LET’S TALK ABOUT - COMPUTER FORENSICS
PART 1
BASIC CONCEPT
Computer forensics (also known as computer forensic science) is a branch of digital forensic science pertaining to evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information.
The discipline involves techniques and principles similar to those of data recovery, but with additional guidelines and practices designed to create a legal audit trail. Although it is most often associated with the investigation of a wide variety of computer crime, computer forensics may also be used in civil proceedings. NOTE: such crimes include child pornography, abuse, unauthorized material, copyright infringement, illegal software, virus writing and related activity, hacking, and stealing and selling personal and business information.
Evidence from computer forensics investigations is usually subjected to the same guidelines and practices as other digital evidence.
OVERVIEW
In the early 1980s personal computers became more accessible to consumers, leading to their increased use in criminal activity. At the same time, several new "computer crimes" were recognized (such as hacking). The discipline of computer forensics emerged during this time as a method to recover and investigate digital evidence for use in court. Since then computer crime and computer-related crime has grown, jumping 67% between 2002 and 2003. Today it is used to investigate a wide variety of crime, including child pornography, fraud, espionage, cyberstalking, murder and rape. The discipline also features in civil proceedings as a form of information gathering.
Forensic techniques and expert knowledge are used to explain the current state of a digital artifact, such as a computer system, a storage medium (e.g. a hard disk or CD-ROM) or an electronic document (e.g. an email message or JPEG image). The scope of a forensic analysis can vary from simple information retrieval to reconstructing a series of events.
Practitioners have described the discipline as "more of an art than a science", indicating that forensic methodology relies on flexibility and extensive domain knowledge rather than on a fixed procedure.
FORENSIC PROCESS
Computer forensic investigations usually follow the standard digital forensic process, in four phases:
1. Acquisition
2. Examination
3. Analysis, and
4. Reporting
Investigations are performed on static data (i.e. acquired images) rather than "live" systems. This is a change from early forensic practice, when a lack of specialist tools led investigators to commonly work on live data.
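The acquisition phase above produces the static image that the later phases work on, and the "forensically sound" requirement means the image must be shown to match the source. The following is an added example, not code from the original post: it images a constructed "device" file block by block, records a whole-image SHA-256 plus a per-block (piecewise) hash list, and shows that later verification can pinpoint which block was altered. Paths, block size and the sample data are all constructed for the example.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 512  # one sector here; real acquisitions use much larger blocks

def acquire(source_path: str, image_path: str, block_size: int = BLOCK_SIZE):
    """Copy the source block by block; return (whole-image sha256, per-block sha256 list).

    The per-block list is piecewise hashing: if the image is later altered,
    verify() can report which block changed, not just that the overall hash
    no longer matches.
    """
    whole, pieces = hashlib.sha256(), []
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while chunk := src.read(block_size):
            whole.update(chunk)
            pieces.append(hashlib.sha256(chunk).hexdigest())
            dst.write(chunk)
    return whole.hexdigest(), pieces

def verify(image_path: str, whole_hash: str, pieces: list, block_size: int = BLOCK_SIZE):
    """Re-hash the image; return (ok, indexes of blocks that no longer match)."""
    whole, bad, i = hashlib.sha256(), [], 0
    with open(image_path, "rb") as img:
        while chunk := img.read(block_size):
            whole.update(chunk)
            if i >= len(pieces) or hashlib.sha256(chunk).hexdigest() != pieces[i]:
                bad.append(i)
            i += 1
    bad.extend(range(i, len(pieces)))  # blocks missing if the image was truncated
    return whole.hexdigest() == whole_hash and not bad, bad

def demo():
    """Constructed scenario: image a 4-sector 'device', verify it, then alter one byte in sector 2."""
    tmp = tempfile.mkdtemp()
    device, image = os.path.join(tmp, "device.bin"), os.path.join(tmp, "device.dd")
    with open(device, "wb") as f:
        f.write(bytes(range(256)) * 8)  # 2048 bytes = 4 sectors of 512
    whole, pieces = acquire(device, image)
    ok_before, _ = verify(image, whole, pieces)
    with open(image, "r+b") as f:  # simulate post-acquisition tampering or media damage
        f.seek(2 * BLOCK_SIZE + 10)
        f.write(b"\x00")
    ok_after, bad = verify(image, whole, pieces)
    return ok_before, ok_after, bad

if __name__ == "__main__":
    print(demo())  # (True, False, [2])
```

Recording the hashes together with who imaged the media and when is what turns this into the legal audit trail the post refers to.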
TECHNIQUES
- CROSS-DRIVE ANALYSIS: A forensic technique that correlates information found on multiple hard drives. The process, still being researched, can be used to identify social networks and to perform anomaly detection.
- LIVE ANALYSIS: The examination of computers from within the operating system using custom forensics or existing sysadmin tools to extract evidence. The practice is useful when dealing with Encrypting File Systems.
- DELETED FILES: A common technique used in computer forensics is the recovery of deleted files. Modern forensic software has its own tools for recovering or carving out deleted data. Most operating systems and file systems do not always erase physical file data, allowing investigators to reconstruct it from the physical disk sectors. File carving involves searching for known file headers within the disk image and reconstructing deleted material.
- STOCHASTIC FORENSICS: A method which uses stochastic properties of the computer system to investigate activities lacking digital artifacts. Its chief use is to investigate data theft.
- STEGANOGRAPHY: One of the techniques used to hide data is steganography, the process of hiding data inside a picture or digital image. An example would be to hide pornographic images of children or other information that a given criminal does not want to have discovered. Computer forensics professionals can fight this by looking at the hash of the file and comparing it to the original image (if available). While the image appears exactly the same, the hash changes as the data changes.
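The file-carving technique from the DELETED FILES item, as an added example that is not part of the original post: the carver scans raw image bytes for known JPEG and PNG headers, cuts each file at its trailer, skips headers whose remainder was overwritten, and hashes each carved file so it can be compared against known hashes as the STEGANOGRAPHY item suggests. The signature table and the disk image are constructed for the example.

```python
import hashlib

# Header bytes and the trailer that ends the file, for the types this carver
# recognises (a constructed table for the example, not from the original post).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}

def carve(image: bytes, max_size: int = 10 * 1024 * 1024):
    """Scan raw image bytes for known headers; return (type, offset, data) tuples.

    The search ignores file-system metadata entirely, which is why it can
    recover deleted files whose sectors have not yet been overwritten.
    """
    found = []
    for kind, (header, trailer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(trailer, pos + len(header), pos + max_size)
            if end == -1:
                # Header with no trailer in range: the file was truncated or
                # partly overwritten, so skip it rather than carve garbage.
                pos = image.find(header, pos + 1)
                continue
            end += len(trailer)
            found.append((kind, pos, image[pos:end]))
            pos = image.find(header, end)
    return sorted(found, key=lambda f: f[1])

def sha256(data: bytes) -> str:
    """Hash each carved file so it can be matched against known-file hashes."""
    return hashlib.sha256(data).hexdigest()

# Constructed disk image: a sector of zeros, a small JPEG, free space, a small
# PNG, and finally a JPEG header whose remainder was overwritten.
JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 20 + b"\xff\xd9"
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17 + b"IEND\xae\x42\x60\x82"
DISK_IMAGE = (b"\x00" * 512 + JPEG + b"\xff" * 100 + PNG + b"\x00" * 64
              + b"\xff\xd8\xff\xe1" + b"\x00" * 30)

if __name__ == "__main__":
    for kind, offset, data in carve(DISK_IMAGE):
        print(f"{kind} at offset {offset}: {len(data)} bytes, sha256 {sha256(data)[:16]}...")
```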
DATA EVIDENCE AND TECHNICAL ASPECTS (known as VOLATILE DATA)
When seizing evidence, if the machine is still active, any information stored solely in RAM that is not recovered before powering down may be lost. One application of "live analysis" is to recover RAM data prior to removing an exhibit. CaptureGUARD Gateway bypasses Windows login for locked computers, allowing for the analysis and acquisition of physical memory on a locked computer.
RAM can be analyzed for prior content after power loss, because the electrical charge stored in the memory cells takes time to dissipate, an effect exploited by the cold boot attack. The length of time that data is recoverable is increased by low temperatures and higher cell voltages. Holding unpowered RAM below −60 °C helps preserve residual data by an order of magnitude, improving the chances of successful recovery. However, it can be impractical to do this during a field examination.
Some of the tools needed to extract volatile data, however, require that a computer be in a forensic lab, both to maintain a legitimate chain of evidence and to facilitate work on the machine. Law enforcement applies techniques to move a live, running desktop computer. These include a mouse jiggler, which moves the mouse rapidly in small movements and prevents the computer from going to sleep accidentally. Usually, an uninterruptible power supply (UPS) provides power during transit.
However, one of the easiest ways to capture data is by actually saving the RAM data to disk. Various file systems that have journaling features, such as NTFS and ReiserFS, keep a large portion of the RAM data on the main storage media during operation, and these page files can be reassembled to reconstruct what was in RAM at that time.
ANALYSIS TOOLS
A number of open source and commercial tools exist for computer forensics investigation. Typical forensic analysis includes a manual review of material on the media, reviewing the Windows registry for suspect information, discovering and cracking passwords, keyword searches for topics related to the crime, and extracting e-mail and pictures for review.
LET ME KNOW YOUR COMMENTS