Computer Forensics by Dr

CIT 429 LECTURE SERIES
Topic: Computer Forensics
By Dr. A.O. Akinwunmi
Computer Science programme
College of Computing and Communication Studies

Computer Crime

• One of the biggest threats facing businesses and corporations today is computer crime, also called cybercrime, or cyber-attacks and threats.
• If these are large enough in scale and magnitude, they could even be considered an act of cyber terrorism, in which a significant impact is felt in both cost and human emotion.
• Whenever something like this occurs, two of the most common questions asked are:
  • How did it happen?
  • How can this be prevented from happening again in the future?

What is Computer Crime?

• Computer crime is any criminal offense, activity or issue that involves computers.
• Computer misuse tends to fall into two categories:
  • Computer is used to commit a crime.
  • Computer itself is a target of a crime. Computer is the victim. Computer Security Incident.

Computer is Used to Commit a Crime

• Computer is used in illegal activities: child pornography, threatening letters, e-mail spam or harassment, extortion, fraud and theft of intellectual property, embezzlement – all these crimes leave digital tracks.
• Investigation into these types of crimes includes searching computers that are suspected of being involved in illegal activities.
• Analysis of gigabytes of data looking for specific keywords, examining log files to see what happened at certain times.

Computer Security Incident

• Unauthorized or unlawful intrusions into computing systems
• Scanning a system - the systematic probing of ports to see which ones are open
• Denial-of-Service (DoS) attack - any attack designed to disrupt the ability of authorized users to access data
• Malicious Code - any program or procedure that makes unauthorized modifications or triggers unauthorized actions (virus, worm, Trojan horse)

Computer Incident Response

• This is an organized approach to addressing and managing the aftermath of a security breach or cyberattack.
• The goal is to handle the situation in a way that limits damage and reduces recovery time and costs.

Computer Forensics or Digital Forensics

• The terms computer forensics and digital forensics are often used interchangeably to refer to the investigation of any computer, computer-related device or digital device for legal purposes.
• Technically, the term computer forensics refers to the investigation of computers.
• Digital forensics includes not only computers but also any digital device, such as digital networks, cell phones, flash drives and digital cameras.
• It is a branch of digital forensic science pertaining to evidence found in computers and digital storage media.

Purpose of Computer Forensics

• The purpose of computer and digital forensics is to determine if a device was used for illegal purposes, ranging from computer hacking to storing illegal pornography or records of other illegal activity.
• It entails examining digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information.
• The discipline of computer forensics emerged, as the use of computers grew and their use for criminal activities increased, as a method to recover and investigate digital evidence for use in court.
• Since then, computer crime and computer-related crime have grown, jumping 67% between 2002 and 2003.

Purpose of Computer Forensics Cont’d

• Today it is used to investigate a wide variety of crime, including child pornography, fraud, espionage, cyberstalking, murder and rape.
• The discipline also features in civil proceedings as a form of information gathering (for example, electronic discovery).
• In court, computer forensic evidence is subject to the usual requirements for digital evidence.
• This requires that information be authentic, reliably obtained, and admissible.
• Different countries have specific guidelines and practices for evidence recovery.

Definition of Computer Forensics and Its Importance

• It is the discipline that combines the elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law.
• Digital forensics is defined as the process of preservation, identification, extraction, and documentation of computer evidence which can be used by the court of law.
• It is a science of finding evidence from digital media like a computer, mobile phone, server, or network.
• It provides the forensic team with the best techniques and tools to solve complicated digital-related cases.

Computer Forensics Data

• When a cyber-attack has occurred, collecting all relevant evidence is of utmost importance to answer the questions outlined above.
• However, keep in mind that the forensics examiner/investigator is especially interested in a particular piece of evidence, known specifically as “latent data.”
• In the cybersecurity world, this kind of data (also known as “ambient data”) is not easily seen or accessible at first glance at the scene of a cyber-attack.
• In other words, it takes a much deeper level of investigation by the computer forensics expert to unearth it. This data has many uses, but it was implemented in such a way that access to it is extremely limited.

Examples of Latent Data

• Information which is in computer storage but is not readily referenced in the file allocation tables;
• Information which cannot be viewed readily by the operating system or commonly used software applications;
• Data which has been purposely deleted and is now located in:
  • Unallocated spaces in the hard drive;
  • Swap files;
  • Print spooler files;
  • Memory dumps;
  • The slack space between the existing files and the temporary cache.

Importance of Computer Forensics

• Computer forensics is of paramount importance to a business or a corporation. For instance, there is often the thinking that simply fortifying the lines of defense with firewalls, routers, etc. will be enough to thwart any cyber-attack.
• The security professional knows that this is untrue, given the extremely sophisticated nature of today’s cyber hacker.
• This premise is also untrue from the standpoint of computer forensics. While these specialized pieces of hardware do provide some information about what generally transpired during a cyber-attack, they very often do not possess the deeper layer of data that provides clues as to what exactly happened.
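
The latent-data locations listed above (file slack and unallocated space) can be shown on a toy disk image. This is an added example, not part of the original lecture; the 16-byte cluster size, the image contents and the allocation map are constructed for illustration, and real file systems record allocation differently.

```python
CLUSTER = 16  # bytes per cluster (tiny constructed value; real clusters are KiB-sized)

def build_image():
    """Constructed 4-cluster image plus the allocation records an OS would consult."""
    img = bytearray(CLUSTER * 4)
    # Cluster 0 once held an older, longer file; its tail survives past the new EOF.
    img[0:16] = b"OLD-PIN=4471;;;;"
    img[0:5] = b"hello"                # current file a.txt, 5 bytes long
    img[16:32] = b"report v2 final."   # current file b.txt, fills its cluster exactly
    img[32:48] = b"deleted: acct#99"   # deleted file: cluster freed, bytes remain
    # Cluster 3 was never written and stays zero-filled.
    files = {"a.txt": {"clusters": [0], "size": 5},
             "b.txt": {"clusters": [1], "size": 16}}
    return bytes(img), files

def file_slack(image, files):
    """Bytes between each file's logical end and the end of its last cluster."""
    slack = {}
    for name, meta in files.items():
        used_in_last = meta["size"] - CLUSTER * (len(meta["clusters"]) - 1)
        last = meta["clusters"][-1]
        start = last * CLUSTER + used_in_last
        end = (last + 1) * CLUSTER
        if end > start:
            slack[name] = image[start:end]
    return slack

def unallocated(image, files):
    """Clusters that no live file references, keyed by cluster number."""
    live = {c for meta in files.values() for c in meta["clusters"]}
    total = len(image) // CLUSTER
    return {c: image[c * CLUSTER:(c + 1) * CLUSTER]
            for c in range(total) if c not in live}

def keyword_hits(regions, keyword):
    """Labels of the regions whose raw bytes contain the keyword."""
    return sorted(str(label) for label, data in regions.items() if keyword in data)

if __name__ == "__main__":
    image, files = build_image()
    slack, free = file_slack(image, files), unallocated(image, files)
    print("file slack:", slack)
    print("unallocated clusters:", free)
    print("'4471' found in slack of:", keyword_hits(slack, b"4471"))
    print("'acct' found in unallocated cluster:", keyword_hits(free, b"acct"))
```

Neither remnant is reachable through the file listing: a.txt reads back as "hello" and the deleted file has no entry at all, which is why the examiner works from the raw image rather than through the operating system.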

Importance of Computer Forensics Cont’d

• This underscores the need for the organization also to implement security mechanisms (along with the hardware above) which can provide these specific pieces of data (examples include security devices which make use of artificial intelligence, machine learning, business analytics, etc.).
• Deploying this kind of security model, in which the principles of computer forensics are also adopted, is referred to as “Defense in Depth.”
• By having these specific pieces of data, there is a much greater probability that the evidence presented will be considered admissible in a court of law, thus bringing the perpetrators who launched the cyber-attack to justice.

History of Digital Forensics

• Hans Gross (1847 - 1915): First use of scientific study to head criminal investigations.
• FBI (1932): Set up a lab to offer forensics services to all field agents and other law authorities across the USA.
• In 1978 the first computer crime was recognized in the Florida Computer Crime Act.
• Francis Galton (1982 - 1911): Conducted the first recorded study of fingerprints.
• In 1992, the term Computer Forensics was used in academic literature.
• In 1995, the International Organization on Computer Evidence (IOCE) was formed.
• In 2000, the first FBI Regional Computer Forensic Laboratory was established.
• In 2002, the Scientific Working Group on Digital Evidence (SWGDE) published the first book about digital forensics, called "Best practices for Computer Forensics".
• In 2010, Simson Garfinkel identified issues facing digital investigations.

Objectives of Computer Forensics

• It helps to recover, analyze, and preserve computer and related materials in such a manner that the investigation agency can present them as evidence in a court of law.
• It helps to postulate the motive behind the crime and the identity of the main culprit.
• Designing procedures at a suspected crime scene which help to ensure that the digital evidence obtained is not corrupted.
• Data acquisition and duplication: recovering deleted files and deleted partitions from digital media to extract the evidence and validate them.
• Helps you to identify the evidence quickly, and also allows you to estimate the potential impact of the malicious activity on the victim.
• Producing a computer forensic report which offers a complete report on the investigation process.
• Preserving the evidence by following the chain of custody.

Computer Forensics Process

• Computer forensics work procedure or work process can be divided into 5 major parts.

Computer Forensics Process Cont’d

• Identification
  • The first process of computer forensics is to identify the scenario or to understand the case.
  • At this stage, the investigator has to identify the purpose of investigation, type of incident, parties involved in the incident, and the resources that are
