Computer forensics

"The simple definition of computer forensics ... is the art and science of applying computer science to aid the legal process. Although plenty of science is attributable to computer forensics, most successful investigators possess a nose for investigations and a skill for solving puzzles, which is where the art comes in." - Chris L.T. Brown, Computer Evidence Collection and Preservation, 2006

Computer forensics is therefore more than the technological, systematic inspection of a computer system and its contents for evidence, or supporting evidence, of a civil wrong or a criminal act. It requires specialized expertise and tools that go beyond the normal data collection and preservation techniques available to end users or system support personnel. One definition draws the line this way: "Electronic Evidentiary Recovery, known also as e-discovery, requires the proper tools and knowledge to meet the Court's criteria, whereas Computer Forensics is simply the application of computer investigation and analysis techniques in the interests of determining potential legal evidence."[1] Another is "a process to answer questions about digital states and events".[2] The process usually involves the investigation and examination of one or more computer systems, including the acquisition of the data residing on the media inside them. The forensic examiner then renders an opinion, documented in a report, based on the examination of the recovered material, addressing whether the systems are or have been used for criminal, civil or otherwise unauthorized activity. Most often, computer forensics experts examine data storage devices: hard drives, and portable devices such as USB drives, external drives and microdrives. Computer forensics experts:

  1. Identify sources of documentary or other digital evidence.
  2. Preserve the evidence.
  3. Analyze the evidence.
  4. Present the findings.

Computer forensics is done in a fashion that adheres to the standards of evidence that are admissible in a court of law. Thus, computer forensics must be techno-legal in nature rather than purely technical or purely legal. Refer to Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations for the US Department of Justice requirements for computer forensics and electronic evidence processing.


Understand the suspects

It is vital for the forensics team to have a solid understanding of the level of sophistication of the suspect(s). If insufficient information is available to form this opinion, the suspects must be assumed to be experts and presumed to have installed countermeasures against forensic techniques. Because of this, it is critical that the examiner's interaction with the equipment be as indistinguishable as possible from that of its normal users until it has been shut down completely, either in a manner that is unlikely to let the machine modify the drives, or in exactly the way the normal users would shut it down.


If the equipment contains only a small amount of critical data on the hard drive, for example, software exists to wipe it permanently and quickly when a given action occurs; it is straightforward to trigger such a wipe from the Microsoft Windows "Shutdown" command. However, simply "pulling the plug" is not always a good idea either: information stored solely in RAM, or on special peripherals, may be permanently lost. Losing an encryption key held only in RAM, possibly unknown even to the suspects themselves because it was automatically generated, may render a great deal of data on the hard drive(s) unusable, or at least extremely expensive and time-consuming to recover.


Electronic evidence considerations

Electronic evidence can be collected from a variety of sources. Within a company's network, evidence will be found in any form of technology that can be used to transmit or store data. Evidence should be collected from three parts of an offender's network: the offender's workstation, the server the offender accessed, and the network that connects the two. Investigators can then use three independent sources to confirm the data's origin.


Like any other piece of evidence used in a case, the information generated by a computer forensics investigation must meet the standards of admissible evidence. Special care must be taken when handling a suspect's files; dangers to the evidence include viruses, electromagnetic or mechanical damage, and even booby traps. There are a handful of cardinal rules used to ensure that the evidence is not destroyed or compromised:

  1. Only use tools and methods that have been tested and evaluated to validate their accuracy and reliability. To verify that a tool is forensically sound, it should be exercised in a mock forensic examination to confirm its performance. Government agencies such as the Defense Cyber Crime Institute accept requests to test specific digital forensic tools and methods for governmental agencies, law enforcement organizations, or vendors of digital forensic products at no cost to the requestor.
  2. Handle the original evidence as little as possible to avoid changing the data.
  3. Establish and maintain the chain of custody.
  4. Document everything done.
  5. Never exceed personal knowledge.

If these steps are not followed the original data may be changed, ruined or tainted, and any results generated will be challenged and may not hold up in a court of law. Other things to take into consideration are:

  1. The time that business operations are inconvenienced.
  2. How sensitive information which is unintentionally discovered will be handled.

In any investigation in which the owner of the digital evidence has not consented to have his or her media examined, as in most criminal cases, special care must be taken to ensure that you as the forensic specialist have legal authority to seize, image and examine each device. Besides having the case thrown out of court, the examiner may end up on the wrong end of a hefty civil lawsuit. As a general rule, if you are not sure about a specific piece of media, do not examine it. Amateur forensic examiners should keep this in mind before starting any unauthorized investigation.


Some of the most valuable information obtained in the course of a forensic examination will come from the computer user themselves. In accordance with applicable laws, statutes, organizational policies and other regulations, an interview of the computer user can often yield invaluable information about the system configuration, applications and, most importantly, the software or hardware encryption methods and keys used with the computer. Forensic analysis becomes far easier when analysts have the passphrase(s) the user employed to open encrypted files or containers on the local system, or on systems mapped to it through a local network or the Internet.


Secure the machine and the data

Unless completely unavoidable, data should never be analyzed on the same machine it is collected from. Instead, forensically sound copies of all data storage devices, primarily hard drives, must be made. Exceptions to this practice are detailed below under live system considerations.


To ensure that the machine can be analyzed as completely as possible, the following sequence of steps must be followed:


Examine the machine's surroundings

The collection phase starts with the computer forensic team examining the machine's surroundings. As with police investigating any other crime, all printouts, disks, notes and other physical evidence must be collected and taken back to the laboratory for analysis. Furthermore, the investigating team must take digital photographs of the surrounding environment before any of the hardware is touched. This initial collection phase sets the tone for the rest of the investigation, and the evidence must be locked away securely, with access limited to authorized team members.


Look for notes, concealed or in plain view, that may contain passwords or security instructions. Secure any recordable media, including music mixes. Also look for removable storage devices such as keydrives, MP3 players or security tokens.


Examine the Live System and record open applications

If the machine is still running, any intelligence that can be gained by examining the applications currently open should be recorded. If the machine is suspected of being used for illegal communications, such as terrorist traffic, not all of this information may be stored on the hard drive. If information held solely in RAM is not recovered before powering down it will be lost, so acquiring that data while the RAM is still powered is a priority. For most practical purposes it is not possible to capture the complete contents of RAM in a running computer without disturbing it: software acquisition tools themselves occupy and alter memory, and although specialized hardware can read memory directly, the computer may have been modified to detect chassis intrusion (some Dell machines can do this stock; software need only monitor for it), so removing the cover could cause the system to dump the contents. Ideally, prior intelligence or surveillance will indicate what action should be taken to avoid losing this information.


Several open source tools are available to analyze open ports, mapped drives (including those reached through an active VPN connection) and, of particular importance, open or mounted encrypted files (containers) on the live system. Once a system protected with Microsoft's Encrypting File System (EFS) is powered down, examining the previously mounted EFS files and directory structures becomes substantially more difficult. Using open source tools and commercially available products, it is possible to obtain an image of these mapped drives and open encrypted containers in unencrypted form. For Windows-based systems, these open source tools include Knoppix and Helix. Commercial imaging tools include AccessData's Forensic Toolkit (FTK) and Guidance Software's EnCase. Both companies make their imaging tools available for free; however, analyzing the data imaged with these tools requires a fully licensed version of the application.


The aforementioned open source tools can also scan RAM and Registry information to show recently accessed web-based e-mail sites and the login/password combinations used. They can also yield login/password pairs for recently accessed local e-mail applications, including Microsoft Outlook.


With Microsoft's Windows Vista and its use of BitLocker and the Trusted Platform Module (TPM), the importance of developing procedures for examining and imaging live (mounted, unencrypted) systems is expected to increase significantly.


Using tools to analyze and document a live computer system can itself change the contents of the hard drive. During each phase of system analysis the forensic examiner must document what they did and why. Specifically, the examiner should record the perishable information that can or will be lost during a power down. The examiner must balance the risk of changing data on the hard drive against the evidentiary value of such perishable data.


RAM can be analyzed for prior content after power loss, although as production methods become cleaner the impurities that indicate a cell's charge prior to power loss are becoming less common. Data held statically in an area of RAM for long periods is more likely to be detectable using these methods, and the likelihood of recovery increases with the originally applied voltage, the operating temperature and the duration of storage. Holding unpowered RAM below −60 °C preserves the residual data roughly an order of magnitude longer, improving the chances of successful recovery. However, the practicality of using such a method in a field examination severely limits this approach.


Because expeditious removal of the residual imprint within the module can realistically only be achieved by impractical exposure to high energies, applications written with data security in mind periodically bit-flip critical data such as encryption keys, to prevent the data 'imprinting' on the RAM and thus avoid the need to actively destroy it.[1]



When performing a live analysis, the order of volatility must be followed: the data most likely to be modified or lost first should be captured first. The order of volatility is:

1. Network connections

Network connections can close quickly and often leave no evidence of where they were connected to or of the data being transferred.

2. Running processes

It is important to note which programs are running on the computer before further analysis is conducted.

3. RAM

The system's random access memory contains information on all running programs as well as recently run programs. Information that can be recovered from RAM includes passwords, encryption keys, personal information, and system and program settings.

4. System settings

The operating system settings can now be extracted. This includes user lists, currently logged-in users, system date and time, currently accessed files and current security policies.

5. Hard disk

The hard disk can then be imaged. It is not forensically sound to image a hard drive while the system is running live unless there are extenuating circumstances.[2]
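The collection sequence above can be scripted so that each step runs in volatility order and its output is hashed and time-stamped as it is taken, which also satisfies the requirement to document what was done and when. The following Python collector is an added example and is not part of the original article or of any tool it names. The command lines in LINUX_STEPS are assumptions about a Linux target and must be adjusted for the system at hand; demo_steps() substitutes portable stand-ins that print constructed output so the collector can be exercised on any machine. Memory acquisition (rung 3) is deliberately left to a dedicated tool, since it is a kernel-level operation rather than a command-line listing.

```python
"""Live-response collector: run acquisition steps in order of volatility,
saving each output with a time stamp and SHA-256 so that what was taken,
when, and in what order is documented.  Added example; the command lines
in LINUX_STEPS are assumptions about a Linux target and must be adjusted."""
import hashlib
import json
import os
import subprocess
import sys
import tempfile
from datetime import datetime, timezone

# Most volatile first.  RAM (rung 3) is omitted here on purpose: a memory
# image needs a dedicated acquisition tool run from trusted media, not a
# command-line listing.  Binaries should come from the examiner's own
# trusted media rather than the suspect system's PATH.
LINUX_STEPS = [
    ("01_network_connections", ["ss", "-tunap"]),
    ("02_running_processes", ["ps", "auxwwf"]),
    ("04_system_settings_time", ["date", "-u"]),
    ("04_system_settings_users", ["who", "-a"]),
]


def collect(steps, outdir=None):
    """Run each (name, argv) step in the given order.  stdout is written to
    outdir/<name>.txt; the returned manifest (also saved as manifest.json)
    records argv, start time, exit status, output size and SHA-256."""
    outdir = outdir or tempfile.mkdtemp(prefix="live_response_")
    manifest = []
    for name, argv in steps:
        started = datetime.now(timezone.utc).isoformat(timespec="microseconds")
        try:
            proc = subprocess.run(argv, capture_output=True, timeout=60)
            output, rc = proc.stdout, proc.returncode
            note = proc.stderr.decode(errors="replace")[:200]
        except (OSError, subprocess.TimeoutExpired) as exc:
            # Record the failure rather than aborting: later, less volatile
            # steps are still worth taking.
            output, rc, note = b"", None, repr(exc)[:200]
        path = os.path.join(outdir, name + ".txt")
        with open(path, "wb") as f:
            f.write(output)
        manifest.append({
            "step": name,
            "argv": argv,
            "started_utc": started,
            "returncode": rc,
            "note": note,
            "size": len(output),
            "sha256": hashlib.sha256(output).hexdigest(),
            "path": path,
        })
    with open(os.path.join(outdir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def demo_steps():
    """Portable stand-ins that print constructed output, so the collector
    can be exercised on any machine; the real steps are LINUX_STEPS."""
    py = sys.executable
    return [
        ("01_network_connections",
         [py, "-c", "print('tcp 192.0.2.25:51234 198.51.100.7:443 ESTAB')"]),
        ("02_running_processes",
         [py, "-c", "print('4242 user  suspect_tool --listen')"]),
        ("04_system_settings_time",
         [py, "-c", "import datetime; print(datetime.datetime.now(datetime.timezone.utc))"]),
    ]


if __name__ == "__main__":
    for entry in collect(demo_steps()):
        print(entry["started_utc"], entry["step"], entry["sha256"][:16], entry["path"])
```

The manifest is the examiner's contemporaneous record: the start times show that volatile items were taken before less volatile ones, and the per-output digests let anyone later confirm that the saved text files are the ones the collector wrote. A failed step is logged with a null return code rather than stopping the run, because the remaining rungs are still worth capturing.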


Power down carefully

If the computer is running when seized, it should be powered down in the way least damaging to the data currently in memory and to that on the hard disk. The appropriate method depends on many factors, such as the operating system in use and the role of the seized computer. Performing a normal shutdown may cause malicious scripts to run, or volatile data to be lost; on the other hand, removing the power plug may corrupt the filesystem or lose crucial data.


Be aware that computers may feature an internal uninterruptible power supply (UPS), and laptops their own battery; with such devices the computer may keep running long after the power cable has been removed.


Inspect for traps


Fully document hardware configuration

Completely photograph and diagram the entire configuration of the system. Note serial numbers and other markings. Pay special attention to the order in which the hard drives are wired, since this indicates boot order and is necessary to reconstruct a RAID array. A little time spent being thorough here will save more later.


Duplicate the electronic media (evidence)

The process of creating an exact duplicate of the original evidentiary media is often called imaging. Using a standalone hard-drive duplicator or software imaging tools such as dcfldd or IXimager, duplicate the entire hard drive. This should be done at the sector level, making a bit-stream copy of every part of the user-accessible area of the drive that can physically store data, rather than copying the filesystem. Be sure to note which physical drive each image corresponds to. The original drives should then be moved to secure storage to prevent tampering.


Some form of hardware write protection is usually used to ensure that no writes are made to the original drive. Although an operating system such as Linux can be configured to treat the media as read-only, a hardware write blocker is the accepted best practice. The Defense Cyber Crime Institute warns that when a hardware write blocker is used, the examiner should bear in mind that write blockers can introduce extra benign data when imaging damaged media (bad sectors).[3] Special consideration is also given to hard drives with Host Protected Areas (HPAs) and Device Configuration Overlays (DCOs). These areas of a hard drive, normally reserved for drive diagnostic utilities and hidden from the operating system, can be enlarged up to nearly the entire capacity of the drive and used to store information (potential evidence) that many imaging applications and devices fail to capture. An image can be written to another hard disk drive, to tape, or to other media. Tape is a preferred format for archive images, since it is less vulnerable to damage and can be stored for longer. There are two goals when making an image:

  1. Completeness (imaging all of the information)
  2. Accuracy (copying it all correctly)

The imaging process is verified with a cryptographic message digest such as SHA-1 (with a program such as sha1sum) or another algorithm that is still considered sound; practical SHA-1 collisions have since been demonstrated (2017), so SHA-256 or stronger should be used for new work, with SHA-1 and MD5 retained only for comparison against hashes recorded earlier. To make a forensically sound image, two reads must produce the same digest. A drive should generally be hashed with at least two algorithms, so that its integrity can still be demonstrated if one of the algorithms is broken. In practice this is done by first imaging to one medium labeled Master and then making a second image labeled Working. If on site and time is critical, the second read can be discarded (for example written to /dev/null) so that only its digest is recorded for comparison.
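The two imaging goals (completeness and accuracy), the zero-filling of unreadable sectors and the two-read hash check can be seen in miniature in the following Python example. It is added here and is not code from the original article or from dcfldd, IXimager or any other tool the page names. It copies a source sector by sector, hashes the bytes with SHA-1 and SHA-256 as they are read, zero-fills any sector that cannot be read and records its number (in the spirit of dcfldd's conv=noerror,sync, so later bytes keep their original offsets), and then verifies the image by a second, independent read. The evidence file, its contents and the tampered copy produced in demo() are constructed for the example.

```python
"""Sector-level imaging with dual-algorithm hash verification.  Added
example, not code from dcfldd, IXimager or any tool named on the page."""
import hashlib
import os
import tempfile

SECTOR = 512
ALGORITHMS = ("sha1", "sha256")   # two independent digests, as the text advises


def hash_stream(path, algorithms=ALGORITHMS, block=2048 * SECTOR):
    """Read a file or device once, in chunks, and return {algorithm: hexdigest}."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    with open(path, "rb") as f:
        while chunk := f.read(block):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def image(src, dst, size=None, algorithms=ALGORITHMS):
    """Bit-stream copy of src to dst, one sector at a time, hashing the bytes
    as they are read (so the digests describe what was actually acquired).
    A sector that cannot be read is logged and written as zeros, keeping every
    later byte at its original offset (dcfldd's conv=noerror,sync behaviour);
    this is the 'benign extra data' the text warns about and must be disclosed
    in the report.  For a block device st_size is 0, so pass size explicitly.
    Returns (hashes, list_of_bad_sector_numbers)."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    bad_sectors = []
    with open(src, "rb", buffering=0) as fin, open(dst, "wb") as fout:
        total = size if size is not None else os.fstat(fin.fileno()).st_size
        for offset in range(0, total, SECTOR):
            want = min(SECTOR, total - offset)
            fin.seek(offset)
            try:
                data = fin.read(want)
            except OSError:
                data = b""
            if len(data) < want:
                bad_sectors.append(offset // SECTOR)
                data = data.ljust(want, b"\0")
            fout.write(data)
            for h in hashers.values():
                h.update(data)
    return {a: h.hexdigest() for a, h in hashers.items()}, bad_sectors


def verify(acquisition_hashes, image_path):
    """Second, independent read of the image.  Forensically sound only if
    every algorithm's digest matches the one taken during acquisition."""
    return hash_stream(image_path, tuple(acquisition_hashes)) == acquisition_hashes


def demo():
    """Constructed evidence: three full sectors of patterned bytes plus a
    partial fourth, imaged, verified, and then a one-bit-tampered copy checked."""
    tmp = tempfile.mkdtemp(prefix="imaging_")
    evidence = os.path.join(tmp, "suspect.dd")
    master = os.path.join(tmp, "suspect-master.img")
    tampered = os.path.join(tmp, "suspect-tampered.img")
    with open(evidence, "wb") as f:
        f.write(bytes(range(256)) * 6 + b"END-OF-EVIDENCE")   # 1551 bytes
    hashes, bad = image(evidence, master)
    with open(master, "rb") as f:
        data = bytearray(f.read())
    data[700] ^= 0x01                         # flip one bit in sector 1
    with open(tampered, "wb") as f:
        f.write(data)
    return {
        "hashes": hashes,
        "bad_sectors": bad,
        "master_verified": verify(hashes, master),
        "matches_original": hashes == hash_stream(evidence),
        "tamper_detected": not verify(hashes, tampered),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two points carry over to real acquisitions: the digests are computed from the bytes as they come off the source, so a later re-read of the image that yields the same values is the evidence that the copy is complete and accurate, and the list of zero-filled sectors must be reported alongside the hashes, because the image then differs from the original by exactly those bytes.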


Note: Ultimately the methodology used by computer forensic investigators in capturing potential evidence on a system (such as imaging hard drives) will be dictated by the proportionality of the likely importance of that evidence in the matter for which these services are engaged. Additional influences such as claims of privilege and potential damages sought for business interruption create potential headaches for corporate investigations, where forensic soundness is often sacrificed for practicality. Law enforcement personnel moving into the corporate environment tend to be overly strict in their application of computer forensic principles in litigation where the burden of proof does not require it. There is an increasing need to capture servers live, and to capture less than whole disks' worth of data, in order to work within a time and cost framework. Even an unsolved murder investigation must be wound up at some point where there are diminishing gains to be had in progressing it; so too with computer forensic investigations in both the corporate and criminal arenas, where the sheer quantity of digital evidence can become overwhelming and threaten to overburden investigators. Also, it must be remembered that any computer evidence is potentially admissible regardless of the methodology by which it came to the attention of the court. If an examiner fails to create a SHA or MD5 hash of the original hard drive, the data is not necessarily worthless or inadmissible; traditional discovery has been happening for at least a decade, often without hashes. Application of proper forensic principles will, however, improve its overall credibility and diminish admissibility challenges, so reasonable attempts should be made to ensure that the most complete and accurate image possible is obtained.


E-mail review

E-mail has become one of the primary mediums of communication in the digital age, and vast amounts of evidence may be contained therein, whether in the body or enclosed in an attachment. Because users may access e-mail in a variety of ways, it is important to look for different kinds of e-mail. The user may have used a dedicated program, or Mail User Agent (MUA), a web browser, or some other program to read and write e-mail. Additionally, files for each of these programs may be stored on a local hard drive, a network device, or a removable device. A good examiner will search all of these locations for e-mail data. Be aware that many e-mail clients save a copy of outgoing messages, so both the sender and the recipient may have a copy of each message. Finally, mail may also be stored on a dedicated mail server, either awaiting delivery or as permanent storage.


E-mail headers


All e-mail programs generate headers that are attached to the messages. The study of these headers is complex. Some investigators favor reading the headers from the bottom up, others from the top down. Under normal circumstances headers are created by the mail user agent and further headers are then prepended by each mail server the message passes through, so reading from the bottom up follows the message's path chronologically. A malicious mail server or a forger can, however, insert headers that make this unreliable.


The headers added by an MUA are different from those added by mail servers. For example, here is the format for headers generated by Mozilla Thunderbird 1.0 running on Microsoft Windows.

 Message-ID: <41B5F981.5040504@example.net>
 Date: Tue, 07 Dec 2004 13:42:09 -0500
 From: User Name <username@example.net>
 User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
 X-Accept-Language: en-us, en
 MIME-Version: 1.0
 To: recipient@example.com
 Subject: Testing
 Content-Type: text/plain; charset=ISO-8859-1; format=flowed
 Content-Transfer-Encoding: 7bit

Extensions such as Enigmail may add extra headers.


The Message-ID field has three parts:

 Message-ID: [time].[salt]@[domain-name]

  1. The time the message was sent, in seconds past the Unix epoch, written as a 32-bit big-endian hexadecimal value.
  2. A random value called a salt. The salt is of the format #0#0#0# where # is a random digit. Because Thunderbird treats the salt like a number, it may be shorter if the leading digits are zeros. For example, a salt of "0030509" would display as "30509".
  3. The fully qualified domain name of the sender.

Information on the Message-ID header was derived from the source code in mozilla/mailnews/compose/src/nsMsgCompUtils.cpp, in the function msg_generate_message_id(), and therefore applies only to mail sent by this application. In general the format of the Message-ID is arbitrary, and you should refer to the applicable RFCs.
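The following is an added example, not code from the page or from Mozilla, that decodes a Thunderbird-1.0-style Message-ID as described above and checks its embedded timestamp against the Date header; the sample headers are constructed from the example block above, and the five-minute tolerance is an assumed threshold.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample, copied from the Thunderbird header example above.
SAMPLE_HEADERS = """\
Message-ID: <41B5F981.5040504@example.net>
Date: Tue, 07 Dec 2004 13:42:09 -0500
From: User Name <username@example.net>
User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
"""

# [time].[salt]@[domain-name]: hex seconds, decimal salt, sender's FQDN
MSGID_RE = re.compile(r"<([0-9A-Fa-f]{1,8})\.(\d{1,7})@([^>]+)>")


def parse_thunderbird_message_id(msgid):
    """Split a Message-ID into (UTC datetime, 7-digit salt, domain).

    Returns None when the value does not follow the Thunderbird layout,
    so callers can fall back to treating the Message-ID as opaque."""
    m = MSGID_RE.fullmatch(msgid.strip())
    if m is None:
        return None
    secs = int(m.group(1), 16)          # hex seconds since the Unix epoch
    salt = m.group(2).zfill(7)          # Thunderbird drops leading zeros; restore them
    # Expected layout is #0#0#0#: every second digit must be a zero
    if salt[1] != "0" or salt[3] != "0" or salt[5] != "0":
        return None
    return datetime.fromtimestamp(secs, tz=timezone.utc), salt, m.group(3)


def message_id_matches_date(headers, tolerance_s=300):
    """Compare the Message-ID timestamp with the Date header.

    Both are written by the MUA at send time, so a large gap suggests a
    rewritten or forged header. Returns None if the ID is not Thunderbird-style."""
    fields = dict(line.split(": ", 1) for line in headers.splitlines() if ": " in line)
    parsed = parse_thunderbird_message_id(fields["Message-ID"])
    if parsed is None:
        return None
    date = parsedate_to_datetime(fields["Date"])
    return abs((date - parsed[0]).total_seconds()) <= tolerance_s
```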


Sorting through the masses

While it is theoretically possible to review every e-mail, the sheer volume that may be subject to review makes this a daunting task; large-scale e-mail reviews cannot examine each and every message because of the impracticality and cost. Forensic experts use review tools to make copies of e-mails and their attachments and to search through them for incriminating evidence using keyword searches. Some programs have advanced to the point that they can recognize general threads in e-mails by looking at the word groupings on either side of the search word in question. Thanks to this technology, vast amounts of time can be saved by eliminating groups of e-mails that are not relevant to the case at hand.


Also, e-mails may contain In-Reply-To: headers that allow threads to be reconstructed. Good e-mail clients can do this.
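As an added illustration of the thread reconstruction mentioned above (not code from the page or from any mail client), the following groups a set of constructed messages by their In-Reply-To links and also lists replies whose parent is missing from the set, which for an examiner is a hint that mail may have been deleted or lives in another mailbox.

```python
from collections import defaultdict

# Constructed sample messages (not from the page): minimal header dicts.
SAMPLE_MESSAGES = [
    {"Message-ID": "<a1@example.net>", "Subject": "Q4 plan"},
    {"Message-ID": "<b2@example.com>", "In-Reply-To": "<a1@example.net>", "Subject": "Re: Q4 plan"},
    {"Message-ID": "<c3@example.net>", "In-Reply-To": "<b2@example.com>", "Subject": "Re: Q4 plan"},
    {"Message-ID": "<d4@example.org>", "In-Reply-To": "<zz@missing.example>", "Subject": "Re: lunch"},
    {"Message-ID": "<e5@example.org>", "Subject": "Invoice"},
]


def build_threads(messages):
    """Group messages into threads keyed by the root Message-ID.

    Each thread is a list of (depth, Message-ID) in reading order. A reply
    whose parent is absent from the set starts a thread of its own."""
    by_id = {m["Message-ID"]: m for m in messages}
    children = defaultdict(list)
    roots = []
    for m in messages:
        parent = m.get("In-Reply-To")
        if parent in by_id:
            children[parent].append(m["Message-ID"])
        else:
            roots.append(m["Message-ID"])

    def walk(mid, depth, seen):
        if mid in seen:            # guard against forged In-Reply-To loops
            return
        seen.add(mid)
        yield (depth, mid)
        for child in children.get(mid, []):
            yield from walk(child, depth + 1, seen)

    return {root: list(walk(root, 0, set())) for root in roots}


def orphan_replies(messages):
    """Message-IDs that reply to a message not present in the set."""
    ids = {m["Message-ID"] for m in messages}
    return [m["Message-ID"] for m in messages
            if "In-Reply-To" in m and m["In-Reply-To"] not in ids]


def thread_sizes(messages):
    """Number of messages in each reconstructed thread, keyed by root."""
    return {root: len(nodes) for root, nodes in build_threads(messages).items()}
```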


Computer forensic examples

Forensics can be defined as the use of technology and science for investigation and fact recovery when dealing with criminal matters. Computer forensics is the technological aspect of retrieving evidence for use within criminal or civil courts of law. Computer forensic examiners are able to recover damaged and deleted files. Some cases in particular have relied on computer forensics as their principal source of evidence to indict a criminal offender or to find the location of a missing person.


Example

Chandra Levy, who went missing on April 30, 2001, was a Washington, D.C. intern whose disappearance was widely publicized. Before her location became unknown, she had used the Internet as well as e-mail to make travel arrangements and to communicate with her parents. This technology helped a computer criminalist trace her whereabouts. The information found on her computer led police to her location, even though she had been missing for one year.


Example two

There have been a number of cases at private schools where authority figures have been charged with possession of child pornography. These discoveries were made using computer forensics. By tracking the buying and selling of pornography online, computer forensic investigators have been able to locate people involved in these crimes. They are able to use information found on the computers as circumstantial evidence in court, allowing prosecution to occur.


Example three

A final example of how computer forensics is affecting the workplace is security. Employees' work computers are now being monitored to ensure that no illegal actions are taking place in the office. Companies have also heightened security so that outsiders cannot access confidential files. If this security is broken, a company is then able to use computer forensics to trace back which computer was tampered with and what information was extracted from it, possibly leading to the guilty parties and other potential parties involved.


Comparison to Physical Forensics

There are many core differences between computer forensics and "physical forensics." [3] At the highest level, the physical forensic sciences focus on identification and individualization. Both of these processes compare an item from a crime scene with other substances to identify the class of the item (i.e. is the red liquid fruit juice or blood?) or the source of the item (i.e. did this blood come from person X?). Computer forensics, on the other hand, focuses on finding the evidence and analyzing it. Therefore, it is more analogous to a physical crime scene investigation[4] than to the physical forensic processes.


See also

  • Counter forensics
  • Data analysis
  • Cryptanalysis
  • Data recovery
  • Encryption
  • Steganography
  • Steganalysis
  • MAC times
  • Information forensics
  • Information technology audit
  • Digital evidence
  • Computer security audit
  • Software testing
  • The Sleuth Kit

References

  1. ^ Peter Gutmann. "Secure Deletion of Data from Magnetic and Solid-State Memory". University of Auckland.
  2. ^ "Order of Volatility". www.porcupine.org/forensics/forensic-discovery/appendixB.html
  3. ^ Cyrus Robinson. "IXImager Bad Sector Drive Imaging Study". Defense Cyber Crime Institute, Cyber Files. Reports and studies are available only to US governmental agencies and law enforcement organizations.
  4. ^ Brian Carrier, Eugene H. Spafford. "Getting Physical with the Digital Investigation Process". International Journal of Digital Evidence, Fall 2003, Volume 2, Issue 2.
  4. ^ Xiaoyun Wang and Hongbo Yu. "How to Break MD5 and Other Hash Functions". EUROCRYPT 2005.


External links

  • Digital Data Acquisition Tool Specification (PDF)
  • Computer Forensics World Forum
  • IT Crime Investigation: An overview of techniques
  • Original Computer Forensics Wiki
  • Electronic Evidence Information Center
  • Forensic Focus
  • Forensics Wiki
  • Digital Forensic Research Workshop (DFRWS)

Related Journals

  • Journal of Digital Investigation[4]
  • International Journal of Digital Evidence[5]
  • International Journal of Forensic Computer Science[6]
  • Journal of Digital Forensic Practice[7]
  • Cryptologia[8]

The Wikipedia article included on this page is licensed under the GFDL.
Images may be subject to relevant owners' copyright.
All other elements are (c) copyright NationMaster.com 2003-5. All Rights Reserved.