

Computer Forensics:
Data Collection, Analysis and Preservation

Kikunda Eric Kajangu, Cher Vue, and John Mottola

Computer Forensics defined:

  The use of analytical and investigative techniques to identify,
  collect, examine and preserve evidence/information which is
  magnetically stored or encoded.

Industry companies interested in computer forensics

   Guidance Software (
    ◦ They are the creators of the popular GUI-based forensic tool
   Digital Intelligence, Inc. (
    ◦ Digital Intelligence designs and builds computer forensic software
      and hardware. They also offer free forensic utility software for
      law enforcement.
   IVIZE Data Center (
    ◦ They provide several litigation support services including
      Electronic Data Discovery

Three main concepts

   Data collection
   Data analysis
   Data preservation

Data Collection

   Research challenges
    ◦ Gathering data
      - Ensuring the data is relevant and complete
      - Obtaining volatile data
      - Obtaining deleted and changed files
    ◦ Lack of trained professionals
      - Computer forensics is a relatively new field
      - Threat of system administrators corrupting data
      - No standards

Data Collection

   Evolution of data collection
    ◦ Mid 1980s
      - X-Tree Gold and Norton Disk Edit
      - Limited to recovering lost or deleted files
    ◦ 1990s
      - Specialized tools began to appear
      - Tools to perform network investigations
    ◦ 1999
      - Boot to floppy and write to alternative media
      - Very slow transfer rate (1 GB/hr)
    ◦ Current
      - Many tools to choose from
      - GUI and command-line tools are available
      - Fast and efficient

Data Analysis

   The main problem in electronic data analysis is not only the size of
    the data, which can easily reach a very large volume to manage, but
    also the number of different applications associated with those files.
   Electronic Data Discovery:
    ◦ e-mail, Microsoft Office files, accounting databases, …
    ◦ other electronically stored information which could be relevant
      evidence in a lawsuit.
   Tools to analyze electronic data in computer forensics:
    ◦ Needle Finder: uses a special .NET Framework application in
      conjunction with a SQL database to process hundreds of file types
      and e-mails simultaneously and pinpoint pertinent, requested
      information for analysis.
    ◦ E-Discovery
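The "many file types" problem above is usually attacked by looking at file content rather than file names: an examiner hashes every collected file, identifies its type from its leading bytes, flags files whose extension disagrees with their content, and records keyword hits regardless of type. The following Python script is an added example written for this page; it is not code from the slides, from Needle Finder or from any E-Discovery product. The signature table, the `identify`/`triage`/`demo` names and the sample evidence set it builds in a temporary directory are this example's own constructions.

```python
# Added example: content-based triage of a collected file set.
# Not code from the slides or from Needle Finder; the signature table
# and function names are this example's own.
import hashlib
import os
import re
import tempfile

# Well-known leading byte signatures; the table is deliberately short.
SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"PK\x03\x04", "zip"),                          # also .docx/.xlsx/.pptx containers
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy .doc/.xls/.ppt
]

# What the extension claims the file is; used to flag disguised files.
EXTENSION_CLAIMS = {
    ".pdf": "pdf", ".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg",
    ".zip": "zip", ".docx": "zip", ".xlsx": "zip", ".pptx": "zip",
    ".doc": "ole2", ".xls": "ole2", ".ppt": "ole2",
}


def identify(header):
    """Return the type name for a file's first bytes, or 'unknown'."""
    for magic, name in SIGNATURES:
        if header.startswith(magic):
            return name
    return "unknown"


def triage(root, keywords):
    """Walk root, hash and type every file, and record keyword hits.

    Files are read whole for simplicity; a real tool would stream them.
    """
    pattern = re.compile("|".join(re.escape(k) for k in keywords), re.IGNORECASE)
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read()
            kind = identify(data[:16])
            claimed = EXTENSION_CLAIMS.get(os.path.splitext(name)[1].lower())
            # latin-1 maps every byte to a character, so binary files never fail to decode
            text = data.decode("latin-1")
            hits = sorted({m.group(0).lower() for m in pattern.finditer(text)})
            findings.append({
                "path": os.path.relpath(path, root),
                "sha256": hashlib.sha256(data).hexdigest(),
                "type": kind,
                "claimed_type": claimed,
                "extension_mismatch": claimed is not None and claimed != kind,
                "keyword_hits": hits,
            })
    return sorted(findings, key=lambda r: r["path"])


def demo():
    """Build a constructed evidence set in a temp dir and triage it."""
    root = tempfile.mkdtemp()
    samples = {  # constructed sample files, not real evidence
        "contract.pdf": b"%PDF-1.4\n1 0 obj << /Title (Invoice 4471) >>\nendobj\n",
        "photo.jpg": b"%PDF-1.4\n%a document renamed to look like a picture\n",
        "memo.txt": b"Please confirm the wire transfer before Friday.\n",
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(content)
    return {r["path"]: r for r in triage(root, ["invoice", "wire transfer"])}


if __name__ == "__main__":
    for path, finding in demo().items():
        print(path, finding["type"], finding["extension_mismatch"], finding["keyword_hits"])
```

The `extension_mismatch` flag is the part worth keeping in a real workflow: a PDF carrying a `.jpg` name is exactly the kind of item a name-based review misses, and the SHA-256 recorded alongside it lets the finding be tied back to the preserved image later.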

Data Preservation

   Data should never be analyzed using the same machine it is collected from.
   Forensically sound copies of all data storage devices, primarily hard
    drives, must be made.
   There are two goals when making an image:
    ◦ Completeness
    ◦ Accuracy
   This is done by using a standalone hard-drive duplicator or software
    imaging tools such as DCFLdd or
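Completeness and accuracy are both checkable properties, which is what distinguishes a forensic image from an ordinary copy: completeness means every byte of the source was copied, accuracy means the bytes on the image are the same bytes. The script below is an added example written for this page, not code from the slides or from the dcfldd project. It copies a source block by block, hashes the source stream while reading it, then independently re-reads the written image and hashes that, and writes both hashes and sizes to a log that can be re-checked before analysis. The `image_device`, `verify_image` and `demo` names and the constructed sample "device" file are this example's own assumptions; note the caveat in the code that `os.path.getsize` reports 0 for a real block device, so the expected size must then come from the device's reported capacity.

```python
# Added example: a minimal forensic imager with completeness and accuracy
# checks. Not code from the slides or from dcfldd; names are this example's own.
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB read size, in the spirit of dd's bs= option


def _sha256_of_file(path):
    """Hash a file from disk in chunks so large images do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_device(source_path, image_path, log_path=None, expected_size=None):
    """Copy every byte of source_path into image_path and verify the copy.

    Completeness: the number of bytes copied equals the source size.
    Accuracy: the hash of the image re-read from disk equals the hash of the
    source stream as it was read.
    For a real block device os.path.getsize() reports 0, so pass expected_size
    from the device's own reported capacity in that case.
    """
    source_hash = hashlib.sha256()
    bytes_copied = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            source_hash.update(block)
            dst.write(block)
            bytes_copied += len(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image really reached the media

    if expected_size is None:
        expected_size = os.path.getsize(source_path)

    record = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "source": source_path,
        "image": image_path,
        "expected_size": expected_size,
        "bytes_copied": bytes_copied,
        "source_sha256": source_hash.hexdigest(),
        "image_sha256": _sha256_of_file(image_path),  # independent re-read of the image
    }
    record["complete"] = bytes_copied == expected_size
    record["accurate"] = record["source_sha256"] == record["image_sha256"]
    if log_path:  # the log is what the examiner later keeps with the chain of custody
        with open(log_path, "w") as log:
            json.dump(record, log, indent=2)
    return record


def verify_image(image_path, expected_sha256):
    """Re-verify an image later (e.g. before analysis) against the logged hash."""
    return _sha256_of_file(image_path) == expected_sha256


def demo(tamper=False):
    """Image a constructed sample 'device' file; optionally corrupt the image afterwards."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "evidence_disk.bin")
    payload = b"BOOT" + bytes(range(256)) * 12289 + b"END"  # constructed, about 3 MiB
    with open(source, "wb") as f:
        f.write(payload)
    image = os.path.join(workdir, "evidence.dd")
    record = image_device(source, image, os.path.join(workdir, "evidence.log"))
    if tamper:
        with open(image, "r+b") as f:  # change one byte: re-verification must now fail
            f.seek(1000)
            f.write(b"\x00")
    return record, verify_image(image, record["image_sha256"])


if __name__ == "__main__":
    rec, still_valid = demo()
    print(json.dumps(rec, indent=2))
    print("re-verification passed:", still_valid)
```

Hashing the image by re-reading it from disk, rather than reusing the hash of the bytes that were written, is deliberate: it is the only way to catch a write that silently failed or a medium that returns different bytes than it was given, and it is the same check an examiner repeats before the image is ever mounted for analysis.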

Research Challenges: What are the essential problems in this field?

   Training
   Operational Standards
   International Standardization

Training

   Law enforcement personnel should be trained to handle it
   Network operators should also be trained, to improve their abilities
    in intrusion detection
   Lawyers should receive some training to give a basic understanding of
    computer

Operational Standards

   Basic guidelines for the evidence collection process to be established
    ◦ Planning
    ◦ Recording
    ◦ Performance
    ◦ Monitoring
    ◦ Recording
    ◦ Reporting

International Standardization

   Different countries each have their own methods, standards, and laws
   What is acceptable evidence in one country may not be in another
   Serious problem when dealing with international crimes, as computer
    crime often is

Conclusions and future work

   Even though it is a fascinating field, due to the nature of computers,
    far more information is available than there is time to analyze.
   The main emphasis of future work is on recovery of
   To improve ways to:
    ◦ Identify the evidence
    ◦ Determine how to preserve the evidence
    ◦ Extract, process, and interpret the evidence
    ◦ Ensure that the evidence is acceptable in a court of law