SlideShare uma empresa Scribd logo

02 Types of Computer Forensics Technology - Notes

Kranthi
Kranthi
EducaçãoTecnologia
1 de 11
Baixar para ler offline
COMPUTER FORENSICS UNIT I – PART II 1 1. TYPES OF MILITARY COMPUTER FORENSIC TECHNOLOGY  Key objectives of cyber forensics include rapid discovery of evidence, estimation of potential impact of the malicious activity on the victim, and assessment of the intent and identity of the perpetrator.  Real-time tracking of potentially malicious activity is especially difficult when the pertinent information has been intentionally hidden, destroyed, or modified in order to elude discovery.  National Law Enforcement and Corrections Technology Center (NLECTC) works with criminal justice professionals to identify urgent and emerging technology needs.  NLECTC centers demonstrate new technologies, test commercially available technologies and publish results — linking research and practice.  National Institute of Justice (NIJ) sponsors research and development or identifies best practices to address those needs.  The information directorate entered into a partnership with the NIJ via the auspices of the NLECTC, to test the new ideas and prototype tools. The Computer Forensics Experiment 2000 (CFX-2000) resulted from this partnership. COMPUTER FORENSIC EXPERIMENT-2000 (CFX-2000) ****  CFX-2000 is an integrated forensic analysis framework.  The central hypothesis of CFX-2000 is that it is possible to accurately determine the motives, intent, targets, sophistication, identity, and location of cyber criminals and cyber terrorists by deploying an integrated forensic analysis framework.  The cyber forensic tools involved in CFX-2000 consisted of commercial off-the-shelf software and directorate-sponsored R&D prototypes. CFX includes SI-FI integration environment.  The Synthesizing Information from Forensic Investigations (SI-FI) integration environment supports the collection, examination, and analysis processes employed during a cyber-forensic investigation.  The SI-FI prototype uses digital evidence bags (DEBs), which are secure and tamperproof containers used to store digital evidence.  Investigators can seal evidence in the DEBs and use the SI-FI implementation to collaborate on complex investigations. Types of Computer Forensics Technology
COMPUTER FORENSICS UNIT I – PART II 2  Authorized users can securely reopen the DEBs for examination, while automatic audit of all actions ensures the continued integrity of their contents.  The teams used other forensic tools and prototypes to collect and analyze specific features of the digital evidence, perform case management and timelining of digital events, automate event link analysis, and perform steganography detection.  The results of CFX-2000 verified that the hypothesis was largely correct and that it is possible to ascertain the intent and identity of cyber criminals.  As electronic technology continues its explosive growth, researchers need to continue vigorous R&D of cyber forensic technology in preparation for the onslaught of cyber reconnaissance probes and attacks. CFX-2000 Schematic 2. TYPES OF LAW ENFORCEMENT COMPUTER FORENSIC TECHNOLOGY Computer forensics tools and techniques have become important resources for use in internal investigations, civil lawsuits, and computer security risk management. Law enforcement and military agencies have been involved in processing computer evidence for years. Computer Evidence Processing Procedures Processing procedures and methodologies should conform to federal computer evidence processing standards.
COMPUTER FORENSICS UNIT I – PART II 3 1. Preservation of Evidence  Computer evidence is fragile and susceptible to alteration or erasure by any number of occurrences.  Computer evidence can be useful in criminal cases, civil disputes, and human resources/ employment proceedings.  Black box computer forensics software tools are good for some basic investigation tasks, but they do not offer a full computer forensics solution.  SafeBack software overcomes some of the evidence weaknesses inherent in black box computer forensics approaches.  SafeBack technology has become a worldwide standard in making mirror image backups since 1990. MIRROR IMAGE BACKUP SOFTWARE - SAFEBACK *****  SafeBack is used to create mirror-image (bit-stream) backup files of hard disks or to make a mirror- image copy of an entire hard disk drive or partition.  SafeBack image files cannot be altered or modified to alter the reproduction. This is because SafeBack is an industry standard self-authenticating computer forensics tool that is used to create evidence-grade backups of hard drives. PRIMARY USES  Used to create evidence-grade backups of hard disk drives on Intel-based computer systems.  Used to exactly restore archived SafeBack images to another computer hard disk drive of equal or larger storage capacity.  Used as an evidence preservation tool in law enforcement and civil litigation matters.  Used as an intelligence gathering tool by military agencies. PROGRAM FEATURES AND BENEFITS  DOS based for ease of operation and speed.  Provides a detailed audit trail of the backup process for evidence documentation purposes.  Checks for possible data hiding when sector cyclic redundancy checks (CRCs) do not match on the target hard disk drive. These findings are automatically recorded in the SafeBack audit log file.  Allows the archive of non-DOS and non-Windows hard disk drives (Unix on an Intel-based computer system).  Allows for the backup process to be made via the printer port.
COMPUTER FORENSICS UNIT I – PART II 4  Duplicate copies of hard disk drives can be made from hard disk to hard disk in direct mode.  SafeBack image files can be stored as one large file or separate files of fixed sizes. This feature is helpful in making copies for archive on CDs.  Tried and proven evidence-preservation technology with a 10 years legacy of success in government agencies.  Does not compress relevant data to avoid legal arguments that the original computer evidence was altered through data compression or software translation.  It is fast and efficient. In spite of the extensive mathematical validation, the latest version of SafeBack runs faster than prior versions. Processing speeds are much faster when state-of-the-art computer systems are used to make the backup.  Makes copies in either physical or logical mode at the option of the user.  Copies and restores multiple partitions containing one or more operating systems.  Can be used to accurately copy and restore most hard disk drives including Windows NT, Windows 2000, and Windows XP in a raid configuration.  Accuracy is guaranteed in the backup process through the combination of mathematical CRCs that provides a level of accuracy that far exceeds the accuracy provided by 128-bit CRCs (RSA MD5).  Writes to SCSI tape backup units or hard disk drives at the option of the user. TROJAN HORSE PROGRAMS  The computer forensic expert should be able to demonstrate his or her ability to avoid destructive programs and traps that can be planted by computer users bent on destroying data and evidence.  Such programs can also be used to covertly capture sensitive information, passwords, and network logons. COMPUTER FORENSICS DOCUMENTATION  Without proper documentation, it is difficult to present findings.  If the security or audit findings become the object of a lawsuit or a criminal investigation, then documentation becomes even more important. FILE SLACK  Slack space in a file is the remnant area at the end of a file in the last assigned disk cluster, that is unused by current file data, but once again, may be a possible site for previously created and relevant evidence.  Techniques and automated tools that are used by the experts to capture and evaluate file slack.
COMPUTER FORENSICS UNIT I – PART II 5 DATA-HIDING TECHNIQUES  Trade secret information and other sensitive data can easily be secreted using any number of techniques. It is possible to hide diskettes within diskettes and to hide entire computer hard disk drive partitions. Computer forensic experts should understand such issues and tools that help in the identification of such anomalies. ANADISK - DISKETTE ANALYSIS TOOL ***** It is primarily used to identify data storage anomalies on floppy diskettes and generic hardware in the form of floppy disk controllers; bios are needed when using this software PRIMARY USES  Security reviews of floppy diskettes for storage anomalies  Duplication of diskettes that are nonstandard or that involve storage anomalies  Editing diskettes at a physical sector level  Searching for data on floppy diskettes in traditional and nontraditional storage areas  Formatting diskettes in nontraditional ways for training purposes and to illustrate data-hiding techniques PROGRAM FEATURES AND BENEFITS  DOS-based for ease of operation and speed.  No software dongle. Again, software dongles get in the way and they are restrictive.  Keyword searches can be conducted at a very low level and on diskettes that have been formatted with extra tracks. This feature is helpful in the evaluation of diskettes that may involve sophisticated data-hiding techniques.  All DOS formats are supported, as well as many non-DOS formats (Apple Macintosh, Unix TAR, and many others). If the diskette will fit in a PC floppy diskette drive, it is likely that AnaDisk can be used to analyze it.  Allows custom formatting of diskettes with extra tracks and sectors.  Scans for anomalies will identify odd formats, extra tracks, and extra sectors.  Data mismatches, concerning some file formats, are also identified when file extensions have been changed in an attempt to hide data.  This software can be used to copy almost any diskette, including most copy-protected diskettes.
