Database Management System, DBMS Study Materials, Engineering Class handwritten notes, exam notes, previous year questions, PDF free download
(Affiliated to JNTUH, Hyderabad, Approved by AICTE - Accredited by NBA & NAAC – ‘A’ Grade - ISO 9001:2015 Certified) Maisammaguda, Dhulapally (Post Via. Hakimpet), Secunderabad – 500100, Telangana State, INDIA.
UNIT - I
Computer Forensics Fundamentals: What is Computer Forensics? Use of Computer Forensics in Law Enforcement, Computer Forensics Assistance to Human Resources/Employment Proceedings, Computer Forensics Services, Benefits of Professional Forensics Methodology, Steps Taken by Computer Forensics Specialists. Types of Computer Forensics Technology: Types of Military Computer Forensic Technology, Types of Law Enforcement Computer Forensic Technology, Types of Business Computer Forensic Technology. Computer Forensics Evidence and Capture: Data Recovery Defined, Data Back-up and Recovery, The Role of Back-up in Data Recovery, The Data-Recovery Solution.
UNIT - II
Evidence Collection and Data Seizure: Why Collect Evidence? Collection Options, Obstacles, Types of Evidence, The Rules of Evidence, Volatile Evidence, General Procedure, Collection and Archiving, Methods of Collection, Artifacts, Collection Steps, Controlling Contamination: The Chain of Custody. Duplication and Preservation of Digital Evidence: Preserving the Digital Crime Scene, Computer Evidence Processing Steps, Legal Aspects of Collecting and Preserving Computer Forensic Evidence. Computer Image Verification and Authentication: Special Needs of Evidential Authentication, Practical Consideration, Practical Implementation.
UNIT - III
Computer Forensic Analysis and Validation: Determining what data to collect and analyze, validating forensic data, addressing data-hiding techniques, performing remote acquisitions. Network Forensics: Network forensics overview, performing live acquisitions, developing standard procedures for network forensics, using network tools, examining the Honeynet Project.
Processing Crime at Incident Scenes: Identifying digital evidence, collecting evidence in private-sector incident scenes, processing law enforcement crime scenes, preparing for a search, securing a computer incident or crime scene, seizing digital evidence at the scene, storing digital evidence, obtaining a digital hash, reviewing a case.
INDEX
UNIT - I: Computer Forensics Fundamentals
INTRODUCTION
1.1 WHAT IS COMPUTER FORENSICS?
Computer forensics is the process of methodically examining computer media (hard disks, diskettes, tapes, etc.) for evidence. In other words, computer forensics is the collection, preservation, analysis, and presentation of computer-related evidence. Computer forensics is also referred to as computer forensic analysis, electronic discovery, electronic evidence discovery, digital discovery, data recovery, data discovery, computer analysis, and computer examination. Computer evidence can be useful in criminal cases, civil disputes, and human resources/employment proceedings.
Computer forensics assists in law enforcement. This can include:
- Recovering deleted files such as documents, graphics, and photos.
- Searching unallocated space on the hard drive, places where an abundance of data often resides.
- Tracing artifacts, those tidbits of data left behind by the operating system. Our experts know how to find these artifacts and, more importantly, they know how to evaluate the value of the information they find.
- Processing hidden files (files that are not visible or accessible to the user) that contain past usage information. Often, this process requires reconstructing and analyzing the date codes for each file and determining when each file was created, last modified, last accessed and when deleted.
- Running a string-search for e-mail, when no e-mail client is obvious.
Did you know?
- That faxes sent or received via computer may remain on the computer indefinitely?
- That email is rapidly becoming the communications medium of choice for businesses?
- That people tend to write things in email that they would never consider writing in a memorandum or letter?
- That email has been used successfully in criminal cases as well as in civil litigation?
- That email is often backed up on tapes that are generally kept for months or years?
- That many people keep their financial records, including investments, on computers?
Computer forensics professionals should be able to successfully perform complex evidence recovery procedures with the skill and expertise that lends credibility to your case. For example, they should be able to perform the following services:
Following federal guidelines, computer forensics experts should act as the representative, using their knowledge of data storage technologies to track down evidence. The experts should also be able to assist officials during the equipment seizure process.
When one party must seize data from another, two concerns must be addressed:
- the data must not be altered in any way;
- the seizure must not put an undue burden on the responding party.
The computer forensics experts should address both of these concerns by making an exact duplicate of the needed data. When experts work on the duplicate data, the integrity of the original is maintained.
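As an added illustration (not code from these notes) of the duplicate-then-verify practice just described, the following Python takes a bit-for-bit working copy of a constructed in-memory "drive", records digests of the source before and after copying, and shows that later changes to the working copy are detectable while the source digest is unchanged. The drive contents, chunk size and record fields are assumptions made for the example.

```python
import hashlib
from datetime import datetime, timezone

CHUNK = 1 << 16  # hash in 64 KiB pieces so a real image need not fit in memory


def image_digest(data: bytes, algo: str = "sha256") -> str:
    """Hash a byte image piece by piece, the way an acquisition tool hashes a drive."""
    h = hashlib.new(algo)
    for off in range(0, len(data), CHUNK):
        h.update(data[off:off + CHUNK])
    return h.hexdigest()


def acquire(original: bytes) -> tuple:
    """Make a bit-for-bit duplicate of `original` and record digests of the source
    taken before and after copying, so the record shows the source was not altered."""
    before = image_digest(original)
    duplicate = bytearray(original)      # the working copy the analyst will examine
    after = image_digest(original)       # re-hash the source: must equal `before`
    record = {
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "size": len(original),
        "source_digest_before": before,
        "source_digest_after": after,
        "duplicate_digest": image_digest(duplicate),
    }
    record["verified"] = before == after == record["duplicate_digest"]
    return duplicate, record


def still_verifies(original: bytes, duplicate: bytes, record: dict) -> bool:
    """Later check: do both images still match the digests recorded at acquisition?"""
    return (image_digest(original) == record["source_digest_before"]
            and image_digest(duplicate) == record["duplicate_digest"])


# Constructed sample "drive": two 512-byte sectors of made-up content.
SOURCE = (b"SECTOR0 original evidence ".ljust(512, b"\x00")
          + b"SECTOR1 ".ljust(512, b"\xff"))

if __name__ == "__main__":
    copy, rec = acquire(SOURCE)
    print("verified at acquisition:", rec["verified"])
    copy[0:7] = b"CHANGED"   # analyst tooling writes to the working copy, not the source
    print("source unchanged:", image_digest(SOURCE) == rec["source_digest_before"])
    print("working copy still matches record:", still_verifies(SOURCE, copy, rec))
```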
Using proprietary tools, your computer forensics experts should be able to safely recover and analyze otherwise inaccessible evidence. The ability to recover lost evidence is made possible by the expert's advanced understanding of storage technologies.
Computer forensics experts should also be able to search over 200,000 electronic documents in seconds rather than hours. The speed and efficiency of these searches make the discovery process less complicated and less intrusive to all parties involved.
Computer forensics experts should extract the relevant data from old and unreadable devices, convert it into readable formats, and place it onto new storage media for analysis.
Computer forensics experts should be able to explain complex technical processes in an easy-to-understand fashion. This should help judges and juries comprehend how computer evidence is found, what it consists of, and how it is relevant to a specific situation.
Computer forensics experts should offer various levels of service, each designed to suit your individual investigative needs. For example, they should be able to offer the following services:
Standard service: Computer forensics experts should be able to work on your case during normal business hours until your critical electronic evidence is found.
On-site service: Computer forensics experts should be able to travel to your location to
A knowledgeable computer forensics professional should ensure that a subject computer system is carefully handled to ensure that:
The computer forensics specialist should take several careful steps to identify and attempt to retrieve possible evidence that may exist on a subject’s computer system. For example, the following steps should be taken:
(the remnant area at the end of a file in the last assigned disk cluster, that is unused by current file data, but once again, may be a possible site for previously created and relevant evidence).
Key objectives of cyber forensics include rapid discovery of evidence, estimation of potential impact of the malicious activity on the victim, and assessment of the intent and identity of the perpetrator. Real-time tracking of potentially malicious activity is especially difficult when the pertinent information has been intentionally hidden, destroyed, or modified in order to elude discovery. National Law Enforcement and Corrections Technology Center (NLECTC) works with criminal justice professionals to identify urgent and emerging technology needs. NLECTC centers demonstrate new technologies, test commercially available technologies and publish results — linking research and practice. National Institute of Justice (NIJ) sponsors research and development or identifies best practices to address those needs. The information directorate entered into a partnership with the NIJ via the auspices of the NLECTC, to test the new ideas and prototype tools. The Computer Forensics Experiment 2000 (CFX-2000) resulted from this partnership.
Computer forensics tools and techniques have become important resources for use in internal investigations, civil lawsuits, and computer security risk management. Law enforcement and military agencies have been involved in processing computer evidence for years.
Computer Evidence Processing Procedures
Processing procedures and methodologies should conform to federal computer evidence processing standards.
Computer evidence is fragile and susceptible to alteration or erasure by any number of occurrences. Computer evidence can be useful in criminal cases, civil disputes, and human resources/employment proceedings.
CFX-2000 Schematic
Black box computer forensics software tools are good for some basic investigation tasks, but they do not offer a full computer forensics solution. SafeBack software overcomes some of the evidence weaknesses inherent in black box computer forensics approaches. SafeBack technology has become a worldwide standard in making mirror image backups since 1990.
TROJAN HORSE PROGRAMS
The computer forensic expert should be able to demonstrate his or her ability to avoid destructive programs and traps that can be planted by computer users bent on destroying data and evidence. Such programs can also be used to covertly capture sensitive information, passwords, and network logons.
COMPUTER FORENSICS DOCUMENTATION
Without proper documentation, it is difficult to present findings. If the security or audit findings become the object of a lawsuit or a criminal investigation, then documentation becomes even more important.
FILE SLACK
Slack space in a file is the remnant area at the end of a file in the last assigned disk cluster, that is unused by current file data, but once again, may be a possible site for previously created and relevant evidence. Experts use techniques and automated tools to capture and evaluate file slack.
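The following Python (an added example, not part of these notes) makes the file slack definition concrete and also covers the unallocated-space search and e-mail string-search items from the law enforcement list earlier. It constructs a tiny two-cluster "disk" with an assumed 512-byte cluster size (real file systems commonly use 4096), writes a shorter new file over the start of cluster 0, then carves the new file's slack and the unallocated cluster and runs a raw string search for e-mail addresses over them.

```python
import re

CLUSTER = 512  # assumed cluster size for this constructed disk; NTFS/FAT commonly use 4096


def build_disk() -> bytearray:
    """Constructed two-cluster disk: an old file fills most of both clusters, is then
    'deleted', and a shorter new file is written over the start of cluster 0 only."""
    disk = bytearray(2 * CLUSTER)
    old = b"Draft memo. Contact jane.doe@example.com about the Q3 figures. " * 12
    disk[:len(old)] = old
    new = b"Shopping list: milk, eggs, bread\n"
    disk[:len(new)] = new      # bytes of cluster 0 beyond the new file's end are not cleared
    return disk


def slack_region(file_size: int, cluster: int = CLUSTER) -> tuple:
    """[start, end) offsets, relative to the file's first cluster, of its slack: the
    unused tail of the last cluster. Empty when the size is an exact cluster multiple."""
    end = -(-file_size // cluster) * cluster   # round up to the next cluster boundary
    return file_size, end


def carve_slack(disk: bytes, first_cluster: int, file_size: int) -> bytes:
    """Slack bytes of a file stored contiguously starting at first_cluster."""
    start, end = slack_region(file_size)
    base = first_cluster * CLUSTER
    return bytes(disk[base + start:base + end])


def unallocated(disk: bytes, allocated: set) -> bytes:
    """Every cluster not in the allocation set, where whole deleted files linger."""
    count = len(disk) // CLUSTER
    return b"".join(bytes(disk[i * CLUSTER:(i + 1) * CLUSTER])
                    for i in range(count) if i not in allocated)


PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")
EMAIL = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def strings(data: bytes) -> list:
    """Printable runs of 6+ bytes, like the strings utility."""
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(data)]


def find_emails(data: bytes) -> list:
    """Distinct e-mail addresses found by raw string search, no mail client needed."""
    return sorted({m.group().decode("ascii") for m in EMAIL.finditer(data)})


if __name__ == "__main__":
    disk = build_disk()
    new_size = len(b"Shopping list: milk, eggs, bread\n")
    print("slack of new file:", slack_region(new_size))
    print("e-mails in slack:", find_emails(carve_slack(disk, 0, new_size)))
    print("e-mails in unallocated space:", find_emails(unallocated(disk, {0})))
```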
Trade secret information and other sensitive data can easily be secreted using any number of techniques. It is possible to hide diskettes within diskettes and to hide entire computer hard disk drive partitions. Computer forensic experts should understand such issues and tools that help in the identification of such anomalies.
Specialized techniques and tools make it possible to conclusively tie a diskette to a computer that was used to create or edit files stored on it. Computer forensic experts should become familiar with how to use special software tools to complete this process.
Computer forensic experts should become familiar with how compression works and how compression programs can be used to hide and disguise sensitive data, and also learn how password-protected compressed files can be broken.
Computer forensic experts should become familiar with how previously erased files can be recovered by using DOS programs and by manually using data-recovery techniques, and with cluster chaining.
Computer forensic experts should become familiar with how to use specialized software to identify how a targeted computer has been used on the Internet. This process will focus on computer forensics issues tied to data that the computer user probably doesn’t realize exists (file slack, unallocated file space, and Windows swap files).
Computer forensic experts should become familiar with how the operating system can be modified to change data and destroy data at the whim of the person who configured the system. Such a technique could be used to covertly capture keyboard activity from corporate executives, for example. For this reason, it is important that the experts understand these potential risks and how to identify them.
The following are different types of business computer forensics technology:
Data Interception by Remote Transmission (DIRT) is a powerful remote control monitoring tool that allows stealth monitoring of all activity on one or more target computers simultaneously from a remote command center. No physical access is necessary. The application also allows agents to remotely seize and secure digital evidence prior to physically entering suspect premises.
CREATING TRACKABLE ELECTRONIC DOCUMENTS
Binary Audit Identification Transfer (BAIT) is a powerful intrusion detection tool that allows users to create trackable electronic documents. BAIT identifies (including their location) unauthorized intruders who access, download, and view these tagged documents. BAIT also allows security personnel to trace the chain of custody and chain of command of all who possess the stolen electronic documents.
THEFT RECOVERY SOFTWARE FOR LAPTOPS AND PCS
What it really costs to replace a stolen computer:
- The price of the replacement hardware and software.
- The cost of recreating data, lost production time or instruction time, reporting and investigating the theft, filing police reports and insurance claims, increased insurance, processing and ordering replacements, cutting a check, and the like.
- The loss of customer goodwill.
- If a thief is ever caught, the cost of time involved in prosecution.
PC PHONEHOME
PC PhoneHome is a software application that will track and locate a lost or stolen PC or laptop anywhere in the world. It is easy to install. It is also completely transparent to the user.
Data recovery is the process in which highly trained engineers evaluate and extract data from damaged media and return it in an intact format. Many people, even computer experts, fail to recognize data recovery as an option during a data crisis. But it is possible to retrieve files that have been deleted and passwords that have been forgotten or to recover entire hard drives that have been physically damaged.
Back-up Obstacles
- Back-up window: The back-up window is the period of time when back-ups can be run. The back-up window is generally timed to occur during nonproduction periods when network bandwidth and CPU utilization are low.
- Network bandwidth: If a network cannot handle the impact of transporting hundreds of gigabytes of data over a short period of time, the organization's centralized backup strategy is not viable.
- System throughput: Three I/O bottlenecks are commonly found in traditional backup schemes. These are
- Lack of resources: Many companies fail to make appropriate investments in data protection until it is too late.
There are many factors that affect back-up. For example:
- Storage costs are decreasing: The cost per megabyte of primary (online) storage has fallen dramatically over the past several years and continues to do so as disk drive technologies advance.
- Systems have to be on-line continuously: Because systems must be continuously online, the dilemma becomes that you can no longer take files offline long enough to perform backup.
- The role of back-up has changed: The role of backup now includes the responsibility for recovering user errors and ensuring that good data has been saved and can quickly be restored.
CONVENTIONAL TAPE BACK-UP IN TODAY’S MARKET
A typical tape management system consists of a dedicated workstation with the front-end interfaced to the network and the back-end controlling a repository of tape devices. The media server runs tape management software. It can administer backup devices throughout an enterprise and can run continuous parallel backups and restores. An alternative to tape backup is to physically replicate or mirror all data and keep two copies online at all times. The advantage is that the data does not have to be restored, so there are no issues with immediate data availability.
ISSUES WITH TODAY'S BACK-UP
Network backup creates network performance problems. Using the production network to carry backup data, as well as for normal user