Presentation is loading. Please wait.

Presentation is loading. Please wait.

Computer Forensics Iram Qureshi, Prajakta Lokhande.

Published byTracy Stokes Modified over 9 years ago

Similar presentations

Presentation on theme: "Computer Forensics Iram Qureshi, Prajakta Lokhande."— Presentation transcript:

1 Computer Forensics Iram Qureshi, Prajakta Lokhande

2 Topics to be covered  Definition  Why Computer Forensics?  Who uses Computer Forensics?  Computer forensic requirements  Steps of Computer Forensics  Handling Evidence  Handling Information  Anti-Forensics  Methods of hiding Information/data  Methods of detecting information/data

3 Definition Computer forensics is defined as the discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law.

4 Why Computer Forensics? Reasons to employ techniques of computer forensics:  To analyze computer systems in legal cases.  To recover data in event of hardware or software failure.  To analyze a computer system after a break-in.  To gather evidence against an employee that an organization wishes to terminate.  To gain information about how computer systems work.

5 Who Uses Computer Forensics? Criminal Prosecutors Rely on evidence obtained from a computer to prosecute suspects and use as evidence Civil Litigations Personal and business data discovered on a computer can be used in fraud, divorce, harassment, or discrimination cases Insurance Companies Evidence discovered on computer can be used to mollify costs (fraud, worker’s compensation, arson, etc) Private Corporations Obtained evidence from employee computers can be used as evidence in harassment, fraud, and embezzlement cases

6 Who Uses Computer Forensics? (cont) Law Enforcement Officials Rely on computer forensics to backup search warrants and post- seizure handling Individual/Private Citizens Obtain the services of professional computer forensic specialists to support claims of harassment, abuse, or wrongful termination from employment

7 Computer Forensic Requirements Hardware –Familiarity with all internal and external devices/components of a computer –Thorough understanding of hard drives and settings –Understanding motherboards and the various chipsets used –Power connections –Memory

8 Computer Forensic Requirements (cont) Software –Familiarity with most popular software packages such as Office Forensic Tools –Familiarity with computer forensic techniques and the software packages that could be used

9 Steps Of Computer Forensics Computer Forensics is a four step process. Acquisition Physically or remotely obtaining possession of the computer, all network mappings from the system, and external physical storage devices Identification This step involves identifying what data could be recovered and electronically retrieving it by running various Computer Forensic tools and software suites Evaluation Evaluating the information/data recovered to determine if and how it could be used again the suspect for employment termination or prosecution in court

10 Steps Of Computer Forensics (cont) Presentation This step involves the presentation of evidence discovered in a manner which is understood by lawyers, non-technically staff/management, and suitable as evidence as determined by United States and internal laws

11 Handling Evidence Admissibility of Evidence –Legal rules which determine whether potential evidence can be considered by a court –Must be obtained in a manner which ensures the authenticity and validity and that no tampering had taken place No possible evidence is damaged, destroyed, or otherwise compromised by the procedures used to search the computer Preventing viruses from being introduced to a computer during the analysis process Extracted / relevant evidence is properly handled and protected from later mechanical or electromagnetic damage

12 Handling Information Information and data being sought after and collected in the investigation must be properly handled. Volatile Information –Network Information Communication between system and the network –Active Processes Programs and daemons currently active on the system –Logged-on Users Users/employees currently using system –Open Files Libraries in use; hidden files; Trojans (rootkit) loaded in system

13 Handling Information (cont) Non-Volatile Information –This includes information, configuration settings, system files and registry settings that are available after reboot –Accessed through drive mappings from system –This information should investigated and reviewed from a backup copy

14 Anti- Forensics Software that limits and/or corrupts evidence that could be collected by an investigator Performs data hiding and distortion Exploits limitations of known and used forensic tools Works both on Windows and LINUX based systems In place prior to or post system acquisition

