1. Prepared and presented by Group 5: 1. NGABOYERA Valens 2. TWAGIRAMUNGU Serge 3. KAYIRANGA Augustin 4. BAYINGANA Aimable 5. SAMVURA Jean de Dieu 6. RUKUNDO Benjamin 7. NKURANGA John Titus 8. SHEMA Eugene

3. Definitions 1. Computer forensics as the application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computing device and who was responsible for it. 2. Computer forensics is the collection, preservation, analysis and presentation of computer-related evidence. In summary, it helps determine the WHO, WHAT, WHERE, and WHEN related to a computer-based crime or violation.

4. Procedures used in forensic investigation Forensic investigators typically follow a standard set of procedures: After physically isolating the device in question to make sure it cannot be accidentally contaminated, investigators make a digital copy of the device's storage media. Once the original media has been copied, it is locked in a safe or other secure facility to maintain its pristine condition. All investigation is done on the digital copy.

5. Computer incidences involving forensic investigation Evidence can be sought in a wide range of computer incidents, including but not limited to:  Theft of Company Secrets (client, customer or employee lists)  Employee Sabotage or Terrorism  Credit Card Fraud  Financial Crimes  Embezzlement (money or information)  Economic Crimes  Harassment (sexual)  Child Pornography  Major Crimes  Identity Theft (short or long-term plans)

6. Legal cases where electronic evidence is required  Prove that something happened. You might find evidence in an e-mail indicating sexual harassment; in financial files indicating fraud or IRS violations; or in file transfers indicating theft of intellectual property, for example.  Prove that someone did not do something. Image files of child exploitation on a person's office PC might have been downloaded by someone else because the PC had no password or firewall protection.  Figure out what the facts prove or demonstrate. You might discover private e-mail messages, texting, financial accounts, or other online activities that demonstrate contract or patent violations, hidden assets, infidelity, theft of intellectual property, misuse of company networks, or illegal activities

8. They hide themselves behind widely known vulnerabilities One common practice that attackers employ to evade detection is to break into poorly secured computers and use those hijacked systems as proxies through which they can launch and route attacks worldwide. Although such attacks are an international problem, there is no international response, which frustrates local law enforcement seeking cooperation from countries where these proxy servers typically reside. The hardest problem in finding the source of these attacks is attribution. Each data packet sent over the Internet contains information about its source and its destination. The source field can be changed [spoofed] by an attacker to make it seem like it's coming from someplace it's not.

9. They delete logs Careful intruders attempt to hide or remove evidence of an intrusion by deleting logs, altering date stamps, and installing their own utilities to subvert the operating system. Programs like hacker defender (hxdef.czweb.org) alter the kernel and return false information to system calls, rendering useless most tools that incident responders have traditionally used to examine a live system for signs of compromise

10. They work around firewall restrictions using time-activated backdoors Locating the intruders is also becoming more challenging. Sophisticated intruders hide their locations and work around firewall restrictions using time-activated backdoors that periodically “phone home,” initiating a connection from inside the victim network to a remote host that the intruder controls. Some of these backdoors create a tunnel through firewalls that the intruder can use to communicate with compromised hosts, even establishing a Windows Terminal Service session when this protocol is blocked by a firewall.

12. When a crime involving electronics is suspected, a computer forensics investigator takes each of the following steps to reach a successful conclusion. Therefore, once an e-government website is broken by hackers, these steps will be followed to do digital investigation: 1. Obtain authorization to search and seize. 2. Secure the area, which may be a crime scene. 3. Document the chain of custody of every item that was seized. 4. Bag, tag, and safely transport the equipment and e- evidence. 5. Acquire the e-evidence from the equipment by using forensically sound methods and tools to create a forensic image of the e-evidence.

13. Cont’d 6. Design your review strategy of the e-evidence, including lists of keywords and search terms. 7. Examine and analyze forensic images of the e- evidence (never the original!) according to your strategy. 8. Interpret and draw inferences based on facts gathered from the e-evidence. 9. Describe your analysis and findings in an easy-to- understand and clearly written report. 10. Give testimony under oath in a deposition or courtroom.

15. Model forensics policy specifications that countries in Africa should put in place: 1. All access to DBs must be monitored. 2. Access logs and Administration logs to DBs should be preserved on regular basis 3. Access and activity to Web server should be monitored 4. Web server logs should be preserved on a regular basis 5. Firewall and Snort logs should be preserved on a regular basis 6. Router logs should be preserved for 6 months 7. Network should be tested regularly for congestion situation by overloading it until it begins to drop traffic 8. Network capacity should be increased before traffic hits the level where packets will be dropped

16. Important mechanisms to adopt for the success of the forensics policy : 1. Identify digital assets that have big value. 2. Perform a risk assessment for potential loss and threat to those assets 3. Remove assets that do not warrant the effort of prosecution 4. Identify associated data needed for these assets along with collection and storage needs 5. Write the forensic policy in terms of digital assets, forensic events, data collection and storage. 6. Ensure adequate forensics policy enforcement is in place