Introduction to Computer
Dr. David Dampier and the
Center for Computer Security Research
What is Forensics?
Forensics is the art and study of
argumentation and formal debate. It uses
the application of a broad spectrum of
sciences to answer questions of interest
to the legal system.
Forensic Science is the science and
technology that is used to investigate and
establish facts in criminal or civil courts.
Criminal Justice Fundamentals
How a case usually plays out:
Law Enforcement notified of crime
Evidence is gathered – may require search
Suspects are developed
Interviews or interrogations are conducted
Suspect is charged
Case w/evidence is turned over to
What is Computer Forensics?
Computer forensics is forensics applied to
information stored or transported on
It “involves the preservation, identification,
extraction, documentation, and interpretation
of computer media for evidentiary and/or root
Procedures are followed, but flexibility is
expected and encouraged, because the unusual
will be encountered.
What is Computer Crime?
Three situations where you might find evidence on a
Device used to conduct the crime
Theft of intellectual property
Device is the target of the crime
Device is used to support the crime
What is evidence in terms of
Can be anything!
As small as a few bytes
Could be, and hopefully will be, complete files
Could be Deleted
Could be Encrypted
Likely will be fragments of files
A few Words
A couple of sentences
Hopefully some paragraphs
Registry entries, or log entries!
Where do we find it?
How might the information be
Might be plain data with no hidden
The data could be encrypted
Data could be hidden
Could be hostile code
Encrypting data could guard the data in two
Use of Ciphers
Files might need to be decrypted
Decryption program generally stored fairly close to the file
to be decrypted.
Probably password protected.
Data could be obfuscated
Encryption is some method of modifying data so that it is meaningless and
unreadable in its encrypted form. It also must be reasonably secure, that is, it must
not be easily decrypted without the proper key. Anything less than that is
obfuscation. This is data that is rendered unusable by some means, but is not
considered a serious form of encryption.
Data could be compressed
Data could be hidden in plain sight –
innocent looking data has alternate
Data could be hidden within File system
Data Hiding (contd.)
Data could be hidden in a file
Steganography - the science of writing hidden messages in such a way
that no one apart from the sender and intended recipient even realizes there is
a hidden message
Hidden data might not be in file
Slack, swap, free space
Presume that any unknown code is hostile.
Guilty until proven innocent.
Any code used by an unauthorized person to gain
advantage or power over someone else should be
– Remote access
– Data gathering
– Sabotage
– Social status
– Eluding detection
– Resource theft
– Circumvention of access control
How do we go about the business
of Computer Forensics?
Three A’s of Computer Forensics
Acquire the evidence without altering or
damaging the original.
Authenticate that your recovered
evidence is the same as the originally
Analyze the data without modifying it.
Acquire the evidence
How do we seize the computer?
How do we handle computer evidence?
What is chain of custody?
Documenting the Investigation
Authenticate the Evidence
Prove that the evidence is indeed what
the criminal left behind.
Contrary to what the defense attorney might
want the jury to believe, readable text or
pictures don’t magically appear at random.
Calculate a hash value for the data
Always work from an image of the
evidence and never from the original.
Prevent damage to the evidence
Make two backups of the evidence in most
Analyze everything, you may need clues
from something seemingly unrelated.
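The Acquire and Authenticate steps above, worked through as an added example (this is not code from the slides or from the Center; the file names, the SHA-256 choice and the chain-of-custody log layout are assumptions): the original is copied bit for bit while being hashed, the image is made read-only, and authentication re-hashes both and demands all three digests agree. The demo also shows what happens when the original is touched after acquisition, which is the reason analysis is done on the copy.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 64 * 1024  # copy and hash in blocks, the way a dd-style imager does

def sha256_of(path):
    """Hash a file block by block so a multi-gigabyte image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire(source, image_path, log):
    """Bit-for-bit copy of source into image_path, hashing as we go; the original is
    opened read-only and the digest is the acquisition hash for the custody log."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    os.chmod(image_path, 0o444)  # the working copy is analysed read-only
    digest = h.hexdigest()
    log.append((datetime.now(timezone.utc).isoformat(), "acquire", image_path, digest))
    return digest

def authenticate(source, image_path, acquisition_hash, log):
    """Re-hash original and image; all three digests must agree."""
    src_now, img_now = sha256_of(source), sha256_of(image_path)
    ok = src_now == img_now == acquisition_hash
    log.append((datetime.now(timezone.utc).isoformat(), "authenticate", image_path, img_now, ok))
    return ok

def demo():
    """Constructed evidence: a small file standing in for a seized drive (assumed names)."""
    workdir = tempfile.mkdtemp()
    evidence, image = (os.path.join(workdir, n) for n in ("seized.bin", "seized.dd"))
    with open(evidence, "wb") as f:
        f.write(b"ledger.xls\x00" + os.urandom(4096) + b"deleted-but-recoverable")
    log = []
    acq_hash = acquire(evidence, image, log)
    ok_before = authenticate(evidence, image, acq_hash, log)
    # One stray byte written to the original and the image no longer authenticates; that is why analysis happens on the copy.
    with open(evidence, "ab") as f:
        f.write(b"x")
    ok_after = authenticate(evidence, image, acq_hash, log)
    return ok_before, ok_after, log
```

Every log entry carries the digest it was computed against, so the custody record itself shows when the evidence stopped matching.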
Password crackers
Hard Drive Tools
Fdisk on Linux
QVP
Diskview
Thumbsplus
Unerase tools
The Coroner’s Toolkit
CD-R Utilities
Text search tools
Drive Imaging
Linux dd
Disk Wiping
Forensic Toolkits
Forensic Computers
Digital Crime Scene
No one right way to do it!
[Figure: System Preservation Phase – Evidence Searching Phase – Event Reconstruction Phase]
Carrier, B., Page. 5, Figure 1.1