COMPUTER FORENSICS UNIT I – PART II 6 E-COMMERCE INVESTIGATIONS  Net Threat Analyzer can be used to identify past Internet browsing and email activity done through specific computers. The software analyzes a computer’s disk drives and other storage areas that are generally unknown to or beyond the reach of most general computer users. Net Threat Analyzer avail-able free of charge to computer crime specialists, school officials, and police. DUAL-PURPOSE PROGRAMS  Programs can be designed to perform multiple processes and tasks at the same time. Computer forensics experts must have hands-on experience with these programs. TEXT SEARCH TECHNIQUES  Tools that can be used to find targeted strings of text in files, file slack, unallocated file space, and Windows swap files. TEXT SEARCH PLUS ***** This software is used to quickly search hard disk drives, zip disks, and floppy diskettes for key words or specific patterns of text. PRIMARY USES  Used to find occurrences of words or strings of text in data stored in files, slack, and unallocated file space  Used in exit reviews of computer storage media from classified facilities  Used to identify data leakage of classified information on non-classified computer systems  Used in internal audits to identify violations of corporate policy  Used by Fortune 500 corporations, government contractors, and government agencies in security reviews and security risk assessments  Used in corporate due diligence efforts regarding proposed mergers  Used to find occurrences of keywords strings of text in data found at a physical sector level  Used to find evidence in corporate, civil, and criminal investigations that involve computer-related evidence  Used to find embedded text in formatted word processing documents (Word-Perfect and fragments of such documents in ambient data storage areas)
COMPUTER FORENSICS UNIT I – PART II 7 PROGRAM FEATURES AND BENEFITS  DOS-based for ease of operation and speed.  No software dongle. Software dongles get in the way and they restrict your ability to process several computers at the same time.  Small memory foot print (under 60 KB), which allows the software to run on even the original IBM PC.  Compact program size, which easily fits on one floppy diskette with other forensic software utilities.  Searches files, slack, and erased space in one fast operation.  Has logical and physical search options that maintain compatibility with government security review requirements.  User-defined search configuration feature.  User configuration is automatically saved for future use.  Embedded words and strings of text are found in word processing files.  Alert for graphic files (secrets can be hidden in them).  Alert for compressed files.  High speed operation. This is the fastest tool on the market, which makes for quick searches on huge hard disk drives.  Screen and file output.  False hits don’t stop processing.  Government tested—specifically designed for security reviews in classified environments.  Currently used by hundreds of law enforcement computer crime units.  Currently in use by all of the Big 5 accounting firms.  The current version allows for up to 120 search strings to be searched for at one time. FUZZY LOGIC TOOLS USED TO IDENTIFY UNKNOWN TEXT  Computer evidence searches require that the computer specialist know what is being searched for. Many times not all is known about what may be stored on a given computer system.  In such cases, fuzzy logic tools can provide valuable leads as to how the subject computer was used.
COMPUTER FORENSICS UNIT I – PART II 8 INTELLIGENT FORENSIC FILTER - FILTER_G/FILTER_I *****  This forensic filter utility is used to quickly make sense of nonsense in the analysis of ambient data sources (Windows swap/page files, file slack, and data associated with erased files).  It is used to quickly identify patterns of English language grammar in ambient data files. PRIMARY USES  Used as an intelligence gathering tool for quick assessments of a Windows swap/page file to identify past communications on a targeted computer  Used as a data sampling tool in law enforcement, military, and corporate investigations  Used to quickly identify patterns of English language grammar in ambient data sources  Used to identify English language communications in erased file space PROGRAM FEATURES AND BENEFITS  DOS-based for speed.  Automatically processes any data object (a swap file, a file constructed from combined file slack, a file constructed from combined unallocated space, or a Windows swap/page file.  Provides output in an ASCII text format that is ready for import into any word processing application.  Capable of quickly processing ambient data files that are up to 2 gigabytes in size. 2. Disk Structure  Computer forensic experts must understand how computer hard disks and floppy diskettes are structured and how computer evidence can reside at various levels within the structure of the disk.  They should also demonstrate their knowledge of how to modify the structure and hide data in obscure places on floppy diskettes and hard disk drives. 3. Data Encryption  Computer forensic experts should become familiar with the use of software to crack security associated with the different file structures. 4. Matching a Diskette to a Computer  Specialized techniques and tools that make it possible to conclusively tie a diskette to a computer that was used to create or edit files stored on it. Computer forensic experts should become familiar how to use special software tools to complete this process.
COMPUTER FORENSICS UNIT I – PART II 9 5. Data Compression  Computer forensic experts should become familiar with how compression works and how compression programs can be used to hide and disguise sensitive data and also learn how password- protected compressed files can be broken. 6. Erased Files  Computer forensic experts should become familiar with how previously erased files can be recovered by using DOS programs and by manually using data-recovery technique & familiar with cluster chaining. 7. Internet Abuse Identification and Detection  Computer forensic experts should become familiar with how to use specialized software to identify how a targeted computer has been used on the Internet.  This process will focus on computer forensics issues tied to data that the computer user probably doesn’t realize exists (file slack, unallocated file space, and Windows swap files). 8. The Boot Process and Memory Resident Programs  Computer forensic experts should become familiar with how the operating system can be modified to change data and destroy data at the whim of the person who configured the system.  Such a technique could be used to covertly capture keyboard activity from corporate executives, for example. For this reason, it is important that the experts understand these potential risks and how to identify them. 3. TYPES OF BUSINESS COMPUTER FORENSIC TECHNOLOGY *** The following are different types of business computer forensics technology: REMOTE MONITORING OF TARGET COMPUTERS  Data Interception by Remote Transmission (DIRT) is a powerful remote control monitoring tool that allows stealth monitoring of all activity on one or more target computers simultaneously from a remote command center.  No physical access is necessary. Application also allows agents to remotely seize and secure digital evidence prior to physically entering suspect premises.
COMPUTER FORENSICS UNIT I – PART II 10 CREATING TRACKABLE ELECTRONIC DOCUMENTS  Binary Audit Identification Transfer (BAIT) is a powerful intrusion detection tool that allows users to create trackable electronic documents.  BAIT identifies (including their location) unauthorized intruders who access, download, and view these tagged documents.  BAIT also allows security personnel to trace the chain of custody and chain of command of all who possess the stolen electronic documents. THEFT RECOVERY SOFTWARE FOR LAPTOPS AND PCS  What it really costs to replace a stolen computer:  The price of the replacement hardware & software.  The cost of recreating data, lost production time or instruction time, reporting and investigating the theft, filing police reports and insurance claims, increased insurance, processing and ordering replacements, cutting a check, and the like.  The loss of customer goodwill.  If a thief is ever caught, the cost of time involved in prosecution.  PC PHONEHOME  PC PhoneHome is a software application that will track and locate a lost or stolen PC or laptop any-where in the world. It is easy to install. It is also completely transparent to the user.  If your PC PhoneHome-protected computer is lost or stolen, all you need to do is make a report to the local police and call CD’s 24-hour command center. CD’s recovery specialists will assist local law enforcement in the recovery of your property. BASIC FORENSIC TOOLS AND TECHNIQUES  Many computer forensics workshops have been created to familiarize investigators and security personnel with the basic techniques and tools necessary for a successful investigation of Internet and computer-related crimes.  Workshop topics normally include: types of computer crime, cyber law basics, tracing email to its source, digital evidence acquisition, cracking passwords, monitoring computers remotely, tracking
COMPUTER FORENSICS UNIT I – PART II 11 online activity, finding and recovering hidden and deleted data, locating stolen computers, creating trackable files, identifying software pirates, and so on. FORENSIC SERVICES AVAILABLE Services include but are not limited to:  Lost password and file recovery  Location and retrieval of deleted and hidden files  File and email decryption  Email supervision and authentication  Threatening email traced to source  Identification of Internet activity  Computer usage policy and supervision  Remote PC and network monitoring  Tracking and location of stolen electronic files  Honeypot sting operations  Location and identity of unauthorized software users  Theft recovery software for laptops and PCs  Investigative and security software creation  Protection from hackers and viruses Source: COMPUTER FORENSICS: COMPUTER CRIME SCENE INVESTIGATION, JOHN VACCA Send your feedback to kranthi@kranthi.co.in

