SlideShare a Scribd company logo

Computer forensics

Download as PPT, PDF
Shreya Singireddy
Shreya Singireddy

computer forensics: consists of history, their need, types of crime, how experts work, rules of evidence, forensic tools, tools based on different categories. extremely detailed ppt, consists of information difficult to find. very useful for paper presentation competitions.

1 of 34
COMPUTER FORENSICS A Paper Presentation
INTRODUCTION • Computer forensics is a branch of Forensic Science that uses investigation and analysis techniques to find and determine legal evidence found in computer and digital storage mediums. • The core goals of it are: (1) Preservation (2)Identification (3)Extraction (4)Documentation (5)Interpretation
• Computer Forensics is referred to as computer forensics analysis, electronic and data discovery. • Computer Analysis and Computer Examination is the process of methodically examining electronic media (Hard disks, Disk tapes, Floppy disks, etc.) for evidence.
HISTORY • The field of Computer Forensics began in 1980’s after personal computers became a viable option for the consumer. • In 1984, an FBI program was created. For a time it was known as magnet media program. • It is now known as Computer Analysis and Response Team (CART). • Michael Anderson, the father of Computer Forensics, began to work on it.
TIMELINE OF COMPUTER FORENSICS • 1995- International Organization on Computer Evidence (IOCE) was formed. • 1997- The G8 countries declared that “Law Enforcement personnel must be trained and equipped to address hi-tech crimes”. • 1998- INTERPOL Forensic Science symposium was held. • 1999- FBI CART case load exceeds 2000 cases examining, 17 terabytes of data.
• 2000- First FBI Regional Computer Forensic Laboratory established. • 2003- FBI CART case load exceeds 6500 cases, examining 782 terabytes of data.
NEED FOR COMPUTER FORENSICS • The main purpose of it is mainly due to the wide variety of computer crimes that take place in recent times. • The loss caused depends upon the sensitivity of computer data or the information for which the crime has been committed. • An efficient backup of data is required especially which is stored in a single system. • The main objective of computer forensics is to produce evidence in the court that leads to the punishment of the actual.
TYPES OF DIGITAL CRIMES Breach of Computer Security Fraud/Theft Copyright Violation Identity Theft Burglary Suicide Obscenity
HOW DO FORENSIC EXPERTS WORK? Each forensic expert follows the following steps when they are going to handle a case: • Make an initial assessment about the type of case that is going to be investigated • Determine a preliminary design or approach to the case • Determine the reasons needed • Obtain a copy of disk drive
• Identify and minimize or avoid the risks • Investigate the data that is recovered • Complete the case report
RULES OF EVIDENCE There are basically five rules to be followed by the experts to follow while collecting evidence: Admissible: Admissible stands for that the evidence must be usable. If the evidence is not usable, then it is considered not present. Authentic: The expert must be able to explain that the evidence is related to the incident in a relevant manner.
Complete: The evidence collected must show every perspective of the evidence. If it shows the possible attacker’s involvement, it must be able prove his/her innocence. Reliable: The evidence collection must be authentic and it must not cast doubt on it’s reliability.  Believable: The evidence presented must be understandable and believable to the jury.
FORENSIC TOOLS • The forensic tools are the software and hardware used for gathering data from the media storage devices of the computer that is believed to be used to commit any crime.
