Fdocuments - in - Computer Forensics 5584a063871ca

The document discusses computer forensics, emphasizing the differences between real-world and cyber crimes, particularly in terms of theft. It outlines various types of computer crimes, such as hacking, software piracy, and phishing, and details the steps involved in computer forensics, including evidence collection, analysis, and preservation. Additionally, it highlights the challenges faced by investigating agencies and provides guidelines for securing crime scenes and handling digital evidence.

Uploaded by Kimotok Barnabas

Computer Forensics

Yogesh E. Sonawane
yogesh.dfe@gmail.com

CYBER CRIMES
REAL-WORLD & VIRTUAL-WORLD

Current approaches evolved to deal with real-world crime.

Cybercrime occurs in a virtual world and therefore presents different issues.
EXAMPLE: THEFT

Real-world theft:
Possession of property shifts completely from A to B, i.e., A had it, now B has it.

Theft in the virtual world (cyber-theft):
Property is copied, so A “has” it and so does B.
Think before you Click
What is Computer Crime?

“Unlawful acts wherein the computer is either a tool or a target or both.”

Two aspects:
• Computer as a tool to commit crime
Child porn, threatening email, identity theft, sexual harassment, defamation, phishing.

• Computer itself becomes the target of crime

TYPES OF COMPUTER CRIME

 HACKING
Hacking in simple terms means illegal intrusion into a computer system without the permission of the computer owner/user.

 SOFTWARE PIRACY
Unauthorized copying of software.

 PORNOGRAPHY
Computer pornography covers pornographic websites, pornographic magazines produced using computers (to publish and print the material) and the Internet (to download and transmit pornographic pictures and photos).
CONT… TYPES OF COMPUTER CRIME

 FORGED DOCUMENTS
Creating fake documents such as fake academic certificates, mark sheets etc.

 CREDIT CARD FRAUD
Credit card fraud is a wide-ranging term for theft and fraud committed using a credit card or any similar payment mechanism as a fraudulent source of funds in a transaction.

 COMPUTER STALKING
Use of e-mail or the Internet to harass or threaten an individual.
CONT… TYPES OF COMPUTER CRIME

 PHISHING
In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.

 COMPUTER DEFAMATION
This occurs when defamation takes place with the help of computers and/or the Internet, e.g. Mr. X publishes defamatory matter about Ms. Y on a website or sends e-mails containing defamatory information to Ms. Y’s friends.
WHAT IS DIGITAL EVIDENCE?

 Digital evidence is any information of probative value that is either stored or transmitted in binary form.

 Digital evidence includes computer evidence, digital audio recorders, digital video recorders, mobile phones, pen drives, CDs, DVDs etc.
ELECTRONIC RECORD

An electronic record is that which is generated, stored, sent or received by electronic means and includes data, image or sound.


CHALLENGES FOR INVESTIGATING AGENCIES

 Difficulty in collection of evidence
 Fragility of computer data
 Fear of destruction of vital data
 Vast volume to be examined
 Diversity of hardware and software
 Admissibility in the courts
COMPUTER FORENSICS

 Definition:
 Identification, extraction, documentation, and preservation of computer media for evidentiary and/or root cause analysis using well-defined methodologies and procedures.
COMPUTER FORENSICS

 Methodology:
 Acquire the evidence without altering or damaging the original.
 Authenticate that the recovered evidence is the same as the original seized.
 Analyze the data without modifying it.
COMPUTER FORENSICS - STEPS

Scene of Crime: Identification, Seizure, Acquisition
Forensics Lab: Authentication, Analysis, Presentation, Preservation
What to carry?

– Camera
– Note or sketch pads
– Blank CDs, DVDs, pen drives
– Hash calculator, write-blocker, cross-over cable etc.
– Sealing material: labels, pens, markers
– Storage containers: anti-static bags, plastic bubble wrap
– Software / hardware for onsite virtual data retrieval and imaging
How to secure the crime scene?

 The entire work area, office, or cubicle is a potential crime scene, not just the computer itself.

 No one should be allowed to touch the computer, including shutting the computer down, exiting from any programs/files in use at the time, or removing anything from
How to secure the crime scene? Continued….

 Disconnect the power supply; otherwise files can be lost to a hard drive crash.
 If required, access the system to take a backup of volatile data.
Computer Forensic Steps - Scene of Crime

 Back up volatile data in RAM / router etc.
 Photograph / video the scene of incidence / crime
 Identify digital storage media
 Draw the network topology

Questions to be asked at the scene of crime
• Login Details : User Name/s and Password/s
• Encryption
• Files of interest
• E-mail accounts
• Internet service provider(s)
• Off site storage
• Hidden storage devices
WHY ARE PRECAUTIONS REQUIRED?

 The integrity of data is essential for making it presentable in a court of law within acceptable limits of law.
 The active data recovered can give us vital links.
 Deleted data too can be recovered and used for reconstruction of events.
 Certain damaged media too can be read/viewed.
Computer Forensic Steps - Scene of Crime

 Identification
 Seizure
 Acquisition
Exhibits Seized
Identification

Front side of the CPU cabinet or case or chassis
Back side of the CPU cabinet or case or chassis
Identification Continued….

Internal hard disk
External hard disk
CD/DVD, floppy
Mobile phones, SIM card, memory cards
Skimmer, credit cards
Dongle and pen drives
Seizure

What is Seizure?

Definition: Seizure is the process of capturing the suspect computer or storage media for evidence collection.
Seizure

 The case-related reference documents should also be seized from the crime scene.

For example:
 In case of economic crime, look for account book details, passbook details, bank transaction details, ATM credit/debit card details.
 In case of forged documents, look for reference documents such as academic certificates, bill receipts, passport, legal property papers etc.
Labeling
Packaging and Transportation

 Properly document and label the evidence before packaging.
 Use anti-static wrap or bubble wrap for magnetic media.
 Avoid folding, bending or scratching computer media such as diskettes, CDs, removable media etc.
Packaging and Transportation

 While transporting, place the computer securely on the floor of the vehicle where the ride is smooth.
 Avoid radio transmissions, electromagnetic emissions and moisture in the vicinity of digital evidence.
Dealing with the Suspected Mobile Phone

• At the time of seizing a mobile phone, its components such as the battery, SIM card(s) and memory card(s) should be removed.
• The user manuals should also be seized from the scene, if present.
Guidelines from Forensics Continued….

 If a CPU cabinet is seized from the crime scene, bring only the hard disks for analysis, not the CPU cabinet.
 Printer, scanner, monitor, keyboard, mouse etc. should not be seized.
 Only digital storage media like hard disks, pen drives, floppies, CDs, DVDs, mobile phones etc. are analyzed.
Acquisition & Authentication

Precautions while Acquisition

• Use of write blocker devices:
 Thumbscrew
 FastBloc
 Tableau

• Need of write blocker
Acquisition & Authentication

 Making a forensic duplicate copy of the suspect storage media is acquisition.
 A forensic duplicate is a file that contains every bit of information from the source disk.

Two ways:
 Using software
 Using hardware
Acquisition & Authentication

 Using a software tool requires a hardware write blocker at the source end, e.g. FastBloc FE / Tableau, with software such as EnCase or FTK Imager used for acquisition.
 A hardware tool has an inbuilt write blocker and gives better speed for acquisition, e.g. TD2, Talon, SOLO, Dossier by Logicube etc.
Laboratory Work

 Authentication
 Analysis
 Presentation
 Preservation
Authentication: Hash Value

How to verify the integrity of a forensic duplicate?

A hash value, also known as a “message digest” or “fingerprint”, is basically a digital signature.

The checksum is created by applying an algorithm to the file. The checksum for each file is unique to that file.

E.g.
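The acquire-then-authenticate step described in the methodology and hash slides, as an added example that is not part of the original deck: a stand-in for the seized media (a constructed byte string in a temporary file) is copied bit for bit into a raw image, the acquisition hash is taken from the bytes as they are read, and the duplicate is re-hashed to verify it; one altered byte in the copy makes the verification fail. File names and the sample bytes are assumptions.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for the seized media: a byte string written to a temp
# file. On a real case the source is read through a hardware write blocker.
SAMPLE_MEDIA = b"MBR\x00" * 1024 + b"evidence.txt: meeting at 10\x00" * 8

def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Stream a file through the digest so images larger than RAM still work."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def acquire(source_path, image_path, chunk_size=1 << 20):
    """Bit-for-bit copy of the source into a raw image file. The acquisition
    hash is computed from the bytes as they are read, before anything else
    touches them, and is recorded in the examiner's notes."""
    h = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(chunk_size), b""):
            h.update(chunk)
            dst.write(chunk)
    return h.hexdigest()

def authenticate(acquisition_hash, image_path):
    """Verification: re-hash the duplicate and compare with the acquisition
    hash. Equal digests show the copy is faithful; a single changed bit on
    either side produces a different digest and the duplicate is rejected."""
    verification_hash = hash_file(image_path)
    return verification_hash == acquisition_hash, verification_hash

def demo():
    """Acquire, authenticate, then flip one byte to show the check failing."""
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "source.bin")
        image = os.path.join(d, "source.dd")
        with open(source, "wb") as f:
            f.write(SAMPLE_MEDIA)
        acq = acquire(source, image)
        matches_source = acq == hashlib.sha256(SAMPLE_MEDIA).hexdigest()
        ok, _ = authenticate(acq, image)
        with open(image, "r+b") as f:     # simulate a corrupted duplicate
            f.seek(10)
            f.write(b"X")
        tampered_ok, _ = authenticate(acq, image)
        return matches_source, ok, tampered_ok
```

The hash only proves that the two byte streams are identical; the chain-of-custody notes and labels from the seizure slides are what tie the digest to a particular exhibit.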
Analysis

Current and Emerging Cyber Forensic Tools of Law Enforcement

Analysis Process

The process of searching for crime-relevant data and extracting it.

The analyst has to search data in:
 Deleted files
 Slack space
 Unallocated space
 Free space
 Log entries
 Registry entries
 System files
 Printer spool files
 Cookies
 Keywords
Analysis Process Continued….

Why is Slack Space Important?

[Diagram: unallocated space (new drive); allocated space; unallocated space (after file deletion); allocated space (reallocated, new file) with the unused tail of the cluster marked as slack space. Question on the diagram: why isn't the freed region also slack space?]
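The slack-versus-unallocated distinction from the diagram, as an added example that is not part of the original deck. A constructed toy volume (fixed cluster size, an allocation map, no real file system) shows that after a file is deleted and its first cluster is reused by a smaller file, the old bytes survive in two places: the tail of the reused cluster is slack space (belongs to an allocated file), while the remaining freed clusters are unallocated space (belong to no file). File names and contents are constructed.

```python
CLUSTER_SIZE = 512   # bytes per allocation unit (constructed; real volumes use 4 KiB or more)
NUM_CLUSTERS = 8

class ToyVolume:
    """Constructed cluster-allocated volume: a byte array plus an allocation map."""

    def __init__(self):
        self.disk = bytearray(CLUSTER_SIZE * NUM_CLUSTERS)
        self.used = [False] * NUM_CLUSTERS
        self.files = {}   # name -> (first_cluster, cluster_count, byte_size)

    def _find_free(self, n):
        for start in range(NUM_CLUSTERS - n + 1):
            if not any(self.used[start:start + n]):
                return start
        raise OSError("volume full")

    def write(self, name, data):
        n = -(-len(data) // CLUSTER_SIZE)          # clusters needed (ceil)
        start = self._find_free(n)
        off = start * CLUSTER_SIZE
        # Only len(data) bytes are written. The tail of the last cluster is
        # never cleared, so it keeps whatever a previous file left there.
        self.disk[off:off + len(data)] = data
        for c in range(start, start + n):
            self.used[c] = True
        self.files[name] = (start, n, len(data))

    def delete(self, name):
        start, n, _ = self.files.pop(name)
        for c in range(start, start + n):
            self.used[c] = False   # clusters marked free; bytes stay on disk

    def slack(self, name):
        # bytes between the logical end of an allocated file and its last cluster end
        start, n, size = self.files[name]
        return bytes(self.disk[start * CLUSTER_SIZE + size:(start + n) * CLUSTER_SIZE])

    def unallocated(self):
        # every cluster not owned by any file; old content survives until reused
        return b"".join(bytes(self.disk[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE])
                        for c in range(NUM_CLUSTERS) if not self.used[c])

def demo():
    v = ToyVolume()
    v.write("ledger.txt", b"TRANSFER 50000 TO ACCOUNT 1234\n" * 40)   # 1240 bytes, 3 clusters
    v.delete("ledger.txt")                     # freed, but the bytes remain
    v.write("notes.txt", b"lunch at noon")     # 13 bytes reuse cluster 0
    slack = v.slack("notes.txt")               # cluster 0, bytes 13..511: old ledger text
    unalloc = v.unallocated()                  # clusters 1..7: rest of the old ledger
    return b"ACCOUNT 1234" in slack, b"ACCOUNT 1234" in unalloc, len(slack)
```

The freed clusters are not slack because no allocated file owns them; a logical (file-level) copy of the volume would carry neither the slack nor the unallocated bytes, which is why the deck insists on a bit-for-bit forensic duplicate.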
Analysis Process Continued….

• “Keyword Search” is one of the most important steps of analysis.

• The keywords should be listed for getting better and sorted search results. These keywords
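A keyword search over a raw image, as an added example that is not part of the original deck: a listed set of keywords is searched in more than one encoding (ASCII and UTF-16LE, the latter being how many Windows artefacts store text), case-insensitively, and every hit is reported with its byte offset so it can be located whether it sits in a live file, slack or unallocated space. The image bytes are constructed and not from any real case.

```python
import re

# Constructed raw-image fragment (not from any real case): an ASCII string,
# some binary noise, the same account reference stored as UTF-16LE (as many
# Windows artefacts are), and an unrelated log line.
IMAGE = (b"\x00" * 32
         + b"Wire 50000 to ACCT-9981 before friday\x00\x00"
         + b"\xff\xd8\xff\xe0" + bytes(range(64))
         + "ACCT-9981 confirmed".encode("utf-16-le")
         + b"\x00" * 16
         + b"unrelated log line\n")

def keyword_hits(image, keywords, encodings=("ascii", "utf-16-le")):
    """Search a raw image for each keyword in each encoding, case-insensitively.
    Returns (keyword, encoding, byte_offset, context) tuples sorted by offset;
    the byte offset is what the examiner records, since it locates the hit
    regardless of whether the bytes lie in a file, slack or unallocated space."""
    hits = []
    for kw in keywords:
        for enc in encodings:
            pattern = re.escape(kw.encode(enc))
            # IGNORECASE on a bytes pattern folds ASCII letters only, which is
            # exactly the letter bytes of both encodings used here.
            for m in re.finditer(pattern, image, re.IGNORECASE):
                context = image[max(0, m.start() - 8):m.end() + 8]
                hits.append((kw, enc, m.start(), context))
    return sorted(hits, key=lambda h: h[2])

def hit_summary(image, keywords):
    """Compact (keyword, encoding, offset) view of the hits for the notes."""
    return [(kw, enc, off) for kw, enc, off, _ in keyword_hits(image, keywords)]
```

Searching only the ASCII form would miss the UTF-16LE occurrence, which is why the encoding list belongs in the keyword plan alongside the keywords themselves.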
Documentation & Preservation

• Report writing & preparation of notes

• Store the magnetic storage media in a secure area:
– Cool
– Dry
– Away from generators and magnets
Prevention Of Computer Crime

Safe Computing Tips

 Do not reveal personal information to unknown people or websites.
 Create hard-to-guess passwords, keep them private and change them regularly.
 Use anti-virus software and update it regularly.
 Back up your important files regularly.
Safe Online Banking

 Keep your passwords/PIN codes safe and memorize them.
 Check that the online banking website is secure.
 Log out immediately after you have completed your transaction.
 Do not respond to emails asking for your personal information. When in doubt, call the institution that claims to have sent the email.
 Read privacy and policy statements before any transaction.
Tips for Safe Social Networking

 Don’t reveal too much information about yourself online.
 Add people as friends on your site only if you know them personally.
 Delete inappropriate messages from your profile.
 Do not post information about your friends, as you may put them at risk.
 What you post online is not private. It can be seen by everyone.
