Computer Forensics: Data Collection, Analysis and Preservation

Kikunda Eric Kajangu, Cher Vue, and John Mottola

ITIS-3200-001

Computer Forensics defined:

The use of analytical and investigative techniques to identify, collect, examine and preserve evidence/information which is magnetically stored or encoded.

Industry companies interested in computer forensics

Guidance Software (http://www.guidancesoftware.com)
◦ They are the creators of the popular GUI-based forensic tool “EnCase”.

Digital Intelligence, Inc. (http://www.digitalintel.com/)
◦ Digital Intelligence designs and builds computer forensic software and hardware. They also offer free forensic utility software for law enforcement.

IVIZE Data Center (http://www.ivize.net)
◦ They provide several litigation support services, including Electronic Data Discovery.

Three main concepts
◦ Data collection
◦ Data analysis
◦ Data preservation

Data Collection: Research challenges

◦ Gathering data
  Ensuring the data is relevant and complete
  Obtaining volatile data
  Obtaining deleted and changed files

◦ Lack of trained professionals
  Computer forensics is a relatively new field
  Threat of system administrators corrupting data
  No standards

Data Collection: Evolution of data collection

◦ Mid 1980s
  X-Tree Gold and Norton Disk Edit
  Limited to recovering lost or deleted files

◦ 1990s
  Specialized tools began to appear
  Tools to perform network investigations

◦ 1999
  Boot to floppy and write to alternative media
  Very slow transfer rate (1 GB/hr)

◦ Current
  Many tools to choose from
  GUI and command line tools are available
  Fast and efficient

Data Analysis

The main problem when dealing with electronic data analysis is not only the size, which can easily reach a very large volume to manage, but also the number of different applications associated with those files.

Electronic Data Discovery: e-mail, Microsoft Office files, accounting databases, and other electronically stored information which could be relevant evidence in a lawsuit.

Tools to analyze electronic data in computer forensics:
◦ Needle Finder: uses a special .NET framework application in conjunction with a SQL database to process hundreds of file types and e-mails simultaneously and pinpoint pertinent, requested information for analysis.
◦ E-Discovery

Data Preservation

Data should never be analyzed using the same machine it is collected from. Forensically sound copies of all data storage devices, primarily hard drives, must be made.

There are two goals when making an image:
◦ Completeness
◦ Accuracy

This is done by using a standalone hard-drive duplicator or software imaging tools such as dcfldd or IXimager.
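The two imaging goals above can be checked mechanically. The following Python is an added example, not code from the slides or from dcfldd: it copies a source block by block while hashing it, then independently re-hashes the image so that completeness (sizes match) and accuracy (SHA-256 digests match) are recorded in an acquisition record. It assumes a regular file stands in for the source device.

```python
"""Forensic image acquisition with completeness and accuracy checks.
Added example, not from the original slides; the source path is assumed to be
a regular file standing in for a device. Mirrors what a tool such as dcfldd
does (block-wise copy plus hashing) so both imaging goals can be checked:
  completeness -> every byte of the source is in the image (sizes match)
  accuracy     -> the image is bit-for-bit identical (hashes match)
"""
import hashlib
import os

BLOCK_SIZE = 1024 * 1024  # 1 MiB read/write chunks


def hash_file(path: str) -> str:
    """Re-read a file independently, so verification does not trust the copy loop."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(source_path: str, image_path: str,
                 source_sha256: str, source_size: int) -> dict:
    """Build the acquisition record and decide whether both goals were met."""
    image_size = os.path.getsize(image_path)
    image_sha256 = hash_file(image_path)
    return {
        "source_size": source_size,
        "image_size": image_size,
        "source_sha256": source_sha256,
        "image_sha256": image_sha256,
        "complete": image_size == source_size == os.path.getsize(source_path),
        "accurate": image_sha256 == source_sha256,
    }


def acquire_image(source_path: str, image_path: str) -> dict:
    """Copy source to image block by block, hashing the source as it is read."""
    src_hash = hashlib.sha256()
    bytes_read = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(BLOCK_SIZE), b""):
            src_hash.update(block)
            dst.write(block)
            bytes_read += len(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image really reached the media
    return verify_image(source_path, image_path, src_hash.hexdigest(), bytes_read)
```

A real acquisition would read the device through a write blocker and keep the returned record with the case notes; re-running `verify_image` later shows whether the image is still identical to what was acquired.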

Research Challenges: What are the essential problems in this field?
◦ Training
◦ Operational Standards
◦ International Standardization

Training

Law enforcement personnel should be trained to handle computer evidence.

Network operators should also be trained, to improve their abilities in intrusion detection.

Lawyers should receive some training to give a basic understanding of computer evidence.

Operational Standards

Basic guidelines for the evidence collection process to be established:
◦ Planning
◦ Recording
◦ Performance
◦ Monitoring
◦ Recording
◦ Reporting

International Standardization

Different countries each have their own methods, standards, and laws.

What is acceptable evidence in one country may not be in another.

This is a serious problem when dealing with international crimes, as computer crime often is.

Conclusions and future work

Even though it is a fascinating field, due to the nature of computers, far more information is available than there is time to analyze.

The main emphasis of future work is on recovery of data.

To improve ways to:
◦ Identify the evidence
◦ Determine how to preserve the evidence
◦ Extract, process, and interpret the evidence
◦ Ensure that the evidence is acceptable in a court of law