BASIC TOOLS Some of the basic and commonly used computer forensic tools are: Registry Recon: It extracts registry information from a piece of evidence (disk image etc.) whether that information was active, backed up to deleted and rebuild all the registries represented by the extracted information.
Computer forensics
SANS Investigative Tool kit: It is pre- configured with all the tools to perform a detailed forensic examination. The new Ubuntu base with additional tools like replaying of entire computer activity in detail.
OTHER TYPES OF FORENSIC TOOLS Forensic tools are divided into various categories based on their specialization: Memory Forensic Tools Mobile Device Tools Network Forensic Tools Database Forensic Tools
MEMORY FORENSIC TOOLS Memory forensic tools are used to acquire and analyze a computers volatile memory. Some of them are: CMAT: Compile Memory Analysis Tool is a self- contained memory analysis tool that analyses Windows OS memory and extracts information about running processes.
Computer forensics
Memoryze: This tool can acquire live memory images and analyze memory dumps. It is inclusive of Microsoft Windows.
MOBILE DEVICE FORENSIC TOOLS Mobile forensic tool tend to have hardware and software components. Cellebrite Mobile Forensics: It is a Universal Forensic extraction device which is both hardware and software. It is used to gather evidence from mobile devices and mobile media cards, Sims and GPS devices.
Computer forensics
MicroSystemation XRY: XRY is a digital forensic product by MicroSystemation used to recover information from mobile phones, smart phones, GPS, navigation tools and Tablets computers.
NETWORK FORENSIC TOOLS Network forensic tools are designed to capture and analyze network packets either from LAN or Internet. Wire Shark: It captures and analyzes packets. In short, it’s a protocol analyzer.
Computer forensics
TCP flow: It is a TCP/IP session reassembles. It records the TCP flow and stores the data such that it is convenient for protocol analysis.
DATABASE FORENSIC TOOLS Database forensic tools is related to the investigations applied on database and metadata. HashKeeper: It uses an algorithm to establish unique numeric identifiers (hash values) for files known to be good or bad. It was developed to reduce the amount of time required to examine files on digital media.
Computer forensics
Arbutus: Arbutus data tool is a window based analysis and conversion tool that fraud investigators use to analyze server or mainframe data.
APPLICATIONS • Uncover evidences of illegal activities such as credit card fraud, intellectual property theft etc. • Investigate and find for crimes that were not directly committed via computer but for which the accused might have stored evidence on computer data storage devices. • Detect and close computer system security holes through ‘legal hacking’. • Tracking the activities of terrorists by using Internet.
A HIGH-PROFILE CASE SOLVED!!! MICHEAL JACKSON’S ACCIDENTAL DEATH MYSTERY WAS SOLVED BECAUSE OF COMPUTER FORENSICS. IT WAS FOUND OUT THAT IT WAS DUE TO A HIGH DOSAGE OF PROPOFOL (a sedative).
DR. CONRAD MURRAY( Michael Jackson’s personal physician) WAS ARRESTED FOR ‘INVOLUNTARY MANSLAUGHTER’. CRUCIAL EVIDENCE WAS GATHERED FROM HIS SEIZED LAPTOP BY THE FORENSIC EXPERTS WHICH PROVED THAT HE DID GIVE MICHAEL A HIGH DOSE OF PROPOFOL. HE IS CURRENTLY SERVING A 4 YEAR SENTENCE .
CONCLUSION • Cyber crimes are increasing in number day to day. • The Forensic Department has been efficiently delivering it’s duties by controlling the crime rate on the digital side. • Almost in all cases the persons involved have been found out. • On the other hand, it is the duty of judiciary to resolve any disputes and punish the accused.
THANK YOU

