computer forensics
Background of Computer forensics:
What is most worth to remember is that computer forensic is only one more from many forensic subdivisions. It’s not new, it’s not revolution.. Computer forensics use the same scientific methods like others forensics subdivisions. So computer forensics is not revolution in forensic science! It’s simple evolution of crime techniques and ideas.

Forensic origins:

Forensic roots from a Latin word, “forensic” which generally means forum or discussion. In the reign of the Romans, any criminal who has been charged with a crime is presented before an assembly of public folks. Both of the complainant and the defendant are to present their sides through their own speeches. The one who was able to explain his side with fervent delivery and argumentation typically won the case.
It is important to realize that computer forensics is only one subdivision of forensic science. It is digital, it includes most advanced computer science but still it is only branch of forensic science, an its main goal is submission of the proven claims of scientific methods and strategies to recover any significant digital traces.

Computer Forensic Timeline:

1970s • First crimes cases involving computers, mainly financial fraud
1980’s
• Financial investigators and courts realize that in some cases all the records and evidences were only on computers. • Norton Utilities, “Un-erase” tool created • Association of Certified Fraud Examiners began to seek training in what became computer forensics • SEARCH High Tech Crimes training created • Regular classes began to be taught to Federal agents in California and at FLETC in Georgia • HTCIA formed in Southern California
1984
• FBI Magnetic Media Program created. Later it become Computer Analysis and Response Team (CART)

1987 • Access Data – Cyber Forensic Company formed
1988
• Creation of IACIS, the International Association of Computer Investigative Specialists • First Seized Computer Evidence Recovery Specialists (SCERS) classes held
1993
• First International Conference on Computer Evidence held
1995
• International Organization on Computer Evidence (IOCE) formed
1997
• The G8 countries in Moscow declared that “Law enforcement personnel must be trained and equipped to address high-tech crimes”.

1998 • In March G8 appointed IICE to create international principles, guidelines and procedures relating to digital evidence
1998
• INTERPOL Forensic Science Symposium
1999
• FBI CART case load exceeds 2000 cases, examining 17 terabytes of data
2000
• First FBI Regional Computer Forensic Laboratory established
2003
• FBI CART case load exceeds 6500 cases, examining 782 terabytes of data
.

Technical definition of Computer forensics:
Computer forensics (sometimes known as computer forensic science) is a branch of digital forensic science pertaining to legal evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the information.
Although it is most often associated with the investigation of a wide variety of computer crime, computer forensics may also be used in civil proceedings. The discipline involves similar techniques and principles to data recovery, but with additional guidelines and practices designed to create a legal audit trail.
Evidence from computer forensics investigations is usually subjected to the same guidelines and practices of other digital evidence. It has been used in a number of high profile cases and is becoming widely accepted as reliable within US and European court systems.

Why Computer Forensics?

Computer Forensic Techniques help provide a methodological and systematic approach to gathering information on computer systems and networks, which could be cryptic and hidden and which would otherwise be extremely hard to get through normal routine access to computer resources.

Normally a computer system or network on which forensic science techniques are to be applied hides the data or garbles the data through encryption, steganography or other technical methods. The process of first analyzing the system, gathering important data fragments which are prevalent over the system and interpreting it with the use of certain mechanisms and tools, is the process which is called computer forensics. Let us see what are the techniques used in computer forensics:

Computer forensics Technical versions & description:
|Name |Platform |License |Version |Description |
|SANS Investigative Forensics|Ubuntu | |2.1 |Multi-purpose forensic operating system |
|Toolkit - SIFT | | | | |
|WindowsSCOPE |Windows |commercial |1.0 |Memory forensics and live analysis, cyber security; |
| | | | |includes hardware based capture. |
|EnCase |Windows |commercial |6.18 |Multi-purpose forensic tool |
|FTK |Windows |commercial |3.2 |Multi-purpose tool, commonly used to index acquired |
| | | | |media. |
|Digital Forensics Framework |Windows / Linux / |GPL |1.1 |DFF is both a digital investigation tool and a |
| |MacOS | | |development platform |
|PTK Forensics |LAMP |free/commercial |2.0 |GUI for The Sleuth Kit |
|The Coroner's Toolkit |Unix-like |IBM Public License |1.19 |A suite of programs for Unix analysis |
|COFEE |Windows |Proprietary |n/a |A suite of tools for Windows developed by Microsoft, |
| | | | |only available to law enforcement |
|The Sleuth Kit |Unix-like/Windows |IPL, CPL, GPL |3.1.1 |A library of tools for both Unix and Windows |
|Categoriser 4 Pictures |Windows |Free |4.0.2 |Image categorisation tool develop, available to law |
| | | | |enforcement |
|Paraben P2 Commander |Windows |Commercial |n/a |General purpose forensic tool |
|Open Computer Forensics |Linux |LGPL/GPL |2.3.0 |Computer forensics framework for CF-Lab environment |
|Architecture | | | | |
|Safe Back |N/a |commercial |3.0 |Digital media (evidence) acquisition and backup |
|Windows To Go |n/a |commercial |n/a |Bootable operating system |
|Forensic Assistant |Windows |commercial |1.2 |User activity analyzer(E-mail, IM, Docs, Browsers), |
| | | | |plus set of forensics tools |
|Peer Lab |Windows |commercial |1.13 |File Sharing and "Instant Messaging"-analyzer |
|OS Forensics |Windows |free/commercial |0.99f |General purpose forensic tool for E-mail, Files, |
| | | | |Images & browsers. |
|X-Way Forensics |Windows |commercial |16.1 |General purpose forensic tool based on WinHex hex |
| | | | |editor. |
|bulk extractor |Windows, Linux |Public Domain |1.1 |Stream-based forensic feature extraction of e-mail |
| | | | |addresses, phone numbers, urls and other identified |
| | | | |objects. |

Application of computer forensics:

Computer forensics is a field of study concerned with the digital extraction and analysis of latent information. While a relatively new science, computer forensics has gained a reputation for being able to uncover evidence that would not have been recoverable otherwise, such as emails, text messages and document access. The application of computer forensics is given below.

Criminal cases:

Computer forensics is popularly applied in criminal cases. Computer forensics analysis may provide evidence that a crime has been committed, whether that crime involved computers directly or not. Evidence may be in the form of a document, an email, an instant message, a chat room or a photograph. This is seen frequently in narcotics cases, stalking, sexual harassment, sexual exploitation, extortion, kidnapping and even murder cases.

Domestic cases:

Computer forensics also frequently plays a role in domestic cases and is generally centered on proof of infidelity. Examples include recovered emails, chat room transcripts, instant messaging and photographs.

Security incidents:

The Center for Computer Forensics reports that 92% of all business documents and records are stored digitally and that although hackers are commonly seen as a threat to security, in reality greater risks are found within a company. Examples include theft of intellectual property (such as customer lists, new designs, company financials or trade secrets) and embezzlement. The fact is that if a person is alone with a computer for less than five minutes, it is enough time to copy a hard drive on a removable storage device.

Internal

There are many applications of computer forensics that exist within companies to monitor computer usage. While what is being monitored may not be illegal itself, it is tracked because doing so is "illegal" within the confines of the company. For example, many companies have "acceptable use policies," meaning policies prohibiting personal use of the computers. Common examples of acceptable use violations include online shopping, Internet surfing, online gambling, personal emails and instant messaging or chats.

