03-03-2011, 02:44 PM
Computer Forensics
Computer forensics, also called cyber-forensics, is the detailed examination of computer systems as part of an investigation.
It involves the preservation, identification, extraction, documentation and interpretation of computer media for evidentiary or root-cause analysis.
CF Scope and Characteristics
Scope: The collection and search of specific data that will serve as acceptable evidence in a court of law.
Computer forensics deals with:
• Storage media (e.g. hard disks),
• The examination and analysis of network logs.
It should be a repeatable, scientific process.
An expert follows a step-by-step methodology that preserves the integrity of the evidence (e.g. working from a verified copy rather than the original media).
Uses of Computer Forensics
Discovering data on a computer system
Recovering deleted, encrypted, or damaged file information
Recovering evidence after a hard drive has been formatted (a quick format typically rewrites only the file system structures, so much of the old content remains on disk)
Investigating a system after multiple users have had access to it
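As an added example (not part of the attached slides), here is a minimal file carver in Python showing how deleted files are recovered from raw disk data: it scans a byte buffer for JPEG and PNG header/footer signatures, which is how carvers find files whose directory entries are gone, including after a quick format. The "unallocated space" buffer is constructed for the demo; the signature table is deliberately a small subset.

```python
"""Minimal file carver: recover files from raw, unallocated space by signature.

Added example, not from the original post. The demo image built by
build_demo_image() is constructed; only two file types are known here.
"""
import os

# Magic numbers: (header, footer). The footer is searched only after the header.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(data: bytes, max_size: int = 10 * 1024 * 1024) -> list:
    """Return a list of (offset, length, kind, payload) for every file found.

    A header with no footer within max_size bytes is skipped: without the
    footer we cannot tell where the file ended, so we do not guess.
    """
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = 0
        while True:
            start = data.find(head, pos)
            if start == -1:
                break
            end = data.find(tail, start + len(head), start + max_size)
            if end == -1:
                pos = start + 1          # header without footer: move on
                continue
            end += len(tail)
            found.append((start, end - start, kind, data[start:end]))
            pos = end
    return sorted(found, key=lambda f: f[0])


def write_out(files: list, outdir: str) -> list:
    """Write carved payloads to outdir, named by their offset in the source."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for offset, _, kind, payload in files:
        path = os.path.join(outdir, f"{offset:08x}.{kind}")
        with open(path, "wb") as f:
            f.write(payload)
        paths.append(path)
    return paths


def build_demo_image() -> bytes:
    """Constructed 'unallocated space': signature-free filler with two files embedded."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-demo-body" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-demo-body" + b"IEND\xaeB`\x82"
    filler = bytes(range(256)) * 4   # 1024 bytes, contains none of the signatures
    return filler + jpeg + filler + png + filler


if __name__ == "__main__":
    for offset, length, kind, _ in carve(build_demo_image()):
        print(f"{kind} at offset {offset}, {length} bytes")
```

On a real image you would read the raw device or a dd image (ideally only the unallocated clusters, to avoid re-carving live files). Note the caveat a practitioner hits immediately: many JPEGs carry an EXIF thumbnail, which is itself a JPEG with its own FFD9 marker, so a naive footer search truncates the outer file; production carvers parse the file structure rather than stopping at the first footer.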
Who Uses Computer Forensics ?
Criminal Prosecutors
– Rely on evidence obtained from a computer to prosecute suspects
Insurance Companies
– Evidence discovered on a computer can be used to reduce costs in cases of suspected fraud, worker's compensation claims, arson, etc.
Individual/Private Citizens
– Retain professional computer forensic specialists to support claims of harassment, abuse, or wrongful termination of employment
Main Principles
Scope: To protect the investigator, the evidence, and the accused party and his/her rights.
Principles regarding ethics:
−The investigator must have the authority to seize and search a computer.
−The search should have clearly defined goals.
Principles regarding process:
−A defined set of procedures minimises the possibility of tampering with evidence and lets the examiner demonstrate that none occurred.
Steps Of Computer Forensics
According to many professionals, computer forensics is a four-step process.
Acquisition
• Physically or remotely obtaining possession of the computer, all network mappings from the system, and external physical storage devices. The evidence media is copied bit-for-bit and the copy is hashed, so that any later change can be detected and the original is never worked on directly.
Identification
• Identifying what data could be recovered and retrieving it electronically by running various computer forensic tools and software suites.
Evaluation
• Evaluating the recovered data to determine whether and how it could be used in an employment action or a prosecution in court.
Presentation
• Presenting the evidence discovered in a manner that lawyers and non-technical staff can understand, and that is suitable as evidence under the applicable United States and other (international or internal) rules.
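The acquisition step above is where integrity is won or lost, so here is an added example (my own Python, not from the attached slides) of the minimum a practitioner does: image the source bit-for-bit, hash both source and image with SHA-256, refuse the image if the hashes differ, and write a chain-of-custody record that can be re-verified before analysis or presentation. The "device" is a constructed file standing in for something like /dev/sdb; the examiner name, case ID and paths are demo assumptions.

```python
"""Forensic acquisition with hash verification and a chain-of-custody record.

Added example, not from the original post. demo() creates a constructed
source file in a temp directory to stand in for a block device.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB read size


def sha256_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large images do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source: str, image: str, examiner: str, case_id: str) -> dict:
    """Copy `source` to `image` bit-for-bit and return the custody record.

    The source is hashed as it is read; the image is then re-read and hashed
    independently. A mismatch means the copy is not evidence-grade.
    """
    started = datetime.now(timezone.utc).isoformat()
    src_hash = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(chunk)
            dst.write(chunk)
    img_hash = sha256_file(image)
    if img_hash != src_hash.hexdigest():
        raise RuntimeError("image hash does not match source: acquisition failed")
    record = {
        "case_id": case_id,
        "examiner": examiner,
        "source": source,
        "image": image,
        "bytes": os.path.getsize(image),
        "sha256": img_hash,
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
    }
    with open(image + ".custody.json", "w") as log:   # sits beside the image
        json.dump(record, log, indent=2)
    return record


def verify(image: str, record: dict) -> bool:
    """Re-hash an image (e.g. before analysis) against its custody record."""
    return sha256_file(image) == record["sha256"]


def demo() -> dict:
    """Constructed device in a temp dir (assumption: stands in for /dev/sdb)."""
    work = tempfile.mkdtemp()
    source = os.path.join(work, "sdb")
    with open(source, "wb") as f:
        f.write(b"MBR-and-filesystem-bytes" * 50000)   # constructed contents
    return acquire(source, os.path.join(work, "sdb.dd"), "examiner-demo", "CASE-0001")


if __name__ == "__main__":
    rec = demo()
    print(json.dumps(rec, indent=2))
    print("verifies:", verify(rec["image"], rec))
```

Two caveats from practice: the source should be behind a hardware write-blocker, and on a failing drive the source hash can legitimately differ between two reads, which is why the record stores the hash of what was actually captured and the examiner notes any read errors alongside it.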
Forensic Process
Computer Forensic Requirements
Hardware
Familiarity with all internal and external components of a computer.
Thorough understanding of hard drives and settings.
Power connections
Memory
BIOS
Understanding how the BIOS works
Familiarity with the various settings and limitations of the BIOS
Computer Forensic Requirements (Cont)
Operating Systems
Windows 95/98/NT/2000/2003/XP
DOS
UNIX
LINUX
Software
Familiarity with the most popular software packages, such as Office
Forensic Tools
Familiarity with computer forensic techniques and the software packages that could be used
Anti-Forensics
Software or techniques that limit or corrupt the evidence an investigator could collect
Performs data hiding and distortion (e.g. renamed files, data appended to innocuous files, altered timestamps)
Exploits limitations of known and widely used forensic tools
Works on both Windows- and LINUX-based systems
May be in place before acquisition or applied to the system afterwards
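As an added example (my own Python, not from the attached slides) of catching two of the simplest data-hiding tricks: a file whose extension does not match its magic bytes (a ZIP renamed to .pdf) and a payload appended after a JPEG's end-of-image marker, where viewers ignore it. The sample files are constructed in a temp directory; the signature table is a deliberately small subset of what a real tool carries.

```python
"""Detect simple anti-forensic data hiding: extension/magic mismatch and
data appended after a JPEG's EOI marker.

Added example, not from the original post. build_demo_dir() writes
constructed sample files into a temp directory.
"""
import os
import tempfile

# Small subset of magic numbers (assumption: enough for the demo, not complete).
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
    ".zip": b"PK\x03\x04",
}
JPEG_EOI = b"\xff\xd9"


def inspect(path: str) -> list:
    """Return a list of finding strings for one file (empty if nothing looks odd)."""
    findings = []
    with open(path, "rb") as f:
        data = f.read()
    ext = os.path.splitext(path)[1].lower()
    # 1. What does the content actually look like, regardless of the name?
    actual = next((e for e, sig in MAGIC.items() if data.startswith(sig)), None)
    if ext in MAGIC and actual != ext:
        findings.append(f"extension {ext} but content looks like {actual or 'unknown'}")
    elif ext not in MAGIC and actual is not None:
        findings.append(f"unrecognised extension {ext or '(none)'} but content is {actual}")
    # 2. Bytes after the last EOI marker of a JPEG: viewers ignore them, so
    #    they are a classic place to stash an archive or a text file.
    if actual == ".jpg":
        eoi = data.rfind(JPEG_EOI)
        trailing = len(data) - (eoi + len(JPEG_EOI))
        if eoi != -1 and trailing > 0:
            findings.append(f"{trailing} bytes appended after JPEG EOI marker")
    return findings


def scan(directory: str) -> dict:
    """Map file name -> findings for every file under `directory` that has any."""
    results = {}
    for root, _, names in os.walk(directory):
        for name in names:
            hits = inspect(os.path.join(root, name))
            if hits:
                results[name] = hits
    return results


def build_demo_dir() -> str:
    """Constructed samples: one clean JPEG, one renamed ZIP, one JPEG with a payload."""
    d = tempfile.mkdtemp()
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-body" + JPEG_EOI
    files = {
        "clean.jpg": jpeg,
        "report.pdf": b"PK\x03\x04" + b"zip-archive-renamed",   # ZIP hiding as PDF
        "holiday.jpg": jpeg + b"secret-archive-bytes",          # payload after EOI
    }
    for name, content in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(content)
    return d


if __name__ == "__main__":
    for name, hits in scan(build_demo_dir()).items():
        print(name, "->", "; ".join(hits))
```

This is detection of the crude cases only; an adversary who packs the payload into a valid JPEG segment, or who wipes and timestomps, is not caught by a signature check, which is exactly the "exploits limitations of known tools" point above.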
Limitations
A forensics examination can, at best, identify the computer involved in an incident.
Placing a specific person at that computer is extremely difficult without additional evidence.
Finding evidence that a computer was used to access other systems is much more difficult.
A forensics examination that is not backed by other corroborating evidence sources cannot be conclusive.
Conclusion and Future Work
Forensics is an extremely valuable tool in the investigation of computer security incidents.
Considerable legal issues arise when investigating computer systems.
Intrusion Detection might support Computer Forensics in the future, and vice versa.