CIT 429 LECTURE SERIES. Topic: Computer Forensics. By Dr. A.O. Akinwunmi, Computer Science programme, College of Computing and Communication Studies

CIT 429 LECTURE SERIES · aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information. •The discipline of computer forensics

Jun 21, 2020

Page 1

CIT 429 LECTURE SERIES

Topic: Computer Forensics
By Dr. A.O. Akinwunmi, Computer Science programme

College of Computing and Communication Studies

Page 2

Computer Crime

• One of the biggest threats facing businesses and corporations today is computer crime (cybercrime): cyber-attacks and the threats behind them.

• If an attack is large enough in scale and magnitude it may even be considered an act of cyber terrorism, with a significant impact both in cost and in human terms.

• Whenever something like this occurs, two of the most common questions asked are:

• How did it happen?

• How can this be prevented from happening again in the future?

Page 3

What is Computer Crime?

• Computer crime is any criminal offense, activity or issue that involves computers.

• Computer misuse tends to fall into two categories:

• The computer is used to commit a crime.

• The computer itself is the target of the crime; the computer is the victim. This is a computer security incident.

Page 4

Computer is Used to Commit a Crime

• Computers are used in illegal activities: child pornography, threatening letters, e-mail spam or harassment, extortion, fraud and theft of intellectual property, embezzlement. All of these crimes leave digital tracks.

• Investigation of these types of crime includes searching computers suspected of being involved in the illegal activity.

• This means analysing gigabytes of data for specific keywords and examining log files to see what happened at particular times.

Page 5

Computer Security Incident

• Unauthorized or unlawful intrusions into computing systems

• Scanning a system: the systematic probing of ports to see which ones are open.

• Denial-of-Service (DoS) attack: any attack designed to disrupt the ability of authorized users to access data.

• Malicious code: any program or procedure that makes unauthorized modifications or triggers unauthorized actions (virus, worm, Trojan horse).
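The log-file examination described on page 4 ("what happened at certain times") and the port scan defined above, as an added worked example that is not part of the lecture: the log lines, hosts and addresses below are constructed for the example, and the line format (ISO timestamp, action, source, destination, port) is an assumption, not any particular firewall's format. The detector flags a source that touches many distinct ports on one host inside a short window, and the timeline helper answers the "at certain times" question.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall-style log (format assumed for this example only).
# 203.0.113.7 probes ten ports on one host within five seconds; the other
# source is ordinary traffic; one line is deliberately corrupt.
SAMPLE_LOG = """\
2020-06-21T10:00:01 DROP 203.0.113.7 192.0.2.10 21
2020-06-21T10:00:01 DROP 203.0.113.7 192.0.2.10 22
2020-06-21T10:00:02 ACCEPT 198.51.100.4 192.0.2.10 443
2020-06-21T10:00:02 DROP 203.0.113.7 192.0.2.10 23
2020-06-21T10:00:02 DROP 203.0.113.7 192.0.2.10 25
2020-06-21T10:00:03 DROP 203.0.113.7 192.0.2.10 80
2020-06-21T10:00:03 DROP 203.0.113.7 192.0.2.10 110
2020-06-21T10:00:04 DROP 203.0.113.7 192.0.2.10 143
2020-06-21T10:00:04 DROP 203.0.113.7 192.0.2.10 443
2020-06-21T10:00:05 DROP 203.0.113.7 192.0.2.10 445
2020-06-21T10:00:05 DROP 203.0.113.7 192.0.2.10 3389
### corrupt record ###
2020-06-21T10:00:09 ACCEPT 198.51.100.4 192.0.2.10 443
2020-06-21T10:05:00 ACCEPT 198.51.100.4 192.0.2.10 22
"""


def parse_log(text):
    """Parse lines into time-sorted event dicts. Malformed lines are
    skipped but counted, so the report can state how much was unreadable."""
    events, bad = [], 0
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            bad += 1
            continue
        ts, action, src, dst, port = parts
        try:
            events.append({"time": datetime.fromisoformat(ts), "action": action,
                           "src": src, "dst": dst, "port": int(port)})
        except ValueError:
            bad += 1
    events.sort(key=lambda e: e["time"])   # stable sort keeps file order for ties
    return events, bad


def detect_port_scans(events, min_ports=8, window=timedelta(seconds=60)):
    """Flag each (src, dst) pair that hits at least `min_ports` distinct
    destination ports within `window`. Returns {(src, dst): all ports seen}."""
    by_pair = defaultdict(list)
    for e in events:                        # events are already time-sorted
        by_pair[(e["src"], e["dst"])].append(e)
    scans = {}
    for pair, evs in by_pair.items():
        start = 0
        for end in range(len(evs)):         # sliding window over this pair's events
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            if len({x["port"] for x in evs[start:end + 1]}) >= min_ports:
                scans[pair] = sorted({x["port"] for x in evs})
                break
    return scans


def events_between(events, t0, t1):
    """Answer 'what happened at a certain time': events with t0 <= time <= t1."""
    return [e for e in events if t0 <= e["time"] <= t1]


if __name__ == "__main__":
    evs, bad = parse_log(SAMPLE_LOG)
    print(f"{len(evs)} events parsed, {bad} unreadable line(s)")
    for (src, dst), ports in detect_port_scans(evs).items():
        print(f"port scan: {src} -> {dst}, ports {ports}")
```

The thresholds (eight ports in sixty seconds) are a starting point, not a standard; on a real case they are tuned against the network's normal traffic, and the corrupt-line count goes into the report so that the examiner can say what fraction of the log was unreadable.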

Page 6

Computer Incident Response

• This is an organized approach to addressing and managing the aftermath of a security breach or cyberattack.

• The goal is to handle the situation in a way that limits damage and reduces recovery time and costs.

Page 7

Computer Forensics or Digital Forensics

• The terms computer forensics and digital forensics are often used interchangeably to refer to the investigation of any computer, computer-related device or digital device for legal purposes.

• Technically, the term computer forensics refers to the investigation of computers.

• Digital forensics includes not only computers but also any digital device, such as digital networks, cell phones, flash drives and digital cameras.

• Computer forensics is thus a branch of digital forensic science pertaining to evidence found in computers and digital storage media.

Page 8

Purpose of Computer Forensics

• The purpose of computer and digital forensics is to determine whether a device was used for illegal purposes, ranging from computer hacking to storing illegal pornography or records of other illegal activity.

• It entails examining digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information.

• The discipline of computer forensics emerged as computer use grew and computers were increasingly used for criminal activity; it developed as a method to recover and investigate digital evidence for use in court.

• Since then computer crime and computer-related crime have grown, jumping 67% between 2002 and 2003 alone.

Page 9

Purpose of Computer Forensics Cont'd

• Today it is used to investigate a wide variety of crimes, including child pornography, fraud, espionage, cyberstalking, murder and rape.

• The discipline also features in civil proceedings as a form of information gathering (for example, Electronic discovery).

• In court, computer forensic evidence is subject to the usual requirements for digital evidence.

• This requires that information be authentic, reliably obtained, and admissible.

• Different countries have specific guidelines and practices for evidence recovery.

Page 10

Definition of Computer Forensics and Its Importance

• It is the discipline that combines the elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law.

• Digital forensics is defined as the process of preservation, identification, extraction, and documentation of computer evidence that can be used in a court of law.

• It is a science of finding evidence from digital media like a computer, mobile phone, server, or network.

• It provides the forensic team with the best techniques and tools to solve complicated digital-related cases.

Page 11

Computer Forensics Data

• When a cyber-attack has occurred, collecting all relevant evidence is of utmost importance to answer the questions outlined above.

• The forensic examiner or investigator is particularly interested in one class of evidence, known as "latent data".

• In the cybersecurity world, this kind of data (also known as "ambient data") is not easily seen or accessible at first glance at the scene of a cyber-attack.

• In other words, it takes a much deeper level of investigation by the computer forensics expert to unearth it. This data has many uses, but the operating system and applications were built in such a way that access to it is extremely limited.

Page 12

Examples of latent data

• Information which is in computer storage but is not readily referenced in the file allocation tables;

• Information which cannot be viewed readily by the operating system or commonly used software applications;

• Data which has been purposely deleted and is now located in:

• Unallocated spaces in the hard drive;

• Swap files;

• Print spooler files;

• Memory dumps;

• The slack space between the existing files and the temporary cache.
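Two of the locations listed above, file slack and unallocated clusters, as an added worked example that is not part of the lecture. The disk image is constructed in memory: a toy file system with 512-byte clusters, one allocation-table entry the "operating system" consults, and everything else latent. The file names, contents and cluster layout are invented for the example; a real FAT, NTFS or ext4 volume needs a real file-system parser (for example The Sleuth Kit), but the idea, read the raw bytes the allocation table does not point at, is the same.

```python
import re

CLUSTER = 512
TOTAL_CLUSTERS = 8

# Constructed contents (invented for the example).
OLD_DRAFT = b"OLD DRAFT: transfer approved, delete this. "
REPORT = b"Quarterly report: nothing unusual to note.\n" * 16      # 688 bytes
DELETED_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF"


def build_image():
    """Return (raw image bytes, allocation table). The allocation table is the
    only thing the 'operating system' consults; everything else is latent."""
    img = bytearray(TOTAL_CLUSTERS * CLUSTER)
    # Step 1: clusters 1-2 once held a draft memo that filled both clusters.
    start, end = 1 * CLUSTER, 3 * CLUSTER
    filler = (OLD_DRAFT * ((end - start) // len(OLD_DRAFT) + 1))[:end - start]
    img[start:end] = filler
    # Step 2: report.txt (688 bytes) is written over the same clusters. The
    # 336 bytes after its end are file slack and still hold the old draft.
    img[start:start + len(REPORT)] = REPORT
    # Step 3: a PDF is written at cluster 3 and then "deleted": its clusters
    # are released but the bytes are not wiped.
    img[3 * CLUSTER:3 * CLUSTER + len(DELETED_PDF)] = DELETED_PDF
    alloc = {"report.txt": {"first_cluster": 1, "size": len(REPORT)}}
    return bytes(img), alloc


def clusters_of(entry):
    n = -(-entry["size"] // CLUSTER)          # ceiling division
    return range(entry["first_cluster"], entry["first_cluster"] + n)


def file_slack(img, alloc):
    """Bytes between the logical end of each file and the end of its last
    cluster: the OS never shows them, but they are still on disk."""
    out = {}
    for name, entry in alloc.items():
        first = entry["first_cluster"] * CLUSTER
        last_cluster_end = (clusters_of(entry)[-1] + 1) * CLUSTER
        out[name] = img[first + entry["size"]:last_cluster_end]
    return out


def unallocated_regions(alloc):
    """Byte ranges of clusters no file claims (cluster 0 is treated as the
    directory area and excluded). Returned as (start, end) pairs."""
    used = {0} | {c for e in alloc.values() for c in clusters_of(e)}
    regions, run_start = [], None
    for c in range(TOTAL_CLUSTERS + 1):       # one extra pass closes a final run
        free = c < TOTAL_CLUSTERS and c not in used
        if free and run_start is None:
            run_start = c * CLUSTER
        elif not free and run_start is not None:
            regions.append((run_start, c * CLUSTER))
            run_start = None
    return regions


def carve(img, header, footer):
    """Signature-based carving: find header..footer spans anywhere in the raw
    image, ignoring the allocation table entirely."""
    found, pos = [], 0
    while True:
        h = img.find(header, pos)
        if h < 0:
            break
        f = img.find(footer, h + len(header))
        if f < 0:
            break
        found.append(img[h:f + len(footer)])
        pos = f + len(footer)
    return found


def printable_strings(data, min_len=8):
    """Runs of printable ASCII, the classic first look at slack or a memory dump."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


if __name__ == "__main__":
    img, alloc = build_image()
    print("slack of report.txt:", printable_strings(file_slack(img, alloc)["report.txt"])[:1])
    print("unallocated byte ranges:", unallocated_regions(alloc))
    print("carved PDFs:", carve(img, b"%PDF-", b"%%EOF"))
```

The carver is deliberately naive (first footer after each header); fragmented files and nested signatures defeat it, which is why production carvers such as scalpel or PhotoRec add file-format validation. The point the slide makes still holds: nothing here consulted the allocation table, and the deleted PDF and the old draft came back anyway.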

Page 13

Importance of Computer Forensics

• The importance of computer forensics to a business or corporation is paramount. For instance, there is often a belief that simply fortifying the lines of defense with firewalls, routers, etc. will be enough to thwart any cyber-attack.

• Security professionals know that this is untrue, given the extremely sophisticated nature of today's attackers.

• The premise is also untrue from the standpoint of computer forensics. While these specialized pieces of hardware do provide some information about what generally transpired during a cyber-attack, they very often do not hold the deeper layer of data that provides the clues as to what exactly happened.

Page 14

Importance of Computer Forensics Cont'd

• This underscores the need for the organization also to implement security mechanisms (alongside the hardware above) that can provide these specific pieces of data; examples include security products that make use of artificial intelligence, machine learning, business analytics, etc.

• Deploying this kind of layered security model, in which the principles of computer forensics are also adopted, is referred to as "Defense in Depth".

• By having these specific pieces of data, there is a much greater probability that the evidence presented will be considered admissible in a court of law, thus bringing the perpetrators who launched the cyber-attack to justice.

Page 15

History of Digital forensics

• Francis Galton (1822 - 1911): conducted the first recorded study of fingerprints.

• Hans Gross (1847 - 1915): first use of scientific study to head criminal investigations.

• FBI (1932): set up a lab to offer forensic services to all field agents and other law authorities across the USA.

• 1978: the first computer crime was recognized in the Florida Computer Crimes Act.

• 1992: the term "computer forensics" was used in academic literature.

• 1995: the International Organization on Computer Evidence (IOCE) was formed.

• 2000: the first FBI Regional Computer Forensic Laboratory was established.

• 2002: the Scientific Working Group on Digital Evidence (SWGDE) published its "Best Practices for Computer Forensics".

• 2010: Simson Garfinkel identified the issues facing digital investigations.

Page 16

Objectives of computer forensics

• It helps to recover, analyze, and preserve computer and related materials in such a manner that the investigating agency can present them as evidence in a court of law.

• It helps to postulate the motive behind the crime and identity of the main culprit.

• Designing procedures at a suspected crime scene which helps you to ensure that the digital evidence obtained is not corrupted.

• Data acquisition and duplication: Recovering deleted files and deleted partitions from digital media to extract the evidence and validate them.

• Helps you to identify the evidence quickly, and also allows you to estimate the potential impact of the malicious activity on the victim

• Producing a computer forensic report that fully documents the investigation process.

• Preserving the evidence by following the chain of custody.

Page 17

Computer Forensics Process

• The computer forensics work process can be divided into five major parts: identification, collection, examination, analysis and reporting.

Page 18

Computer Forensics Process Cont’d

• Identification

• The first process of computer forensics is to identify the scenario, that is, to understand the case.

• At this stage, the investigator has to identify the purpose of the investigation, the type of incident, the parties involved in the incident, and the resources required to fulfil the needs of the case.

• Collection

• Collection (and with it the chain of custody) is one of the most important steps, because the entire case is based on the evidence collected from the crime scene.

• Collection is the data acquisition process from the relevant data sources while maintaining the integrity of the data.

• Timely execution of the collection process is crucial in order to maintain the confidentiality and integrity of the data. Important evidence may be lost if action is not taken in time.

Page 19

Computer Forensics Process Cont'd

• Examination

• The aim of the third process is to examine the collected data, following standard procedures, techniques, tools and methodology, to extract the meaningful information related to the case.

• Analysis

• Since all five processes are linked together, analysis is the procedure for analysing the data acquired during the examination process.

• At this stage, the investigator searches for possible evidence against the suspect, if any, using appropriate tools and techniques to analyse the data.

• Techniques and tools should be legally justifiable, because that is what allows the report to be created and presented before the court.

Page 20

Computer Forensics Process Cont'd

• Reporting

• This is the final but most important step.

• At this step, the investigator documents the process used to collect, examine and analyse the data.

• The investigation report also documents how the tools and procedures were selected.

• The objective of this step is to report and present the findings, supported by the evidence.

Page 21

Computer Forensics Team

• Law enforcement and security agencies are responsible for investigating computer crime; however, every organization should have the capability to handle its basic issues and investigations by itself.

• An organization can also hire experts from small or mid-size computer investigation firms.

• An organization can also create its own firm that provides computer forensic services. To do so, you need a forensics lab, permission from the government to establish a forensics business, the right tools with the right people, and rules and policies to run the business effectively and efficiently.

Page 22

Key people that a computer investigation firm should have:

• Investigators:

• A group of people (the number depends on the size of the firm) who handle and solve the case. It is their job to use forensic tools and techniques to find the evidence against the suspect. They may call in law enforcement agencies if required. Investigators are expected to act immediately after the occurrence of an event suspected of being criminal activity.

• Photographer:

• Recording the crime scene is as important as investigating it.

• The photographer's job is to take photographs of the crime scene (IT devices and other equipment).

Page 23

Key people that a computer investigation firm should have:

• Incident Handlers (first responders):

• Every organization, regardless of type, should have incident handlers in its IT department.

• Their responsibility is to monitor and act if any computer security incident happens, such as a breach of network policy, code injection, server hijacking, or installation of a RAT or other malicious code.

• They generally use a variety of computer forensics tools to accomplish their job.

• IT Engineers and technicians (other support staff):

• This is the group of people who run the daily operations of the firm: the IT engineers and technicians who maintain the forensics lab.

• This team should consist of a network administrator, IT support, IT security engineers and desktop support.

• The key role of this team is to ensure smooth organizational functioning, monitoring, troubleshooting, data recovery and maintenance of the required backups.

Page 24

Key people that a computer investigation firm should have:

• Attorney:

• Since computer forensics deals directly with investigations whose results may be submitted to a court, an attorney should be part of the team.

Page 25

First Responder

• The first responder, and the function the first responder performs, is crucial to computer forensics and investigation.

• The first responder is the first person notified of a security incident and the first to take action on it.

• First responder is a role that could be assigned to anyone, including IT security engineers, network administrators and others.

• The person responsible for acting as first responder should have the knowledge, skills and toolkit of a first responder.

Page 26

Responsibilities of First Responder

• The first responder should be ready to handle any situation, and his or her actions should be planned and well documented. Some core responsibilities are as follows:

• Figure out and understand the situation, event and problem.

• Gather and collect information from the crime scene.

• Discuss the collected information with the other team members.

• Document each and every thing.

• First responders or incident handlers should have first-hand experience of information security and of different operating systems and their architectures.

Page 27

Rules of Computer Forensics

• There are certain rules and boundaries that should be kept in mind while conducting an investigation.

• Minimize or eliminate examination of the original evidence: make an accurate and exact copy of the collected information so that the original need not be examined. This is the first and most important rule to observe before any investigation: create duplicates and investigate the duplicates. An exact copy is required in order to preserve the integrity of the data.

• Don't proceed if it is beyond your knowledge. If you hit a roadblock while investigating, stop at that moment; do not proceed if the matter is beyond your knowledge and skills, and consult an experienced colleague for guidance. This protects the data, which might otherwise be damaged irreparably. Do not treat the situation as a personal challenge; get additional training instead, since investigators are always learning.

Page 28

Rules of Computer Forensics Cont'd

• Follow the rules of evidence. The rules of evidence must be followed during the investigation process to make sure that the evidence will be accepted in court.

• Create documentation. Document any change that occurs in the evidence: the investigator should record the reason for, result and nature of the change. For example, restarting a machine may change its temporary files; note it down.

• Get written permission and follow the local security policy. Before starting an investigation, make sure you have written permission with instructions setting out the scope of your investigation. This matters because during the investigation you need to access or copy sensitive data; without written permission you may find yourself in trouble for breaching the IT security policy.

• Be ready to testify. Since you are collecting the evidence, you should be ready to testify about it in court; otherwise the collected evidence may become inadmissible.

Page 29

Rules of Computer Forensics Cont'd

• Your actions should be repeatable

• Do not work by trial and error, or no one will believe you or your investigation.

• Document every step taken. You should be confident enough to perform the same action again to prove the authenticity of the evidence.

• Work fast to reduce data loss

• Work fast to eliminate the chance of data loss: volatile data is lost if it is not collected in time.

• Automation can be introduced to speed up the process, but do not create a rushed situation; increase the human workforce where needed.

• Always start collecting data from the most volatile evidence and work towards the least volatile (the order of volatility in RFC 3227: registers and cache; memory, process and network state; temporary file systems; disk; remote logs; archival media).

• Don't shut down before collecting evidence

• This is a rule of thumb, since the collection of evidence is itself essential to an investigation.

• Make sure not to shut down the system before you have collected all the evidence; if the system is shut down, the volatile data is lost. Shutdown and rebooting should be avoided until the volatile evidence has been captured.

• Don't run programs on the affected system

• Collect all the evidence, copy it, create duplicates and work on those. Do not run programs on the affected system, otherwise you may trigger something you do not want to trigger. Think of a Trojan horse.

Page 30

3 A's of Computer Forensics

• The computer forensics methodology presented by Kruse and Heiser in their book "Computer Forensics: Incident Response Essentials" gives the 3A's of computer forensics, which apply to Windows and other operating systems as well:

• Acquire the evidence without altering or damaging the original.

• Authenticate that the recovered evidence is the same as the original seized data.

• Analyze the data without any alterations.
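The "Acquire" and "Authenticate" steps above, together with the first rule on page 27 (duplicate the evidence and work only on the duplicate), as an added worked example. It is not part of the lecture and is not Kruse and Heiser's code. Assumptions: the seized device is represented by a regular file (on a real case it would be a block device opened read-only, ideally behind a hardware write blocker, and imaged with a tool such as dd, dc3dd or ewfacquire); SHA-256 is the hash chosen for the example; the custody-log record format is invented here.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20   # read 1 MiB at a time; never load a whole device into memory


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source_path, image_path, examiner):
    """Acquire: bit-for-bit copy of the source into an image file, hashing the
    bytes as they are read so the hash describes exactly what was copied.
    Returns a custody record (record format invented for this example)."""
    h = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    return {
        "action": "acquire",
        "when": datetime.now(timezone.utc).isoformat(),
        "who": examiner,
        "source": source_path,
        "image": image_path,
        "bytes": os.path.getsize(image_path),
        "sha256": h.hexdigest(),
    }


def authenticate(record):
    """Authenticate: returns (image still matches the recorded hash,
    source still matches the recorded hash)."""
    image_ok = sha256_file(record["image"]) == record["sha256"]
    source_ok = (os.path.exists(record["source"])
                 and sha256_file(record["source"]) == record["sha256"])
    return image_ok, source_ok


def append_custody_log(log_path, record):
    """Append-only, one JSON object per line: every handling step is recorded."""
    with open(log_path, "a") as f:
        f.write(json.dumps(record, sort_keys=True) + "\n")


def demo():
    """Run the whole flow against a constructed stand-in for a seized device."""
    work = tempfile.mkdtemp()
    evidence = os.path.join(work, "suspect_usb.bin")
    with open(evidence, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 12345))   # constructed, not real evidence
    log = os.path.join(work, "custody.jsonl")

    master = acquire(evidence, os.path.join(work, "master.dd"), "A. Examiner")
    append_custody_log(log, master)
    # Rule: never work on the original. Duplicate the master and analyse the copy.
    working = acquire(master["image"], os.path.join(work, "working.dd"), "A. Examiner")
    append_custody_log(log, working)
    copies_match = working["sha256"] == master["sha256"]

    # Simulate a careless analysis tool writing one byte to the working copy.
    with open(working["image"], "r+b") as f:
        first = f.read(1)
        f.seek(0)
        f.write(bytes([first[0] ^ 0xFF]))

    with open(log) as f:
        entries = sum(1 for _ in f)
    return {
        "copies_match": copies_match,          # True: the duplicate was exact
        "master_ok": authenticate(master),     # (True, True): master untouched
        "working_ok": authenticate(working),   # (False, True): copy altered, master intact
        "log_entries": entries,
    }


if __name__ == "__main__":
    print(demo())
```

The second `authenticate` result is the whole argument for working on duplicates: the altered working copy fails authentication, but because the master image was never touched it still matches, so the examiner discards the copy, re-duplicates from the master and records both events in the log rather than losing the case.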

Page 31

Types of Digital Forensics

• There are various types of digital forensics:

• Disk Forensics:

• It deals with extracting data from storage media by searching active, modified, or deleted files.

• Network Forensics:

• It is a sub-branch of digital forensics. It is related to monitoring and analysis of computer network traffic to collect important information and legal evidence.

• Wireless Forensics:

• It is a division of network forensics. The main aim of wireless forensics is to provide the tools needed to collect and analyze data from wireless network traffic.

• Database Forensics:

• It is a branch of digital forensics relating to the study and examination of databases and their related metadata.

Page 32

Types of Digital Forensics

• Malware Forensics:

• This branch deals with identifying malicious code (viruses, worms, etc.) and studying its payload.

• Email Forensics:

• Deals with the recovery and analysis of emails, including deleted emails, calendars, and contacts.

• Memory Forensics:

• It deals with collecting data from system memory (system registers, cache, RAM) in raw form and then carving evidence from the raw dump.

• Mobile Phone Forensics:

• It mainly deals with the examination and analysis of mobile devices. It helps to retrieve phone and SIM contacts, call logs, incoming and outgoing SMS/MMS, audio, video, etc.
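Email forensics from the list above, as an added worked example that is not part of the lecture: tracing the delivery path of a message from its Received headers with Python's standard `email` package. The message, hosts, addresses and times are constructed. Received headers are read bottom-up because each relay prepends its own, and the one caveat every examiner applies is that only the header written by a server you control (here `mx.example.com`, an assumption for the example) is first-hand evidence; every header below it arrived from the previous relay and may have been forged by the sender.

```python
import email
import re
from email import policy
from email.utils import parsedate_to_datetime

# Constructed message: the sender's own host (192.0.2.77, seen by the partner
# relay from 203.0.113.9) claims a hop from "corporate-hq.example.org".
SAMPLE_MESSAGE = b"""\
Received: from mail.partner.example (mail.partner.example [198.51.100.25])
\tby mx.example.com with ESMTPS id 4xyz; Sun, 21 Jun 2020 09:15:32 +0000
Received: from [192.0.2.77] (unknown [203.0.113.9])
\tby mail.partner.example with ESMTPA; Sun, 21 Jun 2020 09:15:30 +0000
Received: from corporate-hq.example.org (corporate-hq.example.org [192.0.2.1])
\tby [192.0.2.77]; Sun, 21 Jun 2020 09:15:29 +0000
From: "CEO" <ceo@example.org>
To: finance@example.com
Subject: Urgent wire transfer
Message-ID: <20200621091529.1234@corporate-hq.example.org>

Please process the attached invoice today.
"""

TRUSTED_RELAYS = {"mx.example.com"}   # assumption: the MX the examiner controls

# "from <host> (<comment>) by <host> ...; <date>" is the common shape; real
# headers vary, so anything that does not match is kept as raw text.
HOP_RE = re.compile(
    r"from (?P<from>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>[^\s;]+)"
    r".*?;\s*(?P<date>.+)$")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def delivery_path(raw, trusted=TRUSTED_RELAYS):
    """Return the hops in chronological order (oldest first)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(str(value).split())          # unfold and normalise spacing
        m = HOP_RE.search(text)
        if not m:
            hops.append({"parsed": False, "raw": text})
            continue
        ip = IP_RE.search(m.group("comment") or "")
        hops.append({
            "parsed": True,
            "from": m.group("from"),
            "ip": ip.group(1) if ip else None,     # address the relay actually saw
            "by": m.group("by"),
            "time": parsedate_to_datetime(m.group("date")),
            "trusted": m.group("by") in trusted,    # written by our own server?
        })
    return hops


def anomalies(hops):
    """Notes an examiner would record: hops asserted only by the sender side,
    and timestamps that run backwards between consecutive hops."""
    notes = []
    parsed = [h for h in hops if h["parsed"]]
    for a, b in zip(parsed, parsed[1:]):
        if b["time"] < a["time"]:
            notes.append(f"clock went backwards between {a['by']} and {b['by']}")
    first_trusted = next((i for i, h in enumerate(parsed) if h["trusted"]), None)
    if first_trusted is None:
        notes.append("no hop was recorded by a trusted relay")
    else:
        for h in parsed[:first_trusted]:
            notes.append(f"hop via {h['by']} is claimed by the sender side only")
    return notes


if __name__ == "__main__":
    path = delivery_path(SAMPLE_MESSAGE)
    for h in path:
        print(h)
    print(anomalies(path))
```

In the sample the only fact the examiner can stand behind in court is that `mx.example.com` received the message from 198.51.100.25; the "corporate-hq" hop exists only in a header the sender's own machine wrote, so the From address and the Message-ID domain carry no evidential weight on their own.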

Page 33

Challenges faced by Digital Forensics

• Here are the major challenges faced by digital forensics:

• The increase in PCs and the extensive use of internet access

• Easy availability of hacking tools

• Lack of physical evidence makes prosecution difficult.

• Storage capacities in the terabytes, which make the investigation job difficult.

• Any technological change requires an upgrade of, or changes to, the solutions.

Page 34

Uses of Digital Forensics

• In recent times, commercial organizations have used digital forensics in the following types of cases:

• Intellectual Property theft

• Industrial espionage

• Employment disputes

• Fraud investigations

• Inappropriate use of the Internet and email in the workplace

• Forgeries related matters

• Bankruptcy investigations

• Regulatory compliance issues

Page 35

Advantages of Digital forensics

• Here are the pros/benefits of digital forensics:

• To ensure the integrity of the computer system.

• To produce evidence in the court, which can lead to the punishment of the culprit.

• It helps the companies to capture important information if their computer systems or networks are compromised.

• Efficiently tracks down cybercriminals from anywhere in the world.

• Helps to protect the organization's money and valuable time.

• Allows factual evidence to be extracted, processed and interpreted, so that the cybercriminal's actions can be proved in court.

Page 36

Disadvantages of Digital Forensics

• Here are the major cons/drawbacks of using digital forensics:

• Digital evidence is accepted in court; however, it must be proved that there has been no tampering.

• Producing electronic records and storing them is an extremely costly affair.

• Legal practitioners must have extensive computer knowledge.

• Authentic and convincing evidence must be produced.

• If the tool used for digital forensics does not meet the specified standards, the evidence can be rejected by the court.

• Lack of technical knowledge on the part of the investigating officer might not yield the desired result.

Page 37

References

• Irfan Shakeel, Introduction to Computer Forensics and Digital Investigation, InfoSec Institute.

• Ulrich Sieber, International Handbook on Computer Crime, John Wiley & Sons, New York.

• Warren G. Kruse II and Jay G. Heiser, Computer Forensics: Incident Response Essentials, Addison-Wesley.

• Kevin Mandia, Chris Prosise and Matt Pepe, Incident Response and Computer Forensics, McGraw-Hill.
