
Computer forensics


By Jason Ford and Anthony Kniffin



  • What is Computer Forensics?

  • The need for Computer Forensics.

  • Examples of Crimes.

  • Methods Attackers use.

  • What an Investigator must know and do.

What is Computer Forensics?

  • By Definition: Computer Forensics is considered to be the use of analytical and investigative techniques to identify, collect, examine and preserve evidence/information which is magnetically stored or encoded.

  • The objective of Computer Forensics is usually to provide digital evidence of a specific or general activity.

Computer Forensics

  • Computer Forensics Experts:

    1. Identify sources of documentary or other digital evidence.

    2. Preserve the evidence.

    3. Analyze the evidence.

    4. Present the findings.

Computer Forensics

  • Many types of criminal and civil proceedings can and do make use of evidence revealed by computer forensics specialists:

    • Criminal Prosecutors use computer evidence in a variety of crimes where incriminating documents can be found: homicides, financial fraud, drug and embezzlement record-keeping, and child pornography.

    • Civil litigations can readily make use of personal and business records found on computer systems that bear on: fraud, divorce, discrimination, and harassment cases.

    • Insurance Companies may be able to mitigate costs by using discovered computer evidence of possible fraud in accident, arson, and workman's compensation cases.

    • Corporations often hire computer forensics specialists to ascertain evidence relating to: sexual harassment, embezzlement, theft or misappropriation of trade secrets and other internal/confidential information.

    • Law Enforcement Officials frequently require assistance in pre-search warrant preparations and post-seizure handling of the computer equipment.

    • Individuals sometimes hire computer forensics specialists in support of possible claims of: wrongful termination, sexual harassment, or age discrimination.

What is Digital Evidence?

  • Definition: Digital data that can establish that a crime has been committed or can provide a link between a crime and its victim or a crime and its perpetrator.

  • Categories:

    • Text files

    • Audio files

    • Video files

    • Image files

Why is Computer Forensics needed?

  • Employee internet abuse (common, but decreasing)

  • Unauthorized disclosure of corporate information and data (accidental and intentional)

  • Industrial espionage

  • Damage assessment (following an incident)

  • Criminal fraud and deception cases

  • More general criminal cases (many criminals simply store information on computers, intentionally or unwittingly)

Some Examples:

  • Former Chief Computer Program Designer Arraigned for Alleged $10 Million Computer Software Bomb:

    • Timothy Lloyd sentenced to 41 months in prison.

    • Launched a logic bomb on Omega Engineering Corp.’s network that resulted in $10 million in damages.

    • Omega lost all design and production software used by the U.S. Navy and NASA, and 80 jobs were lost.

    • The Evidence:

      • The logic bomb itself

      • Date and time the file was created

      • Username of the file creator

Another Example:

  • Hacker pleads guilty to illegally accessing the New York Times computer network

    • Adrian Lamo hacked into the New York Times and accessed over 3,000 contributors' accounts, including those of Rush Limbaugh and former President Jimmy Carter.

    • Investigators found he had also added an entry for himself, listing his phone number as 505-HACK.

    • He also created five fake accounts and ran up a $300,000 bill from the New York Times.

    • He now faces a maximum of 15 years in prison and a $500,000 fine.

Methods Attackers use

  • Some things an attacker might do to enter your system or cover his tracks:

    • Key Loggers

    • Cracking your password

    • Hide incriminating files.

    • And more…

Key Loggers

  • Key loggers can be either a program or a piece of hardware.

  • Designed to log every keystroke made by the user, including emails, usernames, and passwords.

  • Can store up to 4 MB of data and include date and time stamps.

  • If a user does not realize that a key logger is attached to his system, the attacker can get any information the user types.

Cracking Passwords

  • An attacker can use a variety of password cracking techniques:

    • Password Guessing

      • If you know a lot about the user, this could be easier than you would think.

    • Dictionary-Based Attacks

    • Brute-Force Attacks

    • Default Passwords

      • How many people have changed the BIOS password on their computer?

Hiding Files

  • If an attacker has incriminating files on his computer and wants to hide them, it can be pretty simple.

  • File Signatures:

    • A file signature is a sequence of bytes located within the first 20 bytes of a file.

    • Each file has a signature corresponding to what type of file it is.

    • If you are hiding a picture file, change the file's signature to that of a text file.

Methods the Computer Forensic Analyst could use

  • Again, Key Loggers

  • Methods of finding hidden files.

  • Tracking attackers through Email

  • Preserving Evidence

Key Loggers

  • Key Loggers can also be used to help find attackers

  • Corporations use them to help keep track of what their employees are typing on their computers

  • They can also use them as a monitoring device for detecting unauthorized access.

  • A computer forensic analyst can use these logs as evidence if the attacker used a machine with a logger on it.

Finding hidden files

  • To find a file that has been hidden by the attacker changing its signature, an investigator might run a Perl script that compares each file's signature with a list of known-good signatures.

  • If the attacker changed the file's name and extension to hide it but forgot to change the signature to match the new extension, the script will find the file and flag that something is not right about it.
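The check described in the Hiding Files slide above and in this slide, as an added example that is not part of the original presentation (written in Python rather than the Perl the slide mentions). The signature table, file names and file contents are all constructed; the check flags any file whose leading bytes carry a known signature that disagrees with its extension.

```python
import os

# Constructed signature table: the leading bytes ("magic numbers") of a few
# common types. All of these sit inside the first 20 bytes, as the slide says.
SIGNATURES = {
    "jpg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
    "zip": [b"PK\x03\x04"],
}
ALIASES = {"jpeg": "jpg"}  # alternative spellings of the same extension

def detect_type(header: bytes):
    """Return the type whose signature matches the leading bytes, else None."""
    for ftype, magics in SIGNATURES.items():
        if any(header.startswith(m) for m in magics):
            return ftype
    return None

def check_file(name: str, header: bytes):
    """Compare the extension a file claims with what its signature says.
    Returns (name, claimed_ext, detected_type, mismatch). A .txt with no known
    signature is normal; a .txt carrying JPEG magic is the hidden-picture case."""
    claimed = os.path.splitext(name)[1].lstrip(".").lower()
    claimed = ALIASES.get(claimed, claimed)
    detected = detect_type(header[:20])
    mismatch = detected is not None and detected != claimed
    return name, claimed, detected, mismatch

def find_suspicious(files):
    """files maps filename -> leading bytes; returns the names whose signature
    disagrees with their extension, in the order given."""
    return [name for name, head in files.items() if check_file(name, head)[3]]

# Constructed sample "disk image": real signatures, made-up content.
SAMPLE_FILES = {
    "report.txt": b"Quarterly numbers attached.\n",
    "notes.txt": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 8,  # JPEG as .txt
    "holiday.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    "invoice.pdf": b"PK\x03\x04\x14\x00\x00\x00",  # ZIP renamed to .pdf
}

if __name__ == "__main__":
    for name in find_suspicious(SAMPLE_FILES):
        print(name, "->", check_file(name, SAMPLE_FILES[name])[2])
```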

Tracking attackers through Emails

  • How can you find out who is sending Email that could be blackmailing you or incriminating you or your business?

  • You can use a program (like NeoTrace), which will visually show you where the Email originated from.

  • Email Headers:

    • Investigators can examine Email headers to determine who sent the Email and where it was sent from.

    • They can also find out where the Email travelled in order to reach its destination.

Email Header Example

Return-path: [email protected]

Received: from ([]) by (iPlanet Messaging Server 5.2)

Received: from [] by via HTTP

Message-id: [email protected]

  • What can you determine from this header:

    • Recipient's IP address

    • Sender's IP address

    • Reference number of the Email.

      • 59571

    • Date and time the Email was sent.

      • May 6th, 2004 at 11:54:12
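An added example, not from the original presentation, of pulling the same facts the slide reads off a header (sender, message id, delivery date, and the path of Received hops) with Python's standard email parser. The message below is constructed with documentation-range addresses and example domains, because the slide's own header is redacted.

```python
import email
import re

# Constructed sample message. Each mail server prepends its own Received line,
# so the top line is the recipient's server and the bottom one is nearest the sender.
RAW_MESSAGE = """\
Return-Path: <sender@example.net>
Received: from mail.example.net (mail.example.net [192.0.2.10])
 by mx.example.com (Postfix) with ESMTP id 59571
 for <victim@example.com>; Thu, 6 May 2004 11:54:12 -0400
Received: from [198.51.100.7] by mail.example.net via HTTP;
 Thu, 6 May 2004 11:53:50 -0400
Message-ID: <59571.1083858852@mail.example.net>
To: victim@example.com

body text
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOP_RE = re.compile(r"from (\S+).*? by (\S+)")

def received_hops(raw: str):
    """Return the Received hops in transit order (origin first) as tuples
    (from_field, by_host, bracketed_ip_or_None)."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        line = " ".join(value.split())  # join folded continuation lines
        m = HOP_RE.match(line)
        ip = IP_RE.search(line)
        hops.append((m.group(1) if m else None, m.group(2) if m else None,
                     ip.group(1) if ip else None))
    hops.reverse()  # the bottom-most header was added first
    return hops

def origin_ip(raw: str):
    """Bracketed IP in the earliest Received line, i.e. where the message entered
    the mail system. Lines below your first trusted server can be forged by the
    sender, so corroborate this hop against that server's own logs."""
    hops = received_hops(raw)
    return hops[0][2] if hops else None

def summary(raw: str):
    """The fields the slide reads off a header: sender, message id, date, path."""
    msg = email.message_from_string(raw)
    top = " ".join(msg.get_all("Received", [""])[0].split())
    return {"return_path": msg["Return-Path"], "message_id": msg["Message-ID"],
            "delivered": top.rsplit(";", 1)[-1].strip(),
            "origin_ip": origin_ip(raw), "hops": received_hops(raw)}
```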

Preserving Evidence

  • Things investigators must follow in order to collect legal evidence:

    • They must have a warrant to collect information from a suspect's computer.

    • They must keep all evidence as if it had never been touched by them.

    • They must know what is admissible in court.

    • They also must collect and record all vital information about the computer itself and its disk drives.

    • If they contaminate any evidence, all of it may become unusable in court.