Marketing purposes:

Computer forensics is also applicable in marketing. Examples of this can be seen on Amazon.com when recommendations are provided or “Just for you” from the iTunes Store. When a person visits a website, a memory of that website is placed in the computer's memory. Each site has different meta-tags embedded in it; meta-tags are one or two word descriptions of the site content. The advertisements that person experiences are tailored to the meta-tags of the sites visited, similar to a target demographic.
Basic Computer Forensic Techniques:

The Basic computer forensic techniques can be divided into two parts

Computer Networks:

For computer networks, the following are the forensic techniques that are most commonly used - • Packet Sniffing:
Sniffing, in normal language means sensing something and here too it has the same meaning. Data flows through the network lines just like oxygen through air, pulling out critical data packets from these networks is called packet sniffing.. • IP Address Tracing
Internet Protocol Address Tracing means to trace an IP address right down to its real address. IP Address tracing involves reverse address look up, which means, counting the number of servers that lie between source and destination. • Email Address Tracing
Sometimes it becomes important to know where an email came from. This can be achieved by analyzing email headers. Email headers consist of source machine IP address which could be used for an IP Trace.

For Computer Systems

• File Structure
For a physical computer system, the file structure is analyzed and a look out is done for suspicious files which are scattered in every nook and corner of the system. Some of these files may be encrypted, garbled or hashed with some algorithms. Such files are then processed and decrypted for gathering digital evidence.

• Storage Media

Storage media might be in the form of physical or removable disks. These disks might have been erased (formatted) and it can become almost impossible to recover data from it. However, with the help of advanced utilities and data recovery tools this is possible. Every time data is recovered, it is not necessary that it would be in proper form, so it is seen that whatever data fragments are gathered, are put up together to form formidable digital evidence material.

• Steganography
Steganography is the art of hiding information in images, sounds or any other file format than the routine format. A piece of data or information hidden into a image or sound file is extremely difficult to catch and this can lead to waste propagation of the material through internet or other media. Stag-Analysis and decryption techniques are applied to get the data back to its original form.

• Prints
Prints are print outs which are taken from a computer printer device. Most of the computer forensic experts forget to concentrate on these print outs. These print outs are taken such that at first glance they are not visible to the naked eye. They would either be too microscopic or would be garbled or again crypt for deception. So while evaluation and gathering of digital evidence analyzing print out becomes a very important aspect and should not be neglected or handled carelessly.

Tools of the Trade:

Some of the most common tools of the trade use in Computer Forensics are: • Hex Editors • Dissemblers • Disk Analyzers • Descriptors • Packet Sniffers • DNS Tools
Computer Forensic Science is a field which is gaining heavy momentum across the world due to rise in cyber crimes and will continue to rise at a tremendous pace in the coming decade.

Future Prospects of Computer Forensics:
1: Hardware -The size of storage media & memory and the speed of processors.
We can expect that in upcoming years, computers will come standard with 5TB or more of storage and that portable media like flash drives will carry something like 250GB of data - what the average hard drive was holding one or two years ago. After some years, computers will probably be 7 or 8 times faster. So these things will hold lots and lots more data and people will fill them up with lots & lots more data. Therefore, each computer forensics job will require sorting through and analyzing many times more data than today.
2: Computer Forensic Tools - The capabilities, automated nature and cost of computer forensic tools.
We can expect that in upcoming years, computer forensic tools will be about 5 times as fast, and twice as sophisticated. That means that even with all the additional data, the average, non-automated job will take about the same effort as it does now.
However, a lot of automated tools for collection and initial processing are starting to be released. These tools can be used by less-trained people, so it may be that data collection and preliminary processing will be faster due to automation.
We expect that the cost of computer forensic tools will not go down in relative terms. However, more Open Source forensic tools will be available for free for those willing to learn to use them.
3: Bad guys - Anti-forensics tools & schemes, sophistication of hackers
There's always a race between how harmful software and cyber-marauders can be and the defenses against them. There is also software constantly being developed to stump investigation by erasing or scrambling traces of wrongdoing. This trend will continue to accelerate and there will continue to be an uneasy balance between the two sides, with lots of collateral damage. In most cases, people will continue to forget to hide or cover all of their tracks and there will still usually be evidence to find.

