
Cyber Forensics

Unit 3: Introduction to Computer Forensics

Prof. N. Sivanesan
SKEC, Chennai
Introduction
Computer forensics involves obtaining and analysing digital information for
use as evidence in civil, criminal, or administrative cases.
Computer forensics: The process of applying scientific methods to
collect and analyse data and information that can be used as
evidence.
Cyber crime is any criminal activity involving computers and networks. Cyber
space includes computer systems, computer networks and the internet.
LANs and WANs are also part of cyber space.
Examples: illegal downloading of music files, stealing millions of rupees from
online bank accounts.
Cyber crime is defined as a crime in which a computer is the object of the
crime (hacking, phishing, spamming).
A criminal case follows three stages: the complaint, the
investigation, and the prosecution. Someone files a complaint; a
specialist investigates the complaint and, with the help of a
prosecutor, collects evidence and builds a case. If a crime has been
committed, the case is tried in court.
Three levels of law enforcement
Level 1: Acquiring and seizing digital evidence, normally performed
by a police officer on the scene.
Level 2: Managing high-tech investigations, teaching investigators
what to ask for, and understanding computer terminology and what
can and can't be retrieved from digital evidence. The assigned
detectives usually handle the case.
Level 3: Specialist training in retrieving digital evidence, normally
conducted by a data recovery or computer forensics expert,
network forensics expert, or Internet fraud investigator. This
person might also be qualified to manage a case, depending on his
or her background.
Elements of a cyber crime case
Situation: Employee abuse case.
Nature of the case: Side business conducted on the employer's
computer.
Specifics of the case: The employee is reportedly conducting a side
business while operating company computer systems.
Type of evidence: Small-capacity USB drive.
Operating system: Microsoft Windows XP.
Known disk format: FAT16.
Location of evidence: One USB drive recovered from the employee's
assigned computer.
Setting Up Your Workstation for Computer Forensics
A workstation running Windows XP or Vista
Computer forensics acquisition tool
Computer forensics analysis tool
A target drive to receive the source or suspect disk data
Spare PATA or SATA ports
USB ports
Additional useful items include the following:
Network interface card (NIC)
Extra USB ports
FireWire 400/800 ports
SCSI card
Disk editor tool
Text editor tool
Graphics viewer program
Other specialized viewing tools
Types of cybercrime
1. Hacking: a person's computer is broken into so that his personal or sensitive
information can be accessed.
2. Theft: a person violates copyrights and downloads music, movies,
games, and software.
3. Cyber stalking: a kind of online harassment (email, online messages).
4. Identity theft: this has become a major problem with people using
the internet for cash transactions and banking services.
People's bank accounts, credit cards, debit cards, etc.
5. Malicious software: internet-based software or programs that are used
to disrupt a network.
Examples of cyber crime
Online banking fraud
Fake antivirus
Stranded traveller scams
Fake escrow scams
Advance fee fraud
Infringing pharmaceuticals
Copyright-infringing software
Copyright-infringing music and video
Online payment card fraud
In-person payment card fraud
Industrial cyber espionage and extortion
Welfare fraud
Identity theft and identity fraud
Identity theft is the crime of using someone else's personal
information, such as an account number, driver's license,
health insurance card or social security number, to commit
fraud.
ID theft is a form of fraud.
Once an ID has been stolen it can be used to withdraw
money, open new bank accounts, apply for loans or credit
cards, and purchase vehicles or property.
Fraud is an intentional effort to deceive another individual
for personal gain.
Theft and fraud (cont.)
To apply for a new driver's license
To open new bank accounts
To apply for credit cards
To apply for a loan
To get a job
To rent an apartment
To make retail purchases
To stay in a hotel
Common ways identity theft occurs in cyber crime:
Defrauding businesses or institutions
Stealing records from the thief's employer
Bribing an employee who has access to the records
Conning information out of employees
Hacking into the organization's computer
Identity theft generally has three stages: acquisition, use
and discovery.
There are many ways that thieves can steal an
identity. One way is to get possession of a person's
debit card (ATM card) and their personal identification
number (PIN).
Identity theft has become a major problem with people
using the internet for cash transactions and banking
services.
Four approaches used by identity thieves
Create a data breach
Purchase personal data
Use phishing to entice users to give up data
Install spyware to capture keystrokes of victims
How thieves steal your identity
Phishing: emails sent by cybercriminals that pretend to be from
a legitimate person or organization with the intent of tricking
you into revealing personal information.
Spam: sent via instant messaging (IM). The IM could include
spyware, key loggers, viruses, and links to phishing sites.
Spyware: this is software that a hacker surreptitiously installs on your
computer to collect personal information. It can show fake websites, change
your settings, and take control of your computer in various ways.
Pharming: a hacker installs malicious code on your personal
computer to direct you to fake websites without your knowledge.
Keyloggers: a keylogger is a form of spyware that records
keystrokes as you type.
Trojan horse: a malicious program that appears to be harmless.
Types of computer forensics techniques
Computer forensics is the science of locating,
extracting and analysing types of data from
different devices, which specialists then
interpret to serve as legal evidence.
Digital forensics is the scientific acquisition,
analysis and preservation of data contained in
electronic media whose information can be used
as evidence in a court of law.
Computer forensics: four-step process
Acquisition: physically or remotely obtaining possession of the
computer, all network mappings from the system, and external physical
storage devices.
Identification: this step involves identifying what data could be
recovered and electronically retrieving it by running various
computer forensic tools and software suites.
Evaluation: evaluating the information/data recovered to determine if
and how it could be used against the suspect for employment
termination or prosecution in court.
Presentation: this step involves presenting the evidence
discovered in a manner which is understood by lawyers and which
complies with United States and internal laws.
Need for computer forensic techniques
Legal cases: computer forensic techniques are frequently used to
analyse computer systems belonging to defendants.
To recover data: in the event of software failure or hardware
failure.
To analyse: a computer system must be analysed after a break-in.
To gather evidence against an employee that an organization wishes to
terminate.
Forensic techniques are used for finding, preserving and preparing
evidence.
Incident response methodology
An incident is an unexpected event occurring when an attack, whether
natural or human-made, affects information resources and/or assets,
causing actual damage or disruption to a business's assets.
Incident response is a set of procedures that commence when an incident is detected.
Some common types of computer incidents include the following:
1. Employee misuse of systems
2. Malicious code (viruses, worms, Trojan horses)
3. Intrusions or hacking
4. Unauthorized electronic monitoring
5. Website defacement or vandalism
6. Unauthorized access to confidential information
7. Automated scanning tools and probes
8. Insider sabotage
Components of incident response
Pre-incident preparation: take actions to prepare the organization
and the CSIRT before an incident occurs.
Detection of incidents: identify a potential computer security incident.
Initial response: perform an initial investigation, recording the basic
details surrounding the incident, assembling the incident response
team, and notifying the individuals who need to know about the
incident.
Formulate response strategy: based on the results of all the known
facts, determine the best response and obtain management approval.
Determine what civil, criminal, administrative or other actions are
appropriate to take, based on the conclusions drawn from the
investigation.
Investigate the incident: perform a thorough collection
of data. Review the data collected to determine what
happened, when it happened, who did it, and how it
can be prevented in the future.
Reporting: accurately report information about the
investigation in a manner useful to decision makers.
Resolution: employ security measures and procedural
changes, record lessons learned, and develop long-term
fixes for any problems identified.
Stages of the investigative process of digital forensics
Preservation: the preservation stage corresponds to freezing the crime
scene. It involves operations such as preventing people from using
computers during collection, stopping ongoing deletion processes, and
choosing the safest way to collect information.
Collection: the collection stage consists of finding and collecting digital
information that may be relevant to the investigation. Collection of digital
information means collecting the equipment containing the information
or recording the information on some medium.
Examination: the search for digital evidence. The output of examination is
the set of data objects found in the collected information, which includes logs and
data files containing specific phrases, timestamps, etc.
Analysis: the aim of analysis is to draw conclusions based on the evidence
found.
Computer language
Tools for gathering and analysing digital information are as follows.
Boot software: the computer is booted using boot software for imaging and/or
analysis without making changes to the hard disk.
Computer forensic software: this type of software is used for imaging and
analysing digital information.
Forensic software write blockers are used to allow acquisition of digital
information on a hard drive without changing or altering the contents.
Hash authentication software is used to validate that a copy of digital
information is identical to the original information.
Analysis software helps with analysing digital information.
Bit stream imaging software is used to create an image of all areas of a data
carrier. A bit stream image is an exact replica of each bit contained in the data
carrier.
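As an added example (not from these slides), the following Python code shows the two tool roles described above on a constructed in-memory "data carrier": a bit-stream copy that reproduces every byte, including remnants in unallocated space that a file-level copy would miss, followed by hash authentication of the copy against the source. The names SAMPLE_DISK, bit_stream_image and verify_image are this example's own.

```python
import hashlib
import io

# Constructed sample "data carrier": a small in-memory disk image of four
# 512-byte sectors. It holds an allocated file plus a leftover fragment in
# unallocated space, which only a bit-stream image reproduces.
SECTOR = 512
SAMPLE_DISK = (
    b"\x00" * SECTOR                                               # empty boot area
    + b"invoice.txt: side business ledger".ljust(SECTOR, b"\x00")  # allocated file
    + b"deleted draft email fragment".ljust(SECTOR, b"\x00")       # unallocated remnant
    + b"\xff" * SECTOR                                             # padding
)

def bit_stream_image(source, block_size=SECTOR):
    """Copy every block of the source, reproducing all bits, not just files."""
    dst = io.BytesIO()
    source.seek(0)
    while True:
        block = source.read(block_size)
        if not block:
            break
        dst.write(block)
    return dst.getvalue()

def sha256_of(data):
    """Hash authentication: a digest identifying this exact bit sequence."""
    return hashlib.sha256(data).hexdigest()

def verify_image(source_bytes, image_bytes):
    """Return (matches, source_digest, image_digest)."""
    s, i = sha256_of(source_bytes), sha256_of(image_bytes)
    return s == i, s, i

def demo():
    """Image the sample disk, verify it, then show that one flipped byte fails."""
    image = bit_stream_image(io.BytesIO(SAMPLE_DISK))
    ok, _, _ = verify_image(SAMPLE_DISK, image)
    # Simulate a single altered byte in the copy (a write that slipped through
    # because no write blocker was used); the hash check must now fail.
    tampered = bytearray(image)
    tampered[SECTOR + 3] ^= 0x01
    bad, _, _ = verify_image(SAMPLE_DISK, bytes(tampered))
    return ok, bad, b"deleted draft" in image

if __name__ == "__main__":
    ok, bad, remnant = demo()
    print(f"image verified: {ok}; tampered verified: {bad}; remnant present: {remnant}")
```

In practice the source digest is computed on the original carrier behind a write blocker and recorded before imaging, so the comparison documents the chain of custody rather than just the copy.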
Network language
It is essential that computer investigators understand the
language behind the technology.
TCP/IP
IMAP (Internet Message Access Protocol) has three modes:
offline mode, online mode, disconnected mode.
Offline mode: POP3
Online mode:
Disconnected mode: both offline and online modes are
supported.
Understanding Computer Investigation
Investigation is a process that develops
and tests hypotheses to answer questions
about events that occurred. In general,
computer forensics investigates data that
can be retrieved from a computer's hard
disk or other storage media.
Data recovery: for example, data deleted by mistake or lost
during a power surge or server crash.