Recomendados

05 Duplication and Preservation of Digital evidence - Notes
05 Duplication and Preservation of Digital evidence - Notes05 Duplication and Preservation of Digital evidence - Notes
05 Duplication and Preservation of Digital evidence - Notes
Kranthi
 
01 Computer Forensics Fundamentals - Notes
01 Computer Forensics Fundamentals - Notes01 Computer Forensics Fundamentals - Notes
01 Computer Forensics Fundamentals - Notes
Kranthi
 
04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - Notes04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - Notes
Kranthi
 
computer forensic tools-Hardware & Software tools
computer forensic tools-Hardware & Software toolscomputer forensic tools-Hardware & Software tools
computer forensic tools-Hardware & Software tools
N.Jagadish Kumar
 
06 Computer Image Verification and Authentication - Notes
06 Computer Image Verification and Authentication - Notes06 Computer Image Verification and Authentication - Notes
06 Computer Image Verification and Authentication - Notes
Kranthi
 
03 Data Recovery - Notes
03 Data Recovery - Notes03 Data Recovery - Notes
03 Data Recovery - Notes
Kranthi
 
CNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic DuplicationCNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic Duplication
Sam Bowne
 
Forensics Analysis and Validation
Forensics Analysis and Validation Forensics Analysis and Validation
Forensics Analysis and Validation
Jyothishmathi Institute of Technology and Science Karimnagar
 

Recomendados

05 Duplication and Preservation of Digital evidence - Notes
05 Duplication and Preservation of Digital evidence - Notes05 Duplication and Preservation of Digital evidence - Notes
05 Duplication and Preservation of Digital evidence - Notes
Kranthi
 
