Page 1: Social Issues in Computing : Forensics

Forensics: New dimension for Governance

Presented By

Name: Karuna Kak and Anirudh Munj
PRN: 12030121030 and 12030121031
Course: BCA
Batch: 2012-15
Division: A
Course: Social Issues In Computing

Page 2: Social Issues in Computing : Forensics

INTRODUCTION TO FORENSICS

Forensics in ICT terms generally includes two distinct fields:

• using ICT to enhance information gained about a crime (for example, software that can process database searches faster than humans can), and
• gathering information about a crime from a computer that contains data related to the crime.

Page 3: Social Issues in Computing : Forensics

DEFINITION OF FORENSICS

• Forensics is the use of science and technology to investigate and establish facts in criminal and civil courts of law.
• The goal of any forensic investigation will be to prosecute the criminal or offender successfully, determine the root cause of an event and determine who was responsible.

Page 4: Social Issues in Computing : Forensics

TECHNIQUES USED IN FORENSICS

• Stringing

• Total station

• Photo composites

• Computerized matching

• Ballistics

• Fingerprints

• DNA

• Handwriting/graphology

Page 5: Social Issues in Computing : Forensics

STRINGING

• One traditional procedure at a crime scene is to document the locale.
• On a road, the distances, speeds and directions are part of the data set that defines the events. Prior to the availability of high-tech IT equipment, this process involved “stringing”: a police technician would use string to measure distances and angles.
• Today, laser-controlled digital cameras and computer-generated algorithms have replaced the somewhat imprecise techniques of earlier years.

Page 6: Social Issues in Computing : Forensics

TOTAL STATION

• A device called the “Total Station” began to replace that imprecise technology of using strings, paper and pencils and analog photographs during the middle of the 20th century.
• It was a device used by engineers that was easily adapted to forensic use because of the (then) precise nature of the data it provided, as opposed to the use of string, for example.

Page 7: Social Issues in Computing : Forensics

PHOTO COMPOSITES

• One of the classic results of a police investigation into a crime is the “Wanted” poster.
• In pre-digital times, highly skilled artists were part of the staff of a police force: people who could interpret witness descriptions and turn them into visual elements.
• Today, using a combination of digitally captured images and special software, police are able not only to create likenesses that are indistinguishable from actual photographs, but they are also able to put special algorithms to work that can authentically “age” a victim/suspect within reasonably accurate limits.

Page 8: Social Issues in Computing : Forensics

COMPUTERIZED MATCHING

• There are a number of traces that might be left at a crime scene that can be used to identify the criminal.
• When there is so much data to sort, catalogue and search through, a computer or a computerized database makes the work both faster and less prone to error.
• Special software and hardware adapted to specific uses also increase the likelihood of positive identification, whether it means reconstructing a scene from limited or missing information or searching a large database to find matching patterns.

Page 9: Social Issues in Computing : Forensics

BALLISTICS

• Prior to the arrival of computer technology, police experts would examine the markings on bullets found at a crime scene under a microscope.
• They still do; however, the process has been considerably enhanced with the assistance of computers: much of the visual comparison can now be automated.
• Similarly, rather than having a desk clerk search through long files in search of serial numbers – on weapons recovered or ammunition – centralized databases and logged electronic records allow police to make better use of their time.

Page 10: Social Issues in Computing : Forensics

FINGERPRINTS

• The use of fingerprints to identify individuals was known as far back as ancient times; Greek and Babylonian records show the use of fingerprints as a signature.
• However, it was only about the 1850s when police investigations began to make extensive use of fingerprints as “proof positive”.
• Although no two people have the same fingerprints, police are often limited by the amount of data they can search through.
• Today, police detectives can work online, with access to a national digital archive of known fingerprints.

Page 11: Social Issues in Computing : Forensics

DNA

• Similar to the case of fingerprints, but an even more recent development, is the use of DNA as positive identification in a crime.
• DNA identification can work with any body parts to create a very clear profile of the person the sample comes from.
• Again, the chance of identification is made better when you have a larger database to work from.
• The police are able to build a better DNA database because they are given the legal right to collect and save a digital DNA file for anyone who is taken to the police station.
• The fact that the police are allowed to take a DNA “swab” even of people who are not charged with a crime has become a major issue of privacy rights.

Page 12: Social Issues in Computing : Forensics

HANDWRITING/GRAPHOLOGY

• Handwriting analysis involves forensic examination of such factors as (pen) pressure, slant or angle of letters, deviation above and below imaginary “standard” lines and other factors such as the size of loops in the letters.
• While much of this is based on visual observation, software that can scan and then automatically, digitally compare these features is making this science more reliable as a tool for detection.

