> S0402139 – Paper on Computer Forensics < 1

Computer Forensics – Prevention and Solving Computer Crime Activity

Liddament, I. Member, IEEE, BCS

Abstract - An increase in computer and internet-related crime activity has resulted in the study of computer forensics, development of computer forensic tools, and the introduction of government legislation for the prevention and resolving of such crimes.

This article examines the use of computer crime methods and forensic technologies that may be used for the prevention or solving of such crimes. The paper will conclude with suggestions on how computer forensic technologies may be developed in the future.

Index Terms: Computer Forensics, Digital Evidence, Computer Forensic Tools, Government Legislation

I. INTRODUCTION

Due to rapid technological advancements, there has been an increase in the number of individuals and organisations that use computers and the Internet, and that are responsible for committing computer and internet-related crime activities.

However, this is not limited to computers and the internet, but also extends to other programmable electronic devices, such as mobile phones and Personal Digital Assistants.

This study discusses various computer crime activities, and investigates the technologies used for their prevention or solving.

This report will discuss 1) the Background of Computer Forensics, 2) Computer Crime Activities, 3) Computer Forensic Technologies, and 4) Future Development in Computer Forensics.

II. BACKGROUND OF COMPUTER FORENSICS

Computer Forensics is the practice of gathering, analysing, and preserving data from digital media (computers, mobile phones, etc.) in an accurate form that is admissible as evidence in a court of law. Therefore, it is important that computer forensic specialists follow clearly defined methodologies and procedures.

Kruse and Heiser (2008) suggest that the collection of evidence for computer forensics follows a similar approach to that of a murder scene investigation. It periodically looks for evidence within the electronic device at the crime scene, takes samples of the crime scene, and includes an analysis of control samples that can be compared to other evidence.

The basic methodology that is employed by specialists will aim to:

1. Acquire the evidence without altering or damaging the original – this extends to law enforcement agencies and the computer forensic specialists who are called to the crime scene. In the instance that evidence is contaminated by alteration or damage, it will cease to hold validity in a court of law.

2. Authenticate that your recovered evidence is the same as the originally seized data – an audit trail of the evidence should be carried out to ensure that recovered evidence is not contaminated, and does not compromise the reliability of the original seized data.

3. Analyse the data without modifying it – this means that computer forensic specialists should ensure that analysis results are not tampered with, as this will compromise the evidence presented in a court of law.

This methodology ensures that all evidence presented as part of a computer crime is admissible in a civil or criminal court.

In addition to using methodologies, computer forensic specialists may employ various related technologies to help solve computer crimes. However, it is first necessary to understand the various types of computer crime activity.

III. COMPUTER CRIME ACTIVITIES

Unfortunately, there are individuals and organisations who misuse computer devices to commit crimes that may harm individuals or organisations, and give no regard to the various Computer and Internet laws or acts, such as the Computer Misuse Act and Data Protection Act. These crimes are discussed in this section.

Computer Attacks

There is a possibility of individuals making attacks on computers in an attempt to access valuable personal information that is stored. This information may be used for illegal activity, such as identity theft or fraud. The individual may use malicious software to get the required information that is stored on the computer, which may include

Another example of a computer attack is using ‘phishing’. The phisher will direct a computer user to a fraudulent website, where they can retrieve the necessary personal information for the theft of an identity.

An instance of where this has occurred includes the HSBC online banking system and myspace.com, where users were directed to a replicated website that stole their personal information for purposes of eliciting money transfers or stealing contact details, and sending spam emails. Phishing has been responsible for stealing the bank and credit details of individuals and organisations.

Other computer attacks may involve a ‘hacker’ infiltrating a computer or network to install a virus, which will give them control of the computer to delete stored data of an individual or organisation.

The targets of computer attacks are not limited to individuals’ information, but also include corporate and national security information, which is not publicly available. For example, this may include information related to competitive analysis, such as sales figures or governmental information.

A recent headline in the news has involved data security losses within government agencies, such as the Child Benefit Agency and HSBC (Mortgage Account Lenders and Life Assurance Holders). This is a good instance where computer forensics may have been used to retrieve such data through recovery.

Additionally, in terms of national security information, hackers may attempt to gain access to information, such as technical details of weapon systems to neutralize military advantages.

In the problem of terrorism, this could pose a huge threat to a country’s national security. For example, if a terrorist group gained access to a weapon system as mentioned above, they could potentially trigger the activation of a nuclear weapon. This would understandably be detrimental to the world as we know it today, resulting in a global Armageddon. Therefore, it is imperative that we use the highest form of security to avoid this problem.

Storing of Inappropriate Materials

There may be individuals that use computing or mobile devices to store materials which are inappropriate in relation to government legislation.

Materials that are deemed inappropriate include:

• Child pornography
• Terrorist information that would thwart international or national security
• Holding unauthorized corporate data

Any materials that are an infringement of the Computer Misuse Act (1990) or Data Protection laws, and are stored on any computing or mobile device, may result in prosecution of the responsible individual.

Copyright Piracy

The Internet has resources whereby an internet user may illegally download music and films, either for personal or distributed use.

In the UK, this is illegal and any person(s) involved in the wide distribution of downloaded materials may be prosecuted.

Currently, Internet Service Providers are able to monitor the downloading of materials by members of their service in order to deter an individual from downloading illegal content. This has an effect on those who receive royalties for music and films in terms of financial losses.

Additionally, this is a problem because it jeopardizes the intellectual property rights and copyright of individuals or organisations.

Effectively, an individual’s work may become invalid due to its plagiarism. This is particularly a problem in Further and Higher Education repositories, which allow the depositing of academic papers or learning materials, and unless restrictions are placed upon the work, this may be a continuous problem.

Unfortunately, because there is a large number of individuals downloading content, and because of differences in international laws, it may be difficult to impose legal regulations and govern the use of materials uploaded to the Internet.

However, computer forensic technologies may help in the deterrence or solving of computer crimes.

IV. COMPUTER CRIME METHODS AND FORENSIC TECHNOLOGIES

Following on from the previous section, what methods are used by individuals in computer crime activities?

In order to understand how computer crime activities occur, and how forensic technologies are used for their prevention or solving a particular criminal case, it is important to understand what methods are available to individuals committing computer crimes.

Steganography

Steganography is the art or science of concealing information within a message, which is only readable by the sender and the intended recipient. The concept of hiding messages is to prevent a third party from being able to read or establish that a file, document, or image is concealing information.

There is a wide variety of steganography tools. However, there are individuals that may use these tools inappropriately.
For instance, individuals may use the tool to conceal messages that may thwart national or international security, or give derogatory information relating to another individual or organization.

A current problem relating to the Internet is that steganography software is available as freeware, making it difficult to impose laws to regulate its use for inappropriate activity.

Encryption

In contrast to steganography, encryption can be easily seen to be encoding a hidden message.

Encryption is used within cryptography to encode information using algorithms known as a cipher, which is referred to as a key. It is commonly used by military and government organisations, although it is now being used for civilian systems. Examples of where encryption is used relate to computer networks, mobile telephones, Bluetooth devices, and bank cash machines.

Again, as with steganography, individuals may use encryption in an inappropriate manner to hide messages that could jeopardize individual, corporate, or national security.

In addition, these methods could be used for concealing information on hard disks, optical drives, and removable disks, such as USB pens and flash drives.

However, it is important to understand that encryption needs to use additional methods, such as verification of a message authentication code, and digital signature. There are standards and cryptography software and hardware that are widely available to perform encryption.

Computer Forensic Technologies

It is not all doom and gloom though, as it is possible to use computer forensic technologies to break the codes within steganography and encryption.

The technologies discussed include steganalysis and decryption.

Steganalysis. This is the art or science of detecting messages that are hidden using steganography; this is similar to cryptanalysis used in cryptography, which is used to decrypt messages that are encrypted.

The method used for steganalysis involves the identification of several suspected information streams to determine whether they have hidden messages encoded in them. This may include looking at a variety of files, such as word documents, images, or audio files. The primary goal of this technique is to recover the information hidden in the file.

The various techniques associated with this include:

1. The finding of unusual patterns using filters of disk analysis utilities. A disadvantage of this technique is that firewalls may be configured to filter out packets that contain inappropriate data in reserved fields.

2. Visual detection can be used for analyzing repetitive patterns, which may reveal a steganography tool or hidden information. This technique involves comparing the original cover message to the steganography image and noting any visible differences. This is a known-carrier attack, which will allow the comparison of several images to analyse emerging patterns to show the signatures of a steganography tool.

Cryptanalysis. In comparison to steganalysis, cryptanalysis shows evidence that intercepted encrypted data contains a message.

Cryptanalysis is effectively the science of code-breaking or cracking codes using algorithms to extract the required cipher or key.

Cryptanalytic methods employed by intelligence agencies currently remain unpublished. However, there are some methods which have been published on the Internet, including differential and linear cryptanalysis.

Differential Cryptanalysis. This is primarily concerned with block ciphers, although it may be applied to stream ciphers and cryptographic hash functions.

The analysis uses pairs of plaintext that are related by a constant difference. The analyst will then compute the difference of ciphertexts to detect statistical patterns in their distribution. The resulting pair of differences is known as a differential. The analyst will analyse the differentials using the following equation:

(ΔX,ΔY), where (and denotes exclusive or) for each such S-box S.

An S-box is a component of the cryptographic system, which uses a substitution box or table to input and output values.

The equation shown above allows the cryptanalyst to find a statistical correlation between the key values and cipher transformations. They will then use plaintext to develop the key.

In a basic analysis, one ciphertext is expected to be frequent, to distinguish a more random one.

Linear Cryptanalysis. This is an alternative method used for block ciphers and stream ciphers. It is used to find a linear approximation for keyed S-boxes in a cipher to reveal the key that has been used for a particular action.

The discovery of linear cryptanalysis is attributed to Mitsuru Matsui, who applied this method to FEAL, which was
developed in 1987, and is an alternative method to the Data Encryption Standard. He went on to publish an attack on the Data Encryption Standard, which led to the first experimental cryptanalysis of a cipher in an open community (Matsui, 1993; 1994).

Subsequently, there have been suggestions of refinements to the attack using multiple linear approximations or using non-linear expressions.

This method will often be part of new cipher designs for security purposes.

An equation that may be used to extract these approximations will be an affine transformation equation.

The following equation is associated with mapping parallel data that may be used in relation to S-boxes.

In addition to these technologies, there are also acquisition technologies that may be used to extract hidden information or files.

Acquisition Technologies

In relation to child pornography, the government can only consider introducing laws to prevent computer and internet users from downloading such inappropriate content. However, due to the mass scale of the internet, it is difficult to impose legal restrictions on the uploading and downloading of child pornography.

However, this can be monitored through ‘watching’ the users’ activities on the internet. One way to help convict an individual of such crimes would be to use forensic technologies relating to acquisition of the downloaded materials.

Although an individual may try methods of deleting information from their computer, they will leave traces of the deleted files on the hard disk. This is not just true for the hard disk, but also optical drives, USB drives, Flash drives, and other memory cards that are used in mobile phones or personal digital assistants etc.

Therefore, computer forensic specialists will need to use relevant computer forensic methods for memory and hardware acquisition for files which are hidden.

This will involve identifying the system layers where evidence could be hidden. These are known as layers of abstraction, which can be defined as a function of inputs and outputs (Carrier, 2003). This technique allows investigators to identify the expected data, which can then be ignored when searching for evidence.

Data may be hidden in the bad sectors or tracks of a hard disk. The figure below shows a diagram of a hard disk.

[Figure 1: diagram of a hard disk. A – Track, B – Sector Track, C – Sector, D – Cluster]

To allow the admissibility of the hard disk as evidence in a court of law, the specialist will create a bit-stream image of the original storage device and confirm that the copy is identical using a checksum algorithm. This algorithm uses one value based on the input from a copy, and another value based on the device being copied. This will allow testing for irregularities and any contamination to the evidence.

Other areas that may need searching include hidden data in partitions and the file system, after which the specialist will use steganalysis and cryptanalysis for decoding and decrypting any extracted data.

It is important to note that the retrieval of hidden files is a difficult task and may be time-consuming.

V. FUTURE DEVELOPMENTS

Following on from the findings of this study, this section gives suggestions on how computer forensics may be developed in the future for the prevention and solving of computing device-related crime.

As suggested by this study, it is important that citizens of any country with the luxury of using computers adhere strictly to computer and internet laws. A suggestion to govern the computer and internet-related activity of individuals and organisations would be to establish an International Regulatory Body to introduce relevant laws to prevent any misuse for any crime-related activity.

In relation to further and higher education, a possible suggestion would be to incorporate a security feature into existing repositories for academic materials. This would allow contributors to restrict the use of their materials for such acts of plagiarism, and infringement of intellectual property rights, copyright, or digital rights management.

Additionally, this study suggests that as computer crimes evolve with technological advancements, computer forensic specialists will have to improve their tools for the extraction of evidence that is admissible in court.

This means that steganalysis and cryptanalysis methods will have to be improved and changed as criminals become ever more intelligent in analyzing these methods for use in computer crime activities, such as infiltrating an individual's or organisation's computer system. This may be resolved by developing new and more complex algorithms to avoid code breaking to hack into systems or files, which are not publicly available.

Finally, the specialists of computer forensics will have to adapt their methodologies and technologies to ensure that crimes are solved or prevented, as the future may see figures of computer crimes growing, and becoming more intelligent.
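
The image verification described under Acquisition Technologies, as an added example that is not part of the paper: it hashes the source and its bit-stream image and, when they differ, reports which byte windows do not match. SHA-256, the 4096-byte window, the function names and the in-memory sample device are assumptions of the example; the paper only speaks of a checksum algorithm.

```python
import hashlib
import io

CHUNK = 4096  # bytes per hashed window (assumption made for this example)


def hash_stream(stream, chunk=CHUNK):
    """Return (whole-stream SHA-256 hex, list of per-window SHA-256 hex)."""
    whole = hashlib.sha256()
    windows = []
    while True:
        block = stream.read(chunk)
        if not block:
            break
        whole.update(block)
        windows.append(hashlib.sha256(block).hexdigest())
    return whole.hexdigest(), windows


def verify_image(original, image, chunk=CHUNK):
    """Compare a source device stream with its bit-stream image.

    Returns both digests, a match flag, and the (start, end) byte offsets
    of every window whose hash differs. A window that exists on only one
    side (truncated or padded image) is reported as a mismatch too.
    """
    src_digest, src_windows = hash_stream(original, chunk)
    img_digest, img_windows = hash_stream(image, chunk)
    bad = []
    for i in range(max(len(src_windows), len(img_windows))):
        a = src_windows[i] if i < len(src_windows) else None
        b = img_windows[i] if i < len(img_windows) else None
        if a != b:
            bad.append((i * chunk, (i + 1) * chunk - 1))
    return {"source_sha256": src_digest, "image_sha256": img_digest,
            "match": src_digest == img_digest, "mismatched_ranges": bad}


# Constructed sample data standing in for a seized device (not real evidence).
DEVICE = bytes(range(256)) * 64        # 16 KiB "disk"
GOOD_IMAGE = bytes(DEVICE)             # faithful bit-stream copy
BAD_IMAGE = bytearray(DEVICE)
BAD_IMAGE[9000] ^= 0x01                # one flipped bit, inside window 2

if __name__ == "__main__":
    print(verify_image(io.BytesIO(DEVICE), io.BytesIO(GOOD_IMAGE)))
    print(verify_image(io.BytesIO(DEVICE), io.BytesIO(bytes(BAD_IMAGE))))
```

Recording the two whole-stream digests at acquisition time gives the audit trail called for in step 2 of the methodology; the per-window list only narrows down where a copy went wrong.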
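
The known-carrier comparison described under Steganalysis, as an added example that is not part of the paper: it XORs a suspect file against the original cover and reports which bit planes were altered. It assumes the tool under examination changes least-significant bits, which the paper does not specify; the function name and all sample byte strings are constructed for the example.

```python
def compare_to_cover(cover, suspect):
    """Known-carrier comparison: XOR each suspect byte with the cover byte
    and record which bit planes (0 = least significant) were altered."""
    if len(cover) != len(suspect):
        raise ValueError("cover and suspect must have the same length")
    plane_counts = [0] * 8
    changed = 0
    for c, s in zip(cover, suspect):
        diff = c ^ s
        if diff:
            changed += 1
            for bit in range(8):
                plane_counts[bit] += (diff >> bit) & 1
    return {
        "changed_bytes": changed,
        "changed_ratio": changed / len(cover) if cover else 0.0,
        "plane_counts": plane_counts,
        # Changes confined to bit 0 are invisible to the eye and are the
        # signature of least-significant-bit embedding, not ordinary editing.
        "lsb_only": changed > 0 and sum(plane_counts[1:]) == 0,
    }


# Constructed samples (not real evidence): 300 "pixel" bytes of a cover,
# a suspect copy whose lowest bit differs in every third byte, and an
# ordinary brightness edit of the same cover for contrast.
COVER = bytes((i * 7) % 256 for i in range(300))
SUSPECT = bytes(b ^ 1 if i % 3 == 0 else b for i, b in enumerate(COVER))
EDITED = bytes(min(255, b + 3) for b in COVER)

if __name__ == "__main__":
    for name, data in (("suspect", SUSPECT), ("edited", EDITED)):
        result = compare_to_cover(COVER, data)
        print(name, result["changed_bytes"], result["plane_counts"],
              "LSB-only" if result["lsb_only"] else "mixed planes")
```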
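
The S-box analysis described under Differential Cryptanalysis, as an added example that is not from the paper: it tabulates how often each input difference ΔX produces each output difference ΔY = S(X) ⊕ S(X ⊕ ΔX), the table a cipher designer inspects for high-count entries. The 4-bit S-box (the first row of DES S-box S1) and all function names are choices made for the example.

```python
# 4-bit S-box chosen for this example: the first row of DES S-box S1.
# It does not appear in the paper.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def difference_distribution_table(sbox):
    """ddt[dx][dy] = number of inputs x with S(x) XOR S(x XOR dx) == dy."""
    n = len(sbox)
    ddt = [[0] * n for _ in range(n)]
    for dx in range(n):
        for x in range(n):
            dy = sbox[x] ^ sbox[x ^ dx]
            ddt[dx][dy] += 1
    return ddt


def best_differential(ddt):
    """Return (dx, dy, count) of the most frequent non-trivial differential.

    dx == 0 is skipped: identical inputs always give identical outputs.
    """
    best = (0, 0, 0)
    for dx in range(1, len(ddt)):
        for dy, count in enumerate(ddt[dx]):
            if count > best[2]:
                best = (dx, dy, count)
    return best


def keyed_pair_count(sbox, dx, dy, key):
    """Count inputs for which (dx -> dy) holds when a key is XORed in
    before the S-box. The count is the same for every key, which is why
    the bias survives key mixing and can be observed from the outside."""
    return sum(1 for x in range(len(sbox))
               if sbox[x ^ key] ^ sbox[x ^ dx ^ key] == dy)


if __name__ == "__main__":
    table = difference_distribution_table(SBOX)
    dx, dy, count = best_differential(table)
    print(f"best differential: {dx:X} -> {dy:X} holds for {count}/16 inputs")
    # An ideal random mapping would spread each row evenly; a designer
    # rejects S-boxes whose largest entry is far above that.
    print([keyed_pair_count(SBOX, dx, dy, k) for k in range(16)])
```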

VI. REFERENCES

http://www.mi5.gov.uk/output/Page567.html

http://www.lancs.ac.uk/iss/rules/cmisuse.htm#definition

http://www.cotse.com/tools/stega.htm
http://en.wikipedia.org/wiki/Encryption

http://en.wikipedia.org/wiki/Steganalysis

http://wordnet.princeton.edu/perl/webwn?s=analogous

http://www.infosyssec.com/infosyssec/Steganography/steganalysis.htm

http://en.wikipedia.org/wiki/Cryptanalysis#Modern_cryptanalysis

http://en.wikipedia.org/wiki/Differential_cryptanalysis#Attack_mechanics

http://en.wikipedia.org/wiki/Linear_cryptanalysis

http://members.fortunecity.co.uk/berndroellgen/cryterms.html

http://en.wikipedia.org/wiki/Industrial_espionage

http://www.internetrights.org.uk/index.shtml?AA_SL_Session=8fa795873994ed10dd54938b98227a99&x=605

http://www.digital-evidence.org/papers/ijde_define.pdf

http://icrontic.com/articles/how_hard_drives_work

http://www.digitalforensics.ch/nikkel05.pdf
