COMPUTER FORENSICS UNIT I – PART II 1
1. TYPES OF MILITARY COMPUTER FORENSIC TECHNOLOGY
 Key objectives of cyber forensics include rapid discovery of evidence, estimation of potential impact
of the malicious activity on the victim, and assessment of the intent and identity of the perpetrator.
 Real-time tracking of potentially malicious activity is especially difficult when the pertinent
information has been intentionally hidden, destroyed, or modified in order to elude discovery.
 National Law Enforcement and Corrections Technology Center (NLECTC) works with criminal justice
professionals to identify urgent and emerging technology needs.
 NLECTC centers demonstrate new technologies, test commercially available technologies and
publish results — linking research and practice.
 National Institute of Justice (NIJ) sponsors research and development or identifies best practices to
address those needs.
 The Information Directorate (of the Air Force Research Laboratory) entered into a partnership with the NIJ, under the auspices of the NLECTC, to test new ideas and prototype tools. The Computer Forensics Experiment 2000 (CFX-2000) resulted from this partnership.
COMPUTER FORENSIC EXPERIMENT-2000 (CFX-2000) ****
 CFX-2000 is an integrated forensic analysis framework.
 The central hypothesis of CFX-2000 is that it is possible to accurately determine the motives, intent,
targets, sophistication, identity, and location of cyber criminals and cyber terrorists by deploying an
integrated forensic analysis framework.
 The cyber forensic tools involved in CFX-2000 consisted of commercial off-the-shelf software and
directorate-sponsored R&D prototypes. CFX-2000 included the SI-FI integration environment.
 The Synthesizing Information from Forensic Investigations (SI-FI) integration environment supports
the collection, examination, and analysis processes employed during a cyber-forensic investigation.
 The SI-FI prototype uses digital evidence bags (DEBs), which are secure, tamper-evident containers
used to store digital evidence: any change to a sealed bag's contents is detectable, and every access is logged.
 Investigators can seal evidence in the DEBs and use the SI-FI implementation to collaborate on
complex investigations.
Types of Computer Forensics Technology
 Authorized users can securely reopen the DEBs for examination, while automatic audit of all actions
ensures the continued integrity of their contents.
 The teams used other forensic tools and prototypes to collect and analyze specific features of the
digital evidence, perform case management and timelining of digital events, automate event link
analysis, and perform steganography detection.
 The results of CFX-2000 verified that the hypothesis was largely correct and that it is possible to
ascertain the intent and identity of cyber criminals.
 As electronic technology continues its explosive growth, researchers need to continue vigorous R&D
of cyber forensic technology in preparation for the onslaught of cyber reconnaissance probes and
attacks.
CFX-2000 Schematic (figure not reproduced in these notes)
2. TYPES OF LAW ENFORCEMENT COMPUTER FORENSIC TECHNOLOGY
Computer forensics tools and techniques have become important resources for use in internal
investigations, civil lawsuits, and computer security risk management. Law enforcement and military
agencies have been involved in processing computer evidence for years.
Computer Evidence Processing Procedures
Processing procedures and methodologies should conform to federal computer evidence processing
standards.
1. Preservation of Evidence
 Computer evidence is fragile and susceptible to alteration or erasure by any number of occurrences.
 Computer evidence can be useful in criminal cases, civil disputes, and human resources/
employment proceedings.
 Black box computer forensics software tools are good for some basic investigation tasks, but they do
not offer a full computer forensics solution.
 SafeBack software overcomes some of the evidence weaknesses inherent in black box computer
forensics approaches.
 SafeBack technology has become a worldwide standard in making mirror image backups since 1990.
MIRROR IMAGE BACKUP SOFTWARE - SAFEBACK *****
 SafeBack is used to create mirror-image (bit-stream) backup files of hard disks or to make a mirror-
image copy of an entire hard disk drive or partition.
 SafeBack image files are self-authenticating: the checksums recorded during the backup are stored with the
image, so any later alteration of the image is detected when it is verified or restored. This is why SafeBack
is accepted as an industry-standard tool for creating evidence-grade backups of hard drives.
PRIMARY USES
 Used to create evidence-grade backups of hard disk drives on Intel-based computer systems.
 Used to exactly restore archived SafeBack images to another computer hard disk drive of equal or
larger storage capacity.
 Used as an evidence preservation tool in law enforcement and civil litigation matters.
 Used as an intelligence gathering tool by military agencies.
PROGRAM FEATURES AND BENEFITS
 DOS based for ease of operation and speed.
 Provides a detailed audit trail of the backup process for evidence documentation purposes.
 Checks for possible data hiding when sector cyclic redundancy checks (CRCs) do not match on the
target hard disk drive. These findings are automatically recorded in the SafeBack audit log file.
 Allows the archive of non-DOS and non-Windows hard disk drives (Unix on an Intel-based computer
system).
 Allows for the backup process to be made via the parallel (printer) port.
 Duplicate copies of hard disk drives can be made from hard disk to hard disk in direct mode.
 SafeBack image files can be stored as one large file or separate files of fixed sizes. This feature is
helpful in making copies for archive on CDs.
 Tried and proven evidence-preservation technology with a 10-year legacy of success in government
agencies.
 Does not compress relevant data to avoid legal arguments that the original computer evidence was
altered through data compression or software translation.
 It is fast and efficient. In spite of the extensive mathematical validation, the latest version of
SafeBack runs faster than prior versions. Processing speeds are much faster when state-of-the-art
computer systems are used to make the backup.
 Makes copies in either physical or logical mode at the option of the user.
 Copies and restores multiple partitions containing one or more operating systems.
 Can be used to accurately copy and restore most hard disk drives, including Windows NT, Windows
2000, and Windows XP systems in a RAID configuration.
 Accuracy of the backup process is checked with a combination of sector-level cyclic redundancy checks
(CRCs); the vendor claims this gives a level of accuracy exceeding that of a single 128-bit hash such as
RSA's MD5. Note that MD5 is a cryptographic message digest, not a CRC: a CRC detects accidental
corruption but can be matched by deliberate alteration, whereas a cryptographic hash is designed to be
collision-resistant. Current practice therefore records a cryptographic hash (MD5 and, preferably,
SHA-256) of the whole image alongside any per-sector checksums, so that the image can later be shown to
be unchanged.
 Writes to SCSI tape backup units or hard disk drives at the option of the user.
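As an added illustration of what "self-authenticating" and "audit trail" mean in practice, the following Python script (written for these notes; it is not SafeBack's code, and the 512-byte sector size and the in-memory "drive" are assumptions of the example) performs a sector-by-sector copy, records a CRC32 per sector plus a SHA-256 over the whole image in an audit record, and then verifies the image. The per-sector CRCs localise a modified sector; the cryptographic hash is what makes the alteration provable, since a CRC on its own can be forged.

```python
"""Sector-by-sector (bit-stream) imaging with a per-sector CRC32 and a
whole-image SHA-256, illustrating what a self-authenticating image is.
Added example for these notes, not SafeBack's code; the 512-byte sector
size and the in-memory 'drive' are assumptions of the example."""
import hashlib
import io
import json
import zlib

SECTOR = 512  # assumed sector size


def acquire(device, sector_size=SECTOR):
    """Read the source sector by sector; return (image_bytes, audit_record).

    The audit record holds one CRC32 per sector plus a SHA-256 over the whole
    image, both computed from the bytes as they are read, so it authenticates
    the copy independently of the image file."""
    image = bytearray()
    crcs = []
    sha = hashlib.sha256()
    while True:
        chunk = device.read(sector_size)
        if not chunk:
            break
        chunk = chunk.ljust(sector_size, b"\x00")   # keep a short tail sector-aligned
        image += chunk
        crcs.append(zlib.crc32(chunk) & 0xFFFFFFFF)
        sha.update(chunk)
    audit = {
        "sector_size": sector_size,
        "sectors": len(crcs),
        "sector_crc32": crcs,
        "sha256": sha.hexdigest(),
    }
    return bytes(image), audit


def verify(image, audit):
    """Return (ok, bad_sectors).  The SHA-256 proves the image as a whole is
    unchanged; the per-sector CRCs say *which* sectors differ, something a
    single whole-image hash cannot do."""
    ss = audit["sector_size"]
    whole_ok = hashlib.sha256(image).hexdigest() == audit["sha256"]
    bad = [
        i for i in range(audit["sectors"])
        if (zlib.crc32(image[i * ss:(i + 1) * ss]) & 0xFFFFFFFF) != audit["sector_crc32"][i]
    ]
    return whole_ok and not bad, bad


def demo():
    """Image a constructed 4-sector 'drive', verify, tamper, verify again."""
    device = io.BytesIO(b"".join(bytes([0x41 + i]) * SECTOR for i in range(4)))
    image, audit = acquire(device)
    clean_ok, _ = verify(image, audit)
    tampered = bytearray(image)
    tampered[2 * SECTOR + 17] ^= 0xFF                 # flip one byte in sector 2
    tampered_ok, bad = verify(bytes(tampered), audit)
    return clean_ok, tampered_ok, bad


if __name__ == "__main__":
    clean_ok, tampered_ok, bad = demo()
    print(json.dumps({"clean_verifies": clean_ok, "tampered_verifies": tampered_ok,
                      "modified_sectors": bad}))
```

Running it verifies the clean image and then flags sector 2 after one byte is flipped. On a real acquisition the source would be opened read-only (ideally behind a hardware write blocker) and the audit record would be stored and signed separately from the image, so that the record itself cannot be quietly regenerated to match a modified copy.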
TROJAN HORSE PROGRAMS
 The computer forensic expert should be able to demonstrate his or her ability to avoid destructive
programs and traps that can be planted by computer users bent on destroying data and evidence.
 Such programs can also be used to covertly capture sensitive information, passwords, and network
logons.
COMPUTER FORENSICS DOCUMENTATION
 Without proper documentation, it is difficult to present findings.
 If the security or audit findings become the object of a lawsuit or a criminal investigation, then
documentation becomes even more important.
FILE SLACK
 File slack is the remnant area at the end of a file, in the last disk cluster assigned to it, that is
unused by the current file's data; it may still hold fragments of previously stored, and potentially
relevant, evidence.
 Experts use specialized techniques and automated tools to capture and evaluate file slack.
DATA-HIDING TECHNIQUES
 Trade secret information and other sensitive data can easily be secreted using any number of
techniques. It is possible to hide data in nonstandard areas of diskettes (extra tracks and sectors) and to
hide entire hard disk partitions. Computer forensic experts should understand such issues and the tools
that help in the identification of such anomalies.
ANADISK - DISKETTE ANALYSIS TOOL *****
It is used primarily to identify data storage anomalies on floppy diskettes. Generic hardware (a standard
floppy disk controller and BIOS) is required when using this software.
PRIMARY USES
 Security reviews of floppy diskettes for storage anomalies
 Duplication of diskettes that are nonstandard or that involve storage anomalies
 Editing diskettes at a physical sector level
 Searching for data on floppy diskettes in traditional and nontraditional storage areas
 Formatting diskettes in nontraditional ways for training purposes and to illustrate data-hiding
techniques
PROGRAM FEATURES AND BENEFITS
 DOS-based for ease of operation and speed.
 No software dongle. Software dongles get in the way and are restrictive.
 Keyword searches can be conducted at a very low level and on diskettes that have been formatted
with extra tracks. This feature is helpful in the evaluation of diskettes that may involve sophisticated
data-hiding techniques.
 All DOS formats are supported, as well as many non-DOS formats (Apple Macintosh, Unix TAR, and
many others). If the diskette will fit in a PC floppy diskette drive, it is likely that AnaDisk can be used
to analyze it.
 Allows custom formatting of diskettes with extra tracks and sectors.
 Scans for anomalies will identify odd formats, extra tracks, and extra sectors.
 Mismatches between a file's extension and its actual format are also identified, which exposes attempts
to hide data by renaming files.
 This software can be used to copy almost any diskette, including most copy-protected diskettes.
E-COMMERCE INVESTIGATIONS
 Net Threat Analyzer can be used to identify past Internet browsing and email activity done through
specific computers. The software analyzes a computer's disk drives and other storage areas that are
generally unknown to or beyond the reach of most general computer users. Net Threat Analyzer is
available free of charge to computer crime specialists, school officials, and police.
DUAL-PURPOSE PROGRAMS
 Programs can be designed to perform multiple processes and tasks at the same time. Computer
forensics experts must have hands-on experience with these programs.
TEXT SEARCH TECHNIQUES
 Text search tools are used to find targeted strings of text in files, file slack, unallocated file space, and
Windows swap files.
TEXT SEARCH PLUS *****
This software is used to quickly search hard disk drives, Zip disks, and floppy diskettes for keywords or
specific patterns of text.
PRIMARY USES
 Used to find occurrences of words or strings of text in data stored in files, slack, and unallocated file
space
 Used in exit reviews of computer storage media from classified facilities
 Used to identify data leakage of classified information on non-classified computer systems
 Used in internal audits to identify violations of corporate policy
 Used by Fortune 500 corporations, government contractors, and government agencies in security
reviews and security risk assessments
 Used in corporate due diligence efforts regarding proposed mergers
 Used to find occurrences of keywords or strings of text in data found at a physical sector level
 Used to find evidence in corporate, civil, and criminal investigations that involve computer-related
evidence
 Used to find embedded text in formatted word processing documents (WordPerfect files and fragments
of such documents in ambient data storage areas)
PROGRAM FEATURES AND BENEFITS
 DOS-based for ease of operation and speed.
 No software dongle. Software dongles get in the way and they restrict your ability to process several
computers at the same time.
 Small memory footprint (under 60 KB), which allows the software to run on even the original IBM
PC.
 Compact program size, which easily fits on one floppy diskette with other forensic software utilities.
 Searches files, slack, and erased space in one fast operation.
 Has logical and physical search options that maintain compatibility with government security review
requirements.
 User-defined search configuration feature.
 User configuration is automatically saved for future use.
 Embedded words and strings of text are found in word processing files.
 Alert for graphic files (secrets can be hidden in them).
 Alert for compressed files.
 High-speed operation (claimed by the vendor to be the fastest tool on the market), which makes for
quick searches on large hard disk drives.
 Screen and file output.
 False hits don’t stop processing.
 Government tested—specifically designed for security reviews in classified environments.
 Currently used by hundreds of law enforcement computer crime units.
 Currently in use by all of the Big 5 accounting firms.
 The current version allows for up to 120 search strings to be searched for at one time.
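To make the regions named in the FILE SLACK section and in the feature list above (files, slack, erased space, physical level) concrete, here is an added Python example written for these notes. It is not Text Search Plus, whose internals are not published here. It builds a small constructed disk image (512-byte sectors, two sectors per cluster, a made-up file table and contents), plants an old memo that was partly overwritten by a newer, shorter file, and runs a keyword search that reports which region each hit falls in: the live file, the RAM slack at the end of the file's last sector, the file slack in the cluster's unused sectors, or unallocated space.

```python
"""Keyword search over allocated file data, RAM slack, file slack and
unallocated space of a small constructed disk image.  Added example for
these notes, not Text Search Plus; the sector/cluster sizes, the file
table and all contents are made up here."""
import re

SECTOR = 512
CLUSTER = 2 * SECTOR                      # assumed: 2 sectors per cluster

# Constructed 'previous contents' of every cluster: a memo that was later
# deleted, so its bytes survive wherever nothing has overwritten them.
OLD_MEMO = (b"CONFIDENTIAL MEMO: PROJECT-X launch moved to 3 March. "
            b"Budget code PROJECT-X/77. ").ljust(CLUSTER, b"\x00")


def build_image():
    """Three clusters: 0 and 1 allocated to files, 2 free (unallocated).
    Returns (image_bytes, file_table, free_clusters)."""
    clusters = [bytearray(OLD_MEMO) for _ in range(3)]
    files = {                              # name -> (first cluster, logical size)
        "notes.txt": (0, 60),
        "full.bin": (1, CLUSTER),
    }
    # notes.txt is only 60 bytes, so bytes 60..1023 of cluster 0 are slack
    # and still carry the tail of the old memo.
    clusters[0][:60] = b"Meeting notes: nothing to report about PROJECT-X. ".ljust(60, b"-")
    clusters[1][:] = b"Z" * CLUSTER        # full.bin fills its cluster: no slack
    free = {2}                             # old memo's cluster, now unallocated
    return b"".join(clusters), files, free


def regions(files, free):
    """Yield (label, start, end) byte ranges covering each region type."""
    for name, (c, size) in files.items():
        base = c * CLUSTER
        yield ("file:" + name, base, base + size)
        if size < CLUSTER:
            # RAM slack: the unused tail of the last sector the file touches
            # (on old DOS/Windows systems this was padded from memory).
            sector_end = base + -(-size // SECTOR) * SECTOR
            yield ("ram-slack:" + name, base + size, sector_end)
            if sector_end < base + CLUSTER:
                # File slack: whole sectors of the cluster the file never used.
                yield ("file-slack:" + name, sector_end, base + CLUSTER)
    for c in sorted(free):
        yield ("unallocated", c * CLUSTER, (c + 1) * CLUSTER)


def search(image, files, free, keyword):
    """Return [(region, absolute_offset)] for every keyword hit, region by
    region.  A hit straddling a region boundary is not reported here; a
    physical-level pass over the raw image (not shown) would catch it."""
    pat = re.compile(re.escape(keyword))
    hits = []
    for label, start, end in regions(files, free):
        for m in pat.finditer(image, start, end):
            hits.append((label, m.start()))
    return sorted(hits, key=lambda h: h[1])


def demo(keyword=b"PROJECT-X"):
    image, files, free = build_image()
    return search(image, files, free, keyword)


if __name__ == "__main__":
    for label, off in demo():
        print(f"offset {off:5d}  {label}")
```

The search finds the keyword once in the live notes file, once in that file's RAM slack (the tail of the old memo that the shorter new file did not overwrite), and twice in the unallocated cluster; nothing survives in the cluster that was completely rewritten. The region label is what turns a raw hit into evidence, because it tells the examiner whether the user could have seen the data or whether it is a remnant the user probably did not know existed.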
FUZZY LOGIC TOOLS USED TO IDENTIFY UNKNOWN TEXT
 Computer evidence searches require that the computer specialist know what is being searched for.
Many times not all is known about what may be stored on a given computer system.
 In such cases, fuzzy logic tools can provide valuable leads as to how the subject computer was used.
INTELLIGENT FORENSIC FILTER - FILTER_G/FILTER_I *****
 This forensic filter utility is used to quickly make sense of nonsense in the analysis of ambient data
sources (Windows swap/page files, file slack, and data associated with erased files).
 It is used to quickly identify patterns of English language grammar in ambient data files.
PRIMARY USES
 Used as an intelligence gathering tool for quick assessments of a Windows swap/page file to identify
past communications on a targeted computer
 Used as a data sampling tool in law enforcement, military, and corporate investigations
 Used to quickly identify patterns of English language grammar in ambient data sources
 Used to identify English language communications in erased file space
PROGRAM FEATURES AND BENEFITS
 DOS-based for speed.
 Automatically processes any ambient data object (a Windows swap/page file, a file constructed from
combined file slack, or a file constructed from combined unallocated space).
 Provides output in an ASCII text format that is ready for import into any word processing
application.
 Capable of quickly processing ambient data files that are up to 2 gigabytes in size.
2. Disk Structure
 Computer forensic experts must understand how computer hard disks and floppy diskettes are
structured and how computer evidence can reside at various levels within the structure of the disk.
 They should also demonstrate their knowledge of how to modify the structure and hide data in
obscure places on floppy diskettes and hard disk drives.
3. Data Encryption
 Computer forensic experts should become familiar with the use of software to crack the password
protection or encryption associated with different file formats.
4. Matching a Diskette to a Computer
 Specialized techniques and tools make it possible to conclusively tie a diskette to the computer that
was used to create or edit the files stored on it. Computer forensic experts should become familiar with
how to use special software tools to complete this process.
5. Data Compression
 Computer forensic experts should become familiar with how compression works and how
compression programs can be used to hide and disguise sensitive data and also learn how password-
protected compressed files can be broken.
6. Erased Files
 Computer forensic experts should become familiar with how previously erased files can be
recovered, both with DOS utilities and by applying manual data-recovery techniques, and should
understand cluster chaining (how a file's clusters are linked in the file allocation table).
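The Disk Structure and Erased Files items above are easiest to see on a toy volume. The Python code below is an added example written for these notes (not any product's code): it keeps a FAT-style next-cluster table in memory (0 = free, 0xFFFF = end of chain, a simplification of the real FAT12/16 on-disk format) and shows cluster chaining for a live file, a DOS-style erase that only frees the chain and flags the directory entry, and the classic UNDELETE heuristic that rebuilds an erased file from its still-free clusters. The 512-byte cluster size and the file contents are assumptions of the example.

```python
"""Cluster chaining and erased-file recovery on a toy FAT-style volume.
Added example for these notes, not any product's code; the FAT here is an
in-memory list of next-cluster pointers (0 = free, EOC = end of chain),
a simplification of the real FAT12/16 on-disk format."""
CLUSTER = 512            # assumed cluster size
EOC = 0xFFFF             # end-of-chain marker
FREE = 0


class Volume:
    def __init__(self, n_clusters):
        self.fat = [FREE] * n_clusters                     # next-cluster table
        self.data = [bytearray(CLUSTER) for _ in range(n_clusters)]
        self.dir = {}                                      # name -> directory entry

    def _alloc(self):
        """Lowest free cluster; 0 and 1 are reserved, as on real FAT."""
        for c in range(2, len(self.fat)):
            if self.fat[c] == FREE:
                return c
        raise RuntimeError("volume full")

    def write(self, name, content):
        """Allocate clusters one by one, linking each to the previous in
        the FAT; a file written around other files comes out fragmented."""
        chunks = [content[i:i + CLUSTER] for i in range(0, len(content), CLUSTER)] or [b""]
        first = prev = None
        for chunk in chunks:
            c = self._alloc()
            self.fat[c] = EOC                              # claim it now
            self.data[c][:] = chunk.ljust(CLUSTER, b"\x00")
            if prev is None:
                first = c
            else:
                self.fat[prev] = c
            prev = c
        self.dir[name] = {"first": first, "size": len(content), "deleted": False}

    def chain(self, name):
        """Cluster chaining: follow FAT pointers from the first cluster."""
        e = self.dir[name]
        if e["deleted"]:
            raise ValueError("FAT chain of a deleted file is gone; use undelete()")
        out, c = [], e["first"]
        while c != EOC:
            out.append(c)
            c = self.fat[c]
        return out

    def read(self, name):
        data = b"".join(bytes(self.data[c]) for c in self.chain(name))
        return data[:self.dir[name]["size"]]

    def delete(self, name):
        """DOS-style erase: free the chain in the FAT and flag the entry
        (0xE5 in the first name byte on a real volume).  First cluster,
        size and the cluster contents are left untouched."""
        for c in self.chain(name):
            self.fat[c] = FREE
        self.dir[name]["deleted"] = True

    def undelete(self, name):
        """DOS UNDELETE heuristic: the chain is gone, so walk upward from
        the recorded first cluster taking free clusters (skipping ones other
        files now own) until size/CLUSTER clusters are gathered.  If the
        first cluster has been reallocated the data is reported as lost."""
        e = self.dir[name]
        if self.fat[e["first"]] != FREE:
            return b"", False
        needed = -(-e["size"] // CLUSTER)
        out, c = bytearray(), e["first"]
        while len(out) < needed * CLUSTER and c < len(self.fat):
            if self.fat[c] == FREE:
                out += self.data[c]
            c += 1
        return bytes(out[:e["size"]]), len(out) >= needed * CLUSTER


def demo():
    v = Volume(16)
    v.write("a.tmp", b"A" * 100)                 # cluster 2
    v.write("b.dat", b"B" * 100)                 # cluster 3
    v.delete("a.tmp")                            # cluster 2 is free again
    report = bytes(range(256)) * 5               # 1280 bytes -> 3 clusters
    v.write("report.bin", report)                # gets 2, 4, 5: fragmented around b.dat
    chain = v.chain("report.bin")
    live_ok = v.read("report.bin") == report
    v.delete("report.bin")
    recovered, complete = v.undelete("report.bin")   # free clusters 2, 4, 5 -> exact
    v.write("new.txt", b"N" * 10)                # lowest free cluster is 2: reused
    after, complete2 = v.undelete("report.bin")  # first cluster overwritten
    return chain, live_ok, recovered == report, complete, after, complete2


if __name__ == "__main__":
    print(demo())
```

The run shows why the heuristic works (the fragmented report is rebuilt exactly, because the cluster in the gap is still owned by another file and is skipped) and where it fails (once new activity reuses the erased file's first cluster, the directory entry no longer leads to the data). The practical rule that follows is the one the notes keep repeating: stop using the system before recovery, and image it first. Modern tools supplement this table-driven recovery with content carving of unallocated space, which needs no directory entry at all.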
7. Internet Abuse Identification and Detection
 Computer forensic experts should become familiar with how to use specialized software to identify
how a targeted computer has been used on the Internet.
 This process will focus on computer forensics issues tied to data that the computer user probably
doesn’t realize exists (file slack, unallocated file space, and Windows swap files).
8. The Boot Process and Memory Resident Programs
 Computer forensic experts should become familiar with how the operating system can be modified
to change data and destroy data at the whim of the person who configured the system.
 Such a technique could be used to covertly capture keyboard activity from corporate executives, for
example. For this reason, it is important that the experts understand these potential risks and how
to identify them.
3. TYPES OF BUSINESS COMPUTER FORENSIC TECHNOLOGY ***
The following are different types of business computer forensics technology:
REMOTE MONITORING OF TARGET COMPUTERS
 Data Interception by Remote Transmission (DIRT) is a powerful remote control monitoring tool that
allows stealth monitoring of all activity on one or more target computers simultaneously from a
remote command center.
 No physical access is necessary. The application also allows agents to remotely seize and secure digital
evidence prior to physically entering suspect premises.
CREATING TRACKABLE ELECTRONIC DOCUMENTS
 Binary Audit Identification Transfer (BAIT) is a powerful intrusion detection tool that allows users to
create trackable electronic documents.
 BAIT identifies (including their location) unauthorized intruders who access, download, and view
these tagged documents.
 BAIT also allows security personnel to trace the chain of custody and chain of command of all who
possess the stolen electronic documents.
THEFT RECOVERY SOFTWARE FOR LAPTOPS AND PCS
 What it really costs to replace a stolen computer:
 The price of the replacement hardware & software.
 The cost of recreating data, lost production time or instruction time, reporting and investigating
the theft, filing police reports and insurance claims, increased insurance, processing and
ordering replacements, cutting a check, and the like.
 The loss of customer goodwill.
 If a thief is ever caught, the cost of time involved in prosecution.
 PC PHONEHOME
 PC PhoneHome is a software application that will track and locate a lost or stolen PC or laptop
anywhere in the world. It is easy to install. It is also completely transparent to the user.
 If your PC PhoneHome-protected computer is lost or stolen, all you need to do is make a report
to the local police and call CD’s 24-hour command center. CD’s recovery specialists will assist
local law enforcement in the recovery of your property.
BASIC FORENSIC TOOLS AND TECHNIQUES
 Many computer forensics workshops have been created to familiarize investigators and security
personnel with the basic techniques and tools necessary for a successful investigation of Internet
and computer-related crimes.
 Workshop topics normally include: types of computer crime, cyber law basics, tracing email to its
source, digital evidence acquisition, cracking passwords, monitoring computers remotely, tracking
online activity, finding and recovering hidden and deleted data, locating stolen computers, creating
trackable files, identifying software pirates, and so on.
FORENSIC SERVICES AVAILABLE
Services include but are not limited to:
 Lost password and file recovery
 Location and retrieval of deleted and hidden files
 File and email decryption
 Email supervision and authentication
 Threatening email traced to source
 Identification of Internet activity
 Computer usage policy and supervision
 Remote PC and network monitoring
 Tracking and location of stolen electronic files
 Honeypot sting operations
 Location and identity of unauthorized software users
 Theft recovery software for laptops and PCs
 Investigative and security software creation
 Protection from hackers and viruses
Source:
COMPUTER FORENSICS: COMPUTER CRIME SCENE INVESTIGATION, JOHN VACCA
Send your feedback to kranthi@kranthi.co.in

Music 9 - 4th quarter - Vocal Music of the Romantic Period.pptxleah joy valeriano
 
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxQ4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxlancelewisportillo
 
Karra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxKarra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxAshokKarra1
 
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxHumphrey A Beña
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course  for BeginnersFull Stack Web Development Course  for Beginners
Full Stack Web Development Course for BeginnersSabitha Banu
 
How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17Celine George
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfJemuel Francisco
 
Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Seán Kennedy
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Celine George
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parentsnavabharathschool99
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxAnupkumar Sharma
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Mark Reed
 
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfVirtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfErwinPantujan2
 

Dernier (20)

Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17
 
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONTHEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY -  GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY -  GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
 
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSGRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
 
Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4
 
Music 9 - 4th quarter - Vocal Music of the Romantic Period.pptx
Music 9 - 4th quarter - Vocal Music of the Romantic Period.pptxMusic 9 - 4th quarter - Vocal Music of the Romantic Period.pptx
Music 9 - 4th quarter - Vocal Music of the Romantic Period.pptx
 
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxQ4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
 
Karra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxKarra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptx
 
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course  for BeginnersFull Stack Web Development Course  for Beginners
Full Stack Web Development Course for Beginners
 
How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
 
Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parents
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)
 
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptxLEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
 
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfVirtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
 

02 Types of Computer Forensics Technology - Notes

COMPUTER FORENSICS UNIT I – PART II 1

1. TYPES OF MILITARY COMPUTER FORENSIC TECHNOLOGY
 Key objectives of cyber forensics include rapid discovery of evidence, estimation of potential impact of the malicious activity on the victim, and assessment of the intent and identity of the perpetrator.
 Real-time tracking of potentially malicious activity is especially difficult when the pertinent information has been intentionally hidden, destroyed, or modified in order to elude discovery.
 National Law Enforcement and Corrections Technology Center (NLECTC) works with criminal justice professionals to identify urgent and emerging technology needs.
 NLECTC centers demonstrate new technologies, test commercially available technologies and publish results — linking research and practice.
 National Institute of Justice (NIJ) sponsors research and development or identifies best practices to address those needs.
 The information directorate entered into a partnership with the NIJ via the auspices of the NLECTC, to test the new ideas and prototype tools. The Computer Forensics Experiment 2000 (CFX-2000) resulted from this partnership.

COMPUTER FORENSIC EXPERIMENT-2000 (CFX-2000) ****
 CFX-2000 is an integrated forensic analysis framework.
 The central hypothesis of CFX-2000 is that it is possible to accurately determine the motives, intent, targets, sophistication, identity, and location of cyber criminals and cyber terrorists by deploying an integrated forensic analysis framework.
 The cyber forensic tools involved in CFX-2000 consisted of commercial off-the-shelf software and directorate-sponsored R&D prototypes. CFX includes the SI-FI integration environment.
 The Synthesizing Information from Forensic Investigations (SI-FI) integration environment supports the collection, examination, and analysis processes employed during a cyber-forensic investigation.
 The SI-FI prototype uses digital evidence bags (DEBs), which are secure and tamperproof containers used to store digital evidence.
 Investigators can seal evidence in the DEBs and use the SI-FI implementation to collaborate on complex investigations.
 Authorized users can securely reopen the DEBs for examination, while automatic audit of all actions ensures the continued integrity of their contents.
 The teams used other forensic tools and prototypes to collect and analyze specific features of the digital evidence, perform case management and timelining of digital events, automate event link analysis, and perform steganography detection.
 The results of CFX-2000 verified that the hypothesis was largely correct and that it is possible to ascertain the intent and identity of cyber criminals.
 As electronic technology continues its explosive growth, researchers need to continue vigorous R&D of cyber forensic technology in preparation for the onslaught of cyber reconnaissance probes and attacks.

CFX-2000 Schematic

2. TYPES OF LAW ENFORCEMENT COMPUTER FORENSIC TECHNOLOGY
Computer forensics tools and techniques have become important resources for use in internal investigations, civil lawsuits, and computer security risk management. Law enforcement and military agencies have been involved in processing computer evidence for years.

Computer Evidence Processing Procedures
Processing procedures and methodologies should conform to federal computer evidence processing standards.

1. Preservation of Evidence
 Computer evidence is fragile and susceptible to alteration or erasure by any number of occurrences.
 Computer evidence can be useful in criminal cases, civil disputes, and human resources/employment proceedings.
 Black box computer forensics software tools are good for some basic investigation tasks, but they do not offer a full computer forensics solution.
 SafeBack software overcomes some of the evidence weaknesses inherent in black box computer forensics approaches.
 SafeBack technology has become a worldwide standard in making mirror image backups since 1990.

MIRROR IMAGE BACKUP SOFTWARE - SAFEBACK *****
 SafeBack is used to create mirror-image (bit-stream) backup files of hard disks or to make a mirror-image copy of an entire hard disk drive or partition.
 SafeBack image files cannot be altered or modified to alter the reproduction. This is because SafeBack is an industry standard self-authenticating computer forensics tool that is used to create evidence-grade backups of hard drives.

PRIMARY USES
 Used to create evidence-grade backups of hard disk drives on Intel-based computer systems.
 Used to exactly restore archived SafeBack images to another computer hard disk drive of equal or larger storage capacity.
 Used as an evidence preservation tool in law enforcement and civil litigation matters.
 Used as an intelligence gathering tool by military agencies.

PROGRAM FEATURES AND BENEFITS
 DOS based for ease of operation and speed.
 Provides a detailed audit trail of the backup process for evidence documentation purposes.
 Checks for possible data hiding when sector cyclic redundancy checks (CRCs) do not match on the target hard disk drive. These findings are automatically recorded in the SafeBack audit log file.
 Allows the archive of non-DOS and non-Windows hard disk drives (Unix on an Intel-based computer system).
 Allows for the backup process to be made via the printer port.
 Duplicate copies of hard disk drives can be made from hard disk to hard disk in direct mode.
 SafeBack image files can be stored as one large file or separate files of fixed sizes. This feature is helpful in making copies for archive on CDs.
 Tried and proven evidence-preservation technology with a 10-year legacy of success in government agencies.
 Does not compress relevant data, to avoid legal arguments that the original computer evidence was altered through data compression or software translation.
 It is fast and efficient. In spite of the extensive mathematical validation, the latest version of SafeBack runs faster than prior versions. Processing speeds are much faster when state-of-the-art computer systems are used to make the backup.
 Makes copies in either physical or logical mode at the option of the user.
 Copies and restores multiple partitions containing one or more operating systems.
 Can be used to accurately copy and restore most hard disk drives, including Windows NT, Windows 2000, and Windows XP in a RAID configuration.
 Accuracy is guaranteed in the backup process through the combination of mathematical CRCs that provides a level of accuracy that far exceeds the accuracy provided by 128-bit CRCs (RSA MD5).
 Writes to SCSI tape backup units or hard disk drives at the option of the user.

TROJAN HORSE PROGRAMS
 The computer forensic expert should be able to demonstrate his or her ability to avoid destructive programs and traps that can be planted by computer users bent on destroying data and evidence.
 Such programs can also be used to covertly capture sensitive information, passwords, and network logons.

COMPUTER FORENSICS DOCUMENTATION
 Without proper documentation, it is difficult to present findings.
 If the security or audit findings become the object of a lawsuit or a criminal investigation, then documentation becomes even more important.
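The SafeBack features listed above (a bit-stream copy with no compression, per-sector CRCs recorded at acquisition, an audit trail, and restore only to a drive of equal or larger capacity) can be modelled in a few functions. This is an added illustration, not SafeBack's own code; the 512-byte sector size and the constructed four-sector "drive" are assumptions.

```python
"""Added example (not SafeBack's own code): a minimal self-authenticating
bit-stream image with per-sector CRC32 checks and an audit trail, modelled on
the features the notes list for SafeBack."""
import hashlib
import zlib
from dataclasses import dataclass, field

SECTOR_SIZE = 512  # assumption: 512-byte sectors


@dataclass
class ImageRecord:
    image: bytes                      # the bit-stream copy of the source
    sector_crcs: list                 # CRC32 per sector, computed at acquisition
    sha256: str                       # whole-image digest for the evidence log
    audit_log: list = field(default_factory=list)


def acquire_image(source: bytes, sector_size: int = SECTOR_SIZE) -> ImageRecord:
    """Copy `source` sector by sector, recording a CRC for every sector.

    Nothing is compressed or translated: the image is a byte-for-byte copy,
    which is the point the notes make about avoiding 'altered evidence'
    arguments.
    """
    if len(source) % sector_size:
        raise ValueError("source length is not a whole number of sectors")
    crcs = []
    out = bytearray()
    for i in range(0, len(source), sector_size):
        sector = source[i:i + sector_size]
        out += sector
        crcs.append(zlib.crc32(sector) & 0xFFFFFFFF)
    image = bytes(out)
    rec = ImageRecord(image, crcs, hashlib.sha256(image).hexdigest())
    rec.audit_log.append(f"acquired {len(crcs)} sectors of {sector_size} bytes")
    rec.audit_log.append(f"image sha256={rec.sha256}")
    return rec


def verify_image(rec: ImageRecord, sector_size: int = SECTOR_SIZE) -> list:
    """Return the indices of sectors whose CRC no longer matches the
    acquisition-time value; an empty list means the image is intact.
    A mismatch is written to the audit log, as the notes describe."""
    bad = []
    for idx, expected in enumerate(rec.sector_crcs):
        sector = rec.image[idx * sector_size:(idx + 1) * sector_size]
        if (zlib.crc32(sector) & 0xFFFFFFFF) != expected:
            bad.append(idx)
    rec.audit_log.append(
        "verify: intact" if not bad else f"verify: CRC mismatch in sectors {bad}")
    return bad


def restore_to(rec: ImageRecord, target_capacity: int) -> bytes:
    """Restore the image to a target of equal or larger capacity, padding the
    remainder with zeros; a smaller target is refused."""
    if target_capacity < len(rec.image):
        raise ValueError("target smaller than image")
    return rec.image + b"\x00" * (target_capacity - len(rec.image))


def demo() -> list:
    """Acquire a constructed four-sector drive, then show that a sector
    changed after acquisition is reported by index."""
    drive = b"".join(bytes([n]) * SECTOR_SIZE for n in (0x41, 0x42, 0x43, 0x44))
    rec = acquire_image(drive)
    assert verify_image(rec) == []
    # Simulate a copy whose third sector was altered after acquisition.
    tampered = bytearray(rec.image)
    tampered[2 * SECTOR_SIZE] ^= 0xFF
    altered = ImageRecord(bytes(tampered), rec.sector_crcs, rec.sha256)
    return verify_image(altered)  # returns [2]


if __name__ == "__main__":
    print(demo())
```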
FILE SLACK
 Slack space in a file is the remnant area at the end of a file in the last assigned disk cluster that is unused by current file data, but, once again, may be a possible site for previously created and relevant evidence.
 Experts use techniques and automated tools to capture and evaluate file slack.

DATA-HIDING TECHNIQUES
 Trade secret information and other sensitive data can easily be secreted using any number of techniques. It is possible to hide diskettes within diskettes and to hide entire computer hard disk drive partitions. Computer forensic experts should understand such issues and the tools that help in the identification of such anomalies.

ANADISK - DISKETTE ANALYSIS TOOL *****
It is primarily used to identify data storage anomalies on floppy diskettes; generic hardware in the form of floppy disk controllers and BIOS is needed when using this software.

PRIMARY USES
 Security reviews of floppy diskettes for storage anomalies
 Duplication of diskettes that are nonstandard or that involve storage anomalies
 Editing diskettes at a physical sector level
 Searching for data on floppy diskettes in traditional and nontraditional storage areas
 Formatting diskettes in nontraditional ways for training purposes and to illustrate data-hiding techniques

PROGRAM FEATURES AND BENEFITS
 DOS-based for ease of operation and speed.
 No software dongle. Again, software dongles get in the way and they are restrictive.
 Keyword searches can be conducted at a very low level and on diskettes that have been formatted with extra tracks. This feature is helpful in the evaluation of diskettes that may involve sophisticated data-hiding techniques.
 All DOS formats are supported, as well as many non-DOS formats (Apple Macintosh, Unix TAR, and many others). If the diskette will fit in a PC floppy diskette drive, it is likely that AnaDisk can be used to analyze it.
 Allows custom formatting of diskettes with extra tracks and sectors.
 Scans for anomalies will identify odd formats, extra tracks, and extra sectors.
 Data mismatches concerning some file formats are also identified when file extensions have been changed in an attempt to hide data.
 This software can be used to copy almost any diskette, including most copy-protected diskettes.

E-COMMERCE INVESTIGATIONS
 Net Threat Analyzer can be used to identify past Internet browsing and email activity done through specific computers. The software analyzes a computer's disk drives and other storage areas that are generally unknown to or beyond the reach of most general computer users. Net Threat Analyzer is available free of charge to computer crime specialists, school officials, and police.

DUAL-PURPOSE PROGRAMS
 Programs can be designed to perform multiple processes and tasks at the same time. Computer forensics experts must have hands-on experience with these programs.

TEXT SEARCH TECHNIQUES
 Tools that can be used to find targeted strings of text in files, file slack, unallocated file space, and Windows swap files.

TEXT SEARCH PLUS *****
This software is used to quickly search hard disk drives, zip disks, and floppy diskettes for key words or specific patterns of text.

PRIMARY USES
 Used to find occurrences of words or strings of text in data stored in files, slack, and unallocated file space
 Used in exit reviews of computer storage media from classified facilities
 Used to identify data leakage of classified information on non-classified computer systems
 Used in internal audits to identify violations of corporate policy
 Used by Fortune 500 corporations, government contractors, and government agencies in security reviews and security risk assessments
 Used in corporate due diligence efforts regarding proposed mergers
 Used to find occurrences of keywords or strings of text in data found at a physical sector level
 Used to find evidence in corporate, civil, and criminal investigations that involve computer-related evidence
 Used to find embedded text in formatted word processing documents (WordPerfect) and fragments of such documents in ambient data storage areas

PROGRAM FEATURES AND BENEFITS
 DOS-based for ease of operation and speed.
 No software dongle. Software dongles get in the way and they restrict your ability to process several computers at the same time.
 Small memory footprint (under 60 KB), which allows the software to run on even the original IBM PC.
 Compact program size, which easily fits on one floppy diskette with other forensic software utilities.
 Searches files, slack, and erased space in one fast operation.
 Has logical and physical search options that maintain compatibility with government security review requirements.
 User-defined search configuration feature.
 User configuration is automatically saved for future use.
 Embedded words and strings of text are found in word processing files.
 Alert for graphic files (secrets can be hidden in them).
 Alert for compressed files.
 High speed operation. This is the fastest tool on the market, which makes for quick searches on huge hard disk drives.
 Screen and file output.
 False hits don't stop processing.
 Government tested—specifically designed for security reviews in classified environments.
 Currently used by hundreds of law enforcement computer crime units.
 Currently in use by all of the Big 5 accounting firms.
 The current version allows for up to 120 search strings to be searched for at one time.

FUZZY LOGIC TOOLS USED TO IDENTIFY UNKNOWN TEXT
 Computer evidence searches require that the computer specialist know what is being searched for. Many times not all is known about what may be stored on a given computer system.
 In such cases, fuzzy logic tools can provide valuable leads as to how the subject computer was used.
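The FILE SLACK and TEXT SEARCH passages above describe the same three areas a search must cover: active file data, the slack between end-of-file and the end of the last cluster, and unallocated clusters. The following is an added example, not code from the notes or from Text Search Plus; it assumes 512-byte clusters with contiguous allocation and builds a small constructed image in which remnants of erased files sit in slack and in a free cluster.

```python
"""Added example (not from the notes or any named tool): locating file slack
and unallocated clusters in a constructed disk image and running a keyword
search over active data, slack and erased space separately."""
from dataclasses import dataclass

CLUSTER = 512  # assumption: 512-byte clusters, files allocated contiguously


@dataclass(frozen=True)
class FileEntry:
    name: str
    first_cluster: int
    size: int          # logical file size in bytes

    @property
    def clusters(self) -> int:
        """Number of clusters the file occupies (ceiling division)."""
        return max(1, -(-self.size // CLUSTER))


def file_data(image: bytes, e: FileEntry) -> bytes:
    """The bytes the file system considers to be the file's content."""
    start = e.first_cluster * CLUSTER
    return image[start:start + e.size]


def file_slack(image: bytes, e: FileEntry) -> bytes:
    """Bytes between logical end-of-file and the end of the last cluster:
    never overwritten by the current file, so old data may survive there."""
    start = e.first_cluster * CLUSTER + e.size
    end = (e.first_cluster + e.clusters) * CLUSTER
    return image[start:end]


def unallocated(image: bytes, entries) -> list:
    """(cluster_index, bytes) for every cluster that no entry claims."""
    used = set()
    for e in entries:
        used.update(range(e.first_cluster, e.first_cluster + e.clusters))
    total = len(image) // CLUSTER
    return [(c, image[c * CLUSTER:(c + 1) * CLUSTER])
            for c in range(total) if c not in used]


def keyword_search(image: bytes, entries, keywords) -> list:
    """Search file content, file slack and unallocated clusters for each
    keyword; return (area, label, keyword, offset-in-area) tuples so the
    examiner can tell a live hit from one in ambient data."""
    areas = []
    for e in entries:
        areas.append(("file", e.name, file_data(image, e)))
        areas.append(("slack", e.name, file_slack(image, e)))
    for c, data in unallocated(image, entries):
        areas.append(("unallocated", f"cluster {c}", data))
    hits = []
    for area, label, data in areas:
        for kw in keywords:
            pos = data.find(kw)
            while pos != -1:
                hits.append((area, label, kw.decode(), pos))
                pos = data.find(kw, pos + 1)
    return hits


def build_sample_image() -> tuple:
    """Constructed 6-cluster image: report.txt occupies clusters 1-2 with
    700 bytes of content; the slack of cluster 2 and the free cluster 4 still
    hold fragments of erased files. Cluster 0 is left empty."""
    img = bytearray(6 * CLUSTER)
    report = b"Quarterly report: revenue up." + b"x" * 671   # 700 bytes
    img[CLUSTER:CLUSTER + 700] = report
    old = b"...CONFIDENTIAL: merger target list..."          # in slack
    img[CLUSTER + 700:CLUSTER + 700 + len(old)] = old
    rem = b"login=admin passwd=REDACTED"                      # free cluster
    img[4 * CLUSTER:4 * CLUSTER + len(rem)] = rem
    entries = [FileEntry("report.txt", 1, 700)]
    return bytes(img), entries


if __name__ == "__main__":
    image, table = build_sample_image()
    for hit in keyword_search(image, table, [b"CONFIDENTIAL", b"passwd", b"revenue"]):
        print(hit)
```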
INTELLIGENT FORENSIC FILTER - FILTER_G/FILTER_I *****
 This forensic filter utility is used to quickly make sense of nonsense in the analysis of ambient data sources (Windows swap/page files, file slack, and data associated with erased files).
 It is used to quickly identify patterns of English language grammar in ambient data files.

PRIMARY USES
 Used as an intelligence gathering tool for quick assessments of a Windows swap/page file to identify past communications on a targeted computer
 Used as a data sampling tool in law enforcement, military, and corporate investigations
 Used to quickly identify patterns of English language grammar in ambient data sources
 Used to identify English language communications in erased file space

PROGRAM FEATURES AND BENEFITS
 DOS-based for speed.
 Automatically processes any data object (a swap file, a file constructed from combined file slack, a file constructed from combined unallocated space, or a Windows swap/page file).
 Provides output in an ASCII text format that is ready for import into any word processing application.
 Capable of quickly processing ambient data files that are up to 2 gigabytes in size.

2. Disk Structure
 Computer forensic experts must understand how computer hard disks and floppy diskettes are structured and how computer evidence can reside at various levels within the structure of the disk.
 They should also demonstrate their knowledge of how to modify the structure and hide data in obscure places on floppy diskettes and hard disk drives.

3. Data Encryption
 Computer forensic experts should become familiar with the use of software to crack security associated with the different file structures.

4. Matching a Diskette to a Computer
 Specialized techniques and tools make it possible to conclusively tie a diskette to a computer that was used to create or edit files stored on it.
 Computer forensic experts should become familiar with how to use special software tools to complete this process.

5. Data Compression
 Computer forensic experts should become familiar with how compression works and how compression programs can be used to hide and disguise sensitive data, and also learn how password-protected compressed files can be broken.

6. Erased Files
 Computer forensic experts should become familiar with how previously erased files can be recovered by using DOS programs and by manually using data-recovery techniques, and should be familiar with cluster chaining.

7. Internet Abuse Identification and Detection
 Computer forensic experts should become familiar with how to use specialized software to identify how a targeted computer has been used on the Internet.
 This process will focus on computer forensics issues tied to data that the computer user probably doesn't realize exists (file slack, unallocated file space, and Windows swap files).

8. The Boot Process and Memory Resident Programs
 Computer forensic experts should become familiar with how the operating system can be modified to change data and destroy data at the whim of the person who configured the system.
 Such a technique could be used to covertly capture keyboard activity from corporate executives, for example. For this reason, it is important that the experts understand these potential risks and how to identify them.

3. TYPES OF BUSINESS COMPUTER FORENSIC TECHNOLOGY ***
The following are different types of business computer forensics technology:

REMOTE MONITORING OF TARGET COMPUTERS
 Data Interception by Remote Transmission (DIRT) is a powerful remote control monitoring tool that allows stealth monitoring of all activity on one or more target computers simultaneously from a remote command center.
 No physical access is necessary. The application also allows agents to remotely seize and secure digital evidence prior to physically entering suspect premises.

CREATING TRACKABLE ELECTRONIC DOCUMENTS
 Binary Audit Identification Transfer (BAIT) is a powerful intrusion detection tool that allows users to create trackable electronic documents.
 BAIT identifies (including their location) unauthorized intruders who access, download, and view these tagged documents.
 BAIT also allows security personnel to trace the chain of custody and chain of command of all who possess the stolen electronic documents.

THEFT RECOVERY SOFTWARE FOR LAPTOPS AND PCS
 What it really costs to replace a stolen computer:
 The price of the replacement hardware and software.
 The cost of recreating data, lost production time or instruction time, reporting and investigating the theft, filing police reports and insurance claims, increased insurance, processing and ordering replacements, cutting a check, and the like.
 The loss of customer goodwill.
 If a thief is ever caught, the cost of time involved in prosecution.

PC PHONEHOME
 PC PhoneHome is a software application that will track and locate a lost or stolen PC or laptop anywhere in the world. It is easy to install. It is also completely transparent to the user.
 If your PC PhoneHome-protected computer is lost or stolen, all you need to do is make a report to the local police and call CD's 24-hour command center. CD's recovery specialists will assist local law enforcement in the recovery of your property.

BASIC FORENSIC TOOLS AND TECHNIQUES
 Many computer forensics workshops have been created to familiarize investigators and security personnel with the basic techniques and tools necessary for a successful investigation of Internet and computer-related crimes.
 Workshop topics normally include: types of computer crime, cyber law basics, tracing email to its source, digital evidence acquisition, cracking passwords, monitoring computers remotely, tracking online activity, finding and recovering hidden and deleted data, locating stolen computers, creating trackable files, identifying software pirates, and so on.

FORENSIC SERVICES AVAILABLE
Services include but are not limited to:
 Lost password and file recovery
 Location and retrieval of deleted and hidden files
 File and email decryption
 Email supervision and authentication
 Threatening email traced to source
 Identification of Internet activity
 Computer usage policy and supervision
 Remote PC and network monitoring
 Tracking and location of stolen electronic files
 Honeypot sting operations
 Location and identity of unauthorized software users
 Theft recovery software for laptops and PCs
 Investigative and security software creation
 Protection from hackers and viruses

Source: COMPUTER FORENSICS: COMPUTER CRIME SCENE INVESTIGATION, JOHN VACCA
Send your feedback to kranthi@kranthi.co.in