Page 13: Social Issues in Computing : Forensics

STUXNET

• Largest and costliest development effort in malware history
• A team of highly capable programmers
• In-depth knowledge of industrial processes
• The complexity of the code indicates that only a nation-state would have the capabilities to produce it
• The self-destruct and other safeguards within the code imply that a Western government was responsible, with lawyers evaluating the worm's ramifications

Page 14: Social Issues in Computing : Forensics

DIGITAL FORENSIC (DF)

• DF involves the preservation, identification, extraction and documentation of digital evidence stored as data or magnetically encoded information.
• This includes the recovery, analysis and presentation of digital evidence in a way that is admissible and appropriate in a court of law.

Page 15: Social Issues in Computing : Forensics

DIGITAL FORENSICS AS A MULTI-DIMENSIONAL DISCIPLINE

• We consider the dimensions of Information Security as a baseline when defining dimensions for DF.
• The following dimensions were identified for digital forensics: Corporate Governance, Policy, Legal and Ethical, People, Technology.
• The dimensions are inter-related and cannot exist in isolation.

Page 16: Social Issues in Computing : Forensics

CORPORATE GOVERNANCE DIMENSION

• The Corporate Governance dimension will handle the management aspects of DF in an organization.
• Management is responsible for the security posture of an organization.
• Management can only manage security incidents if, for example, the root cause of the event is determined and appropriate action to rectify it can be taken – this may involve forensic investigations.
• The Corporate Governance dimension includes strategic governance and operational governance.
• Typically strategic governance will be from a strategic perspective, while operational governance will provide management directives on an operational level.

Page 17: Social Issues in Computing : Forensics

POLICY DIMENSION

• A general forensic investigation policy is required to provide a framework for DF policies in the organisation.
• Examples of other policies are how to handle evidence, how to seize evidence and how to conduct covert or overt investigations. Policies are normally supported by procedures and guidelines.
• Procedures also need to be set up so that the investigations will be able to stand up to legal scrutiny in court.
• These procedures must also be scientifically sound and proven to maintain the integrity of the evidence and process.

Page 18: Social Issues in Computing : Forensics

POLICY DIMENSION

Six categories of policies to facilitate Digital Forensic Investigations (DFI):

• Retaining Information
• Planning the Response
• Training
• Accelerating the Investigation
• Preventing Anonymous Activities
• Protecting the Evidence

Page 19: Social Issues in Computing : Forensics

LEGAL AND ETHICAL DIMENSION

• The Legal and Ethical dimension of DF is very important in organizations.
• In Cyberspace there is no universal or common ‘Cyber law’. Various judiciary systems exist in different countries.
• The forensic investigator must be familiar with local legal and international laws, treaty requirements and industry-specific legal requirements when preparing to present a case that will be able to stand up to legal scrutiny in court.
• Ethical aspects of DF are becoming more and more important.

Page 20: Social Issues in Computing : Forensics

PEOPLE DIMENSION

• People are the most important part of any organisation and normally the weakest link in the security chain of the organization.
• When an incident occurs it is most likely that people will contaminate the evidence while figuring out what has happened. Training is therefore essential, and there is a huge need for forensic awareness training.
• This dimension will look at training and awareness programs in an organization.
• The profile and composition of a DF team are also very important.
• One person normally does not have all the required skills to conduct an investigation. Therefore the team should consist of a team leader, network specialist, code specialist, business process specialist and a quality manager.

Page 21: Social Issues in Computing : Forensics

TECHNOLOGY DIMENSION

• No DF investigation can be conducted without a DF toolkit.
• Various specialised software and/or physical hardware tools will make up the DF toolkit, as different tools are used for different purposes.
• The way the tools are utilised, as well as the acceptance of a specific tool by the legal authorities, is vital for any forensic investigation.
• The forensic and legal community has accepted certain industry-standard tools, e.g. EnCase (Meyers M, Rogers M, 2004).

Page 22: Social Issues in Computing : Forensics

REFERENCES

• Digital Forensics: A Multi-dimensional Discipline, CP Grobler, Prof B Louwrens, University of Johannesburg, Department of Business IT
• Developing digital forensic governance, Marthie Grobler, Council for Scientific and Industrial Research (CSIR)
• Social Issues in Computing, Exploring the Ways Computers Affect Our Lives, Colin Edmonds, June 2009
