Computer Forensics By Chris Brown

Computer Forensics Defined Applying computer science to aid in the legal process Utilization of predefined set of procedures to thoroughly examine a computer system with the use of software and tools.

History of Computer Forensics Dated back 30 years when it first appeared in courts. When computer evidence first appeared in courts, At first, judges treated computer forensics evidence as any other piece of evidence. As technology evolved, it became necessary to distinguish guidelines on the interpretation of computer evidence that simply was different from conventional physical evidence. This interpretation came in the form of the US Federal Rules of Evidence of Computer forensics also gave way to three other important acts

Governmental Acts Economic Espionage Act of 1996 – dealt with trade secret theft Electronic Communications Privacy Act of 1986 – dealt with the interception of electronic communications Computer Security Act of 1987 – dealt with the security of government computer systems

Major Duties of Computer Forensic Experts 1) Identifying sources of digital evidence 2) Preserving this evidence 3) Analyzing this evidence 4) Presenting the findings from analysis

Identifying sources of digital evidence One of the most important time frames in computer forensics is the initial response to a computer related crime and how to identify vital evidence necessary to make a legal case against perpetrator. Different environments of criminal activity mean different approaches to collecting evidence. For example, in a corporate setting, a perpetrators workstation can be located and a imaging of the hard drive and related media can be done while in a criminal situation that requires law enforcement, a search warrant must be obtained before any collection of evidence can be done.

Preserving this evidence Similar to a police investigation, all printouts, notes, disk media, keydrives, MP3 players, security tokens, or other physical evidence or removable storage device are collected for analysis in a lab. Digital photographs of the scene are also taken before any hardware is dealt with. The way in which the hardware is dealt with, and specifically the hard drive is by the use of imaging.

Imaging Imaging is the process of creating an exact duplicate of the original evidence. This duplication can be accomplished by a standalone hard-drive duplicator or a software imaging tool. Examples of such tools include DCFLdd and IXimager. Once the entire hard drive is copied, the original is physically secured in storage to prevent tampering. The actual imaging process is verified through the use of the SHA-1 message digest algorithm (with a program such as sha1sum).

Analyzing the evidence The actual forensic analysis is done through the use of special tools that display information important to investigators. Examples of such tools include:  AccessData’s FTK  Guidance Software’s EnCase  Brian Carrier’s Sleuth Kit In a typical analysis:  A manual review of all materials on media is conducted  Windows registry is reviewed for suspicious activity  Passwords are cracked and discovered  Keyword searches are done for the topic of the crime  A review of extracted s and images is done

Conclusion Computer forensics is a vital part of the computer security process. As more knowledge is obtained about how crimes are committed with the use of computers, more forensic tools can be fine tuned to gather evidence more efficiently and combat the crime wave on technology.

Reference b7MJ:homepage.cs.uri.edu/courses/fall2005/csc 492s2/readings/ComputerForensics.doc+comput er+forensics+history&hl=en&ct=clnk&cd=6&gl=u s&client=firefox-a