1. INTRODUCTION

Who attacked this computer system? What actions did they take? What damage did they do? With what degree of certainty, and under what assumptions, do we make these assertions? Will these assertions be acceptable in a court? These questions are asked during the computer forensic analysis process.

The term forensics derives from the Latin forensis, which meant "in open court" or "public," which itself comes from the term forum, referring to an actual location, a public square or marketplace used for judicial and other business. Contemporary use of the word forensics, therefore, generally continues to relate to law, and has come to mean "scientific tests or techniques used with the detection of crime." Thus, computer forensics implies a connection between computers, the scientific method, and crime detection. Many computer scientists have simply been using the word "forensics" to mean "a process of logging, collecting, and auditing or analyzing data in a post-hoc investigation." Computer forensics is the science of obtaining, preserving, and documenting evidence from digital electronic devices such as computers, digital cameras, mobile phones and various memory storage devices. All of this must be done in a manner designed to preserve the probative value of the evidence and to confirm its admissibility in a legal proceeding.

Computer-based evidence has only recently become common in court proceedings, but its impact on the legal system has been significant. Computer scientists can take steps to move computer forensics into a more rigorous position as a science by being able to make well-reasoned and concrete claims about the accuracy and validity of conclusions presented in court. Our goal is to point out the confusion between forensic practitioners, law enforcement officials, and computer scientists, and to encourage a dialog, in the hope that the groups will begin to work more closely together in order to solve the critical problems that exist in the application of computer science to legal issues.
We seek to help the different groups understand the steps that must be taken in order to make claims about computer forensic data, and under what conditions those claims are appropriate and when they are not.

The Internet is growing explosively, as is the number of crimes committed against or using computers. As a response to the growth of computer crime, the field of computer forensics has emerged. Computer forensics involves carefully collecting and examining electronic evidence, not only to assess the damage done to a computer as a result of an electronic attack, but also to recover lost information from such a system in order to prosecute a criminal. Computer forensics uses computer investigation and analysis techniques to collect evidence regarding what happened on a computer that is admissible in a court of law. It requires a well balanced combination of technical skills and legal and ethical conduct. Computer forensics specialists use powerful software tools to uncover data to be sorted, and then must figure out the important facts and how to properly present them in a court of law. Cyber crime rates are accelerating, and computer forensics is the crucial discipline that has the power to impede the progress of these cyber criminals. Computer forensics is defined as "the application of computer investigation and analysis techniques to gather evidence suitable for presentation in a court of law."

Personal computers are in widespread use in businesses and homes. Companies are exchanging more information online than ever before, and high-tech crimes are increasing at a rapid rate. This creates more of a need for crime investigators to have access to computer-based information. Law enforcement and the legal establishment are facing a new challenge: criminal acts are being committed, and the evidence of these activities is recorded in electronic form. Additionally, crimes are being committed using computers.
Digital evidence, by its very nature, is invisible to the eye. Therefore the evidence must be developed using tools other than the human eye. Each step requires the use of tools or knowledge, and the process must be documented, reliable and repeatable. The process itself must be understandable to the members of the court.

Identifying a piece of digital evidence represents a three-step process, placing it in its physical, logical and legal context:

1. Physical context: it must be definable in its physical form.
2. Logical context: it must be identifiable as to its logical position. Where does it reside relative to the file system?
3. Legal context: the evidence must be placed in the correct context in order to read its meaning.

1.2 Forensic Language and Terminology

Those involved in computer forensics often do not understand one another. Groups have evolved separately with only little interaction.
Each group has largely separate conferences, journals, and research locations, and few attempts have successfully brought these groups together. Indeed, the language used to describe computer forensics, and even the definition of the term itself, varies considerably among those who study and practice it: computer scientists, commercial ventures, practitioners, and the legal profession. As a result, it is difficult for these groups to communicate and understand each other's goals. Legal specialists commonly refer only to the analysis, rather than the collection, of enhanced data: "the tools and techniques to recover, preserve, and examine data stored or transmitted in binary form." By way of contrast, computer scientists have defined it as "valid tools and techniques applied against computer networks, systems, peripherals, software, data, or users to identify actors, actions, or states of interest." Even within the computer science discipline, there is disagreement about terminology. "Software forensics" has been defined as tracing code to its authors. Some computer scientists focus largely on the examination of file system data, whereas others also include the collection of data.

1.3 Forensic System

In practice, forensic analysis of a computer system involves identifying suspicious objects or events and then examining them in enough detail to form a hypothesis as to their cause and effect. Data for forensic analysis can be collected by introspection of a virtual machine during deterministic replay, as long as nondeterministic events can be logged, the overhead is acceptable, and the target machine has only a single processor (because multiprocessors introduce further nondeterminism in the ordering of shared-memory accesses, which is expensive to log). Specialized hardware can make nondeterministic event logging practical, but this kind of hardware is rarely available. Most existing tools simply operate on a live, running system, and look both at system- and network-level events and at files on a disk.
The concepts of "logging" and "auditing" have been around for a long time. Anderson and Bonyun first proposed the use of audit trails on computer systems. They discussed the merits of certain data and the placement of mechanisms to capture that data, but did not discuss how the process of selecting data could be generalized. Throughout the early evolution of audit trails, sophisticated logging capabilities were developed for multiple platforms. However, the purpose was purely an ad-hoc method of capturing data thought to be useful for investigatory purposes, and was not intended for legal use.

Today, UNIX system log (syslog) entries, and the equivalents on other operating systems, are commonly used forensic data sources. However, these mechanisms were designed as debugging aids for programmers and system administrators, and not for forensics.
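To make concrete what "who committed a certain action" looks like when the only source is syslog, the following added example (written for this page, not code from the original text or from any tool it mentions) parses a handful of constructed BSD-style syslog lines of the kind sshd and sudo emit, turns them into (time, actor, event) records, and groups them by actor. The log lines, host name, user names and addresses are constructed for the example. Note what the log answers and what it does not: sudo records the user and the command, but nothing records what that command did to the file system, which is exactly the gap between an "object" (a file that is now gone) and the "event" that produced it.

```python
"""Reconstruct a per-actor timeline from syslog lines (added example)."""
import re
from collections import defaultdict

# Constructed sample, not from a real system. Traditional BSD syslog layout
# ("Mon DD HH:MM:SS host tag[pid]: message") as rsyslog writes by default.
SAMPLE_LOG = """\
Mar 14 09:12:01 host1 sshd[2210]: Accepted publickey for alice from 10.0.0.5 port 51514 ssh2: RSA SHA256:abc
Mar 14 09:12:01 host1 sshd[2210]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar 14 09:13:40 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/rm /var/log/auth.log.1
Mar 14 09:15:02 host1 sshd[2310]: Failed password for invalid user admin from 203.0.113.9 port 40022 ssh2
Mar 14 09:20:11 host1 sshd[2210]: pam_unix(sshd:session): session closed for user alice
"""

# Header: timestamp, host, program tag with optional [pid], then the message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)

# Message patterns, each mapped to an event type and the actor it is
# attributed to. Only events that name an actor are kept; the pam
# "session opened" line duplicates the "Accepted" line and is skipped.
EVENT_PATTERNS = [
    ("login", re.compile(r"Accepted (?P<method>\S+) for (?P<actor>\S+) from (?P<src>\S+)")),
    ("failed_login", re.compile(r"Failed password for (?:invalid user )?(?P<actor>\S+) from (?P<src>\S+)")),
    ("logout", re.compile(r"session closed for user (?P<actor>\S+)")),
    # sudo: "<user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
    ("privileged_command", re.compile(r"^(?P<actor>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")),
]


def parse_line(line):
    """Return an event record for one syslog line, or None if it carries no attributable event."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    msg = m.group("msg").strip()
    for event, pat in EVENT_PATTERNS:
        em = pat.search(msg)
        if em:
            detail = {k: v for k, v in em.groupdict().items() if k != "actor"}
            return {
                "ts": m.group("ts"), "host": m.group("host"), "tag": m.group("tag"),
                "event": event, "actor": em.group("actor"), "detail": detail,
                "raw": line,  # keep the original line so the record stays traceable to its source
            }
    return None


def reconstruct_events(text):
    """All attributable events in the log, in the order the log recorded them."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def timeline_by_actor(text):
    """Group events by the user they are attributed to: the 'who did what, when' view."""
    by_actor = defaultdict(list)
    for e in reconstruct_events(text):
        by_actor[e["actor"]].append(e)
    return dict(by_actor)


if __name__ == "__main__":
    for actor, events in timeline_by_actor(SAMPLE_LOG).items():
        print(actor)
        for e in events:
            print(f"  {e['ts']}  {e['event']:<18} {e['detail']}")
```

Running it shows alice logging in, removing a rotated auth log as root, and logging out, and a failed login for a non-existent user from another address. What the timeline cannot show is any file operation performed inside an interactive session that did not go through sudo, which is why the text describes syslog as a debugging aid rather than a forensic record.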
Similarly, the Sun Basic Security Module (BSM) and its cross-platform successors are constructed on high-level assumptions about what events are important to security, and not to answer specific forensic questions such as who committed a certain action. The most successful forensic work has involved unifying these tools using a "toolbox" approach that combines application-level mechanisms with low-level memory inspection and other state-based analysis techniques.

The forensic software used in the vast majority of court cases cannot distinguish among different methods of file creation. Such software does not provide sufficient information to enable an analyst to reconstruct previous events rather than just objects, particularly when those events appear "ordinary," such as when committed by insiders. In court, a jury must consider questions that are not as straightforward as whether a file exists or an action has taken place. The jury needs to know how the file got there and who took the action.

1.4 Benefits of the research study

Apart from the technical aspect, legal issues are also involved. Computer forensic analysts conduct their investigation in such a way that the electronic evidence will be admissible in court. There are advantages and disadvantages when it comes to computer forensics. The field is relatively new, and criminal matters have usually dealt with physical evidence. This makes electronic evidence something very new.
Fortunately, it has been a helpful tool by which important data needed for a case that has been lost, deleted or damaged can be retrieved. Computer forensics' main advantage is its ability to search and analyze a mountain of data quickly and efficiently. Analysts can search keywords on a hard drive in different languages, which is beneficial since cyber crimes can easily cross borders through the internet. Valuable data that has been lost or deleted by offenders can be retrieved and becomes substantial evidence in court. Legal professionals are able to produce data in court that were previously impossible to obtain.

The first setback when using electronic or digital evidence is making it admissible in court. Data can be easily modified. The analyst must be able to fully comply with the standards of evidence required in a court of law. The computer forensic analyst must show that the data has not been tampered with, and his or her own investigation must also be fully documented and accounted for. Computer forensic analysts must also be trained in the legal standard procedures for handling evidence.
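The two requirements above, that the analyst can show the data has not been modified and that every handling step is documented and repeatable, are usually met by hashing the acquired image at acquisition time and recording every handover against that hash. The following is an added example written for this page, not code from the original text or from any forensic product: it hashes a constructed stand-in for a disk image with SHA-256, keeps an append-only custody log in which each entry also covers the hash of the entry before it (so later edits to the log itself are detectable), and re-hashes the image at every handover so that a single flipped bit is caught before analysis begins. The exhibit identifier, handler names and timestamps are placeholders.

```python
"""Evidence integrity check and hash-chained chain-of-custody log (added example)."""
import hashlib
import hmac
import json

# Constructed 4 KiB stand-in for an acquired disk image (not a real image).
ORIGINAL_IMAGE = bytes(range(256)) * 16
# The same image with one bit flipped in the middle, standing in for a
# modification made somewhere between acquisition and analysis.
TAMPERED_IMAGE = bytes(b ^ 0x01 if i == 1024 else b for i, b in enumerate(ORIGINAL_IMAGE))

GENESIS = "0" * 64  # "previous entry" value for the first log entry


def image_hash(data: bytes) -> str:
    """SHA-256 of the whole image; this is the value recorded at acquisition."""
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: dict) -> str:
    """Hash of an entry's fields in canonical JSON form, excluding its own hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    """Append-only record of who held the exhibit, when, and what they verified."""

    def __init__(self, exhibit_id: str, data: bytes, handler: str, when: str):
        self.exhibit_id = exhibit_id
        self.acquisition_hash = image_hash(data)
        self.entries = []
        self._append("acquired", handler, when, self.acquisition_hash)

    def _append(self, action: str, handler: str, when: str, observed_hash: str) -> bool:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        # Constant-time comparison against the acquisition hash.
        intact = hmac.compare_digest(observed_hash, self.acquisition_hash)
        entry = {
            "seq": len(self.entries), "exhibit": self.exhibit_id, "action": action,
            "handler": handler, "when": when, "observed_hash": observed_hash,
            "intact": intact, "prev": prev,
        }
        entry["entry_hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return intact

    def handover(self, data: bytes, action: str, handler: str, when: str) -> bool:
        """Re-hash the image as received and record the result. Returns False on mismatch."""
        return self._append(action, handler, when, image_hash(data))

    def log_intact(self) -> bool:
        """Recompute the hash chain; any edited, reordered or dropped entry breaks it."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or not hmac.compare_digest(_entry_hash(entry), entry["entry_hash"]):
                return False
            prev = entry["entry_hash"]
        return True


def demo():
    """Acquire, hand over intact, then hand over a modified copy. Placeholders throughout."""
    log = CustodyLog("EX-001", ORIGINAL_IMAGE, "examiner A", "2024-03-14T09:00:00Z")
    ok_first = log.handover(ORIGINAL_IMAGE, "received for analysis", "examiner B", "2024-03-14T13:30:00Z")
    ok_second = log.handover(TAMPERED_IMAGE, "received from lab", "examiner C", "2024-03-15T08:05:00Z")
    return log, ok_first, ok_second


if __name__ == "__main__":
    log, ok_first, ok_second = demo()
    for e in log.entries:
        print(e["seq"], e["when"], e["handler"], e["action"], "intact" if e["intact"] else "MISMATCH")
    print("log chain intact:", log.log_intact())
```

The image hash proves the image is the one acquired; the entry chain proves the record of handling was not rewritten afterwards. Neither replaces the write blocker, the witnessed acquisition or the signed paper form that a court expects, but both give the analyst something verifiable to point to when asked whether the data could have been modified.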