01 Computer Forensics Fundamentals - Notes
01 Computer Forensics Fundamentals - Notes01 Computer Forensics Fundamentals - Notes
01 Computer Forensics Fundamentals - Notes
Kranthi
 
04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - Notes04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - Notes
Kranthi
 
computer forensic tools-Hardware & Software tools
computer forensic tools-Hardware & Software toolscomputer forensic tools-Hardware & Software tools
computer forensic tools-Hardware & Software tools
N.Jagadish Kumar
 
06 Computer Image Verification and Authentication - Notes
06 Computer Image Verification and Authentication - Notes06 Computer Image Verification and Authentication - Notes
06 Computer Image Verification and Authentication - Notes
Kranthi
 
03 Data Recovery - Notes
03 Data Recovery - Notes03 Data Recovery - Notes
03 Data Recovery - Notes
Kranthi
 
CNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic DuplicationCNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic Duplication
Sam Bowne
 
Forensics Analysis and Validation
Forensics Analysis and Validation Forensics Analysis and Validation
Forensics Analysis and Validation
Jyothishmathi Institute of Technology and Science Karimnagar
 
Digital Evidence by Raghu Khimani
Digital Evidence by Raghu KhimaniDigital Evidence by Raghu Khimani
Digital Evidence by Raghu Khimani
Dr Raghu Khimani
 
DATA RECOVERY TECHNIQUES
DATA RECOVERY TECHNIQUESDATA RECOVERY TECHNIQUES
DATA RECOVERY TECHNIQUES
Venkatesh Pensalwar
 
Digital forensics
Digital forensicsDigital forensics
Digital forensics
Roberto Ellis
 
E-mail Investigation
E-mail InvestigationE-mail Investigation
E-mail Investigation
edwardbel
 
Data recovery power point
Data recovery power pointData recovery power point
Data recovery power point
tutannandi
 
data hiding techniques.ppt
data hiding techniques.pptdata hiding techniques.ppt
data hiding techniques.ppt
Muzamil Amin
 
Data Acquisition
Data AcquisitionData Acquisition
Data Acquisition
primeteacher32
 
Digital Forensic
Digital ForensicDigital Forensic
Digital Forensic
Cleverence Kombe
 
Cyber Forensics Module 1
Cyber Forensics Module 1Cyber Forensics Module 1
Cyber Forensics Module 1
Manu Mathew Cherian
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkit
Milap Oza
 
Initial Response and Forensic Duplication
Initial Response and Forensic Duplication Initial Response and Forensic Duplication
Initial Response and Forensic Duplication
Jyothishmathi Institute of Technology and Science Karimnagar
 
Computer Forensics Working with Windows and DOS Systems
Computer Forensics Working with Windows and DOS SystemsComputer Forensics Working with Windows and DOS Systems
Computer Forensics Working with Windows and DOS Systems
Jyothishmathi Institute of Technology and Science Karimnagar
 
Traditional Problems Associated with Computer Crime
Traditional Problems Associated with Computer CrimeTraditional Problems Associated with Computer Crime
Traditional Problems Associated with Computer Crime
Dhrumil Panchal
 
Mobile Forensics
Mobile ForensicsMobile Forensics
Mobile Forensics
primeteacher32
 
Memory forensics.pptx
Memory forensics.pptxMemory forensics.pptx
Memory forensics.pptx
9905234521
 
How to Recover Deleted Files for Free with Recuva
How to Recover Deleted Files for Free with RecuvaHow to Recover Deleted Files for Free with Recuva
How to Recover Deleted Files for Free with Recuva
maggiemiao
 
Live data collection_from_windows_system
Live data collection_from_windows_systemLive data collection_from_windows_system
Live data collection_from_windows_system
Maceni Muse
 
Digital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research ChallengeDigital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research Challenge
Aung Thu Rha Hein
 
Computer forensics ppt
Computer forensics pptComputer forensics ppt
Computer forensics ppt
Nikhil Mashruwala
 
Computer forensics powerpoint presentation
Computer forensics powerpoint presentationComputer forensics powerpoint presentation
Computer forensics powerpoint presentation
Somya Johri
 
Cyber Crime
Cyber CrimeCyber Crime
Cyber Crime
mukeshkaran
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
Shreya Singireddy
 

Mais conteúdo relacionado

Mais procurados

Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkit
Milap Oza
 
Live data collection_from_windows_system
Live data collection_from_windows_systemLive data collection_from_windows_system
Live data collection_from_windows_system
Maceni Muse
 

Mais procurados (20)

Digital Evidence by Raghu Khimani
Digital Evidence by Raghu KhimaniDigital Evidence by Raghu Khimani
Digital Evidence by Raghu Khimani
 
DATA RECOVERY TECHNIQUES
DATA RECOVERY TECHNIQUESDATA RECOVERY TECHNIQUES
DATA RECOVERY TECHNIQUES
 
Digital forensics
Digital forensicsDigital forensics
Digital forensics
 
E-mail Investigation
E-mail InvestigationE-mail Investigation
E-mail Investigation
 
Data recovery power point
Data recovery power pointData recovery power point
Data recovery power point
 
data hiding techniques.ppt
data hiding techniques.pptdata hiding techniques.ppt
data hiding techniques.ppt
 
Data Acquisition
Data AcquisitionData Acquisition
Data Acquisition
 
Digital Forensic
Digital ForensicDigital Forensic
Digital Forensic
 
Cyber Forensics Module 1
Cyber Forensics Module 1Cyber Forensics Module 1
Cyber Forensics Module 1
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkit
 
Initial Response and Forensic Duplication
Initial Response and Forensic Duplication Initial Response and Forensic Duplication
Initial Response and Forensic Duplication
 
Computer Forensics Working with Windows and DOS Systems
Computer Forensics Working with Windows and DOS SystemsComputer Forensics Working with Windows and DOS Systems
Computer Forensics Working with Windows and DOS Systems
 
Traditional Problems Associated with Computer Crime
Traditional Problems Associated with Computer CrimeTraditional Problems Associated with Computer Crime
Traditional Problems Associated with Computer Crime
 
