Computer Forensics Mitchell Potter Brent Thompson
What is Computer Forensics? • It is the collection, preservation, analysis, and court presentation of computer-related evidence. • Involves the identification, preservation, extraction, documentation, and interpretation of this digital evidence.
Computer Forensics vs. Physical Forensics • Physical forensics focuses on identification and individualization • Identification compares an item from a crime scene against known classes to determine what kind of item it is; individualization goes further and links it to one unique source • Computer forensics focuses on finding the evidence and analyzing it
Why is Computer Forensics Needed? • Computer evidence is fragile and can be easily erased or compromised unless special handling is used. • Forensic tools use non-invasive techniques to recover deleted, hidden, and temporary files that could be critical to an investigation and are invisible to normal users.
Who Needs the Digital Evidence? • Law Enforcement • Military • Security Agencies (Secret Service, CIA, FBI, NSA) • Company execs
What is Possible with Computer Forensics? • Recovery of deleted data • Discovery of when files were created, modified, deleted, and moved or renamed • What applications were installed • Which websites have been visited
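The first bullet above, recovering deleted data, rests on the fact that deleting a file usually removes only the file-system record while the bytes stay on disk until the sectors are reused. The following is an added example, not code from the original slides: a signature-based file carver that finds files in a raw image purely by header and footer bytes, with no file-system metadata, the way EnCase, scalpel or foremost do. It also shows the failure mode a practitioner hits constantly: a header whose footer was already overwritten, reported as incomplete rather than silently dropped. The disk image, signatures beyond JPEG, file contents and sector size are constructed for the demonstration.

```python
"""Signature-based file carving over a raw disk image.

Added example (not from the original slides). The image below is constructed
in memory: a few files sit in "unallocated" sectors with nothing pointing at
them, exactly the situation after a deletion. The carver knows nothing about
the file system and recovers files purely by header/footer byte signatures.
"""
from __future__ import annotations

import hashlib

SECTOR = 512  # assumed sector size for the constructed image

# Header/footer signatures for footer-terminated formats. Real carvers carry
# hundreds of these; three are enough to show the technique.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(image: bytes, max_size: int = 10 * 1024 * 1024) -> list:
    """Return every carved object, sorted by offset.

    Each result records type, offset, length, SHA-256 of the carved bytes and
    whether a footer was found. A header with no footer within max_size is
    reported as incomplete instead of being discarded: a partially overwritten
    file is still evidence that the file once existed.
    """
    results = []
    for name, (header, footer) in SIGNATURES.items():
        start = image.find(header)
        while start != -1:
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:
                results.append({"type": name, "offset": start, "length": None,
                                "complete": False, "sha256": None})
                resume = start + len(header)
            else:
                end += len(footer)
                data = image[start:end]
                results.append({"type": name, "offset": start, "length": len(data),
                                "complete": True,
                                "sha256": hashlib.sha256(data).hexdigest()})
                resume = end
            start = image.find(header, resume)
    results.sort(key=lambda r: r["offset"])
    return results


def build_sample_image() -> bytes:
    """Constructed test image: three deleted files, one with its tail overwritten."""
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 300 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 200 + b"IEND\xaeB`\x82"
    pdf_truncated = b"%PDF-1.4\n" + b"D" * 100  # no %%EOF: its tail sectors were reused

    def pad(blob: bytes) -> bytes:
        # Sector-align each file the way a real file system would.
        return blob + b"\x00" * (-len(blob) % SECTOR)

    return b"\x00" * SECTOR + pad(jpeg) + pad(png) + pad(pdf_truncated) + b"\x00" * SECTOR


if __name__ == "__main__":
    for r in carve(build_sample_image()):
        state = "complete" if r["complete"] else "INCOMPLETE (footer not found)"
        print(f"{r['type']:5} @ {r['offset']:6d} len={r['length']} {state} {r['sha256']}")
```

Carved output is a lead, not a conclusion: embedded thumbnails carry their own JPEG header, fragmented files break header-to-footer carving, and any byte run can match a short signature by chance, so each carved object should be parsed with the real format's decoder and hashed before it is cited in a report.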
What is Not Possible • If the digital media is completely (physically) destroyed, recovery is impossible • If digital media is securely overwritten, recovery is very complicated or impossible
Examples of When Computer Forensics is Needed • Insurance fraud • Illegal software use • Hacking • Email misuse • Money laundering • Destruction/altering of data • Intellectual property theft
Examples of Digital Evidence • Documents • Spreadsheets • Emails/Attachments • Programs • Databases • Internet Activity • Temporary Files • Deleted Files • Other media such as CDs, removable drives, disks, etc.
Sources of Digital Evidence • Cell Phones • Landline phones and answering machines • Video game systems, especially Xbox • GPS devices • Digital cameras • Computers
Computer Forensics Steps • Send a preservation-of-evidence letter to all parties • Define what you are searching for • Collect all media for analysis • Interview witnesses about computer usage (if corporate or shared computer) • Make copies of residual data • Write-protect and virus-check all media • Preserve the Chain of Custody • Examine the evidence • Authenticate the Evidence
Computer Forensics Methods • Safe seizure of computer systems and collection of data • Copy the data before analysis • Review the data, recover deleted files • Keep detailed reports of all findings
Computer Forensics Elements • Checklists to support each methodology • The possibility of repeating tests • Anticipation of criticism of each methodology • Well-defined procedures to address all tasks done during the analysis of the digital evidence
Computer Statistics • 95% of the world’s information is being generated and stored in digital form • Only about a third of that information is ever printed out • Emails can exist on the sender’s computer, on the servers in between, and in backups • A 1 TB hard drive printed out on paper would require 50,000 trees
Computer Forensics Challenges • Being able to demonstrate the authenticity of the evidence • The integrity and security of data are at issue in court • Acceptance of computer technology by judges, juries, etc. • Establishing the chain of custody
Why Computer Crime is Hard to Prosecute. • Lack of understanding of technology • Lack of physical evidence • Complexity of cases
Examples of Computer Forensic Tools • EnCase is used to make forensic copies of data and recover deleted data • Helix is used for imaging hard drives and analysis • Password crackers and recovery tools • Checksum generators • PDA and cell phone decryptors • Mail, cookie, and digital image recovery and analysis
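The Steps and Methods slides (copy the data before analysis, write-protect the media, preserve the chain of custody, authenticate the evidence), the Challenges slide (demonstrating authenticity and chain of custody) and the "checksum generators" item above all describe one workflow, so a single added example serves them all. It is not code from the original deck: the "drive" is a constructed byte string standing in for a write-blocked device, the acquisition mirrors what dd/dc3dd or EnCase do (bit-for-bit copy, hash computed in the same read pass), and the chain-of-custody log is a minimal JSON-lines record. Evidence label, custodian names and times are hypothetical.

```python
"""Acquire, hash, verify, and log: the evidence-handling steps from the slides.

Added example, not from the original deck. Everything below runs offline on a
constructed "device"; names, labels and timestamps are hypothetical.
"""
from __future__ import annotations

import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(device: bytes, block_size: int = 512) -> tuple:
    """Bit-for-bit copy of the source, hashed in the same pass.

    Hashing while copying means the recorded hash describes exactly the bytes
    that were read, not a second read that could differ if the source were
    not write-protected.
    """
    h = hashlib.sha256()
    image = bytearray()
    for off in range(0, len(device), block_size):
        block = device[off:off + block_size]
        h.update(block)
        image += block
    return bytes(image), h.hexdigest()


class CustodyLog:
    """Append-only chain-of-custody record; each entry carries the hash it vouches for."""

    def __init__(self) -> None:
        self.entries = []

    def record(self, when: str, who: str, action: str, item: str, sha256: str) -> dict:
        entry = {"time": when, "custodian": who, "action": action,
                 "item": item, "sha256": sha256}
        self.entries.append(entry)
        return entry

    def acquisition_hash(self, item: str) -> str:
        """Hash recorded at acquisition; every later hash of a copy must equal it."""
        for e in self.entries:
            if e["item"] == item and e["action"] == "acquired":
                return e["sha256"]
        raise KeyError(f"no acquisition record for {item}")

    def to_jsonl(self) -> str:
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def verify(image: bytes, log: CustodyLog, item: str) -> bool:
    """Authenticate a working copy against the hash recorded at acquisition."""
    return sha256_hex(image) == log.acquisition_hash(item)


def build_sample_device() -> bytes:
    """Constructed 4 KiB 'drive' with a recognisable string in one sector."""
    data = bytearray(b"\x00" * 4096)
    marker = b"user@example.test mailbox "  # constructed content
    data[1024:1024 + len(marker)] = marker
    return bytes(data)


def run_demo() -> dict:
    """Walk the slide's steps and return what each check concluded."""
    device = build_sample_device()
    log = CustodyLog()
    # Hash taken through the write blocker at seizure (hypothetical label/names).
    log.record("2011-03-01T09:00Z", "examiner-1", "seized", "HDD-001", sha256_hex(device))

    image, acquired = acquire(device)
    log.record("2011-03-01T10:15Z", "examiner-1", "acquired", "HDD-001", acquired)

    # Re-hash the original after imaging: behind a write blocker it must not change.
    source_unchanged = sha256_hex(device) == acquired

    # Hand-off: the receiving examiner verifies the copy before analysing it.
    log.record("2011-03-02T08:30Z", "examiner-2", "received", "HDD-001", sha256_hex(image))
    copy_ok = verify(image, log, "HDD-001")

    # A single flipped bit in a working copy is caught the same way.
    tampered = bytearray(image)
    tampered[1030] ^= 0x01
    tamper_detected = not verify(bytes(tampered), log, "HDD-001")

    return {"source_unchanged": source_unchanged, "copy_ok": copy_ok,
            "tamper_detected": tamper_detected, "entries": len(log.entries),
            "log": log.to_jsonl()}


if __name__ == "__main__":
    result = run_demo()
    print(result["log"])
    print({k: v for k, v in result.items() if k != "log"})
```

Two practical caveats: MD5 is still common in older procedures but has known collisions, so record SHA-256 (adding MD5 only where the lab's procedure requires it), and the log itself is only as trustworthy as its storage, so in practice it is signed or kept on write-once media rather than as a loose file beside the image.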
Questions?