15 Methods Of Hiding Data Data hiding is the process of making data difficult to find while also keeping it accessible for future use. Encryption Encryption programs allow the user to create virtual encrypted disks which can only be opened with a designated key. File level encryption Steganography Technique where information or files are hidden within another file in an attempt to hide data by leaving it in plain sight

16 Methods of hiding data (cont..) Watermarking: Hiding data within data –Information can be hidden in almost any file format. –File formats with more room for compression are best Image files (JPEG, GIF) Sound files (MP3, WAV) Video files (MPG, AVI) –The hidden information may be encrypted, but not necessarily –Numerous software applications will do this for you: Many are freely available online

17 Methods Of Detecting/Recovering Data (cont) –Software analysis Even small amounts of processing can filter out echoes and shadow noise within an audio file to search for hidden information If the original media file is available, hash values can easily detect modifications

18 Methods Of Detecting/Recovering Data (cont) –Disk analysis utilities can search the hard drive for hidden tracks/sectors/data –RAM slack –Firewall/Routing filters can be applied to search for hidden or invalid data in IP datagram headers

19 THE END t

Download ppt "Computer Forensics Iram Qureshi, Prajakta Lokhande."

Similar presentations

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.
Computer Forensics.

Computer Forensics.
Computer Forensics.

Computer Forensics.
Intro to Computer Forensics CSC 485/585. Objectives  Understand the roles and responsibilities of a computer forensic examiner.  Understand the “Safety.

Intro to Computer Forensics CSC 485/585. Objectives  Understand the roles and responsibilities of a computer forensic examiner.  Understand the “Safety.
Evidence Collection & Admissibility Computer Forensics BACS 371.

Evidence Collection & Admissibility Computer Forensics BACS 371.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
BACS 371 Computer Forensics

BACS 371 Computer Forensics
Mod H-1 Examples of Computer Crimes. Mod H-2 Stuxnet.

Mod H-1 Examples of Computer Crimes. Mod H-2 Stuxnet.
Security strategy. What is security strategy? How an organisation plans to protect and respond to security attacks on their information technology assets.

Security strategy. What is security strategy? How an organisation plans to protect and respond to security attacks on their information technology assets.
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
Evidence Computer Forensics. Law Enforcement vs. Citizens  Search must have probable cause –4 th amendment search warrant  Private citizen not subject.

Evidence Computer Forensics. Law Enforcement vs. Citizens  Search must have probable cause –4 th amendment search warrant  Private citizen not subject.
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
Evidor: The Evidence Collector Software using for: Software for lawyers, law firms, corporate law and IT security departments, licensed investigators,

Evidor: The Evidence Collector Software using for: Software for lawyers, law firms, corporate law and IT security departments, licensed investigators,
Chapter 14: Computer and Network Forensics

Chapter 14: Computer and Network Forensics
Computer Forensics CPIS 428 – PROJECT King Abdulaziz University

Computer Forensics CPIS 428 – PROJECT King Abdulaziz University
Computer Forensics Mr.PRAWEE PROMPONMUANG M.Sc(Forensic Science) NO.515020181-9.

Computer Forensics Mr.PRAWEE PROMPONMUANG M.Sc(Forensic Science) NO
Introduction to Computer Forensics Fall 2007. Computer Crime Computer crime is any criminal offense, activity or issue that involves computers (http://www.forensics.nl).http://www.forensics.nl.

Introduction to Computer Forensics Fall Computer Crime Computer crime is any criminal offense, activity or issue that involves computers (
By Drudeisha Madhub Data Protection Commissioner Date: 12.08.14.

By Drudeisha Madhub Data Protection Commissioner Date:
COEN 252 Computer Forensics Forensic Duplication of Hard Drives.

COEN 252 Computer Forensics Forensic Duplication of Hard Drives.
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #12 Computer Forensics Analysis/Validation and Recovering Graphic.

Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #12 Computer Forensics Analysis/Validation and Recovering Graphic.

Similar presentations

Ads by Google