Mobile Forensics
Mobile ForensicsMobile Forensics
Mobile Forensics
 
Memory forensics.pptx
Memory forensics.pptxMemory forensics.pptx
Memory forensics.pptx
 
How to Recover Deleted Files for Free with Recuva
How to Recover Deleted Files for Free with RecuvaHow to Recover Deleted Files for Free with Recuva
How to Recover Deleted Files for Free with Recuva
 
Live data collection_from_windows_system
Live data collection_from_windows_systemLive data collection_from_windows_system
Live data collection_from_windows_system
 
Digital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research ChallengeDigital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research Challenge
 
Computer forensics ppt
Computer forensics pptComputer forensics ppt
Computer forensics ppt
 
Computer forensics powerpoint presentation
Computer forensics powerpoint presentationComputer forensics powerpoint presentation
Computer forensics powerpoint presentation
 

Destaque

Chapter 3 cmp forensic
Chapter 3 cmp forensicChapter 3 cmp forensic
Chapter 3 cmp forensic
shahhardik27
 
Chfi V3 Module 01 Computer Forensics In Todays World
Chfi V3 Module 01 Computer Forensics In Todays WorldChfi V3 Module 01 Computer Forensics In Todays World
Chfi V3 Module 01 Computer Forensics In Todays World
gueste0d962
 
Cyberwar poster english
Cyberwar poster englishCyberwar poster english
Cyberwar poster english
Abbas Badran
 
Legal aspects of handling cyber frauds
Legal aspects of handling cyber fraudsLegal aspects of handling cyber frauds
Legal aspects of handling cyber frauds
Sagar Rahurkar
 
Computer +forensics
Computer +forensicsComputer +forensics
Computer +forensics
Rahul Baghla
 

Destaque (11)

Cyber Crime
Cyber CrimeCyber Crime
Cyber Crime
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
 
Chapter 3 cmp forensic
Chapter 3 cmp forensicChapter 3 cmp forensic
Chapter 3 cmp forensic
 
Watching the Detectives: Using digital forensics techniques to investigate th...
Watching the Detectives: Using digital forensics techniques to investigate th...Watching the Detectives: Using digital forensics techniques to investigate th...
Watching the Detectives: Using digital forensics techniques to investigate th...
 
Digital forensics
Digital forensicsDigital forensics
Digital forensics
 
computer forensics
computer forensicscomputer forensics
computer forensics
 
Chfi V3 Module 01 Computer Forensics In Todays World
Chfi V3 Module 01 Computer Forensics In Todays WorldChfi V3 Module 01 Computer Forensics In Todays World
Chfi V3 Module 01 Computer Forensics In Todays World
 
Cyberwar poster english
Cyberwar poster englishCyberwar poster english
Cyberwar poster english
 
Legal aspects of handling cyber frauds
Legal aspects of handling cyber fraudsLegal aspects of handling cyber frauds
Legal aspects of handling cyber frauds
 
Computer forensic ppt
Computer forensic pptComputer forensic ppt
Computer forensic ppt
 
Computer +forensics
Computer +forensicsComputer +forensics
Computer +forensics
 

Semelhante a 02 Types of Computer Forensics Technology - Notes

computerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdfcomputerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdf
Gnanavi2
 
Comparative Analysis of Digital Forensic Extraction Tools
Comparative Analysis of Digital Forensic Extraction ToolsComparative Analysis of Digital Forensic Extraction Tools
Comparative Analysis of Digital Forensic Extraction Tools
ijtsrd
 
Cyber&digital forensics report
Cyber&digital forensics reportCyber&digital forensics report
Cyber&digital forensics report
yash sawarkar
 
AD_FTKX_BRO_ENG_19Nov2014
AD_FTKX_BRO_ENG_19Nov2014AD_FTKX_BRO_ENG_19Nov2014
AD_FTKX_BRO_ENG_19Nov2014
Leonard Cibelli
 
Computer Forensics chap 3+4.DS_Store__MACOSXComputer Foren.docx
Computer Forensics chap 3+4.DS_Store__MACOSXComputer Foren.docxComputer Forensics chap 3+4.DS_Store__MACOSXComputer Foren.docx
Computer Forensics chap 3+4.DS_Store__MACOSXComputer Foren.docx
maxinesmith73660
 
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docxLecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
smile790243
 

Semelhante a 02 Types of Computer Forensics Technology - Notes (20)

Latest presentation
Latest presentationLatest presentation
Latest presentation
 
Cyber Forensics Module 2
Cyber Forensics Module 2Cyber Forensics Module 2
Cyber Forensics Module 2
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
 
computerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdfcomputerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdf
 
Role of a Forensic Investigator
Role of a Forensic InvestigatorRole of a Forensic Investigator
Role of a Forensic Investigator
 
Computer Forensic
Computer ForensicComputer Forensic
Computer Forensic
 
Analysis of digital evidence
Analysis of digital evidenceAnalysis of digital evidence
Analysis of digital evidence
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
 
IRJET- Analysis of Forensics Tools in Cloud Environment
IRJET- Analysis of Forensics Tools in Cloud EnvironmentIRJET- Analysis of Forensics Tools in Cloud Environment
IRJET- Analysis of Forensics Tools in Cloud Environment
 
Comparative Analysis of Digital Forensic Extraction Tools
Comparative Analysis of Digital Forensic Extraction ToolsComparative Analysis of Digital Forensic Extraction Tools
Comparative Analysis of Digital Forensic Extraction Tools
 
Cyber&digital forensics report
Cyber&digital forensics reportCyber&digital forensics report
Cyber&digital forensics report
 
AD_FTKX_BRO_ENG_19Nov2014
AD_FTKX_BRO_ENG_19Nov2014AD_FTKX_BRO_ENG_19Nov2014
AD_FTKX_BRO_ENG_19Nov2014
 
Computer Forensics chap 3+4.DS_Store__MACOSXComputer Foren.docx
Computer Forensics chap 3+4.DS_Store__MACOSXComputer Foren.docxComputer Forensics chap 3+4.DS_Store__MACOSXComputer Foren.docx
Computer Forensics chap 3+4.DS_Store__MACOSXComputer Foren.docx
 
Digital forensics lessons
Digital forensics lessons Digital forensics lessons
Digital forensics lessons
 
Forensic imaging
Forensic imagingForensic imaging
Forensic imaging
 
Automated Live Forensics Analysis for Volatile Data Acquisition
Automated Live Forensics Analysis for Volatile Data AcquisitionAutomated Live Forensics Analysis for Volatile Data Acquisition
Automated Live Forensics Analysis for Volatile Data Acquisition
 
Enterprise Digital Forensics and Secuiryt with Open Source tools: Automate Au...
Enterprise Digital Forensics and Secuiryt with Open Source tools: Automate Au...Enterprise Digital Forensics and Secuiryt with Open Source tools: Automate Au...
Enterprise Digital Forensics and Secuiryt with Open Source tools: Automate Au...
 