BUSINESS VALUE OF COMPUTER FORENSICS:

Over recent years, computers have penetrated almost every area of business and personal life. Its resources for organizations are available 24 hours a day and enable electronic business activities between clients, other organizations or state administration during which important data is exchanged. A negative consequence for such development in technology and society is the increasing number of mobile devices, portable and desktop computers and servers from which information may leak, or which may even be used for criminal activities - whether done by malicious employees of the organization or other malicious individuals. Thus it is important that all those who manage or administer information systems and networks be familiar with the protocols foreseen in case of security incidents together with the principles of computer forensics.

Here we explain the requirements for the implementation of computer forensics in a business environment in an efficient and legal way.

Keywords: security incidents, computer safety, data collection and analysis, security policies, legal framework

1. Security incidents

The protection of vital IT resources requires not only the implementation of cautionary measures and security policies aimed at their protection but also the possibility of a quick and efficient reaction, should such security incidents occur. However, it is not easy to respond to security incidents. The appropriate answer to the security incident requires technical knowledge as well as communication and coordination between the staff responsible for intervention. Within organizations, often the system and network administrators are the first to face such an incident and are also the first responders, so it is essential that they know the basic areas of computer forensics and the procedures they have to take care of during interventions on the compromised computer system or network.

Adequately to incidents, it is necessary to be able to recognize them. In the following text there is a list and explanation of security incidents for which the correct response is to use computer forensics methods.

• Attack by malicious programs

Malicious programs are called viruses, Trojan horses, worms and scripts by which malicious users obtain permission from the organization computers or computer networks, to obtain possession of authorized users‟ passwords or to change log files for the purpose of hiding unauthorized activity. Malicious programs that are programmed to hide their presence create great problems as their presence on the computer is very hard to discover. Besides this, malicious programs such as viruses or worms have the possibility of multiplying in great numbers, so stopping their spreading is quite a challenging job to be undertaken.

• Unauthorized access:

Unauthorized access includes a set of security incidents, starting from irregular user log-in within the system itself. In the case when a malicious user logs into the system with the username and password of an organization employee, to the unauthorized access of a malicious user to files and directories situated on local or network disks using higher (or administrator) authorizations. Example: the passwords of authorized users which are transferred through the network, and use them for further malicious activities.

• Malicious use of the service:

Entering into possession of information within the organization can be achieved by abusing the server and programs that provide the service using the security failures within them. Examples of this are the abuse of web or FTP server services – by taking over control, the malicious user can enter inappropriate content and use the server for their further distribution.

• Inappropriate usage of information resources:

It can be said that the inappropriate usage of information resources is using the information resource for purposes not determined by security policies, such as using the official computer for saving inappropriate (e.g. pirate) software.

• Spying:

Confidential information of organizations and state administration bodies can be of great value to other organizations and governments, so intrusion into information systems for the purpose of spying and stealing information is a serious security incident.

• Hoaxes:

Hoaxes refer to the spreading of false information regarding the presence of security errors in programs. Users are misled by false information and alerted to particular false threats and on occasion are also asked to delete important programs on the computer they are working on, thus causing damage.

2. Organizational policies, security and computer forensics:

Implementing adequate tools and security policies and enabling computer forensics when necessary, helps organizations to create integrity and sustainability of their infrastructure. It is important that each organization consider computer forensics as a new basic element in the so-called „defense in-depth “strategy to insure the computers and network infrastructure of the organization. Shows the international framework of organizational structures that enables a more rapid undertaking of investigations in the case of security incidents and a higher quality of electronic evidence. During these procedures, employees are exposed to multiple authorities and must, as well as laws respect all organizational and security policies established on the basis of the mission and targets of the organization, and which, in turn, they must reconcile with the legal regulations.

The wider definition of the aim of computer security is to ensure that the system functions as defined by the security policies. The purpose of computer forensics is to discover and explain how a particular security policy has been breached. Policies in the implementation of computer systems security and forensics:

There is a specific overlap between the data that is necessary for computer systems security and that which can be used for computer forensics. Many security measures, if implemented completely, facilitate computer forensics: Event logs, computer systems access logs, error logs, traces of attempts to access computers, etc. are just some of these. Countermeasures for unauthorized access to the computer, such as smart cards for access to the computer itself, security policies for the complexity of passwords or a limited number of unsuccessful logins, together with the policy of registering the unsuccessful login, leave traces for further analysis.

