1. ISN 3244 - Network and
Computer Forensics
BY
ENGR. JOHNSON C. UBAH
B.ENG, M.ENG, HCNA, ASM
2. Course overview
This course provides an introduction to the methodology and procedures associated
with digital forensic analysis in a network environment and also in a computer
system. Students will develop an understanding of the fundamentals associated with
the topologies, protocols, and applications required to conduct forensic analysis in a
network environment. Students will learn about the importance of network forensic
principles, legal considerations, digital evidence controls, and documentation of
forensic procedures. This course will incorporate demonstrations and laboratory
exercises to reinforce the student's practical know-how.
3. Objectives
The need for computer forensic experts is growing in corporations, law firms,
insurance agencies, and law enforcement. Organizations are now realizing that
evidence retrieved from computers and other digital media is becoming more
relevant to convicting hackers and criminals. Though this digital evidence can be
powerful, if it is not retrieved through proper investigative procedure it can
easily be damaged and ruled inadmissible in a court of law.
4. Course objective
Upon successful completion of this course the student will be able to:
◦ Look for digital evidence in both wired and wireless networks and on a computer
system
◦ Perform end-to-end forensic investigations
◦ Collect evidence from log files
◦ Explain the importance of time synchronization in event logs
◦ Use typical forensic investigation tools
◦ Follow a scientific approach to investigate network security events and incidents
5. Topics covered
◦ Introduction to computer forensics
◦ Overview of hardware and operating systems
◦ Data recovery
◦ Digital evidence controls
◦ Computer forensic tools
◦ Network forensics
◦ Mobile network forensics
◦ Computer crime and legal issues
◦ Wireless attack investigation
7. What is computer forensics?
Digital forensics is defined as the process of preservation,
identification, extraction, and documentation of computer evidence
that can be presented in a court of law.
It is the science of finding evidence on digital media such as a computer,
mobile phone, server, or network.
8. Why forensics?
It provides the forensic team with the best techniques and tools to
solve complicated digital-related cases.
Digital forensics helps the forensic team to analyze, inspect,
identify, and preserve the digital evidence residing on various types
of electronic devices.
9. Objectives of computer forensic
It helps to recover, analyze, and preserve computer and related materials in such
a manner that it helps the investigation agency to present them as evidence in a
court of law.
It helps to postulate the motive behind the crime and the identity of the main
culprit.
Designing procedures at a suspected crime scene helps you to ensure that
the digital evidence obtained is not corrupted.
10. Objectives of computer forensic
Data acquisition and duplication: recovering deleted files and deleted partitions
from digital media to extract the evidence and validate it.
Helps you to identify the evidence quickly, and also allows you to estimate the
potential impact of the malicious activity on the victim.
Producing a computer forensic report that fully documents the
investigation process.
Preserving the evidence by following the chain of custody.
11. Process of Digital forensics
Digital forensics entails the following steps:
◦ Identification
◦ Preservation
◦ Analysis
◦ Documentation
◦ Presentation
13. Forensic process
Identification
This is the first step in the forensic process. Identification mainly
covers what evidence is present, where it is stored, and how
it is stored (in which format).
Electronic storage media can be personal computers, mobile phones, PDAs, etc.
Preservation
In this phase, data is isolated, secured, and preserved. It includes preventing
people from using the digital device so that digital evidence is not tampered
with.
14. Forensic process
Analysis
In this step, investigation agents reconstruct fragments of data and draw
conclusions based on evidence found. However, it might take numerous
iterations of examination to support a specific crime theory.
Documentation
In this process, a record of all the visible data must be created. It helps in
recreating the crime scene and reviewing it. It involves proper documentation of
the crime scene along with photographing, sketching, and crime-scene mapping.
15. Forensic process
Presentation
In this last step, the conclusions are summarized and explained.
The report should be written in layperson's terms, using abstracted
terminology, and every abstracted term should reference the
specific underlying details.
16. Overview of the digital forensics analysis
methodology
The Cybercrime Lab illustrates an overview of the process with the figure below.
The three steps, Preparation/Extraction, Identification, and Analysis, are
highlighted because they are the focus.
17. Preparation/extraction
Examiners begin by asking whether there is enough information to proceed. They make
sure a clear request is in hand and that there is sufficient data to attempt to answer it. If
anything is missing, they coordinate with the requester. Otherwise, they continue to set
up the process:
◦ Validate all hardware and software to ensure that they work properly.
◦ Duplicate the forensic data provided in the request and verify the integrity of the copy.
◦ Once the integrity of the data to be analyzed has been verified, develop a plan to
extract data.
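The duplication and integrity check in the step above, and the chain-of-custody preservation from slide 10, can be scripted. The following is an added example, not code from the original slides: it hashes a source image in chunks (so a multi-terabyte image never has to fit in memory), copies it, re-reads the copy to prove it is bit-identical, and records every handling step in an append-only custody log. The image bytes, examiner name and case number are constructed for illustration; the hash-linked log entries are a design choice of this example rather than something the slides prescribe.

```python
"""Evidence duplication, integrity verification and chain-of-custody logging.

Added example (not from the original slides). The image bytes, examiner
name and case number below are constructed; a real acquisition would read
a write-blocked block device or an existing raw/E01 image from disk.
"""
import hashlib
import io
import json
from datetime import datetime, timezone

CHUNK = 1 << 16  # hash in 64 KiB chunks so large images never sit in RAM


def hash_stream(stream, algorithms=("md5", "sha256")):
    """Hash a readable binary stream once, returning {name: hexdigest}.

    Both MD5 and SHA-256 are computed because many existing tools and
    acquisition reports still record MD5 alongside a stronger digest.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def duplicate_and_verify(source, destination):
    """Copy source to destination and prove the copy is bit-identical.

    Returns (ok, source_hashes, copy_hashes). The copy is hashed by
    re-reading the destination, not by trusting what was written.
    """
    source.seek(0)
    src_hashes = hash_stream(source)
    source.seek(0)
    for chunk in iter(lambda: source.read(CHUNK), b""):
        destination.write(chunk)
    destination.seek(0)
    copy_hashes = hash_stream(destination)
    return src_hashes == copy_hashes, src_hashes, copy_hashes


class CustodyLog:
    """Append-only chain-of-custody record.

    Each entry carries the SHA-256 of the previous entry, so editing or
    removing an earlier entry breaks every later link (a design choice of
    this example, not something the slides prescribe).
    """

    def __init__(self, case_id):
        self.case_id = case_id
        self.entries = []

    def record(self, examiner, action, item, hashes, when=None):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "case": self.case_id,
            "time_utc": (when or datetime.now(timezone.utc)).isoformat(),
            "examiner": examiner,
            "action": action,
            "item": item,
            "hashes": hashes,
            "prev_entry_hash": prev,
        }
        body = json.dumps(entry, sort_keys=True).encode()
        entry["entry_hash"] = hashlib.sha256(body).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return True if every entry's hash and back-link still check out."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev_entry_hash"] != prev:
                return False
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if digest != e["entry_hash"]:
                return False
            prev = digest
        return True


def demo():
    """Acquire a constructed image, verify its copy, and log the custody steps."""
    image = bytes((i * 7919) % 256 for i in range(8192))  # constructed "sectors"
    original = io.BytesIO(image)
    working_copy = io.BytesIO()
    ok, src, cpy = duplicate_and_verify(original, working_copy)

    log = CustodyLog("CASE-2024-001")  # hypothetical case number
    log.record("examiner-1", "acquired image", "laptop-hdd.dd", src)
    log.record("examiner-1", "duplicated to working copy", "laptop-hdd-copy.dd", cpy)

    # A copy that differs in a single byte must fail verification.
    tampered = io.BytesIO(image[:100] + bytes([image[100] ^ 0x01]) + image[101:])
    tampered_ok = hash_stream(tampered) == src
    return ok, tampered_ok, log


if __name__ == "__main__":
    ok, tampered_ok, log = demo()
    print("copy verified:", ok, "| tampered copy verified:", tampered_ok)
    print("custody log intact:", log.verify(), "| entries:", len(log.entries))
```

The important habit is that the hash of the original is taken before any copying, the copy is hashed by reading it back, and both values go into the custody record at the time of the action; a hash computed only at reporting time proves nothing about what happened in between.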
18. Examiners list leads explicitly to help focus the examination. As they develop
new leads, they add them to the list, and as they exhaust leads, they mark them
"processed" or "done."
For each search lead, examiners extract relevant data and mark that search lead
as processed. They add anything extracted to a second list called an "Extracted
Data List." Examiners pursue all the search leads, adding results to this second
list. Then they move to the next phase of the methodology, identification.
19. Identification
Examiners repeat the process of identification for each item on the Extracted
Data List.
First, they determine what type of item it is. If it is not relevant to the forensic
request, they simply mark it as processed and move on.
If an item is relevant to the forensic request, examiners document it on a third
list, the Relevant Data List. This list is a collection of data relevant to answering
the original forensic request.
20. Identification
After processing the Extracted Data list, examiners go back to any new leads
developed. For any new data search leads, examiners consider going back to the
Extraction step to process them. Similarly, for any new source of data that might
lead to new evidence, examiners consider going all the way back to the process
of obtaining and imaging that new forensic data.
It is advisable for examiners to inform the requester of their initial findings. It is
also a good time for examiners and the requester to discuss what they believe
the return on investment will be for pursuing new leads.
21. Analysis
In the analysis phase, examiners connect all the dots and paint a complete
picture for the requester. For every item on the Relevant Data List,
examiners answer questions like who, what, when, where, and how. They
try to explain which user or application created, edited, received, or sent
each item, and how it originally came into existence. Examiners also
explain where they found it. Most importantly, they explain why all this
information is significant and what it means to the case.
23. Analysis
Often examiners can produce the most valuable analysis by looking at when
things happened and producing a timeline that tells a coherent story.
◦ For each relevant item, examiners try to explain when it was created, accessed, modified,
received, sent, viewed, deleted, and launched.
Examiners document all their analysis, and other information relevant to the
forensic request, and add it all to a fifth and final list, the "Analysis Results List."
◦ This is a list of all the meaningful data that answers who, what, when, where, how, and other
questions.
Finally, after examiners cycle through these steps enough times, they can
respond to the forensic request. They move to the Forensic Reporting phase.
This is the step where examiners document findings so that the requester can
understand them and use them in the case.
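The timeline step above depends on every timestamp being expressed against one reference clock; the course objective on time synchronization in event logs is the same point. The following is an added example, not code from the original slides, that goes slightly beyond the text by merging three different sources: an access log that records its UTC offset, a syslog that records neither year nor offset (the examiner supplies both from the host's configuration), and file created/modified/accessed times. All log lines, host names, the user and the file path are constructed for the example.

```python
"""Building a normalized event timeline from multi-source evidence.

Added example (not from the original slides). The log lines and file
timestamps below are constructed; host names, user and paths are
hypothetical. Every event is converted to UTC before sorting, because a
host logging in local time would otherwise appear out of order.
"""
import re
from datetime import datetime, timezone, timedelta

# Constructed evidence. The web server logs in UTC with an explicit offset;
# the file server logs in local time (UTC+1) with no year and no offset;
# the workstation's file metadata is already in UTC.
WEB_LOG = """\
10.0.0.7 - - [12/Mar/2024:09:14:03 +0000] "GET /admin/export.php?all=1 HTTP/1.1" 200 584211
10.0.0.7 - - [12/Mar/2024:09:13:41 +0000] "POST /login HTTP/1.1" 302 0
"""
AUTH_LOG_LOCAL_OFFSET = timedelta(hours=1)  # taken from the host's configuration
AUTH_LOG = """\
Mar 12 10:12:55 fileserver sshd[2211]: Accepted password for jdoe from 10.0.0.7 port 50122 ssh2
Mar 12 10:16:20 fileserver sudo: jdoe : COMMAND=/bin/tar czf /tmp/export.tgz /srv/customers
"""
FILE_METADATA = [  # (path, created, modified, accessed), all UTC, hypothetical
    ("C:\\Users\\jdoe\\Downloads\\export.tgz",
     "2024-03-12T09:17:02Z", "2024-03-12T09:17:02Z", "2024-03-12T09:21:40Z"),
]

APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')
SYSLOG_RE = re.compile(r'^(\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ([^:]+): (.*)$')


def parse_apache(text):
    """Yield (utc_datetime, source, description) for each access-log line."""
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if not m:
            continue
        ip, ts, request, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        yield when, "webserver", f"{ip} {request} -> {status}"


def parse_syslog(text, local_offset, year):
    """Yield events from a syslog that carries neither year nor UTC offset.

    Both must be supplied by the examiner from the host's configuration;
    that is exactly the information a badly synchronized host withholds.
    """
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts, host, proc, msg = m.groups()
        naive = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        when = naive.replace(tzinfo=timezone(local_offset)).astimezone(timezone.utc)
        yield when, host, f"{proc}: {msg}"


def file_events(records):
    """Expand created/modified/accessed times into separate events."""
    for path, created, modified, accessed in records:
        for label, ts in (("created", created), ("modified", modified), ("accessed", accessed)):
            when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
            yield when, "workstation", f"{label} {path}"


def build_timeline():
    """Merge all sources and return events sorted by UTC time."""
    events = []
    events.extend(parse_apache(WEB_LOG))
    events.extend(parse_syslog(AUTH_LOG, AUTH_LOG_LOCAL_OFFSET, year=2024))
    events.extend(file_events(FILE_METADATA))
    return sorted(events, key=lambda e: e[0])


if __name__ == "__main__":
    for when, source, what in build_timeline():
        print(f"{when:%Y-%m-%d %H:%M:%S}Z  {source:<12} {what}")
```

Sorted this way, the SSH login on the file server (09:12:55 UTC) correctly precedes the web login and the export download, and the archive's creation on the workstation follows the tar command; had the file server's 10:12:55 been taken at face value, the same login would have appeared an hour after the download.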
24. Lists used in forensic analysis
◦ Search lead list
◦ Extracted data list
◦ Relevant data list
◦ New source of data list
◦ Analysis results list
26. Challenges faced by computer forensics
The major challenges faced by digital forensics are:
◦ The increase in the number of PCs and the extensive use of Internet access
◦ Easy availability of hacking tools
◦ Lack of physical evidence, which makes prosecution difficult
◦ Storage capacities running into terabytes, which make acquisition and examination
slow and difficult
◦ Any technological change requires an upgrade of, or changes to, the forensic tooling
27. Example Uses of Digital Forensics
In recent times, commercial organizations have used digital forensics
in the following types of cases:
◦ Intellectual property theft
◦ Industrial espionage
◦ Employment disputes
◦ Fraud investigations
◦ Inappropriate use of the Internet and email in the workplace
◦ Forgery-related matters
◦ Bankruptcy investigations
◦ Regulatory compliance issues
28. Advantages of Digital forensics
The benefits of digital forensics are:
◦ To ensure the integrity of the computer system.
◦ To produce evidence in court, which can lead to the punishment of the culprit.
◦ It helps companies to capture important information if their computer systems or
networks are compromised.
◦ It helps to track down cybercriminals from anywhere in the world.
◦ It helps to protect the organization's money and valuable time.
◦ It allows investigators to extract, process, and interpret factual evidence that proves the
cybercriminal's actions in court.
29. Disadvantages of Digital Forensics
The major drawbacks of digital forensics are:
◦ Digital evidence is accepted in court only if it can be proved that it has not been tampered with
◦ Producing electronic records and storing them is an extremely costly affair
◦ Legal practitioners must have extensive computer knowledge
◦ The evidence produced must be authentic and convincing
◦ If the tool used for digital forensics does not meet the specified standards, the evidence can be
rejected by the court
◦ Lack of technical knowledge on the part of the investigating officer may not produce the desired result
30. Computer evidence
Computer evidence is data that is harvested from a computer hard drive and
utilized in the process of a crime investigation.
Because it is relatively easy to corrupt data stored on a hard drive, forensics
experts go to great lengths to secure and protect computers that are seized as
part of the investigative process.
Extracting the data must take place under highly controlled circumstances, and
must be carried out by law enforcement professionals who are specifically
trained in the process.
31. Computer crime
Computer crime, alternatively referred to as cybercrime, e-crime, electronic crime,
or hi-tech crime, is an act performed by a knowledgeable computer user, sometimes
referred to as a hacker, who illegally browses or steals a company's or individual's
private information.
32. Computer crimes
Cybercrime, also called computer crime, is the use of a computer as an
instrument to further illegal ends, such as committing fraud, trafficking in
child pornography and intellectual property, stealing identities, or
violating privacy.
Cybercrime, especially involving the Internet, represents an extension of
existing criminal behaviour alongside some novel illegal activities.
33. Types of cybercrime/computer crime
◦ Blackmail
◦ Identity theft
◦ Fraud
◦ Child pornography
◦ Privacy violations
◦ Money laundering
◦ Counterfeiting
◦ Spam
◦ Hacking
◦ Denial of service attacks
34. Preserving Evidence
Preserving evidence should be the top priority of those entrusted with gathering
and collecting evidence. Evidence collection protocols apply to both pre-
collection and post-collection evidence. If evidence is not properly preserved
prior to collection, it may be contaminated or destroyed. If evidence is not
properly preserved and stored prior to forensic analysis or testing, it may
deteriorate, destroying or devaluing it as a source of information.
35. Preserving Evidence
Those responsible for collecting evidence must understand and employ a variety
of evidence preservation protocols, depending on the type of evidence.
Nevertheless, some guidelines apply to all evidence, such as limits on the
number of individuals allowed to handle the evidence, safeguards to
minimize contamination, proper collection documentation, acceptable chain-of-
custody documentation, and appropriate evidence storage. As evidence
collection methodologies improve, forensic experts develop new protocols to
preserve that evidence.
36. Memorializing the Crime Scene
To preserve the appearance of a crime scene, as well as the positions of
relevant objects relative to one another, a crime scene investigator should
photograph the crime scene. To improve the usefulness of the
photographs for later examination, the investigator should photograph
the area from various angles and distances. To give these photographs
additional meaning, they should illustrate the scene with a scaled drawing.
Further, they should record in writing important impressions,
observations and measurements of the scene that photographs cannot
capture, including smells, temperature, and humidity.