensics
Vidoushi D. Bahadur-Somrah

_____________________________________________________
Abstract

This report on digital forensics presents researched information on computer forensics and on how investigators examine the evidence they obtain in order to solve crimes such as cybercrimes. It highlights ways of hiding data, together with the methods and procedures used to uncover hidden information. The report also discusses the effectiveness of the ‘Daubert guidelines’, which are used to test digital results for validity and accuracy before they are presented to a court of justice. An account of the investigation of e-mail related crimes is also provided, including some commonly known e-mail scam examples and the process involved in finding the offenders.

Keywords: Digital forensic; Computer forensic; Steganography; Daubert guidelines; Stegdetect; E-mail crimes and violations.

________________________________________________________________________________________________________________

1. Introduction

Digital technology has seen a number of innovations and improvements in various domains over the years, and the Internet and wireless technologies are good examples of successful outcomes. As the use of computers, the Internet and other digital systems becomes more popular and significant in our daily activities, the number of computer-related crimes increases proportionally [1]. Digital systems today are the ultimate tool in money management, e.g. banking systems, and criminals and fraudsters are finding new ways to make easy money, which means that the use of computers to attack such systems is increasingly evident. Unfortunately, there have been court cases in which innocent people were prosecuted and criminals walked free because investigators were unable to provide and authenticate evidence. This is why digital forensics today forms part of crime investigations and plays an important role in identifying, collecting and analysing digital evidence to find the truth. Investigators use highly sophisticated tools and procedures to identify evidence and help solve crimes. This report focuses mainly on the digital forensic analysis of digital-related crimes and describes how it operates, the tools available for its successful application and the challenges it faces. Further information is also provided on the detection of hidden data, the reliability of the evidence found and e-mail crimes.

2. Digital forensics

Digital forensics is the science of identifying evidence from digital sources; it provides forensic experts with robust tools and techniques to solve complicated digital-related crimes. There are four technical sub-branches within digital forensics that can be applied to solve such crimes: computer, network, database and mobile-device forensics [2]. Each of them helps to detect, collect and analyse evidence and to draw conclusions from it that can be used in a court of law. The availability of the latest software detection tools and techniques has also made digital forensics a more reliable and trustworthy method of identifying evidence. Digital forensics is therefore used for a number of purposes in an investigation, such as supporting or refuting evidence and checking whether documents are legitimate, among others [3].

3. Computer forensics

Computer forensics, which forms part of digital forensics, is the technique used to extract information from a computer platform in order to identify evidence. It is defined as “a new discipline which combines computer science and law elements in order to collect and analyse data from computer systems, networks, wireless communications and storage devices in a way that the data is admissible as evidence in a court of law” [4, p1].

Through this technique, computer-related crimes such as intellectual property theft, child pornography, identity theft, hacking attacks and even terrorist activities in which e-mails are exchanged can be traced and stopped, and evidence can be collected to prosecute the wrongdoers. Sophisticated tools available today can also retrieve or recover purposely ‘deleted, hidden and even encrypted data’ of any format, even from damaged media, using various methods and software capabilities that preserve the evidence found from any further damage [4]. Computer forensics therefore helps to capture vital information that would not have been obtainable with traditional investigation methods.

3.1. Examining computer evidence

Criminal investigations involving computer forensics are undertaken in accordance with procedures set within the science of digital forensics. These procedures depend on the type of data to be collected, of which there are two kinds, known as ‘persistent’ and ‘volatile’ data. Persistent data remains present even when the computer is switched off and is located on devices such as hard drives. Volatile data is the opposite: it is lost when the computer is switched off and is commonly located in random access memory (RAM), registries and cache [4]. Volatile data cannot be preserved or recovered once the computer is in an off state. As a result, investigators and forensic experts must apply the correct procedures and use the correct tools to collect and preserve evidence.

Other forms of evidence usually collected in an investigation are physical items. Physical items such as broken CDs, damaged hard drives, shredded paperwork and photographs are collected and examined in highly sophisticated laboratories to identify and preserve evidence. To identify the ‘hidden’ evidence, forensic experts use computer software, electronics and other tools to ensure that the required information is captured from the physical evidence and preserved. Even though forensic laboratories have a high reputation for preserving the integrity of evidence gathered from physical items, it is also important that “computer forensics also require methods to ensure the integrity of the information contained within those physical items. The challenge to computer forensic science is to develop methods and techniques that provide valid and reliable results while protecting the real evidence (the information) from harm” [1, p5].

4. Hidden information

In the past, people used techniques such as invisible ink or coded messages to hide information from others. With the rise of the digital age, new ways of hiding information are being used, in forms such as text, audio waves, images, digital coding, digital watermarking, the unoccupied space of storage devices and TCP/IP packets, among others. These techniques are collectively known as ‘steganography’, which can be defined as “the art of covered, or hidden, writing. The purpose of steganography is covert communication to hide a message from a third party” [5, p1]. The technique allows fraudsters to store hidden information on both computers and networks using any binary file format. The most common carriers for hidden messages are image and audio file formats [5].

4.1. Methods to hide information

Fraudsters use clever methods to hide information in digital media. Some common examples that forensic experts are fully aware of are [5]:
- Unused or emptied space in previously used files.
- Unused space in file headers.
- Unused sections of a hard drive.
- Network protocols – “for example, forms a covert communications channel using the identification field in Internet Protocol (IP) packets or the Sequence Number field in Transmission Control Protocol (TCP) segments” [5, p9].
- Audio sound – small modifications to the sound, such as shifting the wave frequency, angle or beat.
- Image files – modification of the original colour palette with the hidden data once it has been compressed.

4.2. Examples of hidden information in image and audio files

Altering image and audio files is a common method used by those who want to carry hidden data secretly. The hidden information can lead to the audio file sounding too loud or the image appearing too bright in colour; these are some of the distortions in quality that result from altering the original file. The changes are caused by least significant bit (LSB) substitution, which either overwrites the original colour palette or palette pointers in image files such as ‘GIF’ files, or simply overwrites the pulse code modulation (PCM) levels in an audio file. The resulting degradation of the image or audio file can be detected by examining the file at code level. However, it can be quite challenging to detect hidden data, as “almost all techniques used to hide the data within the file use some sort of method to randomize the actual bits in the carrier file that are modified” [5, p10].

Another method of hiding information within image files is the duplication and manipulation of the colour structure within the colour palette, which makes the same colour appear twice in the original palette. JPEG is an image format in which data can be hidden relatively easily using ‘LSB insertion’. The hidden data alters the original JPEG file and, depending on its resolution, might not be detectable by the naked eye; in lower-resolution files, however, the change may be evident. Several algorithms are used to hide information within JPEG image files, such as ‘JSteg’, ‘JP Hide&Seek’, ‘F5’ and ‘OutGuess’ [5]. These algorithms embed data into a JPEG file in different ways; for example, “JSteg sequentially embeds the hidden data in LSBs, JP Hide&Seek uses a random process to select LSBs, F5 uses a matrix encoding based on a Hamming code, and OutGuess preserves first-order statistics” [5, p16].

Unfortunately, as technology improves, more sophisticated techniques are likely to be applied by fraudsters, complicating the investigation. The hidden data could be designed in a non-detectable format so that the file appears to be original and not tampered with [5].

5. Detection of hidden information

Detecting hidden information is a highly complex exercise for forensic experts. The hidden information within the evidence being investigated can be indistinguishable from the carrier and appear not to be present. The carriers used to hide the information are increasingly sophisticated, which makes it difficult to detect anything. Also, if forensic experts lack the skills and experience to recognise the techniques and tools used to hide the data, the retrieval of the evidence, and with it the whole investigation, is delayed.

Steganalysis is a technique used to trace “hidden information based upon observing some data transfer, making no assumption about the stego algorithm” [5, p15]. This method has been used to detect hidden information since the 1990s. Once detected, all hidden information is extracted and the original source is disabled so that it cannot be accessed or altered and remains in a preserved state for use in a court of law. In crime investigations, the investigators’ main concerns are the gathering, analysis and preservation of evidence.

5.1. Methods and tools used to detect hidden data

Because fraudsters now use highly sophisticated tools to hide data, it has become increasingly difficult for forensic experts to know when, where and which algorithm has been employed to hide data. Some of the sophisticated software tools used by forensic experts during an investigation are “WetStone Technologies’ Gargoyle and Niels Provos’s Stegdetect” [5, p17-18]. These software packages have been specially designed with the main goals of:
- locating the source of the hidden programs;
- detecting the form of the suspected carrier files;
- extracting the secretly hidden message.

Gargoyle, by WetStone Technologies, is an effective program that can locate hidden data by using “a proprietary data set (or hash set) of all of the files in the known stego software distributions, comparing them to the hashes of the files subject to search” [5, p17]. It can identify malicious artefacts such as hidden data, spyware and Trojan horses in the files, and therefore helps to detect, disrupt and reduce attacks.

Stegdetect, by Niels Provos, is another commonly used detection tool that locates hidden data in JPEG images created “using steganography schemes like ‘F5’, ‘Invisible Secrets’ among others” [5, p18]. As Stegdetect is a mature and highly robust piece of software, it detects both the hidden data and the technique used to hide it in JPEG files [5].

Both detection programs work most effectively when there is an indication of the type of file and the method used to hide messages. For example, if investigators suspect that ‘S-Tools’ was used to hide data, this would direct them to carriers such as “GIF, BMP and WAV files” [5], whereas ‘JP Hide&Seek’ would point them to JPEG files. Carrier-file-type-specific algorithms are another method of analysis that makes the detection of hidden data easier [5].

Statistical analysis is a common way to detect otherwise untraceable information; it is a robust but much more complicated method of measuring the amount of redundant data and suspicious activity in both image and audio file formats. It is complicated because “some stego algorithms take pains to preserve the carrier file's first-order statistics to avoid just this type of detection” [5, p16]. Also, the randomness of hidden and encrypted data makes it harder to identify, because 0s and 1s are present with equal likelihood. Extracting the hidden data with the help of statistical analysis is therefore a much more complicated task, and investigators must have broad knowledge of the message length, the crypto algorithm and the encryption key, together with the techniques to be used to retrieve the data without compromising its integrity [5].
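The LSB substitution of Section 4.2 and the first-order statistical analysis of this section can be illustrated together. The following Python example, added here and not part of the original report or of any tool it names, embeds random bits sequentially into the LSBs of a constructed 8-bit sample stream (standing in for GIF palette indices or PCM audio samples) and then applies the chi-square ‘pairs of values’ test, which detects how LSB replacement equalises the counts of each value pair 2k/2k+1. The carrier data, the JSteg-style sequential embedding and the Wilson-Hilferty approximation of the chi-square tail are all assumptions of the example.

```python
"""Chi-square 'pairs of values' steganalysis on a constructed 8-bit sample stream."""
import math
import random
from collections import Counter


def make_cover(n, seed=7):
    """Constructed carrier (not real image data): coarse 4-level quantisation plus a biased
    fine offset, so each even value is more common than the odd value it is paired with.
    Real carriers show similar, if smaller, imbalances between adjacent values."""
    rng = random.Random(seed)
    samples = []
    for _ in range(n):
        base = min(255, max(0, int(rng.gauss(128, 30))))
        offset = rng.choices((0, 1, 2, 3), weights=(0.4, 0.3, 0.2, 0.1))[0]
        samples.append(min(255, (base // 4) * 4 + offset))
    return samples


def random_bits(n, seed=1):
    """Message bits; encrypted or compressed payloads look like this (0s and 1s equally likely)."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(n)]


def lsb_replace(samples, bits):
    """Sequential LSB replacement of the first len(bits) samples (JSteg-style embedding)."""
    out = list(samples)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | (bit & 1)
    return out


def chi_square_pov(samples, min_expected=5.0):
    """Pairs-of-values statistic: LSB replacement only moves samples between 2k and 2k+1,
    so after embedding both counts tend to their pair mean. Compare each even count with
    that mean; returns (chi2, degrees_of_freedom). Pairs too rare to test are skipped."""
    counts = Counter(samples)
    chi2, pairs = 0.0, 0
    for even in range(0, 256, 2):
        expected = (counts[even] + counts[even + 1]) / 2.0
        if expected < min_expected:
            continue
        chi2 += (counts[even] - expected) ** 2 / expected
        pairs += 1
    return chi2, pairs - 1


def chi2_survival(chi2, df):
    """P(X >= chi2) for X ~ chi-square(df) via the Wilson-Hilferty normal approximation
    (assumption of this example; adequate for df in the tens, scipy.stats.chi2.sf is exact)."""
    if df <= 0:
        return float("nan")
    z = ((chi2 / df) ** (1.0 / 3.0) - (1.0 - 2.0 / (9.0 * df))) / math.sqrt(2.0 / (9.0 * df))
    return 0.5 * math.erfc(z / math.sqrt(2.0))


def embedding_probability(samples):
    """'Probability of embedding': near 1 when pair counts are as equal as random LSBs
    would make them, near 0 for an untouched carrier."""
    chi2, df = chi_square_pov(samples)
    return chi2_survival(chi2, df)


def embedding_profile(samples, steps=10):
    """Run the test over growing prefixes. Sequential embedding shows up as a high value
    that collapses once the prefix extends past the end of the hidden message."""
    n = len(samples)
    return [(n * k // steps, embedding_probability(samples[: n * k // steps]))
            for k in range(1, steps + 1)]


if __name__ == "__main__":
    cover = make_cover(40000)
    full = lsb_replace(cover, random_bits(len(cover)))
    half = lsb_replace(cover, random_bits(len(cover) // 2, seed=2))
    print(f"untouched carrier : {embedding_probability(cover):.3g}")
    print(f"fully embedded    : {embedding_probability(full):.3f}")
    for prefix, p in embedding_profile(half, 4):
        print(f"half embedded, first {prefix:5d} samples: {p:.3f}")
```

The same functions can be fed the raw palette indices or sample bytes of a real GIF or WAV file; as the text notes, an algorithm such as OutGuess that preserves first-order statistics is not caught by this test.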

6. Reliability of data found

Data retrieved during the investigation process that is to be used as digital evidence must be both reliable and relevant to the case. Investigators therefore have to carefully select the information that is relevant and valid to the prosecution case; not all data obtained from the crime scene is relevant or important. In the same way, evidence should be carefully collected, stored and transported from the crime scene to preserve its originality. This helps the investigators to build a solid case in the form of a chain of evidence that can prove who is involved in the criminal activity. Once the case has been built and approved by the team of investigators and forensic experts, it is confidently presented to the court of justice [3].

Digital evidence is required by law to undergo a Daubert hearing before being formally presented in court. The Daubert hearing is a pre-trial session in which the judge decides whether the tools and methods used to collect, analyse and retrieve the digital evidence are viable and whether the evidence can be presented in court. The Daubert guidelines state that digital evidence has to be tested against four general categories in order to prove its reliability and quality. The four phases are: “testing, error rate, publication, and acceptance” [3, p3].

- Testing: the methods are checked for the accuracy of the results obtained. There are two ways to test the results: “False Negative and False Positives” [3, p4]. The false negative test shows whether the tools and methods used can properly retrieve the data from the system. The false positive test confirms that the tools used have not generated new data and jeopardised the results.
- Error rate: the error percentage of the output results is checked to confirm that it is within acceptable tolerance [3].
- Publication: “The publication guideline shows that the procedure has been documented in a public place and has undergone a peer review” [3, p6].
- Acceptance: the feasibility of the tools and procedures applied during the investigation is checked, as is whether they are acceptable to the scientific community [3].

7. E-mail crimes and violations

E-mail is now a very popular means of communication between people. It is fully integrated into education and business as well as personal use. The advantages of e-mail are its independence from geography or location and the fast, cost-effective delivery of messages. Yet there are threats linked to the use of e-mail systems that can affect genuine users and have severe consequences such as financial loss, loss of privacy, mental persecution and fear [6]. Some common examples of e-mail crimes and violations that have been outlined in the past few years are the job opportunity, investment, inheritance and bank scams.

7.1. Some examples of e-mail crimes and violations

Inheritance scam

The inheritance scam works by luring innocent people with the promise of a large amount of money. Fraudsters contact individuals and state that a relative in a particular location has named the recipient as the only relative left, so that a large sum of money is there to be inherited. However, the fraudsters claim that to ‘unlock’ the money, the individual must first transfer a smaller sum to an account. They also add that the only way to gain access to the inheritance is to open an account with them, through which they obtain all of the victim's personal and bank details. In another variant, the fraudsters claim that they themselves are to inherit money but need to transfer a smaller sum to the lawyers, which they claim they do not have. They ask the innocent individual to lend them some money, which they promise to repay generously once they receive their inheritance. This scam e-mail works [7].

Bank scam

The bank scam is another technique used by fraudsters to gain access to innocent people's account details. It takes the form of an e-mail received by the individual stating that their account has been suspended because unknown access has been identified. The e-mail contains a link that redirects the individual to a look-alike of their bank's homepage. The individual then tries to log into their account, which of course never works, but in doing so has handed all of their login details to the fraudsters. There are variations of this scam as fraudsters try new ways to make easy money. One example of a bank scam is the ‘HSBC Phishing Email Scam’, which HSBC has warned its customers about [8].

7.2. Process of investigating e-mail crimes and violations

E-mail is recognised in most countries as a legal document and can therefore be used as evidence in a court of law. In cybercrime cases such as stalking, child pornography, extortion and harassment, e-mail has been widely used as evidence to convict those guilty of the crime [6].

Several phases are involved in the investigation of e-mail crimes and violations. Each investigation includes the collection and analysis of the evidence found, which are fully detailed in a report before being presented to court. The analysis of the e-mail evidence consists of examining, copying and printing the e-mail message; viewing and examining the e-mail headers; examining any attachments; and finally tracing the e-mail. The investigation of e-mail crimes is very similar to that of any other crime and involves analysing the evidence to identify the person guilty of the crime [9, p394-409].

Examining, copying and printing the e-mail message

Investigators need the victim's computer and password to examine and decode protected files during an investigation. They also need a copy of the malicious e-mail, identify its source from the IP address details, and print it to record its header. This can be done with e-mail software such as Eudora or Outlook Express, and the suspect e-mail can be securely transferred from the inbox folder onto disks or other media without jeopardising its integrity [9, p394].

Viewing and examining the e-mail headers

The e-mail header is where most of the useful information is found. It includes the operating system, hostname and e-mail application of the sending machine, which investigators can use to lead them to the fraudsters in a short time [9, p396-399].

Tracing the e-mail

An IP address retrieved from an e-mail can sometimes be hard to trace, because not all of the information obtained leads back to the original sender. Some websites can help investigators trace the original host, such as “www.arin.net, and www.freeality.com” among others [9, p404-405].

A number of other tools and techniques can be used during an investigation to validate and authenticate the evidence found via e-mail, such as system logs from “network equipment, and UNIX email server” [9, p405]. These system logs are used to check the source and path of the e-mail in order to find the fraudster behind the crime.
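As an added example (not from the report or from the CHFI text it cites), the Python script below parses a constructed bank-scam message of the kind described in Section 7.1, walks the Received headers from the earliest hop to the last, and compares the From domain the message claims with its Return-Path and Reply-To domains. All hostnames, addresses and header values in the sample are made up; they use the reserved .test domain and RFC 5737 documentation address ranges.

```python
"""Header triage for a constructed bank-scam e-mail: rebuild the Received chain and
compare the sender identities the message claims with what the relays recorded."""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample (not a real message): .test hostnames, RFC 5737 documentation IPs.
RAW_MESSAGE = """\
Return-Path: <bounce@promo-mailer.test>
Received: from relay.promo-mailer.test (relay.promo-mailer.test [203.0.113.45])
    by mx.victim-isp.test (Postfix) with ESMTP id 3F2A1
    for <victim@victim-isp.test>; Mon, 10 Oct 2011 09:15:02 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
    by relay.promo-mailer.test (Postfix) with ESMTPA id 8B77C;
    Mon, 10 Oct 2011 09:14:40 +0000
From: "Example Bank Security" <security@example-bank.test>
Reply-To: verify-account@promo-mailer.test
To: victim@victim-isp.test
Subject: Your account has been suspended
Message-ID: <20111010091440.8B77C@relay.promo-mailer.test>
X-Mailer: BulkSender 2.1
Date: Mon, 10 Oct 2011 09:14:38 +0000

Dear customer, unknown access was detected on your account.
Please confirm your details at the link in this message.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received header into the fields an examiner reads.

    'from' is the name the sending host announced in HELO/EHLO and can be anything;
    the bracketed IP is what the receiving relay saw on the connection, so it is the
    part worth trusting (as long as the relay itself is trusted).
    """
    text = " ".join(value.split())  # unfold the header
    m_from = re.search(r"\bfrom\s+(\S+)", text)
    m_by = re.search(r"\bby\s+(\S+)", text)
    m_ip = IP_RE.search(text)
    try:
        when = parsedate_to_datetime(text.rpartition(";")[2].strip())
    except (TypeError, ValueError):
        when = None  # malformed or missing timestamp
    return {
        "from": m_from.group(1) if m_from else None,
        "by": m_by.group(1) if m_by else None,
        "ip": m_ip.group(1) if m_ip else None,
        "time": when,
    }


def received_chain(raw):
    """Hops in chronological order: each relay prepends its header, so the last
    Received header in the message is the earliest hop."""
    msg = message_from_string(raw)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def domain_of(header_value):
    """Domain part of the first address in a header, or None if there is none."""
    address = parseaddr(header_value or "")[1]
    return address.rpartition("@")[2].lower() or None


def header_summary(raw):
    """Facts an investigator records before tracing the origin address (e.g. via WHOIS)."""
    msg = message_from_string(raw)
    hops = received_chain(raw)
    from_domain = domain_of(msg["From"])
    return_path_domain = domain_of(msg["Return-Path"])
    reply_to_domain = domain_of(msg["Reply-To"])
    transit = None
    if len(hops) >= 2 and hops[0]["time"] and hops[-1]["time"]:
        transit = int((hops[-1]["time"] - hops[0]["time"]).total_seconds())
    return {
        "origin_ip": hops[0]["ip"] if hops else None,
        "origin_relay": hops[0]["by"] if hops else None,
        "hop_count": len(hops),
        "transit_seconds": transit,
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "reply_to_domain": reply_to_domain,
        "x_mailer": msg["X-Mailer"],
        "message_id": msg["Message-ID"],
        # A mismatch alone does not prove fraud (mailing lists do it legitimately), but it
        # is the first inconsistency to note for a message claiming to come from a bank.
        "envelope_mismatch": return_path_domain != from_domain,
        "reply_to_mismatch": reply_to_domain is not None and reply_to_domain != from_domain,
    }


if __name__ == "__main__":
    for hop in received_chain(RAW_MESSAGE):
        print(f"{hop['time']}  {hop['ip']:>15}  claimed {hop['from']!r:<20} -> {hop['by']}")
    for key, value in header_summary(RAW_MESSAGE).items():
        print(f"{key:>20}: {value}")
```

Only the Received lines added by relays the investigator trusts (those nearest the recipient) are reliable; a sender can insert fake earlier hops, which is why the chain is read downwards from the recipient's own server rather than upwards from the first line.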


8. Conclusion

Digital forensics today is an essential part of any investigation that involves the use of new technologies to gather and analyse evidence for use in court. It is a challenging science, and researchers must continue to improve forensic techniques, tools and software to incorporate new capabilities and counter the new techniques used by fraudsters and criminals. Forensic experts must maintain their high reputation for being able to detect and extract these unauthorised encrypted messages, or prevent them from causing harm to governments, businesses or civilians. It is expected that newer techniques to detect hidden information and locate evidence will be introduced as fraudsters try new ways to get around existing systems.



9. References

1. Noblett, M.G. et al. “Recovering and examining computer forensic evidence”. Publication: Volume 2, Number 4, 2000. Accessed 09/10/2011. Available through Google Docs at http://docs.google.com/viewer.

2. Ehow.com [online community]. “Forensic Topics”. Published 2010, updated 11/12/2010. Accessed 12/10/2011 at http://www.ehow.com/list_7481819_forensics-topics.html.

3. Carrier, B. “Open Source Digital Forensics Tools”. Digital-evidence.org [online research paper]. Published 2002. Accessed 10/10/2011 at http://www.digital-evidence.org/papers/opensrc_legal.pdf.

4. US-CERT.gov [United States Computer Emergency Readiness Team]. “Computer Forensics”. Published 2008. Accessed 10/10/2011 at http://www.us-cert.gov/reading_room/forensics.pdf.

5. Kessler, G. C. “Overview of Steganography for the Computer Forensics Examiner”. Published February 2004. Citeseerx.ist.psu.edu [online scientific literature digital library]. Accessed 10/10/2011 at http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.90.8113&rep=rep1&type=pdf.

6. Gupta, G. et al. “Digital Forensic Analysis of E-Mails: A Trusted E-Mail Protocol”. Publication: Volume 2, Issue 4, 2004. Citeseerx.ist.psu.edu [online scientific literature digital library]. Accessed 06/10/2011 at http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.63.3656&rep=rep1&type=pdf.

7. Ward, Simon (senior editor). 2010's biggest email scams – “The inheritance scam”. Money.uk.msn.com [online business news]. Published 24/12/2010. Accessed 12/10/2011 at http://money.uk.msn.com/news/crime/photos.aspx?cp-documentid=155566151&page=11.

8. Ward, Simon (senior editor). 2010's biggest email scams – “The account maintenance scam”. Money.uk.msn.com [online business news]. Published 24/12/2010. Accessed 12/10/2011 at http://money.uk.msn.com/news/crime/photos.aspx?cp-documentid=155566151&page=12.

9. Kleiman, D. The Official CHFI Exam 312-49: “For Computer Hacking Forensics Investigators”. Kevin Cardwell, Dave Kleiman, Timothy Clinton, editors [Internet]. Burlington: Syngress Publishing Inc.; 2007. Accessed 14/10/2011. Available through Google Books: http://books.google.co.uk/books.

cyberlaws and cyberforensics,biometrics
 
Computer forensics
Computer  forensicsComputer  forensics
Computer forensics
 
Computer Forensics.pptx
Computer Forensics.pptxComputer Forensics.pptx
Computer Forensics.pptx
 
Digital Forensics best practices with the use of open source tools and admiss...
Digital Forensics best practices with the use of open source tools and admiss...Digital Forensics best practices with the use of open source tools and admiss...
Digital Forensics best practices with the use of open source tools and admiss...
 

Dernier

ENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomnelietumpap1
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Celine George
 
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSGRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSJoshuaGantuangco2
 
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYKayeClaireEstoconing
 
Science 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptxScience 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptxMaryGraceBautista27
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parentsnavabharathschool99
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPCeline George
 
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxHumphrey A Beña
 
4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptxmary850239
 
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfVirtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfErwinPantujan2
 
ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4MiaBumagat1
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)lakshayb543
 
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfTechSoup
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxiammrhaywood
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Jisc
 
Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Celine George
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatYousafMalik24
 

Dernier (20)

ENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choom
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
 
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptxFINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
 
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSGRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
 
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
 
Science 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptxScience 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptx
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parents
 
Raw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptxRaw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptx
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERP
 
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
 
4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx
 
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfVirtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
 
ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
 
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...
 
Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice great
 

Digital Forensics
Vidoushi D. Bahadur-Somrah

Abstract

This report on digital forensics presents researched information on computer forensics and on how investigators examine the evidence they obtain in order to solve crimes such as cybercrimes. It highlights ways of hiding data, together with the methods and procedures used to deploy hidden information. The report also shows the effectiveness of the 'Daubert guidelines', which are used to test digital results for validity and accuracy before they reach the court of justice. The investigation of e-mail related crimes is also covered, including some commonly known e-mail scam examples and the process involved in finding the offenders.

Keywords: Digital forensic; Computer forensic; Steganography; Daubert guidelines; Stegdetect; E-mail crimes and violations.

1. Introduction

Digital technology has been subject to a number of innovations and improvements in various domains over the years, and the Internet and wireless technologies are good examples of successful outcomes. As the use of computers, the Internet and other digital systems becomes more popular and significant in our daily activities, the number of computer-related crimes increases proportionally [1]. Digital systems today are the ultimate tool in money management, e.g. banking systems, and criminals and fraudsters are finding new ways to make easy money, which means that the use of computers to attack such systems is more evident. Unfortunately, there have been court cases in the past where innocent people were prosecuted and criminals walked free because investigators were unable to provide and authenticate evidence. This is why digital forensics today forms part of crime investigations and plays an important role in identifying, collecting and resolving digital evidence to find the truth. Investigators use highly sophisticated tools and procedures to identify evidence and help solve crimes. This report focuses mainly on the digital forensic analysis of digital-related crimes and provides information on how it operates, the tools available for its successful application and the challenges it faces. Further information is also provided on the detection of hidden data, the reliability of the evidence found and e-mail crimes.

2. Digital forensic

Digital forensics is the science of identifying evidence from digital sources; it provides forensic experts with robust tools and techniques to solve complicated digital-related crimes. There are 4 technical sub-branches within digital forensics which can be applied to solve such crimes: computer, network, database and mobile-device forensics [2]. Each technique helps to detect, collect, analyse and draw conclusions from the evidence found, which could be used in a court of law. Also, the availability of the latest software detection tools and techniques has made digital forensics a more reliable and trustworthy method of identifying evidence. Digital forensics is therefore used for a number of purposes in an investigation, such as to support or refute evidence and to check whether documents are legitimate, among others [3].

3. Computer forensic

Computer forensics, which forms part of digital forensics, is the technique used to extract information from a computer platform in order to identify evidence. It is defined as "a new discipline which combines computer science and law elements in order to collect and analyse data from computer systems, networks, wireless communications and storages devices in a way that the data is admissible as evidence in a court of law" [4, p1]. Through this technique, computer-related crimes such as intellectual property theft, child pornography, identity theft, hacking attacks and even terrorist activities in which e-mails are exchanged can be traced and stopped, and evidence collected to prosecute the wrongdoers. Sophisticated tools available today can also retrieve or recover purposely 'deleted, hidden and even encrypted data' of any format, even from damaged media, using various methods and software capabilities that preserve the evidence found from any further damage [4]. Computer forensics therefore helps to capture vital information that could not have been obtained with traditional investigation methods.

3.1. Examining computer evidence

Criminal investigations involving computer forensics are undertaken in accordance with procedures set within the science of digital forensics. These procedures depend on the type of data to be collected, of which there are two: 'persistent' and 'volatile' data. Persistent data remains present even when the computer is switched off and is located on devices such as hard drives. Volatile data is the opposite of persistent data: it is lost when the computer is switched off and is commonly located in random access memory (RAM), registries and caches [4]. Volatile data cannot be preserved or recovered once the computer is in an off state. As a result, investigators or forensic experts must be able to apply the correct procedures and use the correct tools to collect and preserve evidence.

Other forms of evidence usually collected in an investigation are physical items. Physical items such as broken CDs, damaged hard drives, shredded paperwork and photographs are collected and examined in highly sophisticated laboratories to identify and preserve evidence. To identify the 'hidden' evidence, forensic experts use computer software, electronics and other tools to ensure that the required information is captured from the physical evidence and preserved. Even though forensic laboratories are highly reputed for efficiently preserving the integrity of evidence gathered from physical items, it is also important that "computer forensics also require methods to ensure the integrity of the information contained within those physical items. The challenge to computer forensic science is to develop methods and techniques that provide valid and reliable results while protecting the real evidence (the information) from harm" [1, p5].

4. Hidden information

In the past, people used techniques such as invisible ink or coded messages to hide information from others. With the rise of the digital age, new ways are being used to hide information in various forms such as text, audio waves, images, digital coding, digital watermarking, unoccupied space on storage devices and TCP/IP packets, among others. These techniques are also called 'steganography', which can be defined as "the art of covered, or hidden, writing. The purpose of steganography is covert communication to hide a message from a third party" [5, p1]. This technique therefore allows fraudsters to store hidden information on both computers and networks using any binary file format. The most common techniques used to hide secret messages are via image and audio file formats [5].

4.1. Methods to hide information

Fraudsters use clever methods to hide information in digital media. Some common examples that forensic experts are fully aware of are [5]:

• Unused or emptied space in previously used files
• Unused space in file headers
• Unused sections of a hard drive
• Network protocols: "for example, forms a covert communications channel using the identification field in Internet Protocol (IP) packets or the Sequence Number field in Transmission Control Protocol (TCP) segments" [5, p9].
• Audio sound: small modifications to the sound, such as shifting the wave frequency, angle or beat.
• Image files: modification of the original colour palette with the hidden data once the image has been compressed.

4.2. Examples of hidden information in imaging and audio file

Image and audio file alteration is a common method used by those who want to carry hidden data secretly. The hidden information can lead to the audio file sounding too loud or the image file appearing too bright in colour; these are some of the distortions in quality that result from altering the original file of such formats. These changes are caused by Least Significant Bit (LSB) substitution, which either overrides the original colour palettes or palette pointers in image files such as 'GIF' files, or simply overrides the Pulse Code Modulation (PCM) level in audio files. The resulting deformation of the image or audio file can be detected by examining the file at code level. However, it can be quite challenging to detect hidden data, as "almost all techniques used to hide the data within the file use some sort of method to randomize the actual bits in the carrier file that are modified" [5, p10]. Another method of hiding information within image files is the duplication and manipulation of the colour structure within the colour palette, which makes the same colour appear twice in the original colour palette. JPEG is an image file format in which data is relatively easy to hide using 'LSB insertion'. The hidden data alters the original JPEG file and, depending on its resolution, might not be detectable by the naked eye; the change may however be evident in lower-resolution files. There are several algorithms used to hide information within JPEG image files, such as 'JSteg', 'JP Hide&Seek', 'F5' and 'OutGuess' [5]. These algorithms hide data in a JPEG file in different ways; for example, "JSteg sequentially embeds the hidden data in LSBs, JP Hide&Seek uses a random process to select LSBs, F5 uses a matrix encoding based on a Hamming code, and OutGuess preserves first-order statistics" [5, p16]. Unfortunately, as technology improves, more sophisticated techniques are likely to be applied by fraudsters, which would complicate investigations. The hidden data could be designed in a non-detectable format and appear to be original and untampered [5].

5. Detection of hidden information

Detecting hidden information is a highly complex exercise for forensic experts. The hidden information within the evidence under investigation can be indistinguishable and appear to be absent. The carriers used to hide the information are more sophisticated in texture and make it difficult to detect anything. Also, if forensic experts lack the skills and experience to distinguish the techniques and tools used to hide the data, the retrieval of the evidence and the whole investigation are delayed. Steganalysis is a technique used to trace "hidden information based upon observing some data transfer, making no assumption about the stego algorithm" [5, p15]. This method, in use since the 1990s, is used to detect hidden information. Once detected, all hidden information is extracted and the original source is disabled so that it cannot be accessed and altered; it remains in a preserved state to be used in a court of law. In crime investigations, investigators' main concerns are the gathering, analysis and preservation of evidence.

5.1. Method and tools used to detect hidden data

Because fraudsters now use highly sophisticated tools to hide data, it has become increasingly difficult for forensic experts to know when, where and which algorithm has been employed to hide the data.
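As an added example (not part of the original report) of the statistical steganalysis this section describes, the following Python code implements the chi-square "pairs of values" test for sequential LSB substitution and runs it on a constructed 8-bit carrier; the synthetic cover generator, the random seed and the "three deviations" threshold are assumptions of the example, and a real analysis would feed in the pixel bytes of a GIF/BMP image or the PCM samples of a WAV file.

```python
"""
Added example (not from the original report): the chi-square "pairs of
values" test for sequential LSB substitution. The carrier samples are
constructed here; in practice they would be the pixel bytes of a GIF/BMP
image or the PCM samples of a WAV file.
"""
import math
import random
from statistics import NormalDist
from typing import List, Sequence, Tuple


def chi_square_pov(samples: Sequence[int]) -> Tuple[float, int]:
    """Chi-square statistic over the 128 pairs of values (2k, 2k+1).

    Sequential LSB substitution of (compressed or encrypted, hence random)
    message bits drives the two counts of every pair towards equality, so
    the statistic of a fully embedded carrier is close to its degrees of
    freedom, while an untouched carrier usually scores far above it.
    """
    counts = [0] * 256
    for v in samples:
        counts[v & 0xFF] += 1
    stat, pairs = 0.0, 0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        expected = (even + odd) / 2.0
        if expected == 0:
            continue  # pair absent from the carrier: carries no information
        stat += (even - expected) ** 2 / expected
        pairs += 1
    return stat, max(pairs - 1, 0)


def embedding_probability(stat: float, dof: int) -> float:
    """1 - CDF of chi-square(dof) at stat, the 'probability of embedding' of
    Westfeld and Pfitzmann. Uses the Wilson-Hilferty normal approximation,
    which is adequate for about 30 or more degrees of freedom."""
    if dof <= 0:
        return 0.0
    mu = 1.0 - 2.0 / (9.0 * dof)
    sigma = math.sqrt(2.0 / (9.0 * dof))
    z = ((stat / dof) ** (1.0 / 3.0) - mu) / sigma
    return 1.0 - NormalDist().cdf(z)


def analyse_carrier(samples: Sequence[int]) -> dict:
    stat, dof = chi_square_pov(samples)
    # If the pairs really are equal, the statistic is dof +/- sqrt(2*dof);
    # a score within three such deviations is what full sequential
    # embedding leaves behind (threshold is an assumption of this example).
    consistent = stat <= dof + 3.0 * math.sqrt(2.0 * dof)
    return {
        "chi_square": stat,
        "dof": dof,
        "p_embedded": embedding_probability(stat, dof),
        "consistent_with_embedding": consistent,
    }


def constructed_cover(n: int, seed: int) -> List[int]:
    """Synthetic 8-bit carrier whose histogram favours even values 3:1
    within each pair, standing in for the pair imbalance of a real cover."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        k = min(127, max(0, int(rng.gauss(64, 20))))
        out.append(2 * k + (1 if rng.random() < 0.25 else 0))
    return out


def sequential_lsb_substitute(samples: Sequence[int], bits: Sequence[int]) -> List[int]:
    """Plain LSB substitution as the report describes it, used only to
    produce a test carrier for the detector."""
    out = list(samples)
    for i, b in enumerate(bits):
        out[i] = (out[i] & ~1) | (b & 1)
    return out


def demo(seed: int = 7, n: int = 20000) -> Tuple[dict, dict]:
    """Analyse the constructed cover and a fully embedded copy of it."""
    cover = constructed_cover(n, seed)
    rng = random.Random(seed + 1)
    payload_bits = [rng.getrandbits(1) for _ in range(n)]  # fills the carrier
    stego = sequential_lsb_substitute(cover, payload_bits)
    return analyse_carrier(cover), analyse_carrier(stego)


if __name__ == "__main__":
    for label, result in zip(("cover", "stego"), demo()):
        print(label, result)
```

Because the test only looks at the histogram it cannot say which tool was used, and, as the section notes, algorithms that preserve first-order statistics (OutGuess is the example given) are designed to pass it.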
Some of the sophisticated software tools used by forensic experts during an investigation are "WetStone Technologies' Gargoyle and Niels Provos's Stegdetect" [5, p17-18]. These software packages have been specially designed with the main goals of:

• locating the source of the hidden programs;
• detecting the form of suspected transport files;
• extracting the secretly hidden message.

The Gargoyle software by WetStone Technologies is an effective program that can locate hidden data by using "a proprietary data set (or hash set) of all of the files in the known stego software distributions, comparing them to the hashes of the files subject to search" [5, p17]. It can identify malicious items such as hidden data, spyware and Trojan horses in the files. It therefore helps to detect, disrupt and reduce attacks. The Stegdetect software by Niels Provos is another commonly used detection tool that locates hidden data in JPEG images; it works by "using steganography schemes like 'F5', 'Invisible secret' among others" [5, p18]. As Stegdetect is a high-quality and highly robust software, it detects both the hidden data and the technique used to hide the data in JPEG files [5]. Both detection programs work most effectively when there is an indication of the type of file and the method used to hide messages. For example, if investigators suspect that 'S-Tools' was used to hide data, this would direct them to "GIF, BMP and WAV files" [5], whereas 'JP Hide&Seek' would point them to the JPEG file format. Carrier-file-type-specific algorithms are another method of analysis that makes the detection of hidden data easier [5].

Statistical analysis is a common way to detect otherwise untraceable information; it is a robust but much more complicated method that measures the amount of redundant data and suspicious patterns in both image and audio file formats. It is a complicated technique because "some stego algorithms take pains to preserve the carrier file's first-order statistics to avoid just this type of detection" [5, p16]. Also, the randomness of hidden and encrypted data makes it harder to identify, since 0s and 1s are present with equal likelihood. Therefore, extracting hidden data by statistical analysis is a much more complicated task, and investigators must have broad knowledge of message lengths, the crypto algorithm and the encryption key, together with the techniques to be used to retrieve the data without compromising its integrity [5].

6. Reliability of data found

Pieces of data retrieved during the investigation process which are to be used as digital evidence must be both reliable and relevant to the case. This means that investigators have to carefully select the relevant information valid to the prosecution case; not every piece of data obtained from the crime scene is relevant or important. In the same way, evidence should be carefully collected, stored and transported from the crime scene to preserve its originality. This helps the investigators to build a solid case in the form of a chain of evidence which can prove who is involved in the criminal activity. Once the case is built and approved by the team of investigators and forensic experts, it is confidently presented to the court of justice [3].

Digital evidence is required by law to undergo a Daubert hearing before being formally presented in court. The Daubert hearing is a pre-trial session in which the judge decides whether the tools and methods used to collect, analyse and retrieve the digital evidence are viable and whether the evidence can be presented in court. The Daubert guidelines state that digital evidence has to be tested against 4 general categories in order to prove its reliability and quality. The four phases are: "testing, error rate, publication, and acceptance" [3, p3].

• Testing: the methods are checked for the accuracy of the results obtained. There are two ways to test the results: "False Negative and False Positives" [3, p4]. The false negative test shows whether the tools and methods used can properly retrieve the data from the system; the false positive test confirms that the tools used have not generated new data that would jeopardise the results.
• Error rate: the error percentage of the output results is checked and must lie within an acceptable tolerance [3].
• Publication: "The publication guideline shows that the procedure has been documented in a public place and has undergone a peer review" [3, p6].
• Acceptance: the feasibility of the tools and procedures applied during the investigation is checked, as is whether they are accepted by the scientific community [3].

7. E-mail crimes and violations

E-mail is now a very popular means of communication between people. It is fully integrated into education and business as well as personal use. The advantages of e-mail are its independence of geography or location and the fast, instant and cost-effective delivery of messages. Yet there are threats linked to the use of e-mail systems which can affect genuine users and have severe consequences such as financial loss, loss of privacy, mental persecution and fear [6]. Some common examples of e-mail crimes and violations outlined in the past few years are job opportunity, investment, inheritance and bank scams.

7.1. Some examples of e-mail crimes and violations

Inheritance scam

The inheritance scam works by luring innocent people with a large amount of money. Fraudsters contact individuals and claim that a relative at a particular location has named them as the only relative left, so that a large sum of money is there to be inherited. However, the fraudsters claim that to 'unlock' the money, the individual must first transfer a smaller sum to an account. They also add that the only way to gain access to the inheritance is to open an account with them, through which they obtain all of the personal and bank details. In another variant, the fraudsters claim that they themselves are to inherit money but need to transfer a smaller sum to the lawyers, which they claim they do not have; they ask the innocent individual to lend them some money, which they promise to repay generously once they receive their inheritance. This scam e-mail works [7].

Bank scam

The bank scam is another technique used by fraudsters to gain access to innocent people's account details. It takes the form of an e-mail received by the individual stating that their account has been suspended because unknown access was detected. The e-mail contains a link which redirects the individual to a look-alike of their bank's homepage. The individual then tries to log into his account, which obviously never works, but in doing so has given all of his login details to the fraudsters. There are variations of this scam as fraudsters try new ways to make easy money. An example of a bank scam is the 'HSBC Phishing Email Scam' about which HSBC has warned its customers [8].

7.2. Process of investigating e-mail crimes and violations

E-mail is recognised in most countries as a legal document and can therefore be used as evidence in a court of law. Cybercrime investigations into stalking, child pornography, money extortion and mental harassment have seen e-mail widely used as evidence to convict those guilty of the crime [6]. There are several phases in the investigation of e-mail crimes and violations. Each investigation includes the collection and analysis of the evidence found, which is fully detailed in a report before being presented in court. The analysis of e-mail evidence consists of examining, copying and printing the e-mail message; viewing and examining the e-mail headers; examining any attachments; and finally tracing the e-mail. The investigation of e-mail crimes is very similar to that of any other crime and involves analysing the evidence to identify the person guilty of the crime [9, p394-409].

Examining, copying and printing the e-mail message

Investigators need the victim's computer and password to examine and decode protected files during an investigation. They also need a copy of the malicious e-mail, so that they can identify its source from the IP address details and print it to identify its header. This can be done with e-mail software such as Eudora or Outlook Express, and the suspect e-mail can be securely transferred from the inbox folder onto disks or alternative media without jeopardising its integrity [9, p394].

Viewing and examining the e-mail headers

The e-mail header is where most of the information is normally hidden. It contains the source PC's operating system, its hostname and the e-mail application used, which investigators can use to direct them to the fraudsters in no time [9, p396-399].
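As an added example (not part of the original report) of the header examination just described, the following Python code parses the Received chain, the sender's mail client and the From address of a bank-scam style message and lists the inconsistencies an investigator would note; the message itself is constructed for the example (hostnames under the reserved .invalid domain, IP addresses from the RFC 5737 documentation ranges) and the HOP_RE pattern is the example's own simplification of the Received header syntax.

```python
"""
Added example (not from the original report): examining e-mail headers.
RAW_MESSAGE is a constructed phishing-style message; the addresses and
hosts are documentation values, not real infrastructure.
"""
import email
import email.utils
import re
from typing import Dict, List

RAW_MESSAGE = b"""\
Received: from mail.example-bank.invalid (relay7.bulkmail.invalid [198.51.100.7])
    by mx.victim.invalid (Postfix) with ESMTP id 4FQ7Z0X
    for <customer@victim.invalid>; Fri, 14 Oct 2011 09:12:44 +0000
Received: from WINBOX-PC (unknown [203.0.113.42])
    by relay7.bulkmail.invalid with SMTP; Fri, 14 Oct 2011 09:12:31 +0000
From: "Account Services" <security@example-bank.invalid>
To: customer@victim.invalid
Subject: Your account has been suspended
Message-ID: <20111014091231.0001@WINBOX-PC>
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
Date: Fri, 14 Oct 2011 10:12:31 +0100

Dear customer, unusual access to your account was detected. Please log in
at the link below to restore access.
"""

# One hop: "from <HELO name> (<reverse DNS> [<IP>]) by <server> with <protocol>"
# (simplified; real Received headers vary between MTAs)
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>\S+)\s+)?\[(?P<ip>[0-9.]+)\]\)"
    r".*?\bby\s+(?P<by>[^\s;()]+)"
    r"(?:.*?\bwith\s+(?P<with>[^\s;]+))?",
    re.DOTALL,
)


def parse_received(values: List[str]) -> List[Dict[str, str]]:
    """Turn the Received headers (top of message = last hop) into the
    chronological path the message took, earliest hop first."""
    hops = []
    for raw in values:
        text = " ".join(str(raw).split())  # unfold continuation lines
        m = HOP_RE.search(text)
        if m is None:
            hops.append({"raw": text})  # unusual format: keep for manual review
            continue
        hops.append({k: (v or "") for k, v in m.groupdict().items()})
    hops.reverse()
    return hops


def examine_headers(raw: bytes) -> dict:
    """Extract the relay path, originating host, mail client and the
    inconsistencies between what the headers claim and what they record."""
    msg = email.message_from_bytes(raw)
    path = parse_received(msg.get_all("Received") or [])
    from_addr = email.utils.parseaddr(msg.get("From", ""))[1]
    from_domain = from_addr.rpartition("@")[2].lower()
    origin = path[0] if path else {}
    indicators = []

    # Only the hop that handed the message to our own MX was verified by a
    # server we trust: compare the HELO name it gave with its reverse DNS.
    if path and "helo" in path[-1]:
        last = path[-1]
        if (last["helo"].lower().endswith(from_domain)
                and not last["rdns"].lower().endswith(from_domain)):
            indicators.append(
                f"HELO name {last['helo']} claims the sender domain but "
                f"reverse DNS is {last['rdns']} [{last['ip']}]")
    if path and origin.get("rdns", "").lower() in ("", "unknown"):
        indicators.append(f"originating host {origin.get('helo')} "
                          f"[{origin.get('ip')}] has no reverse DNS")
    msgid_domain = msg.get("Message-ID", "").strip("<> ").rpartition("@")[2].lower()
    if msgid_domain and msgid_domain != from_domain:
        indicators.append(f"Message-ID domain {msgid_domain} differs from "
                          f"From domain {from_domain} (weak indicator)")

    return {
        "path": path,
        "origin_host": origin.get("helo"),
        "origin_ip": origin.get("ip"),
        "mailer": msg.get("X-Mailer") or msg.get("User-Agent"),
        "from_domain": from_domain,
        "indicators": indicators,
    }


if __name__ == "__main__":
    for key, value in examine_headers(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

The originating IP and hostname this yields are the starting point for the tracing step that follows; every hop below the one added by the investigator's own server was written by machines the sender may control and is taken as a claim, not a fact.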
Tracing the e-mail

Tracing the IP address retrieved from an e-mail can sometimes be hard, because not all of the information obtained traces back to the original sender. Some websites can help investigators trace the original host, such as "www.arin.net, and www.freeality.com" among others [9, p404-405]. A number of other tools and techniques can be used during an investigation to validate and authenticate the evidence found via e-mail, such as system logs from "network equipment, and UNIX email server" [9, p405]. These system logs are used to check the source and path of the e-mail in order to find the fraudster behind the crime.

8. Conclusion

Digital forensics today is an essential part of any investigation that involves the use of new technologies to gather and analyse evidence to be used in court. It is a challenging science, and researchers must continue to improve forensic techniques, tools and software to incorporate new capabilities and counter the new techniques used by fraudsters and criminals. Forensic experts must maintain their high reputation for being able to detect, extract or prevent these unauthorised encrypted messages from causing any harmful attack on government, businesses or civilians. It is believed that newer techniques will be introduced to detect hidden information and locate evidence as fraudsters try new ways to get around existing systems.

9. References

1. M.G. Noblett et al. Article: "Recovering and examining computer forensic evidence". [Internet]. Publication: Volume 2, Number 4, 2000. Accessed on 09/10/2011. Available through Google document at http://docs.google.com/viewer.
2. Ehow.com [Online community]. Article: "Forensic Topics". Published: 2010, updated 11/12/2010. Accessed on 12/10/2011 at http://www.ehow.com/list_7481819_forensics-topics.html.
3. Digital-evidence.org [Online research paper]. Article: "Open Source Digital Forensics Tools". Author: Carrier, B. Published: 2002. Accessed on 10/10/2011 at http://www.digital-evidence.org/papers/opensrc_legal.pdf.
4. US-CERT.gov [Online, United States Computer Emergency Readiness Team]. Article: "Computer Forensics". Published: 2008. Accessed on 10/10/2011 at http://www.us-cert.gov/reading_room/forensics.pdf.
5. Citeseerx.ist.psu.edu [Online Scientific Literature Digital Library]. Article: "Overview of Steganography for the Computer Forensics Examiner". Author: Kessler, G. C. Published: February 2004. Accessed on 10/10/2011 at http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.90.8113&rep=rep1&type=pdf.
6. Citeseerx.ist.psu.edu [Online Scientific Literature Digital Library]. Article: "Digital Forensic Analysis of E-Mails: A Trusted E-Mail Protocol". Author: Gupta, G. et al. Publication: Volume 2, Issue 4, 2004. Accessed on 06/10/2011 at http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.63.3656&rep=rep1&type=pdf.
7. Money.uk.msn.com [Online business news]. Article: 2010's biggest email scams, "The inheritance scam". Author: Simon Ward, senior editor. Published: 24/12/2010. Accessed on 12/10/2011 at http://money.uk.msn.com/news/crime/photos.aspx?cp-documentid=155566151&page=11.
8. Money.uk.msn.com [Online business news]. Article: 2010's biggest email scams, "The account maintenance scam". Author: Simon Ward, senior editor. Published: 24/12/2010. Accessed on 12/10/2011 at http://money.uk.msn.com/news/crime/photos.aspx?cp-documentid=155566151&page=12.
9. Kleiman, D. The Official CHFI Exam 312-49: "For Computer Hacking Forensics Investigators". Kevin Cardwell, Dave Kleiman, Timothy Clinton, editors [Internet]. Burlington: Syngress Publishing Inc.; 2007. Accessed on 14/10/2011. Available through Google Books: http://books.google.co.uk/books.