Nevertheless, in practice, only minimal measures of recording are used, because of the influence they could have on the system performances. Files with event logs have configured fixed sizes in order to avoid filling up the disk space, whilst the logic of recording within them is such that the old values are overwritten with the new ones and data needed for forensics investigation is lost. Numerous security countermeasures are based on cleaning the computer system of data which is unnecessary for normal operation, such as deleting the history of web pages which have been viewed, in addition to temporary files. Procedures for accelerating system performance can also delete forensic data. One of these procedures is disk defragmentation, by which data on the disk is reorganized and disk content is overwritten in spaces where incompletely deleted files may be situated. Antivirus programs, when performing automatic virus cleaning, may also effect data, so it is important that all automatic activities are recorded in files with event logs and when viruses are found, that they are not deleted, but put, e.g. „into quarantine‟.

Managing security risks and estimating security threats are generally effective in protecting the computer system. However, as the majority of organizations are focused on prevention and system performance rather than on enabling procedures of computer forensics, it is more than obvious that due to this, data collected in the case of security incidents will be either incomplete or there will be no collected data.

Therefore, it is necessary to determine policies within the organization by which the system will work optimally and all security policies needed for the implementation of computer forensic procedures in cases of security incidents will be implemented.

3. Important legal frameworks necessary for computer forensics:

Nowadays people are more and more conscious of protecting their privacy. However, the protection of

Applicable law and regulations

Organizational policy

Computer security policy

Computer security enforcement

Users

Organizational mission and objectives

Company operations

Privacy and resolving security incidents or computer crimes are two almost conflicting activities. Legal implementation agencies have to have access to as much of the data as possible stored in an electronic form, such as for Internet banking, a list of telephone calls, electronic mail, internet connections, etc. whilst citizens are concerned about the abuse of their private data and privacy. So, one part of the law takes care of the protection of privacy and private data, whilst the other part of legislation consists of laws punishing the computer criminal and determining punishments for those who provoke security incidents.

• Private data and privacy protection laws

There is a Private data and privacy protection law that “regulates the protection of private data of physical persons as well as the supervision of collecting, processing and using this personal data” But, what is not defined is a privacy protection law which would determine which personal information may be collected. It is very possible that the aforementioned law may not have any influence on data collecting during computer forensics procedures when this computer forensics procedure is being carried out on the basis of a court order, but may influence organization security policies, particularly when this refers to recording users‟ activities which would thus acquire a level of privacy.

Limitations of Computer Forensics:
The major limitations of the computer forensics are given below: 1. To maintain the secrecy of the data or Information:
It is the duty of the computer forensics expert to maintain the high standards and the keep in mind the sensitivity of the case and maintain the privacy and secrecy of the data or the information of the client’s interests. But in some circumstances it becomes almost impossible for the computer forensics professional to maintain the secrecy of the data or the information. This may happen if the information is necessary to prove the crime and should be produced as the evidence in the court of law in order to prove the crime.

2. Sensitive data or information can lost in order to find the evidence:
There are other disadvantages as well regarding the computer forensics. It is also possible that some sensitive data or information that is important to the client may be lost in order to find the evidence. The forensics professional must maintain the concern that the data information or the possible evidence is not destroyed, damaged, or even otherwise be compromised by the procedures that are utilized for the purpose of investigating a computer system.