4.content (computer forensic)
4.content (computer forensic)4.content (computer forensic)
4.content (computer forensic)
 
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docxLecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
 
Best Cyberforensic Tools.pdf
Best Cyberforensic Tools.pdfBest Cyberforensic Tools.pdf
Best Cyberforensic Tools.pdf
 

Último

1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
QucHHunhnh
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
ZurliaSoop
 
Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functions
KarakKing
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please Practise
AnaAcapella
 

Último (20)

How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
Unit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxUnit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptx
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin ClassesMixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - English
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POS
 
Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functions
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentation
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
Spatium Project Simulation student brief
Spatium Project Simulation student briefSpatium Project Simulation student brief
Spatium Project Simulation student brief
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please Practise
 

02 Types of Computer Forensics Technology - Notes

  • 1. COMPUTER FORENSICS UNIT I – PART II 1 1. TYPES OF MILITARY COMPUTER FORENSIC TECHNOLOGY  Key objectives of cyber forensics include rapid discovery of evidence, estimation of potential impact of the malicious activity on the victim, and assessment of the intent and identity of the perpetrator.  Real-time tracking of potentially malicious activity is especially difficult when the pertinent information has been intentionally hidden, destroyed, or modified in order to elude discovery.  National Law Enforcement and Corrections Technology Center (NLECTC) works with criminal justice professionals to identify urgent and emerging technology needs.  NLECTC centers demonstrate new technologies, test commercially available technologies and publish results — linking research and practice.  National Institute of Justice (NIJ) sponsors research and development or identifies best practices to address those needs.  The information directorate entered into a partnership with the NIJ via the auspices of the NLECTC, to test the new ideas and prototype tools. The Computer Forensics Experiment 2000 (CFX-2000) resulted from this partnership. COMPUTER FORENSIC EXPERIMENT-2000 (CFX-2000) ****  CFX-2000 is an integrated forensic analysis framework.  The central hypothesis of CFX-2000 is that it is possible to accurately determine the motives, intent, targets, sophistication, identity, and location of cyber criminals and cyber terrorists by deploying an integrated forensic analysis framework.  The cyber forensic tools involved in CFX-2000 consisted of commercial off-the-shelf software and directorate-sponsored R&D prototypes. CFX includes SI-FI integration environment.  The Synthesizing Information from Forensic Investigations (SI-FI) integration environment supports the collection, examination, and analysis processes employed during a cyber-forensic investigation.  The SI-FI prototype uses digital evidence bags (DEBs), which are secure and tamperproof containers used to store digital evidence.  Investigators can seal evidence in the DEBs and use the SI-FI implementation to collaborate on complex investigations. Types of Computer Forensics Technology
  • 2. COMPUTER FORENSICS UNIT I – PART II 2  Authorized users can securely reopen the DEBs for examination, while automatic audit of all actions ensures the continued integrity of their contents.  The teams used other forensic tools and prototypes to collect and analyze specific features of the digital evidence, perform case management and timelining of digital events, automate event link analysis, and perform steganography detection.  The results of CFX-2000 verified that the hypothesis was largely correct and that it is possible to ascertain the intent and identity of cyber criminals.  As electronic technology continues its explosive growth, researchers need to continue vigorous R&D of cyber forensic technology in preparation for the onslaught of cyber reconnaissance probes and attacks. CFX-2000 Schematic 2. TYPES OF LAW ENFORCEMENT COMPUTER FORENSIC TECHNOLOGY Computer forensics tools and techniques have become important resources for use in internal investigations, civil lawsuits, and computer security risk management. Law enforcement and military agencies have been involved in processing computer evidence for years. Computer Evidence Processing Procedures Processing procedures and methodologies should conform to federal computer evidence processing standards.
  • 3. COMPUTER FORENSICS UNIT I – PART II 3 1. Preservation of Evidence  Computer evidence is fragile and susceptible to alteration or erasure by any number of occurrences.  Computer evidence can be useful in criminal cases, civil disputes, and human resources/ employment proceedings.  Black box computer forensics software tools are good for some basic investigation tasks, but they do not offer a full computer forensics solution.  SafeBack software overcomes some of the evidence weaknesses inherent in black box computer forensics approaches.  SafeBack technology has become a worldwide standard in making mirror image backups since 1990. MIRROR IMAGE BACKUP SOFTWARE - SAFEBACK *****  SafeBack is used to create mirror-image (bit-stream) backup files of hard disks or to make a mirror- image copy of an entire hard disk drive or partition.  SafeBack image files cannot be altered or modified to alter the reproduction. This is because SafeBack is an industry standard self-authenticating computer forensics tool that is used to create evidence-grade backups of hard drives. PRIMARY USES  Used to create evidence-grade backups of hard disk drives on Intel-based computer systems.  Used to exactly restore archived SafeBack images to another computer hard disk drive of equal or larger storage capacity.  Used as an evidence preservation tool in law enforcement and civil litigation matters.  Used as an intelligence gathering tool by military agencies. PROGRAM FEATURES AND BENEFITS  DOS based for ease of operation and speed.  Provides a detailed audit trail of the backup process for evidence documentation purposes.  Checks for possible data hiding when sector cyclic redundancy checks (CRCs) do not match on the target hard disk drive. These findings are automatically recorded in the SafeBack audit log file.  Allows the archive of non-DOS and non-Windows hard disk drives (Unix on an Intel-based computer system).  Allows for the backup process to be made via the printer port.
