[1st International Conference on Management of Technology and Information Security (ICMIS-2010)]
An Examination into Computer Forensic Tools
Lokendra Kumar Tiwari
Department of Electronics & Comm. AllD. Univ.
Arun Kumar Singh
Department of CSED, MNNIT Allahabad
• Computer Forensics
• Forensic Expert.
• Goals of Comp. Forensics
• Forensics Procedure
• Key Principle of Forensics
• Forensic Tools.
• Demonstration of Tools
Forensics is not by itself a science ("forensic: of, used in, courts of law", Concise Oxford Dictionary). Forensic means to apply a discipline, any discipline, to the law. It is the job of forensics to inform the court.
So you can be a computer scientist, and if you apply computer science to inform the court, you are a forensic computer scientist.
• A key skill in forensic computer science is the challenge that lies in "informing the court".
• This requires specialized expertise and training in a range of computing and non-computing skills: legal knowledge, evidence management, data storage and retrieval, and not least,
The forensic expert is a person who has knowledge of the provisions of the Indian Evidence Act, the Code of Criminal Procedure, the Indian Penal Code, the Constitution of India and the constitutions of other countries, and also other related statutes.
A forensic expert has to assist the court; hence he must also have knowledge of the technology in question (say, computer science).
The primary goals of the computer forensic analysis process are:
• To help participants determine what undesirable events occurred, if any.
• To gather, process, store, and preserve evidence to support the prosecution of the culprit(s), if desired.
• To use that knowledge to prevent future occurrences (detection and prevention).
Collection & Preservation (chain of custody)
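As an added example (not part of the original presentation, and not code from any of the tools it describes), the script below shows the preservation step of the procedure above in working form: an acquired evidence image is hashed in chunks, each chain-of-custody event re-hashes the evidence as it changes hands, and a later verification reports whether any logged event or the file on disk has diverged from the acquisition hashes. The case id, custodian names and the evidence file are constructed stand-ins, not values from the page.

```python
"""Evidence preservation: image hashing and a chain-of-custody log (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Forensic tools usually report more than one digest of an image; a match on
# all of them is stronger evidence that the copy is unchanged than any single one.
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so a multi-gigabyte image need not fit in RAM."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


class CustodyLog:
    """Append-only record of who handled an evidence file and when.

    Every event re-hashes the evidence, so the log itself documents that the
    item was unchanged at each hand-over, which is what a court will ask about.
    """

    def __init__(self, evidence_path, case_id):
        self.evidence_path = evidence_path
        self.case_id = case_id
        self.events = []

    def record(self, custodian, action, note=""):
        """Append one custody event carrying fresh hashes of the evidence."""
        event = {
            "case_id": self.case_id,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "custodian": custodian,
            "action": action,
            "note": note,
            "hashes": hash_file(self.evidence_path),
        }
        self.events.append(event)
        return event

    def verify(self):
        """Return (ok, index).

        ok is True when every logged event carries the acquisition hashes and
        the file on disk still matches them. Otherwise index is the first event
        whose hashes differ, or len(self.events) if only the current file differs.
        """
        if not self.events:
            return False, None
        baseline = self.events[0]["hashes"]
        for i, event in enumerate(self.events):
            if event["hashes"] != baseline:
                return False, i
        if hash_file(self.evidence_path) != baseline:
            return False, len(self.events)
        return True, None

    def to_json(self):
        """Serialise the log; in practice it is stored separately from the evidence."""
        return json.dumps(self.events, indent=2)


def demo():
    """Constructed walk-through: acquire, hand over, then detect a modification."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for an acquired disk image (placeholder name and contents).
        image = os.path.join(tmp, "disk.dd")
        with open(image, "wb") as fh:
            fh.write(b"constructed sample evidence image " * 1024)

        log = CustodyLog(image, case_id="CASE-PLACEHOLDER-001")  # placeholder case id
        log.record("examiner A", "acquired", "bit-stream copy of the suspect drive")
        log.record("examiner B", "received", "transferred for e-mail recovery")
        before = log.verify()  # (True, None): both events and the file agree

        # Simulate a change to the image after the last hand-over.
        with open(image, "ab") as fh:
            fh.write(b"\x00")
        after = log.verify()  # (False, 2): logged events agree, the file on disk does not
        return before, after


if __name__ == "__main__":
    print(demo())
```

The verification distinguishes two failure modes that matter differently in court: an event whose hashes differ from the acquisition hashes points at the hand-over during which the evidence changed, while a mismatch only against the current file shows the change happened after the last logged custody event.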
Computer forensic analysis within the forensic
Alphonse Bertillon [freezing the scene]: in 1879 he introduced a methodical way of documenting the scene by photographing, for example, bodies, items, footprints and bloodstains in situ with relative measurements of location, position, and size. Bertillon is thus the first known forensic
Bertillonage: a system of identifying individuals by over 200 separate body measurements, was in use till 1910 and was only rendered obsolete by the discovery that fingerprints
Key Principle of Forensics
• Edmond Locard articulated one of forensic science's key rules, known as Locard's exchange principle.
• "The principle states that when two items or persons come into contact, there will be an exchange of physical traces. Something is brought, and something is taken away, so that suspects can be tied to a crime scene by detecting these traces."
• National security
• Customs & Excise
• Law enforcement agents
• Businesses (embezzlement, industrial espionage, stealing confidential information, and racial or sexual
• Corporate crime [according to a report, the accountants and auditors for Enron not only used e-mail to communicate but also subsequently deleted these e-mails]
Problems in the Indian Context
• No standard for computer forensics is yet
• No guidelines for companies dealing with electronic data during disputes.
• No recognition of any of the forensic tools.
• Issues related to anti-forensics are not talked about.
Overall Scenario
To date, computer forensics has been primarily driven by vendors and applied technologies, with very little consideration being given to establishing a sound theoretical foundation. The national and international judiciary has already begun to question the "scientific" validity of many of the ad hoc procedures and methodologies and is demanding proof of some sort of theoretical foundation and scientific rigor.
Commercial software tools are also a problem because software developers need to protect their code to prevent competitors from stealing their
However, since most of the code is not made public, it is very difficult for the developers to verify the error rates of the software, and so reliability of performance is still questionable.
The specialized tools used by a computer forensic expert are viewed as intolerably expensive by many corporations, and as a result many corporations simply choose not to invest any meaningful money in computer forensics. This trend amplifies cyber crime rates.
Open source software has also not been tested or verified for its effectiveness in serving the above purposes (open for research).
The growing demand for security and certainty in cyber space leads to more stringent laws. The violation and maintenance of these laws (cyber laws) must be distinguished from classical criminal activities and criminal law enforcement. The dynamics between these different forms of law violation and law enforcement are important and shall be addressed.
• Proposed amendment in IT Act 2000:
"70A. (1) The Indian Computer Emergency Response Team (CERT-In) shall serve as the national nodal agency in respect of Critical Information Infrastructure for coordinating all actions relating to information security practices, procedures, guidelines, incident prevention, response and report.
(2) For the purposes of sub-section (1), the Director of the Indian Computer Emergency Response Team may call for information pertaining to cyber security from the service providers, intermediaries or any other person."
• National E-Governance Plan 2007.
Computer forensics is the need of the hour.
Computer Forensic Tools
Forensic Tool Kit:
FTK is developed by Corporation (USA); it enables law enforcement and corporate security professionals to perform complete and in-depth
Main Window of FTK
EnCase Forensic, developed by Guidance Software (USA), is the industry standard in computer forensic investigation technology. With an intuitive Graphical User Interface (GUI), superior analytics, enhanced email/Internet support and a powerful scripting engine, EnCase provides investigators with a single robust tool, capable of conducting large-scale and very complex investigations from beginning to end.
Main Window of EnCase
Cyber Check Suite:
The IT Act 2000 is India's first attempt to combat cyber crime. To assist in the enforcement of the IT Act, the Department of Information Technology, Ministry of Communications and Information Technology, has set up a Technical Resource Centre for Cyber Forensics at C-DAC.
Cyber Check is a forensic analysis tool developed by C-DAC.
Probe Window of Cyber Check Suite
Comparison between EnCase Version 6.0, FTK, and Cyber Check Suite
• EnCase Forensic is a very useful forensic solution, but it lacks the following important feature:
• In EnCase Forensic there is no password cracking/recovery facility, so if during the investigation process the examiner detects any password-protected files, he has to rely on third-party tools.
Recovery of Deleted E-mail