3. Physically damage of computer hardware or software attack by virus:
There are also the chances of introduction of some malicious programs in the computer system that may corrupt the data at a later stage of time. During the analysis process care should be taken that no possible computer virus is released or introduced in the computer system. IT is also possible that the hardware of the computer system is damaged physically.
The evidence that is physically extracted and the relevant evidence should be properly handled as well as protected from later damage that may either mechanical or electromagnetic in nature. The integrity of the data and the information that is acquired should be preserved. The custody of the data that is acquired as the evidence is the responsibility of the computer forensics team. 4. Effects in business operations:
During the time case is solved; it may be required that the data or the information is stored in the court. In some cases it is also possible that the data is in dispute and neither of the disputing parties can use the data. Due to this reason the business operations may also be affected. The duty of the computer forensics expert is to ensure that justice is delivered as fast as possible so that the inconvenience and the subsequent loss to the organization can be avoided.
It is also important the information that is acquired during the forensic exploration is ethically and legally respected. More over despite some of the limitations of the Computer Forensics the subject is still perceived. Also the advantages and the benefits of the subject have wide applications in various situations. Measures should be taken and the care of the professional employed for the computer forensics is a must to avoid any subsequent damage to the computer system.

Conclusion:

Computer forensics has been present for some time as a computer discipline but lately it has become more specialized and an accepted technique for providing a response to security incidents. Evidence collected in this way is also valid in court.

Computer forensic procedures are well known and defined and should be adhered to when responding to security incidents. It is particularly important to collect data from the compromised computer with as little intervention as possible, but is also necessary to take care regarding the verification of collected data – even more importantly if they are to be presented in court. The quality of collected data will also depend on the implementation of organizational and security policies of an organization as well as computer security measures. While some of these measures are helpful, others are against the rules of computer forensics, so it is necessary to find the most favorable midpoint between computer security measures, system performances and protecting data important for computer forensics.

In order to punish malicious users discovered by computer forensics measures, a legal regulation has to exist. Croatia has foreseen in its Criminal law punishment for all those who provoke security incidents and, on the basis of these laws, compensation for committed damages can be applied for.

Although more care is being taken with computer security, undoubtedly computer forensics will be increasingly necessary, as every day faster development of new technologies and a growing number of networked organizations increase the risk of computers, information and information systems being abused.

References:
Michael G. Noblett; Mark M. Pollitt, Lawrence A. Presley (October 2000). "Recovering and examining computer forensic evidence". http://bartholomewmorgan.com/resources/RecoveringComputerEvidence.doc. Retrieved 26 July 2010. A Yasinsac; RF Erbacher, DG Marks, MM Pollitt (2003). "Computer forensics education". IEEE Security & Privacy. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.1.9510&rep=rep1&type=pdf. Retrieved 26 July 2010.
Warren G. Kruse; Jay G. Heiser (2002). Computer forensics: incident response essentials. Addison-Wesley. pp. 392. ISBN 0201707195. http://books.google.com/books?id=nNpQAAAAMAAJ. Retrieved 6 December 2010.
Casey, Eoghan (2004). Digital Evidence and Computer Crime, Second Edition. Elsevier. ISBN 0-12-163104-4. http://books.google.com/?id=Xo8GMt_AbQsC&dq=Digital%20Evidence%20and%20Computer%20Crime,%20Second%20Edition.
Various (2009). Eoghan Casey. ed. Handbook of Digital Forensics and Investigation. Academic Press. pp. 567. ISBN 0123742676. http://books.google.co.uk/books?id=xNjsDprqtUYC. Retrieved 27 August 2010.
Garfinkel, S. (August 2006). "Forensic Feature Extraction and Cross-Drive Analysis". http://www.simson.net/clips/academic/2006.DFRWS.pdf.
"EXP-SA: Prediction and Detection of Network Membership through Automated Hard Drive Analysis". http://www.nsf.gov/awardsearch/showAward.do?AwardNumber=0730389.
Maarten Van Horenbeeck (24). "Technology Crime Investigation". http://www.daemon.be/maarten/forensics.html. Retrieved 18 August 2010. Aaron Phillip; David Cowen, Chris Davis (2009). Hacking Exposed: Computer Forensics. McGraw Hill Professional. pp. 544. ISBN 0071626778. http://books.google.co.uk/books?id=yMdNrgSBUq0C. Retrieved 27 August 2010.
J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten (2008-02-21). Lest We Remember: Cold Boot Attacks on Encryption Keys. Princeton University. http://citp.princeton.edu/memory/. Retrieved 2009-11-20.