Department of Computer Science

Published on December 2016 | Categories: Documents | Downloads: 8 | Comments: 0 | Views: 102

DEPARTMENT OF COMPUTER SCIENCE
FACULTY OF PHYSICAL SCIENCE
UNIVERSITY OF BENIN
BENIN CITY

SEMINAR PRESENTATION ON
COMPUTER FORENSIC INVESTIGATION
BY

AWOWO SAMUEL
PSC1113593

JULY 31ST 2015

CERTIFICATION
I hereby certify that the department seminar presentation COMPUTER FORENSIC INVESTIGATION was presented by Awowo Samuel in the month of JULY 2015 and was accordingly approved.

Prof. Mrs F.A. Egbokhare, Chief supervisor ............................ date ..................
Dr. V.A. Aladeslu, Supervisor ............................ date ..................
Dr. F. A. U. Imouokhome (Engr), Supervisor ............................ date ..................
Mr. E. Nwelih, Supervisor ............................ date ..................
Mr. K.O. Otokiti, Supervisor ............................ date ..................

ACKNOWLEDGEMENT
Thanks be to God who gave me the grace and strength to attain the desired goal in bringing this seminar research to light.
I am indeed grateful to all my supervisors for their patience and guidance in the supervision of this work, and to other lecturers in the Department for their intellectual impact.
Lastly, I express my profound gratitude to my parents Rev. and Mrs. V.M. Awowo, and all who contributed intellectually, morally, spiritually, physically and financially to make this work successful.

TABLE OF CONTENTS
1. Title page
2. Certification
3. Acknowledgement
4. Table of contents
5. Introduction
6. Purpose of computer forensics
7. Classes of forensic investigation
8. What happens when a file is deleted
9. Typical computer forensic investigations
10. Who uses computer forensics
11. Computer forensic software
12. EnCase Forensic
13. Conclusion
14. References

ABSTRACT
This paper provides an introduction to the discipline of Computer Forensics. With computers being involved in an increasing number, and type, of crimes, the trace data left on electronic media can play a vital part in the legal process. To ensure acceptance by the courts, accepted processes and procedures have to be adopted and demonstrated, which are not dissimilar to the issues surrounding traditional forensic investigations. This paper provides a straightforward overview of the three steps involved in the examination of digital media:
* Acquisition of data
* Investigation of evidence
* Reporting and presentation of evidence

INTRODUCTION
Computer Forensics
Computer Forensics can be defined simply as the process of applying scientific and analytical techniques to computer operating systems and file structures in order to determine the potential for legal evidence. It is the collection, preservation, analysis and presentation of computer-related evidence: determining, using computer forensic techniques, the past actions that have taken place on a computer system.
Purpose of Computer Forensics
Forensics, also known as forensic science, is the application of science to questions that are of interest to the legal profession. Forensics is not limited to analyzing evidence from a murder scene; it can also be applied to technology. As computers are the foundation for communicating and recording information, a new area known as computer forensics, which uses technology to search for computer evidence of a crime, can attempt to retrieve information, even if it has been altered or erased, that can be used in the pursuit of the attacker or criminal.

CLASSES OF FORENSIC INVESTIGATION
Incident Response (Live System Analysis): Live forensics considers the value of the data that would be lost by powering down a system, and collects it while the system is still running. The other objective of live forensics is to minimize the impact on the integrity of data while collecting evidence from the suspect system.
Post-Mortem Analysis: Post-mortem computer forensics analysis is a process that helps determine whether an incident response has failed to adequately contain a threat, and assists in selecting increased security measures. It is critical to understand that post-mortem computer forensics analysis is not the same technical process as forensic incident response. Only when failures occur during the incident response process is there a need for the investigative team to perform post-mortem computer forensics.
Computer Forensic Capabilities
- Recover deleted files
- Find out what external devices have been attached and what users accessed them
- Determine what programs ran
- Recover webpages
- Recover emails and the users who read them
- Recover chat logs
- Determine file servers used
- Discover a document's hidden history
- Recover phone records and SMS text messages from mobile devices
- Find malware and data collected

Typical Investigations
1. Theft of Company Secrets (client, customer or employee lists)
2. Employee Sabotage
3. Credit Card Fraud
4. Financial Crimes
5. Embezzlement (money or information)
6. Economic Crimes
7. Harassment
8. Child Pornography
9. Major Crimes
10. Identity Theft
Media Devices that hold Potential Data
I. Computers and laptops
II. iPads
III. iPods
IV. Smartphones and most other cell phones
V. MP3 music players
VI. Hard Drives
VII. Digital Cameras
VIII. USB Memory Devices
IX. PDAs (Personal Digital Assistants)
X. Backup Tapes
XI. CD-ROMs & DVDs

WINDOWS OPERATING SYSTEM FILE STORAGE
- File Allocation Table (FAT), exFAT
- New Technology File System (NTFS)
- Master File Table (MFT)
File Allocation Table (FAT): The File Allocation Table file system (FAT) is a cluster-based file system first developed in the mid 1970s. Its later version, FAT32 (released with Windows 95), is still widely used as the format for removable storage devices, largely because it is a convenient way of sharing data between different operating systems. A disadvantage of FAT32 is its maximum file size limit of 4GB. In 2006 Microsoft released exFAT to address this issue and to improve performance on large media. Every file on a FAT hard disk is stored in a directory (folder).
New Technology File System (NTFS): The NTFS file system is what you are likely to encounter on newer hard disks running operating systems like Windows 7 or 2008. Whilst its Master File Table (MFT) is more complex than a FAT, the principle of locating the start of a file and its subsequent storage clusters is essentially the same.
What Happens when a File is Deleted
When a file is deleted, the operating system marks the file name in the MFT with a special character that signifies to the computer that the file has been deleted. The computer now regards the clusters occupied by that file as empty, and therefore as available space in which to store a new file. The actual data that was contained in the file is not deleted; instead it remains on the hard drive, and the location where the content or data sits is referred to as unallocated space.
Unallocated space: sometimes called "free space", is logical space on a hard drive that the operating system, e.g. Windows, can write to. To put it another way, it is the opposite of "allocated" space, which is where the operating system has already written files.
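To make the deletion mechanism concrete, here is an added Python example (not from the seminar paper) that models a tiny FAT-style volume: a directory table whose entries point at clusters, using the FAT convention that deleting a file only overwrites the first byte of its directory-entry name with 0xE5 while the clusters keep their contents. The geometry (entry layout, cluster size) is a simplified assumption, not a real on-disk format.

```python
import struct

# Constructed toy volume: a directory table followed by a cluster area.
# Geometry is simplified for illustration and is NOT a real FAT layout (assumption).
CLUSTER_SIZE = 16
DIR_ENTRIES = 4
ENTRY_SIZE = 16          # 11-byte 8.3 name, 1 pad byte, start cluster (u16), size (u16)
DIR_BYTES = DIR_ENTRIES * ENTRY_SIZE
DELETED_MARK = 0xE5      # FAT marks a deleted entry by overwriting the first name byte with 0xE5


def new_volume(n_clusters=8):
    return bytearray(DIR_BYTES + n_clusters * CLUSTER_SIZE)


def write_file(vol, slot, name, start, data):
    """Record the file in a directory slot and copy its bytes into consecutive clusters."""
    entry = name.ljust(11).encode("ascii") + b"\x00" + struct.pack("<HH", start, len(data))
    vol[slot * ENTRY_SIZE:(slot + 1) * ENTRY_SIZE] = entry
    off = DIR_BYTES + start * CLUSTER_SIZE
    vol[off:off + len(data)] = data


def delete_file(vol, slot):
    """Delete the way the OS does: only the directory entry is marked; cluster data is untouched."""
    vol[slot * ENTRY_SIZE] = DELETED_MARK


def list_dir(vol):
    """Return (name, deleted, start, size) for every used entry, deleted ones included."""
    out = []
    for slot in range(DIR_ENTRIES):
        e = vol[slot * ENTRY_SIZE:(slot + 1) * ENTRY_SIZE]
        if not any(e):
            continue                                        # never-used slot
        deleted = e[0] == DELETED_MARK
        start, size = struct.unpack("<HH", e[12:16])
        shown = (b"?" + e[1:11]) if deleted else e[:11]     # first letter is lost on delete
        out.append((shown.decode("ascii").strip(), deleted, start, size))
    return out


def unallocated_clusters(vol):
    """Clusters no live entry points at: what forensic tools call unallocated space."""
    total = (len(vol) - DIR_BYTES) // CLUSTER_SIZE
    live = set()
    for _, deleted, start, size in list_dir(vol):
        if not deleted:
            live.update(range(start, start + -(-size // CLUSTER_SIZE)))
    return sorted(set(range(total)) - live)


def recover(vol, slot):
    """Read a deleted entry's clusters back; this works only until that space is reused."""
    start, size = struct.unpack("<HH", vol[slot * ENTRY_SIZE + 12:slot * ENTRY_SIZE + 16])
    off = DIR_BYTES + start * CLUSTER_SIZE
    return bytes(vol[off:off + size])
```

Writing a second file into the freed cluster shows why recovery is time-sensitive: the first cluster of the deleted file is overwritten, but the tail still survives in unallocated space.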


COMPUTER FORENSICS APPLICATION
Typical cases include divorce cases that need proof of infidelity or cheating, employees stealing information, and white-collar crime. In the private sector, computer forensic techniques and methodologies are used to investigate electronic break-ins, embezzlement, improper use of computing resources by employees, and theft of trade secrets, among other things. Those in the insurance business may use information retrieved from computer systems to identify fraud in workman's compensation, automobile or personal accident cases, or arson.
Areas where computer forensics is used are:
- Law enforcement
- Military
- University programs
- Computer security and IT professionals

Law Enforcement: at local, State and Federal levels; several detectives at local levels; inadequate funding; State Police; the FBI's Computer Analysis and Response Team (CART).

Military
- Test, identify, and gather evidence in the field
- Specialized training in imaging and identifying multiple sources of electronic evidence
- Analyze the evidence for rapid intelligence gathering and responding to security breach incidents
- Desktop and server forensic techniques
University Programs: authenticity of students, result forgery, impersonation, research plagiarism, etc.
Computer Security Professionals and IT Personnel: network traffic, compromised networks, insider threats, disloyal employees, malware, breach of contracts, e-mail fraud/spam, theft of company documents.

FORENSIC PROCESS
Techniques
A number of techniques are used during computer forensics investigations, and much has been written on the many techniques used by law enforcement in particular. See:
Cross-drive analysis: A forensic technique that correlates information found on multiple hard drives. The process, still being researched, can be used to identify social networks and to perform anomaly detection.
Live analysis: The examination of computers from within the operating system using custom forensics or existing sysadmin tools to extract evidence. The practice is useful when dealing with Encrypting File Systems, for example, where the encryption keys may be collected and, in some instances, the logical hard drive volume may be imaged (known as a live acquisition) before the computer is shut down.
Deleted files: A common technique used in computer forensics is the recovery of deleted files. Modern forensic software has its own tools for recovering or carving out deleted data. Most operating systems and file systems do not always erase physical file data, allowing investigators to reconstruct it from the physical disk sectors. File carving involves searching for known file headers within the disk image and reconstructing deleted materials.
Stochastic forensics: A method which uses stochastic properties of the computer system to investigate activities lacking digital artifacts. Its chief use is to investigate data theft.
Steganography: One of the techniques used to hide data is steganography, the process of hiding data inside a picture or digital image. An example would be to hide pornographic images of children or other information that a given criminal does not want to have discovered. Computer forensics professionals can fight this by looking at the hash of the file and comparing it to that of the original image (if available). While the image appears exactly the same, the hash changes as the data changes.
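As an added illustration of both the file-carving and the hash-comparison points above (example code, not the paper's or any tool's), this Python snippet scans a constructed raw image for well-known JPEG and PNG header/footer signatures, carves each match out, and flags any carved file whose SHA-256 is not in a set of known-good hashes. The sample image bytes are constructed stand-ins, not real pictures.

```python
import hashlib

# Well-known header/footer magic bytes for two common image formats.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image, max_size=1 << 20):
    """Find every known header in the raw bytes and cut to its matching footer.

    Returns (offset, kind, data) tuples sorted by offset. A header with no footer
    within max_size is skipped, which is how an unrecoverable fragment looks.
    """
    found = []
    for kind, (head, foot) in SIGNATURES.items():
        pos = image.find(head)
        while pos != -1:
            end = image.find(foot, pos + len(head), pos + max_size)
            if end == -1:
                pos = image.find(head, pos + 1)
                continue
            found.append((pos, kind, bytes(image[pos:end + len(foot)])))
            pos = image.find(head, end + len(foot))
    return sorted(found)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def check_against_known(carved, known_good):
    """Hash each carved file; a miss means the bytes differ from the reference copy,
    even if the picture would look identical when viewed (as with steganography)."""
    return [(off, kind, sha256(data) in known_good) for off, kind, data in carved]


# Constructed sample: a reference JPEG, a PNG, and a copy of the JPEG whose payload
# differs by one byte, buried in filler bytes that stand in for unallocated space.
ORIGINAL_JPG = b"\xff\xd8\xff\xe0" + b"\x00" * 12 + b"\xff\xd9"
ALTERED_JPG = b"\xff\xd8\xff\xe0" + b"\x00" * 11 + b"\x01" + b"\xff\xd9"
PNG = b"\x89PNG\r\n\x1a\n" + b"IHDR" + b"\x00" * 8 + b"IEND\xaeB`\x82"
DISK_IMAGE = b"\x00" * 7 + ORIGINAL_JPG + b"\xcc" * 5 + PNG + b"\x00" * 3 + ALTERED_JPG
KNOWN_GOOD = {sha256(ORIGINAL_JPG), sha256(PNG)}

if __name__ == "__main__":
    for off, kind, ok in check_against_known(carve(DISK_IMAGE), KNOWN_GOOD):
        print(f"offset {off:3d}  {kind}  {'matches reference' if ok else 'HASH MISMATCH'}")
```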
Volatile data
When seizing evidence, if the machine is still active, any information stored solely in RAM that is not recovered before powering down may be lost. One application of "live analysis" is to recover RAM data (for example, using Microsoft's COFEE tool or WindowsSCOPE) prior to removing an exhibit. CaptureGUARD Gateway bypasses Windows login for locked computers, allowing for the analysis and acquisition of physical memory on a locked computer.
RAM can be analyzed for prior content after power loss, because the electrical charge stored in the memory cells takes time to dissipate, an effect exploited by the cold boot attack. The length of time that data is recoverable is increased by low temperatures and higher cell voltages. Holding unpowered RAM below −60 °C helps preserve residual data by an order of magnitude, improving the chances of successful recovery. However, it can be impractical to do this during a field examination.

Some of the tools needed to extract volatile data, however,
require that a computer be in a forensic lab, both to maintain a
legitimate chain of evidence, and to facilitate work on the
machine. If necessary, law enforcement applies techniques to
move a live, running desktop computer. These include a mouse
jiggler, which moves the mouse rapidly in small movements
and prevents the computer from going to sleep accidentally.
Usually, an uninterruptible power supply (UPS) provides power
during transit.
However, one of the easiest ways to capture data is by actually
saving the RAM data to disk. Various file systems that have
journaling features such as NTFS and ReiserFS keep a large
portion of the RAM data on the main storage media during
operation, and these page files can be reassembled to
reconstruct what was in RAM at that time.
ANALYSIS TOOLS
Common Computer Forensic Software
• ArcSight Logger – automates analysis, alerting, reporting and intelligence of logs and events for IT security, IT operations, IT GRC and log analytics
• NetWitness Investigator – analyzes network traffic; mainly used by IT professionals, but now law enforcement and other public and private firms use it; downloadable off the internet, not sure how reliable it is
• Quest ChangeAuditor – reports and analyzes what is happening on the network; translates raw data into user-friendly data
• EnCase and the Forensic Toolkit (FTK) are both accepted in court and mainly used by law enforcement and government agencies.
• FTK is database driven, so you won't lose work if your computer crashes
• Both have a user-friendly interface and can do many of the same things, but EnCase is what most law enforcement agencies choose to use, so that is what I will talk about in the rest of the presentation.
ENCASE FORENSIC
EnCase Forensic works on many operating systems, such as Windows, Linux, Apple iOS, Sun/Oracle Solaris, and supported smartphones.
Capabilities of EnCase Forensic
- Rapidly acquire data from the widest variety of devices
- Unearth potential evidence with disk-level forensic analysis
- Produce comprehensive reports on your findings
- Maintain the integrity of your evidence in a format the courts have come to
Triage
EnCase Forensic gives investigators the ability to quickly view and search potential evidence in order to determine whether further investigation is warranted. Add EnCase Portable and you'll equip your forensic experts and non-experts alike to quickly review information stored on computers in the field in real-time, without altering or damaging the information.

Let your experts set up specific jobs that let non-experts run them in the field to:
- Perform quick triage
- Identify and eliminate computers that aren't relevant to a case
- Give complete control to the experts as to how non-experts search those computers in the field

Using EnCase Portable to collect potential evidence in the field can:
- Instantly view images on the target machine
- Review documents in real-time
- Collect only relevant information quickly
Customizable job creation lets you:
- Use keywords, metadata, hash values, and other criteria to perform targeted triage and collection
- Perform memory acquisition
- Perform full-disk imaging
You can choose from multiple configuration options:
- Easy Mode: EnCase Portable can be preconfigured by your expert team members
- Advanced Mode: Expert users can create and edit the configuration of EnCase Portable instantly in the field
Make use of multiple triage and collection modes:
- Live Mode: Lets you collect memory from running computers
- Boot Mode: Enables collection from Macintosh and Linux computers
All metadata is preserved during triage and collection, maintaining evidence integrity. In addition, all data is stored in our court-accepted EnCase® evidence format, the most trusted format in the forensic community.
Process
The re-engineered evidence processor lets you:
- Perform more powerful queries
- Process even huge files at speeds faster than any solution in the industry
- Automate tasks
- Create templates based on case profiles
- Readily integrate EnCase Forensic results
- Use even basic team computers to perform processing without additional software or resources
Search
EnCase Forensic gives you the ability to search the tens of thousands of files that exist on a computer with a variety of comprehensive search choices, including:
- GREP
- Conditional
- Boolean
- Word searches
Once you've begun acquiring your potential evidence, EnCase lets you easily analyze the following to determine whether or not a crime may have been committed:
- Where the data originated
- Which type of user activity created the data
- When the data was last accessed
You can quickly bookmark important pieces of potential evidence for quick access and inclusion in reports later in the investigation.
Advanced Analysis
Recover files and partitions, detect deleted files by parsing event logs, file signature analysis, and hash analysis, even within compounded files or unallocated disk space.
Multiple File Viewer Support
View hundreds of file formats in native form, built-in Registry viewer, integrated photo viewer, see results on a timeline/calendar.
Prioritized Processing
This exclusive capability of EnCase Forensic lets you process a subset of evidence and make it available for analysis more quickly than was ever before possible. You can choose to continue processing or stop processing the remaining evidence while completing your digital investigation.
Case Analyzer Offers Deeper Insight
Case Analyzer lets you see exactly what happened on a computer system, providing higher-level reports of metadata consisting of multiple artifacts joined together, or specific, pre-filtered data that would indicate system activity.

REPORT
Powerful, Flexible Reporting
- Show in detail which information is presented and how, depending on the purpose and target audience of the investigation
- Export information into various file formats as needed for reporting and analysis
- Include relevant evidence, investigator comments, bookmarks, search results, search criteria, pictures, date and time artifacts, and export those into RTF, PDF, or HTML formats for easy distribution to everyone from fellow investigators to the district attorney's office
With the most powerful, flexible reporting tool of any digital-investigations platform, EnCase® Forensic gives you important capabilities that ensure you'll never miss an important comment, bookmark, or other piece of important information when producing and sharing a report. With the reporting capabilities in EnCase Forensic, you can:
Powerful and Highly Customizable
The easy-to-understand templates in EnCase Forensic can be used for any case and any audience. You can fully customize reports with the Report Template Builder, which makes it easy to:
- Tailor a report for your audience
- Define specific case information
- Create custom headers, footers, and title pages
- Apply Microsoft Word styles to any and all sections
CONCLUSION
Computer Forensics helps determine the WHO, WHAT, WHEN,
and WHERE related to a computer-based crime or violation. To
ensure acceptance by the courts, accepted processes and
procedures have to be adopted and demonstrated which are
not dissimilar to the issues surrounding traditional forensic
investigations.