  • 4. COMPUTER FORENSICS UNIT I – PART II 4  Duplicate copies of hard disk drives can be made from hard disk to hard disk in direct mode.  SafeBack image files can be stored as one large file or separate files of fixed sizes. This feature is helpful in making copies for archive on CDs.  Tried and proven evidence-preservation technology with a 10 years legacy of success in government agencies.  Does not compress relevant data to avoid legal arguments that the original computer evidence was altered through data compression or software translation.  It is fast and efficient. In spite of the extensive mathematical validation, the latest version of SafeBack runs faster than prior versions. Processing speeds are much faster when state-of-the-art computer systems are used to make the backup.  Makes copies in either physical or logical mode at the option of the user.  Copies and restores multiple partitions containing one or more operating systems.  Can be used to accurately copy and restore most hard disk drives including Windows NT, Windows 2000, and Windows XP in a raid configuration.  Accuracy is guaranteed in the backup process through the combination of mathematical CRCs that provides a level of accuracy that far exceeds the accuracy provided by 128-bit CRCs (RSA MD5).  Writes to SCSI tape backup units or hard disk drives at the option of the user. TROJAN HORSE PROGRAMS  The computer forensic expert should be able to demonstrate his or her ability to avoid destructive programs and traps that can be planted by computer users bent on destroying data and evidence.  Such programs can also be used to covertly capture sensitive information, passwords, and network logons. COMPUTER FORENSICS DOCUMENTATION  Without proper documentation, it is difficult to present findings.  If the security or audit findings become the object of a lawsuit or a criminal investigation, then documentation becomes even more important. FILE SLACK  Slack space in a file is the remnant area at the end of a file in the last assigned disk cluster, that is unused by current file data, but once again, may be a possible site for previously created and relevant evidence.  Techniques and automated tools that are used by the experts to capture and evaluate file slack.
  • 5. COMPUTER FORENSICS UNIT I – PART II 5 DATA-HIDING TECHNIQUES  Trade secret information and other sensitive data can easily be secreted using any number of techniques. It is possible to hide diskettes within diskettes and to hide entire computer hard disk drive partitions. Computer forensic experts should understand such issues and tools that help in the identification of such anomalies. ANADISK - DISKETTE ANALYSIS TOOL ***** It is primarily used to identify data storage anomalies on floppy diskettes and generic hardware in the form of floppy disk controllers; bios are needed when using this software PRIMARY USES  Security reviews of floppy diskettes for storage anomalies  Duplication of diskettes that are nonstandard or that involve storage anomalies  Editing diskettes at a physical sector level  Searching for data on floppy diskettes in traditional and nontraditional storage areas  Formatting diskettes in nontraditional ways for training purposes and to illustrate data-hiding techniques PROGRAM FEATURES AND BENEFITS  DOS-based for ease of operation and speed.  No software dongle. Again, software dongles get in the way and they are restrictive.  Keyword searches can be conducted at a very low level and on diskettes that have been formatted with extra tracks. This feature is helpful in the evaluation of diskettes that may involve sophisticated data-hiding techniques.  All DOS formats are supported, as well as many non-DOS formats (Apple Macintosh, Unix TAR, and many others). If the diskette will fit in a PC floppy diskette drive, it is likely that AnaDisk can be used to analyze it.  Allows custom formatting of diskettes with extra tracks and sectors.  Scans for anomalies will identify odd formats, extra tracks, and extra sectors.  Data mismatches, concerning some file formats, are also identified when file extensions have been changed in an attempt to hide data.  This software can be used to copy almost any diskette, including most copy-protected diskettes.
  • 6. COMPUTER FORENSICS UNIT I – PART II 6 E-COMMERCE INVESTIGATIONS  Net Threat Analyzer can be used to identify past Internet browsing and email activity done through specific computers. The software analyzes a computer’s disk drives and other storage areas that are generally unknown to or beyond the reach of most general computer users. Net Threat Analyzer avail-able free of charge to computer crime specialists, school officials, and police. DUAL-PURPOSE PROGRAMS  Programs can be designed to perform multiple processes and tasks at the same time. Computer forensics experts must have hands-on experience with these programs. TEXT SEARCH TECHNIQUES  Tools that can be used to find targeted strings of text in files, file slack, unallocated file space, and Windows swap files. TEXT SEARCH PLUS ***** This software is used to quickly search hard disk drives, zip disks, and floppy diskettes for key words or specific patterns of text. PRIMARY USES  Used to find occurrences of words or strings of text in data stored in files, slack, and unallocated file space  Used in exit reviews of computer storage media from classified facilities  Used to identify data leakage of classified information on non-classified computer systems  Used in internal audits to identify violations of corporate policy  Used by Fortune 500 corporations, government contractors, and government agencies in security reviews and security risk assessments  Used in corporate due diligence efforts regarding proposed mergers  Used to find occurrences of keywords strings of text in data found at a physical sector level  Used to find evidence in corporate, civil, and criminal investigations that involve computer-related evidence  Used to find embedded text in formatted word processing documents (Word-Perfect and fragments of such documents in ambient data storage areas)
  • 7. COMPUTER FORENSICS UNIT I – PART II 7 PROGRAM FEATURES AND BENEFITS  DOS-based for ease of operation and speed.  No software dongle. Software dongles get in the way and they restrict your ability to process several computers at the same time.  Small memory foot print (under 60 KB), which allows the software to run on even the original IBM PC.  Compact program size, which easily fits on one floppy diskette with other forensic software utilities.  Searches files, slack, and erased space in one fast operation.  Has logical and physical search options that maintain compatibility with government security review requirements.  User-defined search configuration feature.  User configuration is automatically saved for future use.  Embedded words and strings of text are found in word processing files.  Alert for graphic files (secrets can be hidden in them).  Alert for compressed files.  High speed operation. This is the fastest tool on the market, which makes for quick searches on huge hard disk drives.  Screen and file output.  False hits don’t stop processing.  Government tested—specifically designed for security reviews in classified environments.  Currently used by hundreds of law enforcement computer crime units.  Currently in use by all of the Big 5 accounting firms.  The current version allows for up to 120 search strings to be searched for at one time. FUZZY LOGIC TOOLS USED TO IDENTIFY UNKNOWN TEXT  Computer evidence searches require that the computer specialist know what is being searched for. Many times not all is known about what may be stored on a given computer system.  In such cases, fuzzy logic tools can provide valuable leads as to how the subject computer was used.
