Understanding Computer Forensics
Computer forensics refers to a set of methodological procedures and techniques that help
identify, gather, preserve, extract, interpret, document, and present evidence from computing
equipment, such that any discovered evidence is acceptable during a legal and/or administrative
proceeding.
Objectives of Computer Forensics
1. Identify, gather, and preserve the evidence of a cybercrime.
2. Estimate the potential impact of malicious activity on the victim and assess the intent
of the perpetrator.
3. Minimize tangible and intangible losses to the organization.
4. Protect the organization from similar incidents in the future.
5. Gather evidence of cybercrimes in a forensically sound manner.
6. Support the prosecution of the perpetrator of an incident.
Need for Computer Forensics
1. To ensure the overall integrity and continued existence of IT systems and network
infrastructure within the organizations.
2. To extract, process, and interpret the factual evidence such that it proves the attacker's
actions in court.
3. To efficiently track down perpetrators from different parts of the world.
4. To protect the organization's financial resources and valuable time.
When Do You Use Computer Forensics?
1. Prepare for incidents by securing and strengthening defense mechanisms.
2. Identify actions needed for incident response.
3. Act against copyright and intellectual property theft/misuse.
4. Estimate and minimize damage to resources in a corporate setup.
5. Set security parameters and formulate norms for forensic readiness.
Types of Cybercrimes
Cybercrime: Any illegal act involving computing devices, networks, systems, or applications.
Categories:
1. Internal/Insider Attacks: Performed by individuals with authorized access (e.g.,
employees, partners).
2. External Attacks: Executed by external attackers exploiting security loopholes or using
social engineering techniques.
Examples of Cybercrimes:
1. Espionage
2. Phishing/Spoofing
3. Intellectual Property Theft
4. Privilege Escalation Attacks
5. SQL Injection
6. Cyberterrorism
7. Data Manipulation
8. Denial of Service (DoS)
9. Trojan Horse Attacks
10. Cyber Defamation
11. Brute-Force Attacks
12. Cyberwarfare
Impact of Cybercrimes at the Organizational Level
1. Loss of confidentiality, integrity, and availability of information stored in organizational
systems.
2. Theft of sensitive data.
3. Sudden disruption of business activities.
4. Loss of customer and stakeholder trust.
5. Substantial reputational damage.
6. Huge financial losses.
7. Penalties arising from the failure to comply with regulations.
Roles of Digital Evidence
Examples of cases where digital evidence may assist the forensic investigator in the
prosecution or defense of a suspect:
1. Identity theft
2. Malicious attacks on the computer systems themselves
3. Information leakage
4. Unauthorized transmission of information
5. Theft of commercial secrets
6. Use/abuse of the Internet
7. Production of false documents and accounts
8. Unauthorized encryption/password protection of documents
9. Abuse of systems
10. Email communication between suspects/conspirators
Sources of Potential Evidence
User-Created Files
1. Address books
2. Database files
3. Media (images, graphics, audio, video, etc.) files
4. Documents (text, spreadsheet, presentation, etc.) files
5. Internet bookmarks, favorites, etc.
User-Protected Files
1. Compressed files
2. Misnamed files
3. Encrypted files
4. Password-protected files
5. Hidden files
6. Steganography
Computer-Created Files
1. Backup files
2. Log files
3. Configuration files
4. Printer spool files
5. Cookies
6. Swap files
7. System files
8. History files
9. Temporary files
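The "misnamed files" entry above is where a practitioner usually starts a triage pass: a suspect who renames a JPEG to .txt or a .docx to .jpg defeats an extension-based search but not a file-signature check, because the leading bytes (the "magic number") still identify the real format. The following is an added example written for this page, not code from any forensic product; the signature table covers a handful of common formats, and the sample files are constructed in a temporary directory so the scan runs offline.

```python
"""Detect misnamed files by comparing each file's leading bytes (its
signature, or "magic number") against what its extension claims.

Added example for this page; not code from any forensic product.
Sample files are constructed in a temporary directory so it runs offline.
"""
import os
import tempfile

# Well-known file signatures (magic bytes) and the extensions they belong to.
# Longer / more specific signatures are listed first.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", {"png"}),
    (b"\xff\xd8\xff", {"jpg", "jpeg"}),
    (b"GIF87a", {"gif"}),
    (b"GIF89a", {"gif"}),
    (b"%PDF-", {"pdf"}),
    (b"PK\x03\x04", {"zip", "docx", "xlsx", "pptx", "jar"}),  # ZIP container formats
    (b"MZ", {"exe", "dll"}),                                   # Windows PE
]


def identify(header: bytes):
    """Return the set of extensions matching the header, or None if unknown."""
    for magic, exts in SIGNATURES:
        if header.startswith(magic):
            return exts
    return None


def check_file(path: str):
    """Classify one file as 'match', 'misnamed', or 'unknown'.

    Returns (verdict, claimed_extension, extensions_implied_by_signature)."""
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    with open(path, "rb") as fh:
        header = fh.read(16)  # longest signature in the table is 8 bytes
    exts = identify(header)
    if exts is None:
        return ("unknown", ext, None)
    if ext in exts:
        return ("match", ext, sorted(exts))
    return ("misnamed", ext, sorted(exts))


def scan(directory: str):
    """Walk a directory tree; return {relative_path: (verdict, claimed_ext, real_exts)}."""
    results = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            results[os.path.relpath(full, directory)] = check_file(full)
    return results


def find_misnamed(directory: str):
    """Sorted relative paths whose signature contradicts their extension."""
    return sorted(p for p, (verdict, _, _) in scan(directory).items()
                  if verdict == "misnamed")


def build_sample_tree():
    """Constructed test data: an honest PNG, a JPEG disguised as .txt,
    a ZIP-based document renamed to .jpg, and an unrecognised blob."""
    d = tempfile.mkdtemp(prefix="misnamed_")
    samples = {
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "notes.txt": b"\xff\xd8\xff\xe0" + b"\x00" * 32,   # really a JPEG
        "holiday.jpg": b"PK\x03\x04" + b"\x00" * 32,        # really a ZIP (e.g. .docx)
        "data.bin": b"\x00\x01\x02\x03" * 8,                # no known signature
    }
    for name, content in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(content)
    return d


if __name__ == "__main__":
    tree = build_sample_tree()
    for path, (verdict, claimed, real) in sorted(scan(tree).items()):
        print(f"{path:12s} {verdict:9s} claimed={claimed or '-'} signature={real}")
```

Files classified as "unknown" are not cleared: they may simply use a format outside the table, or they may be encrypted or steganographic containers (the next two entries in the same list), which is exactly why an unknown verdict should be queued for deeper examination rather than skipped.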
Rules of Evidence
Digital evidence collection must be governed by five basic rules that make it admissible in a
court of law:
1. Understandable: Evidence must be clear and understandable to the judge or jury, not only to a technical specialist.
2. Admissible: Evidence must be relevant to the fact being proved and must have been obtained in a manner the court will accept.
3. Authentic: Evidence must be genuine and demonstrably related to the incident under investigation.
4. Reliable: There must be no doubt about the authenticity or veracity of the evidence, including how it was collected and handled.
5. Complete: The evidence must be sufficient to prove the attacker's actions, or the accused's innocence, rather than a selected fragment.
Best Evidence Rule
1. It states that, to prove the contents of a document, photograph, or recording, the court generally requires the original rather than a copy.
2. However, a duplicate can be accepted as evidence, provided the court finds the party's reasons for submitting the duplicate to be genuine and no real question is raised about the authenticity of the original.
The principle underlying the best evidence rule is that the original is considered the best evidence. In digital forensics the original is normally a seized device that cannot be examined without risk of alteration, so a bit-for-bit image whose hash matches the original is the usual way to meet this rule: the image is the duplicate, and the matching hash is the evidence that it accurately reproduces the original.
Scientific Working Group on Digital Evidence (SWGDE)
Principle 1
• In order to ensure that the digital evidence is collected, preserved, examined, or
transferred in a manner safeguarding the accuracy and reliability of the evidence, law
enforcement and forensic organizations must establish and maintain an effective quality
system.
Standards and Criteria 1.1
• All agencies that seize and/or examine digital evidence must maintain an appropriate
SOP document.
• All elements of an agency's policies and procedures concerning digital evidence must be
clearly set forth in this SOP document, which must be issued under the agency's
management authority.
Standards and Criteria 1.2
• Agency management must review the SOPs on an annual basis to ensure their
continued suitability and effectiveness.
Standards and Criteria 1.3
• Procedures used must be generally accepted in the field or supported by data gathered
and recorded in a scientific manner.
Standards and Criteria 1.4
• The agency must maintain written copies of appropriate technical procedures.
Standards and Criteria 1.5
• The agency must use hardware and software that are appropriate and effective for the
seizure or examination procedure.
Standards and Criteria 1.6
• All activity relating to the seizure, storage, examination, or transfer of the digital evidence
must be recorded in writing and be available for review and testimony.
Standards and Criteria 1.7
• Any action that has the potential to alter, damage, or destroy any aspect of the original
evidence must be performed by qualified persons in a forensically sound manner.
The Association of Chief Police Officers (ACPO) Principles of Digital
Evidence
Principle 1
• No action taken by law enforcement agencies or their agents should change data
held on a computer or storage media which may subsequently be relied upon in
court.
Principle 2
• In exceptional circumstances, where a person finds it necessary to access
original data held on a computer or storage media, that person must be
competent to do so and must be able to explain, in court, the actions taken and
the impact of those actions on the evidence.
Principle 3
• An audit trail or other record of all processes applied to computer-based
electronic evidence should be created and preserved. An independent third
party should be able to examine those processes and achieve the same result.
Principle 4
• The person in charge of the investigation (the case officer) has overall
responsibility for ensuring that the law and these principles are adhered to.
Forensic Readiness
• Forensic readiness refers to an organization's ability to make the maximum use of
digital evidence when an incident occurs, within a limited period of time and with
minimal investigation cost.
Benefits:
• Fast and efficient investigation with minimal disruption to the business.
• Acts as a deterrent against cybercrimes such as intellectual property theft, fraud, or
extortion, because evidence of such acts is more likely to be captured and usable.
• Offers structured storage of evidence that reduces the cost and time of an
investigation.
• Improves law enforcement interface.
• Helps the organization use the digital evidence in its own defense.
Forensic Readiness and Business Continuity
• Forensic readiness helps maintain business continuity: because evidence sources are
known in advance, the impacted components can be identified, preserved, and then
replaced or restored quickly so that services and business operations continue.
Forensic readiness allows businesses to:
• Quickly detect incidents and determine their scope.
• Collect legally sound evidence and analyze it to identify attackers.
• Minimize the required resources.
• Quickly recover from damage with less downtime.
• Gather evidence to claim insurance.
• Legally prosecute the perpetrators and claim damages.
Lack of forensic readiness may result in:
• Loss of clients due to damage to the organization’s reputation.
• System downtime.
• Data manipulation, deletion, and theft.
• Inability to collect legally sound evidence.
Forensics Readiness Planning
• Forensic readiness planning refers to a set of processes to be followed to achieve and
maintain forensic readiness.
Steps in Forensic Readiness Planning:
1. Identify the potential evidence required for an incident.
2. Determine the sources of evidence.
3. Define a policy that determines the pathway to legally extract electronic evidence with
minimal disruption.
4. Establish a policy to handle and store the acquired evidence in a secure manner.
5. Define the criteria that determine whether an incident requires a full, formal investigation.
6. Create a process for documenting the procedure.
7. Establish a legal advisory board to guide the investigation process.
8. Keep an incident response team ready to review the incident and preserve the
evidence.
Need for a Forensic Investigator
Cybercrime Investigation
• Forensic investigators, by virtue of their skills and experience, help organizations and
law enforcement agencies investigate and prosecute the perpetrators of cybercrimes.
Sound Evidence Handling
• If a technically inexperienced person examines the evidence, it might become
inadmissible in a court of law.
Incident Handling and Response
• Forensic investigators help organizations maintain forensic readiness and implement
effective incident handling and response.
Roles and Responsibilities of a Forensics Investigator
A forensic investigator performs the following tasks:
• Determines the extent of any damage done during the crime.
• Recovers data of investigative value from computing devices involved in crimes.
• Creates a forensic image of the original evidence without altering it, and verifies the
image against the original (for example by cryptographic hash) to maintain its integrity.
• Guides the officials carrying out the investigation.
• Analyzes the evidence data found.
• Prepares the analysis report.
• Updates the organization about various attack methods and data recovery techniques,
and maintains a record of them.
• Testifies in a court of law as a witness, explaining the findings, the methods used to
obtain them, and their limitations.
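The imaging task listed above is where ACPO Principles 1 and 3 and SWGDE Standard 1.6 become concrete: the original must not change, every action must be recorded, and an independent examiner must be able to repeat the process and get the same result. The following is an added example written for this page, not code from any forensic tool or agency. It images a "device" (a constructed file standing in for a block device; on real evidence a hardware write blocker is assumed to be in place), hashes the source while reading it, hashes the finished image independently, and records every step in an audit trail whose entries are chained by hash so a later edit or deletion of a record is detectable.

```python
"""Acquire a bit-for-bit image of a source device, verify it by hash, and keep
an audit trail of every step, as the ACPO principles and SWGDE 1.6 require.

Added example for this page; not code from any forensic tool or agency.
The "device" is a constructed file standing in for a block device opened
read-only; a hardware write blocker is assumed on real evidence.
"""
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1 << 20  # read 1 MiB at a time so large devices do not exhaust memory


class AuditTrail:
    """Append-only JSON-lines log. Each entry carries the SHA-256 of the
    previous line, so altering or removing any earlier record breaks the chain."""

    def __init__(self, path: str):
        self.path = path
        self.prev = "0" * 64  # genesis value for the first entry

    def record(self, action: str, **details) -> str:
        entry = {"time": time.time(), "action": action, "prev": self.prev, **details}
        line = json.dumps(entry, sort_keys=True)
        self.prev = hashlib.sha256(line.encode()).hexdigest()
        with open(self.path, "a") as fh:
            fh.write(line + "\n")
        return self.prev

    @staticmethod
    def verify(path: str) -> bool:
        """Re-walk the chain; False if any entry was altered or removed."""
        prev = "0" * 64
        with open(path) as fh:
            for line in fh:
                line = line.rstrip("\n")
                if json.loads(line)["prev"] != prev:
                    return False
                prev = hashlib.sha256(line.encode()).hexdigest()
        return True


def sha256_of(path: str) -> str:
    """Streaming SHA-256 of a file, independent of how it was written."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(device: str, image: str, trail: AuditTrail) -> dict:
    """Copy device -> image, hashing the source as it is read, then hash the
    finished image separately. Only a match proves the copy is faithful."""
    trail.record("acquire_start", source=device, image=image)
    h = hashlib.sha256()
    with open(device, "rb") as src, open(image, "wb") as dst:  # source opened read-only
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    source_hash = h.hexdigest()
    image_hash = sha256_of(image)
    verified = source_hash == image_hash
    trail.record("acquire_done", source_sha256=source_hash,
                 image_sha256=image_hash, verified=verified)
    return {"source_sha256": source_hash, "image_sha256": image_hash, "verified": verified}


def reverify(image: str, expected_sha256: str, trail: AuditTrail) -> bool:
    """What an independent examiner does later (ACPO Principle 3):
    recompute the hash and compare it with the recorded value."""
    ok = sha256_of(image) == expected_sha256
    trail.record("reverify", image=image, expected=expected_sha256, ok=ok)
    return ok


def demo() -> dict:
    """Run the whole procedure on a constructed 3 MiB device."""
    work = tempfile.mkdtemp(prefix="acq_")
    device = os.path.join(work, "device.raw")
    with open(device, "wb") as fh:
        fh.write(bytes(range(256)) * (3 * 4096))  # constructed "device" contents
    image = os.path.join(work, "device.dd")
    trail = AuditTrail(os.path.join(work, "audit.jsonl"))
    result = acquire(device, image, trail)
    result["reverified"] = reverify(image, result["source_sha256"], trail)
    result["trail_intact"] = AuditTrail.verify(trail.path)
    result.update(workdir=work, image=image, trail_path=trail.path)
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points matter in practice. The image is hashed by reading it back from disk rather than by reusing the hash computed during the copy, so a write error or a short write would show up as a mismatch. And the audit trail records the verdict of each step together with the hashes, so a reviewer can tie the written record (SWGDE 1.6) to the artefacts themselves; in a real case the trail would also capture who performed each step and the identifiers of the write blocker and media.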
What Makes a Good Computer Forensics Investigator?
• Interviewing skills to gather extensive information about the case from the client or
victim, witnesses, and suspects.
• Excellent writing skills to detail findings in the report.
• Strong analytical skills to find the evidence and link it to the suspect.
• Excellent communication skills to explain their findings to the audience.
• Remains updated about new methodologies and forensic technology.
• Well-versed in more than one computer platform (including Windows, Macintosh, and
Linux).
• Knowledge of various technologies, hardware, and software.
• Develops and maintains contact with computing, networking, and investigating
professionals.
• Has knowledge of the laws relevant to the case.
Computer Forensics and Legal Compliance
• Legal compliance in computer forensics ensures that any evidence that is collected and
analyzed is admissible in a court of law.
• Compliance with certain regulations and standards plays an important part in computer
forensic investigation and analysis, some of which are as follows:
1. Gramm-Leach-Bliley Act (GLBA)
2. Federal Information Security Modernization Act of 2014 (FISMA)
3. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
4. General Data Protection Regulation (GDPR)