What is Computer Forensics? (Some definitions)
- “The process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable.” (McKemmish, 1999)
- “Gathering and analyzing data in a manner as free from distortion or bias as possible to reconstruct data or what has happened in the past on a system.” (Farmer & Venema, 1999)
- Computer forensics is the application of computer investigation and analysis techniques in the interests of determining potential legal evidence.
- Forensic Computing, also known as Evidential Computing and even sometimes Data Recovery, is the specialist process of imaging and processing computer data which is reliable enough to be used as evidence in court (http://www.vogon-international.com/index.htm)
What will Computer Forensics do?
- Computer forensics, innovators of image copying technology, defined the principles of the science of computer forensics and formalized an approved and accepted methodology to COLLECT, ANALYSE and PRESENT suspect data to a Court of Law.
- Computer forensics evidence is frequently sought in a wide range of computer crime or misuse, including but not limited to theft of trade secrets, theft of or destruction of intellectual property, and fraud.
- Computer forensics specialists draw on an array of methods for discovering data that resides in a computer system.
- Experts in forensic computing can frequently recover files that have been deleted, encrypted, or damaged, sometimes as long as years earlier.
- Evidence gathered by computer forensics experts is useful and often necessary during discovery, depositions, and actual litigation.
Some areas of Computer Forensics
- Image Capture - The Imaging process is fundamental to any computer investigation.
- Image Processing - The processing software consists of two modules, GenX and GenText, running automatically to index and extract text from all areas of the target image.
- Investigation - Once the processing has taken place, full searches of all areas of the disk take only seconds.
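The three areas above (capture, processing, investigation) in miniature, as an added example that is not code from the slides or from the Vogon product: a read-only sector copy hashed during acquisition, a repeatable verification of that hash, and a GenText-style pass that indexes printable text from every byte of the image so that a routine keyword search (see the later "use of routine search programs" method) runs over unallocated space as well as files. The sample device contents and the 64-byte sector size are constructed assumptions.

```python
import hashlib
import io

# Constructed sample "device": a few bytes standing in for a raw disk.
# Hypothetical data, not taken from the slides.
SAMPLE_DEVICE = (
    b"FAT12   " + b"\x00" * 56
    + b"INVOICE.TXT\x00Meeting notes: transfer 4,500 to account X\x00"
    + b"\xff" * 64
)

def acquire_image(device, sector_size=64):
    """Copy the device sector by sector into an image, hashing as we go.
    Only reads the source, so the copy is non-contaminating.
    Returns (image_bytes, sha256_hex)."""
    src, out, h = io.BytesIO(device), io.BytesIO(), hashlib.sha256()
    while True:
        chunk = src.read(sector_size)
        if not chunk:
            break
        h.update(chunk)
        out.write(chunk)
    return out.getvalue(), h.hexdigest()

def verify_image(image, expected_sha256):
    """Repeat test: any examiner, including one hired by the other side,
    can re-hash the image and confirm it matches the acquisition hash."""
    return hashlib.sha256(image).hexdigest() == expected_sha256

def index_text(image, min_len=6):
    """GenText-style pass: printable ASCII runs with their byte offsets,
    taken from all areas of the image, not only from allocated files."""
    hits, start = [], None
    for i, b in enumerate(image + b"\x00"):  # sentinel flushes the last run
        printable = 32 <= b < 127
        if printable and start is None:
            start = i
        elif not printable and start is not None:
            if i - start >= min_len:
                hits.append((start, image[start:i].decode("ascii")))
            start = None
    return hits

def search(image, keyword):
    """Routine keyword search over the index; returns byte offsets of hits."""
    return [off for off, text in index_text(image) if keyword in text]
```

The offsets returned by `search` are what an examiner records alongside the image hash, so the hit can be located again on a fresh copy.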
Case study of Computer Forensics (what does computer forensics look like?)
- Hacker
- Human resources
- Money on disk
- Hidden bits
- Disk swap
- Tapes rarely lie...
- Narcotics
- Fraud
- Theft
- Corporate or University internal investigation
- FBI or (unlikely) Sheriff investigation
- Computer Security Research
- Post Mortem or Damage Assessment
- Child Pornography
- Espionage & Treason
- Corporate or University Policy Violation
…
The broad tests for evidence
(from Sherlock Holmes to current forensic scientist)
- authenticity - does the material come from where it purports?
- reliability - can the substance of the story the material tells be believed and is it consistent? In the case of computer-derived material are there reasons for doubting the correct working of the computer?
- completeness - is the story that the material purports to tell complete? Are there other stories which the material also tells which might have a bearing on the legal dispute or hearing?
- conformity with common law and legislative rules - acceptable levels of freedom from interference and contamination as a result of forensic investigation and other post-event handling
Elements of Computer Forensics
- well-defined procedures to address the various tasks
- an anticipation of likely criticism of each methodology on the grounds of failure to demonstrate authenticity, reliability, completeness and possible contamination as a result of the forensic investigation
- the possibility for repeat tests to be carried out, if necessary by experts hired by the other side
- check-lists to support each methodology
- an anticipation of any problems in formal legal tests of admissibility
- the acceptance that any methods now described would almost certainly be subject to later modification
Four steps of forensic process
- Acquisition
- Identification – Technical Analysis
- Evaluation – What the Lawyers Do
- Presentation
Divergences from conventional forensic investigation
- the main reason is the rate of change of computer technology
- a key feature of computer forensics is the examination of data media
- computer architectures have shown profound change in the same short period
- computer peripherals keep on changing as well
- wide area telecoms methods are being used more and more
- the growth of e-mail
- the growth of client / server applications, the software outcome of the more complex hardware architectures
- the greater use of EDI and other forms of computer-based orders, bills of lading, payment authorizations, etc.
- computer graphics
- the greater use of computer-controlled procedures
- the methods of writing and developing software have changed also
Computer Forensics Situations
- documents - to prove authenticity; alternatively to demonstrate a forgery
- reports, computer generated from human input
- real evidence - machine readable measurements, etc.
- reports, generated from machine readable measurements, etc.
- electronic transactions - to prove that a transaction took place, or to demonstrate that a presumption that it had taken place was incorrect
- conclusions reached by "search" programs which have searched documents, reports, etc.
- event reconstruction - to show a sequence of events or transactions passing through a complex computer system
- liability in situations where CAD designs have relied on auto-completion or filling in by a program
- conclusions of computer "experts" - the results of expert systems
Some litigations
Civil Matters
- Breach of Contract
- Asset recovery
- Tort, including negligence
- Breach of Confidence
- Defamation
- Breach of securities industry legislation and regulation and/or Companies Acts
- Employee disputes
- Copyright and other intellectual property disputes
- Consumer Protection law obligations (and other examples of no-fault liability)
- Data Protection law legislation
Criminal Matters
- Theft Acts, including deception
- Criminal Damage
- Demanding money with menaces
- Companies Law, Securities Industry and banking offences
- Criminal offences concerned with copyright and intellectual property
- Drug offences
- Trading standards offences
- Official Secrets
- Computer Misuse Act offences
Computer Forensics Methods (1)
- safe seizure of computer systems and files, to avoid contamination and/or interference
- safe collection of data and software
- safe and non-contaminating copying of disks and other data media
- reviewing and reporting on data media
- sourcing and reviewing of back-up and archived files
- recovery / reconstruction of deleted files - logical methods
- recovery of material from "swap" and "cache" files
- recovery of deleted / damaged files - physical methods
Computer Forensics Methods (2)
- core-dump: collecting an image of the contents of the active memory of a computer at a particular time
- estimating if files have been used to generate forged output
- reviewing of single computers for "proper" working during relevant period, including service logs, fault records, etc.
- proving / testing of reports produced by complex client / server applications
- reviewing of complex computer systems and networks for "proper" working during relevant period, including service logs, fault records, etc.
- review of system / program documentation for: design methods, testing, audit, revisions, operations management
Computer Forensics Methods (3)
- reviewing of applications programs for "proper" working during relevant period, including service logs, fault records, etc.
- identification and examination of audit trails
- identification and review of monitoring logs
- telecoms call path tracing (PTTs and telecoms utilities companies only)
- reviewing of access control services - quality and resilience of facilities (hardware and software, identification / authentication services)
- reviewing and assessment of access control services - quality of security management
- reviewing and assessment of encryption methods - resilience and implementation
Computer Forensics Methods (4)
- setting up of pro-active monitoring in order to detect unauthorised or suspect activity
- monitoring of e-mail
- use of special "alarm" or "trace" programs
- use of "honey pots"
- interaction with third parties, e.g. suppliers, emergency response teams, law enforcement agencies
- reviewing and assessment of measuring devices, etc. and other sources of real evidence, including service logs, fault records, etc.
- use of routine search programs to examine the contents of a file
- use of purpose-written search programs to examine the contents of a file
Computer Forensics Methods (5)
- reconciliation of multi-source files
- examination of telecoms devices, location of associated activity logs and other records perhaps held by third parties
- event reconstruction
- complex computer intrusion
- complex fraud
- system failure
- disaster affecting computer driven machinery or process
- review of "expert" or rule-based systems
- reverse compilation of suspect code
- use of computer programs which purport to provide simulations or animations of events: review of accuracy, reliability and quality