Computer Forensics Mitchell Potter Brent Thompson

1
Computer ForensicsMitchell PotterBrent Thompson
2
What is Computer Forensics?

• It is the collection, preservation, analysis, and
  court presentation of computer-related evidence.
• Involves the identification, preservation,
  extraction, documentation, and interpretation of
  this digital evidence.

3
Computer Forensics vs. Physical Forensics

• Physical forensics focuses on identification and
  individualization
• Both of those processes compare an item from a
  crime scene to identify the class of the item
• Computer forensics focuses on finding the
  evidence and analyzing it

4
Why is Computer Forensics Needed?

• Computer evidence is fragile and can be easily
  erased or compromised unless special handling is
  used.
• Forensic tools use non-invasive techniques to
  recover deleted, hidden, and temporary files that
  could be critical to an investigation and are
  invisible to normal users.

5
Who Needs the Digital Evidence?

• Law Enforcement
• Military
• Security Agencies (Secret Service, CIA, FBI, NSA)
• Company execs

6
What is Possible with Computer Forensics?

• Recovery of deleted data
• Discovery of when files were modified, created,
  deleted and organized
• What applications were installed
• Which websites have been visited

7
What is Not Possible

• If the digital media is completely (physically)
  destroyed, recovery is impossible
• If digital media is securely overwritten,
  recovery is very complicated or impossible

8
Examples on When Computer Forensics is Needed.

• Insurance fraud
• Illegal software uses
• Hacking
• Email misuse
• Money laundering
• Destruction/altering of data
• Intellectual property theft

9
Examples of Digital Evidence

• Documents
• Spreadsheets
• Emails/Attachments
• Programs
• Databases
• Internet Activity
• Temporary Files
• Deleted Files
• Other media such as CDs, removable drives, disks
  etc.

10
Sources of Digital Evidence

• Cell Phones
• Landline phones and answering machines
• Video games systems, especially Xbox
• GPS devices
• Digital cameras
• Computers

11
Computer Forensics Steps

• Send a preservation of evidence letter to all
  parties
• Analysis of what you are searching for
• Collect all media for analysis
• Interview witnesses about computer usage (if
  corporate or shared computer)
• Make copies of residual data
• Write-protect and virus check all media
• Preserve the Chain of Custody
• Examine the evidence
• Authenticate the Evidence

12
Computer Forensics Methods

• Safe seizure of computer systems and collection
  of data
• Copy the data before analysis
• Review the data, recover deleted files
• Keep detailed reports of all findings

13
Computer Forensics Elements

• Check-lists to support each methodology
• The possibility of repeat tests to be carried out
• Anticipation of criticism of each methodology
• Well defined procedures to address all tasks done
  during the analysis of the digital evidence

14
Computer Statistics

• 95 of the Worlds information is being generated
  and stored in digital form.
• Only about a third of that information is printed
  out.
• Emails can be on the senders computer, servers in
  between, and backups
• 1 TB hard drive would require 50,000 trees to be
  turned into paper

15
Computer Forensics Challenges

• Being able to demonstrate the authenticity of the
  evidence
• Integrity and security of data is an issue in
  courts
• Acceptance of computer technology by judges,
  jury, etc.
• Establishing the chain of custody

16
Why Computer Crime is Hard to Prosecute.

• Lack of understanding of technology
• Lack of physical evidence
• Complexity of cases

17
Examples of Computer Forensic Tools

• EnCase is used to make forensic copies of data
  and recover deleted data
• Helix is used for copying of hard drives and
  analyzing
• Password crackers or recovery
• Checksum generators
• PDA and Cell phone decryptors
• Mail, cookies, and digital image recovery and
  analysis

18
Questions?