
1 Computer Forensics An Intro to Computer Crime

2 Computer Forensics: BTK
- The BTK Killer (Bind, Torture, Kill): Dennis Rader. In Feb 2005 he was charged with committing 10 murders, beginning in 1974, in the Wichita, KS area.
- “Erased” information on a floppy disk sent to a local TV station was recovered and restored by forensic computer specialists and traced back to Christ Lutheran Church, where Dennis Rader was Council President. This, along with other evidence that had mounted since his last murder in 2001, served to convict him.

3 Computer Forensics
- Computer forensics involves the preservation, acquisition, extraction, analysis, and interpretation of computer data.
- Investigators frequently encounter computers and other digital devices in all types of cases.
- The most logical place to start examining these practices is with the most common source of electronic data: the personal computer.

4 Computer Forensics: Basic Parts / Key Terms
- Bit
- Byte
- CPU
- Cluster
- File slack
- HDD
- Hardware
- Message Digest 5 (MD5) / Secure Hash Algorithm (SHA)
- Motherboard
- OS
- Partition
- RAM slack
- RAM
- Sector
- Software
- Swap file
- Temporary file
- Unallocated space
- Visible data

5 Computer Forensics: The Personal Computer
- Hardware
- Software

6 Computer Forensics
- Power Supply: converts power from the wall outlet into a form usable by the computer.
- External Drive: used to read from and write to a disk.
- CD/DVD Drive: used to store everything from music and video to data files.
- Hard Disk Drive (HDD): the storage component of the personal computer.

7 Computer Forensics
- ROM: a class of storage media used in computers and other electronic devices.
- Motherboard: its basic purpose is to provide the electrical and logical connections by which the other components of the system communicate.
- Floppy Disk Drive: used to boot an operating system or to store data. By today’s standards, floppies don’t hold much data.
- Expansion Bus with Expansion Drive: lots of wires that carry data from one hardware device to another.

8 Computer Forensics
- CPU (Central Processing Unit): the main chip within the computer, known as the brain of the computer.
- RAM (Random-Access Memory): the volatile memory of the computer; when power is turned off, its contents are lost.
- Computer Case / Chassis: the physical box holding the fixed internal computer components in place.

9 Computer Forensics
- Input Device: the user side of the computer, e.g., keyboard, mouse, joystick, scanner.
- Output Device: equipment through which data is obtained from the computer, e.g., monitor.
- HDD: primary storage component in a personal computer. Stores the OS, programs, and data files created by the user.

10 Computer Forensics: The Operating System
- The operating system is a software program that allows the computer hardware to communicate and operate with the computer software. Without an operating system, a computer would be useless.

11 Computer Forensics: The Operating System
- Recognizing input from the keyboard
- Sending output to the display screen
- Keeping track of files and directories on the disk
- Controlling peripheral devices such as disk drives and printers

12 Computer Forensics
- Providing a software platform on top of which other programs, called application programs, run.
- Some examples of operating systems are Windows and Linux.

13 Computer Forensics: Types of HDD
- IDE: Integrated Drive Electronics
- SCSI: Small Computer System Interface
- SATA: Serial ATA
- HDDs are formatted or mapped and have a defined layout. They are “logically” divided into sectors, clusters, tracks and cylinders.

14 Computer Forensics
- Sectors are the smallest unit of data addressed by a hard disk drive. They generally consist of 512 bytes.
- Bytes are a group of eight bits.
- A bit takes the form of either a one or a zero; it is the smallest unit of measurement on a machine. The word bit is short for binary digit.
- Clusters are a group of sectors in multiples of two. The cluster size varies from file system to file system and is typically the minimum space allocated to a file.
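As an added example (not part of the slides), the Python below makes the sector/cluster arithmetic concrete: given a file size and the sectors-per-cluster setting, it computes how many clusters are allocated and how much RAM slack (unused tail of the last sector written) and file slack (wholly unused sectors of the last cluster) result, and shows that the slack still holds whatever an earlier file left there. The 512-byte sector comes from the slide; the cluster contents and file sizes are constructed.

```python
SECTOR_SIZE = 512  # bytes per sector, as stated on the slide


def cluster_size(sectors_per_cluster):
    """Bytes per cluster; file systems group sectors into clusters in powers of two."""
    if sectors_per_cluster < 1 or sectors_per_cluster & (sectors_per_cluster - 1):
        raise ValueError("sectors per cluster must be a power of two")
    return sectors_per_cluster * SECTOR_SIZE


def slack(file_size, sectors_per_cluster):
    """Return (clusters_allocated, ram_slack, file_slack) for a file of file_size bytes.

    A cluster is the minimum space handed to a file, so its last cluster is rarely
    full. The unused part splits into RAM slack (end of data to the end of the last
    sector written) and file slack (whole sectors of the cluster this file never
    touched). Both keep whatever bytes were there before.
    """
    csize = cluster_size(sectors_per_cluster)
    if file_size == 0:
        return 0, 0, 0                          # an empty file owns no clusters
    clusters = -(-file_size // csize)           # ceiling division
    total_slack = clusters * csize - file_size
    ram_slack = -file_size % SECTOR_SIZE        # 0 if data ends on a sector boundary
    return clusters, ram_slack, total_slack - ram_slack


def slack_bytes(last_cluster, bytes_used):
    """The latent bytes in a file's last cluster: everything after the file's own data."""
    return last_cluster[bytes_used:]


# Constructed sample: a 2048-byte cluster (4 sectors) that used to hold an older
# file and is now reused by a 300-byte file, which overwrites only its front.
OLD_TENANT = b"previous file contents " * 90
LAST_CLUSTER = (b"N" * 300 + OLD_TENANT)[:2048]

if __name__ == "__main__":
    print(slack(3000, 4))                         # (2, 72, 1024)
    print(slack_bytes(LAST_CLUSTER, 300)[:23])    # b'previous file contents '
```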

15 Computer Forensics: Other Common Storage Devices
- CD-ROM (CD-R/RW)
- USB thumb drive
- Floppy disks
- Zip disks
- Tapes
- DVD +/-R/RW

16 Computer Forensics: NIC (Network Interface Card)
- Add-on cards that plug into the motherboard
- Hard-wired devices on the motherboard
- Add-on cards for laptops (PCMCIA)
- USB plug-in cards
- Wired / Wireless (802.11 a/b/g/n)

17 Computer Forensics: How the HDD is Made Up

18 Computer Forensics
- On each disk, or platter, there are tracks; these tracks are divided into sectors.
- A group of sectors is a cluster.
- Clusters always have sectors in groups of 2.

19 Computer Forensics
- There are several platters stacked vertically, which are divided into sectors, clusters, tracks, and cylinders. Tracks are circles defined around the platter. Cylinders are groups of tracks that reside directly above and below each other.
- Each file system table tracks data in different ways.

20 Computer Forensics
- OS: provides a bridge between the system hardware and the user. It lets the user interact with the hardware and manages the file system and applications.
- Partition: a contiguous set of blocks that are defined and treated as an independent disk. After the disk is partitioned, each partition is formatted (high-level), e.g. floppy: FAT 12, Windows: FAT 32, Linux: EXT3, and Mac: HPFS.
- Each has a different way of storing data.

21 Computer Forensics
- Consider a room full of safe deposit boxes. If a person rents two boxes located at opposite ends of the room, the database tracking the locations of the boxes is much like a file system tracking the location of data within the clusters of a HDD.
- If the database managing the locations of the boxes were wiped out, the property in them would still remain; we just wouldn’t know what was where!

22 Computer Forensics: Processing the Electronic Crime Scene
- Before an investigator can begin processing the crime scene, he/she must ensure that the proper legal requirements are met:
  - Search warrant (on school property, the school has a say!)
  - Consent
- The scene must be documented in as much detail as possible. The investigator must make sure not to disturb any evidence before he/she touches the computer.

23 Computer Forensics: Crime Scene Documentation
- Sketching and photographing
  - Floor plan of the network, overall layout, close-ups of any running computer on the network.
  - All the connections to the mainframe and peripheral devices, with notation of serial numbers (photos).
- EnCase, Forensic Toolkit (FTK), and Autopsy forensic software: forensic software applications capable of imaging and assisting in the analysis of data.

24 Computer Forensics
- Forensic software comes equipped with a method to obtain forensic images and to compress the data if need be.

25 Computer Forensics
- Investigators must decide whether to:
  - Perform a live acquisition of the data
  - Perform a system shutdown (e.g. with a server)
  - “Pull the plug”
  - Use a combination of all three
- BEFORE disconnecting:
  - Label all peripherals of the computer and the port each connects to
  - Use a numbering scheme to identify peripherals if there is more than one computer

26 Computer Forensics: Forensic Image Acquisition
- Least intrusive method to obtain data without destroying evidentiary data
- Remove the HDD and place it in a laboratory forensic computer so that a “forensic image” (copy) can be created in a ‘read-only’ format
- Must be able to PROVE there were no ‘writes’ to the forensic image
- Copy the “empty areas of the drive” as well
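The two requirements on this slide, proving that nothing was written and copying the empty areas too, are what the following added Python example (not from the slides or any vendor tool) demonstrates: it images a constructed sample "drive" bit for bit, records MD5 and SHA hashes (the key terms from slide 4) at acquisition time, shows that a file-by-file copy would miss the remnant sitting in unallocated space, and shows that a single flipped bit in the image fails verification. All drive contents are constructed.

```python
import hashlib

SECTOR = 512
# Constructed sample "drive": an allocated sector holding a visible file, followed by
# an unallocated ("empty") sector that still carries the remnant of a deleted file.
VISIBLE = b"quarterly_report.doc: revenue figures for Q3 ..."
REMNANT = b"deleted_note.txt: draft minutes, since deleted ..."
SAMPLE_DRIVE = VISIBLE.ljust(SECTOR, b"\x00") + REMNANT.ljust(SECTOR, b"\x00")
VISIBLE_AREA = SECTOR  # bytes the file system currently reports as in use


def digests(data):
    """MD5 and SHA-256 of the same bytes; record both, since MD5 alone is collision-prone."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def acquire_image(source):
    """Bit-for-bit copy of the whole source, unallocated space included, plus its hashes."""
    image = bytes(source)  # the source is only read; nothing is ever written back to it
    return image, digests(image)


def logical_copy(source, in_use):
    """What a file-by-file copy captures: only the space the OS considers allocated."""
    return bytes(source[:in_use])


def verify_image(image, recorded):
    """True only if the image still matches every hash recorded at acquisition time."""
    current = digests(image)
    return all(current[name] == value for name, value in recorded.items())


if __name__ == "__main__":
    image, recorded = acquire_image(SAMPLE_DRIVE)
    print(REMNANT[:16] in image)                                      # True
    print(REMNANT[:16] in logical_copy(SAMPLE_DRIVE, VISIBLE_AREA))   # False
    print(verify_image(image, recorded))                              # True
    altered = bytearray(image)
    altered[0] ^= 0x01                                                # one flipped bit
    print(verify_image(bytes(altered), recorded))                     # False
```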

27 Computer Forensics: Analysis of Electronic Data
- Based on the skill of the computer forensic technologist.
- Most common types of evidentiary data:
  - Visible data: all data that the OS is presently aware of and thus is readily accessible to the user.
  - Data / work product files: data from any software program. In white-collar crimes: MS Word or WordPerfect, Excel, Peachtree or QuickBooks, etc. A suspect’s computer may contain valuable information in these files, such as bank account records, counterfeiting pictures, and questionable e-mails.

28 Computer Forensics
- Swap file data: a file or defined space on the HDD used to conserve RAM. Data is paged or swapped to this file or space to free up RAM for use by applications that are open.
- Temporary files: temporarily written by an application to perform a function, or a backup copy made while working on a project. Some are automatically written as a program is running without the user telling the program to ‘save’.

29 Computer Forensics
- Swap files, temporary files, and print spools (data sent to a printer) can all be used to recover data not easily accessible to the average user and usually, even the suspect.

30 Computer Forensics: Latent Data
- Areas of files and disks that are typically not apparent to the computer user, and sometimes to the OS, but contain data all the same. Examples:
  - Slack space (file and RAM)
  - Unallocated space
  - Defragmented space
  - Swap files and space
  - Deleted files

31 Computer Forensics: Deleted Files
- When files are deleted, they still remain on the hard drive. The first character of the filename is replaced with the Greek letter sigma.
- This renders the file inaccessible to the average user.
- Forensic scientists have programs that can access these files and obtain evidence.
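The sigma the slide refers to is what FAT file systems show when the byte E5h is written over the first character of a deleted directory entry's name; the entry's file size and starting cluster are left in place, which is exactly what recovery programs rely on. The Python below is an added example (not from the slides) that builds constructed FAT 8.3 directory entries, parses them, and lists the deleted ones; every filename, size and cluster number in it is made up.

```python
import struct

ENTRY_SIZE = 32      # bytes per FAT 8.3 directory entry
DELETED_MARK = 0xE5  # written over the first name byte on delete; in code page 437
                     # this byte displays as the Greek letter sigma the slide mentions

def make_entry(name, ext, size, first_cluster, deleted=False):
    """Build a constructed 32-byte FAT 8.3 directory entry (sample data, not a real disk)."""
    raw = bytearray(ENTRY_SIZE)
    raw[0:8] = name.upper().ljust(8).encode("ascii")
    raw[8:11] = ext.upper().ljust(3).encode("ascii")
    raw[11] = 0x20                                           # ATTR_ARCHIVE
    struct.pack_into("<H", raw, 20, first_cluster >> 16)     # first cluster, high word
    struct.pack_into("<H", raw, 26, first_cluster & 0xFFFF)  # first cluster, low word
    struct.pack_into("<I", raw, 28, size)                    # file size, little-endian
    if deleted:
        raw[0] = DELETED_MARK  # only the marker changes; size and start cluster remain
    return bytes(raw)

def parse_directory(table):
    """Walk a directory table and report every entry, deleted ones included."""
    entries = []
    for off in range(0, len(table) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = table[off:off + ENTRY_SIZE]
        if e[0] == 0x00:
            break                                # 00h: no entries follow
        deleted = e[0] == DELETED_MARK
        first = "?" if deleted else chr(e[0])    # the real first character is gone
        base = (first + e[1:8].decode("ascii")).rstrip()
        ext = e[8:11].decode("ascii").rstrip()
        hi = struct.unpack_from("<H", e, 20)[0]
        lo = struct.unpack_from("<H", e, 26)[0]
        entries.append({"name": base + ("." + ext if ext else ""),
                        "deleted": deleted,
                        "size": struct.unpack_from("<I", e, 28)[0],
                        "first_cluster": (hi << 16) | lo})
    return entries

def deleted_entries(table):
    """Entries the OS hides, whose size and first cluster still point at the data."""
    return [d for d in parse_directory(table) if d["deleted"]]

# Constructed directory: one live file, one deleted file, then an unused slot.
SAMPLE_DIRECTORY = (make_entry("REPORT", "DOC", 1234, 5)
                    + make_entry("LETTER", "TXT", 40, 9, deleted=True)
                    + bytes(ENTRY_SIZE))
```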

32 Computer Forensics
- The files you save on your computer are rarely ever totally gone.
- Forensic scientists can access a plethora of data from a hard drive even if it has been deleted, defragmented, or reformatted.
- This data can be used to incriminate or exonerate the suspect.