  • 8. COMPUTER FORENSICS UNIT I – PART II 8 INTELLIGENT FORENSIC FILTER - FILTER_G/FILTER_I *****  This forensic filter utility is used to quickly make sense of nonsense in the analysis of ambient data sources (Windows swap/page files, file slack, and data associated with erased files).  It is used to quickly identify patterns of English language grammar in ambient data files. PRIMARY USES  Used as an intelligence gathering tool for quick assessments of a Windows swap/page file to identify past communications on a targeted computer  Used as a data sampling tool in law enforcement, military, and corporate investigations  Used to quickly identify patterns of English language grammar in ambient data sources  Used to identify English language communications in erased file space PROGRAM FEATURES AND BENEFITS  DOS-based for speed.  Automatically processes any data object (a swap file, a file constructed from combined file slack, a file constructed from combined unallocated space, or a Windows swap/page file.  Provides output in an ASCII text format that is ready for import into any word processing application.  Capable of quickly processing ambient data files that are up to 2 gigabytes in size. 2. Disk Structure  Computer forensic experts must understand how computer hard disks and floppy diskettes are structured and how computer evidence can reside at various levels within the structure of the disk.  They should also demonstrate their knowledge of how to modify the structure and hide data in obscure places on floppy diskettes and hard disk drives. 3. Data Encryption  Computer forensic experts should become familiar with the use of software to crack security associated with the different file structures. 4. Matching a Diskette to a Computer  Specialized techniques and tools that make it possible to conclusively tie a diskette to a computer that was used to create or edit files stored on it. Computer forensic experts should become familiar how to use special software tools to complete this process.
  • 9. COMPUTER FORENSICS UNIT I – PART II 9 5. Data Compression  Computer forensic experts should become familiar with how compression works and how compression programs can be used to hide and disguise sensitive data and also learn how password- protected compressed files can be broken. 6. Erased Files  Computer forensic experts should become familiar with how previously erased files can be recovered by using DOS programs and by manually using data-recovery technique & familiar with cluster chaining. 7. Internet Abuse Identification and Detection  Computer forensic experts should become familiar with how to use specialized software to identify how a targeted computer has been used on the Internet.  This process will focus on computer forensics issues tied to data that the computer user probably doesn’t realize exists (file slack, unallocated file space, and Windows swap files). 8. The Boot Process and Memory Resident Programs  Computer forensic experts should become familiar with how the operating system can be modified to change data and destroy data at the whim of the person who configured the system.  Such a technique could be used to covertly capture keyboard activity from corporate executives, for example. For this reason, it is important that the experts understand these potential risks and how to identify them. 3. TYPES OF BUSINESS COMPUTER FORENSIC TECHNOLOGY *** The following are different types of business computer forensics technology: REMOTE MONITORING OF TARGET COMPUTERS  Data Interception by Remote Transmission (DIRT) is a powerful remote control monitoring tool that allows stealth monitoring of all activity on one or more target computers simultaneously from a remote command center.  No physical access is necessary. Application also allows agents to remotely seize and secure digital evidence prior to physically entering suspect premises.
  • 10. COMPUTER FORENSICS UNIT I – PART II 10 CREATING TRACKABLE ELECTRONIC DOCUMENTS  Binary Audit Identification Transfer (BAIT) is a powerful intrusion detection tool that allows users to create trackable electronic documents.  BAIT identifies (including their location) unauthorized intruders who access, download, and view these tagged documents.  BAIT also allows security personnel to trace the chain of custody and chain of command of all who possess the stolen electronic documents. THEFT RECOVERY SOFTWARE FOR LAPTOPS AND PCS  What it really costs to replace a stolen computer:  The price of the replacement hardware & software.  The cost of recreating data, lost production time or instruction time, reporting and investigating the theft, filing police reports and insurance claims, increased insurance, processing and ordering replacements, cutting a check, and the like.  The loss of customer goodwill.  If a thief is ever caught, the cost of time involved in prosecution.  PC PHONEHOME  PC PhoneHome is a software application that will track and locate a lost or stolen PC or laptop any-where in the world. It is easy to install. It is also completely transparent to the user.  If your PC PhoneHome-protected computer is lost or stolen, all you need to do is make a report to the local police and call CD’s 24-hour command center. CD’s recovery specialists will assist local law enforcement in the recovery of your property. BASIC FORENSIC TOOLS AND TECHNIQUES  Many computer forensics workshops have been created to familiarize investigators and security personnel with the basic techniques and tools necessary for a successful investigation of Internet and computer-related crimes.  Workshop topics normally include: types of computer crime, cyber law basics, tracing email to its source, digital evidence acquisition, cracking passwords, monitoring computers remotely, tracking
  • 11. COMPUTER FORENSICS UNIT I – PART II 11 online activity, finding and recovering hidden and deleted data, locating stolen computers, creating trackable files, identifying software pirates, and so on. FORENSIC SERVICES AVAILABLE Services include but are not limited to:  Lost password and file recovery  Location and retrieval of deleted and hidden files  File and email decryption  Email supervision and authentication  Threatening email traced to source  Identification of Internet activity  Computer usage policy and supervision  Remote PC and network monitoring  Tracking and location of stolen electronic files  Honeypot sting operations  Location and identity of unauthorized software users  Theft recovery software for laptops and PCs  Investigative and security software creation  Protection from hackers and viruses Source: COMPUTER FORENSICS: COMPUTER CRIME SCENE INVESTIGATION, JOHN VACCA Send your feedback to kranthi@kranthi.co.in