CF Nptel

The document provides an overview of computer forensics, detailing its evolution, definition, stages, types, benefits, and objectives. It emphasizes the importance of digital evidence in criminal investigations and outlines the processes involved in cybercrime investigation. Additionally, it discusses the role of forensic investigators and the concept of forensic readiness within organizations to effectively manage digital evidence.
UNIT-1

INTRODUCTION TO COMPUTER FORENSICS

Digital forensics, the art of recovering and analyzing the contents found on digital devices such as desktops, notebooks/netbooks, tablets, smartphones, etc., was little-known a few years ago. However, with the growing incidence of cybercrime and the increased adoption of digital devices, this branch of forensics has gained significant importance in the recent past, augmenting what was conventionally limited to the recovery and analysis of biological and chemical evidence during criminal investigations.

EVOLUTION OF COMPUTER FORENSICS:

The timeline of computer forensics could be summarized as:

Table 1: Computer Forensics Timeline

Year  Event
1835  Scotland Yard's Henry Goddard became the first person to use physical analysis to connect a bullet to the murder weapon.
1836  James Marsh developed a chemical test to detect arsenic, which was used during a murder trial.
1892  Sir Francis Galton established the first system for classifying fingerprints.
1896  Sir Edward Henry developed a fingerprint classification system based on the direction, flow, pattern and other characteristics in fingerprints.
1920  American physician Calvin Goddard created the comparison microscope to help determine which bullets came from which shell casings.
1930  Karl Landsteiner won the Nobel Prize for classifying human blood into its various groups.
1970  Aerospace Corporation in California developed a method for detecting gunshot residue using scanning electron microscopes.
1984  The FBI Magnetic Media program, later renamed the Computer Analysis and Response Team (CART), was created; it is believed to be the beginning of computer forensics.
1988  International Association of Computer Investigative Specialists (IACIS) was formed.
1995  International Organization on Computer Evidence (IOCE) was formed.
1997  G8 nations declared that “Law enforcement personnel must be trained and equipped to address high-tech crimes”.
1998  G8 appointed IICE to create international principles, guidelines and procedures relating to digital evidence.
1998  1st INTERPOL Forensic Science Symposium was held.
2000  First FBI Regional Computer Forensic Laboratory established.

DEFINITION OF COMPUTER FORENSICS:

“Computer forensics is the practice of collecting, analysing and reporting on digital data in a way that is legally admissible”. It can be used in the detection and prevention of crime and in any dispute where evidence is stored digitally. It is the use of specialized techniques for recovery, authentication and analysis of electronic data when a case involves issues relating to reconstruction of computer usage, examination of residual data, and authentication of data by technical analysis or explanation of technical features of data and computer usage.

It uses specialized techniques for recovery, authentication, and analysis of computer data, typically of data which may have been deleted or destroyed.

STAGES OF COMPUTER FORENSICS PROCESS:

The overall computer forensics process is sometimes viewed as comprising four stages:

• Acquire: Identifying and Preserving
• Analyse: Technical Analysis
• Evaluate: What the Lawyers Do
• Present: Present digital evidence in a manner that is legally acceptable in any legal proceedings.


TYPES:

1. Disk Forensics: It deals with extracting raw data from the primary or secondary storage of the device by searching active, modified, or deleted files.

2. Network Forensics: It is a sub-branch of Computer Forensics that involves monitoring and analysing the computer network traffic.

3. Database Forensics: It deals with the study and examination of databases and their related metadata.

4. Malware Forensics: It deals with the identification of suspicious code and studying viruses, worms, etc.

5. Email Forensics: It deals with emails and their recovery and analysis, including deleted emails, calendars, and contacts.

6. Memory Forensics: Deals with collecting data from system memory (system registers, cache, RAM) in raw form and then analysing it for further investigation.

7. Mobile Phone Forensics: It mainly deals with the examination and analysis of phones and smartphones and helps to retrieve contacts, call logs, incoming and outgoing SMS, etc., and other data present in them.
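As an added example (not from the course notes), the following Python script shows the core of the disk-forensics idea above: recovering a deleted file by carving, that is, scanning the raw storage bytes for known file signatures instead of trusting file-system metadata that may already be gone. The disk image is constructed inline; the file bodies are placeholders, not valid PNG or JPEG data, though the magic numbers are the real ones.

```python
import re

# Real magic numbers for two common file types: (header, footer).
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}


def carve(image: bytes, max_size: int = 10_000_000):
    """Scan raw bytes for header/footer pairs and return (type, offset, data)
    tuples sorted by offset. Because this ignores file-system metadata it can
    recover a file whose directory entry was deleted but whose clusters have
    not yet been overwritten. max_size stops a header with no matching footer
    from swallowing the rest of the image."""
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            end = image.find(footer, start + len(header))
            if end == -1 or end - start > max_size:
                pos = start + 1          # no usable footer; keep scanning
                continue
            end += len(footer)
            found.append((ftype, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda item: item[1])


def build_sample_image() -> bytes:
    """Constructed stand-in for a raw disk image: two minimal file bodies
    surrounded by zeroed and unallocated space. Not a real PNG/JPEG."""
    png = SIGNATURES["png"][0] + b"IHDR-chunk-placeholder" + SIGNATURES["png"][1]
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-body" + SIGNATURES["jpg"][1]
    zeros = b"\x00" * 64
    return zeros + png + zeros + b"unallocated text" + jpg + zeros


if __name__ == "__main__":
    for ftype, offset, data in carve(build_sample_image()):
        print(f"{ftype} at offset {offset}, {len(data)} bytes")
```

Real carvers work the same way but with many more signatures, sector-aligned scanning and format-aware length parsing; the point to take from this version is that the recovered offsets are what an examiner records, since the image, not a copied-out file, is the evidence.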


BENEFITS OF COMPUTER FORENSICS:

1. Acquiring Evidence:

Many cases remain unresolved because of a lack of evidence. Computer forensics helps investigators get hold of important and personal information that can reveal a great deal about the criminal. Many criminals make the mistake of saving data on their PCs or laptops, where it is easily tracked. Even where protective protocols are used, a digital forensic expert can work through such barriers to collect information.

2. Recovering Lost Evidence:

Lost evidence is another reason why computer forensics is so important. This lost data can put someone in jail or save an innocent person. A good digital forensic expert looks into the device and analyses it thoroughly to recover all lost information.

3. Virus Prevention:

In case of hacks or scams, a forensic expert can look into the system to find vulnerabilities. This is the best option to secure the network by identifying all weak channels. Many forensic experts work for big organizations that use clients’ personal information.

4. Offers a High Level of Protection:

Once you’re aware of the problem, you can find a solution for it. Computer forensics can identify all important loopholes so that you can create strategies for ultimate protection.


USES OF COMPUTER FORENSICS:

Commercial organizations have used computer forensics to their benefit in a variety of cases such as:

• Intellectual property theft
• Industrial espionage
• Employment disputes
• Fraud investigations
• Forgeries
• Bankruptcy investigations
• Inappropriate email and internet use in the workplace
• Regulatory compliance

OBJECTIVES OF COMPUTER FORENSICS:

The objectives of computer forensics are to provide guidelines for:

• Following the first responder procedure and accessing the victim’s computer after an incident.
• Designing procedures at a suspected crime scene to ensure that the digital evidence obtained is not corrupted.
• Data acquisition and duplication.
• Recovering deleted files and deleted partitions from digital media to extract the evidence and validate it.
• Analysing digital media to preserve evidence, analysing logs and deriving conclusions, investigating network traffic and logs to correlate events, investigating wireless and web attacks, tracking emails and investigating email crimes.
• Producing a computer forensic report that gives a complete account of the computer forensic investigation process.
• Preserving the evidence by following the chain of custody.
• Employing the rigorous procedures necessary to have forensic results stand up to scrutiny in a court of law.
• Presenting digital forensics results in a court of law as an expert witness.

CYBER CRIME

Computer crime, or cybercrime, is any crime that involves a computer and a network. The computer may have been used in the commission of a crime, or it may be the target.

"Offences that are committed against individuals or groups of individuals with a criminal motive to intentionally harm the reputation of the victim or cause physical or mental harm, or loss, to the victim directly or indirectly, using modern telecommunication networks such as Internet (Chat rooms, emails, notice boards and groups) and mobile phones (SMS/MMS)".

Such crimes may threaten a nation’s security and financial health. Issues surrounding these types of crimes have become high-profile, particularly those surrounding hacking, copyright infringement, child pornography, and child grooming. There are also problems of privacy when confidential information is intercepted or disclosed, lawfully or otherwise. Internationally, both governmental and non-state actors engage in cybercrimes, including espionage, financial theft, and other cross-border crimes. Activity crossing international borders and involving the interests of at least one nation state is sometimes referred to as cyberwarfare.

Digital forensics is traditionally associated with criminal investigations and, as you would expect, most types of investigation center on some form of computer crime. This sort of crime can take two forms:

1. computer-based crime.
2. computer facilitated crime.

1. Computer-based crime:

This is criminal activity that is conducted purely on computers, for example cyber-bullying or spam. As well as crimes newly defined by the computing age it also includes traditional crime conducted purely on computers (for example, child pornography).

2. Computer facilitated crime:

Crime conducted in the "real world" but facilitated by the use of computers. A classic example of this sort of crime is fraud: computers are commonly used to communicate with other fraudsters, to record/plan activities or to create fraudulent documents.

CYBER CRIME INVESTIGATION:

Cybercrime investigation is important because activities such as hacking, fraud, and identity theft may have very dangerous consequences for individuals, businesses, and national security. Effective investigation helps identify and deter cybercriminals, protecting digital assets and sustaining online safety.

What is Cybercrime Investigation?

Investigating computer crimes is about finding and stopping bad activities that happen on computers and digital devices. It involves using special tools and methods to examine crimes like hacking, phishing, malware, data breaches, and identity theft. The people who do this job are called computer crime investigators. They carefully look for evidence that law enforcement can use to catch the people doing these wrong things.

Top 5 cybercrimes:

There are many bad things people can do online. Here are the top 5 cybercrimes that companies and people need to know about.

1. Phishing and Scams: Some people with malicious intent send counterfeit messages or emails to mislead you into giving them your private information or downloading malware onto your computer.

2. Stealing Someone's Identity: Criminals use somebody else’s details, such as credit card numbers and photos, without permission to undertake illegal activities.

3. Ransomware Attacks: Malicious software locks the files and data on a computer, and the criminals demand money before they will unlock them.

4. Hacking and Misusing Computer Networks: This occurs when someone gains unauthorized access to private computers or networks and tampers with them or steals data.

5. Internet Fraud: All the wrong things that people do while on the internet, including sending spam and stealing from banks, among other unlawful actions, fall under it.

Types of Cyber Criminals

There are different kinds of bad people who do cybercrime. Here are five types of them.

1. Hackers: These persons are computer experts who gain unauthorized access to systems to steal information or cause damage. While some hack for money, others do it to practise their ability or out of conviction.

2. Insiders: These could either be actual staff or non-full-time workers who gain more rights on a company’s network than required, and use these illicitly to steal data, vandalize things, and perpetrate other illegal acts.

3. Crime Groups: This refers to gangs that engage in cybercrimes for financial gain and can be very adept at hiding.

4. Government-Sponsored: Attacking one nation’s computing infrastructure as a way to obtain secret data, hamper its operations, or get an upper hand is currently being done by several states.

5. Cyberterrorists: These individuals or groups initiate such attacks via the internet for reasons of political backlash towards society. Often there are political motivations behind the actions of many such people.

Cybercrime Investigation Tools

Investigators use special tools and programs to collect, save, and study digital evidence when looking into cybercrimes. These tools help identify the bad people, track what they did, and gather proof to build a case against them.

1. Digital Forensics Software: These programs recover deleted files, look at data details, and check network logs. Common ones are EnCase, FTK, and Autopsy.

2. Network Monitoring Tools: These watch network traffic, spot suspicious activities, and track data movement. Examples of network monitoring tools are Wireshark, tcpdump, and Netscout.

3. Malware Analysis Tools: These study and take apart bad software to understand how it works and where it came from. Tools like IDA Pro, OllyDbg, and Binary Ninja are used for malware analysis.

4. Password Cracking Tools: These recover passwords from locked files, databases, or other digital evidence. Tools like Cain and Abel, John the Ripper, and Hashcat are used for this type of password recovery.

5. Social Media Tracking Tools: These tools follow what suspects do on social media and collect evidence from those sites. Tools like Hootsuite, Followerwonk, and Mention are used.

DIGITAL EVIDENCE:

Digital evidence refers to stored, transmitted, or collected information that is used as proof before the court of justice. The information is stored, transmitted, or collected in digital media like computers, mobiles, and other electronic devices. The digital evidence may be in numerous forms including messages, pictures, videos, and other digital forms. There is no need for handwritten notes or fingerprint tests during an investigation with regard to digital evidence. The digital evidence is always stored in electronic form, not in traditional paper documents.

Digital evidence is defined as information and data of value to an investigation that is stored on, received or transmitted by an electronic device. This evidence can be acquired when electronic devices are seized and secured for examination. Digital evidence:

• Is latent (hidden), like fingerprints or DNA evidence
• Crosses jurisdictional borders quickly and easily
• Can be altered, damaged or destroyed with little effort
• Can be time sensitive

ROLE OF FORENSICS INVESTIGATOR

Following are some of the important duties of a forensic investigator:

• Confirm or dispel whether a resource/network is compromised.
• Determine the extent of damage due to intrusion.
• Answer the questions: Who, What, When, Where, How and Why.
• Gather data in a forensically sound manner.
• Handle and analyse evidence.
• Prepare the report.
• Present admissible evidence in court.

FORENSICS READINESS

Forensic readiness is the ability of an organization to maximize its potential to use digital evidence whilst minimizing the costs of an investigation. In a business context there is the opportunity to actively collect potential evidence in the form of logfiles, emails, back-up disks, portable computers, network traffic records, and telephone records, amongst others. This evidence may be collected in advance of a crime or dispute, and may be used to the benefit of the collecting organization if it becomes involved in a formal dispute or legal process.

Some of the important goals of forensics readiness are:

• To gather admissible evidence legally and without interfering with business processes;
• To gather evidence targeting the potential crimes and disputes that may adversely impact an organisation;
• To allow an investigation to proceed at a cost in proportion to the incident;
• To minimise interruption to the business from any investigation; and
• To ensure that evidence makes a positive impact on the outcome of any legal action.

Forensic readiness can offer an organization the following benefits:

• Evidence can be gathered to act in an organisation's defence if subject to a lawsuit;
• Comprehensive evidence gathering can be used as a deterrent to the insider threat (throwing away potential evidence is simply helping to cover the tracks of a cyber-criminal);
• In the event of a major incident, an efficient and rapid investigation can be conducted and actions taken with minimal disruption to the business;
• A systematic approach to evidence storage can significantly reduce the costs and time of an internal investigation;
• A structured approach to evidence storage can reduce the costs of any court-ordered disclosure or regulatory or legal need to disclose data (e.g. in response to a request under data protection legislation);
• Forensic readiness can extend the scope of information security to the wider threat from cyber crime, such as intellectual property protection, fraud, extortion etc;
• It demonstrates due diligence and good corporate governance of the company's information assets;
• It can demonstrate that regulatory requirements have been met;
• It can improve and facilitate the interface to law enforcement if involved;
• It can improve the prospects for a successful legal action;
• It can provide evidence to resolve a commercial dispute; and
• It can support employee sanctions based on digital evidence (for example to prove violation of an acceptable use policy).

The following ten steps describe the key activities in forensic readiness planning:

1. Define the business scenarios that require digital evidence;
2. Identify available sources and different types of potential evidence;
3. Determine the evidence collection requirement;
4. Establish a capability for securely gathering legally admissible evidence to meet the requirement;
5. Establish a policy for secure storage and handling of potential evidence;
6. Ensure monitoring is targeted to detect and deter major incidents;
7. Specify circumstances when escalation to a full formal investigation (which may use the digital evidence) should be launched;
8. Train staff in incident awareness, so that all those involved understand their role in the digital evidence process and the legal sensitivities of evidence;
9. Document an evidence-based case describing the incident and its impact; and
10. Ensure legal review to facilitate action in response to the incident.

A brief description of each of the ten steps follows.

1. Define the business scenarios that require digital evidence: The first step in forensic readiness is to define the purpose of an evidence collection capability. The rationale is to look at the risk and potential impact on the business from the various types of crimes and disputes. What is the threat to the business and what parts are vulnerable? This is, in effect, a risk assessment, and is performed at the business level. The aim is to understand the business scenarios where digital evidence may be required and may benefit the organisation in the event that it is required. In general the areas where digital evidence can be applied include:

• reducing the impact from computer-related crime;
• dealing effectively with court orders to release data;
• demonstrating compliance with regulatory or legal constraints;
• producing evidence to support company disciplinary issues;
• supporting contractual and commercial agreements; and
• proving the impact of a crime or dispute.

In assessing these scenarios, this step provides an indication of the likely benefits of being able to use digital evidence. If the identified risks, and the potential benefits of forensic readiness, suggest a good return on investment is achievable, then an organization needs to consider what evidence to gather for the various risk scenarios.

2. Identify available sources and different types of potential evidence: The second step in forensic readiness is for an organisation to know what sources of potential evidence are present on, or could be generated by, their systems and to determine what currently happens to the potential evidence data. Computer logs can originate from many sources. The purpose of this step is to scope what evidence may be available from across the range of systems and applications in use. Some basic questions need to be asked about possible evidence sources, including:

• Where is data generated?
• What format is it in?
• How long is it stored for?
• How is it currently controlled, secured and managed?
• Who has access to the data?
• How much is produced?
• Is it archived? If so, where and for how long?
• How much is reviewed?
• What additional evidence sources could be enabled?
• Who is responsible for this data?
• Who is the formal owner of the data?
• How could it be made available to an investigation?
• What business processes does it relate to?
• Does it contain personal information?

Email is an obvious example of a potentially rich source of evidence that needs careful consideration in terms of storage, archiving, auditing and retrieval. But this is not the only means of communication used over the internet: there is also instant messaging, web-based email that bypasses corporate email servers, chat-rooms and newsgroups, even voice over the internet. Each of these may need preserving and archiving.

The range of possible evidence sources includes:

• equipment such as routers, firewalls, servers, clients, portables, embedded devices etc;
• application software such as accounting packages etc for evidence of fraud, ERP packages for employee records and activities (e.g. in case of identity theft), system and management files etc;
• monitoring software such as intrusion detection software, packet sniffers, keyboard loggers, content checkers, etc;
• general logs such as access logs, printer logs, web traffic, internal network logs, internet traffic, database transactions, commercial transactions etc;
• other sources such as CCTV, door access records, phone logs, PABX data etc; and
• back-ups and archives.
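To make the point about email as an evidence source concrete (and the "tracking emails" objective from earlier in the unit), here is an added Python example, not from the original notes, that reconstructs the route a message took from its Received headers and checks two things an examiner looks at first: whether the relay chain is continuous (a header the sender wrote themselves shows up as a break) and whether the visible From: domain matches the Return-Path domain. The messages, host names and addresses are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed Received headers, listed top = most recent hop, exactly as MTAs
# prepend them. Hosts use .test/.example names and documentation IP ranges.
GENUINE_HOPS = [
    "from mx.example-corp.test (mx.example-corp.test [203.0.113.10]) "
    "by mail.example-corp.test with ESMTP id abc123; Mon, 04 Mar 2024 10:02:15 +0000",
    "from relay.example.net (relay.example.net [198.51.100.7]) "
    "by mx.example-corp.test with ESMTPS; Mon, 04 Mar 2024 10:02:10 +0000",
    "from [192.0.2.55] (unknown [192.0.2.55]) "
    "by relay.example.net with SMTP; Mon, 04 Mar 2024 10:01:58 +0000",
]
# Same delivery, but the sender pre-wrote a bogus earliest hop claiming a
# reputable origin. Only the hops above it were added by real relays.
FORGED_HOPS = GENUINE_HOPS + [
    "from mail.bank.example (mail.bank.example [203.0.113.200]) "
    "by smtp.bank.example with ESMTP; Mon, 04 Mar 2024 09:55:00 +0000",
]


def build_message(hops):
    """Assemble a minimal RFC 5322 message around the given Received headers."""
    headers = "\n".join("Received: " + h for h in hops)
    return (headers + "\nFrom: \"Accounts\" <accounts@example.net>\n"
            "Return-Path: <bounce@other.example>\nSubject: Invoice attached\n\n"
            "Please see attached.\n")


HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)


def trace_route(raw):
    """Return hops in transit order (origin first) as dicts with from/by/time."""
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(hdr)
        stamp = hdr.rsplit(";", 1)[1].strip() if ";" in hdr else ""
        hops.append({
            "from": m.group(1) if m else None,
            "by": m.group(2) if m else None,
            "time": parsedate_to_datetime(stamp) if stamp else None,
        })
    return hops


def find_anomalies(hops):
    """Each relay's 'by' host should be the next hop's 'from' host, and time
    should not run backwards; either break suggests forged or broken headers."""
    issues = []
    for i in range(len(hops) - 1):
        here, nxt = hops[i], hops[i + 1]
        if here["by"] != nxt["from"]:
            issues.append(f"hop {i}->{i + 1}: chain break ({here['by']} != {nxt['from']})")
        if here["time"] and nxt["time"] and nxt["time"] < here["time"]:
            issues.append(f"hop {i}->{i + 1}: timestamp goes backwards")
    return issues


def sender_domain_mismatch(raw):
    """True when the visible From: domain differs from the Return-Path domain."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg["From"])[1].rsplit("@", 1)[-1]
    rp_dom = parseaddr(msg["Return-Path"])[1].rsplit("@", 1)[-1]
    return from_dom.lower() != rp_dom.lower()


if __name__ == "__main__":
    for name, hops in (("genuine", GENUINE_HOPS), ("forged", FORGED_HOPS)):
        route = trace_route(build_message(hops))
        print(name, [h["from"] for h in route], find_anomalies(route))
```

Only the hops written by relays the organisation controls or trusts can be relied on; everything below the first trusted relay was under the sender's control, which is why the archived server-side copy, not the recipient's forwarded copy, is the one to examine.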

3. Determine the evidence collection requirement: It is now possible to decide which of the possible evidence sources identified in step 2 can help deal with the crimes and disputes identified in step 1 and whether further ways to gather evidence are required. This is the evidence collection requirement. The purpose of this step is to produce an evidence requirement statement so that those responsible for managing the business risk can communicate with those running and monitoring information systems through an agreed requirement for evidence. One of the key benefits of this step is the bringing together of IT with the needs of corporate security. IT audit logs have traditionally been configured by systems administrators independently of corporate policy, and where such a policy exists there is often a significant gap between organisational security objectives and the ‘bottom-up’ auditing actually implemented. The evidence collection requirement is moderated by a cost benefit analysis of how much the required evidence will cost to collect and what benefit it provides (see above). The critical question for successful forensic readiness is what can be performed cost effectively. By considering these issues in advance and choosing storage options, auditing tools, investigation tools, and appropriate procedures it is possible for an organisation to reduce the costs of future forensic investigations.

4. Establish a capability for securely gathering legally admissible evidence to meet the requirement: At this point the organisation knows the totality of evidence available and has decided which of it can be collected to address the company risks and within a planned budget. With the evidence requirement understood, the next step is to ensure that it is collected from the relevant sources and that it is preserved as an authentic record. At this stage legal advice is required to ensure that the evidence can be gathered legally and the evidence requirement can be met in the manner planned. For example, does it involve monitoring personal emails, the use of personal data, or ‘fishing trips’ on employee activities? In some countries, some or all of these activities may be illegal. Relevant laws, in the areas of data protection, privacy and human rights, will inevitably constrain what can actually be gathered. Some of the guidelines are:

• monitoring should be targeted at specific problems;
• it should only be gathered for defined purposes and nothing more; and
• staff should be told what monitoring is happening except in exceptional circumstances.

Physical security of data such as back-up files or on central log servers is important from the data protection point of view, and also for secure evidence storage. As well as preventative measures such as secure rooms and swipe card access it is also prudent to have records of who has access to the general location and who has access to the actual machines containing evidence. Any evidence or paperwork associated with a specific investigation should be given added security by, for example, storing it in a safe. Additional security of logs can also be achieved through the use of WORM storage media.

5. Establish a policy for secure storage and handling of potential evidence: The objective of this step is to secure the evidence for the longer term once it has been collected and to facilitate its retrieval if required. It concerns the long-term or off-line storage of information that might be required for evidence at a later date. A policy for secure storage and handling of potential evidence comprises security measures to ensure the authenticity of the data and also procedures to demonstrate that the evidence integrity is preserved whenever it is used, moved or combined with new evidence. In the parlance of investigators this is known as continuity of evidence (in the UK) and chain of custody (in the US). The continuity of evidence also includes records of who held, and who had access to, the evidence (for example from swipe control door logs).

A significant contribution to the legal collection of evidence is given by the code of practice on the legal admissibility and weight of information stored electronically, published by the British Standards Institution. This document originated from a perceived need for evidence collection in the paperless office. The problem it addressed is: if all paper documents are scanned, can the paper sources be thrown away without loss of evidential usability? The current edition broadens the scope to all information management systems, such as those where information is transmitted over networks (email systems, for example), rather than ad hoc opportunistic searches, without justification, for potentially incriminating activities or communication. It points out that methods of storage, hardware reliability, operation and access control, and even the programs and source code, may be investigated in order to determine admissibility. A closely related international standard is being developed as ISO 15801. The required output of this step is a secure evidence policy. It should document the security measures, the legal advice and the procedural measures used to ensure the evidence requirement is met. Upon this document rests the likely admissibility and weight of any evidence gathered.
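The Digital Evidence section notes that digital evidence can be altered with little effort, and this step asks for procedures that demonstrate integrity is preserved whenever evidence is used or moved. The added Python example below (not part of the original notes) puts the two together: it hashes an acquired image in chunks, keeps a custody log in which every entry commits to the hash of the entry before it, and shows that a retroactive edit to the log is detected on verification. The evidence identifier, handler names and image contents are constructed for the example.

```python
import datetime
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so multi-gigabyte images need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


class CustodyLog:
    """Tamper-evident custody record: each entry commits to the hash of the
    entry before it, so editing or dropping an earlier record breaks verify()."""
    GENESIS = "0" * 64

    def __init__(self, evidence_id, evidence_hash):
        self.entries = []
        self.append("acquired", "examiner-1", f"{evidence_id} sha256={evidence_hash}")

    def append(self, action, handler, note=""):
        entry = {
            "seq": len(self.entries),
            "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
            "action": action,
            "handler": handler,
            "note": note,
            "prev": self.entries[-1]["entry_hash"] if self.entries else self.GENESIS,
        }
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self):
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or self._digest(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def evidence_intact(path, expected_hash):
    """Re-hash before every use; a mismatch means the image must not be relied on."""
    return sha256_file(path) == expected_hash


def demo():
    """Constructed walk-through: acquire, hand over, analyse, then show that a
    later edit to the log is detected. Returns (before_tamper, after_tamper)."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "disk.img")
        with open(image, "wb") as f:
            f.write(b"constructed evidence image\n" * 1000)
        acquired = sha256_file(image)
        log = CustodyLog("EV-2024-001", acquired)
        log.append("transferred", "examiner-1 -> evidence-clerk", "sealed bag #12")
        log.append("analysed", "examiner-2", "read-only mount; hash re-verified")
        before = log.verify() and evidence_intact(image, acquired)
        log.entries[1]["handler"] = "nobody"     # a retroactive edit to the record
        after = log.verify()
        return before, after


if __name__ == "__main__":
    print(demo())   # (True, False)
```

In practice the log would be written to WORM media or a separate append-only store and the hash of the acquired image recorded on the physical exhibit label as well, so that the record, the media and the image can each be checked against the others.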

6. Ensure monitoring and auditing is targeted to detect and deter major incidents: In addition to gathering evidence for later use in court, evidence sources can be monitored to detect threatened incidents in a timely manner. This is directly analogous to Intrusion Detection Systems (IDS), extended beyond network attack to a wide range of behaviours that may have implications for the organisation. It is all very well collecting the evidence. This step is about making sure it can be used in the process of detection. By monitoring sources of evidence we can look for the triggers that mean something suspicious may be happening. The critical question in this step is when should an organisation be suspicious? A suspicious event has to be related to business risk and not couched in technical terms. Thus the onus is on managers to explain to those monitoring the data what they want to prevent and thus the sort of behaviour that IDS might be used to detect, for example. This should be captured in a ‘suspicion’ policy that helps the various monitoring and auditing staff understand what triggers should provoke suspicion, who to report the suspicion to, whether heightened monitoring is required, and whether any additional security measures should be taken as a precaution. Each type of monitoring should produce a proportion of false positives. The sensitivity of triggers can be varied as long as the overall false positive rate does not become so high that suspicious events cannot be properly reviewed. Varying triggers also guards against the risk from someone who knows what the threshold on a particular event is and makes sure any events or transactions he wishes to hide are beneath it.
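An added Python example (not from the original notes) of what this step describes: a trigger defined over an evidence source (failed logins per account), a way to measure the false positives that a more sensitive trigger introduces, and a jittered threshold so that someone who knows the nominal value cannot reliably keep their activity just beneath it. The log lines, account names and addresses are constructed.

```python
import random
import re
from collections import Counter

# Constructed authentication log: one user mistyping a password (a likely
# false positive at low thresholds), one account under a sustained guessing
# attempt, and one kept deliberately just below a round-number threshold.
LOG_LINES = (
    [
        "2024-03-04T10:00:01 FAIL user=alice src=10.0.0.5",
        "2024-03-04T10:00:05 FAIL user=alice src=10.0.0.5",
        "2024-03-04T10:00:09 FAIL user=alice src=10.0.0.5",
        "2024-03-04T10:00:14 OK user=alice src=10.0.0.5",
    ]
    + [f"2024-03-04T10:01:{i:02d} FAIL user=svc-backup src=203.0.113.9" for i in range(12)]
    + [f"2024-03-04T10:02:{i:02d} FAIL user=bob src=203.0.113.9" for i in range(7)]
)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def failures_per_user(events):
    return Counter(e["user"] for e in events if e["result"] == "FAIL")


def flag_users(events, threshold):
    """Trigger: at least `threshold` failed logins for one account in the window."""
    return sorted(u for u, n in failures_per_user(events).items() if n >= threshold)


def jittered_threshold(base, spread, rng):
    """Draw the effective threshold from [base-spread, base+spread] each window,
    so an insider who knows the nominal value cannot stay reliably beneath it."""
    return base + rng.randint(-spread, spread)


def thresholds_for_windows(n, base, spread, seed=0):
    """Deterministic sequence of per-window thresholds (seeded for repeatability)."""
    rng = random.Random(seed)
    return [jittered_threshold(base, spread, rng) for _ in range(n)]


def evaluate(events, threshold, known_bad):
    """(true positives, false positives) against an analyst's ground truth; use
    this to tune sensitivity so the false-positive load stays reviewable."""
    flagged = set(flag_users(events, threshold))
    return len(flagged & known_bad), len(flagged - known_bad)


if __name__ == "__main__":
    events = list(parse(LOG_LINES))
    print("fixed threshold 10:", flag_users(events, 10))      # misses bob at 7
    for window, t in enumerate(thresholds_for_windows(3, 10, 3)):
        print(f"window {window}: threshold {t} ->", flag_users(events, t))
```

Which accounts count as "known bad" is exactly the business-level judgement the paragraph assigns to managers: the monitoring team can report that a threshold of 3 catches both attacks at the price of one innocent user per window, but only the suspicion policy says whether that review load is acceptable.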

7. Specify circumstances when escalation to a full formal investigation (which may use digital evidence) is required: Some suspicious events can be system generated, such as by the rule-base of an IDS, or the keywords of a content checker, and some will be triggered by human watchfulness. Each suspicious event found in step 6 needs to be reviewed. Either an event will require escalation if it is clearly serious enough, or it will require enhanced monitoring or other precautionary measures, or it is a false positive. The purpose of this step is to decide how to react to the suspicious event. The decision as to whether to escalate the situation to management will depend on any indications that a major business impact is likely or that a full investigation may be required where digital evidence may be needed. The decision criteria should be captured in an escalation policy that makes it clear when a suspicious event becomes a confirmed incident. At this point an investigation should be launched and the policy should indicate who the points of contact are (potentially available on a 24x7 basis) and who else needs to be involved. As with steps 3 and 6, the network and IT security managers and the non-IT managers need to understand each other's position. What level of certainty or level of risk is appropriate for an escalation? What strength of case is required to proceed? A preliminary business impact assessment should be made based on whether any of the following are present:

• evidence of a reportable crime;
• evidence of internal fraud, theft or other loss;
• an estimate of possible damages (a threshold may induce an escalation trigger);
• potential for embarrassment or reputation loss;
• any immediate impact on customers, partners or profitability;
• recovery plans have been enacted or are required; and
• the incident is reportable under a compliance regime.

8. Train staff, so that all those involved understand their role in the digital evidence process and the legal sensitivities of evidence: A wide range of staff may become involved in a computer security incident. The aim of this step is to ensure that appropriate training is developed to prepare staff for the various roles they may play before, during and after an incident. It is also necessary to ensure that staff are competent to perform any roles related to the handling and preservation of evidence. There will be some issues relevant to all staff if they become involved in an incident. The following groups, for example, will require more specialised awareness training:

• the investigating team;
• corporate HR department;
• corporate PR department (to manage any public information about the incident);
• 'owners' of business processes or data;
• line management, profit centre managers;
• corporate security;
• system administrators;
• IT management;
• legal advisers; and
• senior management (potentially up to board level).

At all times those involved should act according to 'need to know' principles. They should be particularly aware whether any staff, such as 'whistle blowers' and investigators, need to be protected from possible retaliation by keeping their names and their involvement confidential. Training may also be required to understand the relationships and necessary communications with external organisations that may become involved.

9. Present an evidence-based case describing the incident and its impact: The aim of an investigation is not just to find a culprit or repair any damage. An investigation has to provide answers to questions and demonstrate why those answers are credible. The questions go along the lines of who, what, why, when, where and how. Credibility is provided by evidence and a logical argument. The purpose of this step is to produce a policy that describes how an evidence-based case should be assembled. A case file may be required for a number of reasons:

• to provide a basis for interaction with legal advisers and law enforcement;
• to support a report to a regulatory body;
• to support an insurance claim;
• to justify disciplinary action;
• to provide feedback on how such an incident can be avoided in future;
• to provide a record in case of a similar event in the future (this supports the corporate memory so that even if there are changes in personnel it will still be possible to understand what has happened); and
• to provide further evidence if required in the future, for example if no action is deemed necessary at this point but further developments occur.

10. Ensure legal review to facilitate action in response to the incident: At certain points during the collating of the cyber-crime case file it will be necessary to review the case from a legal standpoint and get legal advice on any follow-up actions. Legal advisers should be able to advise on the strength of the case and suggest whether additional measures should be taken; for example, if the evidence is weak, is it necessary to catch an internal suspect red-handed by monitoring their activity and seizing their PC? Any progression to a formal action will need to be justified, cost-effective and assessed as likely to end in the company's favour. Although the actual decision of how to proceed will clearly be post-incident, considerable legal preparation is required in readiness. Legal advisers should be trained and experienced in the appropriate cyber laws and evidence admissibility issues. They need to be prepared to act on an incident, pursuant to the digital evidence that has been gathered and the case presented in step 9. Legal advice should also recognise that the legal issues may span legal jurisdictions, e.g. states in the US or member states in the EU. Advice from legal advisers will include:

• any liabilities from the incident and how they can be managed;
• finding and prosecuting/punishing culprits (internal versus external);
• legal and regulatory constraints on what action can be taken;
• reputation protection and PR issues;
• when/if to advise partners, customers and investors;
• how to deal with employees;
• resolving commercial disputes; and
• any additional measures required.

1.1 SUMMARY

1. Computer forensics is the practice of collecting, analysing and reporting on digital data in a way that is legally admissible.
2. Computer forensics requires specialized expertise that goes beyond the normal data collection and preservation techniques available to end-users or system support personnel.
3. Computer crime, or cybercrime, is any crime that involves a computer and a network.
4. Activity crossing international borders and involving the interests of at least one nation state is sometimes referred to as cyberwarfare.
5. The ancient Chinese used fingerprints to identify business documents.
6. Sir Francis Galton established the first system for classifying fingerprints.
7. The International Association of Computer Investigative Specialists (IACIS) is an international non-profit corporation composed of volunteer computer forensic professionals dedicated to training and certifying practitioners in the field of forensic computer science.
8. The first FBI Regional Computer Forensic Laboratory was established in 2000 at San Diego.
9. The survival and integrity of any given network infrastructure of any company or organization strongly depends on the application of computer forensics.
10. Forensic readiness is the ability of an organisation to maximise its potential to use digital evidence whilst minimising the costs of an investigation.
11. Monitoring should be targeted at specific problems.
12. Physical security of data, such as back-up files or data on central log servers, is important from the data protection point of view and also for secure evidence storage.
13. A policy for secure storage and handling of potential evidence comprises security measures to ensure the authenticity of the data and also procedures to demonstrate that the evidence integrity is preserved whenever it is used, moved or combined with new evidence.
14. In addition to gathering evidence for later use in court, evidence sources can be monitored to detect threatened incidents in a timely manner.
15. Some suspicious events can be system generated, such as by the rule-base of an IDS, or the keywords of a content checker, and some will be triggered by human watchfulness.
16. The decision as to whether to escalate the situation to management will depend on any indications that a major business impact is likely or that a full investigation may be required where digital evidence may be needed.
17. It is necessary to ensure that staff are competent to perform any roles related to the handling and preservation of evidence.
18. The aim of an investigation is not just to find a culprit or repair any damage. An investigation has to provide answers to questions and demonstrate why those answers are credible.
19. At certain points during the collating of the cyber-crime case file it will be necessary to review the case from a legal standpoint and get legal advice on any follow-up actions.

CHECK YOUR PROGRESS

1. Fill in the blanks

i. ________ was one of the first applications of forensics.
ii. The FBI Magnetic Media program was later renamed to ________.
iii. ________ is provided by evidence and a logical argument.
iv. At all times those involved should act according to ________ principles.
v. IACIS stands for ________.
vi. The first step in forensic readiness is to define the ________ of an evidence collection capability.
vii. It is not just the content of emails, documents and other files which may be of interest to investigators but also the ________ associated with those files.
viii. IDS stands for ________.
ix. The decision criteria should be captured in an ________ policy that makes it clear when a suspicious event becomes a confirmed incident.
x. IOCE stands for International ________.

2. State true or false

i. Cybercrime is any crime that involves a computer and a network.
ii. Computer based crime is criminal activity that is conducted purely on computers, for example cyber-bullying or spam.
iii. The goal of forensic readiness is to gather admissible evidence legally and without interfering with business processes.
iv. The FBI Magnetic Media program started in 1994.
v. IOCE aims to bring together organizations actively engaged in the field of digital and multimedia evidence to foster communication and cooperation as well as to ensure quality and consistency within the forensic community.
vi. Logs can originate from only one source in a computer.
vii. The range of possible evidence sources includes equipment such as routers, firewalls, servers, clients, portables, embedded devices etc.
viii. Email is an obvious example of a potentially rich source of evidence that needs careful consideration in terms of storage, archiving, auditing and retrieval.
ix. Staff should not be told what monitoring is happening except in exceptional circumstances.

ANSWERS TO CHECK YOUR PROGRESS

1. Fill in the blanks

i. Fingerprinting
ii. Computer Analysis and Response Team (CART)
iii. Credibility
iv. need to know
v. International Association of Computer Investigative Specialists
vi. purpose
vii. metadata
viii. Intrusion Detection Systems
ix. escalation
x. International Organization on Computer Evidence

2. State true or false

i. True
ii. True
iii. True
iv. False
v. True
vi. False
vii. True
viii. True
ix. False

1.2 MODEL QUESTIONS

1. What are the four stages of the computer forensic process?
2. What are the uses of computer forensics?
3. What are the objectives of computer forensics?
4. What is the role of a forensics investigator?
5. What is a forensic readiness plan?
6. What are the benefits of forensic readiness?
7. What are the various steps involved in forensic readiness planning?
8. What is continuity of evidence?
