Lecture 5 Computer Forensics

Computer forensics is a discipline that merges law and computer science to collect and analyze digital evidence for legal purposes, focusing on the preservation, identification, extraction, documentation, and interpretation of data. It differs from computer security in its aim to explain policy violations rather than just preserve system integrity, and it has applications in criminal investigations, internal audits, and corporate disputes. The process involves careful evidence collection, analysis, and reporting, adhering to strict guidelines to ensure admissibility in court.

Uploaded by frankiewayne044
Copyright © All Rights Reserved

LECTURE 5 COMPUTER FORENSICS

Computer forensics is the discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law.

It is a branch of digital forensic science pertaining to legal evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of preservation, identification, extraction, documentation and interpretation of computer data.

Forensic methodology is backed by flexibility and extensive domain knowledge.

The process used in computer forensic investigations consists of three steps: acquisition, analysis and reporting.

Computer forensics vs. computer security


Computer security and computer forensics are distinct but related disciplines, since the raw material used by both fields overlaps to a large degree.

Computer security aims to preserve a system as it is meant to be (as per the security policies), whereas computer forensics sets out to explain how a policy came to be violated.

The main difference can be seen as one of system integrity versus culpability for an event or set of events. Whereas the two fields may use similar data sources, they have different and sometimes opposing aims. For example, security countermeasures such as encryption or data wiping tools may work against the computer forensic investigation. The security measures complicate the investigation because the data must be decrypted prior to analysis. In addition, security functions tend by design to implement only minimal logging. Therefore, not all the information required will be available to the forensic analyst.

Computer security is an established field of computer science, whilst computer forensics is an emergent area. Increasingly, computer security will involve forensic investigation techniques, and vice versa. Both fields have much to learn from each other.

Uses of computer forensics


There are many applications of computer forensics tools and techniques other than criminal prosecution, such as:
• Determining the root cause of an event to ensure it is not repeated
• Identifying responsibility for an action
• Internal investigations within the organisation
• Intelligence operations
• Audit
• Recovering lost data

Law enforcement agencies have been among the earliest and heaviest users of computer forensics and consequently have often been at the forefront of developments in the field. There are few areas of crime or dispute where computer forensics cannot be applied.

Computers may hold evidence in the form of emails, internet history, documents or other files relevant to crimes such as murder, kidnap, fraud and drug trafficking. Those files also carry ‘metadata’. A computer forensic examination may reveal when a document first appeared on a computer, when it was last edited, when it was last saved or printed and which user carried out these actions.

More recently, commercial organizations have used computer forensics to their benefit in a variety of cases such as:
• Intellectual property theft
• Industrial espionage
• Employment disputes
• Fraud investigations
• Forgeries
• Matrimonial issues
• Bankruptcy investigations
• Inappropriate email and internet use in the workplace
• Regulatory compliance

What can a Computer Forensic examination provide?


• Recovery of deleted, encrypted or hidden computer files, even after a hard drive has been reformatted or repartitioned
• Passwords for password-protected or encrypted files
• Determination of:
    o Web sites that have been visited
    o Files that have been uploaded or downloaded
    o When files (documents, pictures, etc.) were last accessed or deleted
    o User login times and passwords
• Discovery of:
    o Attempts to conceal, destroy, or fabricate evidence
    o Text that was removed from the final document version
    o Faxes sent or received on a computer
    o Email, texts, webmail, and attachments, even if deleted
    o Other types of communication (e.g. IM chat logs)

Properties of digital evidence


• Digital evidence is any data stored or transmitted using a computer that supports or refutes a theory of how an offense occurred, or that addresses critical elements of the offense such as intent.
• Digital evidence is extremely fragile, similar to a fingerprint.
• Digital evidence is also “latent”, meaning it cannot be seen in its natural state, much like DNA. Any actions that can alter, damage or destroy digital evidence will be scrutinized by the courts.
• Digital evidence is often constantly changing and can be very time sensitive.
• Digital evidence can transcend borders with ease and speed.

Types of investigations
Internal: no search warrant needed, quickest investigation. Example: a corporate investigation into an IT administrator reviewing documents that they should not be viewing.
Civil: the other side may own the data, so a subpoena may be needed. Example: one party sues another over ownership of intellectual property; digital evidence must be acquired and authenticated so it can be submitted in court.
Criminal: highest stakes, accuracy and documentation must be of the highest quality, slowest moving. Example: a child pornography investigation involving possession and distribution of contraband.

Network forensics
Network forensics involves the recovery and analysis of information from computer networks suspected of having been compromised or accessed in an unauthorised manner and is closely related to the computer security field of intrusion detection. Its purpose is to allow investigators to reason about the circumstances or causes of the activity under investigation and to (possibly) provide evidence for any resulting legal case.

Network forensics encompasses:


• Detecting, responding to and assigning responsibility for attacks against our systems
• The use of security devices and their audit information for evidentiary data
• Using networks for passive information gathering during the investigation

In general, network forensics investigations use event log analysis and timelining to determine the following:
• Who: is responsible for the activity
• What: the attacker has done, e.g. files accessed, backdoor placed on the system, etc.
• When: each event occurred
• Where: the location or host the attack took place from, e.g. its IP address
• Why: why the person hacked you; what were their motives
• How: which tools were used or vulnerabilities exploited

With many illegal activities involving network technologies, these types of investigation are growing in number and form an important element of computer forensics.
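The timelining step above, as an added example that is not part of the lecture: log lines from two constructed hosts (the fileserver writes syslog, assumed here to be in UTC and in the year 2024, since syslog carries neither; the webserver writes an access log stamped -0500) are normalised to UTC and merged, so that the Who/What/When/Where columns can be read off in true order rather than in the order the raw timestamps would suggest. The log lines and the address 203.0.113.7 are constructed sample data.

```python
"""Timelining: merge constructed log lines from two hosts into one UTC timeline."""
import re
from datetime import datetime, timezone

# Constructed sample logs. 203.0.113.0/24 is a documentation range, not a real host.
# Assumption: the file server logs syslog in UTC (the format has no zone), the
# web server logs in US Eastern (-0500), so the raw text cannot simply be sorted.
AUTH_LOG = """\
Mar 12 14:03:11 fileserver sshd[2211]: Failed password for root from 203.0.113.7 port 5142 ssh2
Mar 12 14:03:19 fileserver sshd[2211]: Accepted password for bob from 203.0.113.7 port 5142 ssh2
Mar 12 14:05:02 fileserver sudo: bob : COMMAND=/usr/bin/tar czf /tmp/q3.tgz /srv/finance
"""
ACCESS_LOG = """\
203.0.113.7 - - [12/Mar/2024:09:06:40 -0500] "POST /upload.php HTTP/1.1" 200 512
"""
SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')

def actor(program, msg):
    """Who did it, and from where, as far as the message itself says."""
    m = re.search(r"for (?:invalid user )?(\S+) from (\S+)", msg)
    if m:
        return m[1], m[2]
    if program == "sudo":
        return msg.split(" : ")[0].strip(), None
    return "?", None

def parse_syslog(line, year, tz):
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
    who, src = actor(m[3], m[4])
    return {"when": when.astimezone(timezone.utc), "who": who,
            "what": f"{m[3]}: {m[4]}", "where": src or m[2], "host": m[2]}

def parse_access(line, host):
    m = ACCESS_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m[2], "%d/%b/%Y:%H:%M:%S %z")  # %z consumes the -0500
    return {"when": when.astimezone(timezone.utc), "who": "?",
            "what": f"httpd: {m[3]} -> {m[4]}", "where": m[1], "host": host}

def timeline(year=2024):
    """Syslog lines carry no year or zone: both are stated assumptions here."""
    events = [parse_syslog(l, year, timezone.utc) for l in AUTH_LOG.splitlines()]
    events += [parse_access(l, "webserver") for l in ACCESS_LOG.splitlines()]
    return sorted((e for e in events if e), key=lambda e: e["when"])

if __name__ == "__main__":
    for e in timeline():
        print(e["when"].strftime("%Y-%m-%d %H:%M:%SZ"), e["who"], e["where"], e["what"])
```

Sorted on the raw text, the 09:06:40 web request would appear first; normalised to UTC it is the last event, which is the order an examiner must testify to.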

Computer forensics process

A model of computer forensics that aims to simplify the investigation process irrespective of the computer forensics tools and techniques used:

1. Prior to an investigation, the analyst must make some preparations. For example, what is the purpose of the investigation? This will ultimately determine the tools and techniques used throughout the resulting investigation.
2. Evidence must be collected. This must be conducted robustly and maintain the integrity of the evidence. Once the evidence is collected, a copy of the material is made and all analysis is performed on the copy. This ensures that the original evidence is not altered in any way.
3. The analysis of the evidence is conducted with forensics tools. For example, analysing the hard drive of a computer requires the recreation of the logical structure of the underlying operating system. Once this is done, the analyst may have to triage and view both extant and deleted files to build a picture of the suspect’s activities.
4. The analyst will then report any suspicious or malicious files and supply supporting evidence, for example the time and date the file was created, accessed or modified and which user was responsible.

Finally, the analyst must present the evidence. In law enforcement, this is to a court of law. Increasingly, with the growth of the field in internal corporate investigations, this will be to management.

Guidelines
For evidence to be admissible it must be reliable and not prejudicial, meaning that at all stages of a computer forensic investigation admissibility should be considered a priority.
The four main principles from this guide (with references to law enforcement removed) are as follows:
1. No action should change data held on a computer or storage media which may be subsequently relied upon in court.
2. In circumstances where a person finds it necessary to access original data held on a computer or storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
3. An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
4. The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.
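Step 2 of the process above and principles 1 and 3 of these guidelines in practice, as an added example that is not part of the lecture: the original is hashed, a working copy is made, the original is hashed again to show acquisition changed nothing, and every step goes into an audit trail that an independent examiner can replay to reach the same hash. The evidence bytes, file names and examiner id are constructed; SHA-256 is my choice of hash, not one the lecture specifies.

```python
"""Forensically sound working copy: hash the original, copy it, verify, log every step."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Constructed stand-in for a seized drive image or file.
EVIDENCE = b"From: alice@example.test\r\nSubject: Q3 figures\r\n\r\nSee attached.\r\n"

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so a multi-terabyte image never has to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def acquire(original, workdir, examiner):
    """Principle 1: analysis happens only on the copy. Principle 3: an audit trail
    records each step so a third party can repeat it and get the same hash."""
    trail = []
    def log(action, **detail):
        trail.append({"time": datetime.now(timezone.utc).isoformat(),
                      "examiner": examiner, "action": action, **detail})
    before = sha256_file(original)
    log("hash_original", sha256=before)
    copy = os.path.join(workdir, "working_copy.bin")
    shutil.copyfile(original, copy)          # reads the original, never writes to it
    log("copy", destination=copy)
    copy_hash = sha256_file(copy)
    after = sha256_file(original)            # re-hash: proves acquisition changed nothing
    verified = before == copy_hash == after
    log("verify", copy_sha256=copy_hash, original_after=after, verified=verified)
    with open(os.path.join(workdir, "audit_trail.json"), "w") as f:
        json.dump(trail, f, indent=2)
    return copy, before, verified, trail

def reverify(path, recorded_hash):
    """What an independent examiner runs later: same input must give the same hash."""
    return sha256_file(path) == recorded_hash

def demo():
    """Acquire the constructed evidence, then alter the copy to show the check fails."""
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "seized.bin")
    with open(original, "wb") as f:
        f.write(EVIDENCE)
    copy, recorded, ok, trail = acquire(original, workdir, "examiner-01")
    with open(copy, "ab") as f:
        f.write(b"x")                        # one appended byte: the copy no longer matches
    return ok, reverify(original, recorded), reverify(copy, recorded), len(trail)
```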
Issues facing computer forensics

The issues facing computer forensics examiners can be broken down into three broad categories: technical, legal
and administrative.

Two basic types of data are collected in computer forensics.

Persistent data is the data that is stored on a local hard drive (or another medium) and is preserved when the computer is turned off.

Volatile data is any data that is stored in memory, or exists in transit, that will be lost when the computer loses power or is turned off. Volatile data resides in registers, cache, and random access memory (RAM). Since volatile data is transient, it is essential that an investigator knows reliable ways to capture it.

Techniques used during computer forensics investigations

1. Live analysis: the examination of computers from within the operating system, using custom forensics or existing sysadmin tools to extract evidence. The practice is useful when dealing with Encrypting File Systems, for example, where the encryption keys may be collected and, in some instances, the logical hard drive volume may be imaged (known as a live acquisition) before the computer is shut down.
2. Deleted files: a common technique used in computer forensics is the recovery of deleted files. Modern forensic software has its own tools for recovering or carving out deleted data. Most operating systems and file systems do not always erase physical file data, allowing investigators to reconstruct it from the physical disk sectors. File carving involves searching for known file headers within the disk image and reconstructing deleted material.
3. Cross-drive analysis: a forensic technique that correlates information found on multiple hard drives. The process, still being researched, can be used to identify social networks and to perform anomaly detection.
4. Stochastic forensics: a method which uses stochastic properties of the computer system to investigate activities lacking digital artifacts. Its chief use is to investigate data theft.
5. Steganography: one of the techniques used to hide data is steganography, the process of hiding data inside a picture or digital image. This process is often used to hide pornographic images of children as well as information that a given criminal does not want discovered. Computer forensics professionals can fight this by looking at the hash of the file and comparing it to the original image (if available). While the image appears exactly the same, the hash changes as the data changes.
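File carving as described in item 2, as an added example that is not part of the lecture: a constructed "disk image" in which a JPEG and a PNG survive in the sectors with no file-system metadata is scanned for known headers, and each file is cut out at the matching footer. The signatures are the standard JPEG SOI/EOI markers and the PNG signature and IEND chunk; the image layout, the JPEG body and the 1x1 PNG are constructed here.

```python
"""File carving over a constructed disk image: find known headers, cut to footers."""
import struct
import zlib

# Header/footer signatures of two formats whose byte markers are well defined.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}

def carve(image, max_size=10 * 1024 * 1024):
    """Return (offset, type, bytes) for each header whose footer follows within max_size."""
    found = []
    for kind, (head, foot) in SIGNATURES.items():
        start = image.find(head)
        while start != -1:
            end = image.find(foot, start + len(head), start + max_size)
            if end != -1:
                found.append((start, kind, image[start:end + len(foot)]))
                # resume after this file so bytes inside it are not carved again
                start = image.find(head, end + len(foot))
            else:
                start = image.find(head, start + 1)   # header with no footer: skip it
    return sorted(found)

def tiny_png():
    """Build a valid 1x1 PNG so the carved result can be checked byte for byte."""
    def chunk(tag, data):
        return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", zlib.crc32(tag + data))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)      # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")                # filter byte + one red pixel
    return b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

def build_image():
    """Constructed 'disk': directory entries gone, file data still in the sectors."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-constructed-body" * 3 + b"\xff\xd9"
    sector = b"\x00" * 512
    return sector + jpeg + sector + tiny_png() + sector * 2

def demo():
    """Carve the constructed image; the JPEG sits at offset 512, the PNG at 1093."""
    return carve(build_image())
```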

Technical issues
Encryption – Encrypted files or hard drives can be impossible for investigators to view without the correct key or password. Examiners should consider that the key or password may be stored elsewhere on the computer or on another computer which the suspect has had access to. It could also reside in the volatile memory of a computer, which is usually lost on shut-down; another reason to consider using live acquisition techniques as outlined above.

Increasing storage space – Storage media hold ever greater amounts of data, which for the examiner means that their analysis computers need sufficient processing power and available storage to deal efficiently with searching and analysing enormous amounts of data.

New technologies – Computing is a continually evolving field, with new hardware, software and operating systems emerging constantly. No single computer forensic examiner can be an expert on all areas, though they may frequently be expected to analyse something which they haven’t previously encountered. In order to deal with this situation, the examiner should be prepared and able to test and experiment with the behaviour of new technologies. Networking and sharing knowledge with other computer forensic examiners is very useful in this respect, as it’s likely someone else has already come across the same issue.

Anti-forensics – Anti-forensics is the practice of attempting to spoil computer forensic analysis. This may include encryption, the over-writing of data to make it unrecoverable, the modification of files’ metadata and file obfuscation (disguising files). As with encryption, the evidence that such methods have been used may be stored elsewhere on the computer or on another computer which the suspect has had access to. In our experience, it is very rare to see anti-forensics tools used correctly and frequently enough to totally obscure either their presence or the presence of the evidence they were used to hide.

Legal issues
Legal arguments may confuse or distract from a computer examiner’s findings. An example here would be the ‘Trojan Defence’. A Trojan is a piece of computer code disguised as something genuine but which has a hidden and malicious purpose. Trojans have many uses, including key-logging, uploading and downloading of files and installation of viruses. A lawyer may be able to argue that actions on a computer were not carried out by a user but were automated by a Trojan without the user’s knowledge; such a Trojan Defence has been successfully used even when no trace of a Trojan or other malicious code was found on the suspect’s computer. In such cases, a competent opposing lawyer, supplied with evidence from a competent computer forensic analyst, should be able to dismiss such an argument.

Administrative issues
Accepted standards – There is a plethora of standards and guidelines in computer forensics, few of which appear to be universally accepted. The reasons for this include: standard-setting bodies being tied to particular legislations; standards being aimed either at law enforcement or at commercial forensics but not at both; the authors of such standards not being accepted by their peers; or high joining fees dissuading practitioners from participating.

Fit to practice – In many jurisdictions there is no qualifying body to check the competence and integrity of computer forensics professionals. In such cases anyone may present themselves as a computer forensic expert, which may result in computer forensic examinations of questionable quality and a negative view of the profession as a whole.

Qualities of a good investigator


• Highest level of ethics
• Unbiased
• States facts, not opinions (unless requested to do so)
• Aware of when to call for help
• Has good documentation skills
• Good communication skills
• Follows the same process/methodology every time

Exercise
Define the following: Hacking, Denial of Service attack, Metadata, Write blocker, Bit copy, and Key-logging.
I think that a computer in my company may contain important evidence. What do I NOT do?