More Related Content

Computer forensics

  • 2. INTRODUCTION • Computer forensics is a branch of Forensic Science that uses investigation and analysis techniques to find and determine legal evidence found in computer and digital storage mediums. • The core goals of it are: (1) Preservation (2)Identification (3)Extraction (4)Documentation (5)Interpretation
  • 3. • Computer Forensics is referred to as computer forensics analysis, electronic and data discovery. • Computer Analysis and Computer Examination is the process of methodically examining electronic media (Hard disks, Disk tapes, Floppy disks, etc.) for evidence.
  • 4. HISTORY • The field of Computer Forensics began in 1980’s after personal computers became a viable option for the consumer. • In 1984, an FBI program was created. For a time it was known as magnet media program. • It is now known as Computer Analysis and Response Team (CART). • Michael Anderson, the father of Computer Forensics, began to work on it.
  • 5. TIMELINE OF COMPUTER FORENSICS • 1995- International Organization on Computer Evidence (IOCE) was formed. • 1997- The G8 countries declared that “Law Enforcement personnel must be trained and equipped to address hi-tech crimes”. • 1998- INTERPOL Forensic Science symposium was held. • 1999- FBI CART case load exceeds 2000 cases examining, 17 terabytes of data.
  • 6. • 2000- First FBI Regional Computer Forensic Laboratory established. • 2003- FBI CART case load exceeds 6500 cases, examining 782 terabytes of data.
  • 7. NEED FOR COMPUTER FORENSICS • The main purpose of it is mainly due to the wide variety of computer crimes that take place in recent times. • The loss caused depends upon the sensitivity of computer data or the information for which the crime has been committed. • An efficient backup of data is required especially which is stored in a single system. • The main objective of computer forensics is to produce evidence in the court that leads to the punishment of the actual.
  • 8. TYPES OF DIGITAL CRIMES Breach of Computer Security Fraud/Theft Copyright Violation Identity Theft Burglary Suicide Obscenity
  • 9. HOW DO FORENSIC EXPERTS WORK? Each forensic expert follows the following steps when they are going to handle a case: • Make an initial assessment about the type of case that is going to be investigated • Determine a preliminary design or approach to the case • Determine the reasons needed • Obtain a copy of disk drive
  • 10. • Identify and minimize or avoid the risks • Investigate the data that is recovered • Complete the case report
  • 11. RULES OF EVIDENCE There are basically five rules to be followed by the experts to follow while collecting evidence: Admissible: Admissible stands for that the evidence must be usable. If the evidence is not usable, then it is considered not present. Authentic: The expert must be able to explain that the evidence is related to the incident in a relevant manner.
  • 12. Complete: The evidence collected must show every perspective of the evidence. If it shows the possible attacker’s involvement, it must be able prove his/her innocence. Reliable: The evidence collection must be authentic and it must not cast doubt on it’s reliability.  Believable: The evidence presented must be understandable and believable to the jury.
  • 13. FORENSIC TOOLS • The forensic tools are the software and hardware used for gathering data from the media storage devices of the computer that is believed to be used to commit any crime.
  • 14. BASIC TOOLS Some of the basic and commonly used computer forensic tools are: Registry Recon: It extracts registry information from a piece of evidence (disk image etc.) whether that information was active, backed up to deleted and rebuild all the registries represented by the extracted information.
  • 16. SANS Investigative Tool kit: It is pre- configured with all the tools to perform a detailed forensic examination. The new Ubuntu base with additional tools like replaying of entire computer activity in detail.
  • 17. OTHER TYPES OF FORENSIC TOOLS Forensic tools are divided into various categories based on their specialization: Memory Forensic Tools Mobile Device Tools Network Forensic Tools Database Forensic Tools
  • 18. MEMORY FORENSIC TOOLS Memory forensic tools are used to acquire and analyze a computers volatile memory. Some of them are: CMAT: Compile Memory Analysis Tool is a self- contained memory analysis tool that analyses Windows OS memory and extracts information about running processes.
  • 20. Memoryze: This tool can acquire live memory images and analyze memory dumps. It is inclusive of Microsoft Windows.
  • 21. MOBILE DEVICE FORENSIC TOOLS Mobile forensic tool tend to have hardware and software components. Cellebrite Mobile Forensics: It is a Universal Forensic extraction device which is both hardware and software. It is used to gather evidence from mobile devices and mobile media cards, Sims and GPS devices.
  • 23. MicroSystemation XRY: XRY is a digital forensic product by MicroSystemation used to recover information from mobile phones, smart phones, GPS, navigation tools and Tablets computers.
  • 24. NETWORK FORENSIC TOOLS Network forensic tools are designed to capture and analyze network packets either from LAN or Internet. Wire Shark: It captures and analyzes packets. In short, it’s a protocol analyzer.
  • 26. TCP flow: It is a TCP/IP session reassembles. It records the TCP flow and stores the data such that it is convenient for protocol analysis.
  • 27. DATABASE FORENSIC TOOLS Database forensic tools is related to the investigations applied on database and metadata. HashKeeper: It uses an algorithm to establish unique numeric identifiers (hash values) for files known to be good or bad. It was developed to reduce the amount of time required to examine files on digital media.
  • 29. Arbutus: Arbutus data tool is a window based analysis and conversion tool that fraud investigators use to analyze server or mainframe data.
  • 30. APPLICATIONS • Uncover evidences of illegal activities such as credit card fraud, intellectual property theft etc. • Investigate and find for crimes that were not directly committed via computer but for which the accused might have stored evidence on computer data storage devices. • Detect and close computer system security holes through ‘legal hacking’. • Tracking the activities of terrorists by using Internet.
  • 31. A HIGH-PROFILE CASE SOLVED!!! MICHEAL JACKSON’S ACCIDENTAL DEATH MYSTERY WAS SOLVED BECAUSE OF COMPUTER FORENSICS. IT WAS FOUND OUT THAT IT WAS DUE TO A HIGH DOSAGE OF PROPOFOL (a sedative).
  • 32. DR. CONRAD MURRAY( Michael Jackson’s personal physician) WAS ARRESTED FOR ‘INVOLUNTARY MANSLAUGHTER’. CRUCIAL EVIDENCE WAS GATHERED FROM HIS SEIZED LAPTOP BY THE FORENSIC EXPERTS WHICH PROVED THAT HE DID GIVE MICHAEL A HIGH DOSE OF PROPOFOL. HE IS CURRENTLY SERVING A 4 YEAR SENTENCE .
  • 33. CONCLUSION • Cyber crimes are increasing in number day to day. • The Forensic Department has been efficiently delivering it’s duties by controlling the crime rate on the digital side. • Almost in all cases the persons involved have been found out. • On the other hand, it is the duty of judiciary to resolve any disputes and punish the accused.