
Computer Forensics

By: D.Rama Sumanth 083R1A0551 CSE

Abstract:
In today's day and age, there is no such thing as 100% secure. But with the stroke of a key, the bad guys can erase all of their data and hide their tracks when using computers for not so legal purposes, or can they? Just because you hit the delete key doesn't mean that the evidence is gone. Today, there is a growing demand for computer forensics professionals to aid in the fight against those that would use the very technology we depend on against us. We see the evidence every day: identity theft, viruses, malware, computer intrusion and more. But what about the things we don't think or hear about? The programs, or emails, even the downloaded corporate espionage that we only used to read about. What about those threats such as the latest and greatest viruses that attack our cell phones, PDAs, etc.? Law enforcement is in a perpetual race with criminals in the application of digital technologies, and requires the development of tools to systematically search digital devices for pertinent evidence. Another part of this race, and perhaps more crucial, is the development of a methodology in digital forensics that encompasses the forensic analysis of all genres of digital crime scene investigations. This paper explores the development of computer forensics, its basics, anti-forensics and computer forensics tools.

Introduction
The field of computer forensics is relatively young. In the early days of computing, courts considered evidence from computers to be no different from any other kind of evidence. As computers became more advanced and sophisticated, opinion shifted -- the courts learned that computer evidence was easy to corrupt, destroy or change.

Investigators realized that there was a need to develop specific tools and processes to search computers for evidence without affecting the information itself. Detectives partnered with computer scientists to discuss the appropriate procedures and tools they'd need to use to retrieve evidence from a computer. Gradually, they developed the procedures that now make up the field of computer forensics.

Usually, detectives have to secure a warrant to search a suspect's computer for evidence. The warrant must include where detectives can search and what sort of evidence they can look for. In other words, a detective can't just serve a warrant and look wherever he or she likes for anything suspicious. In addition, the warrant's terms can't be too general. Most judges require detectives to be as specific as possible when requesting a warrant.

Every computer investigation is somewhat unique. Some investigations might only require a week to complete, but others could take months. Here are some factors that can impact the length of an investigation:

- The expertise of the detectives
- The number of computers being searched
- The amount of storage detectives must sort through
- Whether the suspect attempted to hide or delete information
- The presence of encrypted files or files that are protected by passwords

Phases of a Computer Forensics Investigation

Judd Robbins, a computer scientist and leading expert in computer forensics, lists the following steps investigators should follow to retrieve computer evidence:

1. Secure the computer system to ensure that the equipment and data are safe.
2. Find every file on the computer system, including files that are encrypted, protected by passwords, hidden or deleted, but not yet overwritten.
3. Recover as much deleted information as possible using applications that can detect and retrieve deleted data.
4. Reveal the contents of all hidden files with programs designed to detect the presence of hidden data.
5. Decrypt and access protected files.
6. Analyze special areas of the computer's disks, including parts that are normally inaccessible.
7. Document every step of the procedure.
8. Be prepared to testify in court as an expert witness in computer forensics.

All of these steps are important, but the first step is critical. If investigators can't prove that they secured the computer system, the evidence they find may not be admissible. It's also a big job. In the early days of computing, the system might have included a PC and a few floppy disks. Today, it could include multiple computers, disks, thumb drives, external drives, peripherals and Web servers.

Some criminals have found ways to make it even more difficult for investigators to find information on their systems. They use programs and applications known as anti-forensics. Detectives have to be aware of these programs and how to disable them if they want to access the information in computer systems.
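As an added illustration of steps 2 and 3 (finding and recovering deleted files that have not yet been overwritten), the following Python script is not from the paper and not a particular product's code. It implements a simple header/footer file carver of the kind file-recovery tools use, run over a constructed raw image in which a small PNG and a JPEG-like fragment sit between filler bytes. The signature table, the sample image and the function names are assumptions made for the example. Each carved artifact is hashed with SHA-256 so that it can be recorded in the examiner's notes (step 7).

```python
import hashlib
import os
import struct
import zlib

# Signature table (constructed subset): kind -> (header bytes, footer bytes).
# A real carver would carry many more types and, for JPEG, validate the
# segment structure rather than trust the first FFD9 it sees.
SIGNATURES = {
    "jpg": (b"\xFF\xD8\xFF", b"\xFF\xD9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xAE\x42\x60\x82"),
}


def carve(image: bytes, max_size: int = 10 * 1024 * 1024):
    """Scan a raw image for header/footer pairs and return the carved artifacts.

    Each artifact is a dict with kind, byte offset, size, SHA-256 and data.
    Deleted files whose clusters have not been reused are still present in the
    raw bytes, which is why this works without any filesystem metadata.
    """
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            end = image.find(footer, start + len(header))
            if end < 0 or end - start > max_size:
                pos = start + 1  # no plausible footer: skip this header
                continue
            end += len(footer)
            data = image[start:end]
            found.append({
                "kind": kind,
                "offset": start,
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
                "data": data,
            })
            pos = end
    return sorted(found, key=lambda a: a["offset"])


def export(artifacts, outdir: str):
    """Write each artifact to outdir, named by offset and hash so the notes can cite it."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for a in artifacts:
        path = os.path.join(outdir, f"{a['offset']:08x}_{a['sha256'][:12]}.{a['kind']}")
        with open(path, "wb") as fh:
            fh.write(a["data"])
        paths.append(path)
    return paths


def make_png() -> bytes:
    """Build a valid 1x1 RGB PNG (constructed sample, not taken from a real disk)."""
    def chunk(tag: bytes, data: bytes) -> bytes:
        body = tag + data
        crc = zlib.crc32(body) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    raw = b"\x00\xFF\x00\x00"  # filter byte + one red pixel
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))


def build_sample_image() -> bytes:
    """Constructed 'unallocated space': filler, a JPEG-like fragment, filler, a PNG, filler."""
    filler = bytes(range(256)) * 4  # 1024 bytes; never contains a signature
    jpeg_like = b"\xFF\xD8\xFF\xE0" + b"JFIF-like payload (constructed)" + b"\xFF\xD9"
    return filler + jpeg_like + filler + make_png() + filler


def recover_from_sample():
    return carve(build_sample_image())


if __name__ == "__main__":
    for a in recover_from_sample():
        print(f"{a['kind']} at offset {a['offset']} ({a['size']} bytes) sha256={a['sha256']}")
```

On a real case the image passed to carve would be the verified forensic copy, never the original media, and the carved output would be hashed and logged before any analysis, which is the same point step 7 makes.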

Anti-Forensics
Anti-forensics can be a computer investigator's worst nightmare. Programmers design anti-forensic tools to make it hard or impossible to retrieve information during an investigation. Essentially, anti-forensics refers to any technique, gadget or software designed to hamper a computer investigation.

There are dozens of ways people can hide information. Some programs can fool computers by changing the information in files' headers. A file header is normally invisible to humans, but it's extremely important -- it tells the computer what kind of file the header is attached to. Some programs let you change the information in the header so that the computer thinks it's a different kind of file. Detectives looking for a specific file format could skip over important evidence because it looked like it wasn't relevant. It's also possible to hide one file inside another. Executable files -- files that computers recognize as programs -- are particularly problematic. Programs called packers can insert executable files into other kinds of files, while tools called binders can bind multiple executable files together. Encryption is another way to hide data. When you encrypt data, you use a complex set of rules called an algorithm to make the data unreadable. Without the key, detectives have to use computer programs designed to crack the encryption algorithm. The more sophisticated the algorithm, the longer it will take to decrypt it without a key. Other anti-forensic tools can change the metadata attached to files. Metadata includes information like when a file was created or last altered. Normally you can't change this information, but there are programs that can let a person alter the metadata attached to files. Imagine examining a file's metadata and discovering that it says the file won't exist for another three years and was last accessed a century ago. If the metadata is compromised, it makes it more difficult to present the evidence as reliable.

Some computer applications will erase data if an unauthorized user tries to access the system. Some programmers have examined how computer forensics programs work and have tried to create applications that either block or attack the programs themselves. If computer forensics specialists come up against such a criminal, they have to use caution and ingenuity to retrieve data. A few people use anti-forensics to demonstrate how vulnerable and unreliable computer data can be.

Standards of Computer Evidence
In the United States, the rules are extensive for seizing and using computer evidence. The U.S. Department of Justice has a manual titled "Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations." The document explains when investigators are allowed to include computers in a search, what kind of information is admissible, how the rules of hearsay apply to computer information and guidelines for conducting a search. If the investigators believe the computer system is only acting as a storage device, they usually aren't allowed to seize the hardware itself. This limits any evidence investigation to the field. On the other hand, if the investigators believe the hardware itself is evidence, they can seize the hardware and bring it to another location. For example, if the computer is stolen property, then the investigators could seize the hardware.

In order to use evidence from a computer system in court, the prosecution must authenticate the evidence. That is, the prosecution must be able to prove that the information presented as evidence came from the suspect's computer and that it remains unaltered. Another consideration the courts take into account with computer evidence is hearsay. Hearsay is a term referring to statements made outside of a court of law. In most cases, courts can't allow hearsay as evidence. The courts have determined that information on a computer does not constitute hearsay in most cases, and is therefore admissible. Courts determine this on a case-by-case basis.
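The header manipulation and metadata tampering described in the Anti-Forensics section leave inconsistencies that an examiner can check for, and spotting them is part of showing a court why the evidence should still be trusted. The following Python script is an added example, not part of the paper or of any named tool: it compares each file's extension with its leading magic bytes and checks its timestamps against the acquisition time and against each other. The magic-byte table, the acquisition date and the sample records (including a file "created" three years in the future and last accessed a century ago, as in the text) are constructed assumptions.

```python
import datetime as dt
import os

# Magic-byte table (constructed subset): extension -> leading bytes the content should carry.
MAGIC = {
    ".jpg": (b"\xFF\xD8\xFF",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".pdf": (b"%PDF-",),
    ".exe": (b"MZ",),
    ".zip": (b"PK\x03\x04",),
}


def detect_type(head: bytes) -> str:
    """Return the extension whose signature matches the leading bytes, or 'unknown'."""
    for ext, sigs in MAGIC.items():
        if any(head.startswith(s) for s in sigs):
            return ext
    return "unknown"


def check_header(name: str, head: bytes):
    """Flag a file whose extension promises one type while its header says another."""
    ext = os.path.splitext(name)[1].lower()
    if ext not in MAGIC:
        return []  # nothing to compare against for this extension
    detected = detect_type(head)
    if detected == ext:
        return []
    return [(name, "header-mismatch", f"extension {ext} but header looks like {detected}")]


def check_timestamps(name, created, modified, accessed, acquired):
    """Flag timestamps that cannot all be true for an untampered file."""
    issues = []
    for label, ts in (("created", created), ("modified", modified), ("accessed", accessed)):
        if ts > acquired:
            issues.append((name, f"future-{label}",
                           f"{label} {ts.date()} is after acquisition {acquired.date()}"))
    if modified < created:
        issues.append((name, "modified-before-created",
                       f"modified {modified.date()} precedes created {created.date()}"))
    if accessed < created:
        issues.append((name, "accessed-before-created",
                       f"accessed {accessed.date()} precedes created {created.date()}"))
    return issues


def triage(records, acquired):
    """Run both checks over (name, first bytes, created, modified, accessed) records."""
    findings = []
    for name, head, created, modified, accessed in records:
        findings += check_header(name, head)
        findings += check_timestamps(name, created, modified, accessed, acquired)
    return findings


# Constructed sample: the moment the image was acquired and three file records.
ACQUIRED = dt.datetime(2012, 3, 1, 9, 0)
SAMPLE_RECORDS = [
    # a PE executable renamed to look like a document
    ("report.pdf", b"MZ\x90\x00\x03\x00",
     dt.datetime(2011, 5, 2, 14, 0), dt.datetime(2011, 5, 2, 14, 0), dt.datetime(2012, 2, 28, 8, 0)),
    # an ordinary JPEG with consistent timestamps
    ("holiday.jpg", b"\xFF\xD8\xFF\xE0\x00\x10",
     dt.datetime(2011, 8, 10, 12, 0), dt.datetime(2011, 8, 10, 12, 5), dt.datetime(2011, 9, 1, 9, 0)),
    # metadata altered: created three years ahead, accessed a century ago
    ("notes.txt", b"Meeting notes",
     dt.datetime(2015, 3, 1, 9, 0), dt.datetime(2015, 3, 1, 9, 0), dt.datetime(1912, 3, 1, 9, 0)),
]


def triage_sample():
    return triage(SAMPLE_RECORDS, ACQUIRED)


if __name__ == "__main__":
    for name, code, detail in triage_sample():
        print(f"{name:12} {code:24} {detail}")
```

Treat "modified-before-created" as a weak signal on its own: on Windows a copied file gets a new creation time but keeps the original's modification time, so that pattern also appears on untouched systems. A timestamp later than the acquisition time, or a header that contradicts the extension, is a much stronger reason to look closer.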

Computer Forensics Tools

Programmers have created many computer forensics applications. For many police departments, the choice of tools depends on department budgets and available expertise. Here are a few computer forensics programs and devices that make computer investigations possible:

- Disk imaging software records the structure and contents of a hard drive.
- Software or hardware write tools copy and reconstruct hard drives bit by bit.
- Hashing tools compare original hard disks to copies.
- Investigators use file recovery programs to search for and restore deleted data.
- There are several programs designed to preserve the information in a computer's random access memory (RAM).
- Analysis software sifts through all the information on a hard drive, looking for specific content.
- Encryption decoding software and password cracking software are useful for accessing protected data.

These tools are only useful as long as investigators follow the right procedures. Otherwise, a good defense lawyer could suggest that any evidence gathered in the computer investigation isn't reliable. Of course, a few anti-forensics experts argue that no computer evidence is completely reliable. Whether courts continue to accept computer evidence as reliable remains to be seen. Anti-forensics experts argue that it's only a matter of time before someone proves in a court of law that manipulating computer data without being detected is both possible and plausible. If that's the case, courts may have a hard time justifying the inclusion of computer evidence in a trial or investigation.
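The authentication requirement from the Standards section (proving the evidence came from the suspect's computer and remains unaltered) is what the disk imaging, write-protecting and hashing tools listed above serve, and it is why "follow the right procedures" matters. As an added example, not from the paper or any forensic product, the Python script below images a constructed byte-buffer "device" block by block through a read-only wrapper that refuses writes, hashes the source while copying, verifies the copy against that hash, and records each action in a chain-of-custody log. The device contents, block size, examiner names and log format are assumptions.

```python
import hashlib
import io
from datetime import datetime, timezone

BLOCK_SIZE = 512  # assumed sector size for the example


class WriteBlockedDevice:
    """Read-only view of a byte buffer standing in for an evidence drive (constructed).

    Models what a hardware or software write blocker guarantees: every read succeeds,
    every write fails, so the original media cannot be altered by the examiner's tools.
    """

    def __init__(self, data: bytes, label: str):
        self._buf = io.BytesIO(data)
        self.label = label
        self.size = len(data)

    def read_block(self, index: int) -> bytes:
        self._buf.seek(index * BLOCK_SIZE)
        return self._buf.read(BLOCK_SIZE)  # partial last block, then b"" past the end

    def write(self, *_args):
        raise PermissionError(f"{self.label}: write blocked, evidence device is read-only")


def log_entry(log, action, examiner, **fields):
    """Append one chain-of-custody record: who did what, when, with which hashes."""
    entry = {"time": datetime.now(timezone.utc).isoformat(),
             "action": action, "examiner": examiner, **fields}
    log.append(entry)
    return entry


def image_device(dev, log, examiner):
    """Copy every block bit for bit, hashing as we go; returns (image, sha256 hex)."""
    sha = hashlib.sha256()
    image = bytearray()
    index = 0
    while True:
        block = dev.read_block(index)
        if not block:
            break
        image += block
        sha.update(block)
        index += 1
    digest = sha.hexdigest()
    log_entry(log, "acquire", examiner, source=dev.label,
              blocks=index, bytes=len(image), sha256=digest)
    return bytes(image), digest


def verify_image(image, expected_sha256, log, examiner):
    """Re-hash the copy and compare with the acquisition hash; the result is logged either way."""
    actual = hashlib.sha256(image).hexdigest()
    ok = actual == expected_sha256
    log_entry(log, "verify", examiner, expected=expected_sha256, actual=actual,
              result="match" if ok else "MISMATCH")
    return ok


# Constructed device contents; deliberately not a multiple of BLOCK_SIZE so the
# final partial block is exercised.
SAMPLE_DEVICE = (b"FAT-like header (constructed) " + b"\x00" * 900
                 + b"budget.xls deleted 2011-12-30" + b"\x00" * 1000)


def acquire_sample():
    """Full acquisition of the sample device: image, verify, and return the custody log."""
    log = []
    dev = WriteBlockedDevice(SAMPLE_DEVICE, "suspect-hdd-1 (constructed)")
    image, digest = image_device(dev, log, "examiner-1")
    ok = verify_image(image, digest, log, "examiner-1")
    return image, digest, ok, log


if __name__ == "__main__":
    _image, digest, ok, log = acquire_sample()
    print("sha256:", digest, "verified:", ok)
    for e in log:
        print(e)
```

All later analysis runs against the verified image, and the log is the record an examiner can point to when asked to show that step 1 (securing the system) was actually carried out. Re-running verify_image at the end of the examination shows the copy was not changed while it was being analysed.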

Advantages
Ability to search through a massive amount of data
o Quickly
o Thoroughly
o In any language

Conclusion
The purpose of computer forensics techniques is to search, preserve and analyze information on computer systems to find potential evidence for a trial. Many of the techniques detectives use in crime scene investigations have digital counterparts, but there are also some unique aspects to computer investigations. Each year, there is an increase in the number of digital crimes worldwide. As technology evolves, software changes, and users become digitally savvy, the crimes they commit are becoming more sophisticated. Law enforcement is in a perpetual race with these criminals to ensure that the playing field remains level. Part of this race includes developing tools that have the ability to systematically search digital devices for pertinent evidence. Another part of this race, and perhaps more crucial, is the development of a methodology in digital forensics that encompasses the forensic analysis of all genres of digital crime scene investigations. Thus, by computer forensics we can trace the criminals and punish them according to the law, and it provides security to computers and their data.
