Running head: Computer Forensics – Analysis and Uses
Summary and Introduction
In 1985 Alec Jeffreys of England introduced DNA identification to the world and demonstrated its use in a criminal investigation: DNA testing allowed him to exonerate a man accused of raping and killing two young women. The information hidden in human DNA has a counterpart in the information hidden in computers and electronic storage media, and the amount of information (financial documents, images, conversations, memos, records, and so on) held on electronic media is growing rapidly.
Forensics deals with the recovery and analysis of latent evidence: it is the process of using scientific procedures to collect, analyze, and present to a court evidence that is not visible at first sight, such as fingerprints left on a window, evidence recovered from blood stains, or files on a hard drive.
Computer forensics combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law.
Computer forensics involves the preservation, identification, extraction, documentation, and interpretation of computer data (Kruse and Heiser, 2002). Kruse and Heiser describe it as more of an art than a science, meaning that forensic methodology relies on flexibility and extensive domain knowledge rather than on a fixed recipe. It is a branch of digital forensic science dealing with legal evidence found in computers and digital storage media. Its goal is to examine digital media in a forensically sound manner in order to identify, preserve, recover, analyze, and present facts and opinions about the information or the situation under investigation. Although it is most often associated with the investigation of computer crime, it is also used in civil proceedings. It shares techniques and principles with data recovery, but adds guidelines and practices designed to create a legal audit trail.
Evidence from computer forensics investigations is subject to the same guidelines and practices as other digital evidence. Courts in the United States and Europe have widely accepted it as reliable, and it has been used in a number of high-profile cases. The discipline arose as a method to recover and investigate digital evidence for use in court; it is now used to investigate a wide variety of crimes, including child pornography, fraud, cyber stalking, murder, and rape.
Like DNA profiling, computer forensics is a promising method in the pursuit of evidence. The forensic sciences have seen their share of innovation, from fingerprinting to DNA profiling, and now computer forensics. Its benefits in investigating and solving computer crimes are easy to see, and it is proving exceptionally useful in other areas such as endangering the welfare of a child, sexual assault, embezzlement, and homicide. Police departments are creating their own in-house computer forensics laboratories, and the Federal Bureau of Investigation has created a network of Regional Computer Forensics Laboratories across the country to analyze electronic media seized during criminal investigations on behalf of agencies that lack such resources.
Review of Work Done in Computer Forensics
A computer forensics examiner works as part of a law enforcement agency or a similar organization, analyzing and interpreting computer data in the investigation of a crime. The tasks usually involve computer data and can range from analysis of the metadata in an e-mail to imaging and analysis of a hard drive. Other common tasks include recovery of deleted files, use of various software tools to examine computer evidence, and proper documentation of the process for use in court. A computer forensics examiner will sometimes testify in court about computer evidence found and used during an investigation.
Much of a computer forensics examiner's work takes place during a criminal investigation or civil discovery. It normally involves examination and analysis of hardware, software, and files to produce evidence about a suspect or to build a case for the guilt or innocence of an accused person. In civil discovery the examiner's findings are often used to determine whether someone is lying or misrepresenting the facts of a case.
Regardless of the type of case, a computer forensics examiner will typically evaluate large amounts of material: hardware, hard drives or discs, data files, and the e-mails and documents stored on a computer. An examiner can often determine where an e-mail was sent from and may be able to read encrypted files, for instance when the password can be recovered. Such work has led to arrests in numerous cases, including that of the infamous "BTK" killer, caught in 2005 after the metadata of a document on a floppy disk he sent to police revealed his first name and the location where the disk had been used. An examiner will also typically work after an investigation to provide court testimony and expert opinions. The examiner documents each step and every piece of work performed so that the evidence meets the standards required for introduction in court. Once the examination is complete, the examiner may have to present the work and defend it under cross-examination by an attorney, and explain the methods used to find the evidence in a way that judges and jury members can understand.
Computers can yield evidence of a wide range of criminal and other unlawful activities. Many criminals engaged in murder, robbery, burglary, gambling, kidnapping, sexual assault, extortion, drug dealing, auto theft, espionage and terrorism, gun dealing, economic crimes, confidence games, and criminal hacking keep files with incriminating evidence on their computers. The information on the computer is often the key to identifying a suspect, and it can yield the most damning evidence.
The pipe bomb murder that occurred in 1998 in the quiet town of Fair Haven, Vermont, is another good example of the work done by computer forensics. It involved a 17-year-old, Chris Marquis, who was scamming buyers by selling CB radios on the Internet that he did not actually have. One of his victims, 35-year-old Chris Dean of Pierceton, Indiana, had been conned out of several hundred dollars. After realizing what had happened he tried unsuccessfully to contact Marquis and sent several threatening e-mails. On March 19 a pipe bomb delivered by UPS to Marquis' house exploded, killing Marquis and badly injuring his mother. Forensic examination of the crime scene yielded pieces of the package and the UPS shipping label, which led the FBI and local authorities to Dean.
Rationale and Systems Analysis
A number of techniques are used during computer forensics investigations. Three common ones, each supported by forensic software, are cross-drive analysis, live analysis, and recovery of deleted files.
Cross-drive analysis – a technique that correlates information found on multiple hard drives. It can be used to identify social networks and to perform anomaly detection. The correlated information includes correspondence between the parties involved, such as e-mails, instant messages, and social networking activity, and such evidence can corroborate an existing relationship between victims or suspects.
Live analysis – the examination of a computer from within its running operating system, using existing system administration tools to extract evidence. The practice is useful when dealing with encrypting file systems, because the encryption keys may be collected and, in some cases, the unlocked logical volume can be imaged while the system is still running. Any data present on the running computer is considered live data: documents, pictures, or any other files that might aid the investigation. It can be copied to a portable device and used as viable evidence at trial.
Deleted files – recovery of deleted files is another common technique. Modern forensic software has its own tools for recovering or carving out deleted data. Most operating systems and file systems do not erase the physical file data when a file is deleted; only the directory entry or allocation record is removed, so the content can often be reconstructed from the physical disk sectors. File carving searches a disk image for known file headers (and footers) and reconstructs the deleted material from the bytes between them. A suspect attempting to cover their tracks might not think to use disk scrubbing or encryption software, making it easy for investigators to gather the evidence they need for a conviction.
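As an added illustration of file carving (example code written for this page, not part of the original paper or of any forensic product), the script below scans a constructed raw image for JPEG and PNG magic numbers, carves out what lies between header and footer, and hashes both the image and each carved file so the result can be documented. The signatures, the 512-byte sector alignment rule, the size limit, and the sample image are assumptions chosen for the example.

```python
"""Header/footer file carving over a raw disk image.

Added example for this page (not the paper's or any tool's code). The
signatures, sector size, size limit and sample image are assumptions.
"""
import hashlib

# Magic numbers: (header, footer). A carver keys on these, not on the
# file system, which is why it finds data whose directory entry is gone.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def sha256_hex(data: bytes) -> str:
    """Hash recorded for the image before work starts and for each carved file."""
    return hashlib.sha256(data).hexdigest()


def carve(image: bytes, sector: int = 512, max_size: int = 16 * 1024 * 1024):
    """Return [(offset, kind, data)] for each header that starts on a sector
    boundary and is followed by its footer within max_size bytes.

    Headers off a sector boundary are skipped: file data normally begins at a
    sector/cluster start, and the rule cuts false positives from random bytes.
    A header with no footer in range is treated as fragmented or overwritten
    and is not carved (a plain header/footer carver cannot reassemble it).
    """
    results = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := image.find(header, pos)) != -1:
            if start % sector:
                pos = start + 1
                continue
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:
                pos = start + 1
                continue
            end += len(footer)
            results.append((start, kind, image[start:end]))
            pos = end
    return sorted(results)


def build_sample_image() -> bytes:
    """Constructed image (not real media): filler, a 'deleted' JPEG whose
    directory entry no longer exists, slack, then a PNG, each sector padded."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF" + bytes(range(256)) * 4 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x01" * 40 + b"IEND\xaeB`\x82"

    def pad(blob: bytes, sector: int = 512) -> bytes:
        return blob + b"\x00" * (-len(blob) % sector)

    return pad(b"\xcc" * 1000) + pad(jpeg) + pad(b"\xcc" * 300) + pad(png)


def carve_report(image: bytes) -> list:
    """One record per carved file, as it would go into the examiner's notes."""
    return [
        {"offset": off, "kind": kind, "size": len(data), "sha256": sha256_hex(data)}
        for off, kind, data in carve(image)
    ]


if __name__ == "__main__":
    img = build_sample_image()
    print("image sha256:", sha256_hex(img))
    for rec in carve_report(img):
        print(rec)
```

The hashes are the part an examiner must not skip: the image hash taken before carving proves that what was analyzed is what was acquired, and the per-file hash ties each exhibit to the offset it came from. Two limitations are worth remembering: a JPEG footer byte pair can also occur inside an embedded thumbnail, so a carved file may be truncated, and a file whose sectors are not contiguous on disk will not be recovered by header/footer carving at all.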
One application of live analysis is to capture the contents of RAM, using tools such as Microsoft's COFEE, windd, or WindowsSCOPE, before an exhibit is powered down and removed. RAM can sometimes be analyzed for prior content even after power loss, because the electrical charge stored in the memory cells takes time to dissipate, an effect exploited by the cold boot attack. The time during which recovery is possible increases at low temperatures and higher cell voltages; holding unpowered RAM below −60 °C preserves the residual data for roughly an order of magnitude longer, improving the chances of successful recovery.
A number of open source and commercial tools exist for computer forensics investigation. A typical analysis includes a manual review of the material on the media, review of the Windows registry for suspect information, discovery and cracking of passwords, keyword searches for topics related to the crime, and extraction of e-mail and pictures for review.
Financial forensics is a fast-growing field for investigators of financial fraud. New tools and techniques are being developed and adopted, while established methods continue to be used to trace red flags. The most commonly used technique is Benford's law, which predicts the distribution of leading digits in naturally occurring numerical data; a set of transaction amounts that departs markedly from it warrants closer inspection. Specialized software tools and applications such as Actimize and Memento are being developed to perform financial forensics on databases.
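Benford's law in practice, as an added example (written for this page, not code from the paper or from products such as Actimize or Memento): the first-digit frequencies of a set of amounts are compared with the expected log10(1 + 1/d) shares using a chi-square statistic, and a data set that departs from them is flagged for review. The two data sets are constructed stand-ins, and the 5% chi-square cutoff and the minimum sample size are assumptions chosen for the example.

```python
"""First-digit (Benford's law) screening of transaction amounts.

Added example for this page, not code from the paper or from any product.
The two data sets are constructed, and the chi-square cutoff and the
minimum sample size are conventional choices made for the example.
"""
import math
from typing import Dict, Iterable, Optional, Tuple

# Benford's expected share of each leading digit: log10(1 + 1/d).
BENFORD: Dict[int, float] = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

# Chi-square critical value for 8 degrees of freedom at the 5% level.
CHI2_CRITICAL_8DF_05 = 15.507


def leading_digit(value: float) -> Optional[int]:
    """First significant digit of a non-zero amount, independent of scale."""
    if value == 0:
        return None
    return int(f"{abs(value):e}"[0])   # scientific notation puts it first


def first_digit_counts(values: Iterable[float]) -> Dict[int, int]:
    """Observed count of each leading digit 1..9 (zeros are skipped)."""
    counts = {d: 0 for d in range(1, 10)}
    for v in values:
        d = leading_digit(v)
        if d is not None:
            counts[d] += 1
    return counts


def benford_chi2(values: Iterable[float]) -> Tuple[float, int]:
    """Chi-square distance between observed and Benford counts, plus n."""
    counts = first_digit_counts(values)
    n = sum(counts.values())
    chi2 = sum(
        (counts[d] - n * BENFORD[d]) ** 2 / (n * BENFORD[d]) for d in range(1, 10)
    )
    return chi2, n


def flag_for_review(values: Iterable[float], cutoff: float = CHI2_CRITICAL_8DF_05) -> bool:
    """True when the digit distribution departs from Benford at the 5% level.
    A flag is a lead for the investigator, not proof of fraud. Samples under
    100 values are too noisy to judge and are never flagged."""
    chi2, n = benford_chi2(values)
    return n >= 100 and chi2 > cutoff


def genuine_amounts() -> list:
    """Constructed stand-in for organically grown amounts: a geometric series
    spanning almost four orders of magnitude, which follows Benford closely."""
    return [round(1.03 ** i, 2) for i in range(300)]


def fabricated_amounts() -> list:
    """Constructed stand-in for invented figures: everything sits between
    400 and 999, so digits 1 to 3 never appear."""
    return [400 + (i * 37) % 600 for i in range(300)]


if __name__ == "__main__":
    for name, data in (("genuine", genuine_amounts()), ("fabricated", fabricated_amounts())):
        chi2, n = benford_chi2(data)
        print(f"{name}: n={n} chi2={chi2:.1f} flagged={flag_for_review(data)}")
```

Two caveats apply before a flag means anything. Benford's law only holds for data that spans several orders of magnitude and has no imposed floor or ceiling; amounts capped by a policy limit, sequential invoice numbers, or prices set by a catalog will fail the test without any fraud. And a pass proves nothing either, since a sophisticated fabricator can draw invented figures from a Benford-shaped distribution.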
Forensic techniques and expert knowledge are used to explain the current state of a digital artifact such as a computer system, a storage medium, or an electronic document. The scope of a forensic analysis can vary from simple information retrieval to the reconstruction of a series of events.
In court, computer forensic evidence is subject to the usual requirements for digital evidence: the information must be authentic, reliable, lawfully obtained, and admissible.
Computer forensic investigations usually follow the standard digital forensic process of acquisition, analysis, and reporting. Investigations are performed on static data (a forensic image of the media) rather than on live systems. This is a change from early forensic practice, when a lack of specialist tools meant that investigations were commonly carried out on live data.
Goals and Objectives of Computer Forensics
The ability to practice sound computer forensics helps ensure the overall integrity and survivability of a network infrastructure. Forensic specialists can help their organization by treating computer forensics as a basic element of what is known as a defense-in-depth approach to network and computer security. Understanding the legal and technical aspects of computer forensics helps one capture vital information if the network is compromised, and helps the prosecution of the case if the intruder is caught.
Ignoring computer forensics, or practicing it badly, risks destroying vital evidence or having forensic evidence ruled inadmissible in a court of law. An organization may also run afoul of new laws that mandate regulatory compliance and assign liability if certain types of data are not adequately protected. Recent legislation makes it possible to hold organizations liable in civil or criminal court if they fail to protect customer data.
Computer forensics is also an important way of saving an organization money. Many managers are allocating a greater portion of their information technology budgets to computer and network security; International Data Corporation (IDC) reported that the market for intrusion detection and vulnerability-assessment software would reach 1.45 billion dollars in 2006. Organizations are deploying network security devices such as intrusion detection systems (IDS), firewalls, and proxies, all of which report on the security status of networks. The main goal of computer forensics is to identify, collect, preserve, and analyze data in a way that preserves the integrity of the evidence collected, so that it can be used effectively in a legal case.
Those who investigate computers need a clear understanding of the kind of evidence they are looking for in order to structure their search. Crimes involving a computer range across the spectrum of criminal activity, from child pornography to theft of personal data to destruction of intellectual property. The investigator must pick the appropriate tools for deleted, damaged, or encrypted files, and must be familiar with an array of methods, procedures, and software in order to avoid causing further damage during recovery.
Two basic types of data are collected in computer forensics. Persistent data is stored on a local hard drive or another medium and is preserved when the computer is turned off. Volatile data is stored in memory or exists in transit, and is lost when the computer loses power or is turned off; it resides in registers, caches, and random access memory. Because this data is ephemeral, an investigator must know reliable ways to capture it, and must do so before the running system is powered down.
System administrators and security personnel must also understand how routine computer and network administrative tasks can affect both the forensic process and the subsequent ability to recover data that may be critical to the identification and analysis of a security incident.
Advances in forensic technology have transformed the task of law enforcement officials working a criminal investigation. Crime scene forensics remains the more familiar set of tools that forensic scientists use to test witness accounts and follow leads, but computers have now become a viable source of legal evidence in everything from identity theft to murder. Computer forensics mainly assesses evidence found on the hard drive of a desktop or laptop computer, but the field has branched out to include data retrieval from cell phones and remote Internet servers as well.
Legal Aspects of Computer Forensics
Anyone overseeing network security must be aware of the legal implications of forensic activity. Security professionals need to consider their policy decisions and technical actions in the context of existing laws; in particular, one must have authorization before monitoring and collecting information related to a computer intrusion. There are also legal ramifications to using security monitoring tools.
Computer forensics is a relatively new discipline to the courts, and many of the existing laws used to prosecute computer-related crimes, the legal precedents, and the practices related to computer forensics are in a state of flux. New court rulings affecting how computer forensics is applied are issued regularly. The best source of information in this area is the United States Department of Justice's Cyber Crime web site, which lists recent court cases involving computer forensics and computer crime and provides guides on how to introduce computer evidence in court and which standards apply. The important point for forensic investigators is that evidence must be collected in a way that is legally admissible in court.
Increasingly, laws are being passed that require organizations to safeguard the privacy of personal data, and it is becoming necessary to prove that an organization complies with computer security best practices. An organization that has added a computer forensics capability to its arsenal will be able to show that it followed a sound security policy, and may avoid lawsuits or regulatory audits if an incident affects critical data.
Three areas of law related to computer security are particularly important to be familiar with. First, the United States Constitution: the Fourth Amendment protects against unreasonable search and seizure, and the Fifth Amendment protects against self-incrimination. Although these amendments were written long before the misuse of computers was a concern, their principles govern how computer forensics is practiced.
Second, anyone concerned with computer forensics must know how three U.S. statutes affect them: the Wiretap Act (18 U.S.C. §§ 2510-22), the Pen Registers and Trap and Trace Devices statute (18 U.S.C. §§ 3121-27), and the Stored Wire and Electronic Communications Act (18 U.S.C. §§ 2701-12). Violating any of these statutes in the course of computer forensics work can constitute a federal felony punishable by a fine, imprisonment, or both.
Third, the U.S. Federal Rules of Evidence regarding authentication, reliability, hearsay, and best evidence must be understood. In the United States there are two primary areas of legal governance affecting cyber security actions related to the collection of network data: the authority to monitor and collect the data, and the admissibility of the collection methods. Of the three areas above, the U.S. Constitution and the statutes primarily govern the collection process, while the Federal Rules of Evidence deal mostly with admissibility.
Possessing the technical skill to preserve information related to a suspected security incident in a forensically sound manner, together with awareness of the legal issues involved, is a great asset to system administrators and their organizations. Should an intrusion lead to a court case, an organization with a computer forensics capability will be at a distinct advantage.
Because so much useful information may be found on it, seizing a computer has become standard practice during an investigation. Computer forensics is blossoming into an important part of the forensic sciences. Although the usefulness of its conclusions for all types of investigations is recognized, some have questioned when the police have the right to search a computer or to use computer forensics findings as evidence. The government has published search and seizure guidelines, prepared by the Computer Crime and Intellectual Property Section of the United States Department of Justice's Criminal Division, online at www.usdoj.gov/criminal/cybercrime/searching.html. The document discusses searching and seizing computers with and without warrants, and contains numerous suggestions for law enforcement and a generous amount of case law.
Computer forensics is the acquisition, examination, and reporting of information found on computers and networks that pertains to a criminal or civil investigation. Everything someone does on a computer or a network leaves traces, from deleted files and registry entries to the Internet history cache and automatic Word backup files. E-mail headers and instant messaging logs give clues to the intermediate servers through which a message has traveled, and server logs record every computer system that accessed a Web site.
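Tracing a message through its Received: headers, as an added example (written for this page, not code from the paper): each mail server prepends its own Received: line, so reading the lines bottom-up gives the chronological path, and the hop written by a server you control is the furthest point the headers can prove, since a sender can forge every line beneath it. The message is constructed (documentation IP ranges and invented host names), and the set of trusted hosts is an assumption supplied by the caller.

```python
"""Reconstructing the server path from the Received: headers of an e-mail.

Added example for this page, not code from the paper. The message is
constructed (documentation IP ranges, invented host names) and the set of
trusted hosts is an assumption: only Received: lines written by servers you
control are trustworthy, since a sender can forge any line beneath them.
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed message: three hops, newest Received: line on top.
SAMPLE = """Received: from mx1.example.org (mx1.example.org [203.0.113.10])
    by mail.victim.example (Postfix) with ESMTPS id 4F2A1C0
    for <alice@victim.example>; Tue, 14 Feb 2012 09:15:02 -0500
Received: from relay.example.net (relay.example.net [198.51.100.7])
    by mx1.example.org with ESMTP; Tue, 14 Feb 2012 09:14:58 -0500
Received: from [192.0.2.25] (unknown [192.0.2.25])
    by relay.example.net with ESMTPA; Tue, 14 Feb 2012 09:14:55 -0500
From: "Bob" <bob@example.net>
To: alice@victim.example
Subject: Invoice
Message-ID: <20120214091455.1234@example.net>

Please see the attached invoice.
"""

# "from <claimed host> ... by <receiving host>"; the bracketed IP is what the
# receiving server saw on the wire and is more reliable than the claimed name.
HOP = re.compile(r"\bfrom\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)")
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def hop_chain(raw: str) -> list:
    """Parse every Received: header and return the hops earliest-first."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())             # unfold continuation lines
        m = HOP.search(value)
        if not m:
            continue                                # malformed line: skip it
        ip = IPV4.search(value[: m.start("by")])    # IP seen for the 'from' side
        when = parsedate_to_datetime(value.rsplit(";", 1)[-1].strip())
        hops.append({"from": m.group("from"), "ip": ip.group(1) if ip else None,
                     "by": m.group("by"), "time": when})
    hops.reverse()                                  # servers prepend: bottom = first
    return hops


def last_verifiable_source(hops: list, trusted: set):
    """Walk back from the hop written by our own server while the writer is
    trusted; the IP recorded by the last trusted hop is the furthest point the
    headers can prove. Earlier lines may have been forged by the sender."""
    source = None
    for hop in reversed(hops):
        if hop["by"] not in trusted:
            break
        source = hop["ip"]
    return source


if __name__ == "__main__":
    chain = hop_chain(SAMPLE)
    for i, hop in enumerate(chain, 1):
        print(f"{i}. {hop['from']} ({hop['ip']}) -> {hop['by']} at {hop['time']}")
    print("provable source:", last_verifiable_source(chain, {"mail.victim.example"}))
```

In the sample, trusting only the victim's own server proves the message came from 203.0.113.10 (mx1.example.org); the 192.0.2.25 line at the bottom is what an investigator wants, but it can only be relied on after obtaining logs from relay.example.net that confirm it. Timestamps across hops come from different clocks and are useful for spotting impossible orderings, not for precise timing.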
Forensics entails the use of science to investigate and establish facts in a criminal or civil court. Physical evidence such as tire tracks and bullets, and medical evidence such as blood and DNA, are well accepted in the courts and in the hearts and minds of the law enforcement community and the public. The role of computer forensics and digital investigations is less well known and much less well understood.
Computer evidence is as significant for protecting the innocent as for prosecuting the guilty. The law enforcement community has made a major commitment of resources and funds to increase the use of computer forensics in investigations, and attorneys today should have at least a basic understanding of computer forensics and of when its use is practical.
Technological advances in computer forensics are made every day. As more people invest in stronger encryption, law enforcement software is redesigned to get around those security measures, leading to more arrests and convictions in otherwise difficult cases. The creative and futuristic technologies shown in CSI, the Law & Order franchise, Court TV's Forensic Files, and many others are becoming not just realities but commonplace examples of the analysis of computer evidence. As we have come to expect from television, there is a grain of truth in the oversimplification of the facts.
Cyber forensics is growing in importance for the law enforcement community for a number of reasons. Computers and the Internet are the fastest growing technology tools used by criminals, and this will continue for the foreseeable future. Cybercrimes and white-collar crimes are lucrative: they are non-violent, yield high profits, and carry a low risk of capture. It has been reported that cybercrime in the United States yields more income than the illegal drug trade. And if a suspect is caught and convicted, the conviction usually results in a relatively short prison sentence, because judges and juries seem to view cybercriminals as intelligent, misguided individuals rather than as thugs.
The Internet poses a significant problem for legal investigations, and the biggest issue is jurisdiction. With crimes such as identity theft, Nigerian 419 and other scams, phishing, fraud, and other acts enabled by the global Internet, it is now easy for a criminal in one country to perpetrate a crime against a person in another country while using servers located in a third.
The exchange of child pornography, largely shut down in the United States by the postal service, is rampant on the Internet. Luring, cyber stalking, traveling, and other child sexual exploitation activities have been dramatically enabled by the global reach of the Net. Laws vary from country to country; a felony in one country might not even be illegal in another.
The Internet is changing crime scene investigation. Access to the Internet is nearly ubiquitous in the industrialized countries, allowing a criminal to log on from a different computer at a different location every time. While it may be easy to show that a particular computer accessed a given server at a given date and time, it can be very hard to prove whose fingers were on the keyboard, especially in a public place such as a library. And Internet access and storage devices are becoming smaller, cheaper, faster, and more mobile every day.
Computer forensics and digital investigations have become an integral part of police work in the new millennium. Computers are now as much a part of the modern law enforcement officer's daily routine as the baton, sidearm, two-way radio, or handcuffs.
References
CERIAS: Digital Forensics Resources. Retrieved February 15, 2012.
Department of Justice: Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations. Retrieved February 16, 2012 from http://www.cybercrime.gov/s&smanual2002.htm
Computer Forensics, Cybercrime and Steganography Resources. Retrieved February 15, 2012 from http://www.forensics.nl/links/
Computer Forensics World. Retrieved February 18, 2012 from http://www.computerforensicsworld.com
Computer Professionals for Social Responsibility: Computer Crime Directory. Retrieved February 17, 2012 from http://www.cpsr.org/cpsr/computer_crime
Cornell University: Federal Rules of Evidence. Retrieved February 15, 2012.
Kessler, G. (2005). The Role of Computer Forensics in Law Enforcement. Retrieved February 15, 2012 from http://www.garykessler.net/library/role_of_computer_forensics.html
Casey, E. (2000). Digital Evidence and Computer Crime (Second Edition). San Diego, CA: Academic Press.
Nelson, B. (2004). Guide to Computer Forensics and Investigations. Boston, MA: Thomson Course Technology.