
Computer Forensics

Introduction :-

Computer Forensics is a branch of forensic science pertaining to legal evidence found in computers and digital storage media. Computer forensics is also known as digital forensics. There are many definitions of computer forensics; generally, however, computer forensics refers to the detailed investigation of computers to carry out the required tasks. It investigates the data maintained on the computer to determine what exactly happened to the computer and who is responsible for it. The investigation process starts from the analysis of the ground situation and moves on to the internals of the computer's operating system.

Computer forensics is a broad concept mainly related to crimes involving computers that are against the law. Various laws have been imposed to check these crimes, but they still exist, and it is difficult to find the criminal due to lack of evidence. All these difficulties can be overcome with the help of computer forensics. The main aim of computer forensic experts is not only to find the criminal but also to find the evidence and present it in a manner that leads to legal action against the culprit. The major reasons for criminal activity in computers are:

1. Unauthorized use of computers, mainly stealing a username and password
2. Accessing the victim's computer via the internet
3. Releasing a malicious computer program, that is, a virus
4. Harassment and stalking in cyberspace
5. E-mail fraud
6. Theft of company documents

The goal of computer forensics is to explain the current state of a digital artifact. The term digital artifact can include a computer system, a storage medium (such as a hard disk or CD-ROM), an electronic document (e.g. an email message or JPEG image) or even a sequence of packets moving over a computer network.

It is the scientific process of preserving, identifying, extracting, documenting, and interpreting data on a computer.

History
Michael Anderson: "Father of computer forensics"; special agent with IRS

Meeting in 1988 (Portland, Oregon): creation of IACIS, the International Association of Computer Investigative Specialists; the first Seized Computer Evidence Recovery Specialists (SCERS) classes held

Computer Forensics Requirement


Hardware
Familiarity with all internal and external devices/components of a computer
Thorough understanding of hard drives and settings
Understanding motherboards and the various chipsets used
Power connections
Memory

BIOS
Understanding how the BIOS works
Familiarity with the various settings and limitations of the BIOS

Operating Systems
Windows 3.1/95/98/ME/NT/2000/2003/XP
DOS
UNIX
LINUX
VAX/VMS

Software
Familiarity with most popular software packages such as Office

Forensic Tools
Familiarity with computer forensic techniques and the software packages that could be used

Multiple methods of computer forensics :-

Discovering data on a computer system

Recovering deleted, encrypted, or damaged file information

Monitoring live activity

Detecting violations of corporate policy

According to many professionals, Computer Forensics is a four (4) step process :-

Acquisition

Physically or remotely obtaining possession of the computer, all network mappings from the system, and external physical storage devices

Identification

This step involves identifying what data could be recovered and electronically retrieving it by running various Computer Forensic tools and software suites

Evaluation

Evaluating the information/data recovered to determine if and how it could be used against the suspect for employment termination or prosecution in court

Presentation

This step involves the presentation of evidence discovered in a manner which is understood by lawyers and non-technical staff/management, and suitable as evidence as determined by United States and internal laws

A Computer Forensic Promises:

Not delete, damage or alter any evidence
Protect the computer and files against a virus
Handle all evidence properly to prevent any future damage
Keep a log of all work done and by whom
Keep any Client-Attorney information that is gained confidential

Advantages of Computer forensics:

Ability to search through a massive amount of data:
Quickly
Thoroughly
In any language

The main task, and the main advantage, of computer forensics is to catch the culprit or criminal involved in a computer-related crime. Information from the computer is most useful in cases involving hardware and software with which the forensics expert is familiar. The basics of computer design and architecture play a prominent role, and the expert should have a great deal of knowledge about fundamental software design and implementation. This is quite often similar from one computer system to another. Experience with one application, software package, file system or operating system can be applied to gain results in other aspects of the case. Computer crime exists in many forms.

Computer forensics deals extensively with finding the evidence needed to prove the crime, and the culprit behind it, in a court of law. Forensics provides the organization with support and helps it recover its loss. If it is known that the data exists, then alternate formats of the same data or information can also be recovered. The discovery of data or information that can provide vital clues in the prosecution of the criminal is itself a process. A forensics expert always identifies many possible ways to obtain relevant evidence. In addition to all the benefits of utilizing the services of computer forensics, the professional may also undertake on-site inspections of the location. This may be required in cases where signs or clues of physical movement are required. Some cases may also involve additional information regarding earlier versions or the method of backups, or formatted versions of data or information, which is either created or treated by other application programs. The application programs may also have different formats. Such application programs include word processors, spreadsheets, email, timeline and scheduling applications, and even graphical applications.

The most important thing, and the major advantage of computer forensics, is the preservation of the evidence that is collected during the process. The protection of evidence can be considered critical. A computer forensics professional should ensure that the computer system being dealt with is handled carefully. Since the subject is governed by many laws, computer forensic professionals maintain a code of ethics. This ethical conduct can be considered an advantage of forensics in computer systems. Finally, computer forensics has emerged as an important part of disaster recovery management. Most organizations at some time or other employ the services of computer forensics experts. The cost of operations is also lower in comparison with the security measures that are applied.

Disadvantages of Computer Forensics :-

The major disadvantage of computer forensics is the privacy concern. It may happen in some cases that the privacy of the client is compromised. It is the duty of the computer forensics expert to maintain high standards, keep in mind the sensitivity of the case, and maintain the privacy and secrecy of the data or information in the client's interests. But in some circumstances it becomes almost impossible for the computer forensics professional to maintain the secrecy of the data or information. This may happen if the information is necessary to prove the crime and must be produced as evidence in a court of law. There are other disadvantages of computer forensics as well. It is also possible that some sensitive data or information that is important to the client may be lost in the course of finding the evidence. The forensics professional must take care that the data, information or possible evidence is not destroyed, damaged, or otherwise compromised by the procedures used to investigate a computer system.

There is also a chance that malicious programs are introduced into the computer system and corrupt the data at a later stage. During the analysis process care should be taken that no possible computer virus is released or introduced into the computer system. It is also possible that the hardware of the computer system is damaged physically. The evidence that is physically extracted, and the relevant evidence, should be properly handled as well as protected from later damage that may be either mechanical or electromagnetic in nature. The integrity of the data and the information that is acquired should be preserved. The custody of the data that is acquired as evidence is the responsibility of the computer forensics team. While the case is being solved, it may be required that the data or information is stored in the court. In some cases it is also possible that the data is in dispute and neither of the disputing parties can use the data. For this reason business operations may also be affected. The duty of the computer forensics expert is to ensure that justice is delivered as fast as possible so that the inconvenience and the subsequent loss to the organization can be avoided. It is also important that the information acquired during the forensic exploration is ethically and legally respected. Moreover, despite some of the limitations of computer forensics, the subject is still perceived. Also, the advantages and benefits of the subject have wide applications in various situations. Measures should be taken, and care on the part of the professional employed for the computer forensics is a must, to avoid any subsequent damage to the computer system. It is also possible in some cases that the operations cost may exceed. Steps should be taken to minimize the cost.

Need for Computer Forensics:

The purpose of computer forensics is mainly due to the wide variety of computer crimes that take place. With present technological advancements it is common for every organization to employ the services of computer forensics experts. There are various computer crimes that occur on a small scale as well as a large scale. The loss caused depends upon the sensitivity of the computer data or information against which the crime has been committed. Computer forensics has become vital in the corporate world. There can be theft of data from an organization, in which case the organization may sustain heavy losses. For this purpose computer forensics is used, as it helps in tracking the criminal. The need in the present age can be considered all the more severe due to internet advancements and dependency on the internet. People who gain access to computer systems without proper authorization should be dealt with. Network security is an important issue in the computer world. Computer forensics is a threat to wrongdoers and people with negative mindsets. Computer forensics is also efficient where the data is stored in a single system for backup. Data theft and intentional damage of the data in a single system can also be minimized with computer forensics. There are hardware and software that employ security measures in order to track changes and updates to the data or information. The user information is provided in the log files, which can be effectively used to produce evidence of any crime in a legal manner. The main purpose of the computer forensics is to produce evidence in the court that can lead to the punishment of the actual. Forensic science is the process of utilizing scientific knowledge for the collection, analysis, and most importantly the presentation of evidence in a court of law. The word forensic itself means to bring to the court. The need for, or importance of, computer forensics is to ensure the integrity of the computer system. With some small measures, the system can avoid the cost of operating and maintaining security. The subject provides in-depth knowledge for understanding the legal as well as the technical aspects of computer crime. It is very useful from a technical standpoint.

The importance of computer forensics is evident in tracking cases of child pornography and email spamming. Computer forensics has been efficiently used to track down terrorists in various parts of the world. Terrorists using the internet as a medium of communication can be tracked down and their plans can be known. There are many tools that can be used in combination with computer forensics to find out the geographical information and the hideouts of criminals. The IP address plays an important role in finding the geographical position of the terrorists. Security personnel deploy effective measures using computer forensics. Intrusion Detection Systems are used for that purpose.

Methods of Hiding Data:-

1. Manipulating HTTP requests by changing (unconstrained) order of elements

The order of elements can be preset as a 1 or 0 bit

No public software is available for use yet, but the government uses this method for its agents who wish to transfer sensitive information online

Undetectable because there is no standard for the order of elements and it is, in essence, just normal web browsing

2. Encryption:-

The encryption of any information in a computer system is done to maintain the privacy or secrecy of the subject. The encrypted file is stored in some location that is not easily identifiable. This is done so that there is no leakage of the file. Even in extreme cases, when the file is found and opened by some person, that person should still not be able to read the file.

The contents of the file or data after encryption are not in a readable format. But the person who encrypts the file also needs to be able to decrypt it again. The file must be decrypted before it can be read. The information required for decryption is available only to the person who is authorized to read the information.

Software used for Computer Forensics:

There are many software tools available that can be used to assist the process of computer forensics. Computer forensics professionals apply most of the software tools to gain the information required. Computer forensics software products like the EnCase tools help the forensics expert to track the criminal easily. The software tools can be efficiently used for IP theft and for violations of Human Resource or company policy. They can also be efficiently used for fraud detection and prevention. In the case of IP theft the software tools reduce its severity and frequency. This is done by giving the organization the ability to conduct proactive IP audits. This helps in locating the critical IP. It is also useful in investigating the key points that can cause risk. Legal steps can be taken as preventive measures, and the risk can be avoided by performing reactive discovery to protect and assess in cases where IP theft is evident. It is efficient in the case of IP theft.

Conclusion:

Thus we conclude from the study of computer forensics that, with computers becoming more and more involved in our everyday lives, both professionally and socially, there is a need for computer forensics. This field will enable crucial electronic evidence to be found, whether it was lost, deleted, damaged, or hidden, and used to prosecute individuals who believe they have successfully beaten the system.


Abstract:

Forensic computing is the process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable. From the above definition we can clearly identify four components:

IDENTIFYING: This is the process of identifying things such as what evidence is present, where and how it is stored, and which operating system is being used. From this information the investigator can identify the appropriate recovery methodologies, and the tools to be used.

PRESERVING: This is the process of preserving the integrity of digital evidence, ensuring the chain of custody is not broken. The data needs to be preserved (copied) on stable media such as CD-ROM, using reproducible methodologies. All steps taken to capture the data must be documented. Any changes to the evidence should be documented, including what the change was and the reason for the change. You may need to prove the integrity of the data in a court of law.

ANALYSING: This is the process of reviewing and examining the data. The advantage of copying this data onto CD-ROMs is the fact that it can be viewed without the risk of accidental changes, therefore maintaining the integrity whilst examining the changes.

PRESENTING: This is the process of presenting the evidence in a legally acceptable and understandable manner. If the matter is presented in court, the jury, who may have little or no computer experience, must all be able to understand what is presented and how it relates to the original, otherwise all efforts could be futile.

Far more information is retained on the computer than most people realize. It is also more difficult to completely remove information than is generally thought. For these reasons (and many more), computer forensics can often find evidence of, or even completely recover, lost or deleted information, even if the information was intentionally deleted.
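The PRESERVING step, together with the earlier promise to keep a log of all work done and by whom, can be made checkable with a hash-chained custody log. The following is an added example, not part of the original report: the function names, the choice of SHA-256 and the "documented-change" action label are assumptions, and the "image" is a small constructed file rather than real evidence.

```python
import hashlib, json, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so a large disk image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while block := f.read(chunk):
            h.update(block)
    return h.hexdigest()

def entry_digest(entry):
    """Digest over every field of a log entry except the digest itself."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def log_action(log, evidence_path, examiner, action, reason):
    """Record who did what and why, with the evidence hash at that moment."""
    entry = {"time": datetime.now(timezone.utc).isoformat(),
             "examiner": examiner, "action": action, "reason": reason,
             "evidence_sha256": sha256_file(evidence_path),
             "prev_hash": log[-1]["entry_hash"] if log else "0" * 64}
    entry["entry_hash"] = entry_digest(entry)  # chains this entry to the last
    log.append(entry)

def verify_log(log):
    """List altered custody records and evidence changes left undocumented."""
    problems, prev = [], "0" * 64
    for i, e in enumerate(log):
        if e["prev_hash"] != prev or entry_digest(e) != e["entry_hash"]:
            problems.append(f"entry {i}: custody record altered")
        if (i and e["evidence_sha256"] != log[i - 1]["evidence_sha256"]
                and e["action"] != "documented-change"):
            problems.append(f"entry {i}: evidence changed without documentation")
        prev = e["entry_hash"]
    return problems

def demo():
    """Constructed sample: a stand-in 'image' file and three log entries."""
    with tempfile.TemporaryDirectory() as d:
        image = Path(d, "image.dd")
        image.write_bytes(b"constructed sample disk image bytes")
        log = []
        log_action(log, image, "examiner-A", "acquire", "copy to stable media")
        log_action(log, image, "examiner-B", "examine", "review of working copy")
        clean = verify_log(log)
        image.write_bytes(image.read_bytes() + b"!")  # undocumented change
        log_action(log, image, "examiner-B", "examine", "second review")
        changed = verify_log(log)
        log[0]["examiner"] = "someone-else"           # after-the-fact log edit
        return clean, changed, verify_log(log)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Because each entry stores the hash of the previous one, rewriting an old entry and recomputing its own digest still breaks the link held by the next entry.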

The goal of computer forensics is to retrieve the data and interpret as much information about it as possible as compared to data recovery where the goal is to retrieve the lost data.

Government Polytechnic, Amravati


(An Autonomous Institute of Maharashtra)

PROJECT REPORT

ON

COMPUTER FORENSICS
Prepared By:- Gopal P. Rathi (07CM040)

Guide By: Fafat Madam

Head Of Department: M. A. Ali Sir

DEPARTMENT OF COMPUTER ENGINEERING
