tools required at various stages of an examination which do not fall neatly into one or other of these categories. Earlier sections focused upon imaging and analysis; here we list briefly some of the important additional capabilities that need to be provided, capabilities such as link analysis, which relates data from separate files or sources and provides an effective visualization of that information. These tools rely in turn upon time-lining tools and sophisticated search engines with fuzzy logic capability (e.g., NTI’s IPFilter program, which can identify patterns of text associated with prior Internet activities). Link analysis explores and visualizes the key nodes and structures within a data network (i.e., a collection of related data). It is an important tool for exploring relationships in data when investigating complex cases such as fraud that involve large volumes of data such as e-mail or audit data. Link analysis examines a large number of potentially dissimilar records of data and establishes links among those records based on data fields with identical or related values, using artificial intelligence (AI) techniques such as heuristic methods to find the links between the records . This bottom-up approach to constructing networks is quite different to techniques that rely on statistical methods. A good introduction to the concept of link analysis can be found at . One of the best known link analysis tools used in computer forensics is the Analyst’s Notebook from i2 Inc. . Analyst’s Notebook is a link analysis and data visualization product that has been used in criminal and fraud investigations worldwide. It consists of two main tools, one for link analysis and one for case management. The latter also provides a time-line analysis capability, a capability whose importance cannot be overestimated. Time-lining is a recurring theme in this chapter (Section 2.4.1) and Chapters 3, 4, and 6.
Both EnCase and CFIT examined in Section 2.3 support time-lining. The case studies listed on the i2 site include New Scotland Yard and the Gloucester Police as two users of the Analyst’s Notebook; in addition, the FBI has recently signed a $2 million contract with i2 while the U.S. Postal Inspection Service is also a user of this tool. Netmap is a link analysis tool widely used by LE in the United States while Watson from Xanalys is also widely used for link analysis and data visualization in both LE and in the finance sector. The latter was successfully used recently by the Durham Police (United Kingdom) to analyze over 4,000 e-mail messages as part of a child pornography investigation, leading to a heavier conviction against the offender.
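The bottom-up record linking described above, as an added example (not code from i2, Netmap or Xanalys): records from different sources are joined when they share a value in a linking field, connected components give the structures a link chart would show, and node degree is a crude measure of "key nodes". The records and linking fields are constructed for this example.

```python
"""Record-linking example added here; it is not i2's or Netmap's code.

Records from different sources (mail headers, audit logs, phone records)
are linked when they share a value in a linking field. Connected
components of the resulting graph are the structures link analysis
visualizes, and node degree is a simple measure of 'key nodes'.
All records below are constructed sample data.
"""
from collections import defaultdict
from itertools import combinations

LINK_FIELDS = ("email", "phone", "ip")   # assumed fields whose equal values create a link

RECORDS = [  # constructed sample records; 'source' names the originating data set
    {"id": "r1", "source": "mail",  "email": "alice@example.org", "ip": "10.0.0.5"},
    {"id": "r2", "source": "audit", "user": "alice", "ip": "10.0.0.5"},
    {"id": "r3", "source": "mail",  "email": "bob@example.org", "phone": "555-0100"},
    {"id": "r4", "source": "phone", "phone": "555-0100", "ip": "10.0.0.9"},
    {"id": "r5", "source": "audit", "user": "carol", "ip": "192.0.2.7"},
    {"id": "r6", "source": "phone", "email": "alice@example.org", "phone": "555-0100"},
]


def build_links(records, fields=LINK_FIELDS):
    """Return edges (id_a, id_b, field, value) for every pair of records that
    share the same value in one of the linking fields (bottom-up, no statistics)."""
    index = defaultdict(list)              # (field, value) -> record ids
    for rec in records:
        for field in fields:
            if field in rec:
                index[(field, rec[field])].append(rec["id"])
    edges = []
    for (field, value), ids in index.items():
        for a, b in combinations(ids, 2):
            edges.append((a, b, field, value))
    return edges


def clusters(records, edges):
    """Connected components via union-find; returns a sorted list of sorted id lists."""
    parent = {rec["id"]: rec["id"] for rec in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for a, b, _, _ in edges:
        parent[find(a)] = find(b)
    groups = defaultdict(list)
    for rid in parent:
        groups[find(rid)].append(rid)
    return sorted(sorted(g) for g in groups.values())


def key_nodes(edges):
    """Record ids ordered by degree (most linked first); ties broken by id."""
    degree = defaultdict(int)
    for a, b, _, _ in edges:
        degree[a] += 1
        degree[b] += 1
    return sorted(degree.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    links = build_links(RECORDS)
    for a, b, field, value in links:
        print(f"{a} -- {b}  (shared {field}={value})")
    print("clusters:", clusters(RECORDS, links))
    print("key nodes:", key_nodes(links)[:3])
```

Record r6 is the bridge: it shares an address with r1 and a phone number with r3 and r4, so the two otherwise separate groups collapse into one cluster and r6 surfaces as the most connected node.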
SecurityBreachResponse.com and is the Chief Information Security Officer for Securit-e-Doc, Inc. Before starting this position, he was Vice President of Technical Operations at Intelliswitch, Inc., where he supervised an international telecommunications and Internet service provider network. Dave is a recognized security expert. A former Florida Certified Law Enforcement Officer, he specializes in computer forensic investigations, incident response, intrusion analysis, security audits, and secure network infrastructures. He has written several secure installation and configuration guides about Microsoft technologies that are used by network professionals. He has developed a Windows operating system lockdown tool, S-Lok (www.s-doc.com/products/slok.asp), which surpasses NSA, NIST, and Microsoft Common Criteria Guidelines.
A key theme in the digital forensics procedure is one of preservation of data. This is no more important than at the acquisition stage where the investigator has to deal with the original suspect system. Securing data at this stage is imperative for the integrity of the investigation. This chapter focuses upon the procedures and tools available for the acquisition of data on a computer system. It will also give consideration to the decisions an examiner will have to make during the process and the effects they have upon the data integrity. A computer system fundamentally has two sources of data that are of interest to a forensic examiner: volatile and non-volatile memory. Volatile memory primarily relates to the main RAM of a computer, but also includes cache memory and even register memory. Forensic investigations typically focus upon the main memory, as this has a significantly larger capacity than the other two, with systems commonly having 2–4 gigabytes (GBs) of data. Non-volatile memory relates to all other media types that do not lose their data when the power source is removed. Hard drives are amongst the most common forms of memory, with capacities now in terabytes. However, a variety of removable-based media are now also commonly found (e.g. USB keys/Thumb Drives, iPods and SD cards) with varying storage capacities in the gigabyte range.
Hard disk and floppy storage are subject to exploitation by advanced hackers who may have developed tools to utilize otherwise inaccessible areas of the hard disk for data storage. Techniques can be employed that take advantage of something called "slack space" in hard drive sectors. Basically, slack space is the unused space in a sector on the hard drive. Think of it as if the entire hard drive storage were divided up like the mail slots in a hotel lobby for each of the hotel rooms. When mail comes in (or in this case, a computer file to be stored is saved), it goes into the available mail slot reserved for it. If you have too much mail to fit in the single slot, it may have to overflow into the adjacent slot. The rule for this mailbox, however, is that once a slot contains a file, or part of a file, another file is not normally allowed to be stored in the remaining open portion of that mailbox (or sector in our case) even if there is plenty of room, and the next available mail slot is used. What happens to the potentially empty portion of space in the sector? Well, normally it goes to waste. That is why you can fill a hard drive up with lots of small files that do not add up to the rated storage capacity of the drive. The secret here is that low-level programs can be written to take advantage of these "slack" areas for data storage. Another thing to keep in mind is that data in a slack area may have belonged to an incriminating file prior to its deletion, and a smaller file was subsequently stored on top of it; thus, some of that incriminating information may be left behind in that "slack space." A smart perpetrator can also take advantage of tools that supposedly wipe out information with multiple passes of file writes that write a series of binary 1s and 0s in a series of seven passes over the file area.
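The "smaller file stored on top of a deleted one" case, as an added example with constructed data (not code from the original text): a tiny disk image is built, a larger file is written and "deleted", a small file reuses its first cluster, and the examiner carves the slack after the new file to find the remnant. The cluster size of one 512-byte sector is an assumption chosen to match the text's sector wording.

```python
"""Slack-space carving (added example with constructed data; not from the page).

The text speaks of sectors; file systems actually hand out whole clusters
(one sector per cluster here, to match the text). A file that does not fill
its last cluster leaves slack after its final byte, and a file written over a
deleted one does not clear that slack, so remnants of the old file survive there.
"""
CLUSTER_SIZE = 512   # assumed: one 512-byte sector per cluster


def slack_size(file_size, cluster_size=CLUSTER_SIZE):
    """Bytes of slack in the file's last cluster (0 for an empty file or an exact fit)."""
    if file_size == 0:
        return 0
    return (-file_size) % cluster_size


def write_file(image, first_cluster, data, cluster_size=CLUSTER_SIZE):
    """Store data contiguously from first_cluster, touching only the bytes it
    needs; like a real file system it does not zero the rest of the last cluster."""
    start = first_cluster * cluster_size
    image[start:start + len(data)] = data


def carve_slack(image, first_cluster, file_size, cluster_size=CLUSTER_SIZE):
    """Return the slack bytes that follow a file of file_size bytes at first_cluster."""
    start = first_cluster * cluster_size + file_size
    return bytes(image[start:start + slack_size(file_size, cluster_size)])


def build_demo_image():
    """Constructed 2 KiB 'disk': a larger file is written, 'deleted', and a
    small file then reuses its first cluster. Returns (image, old_len, new_len)."""
    image = bytearray(4 * CLUSTER_SIZE)
    old = b"OLD FILE: text of a since-deleted document\n" * 20    # spans two clusters
    write_file(image, 0, old)
    # deletion only removes the directory entry; the data stays in place
    new = b"hello world\n"
    write_file(image, 0, new)
    return image, len(old), len(new)


if __name__ == "__main__":
    image, old_len, new_len = build_demo_image()
    print(f"old file {old_len} bytes left {slack_size(old_len)} bytes of slack")
    print(f"new file {new_len} bytes left {slack_size(new_len)} bytes of slack")
    print("slack after new file starts with:", carve_slack(image, 0, new_len)[:40])
```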
While recovery of information wiped out in this manner is far more difficult, and in many cases impossible with any meaningful results, some recovery techniques exist that specialists can employ to retrieve some of the data. Factors such as the size of the hard drive, the accuracy of the mechanical system in the drive, the power with which the information was recorded, and even the length of time the information was left on the drive prior to wiping all will have an effect on the probabilities for recovery. Performing such recovery is available from companies that specialize in these tasks, but be advised that it is not inexpensive to have this done.
Investigation Division of the IRS to create image files for forensic examination and evidentiary purposes. It is capable of duplicating individual partitions or entire disks of virtually any size, and the image files can be transferred to SCSI tape units or almost any other magnetic storage media. The product contains CRC functions to check the integrity of the copies, as well as date and timestamps to maintain an audit trail of the software’s operations. The vendor provides a three-day computer forensic course to train forensic specialists in the use of the software. (In fact, the company does not provide technical support to individuals who have not undergone this training.) SafeBack is DOS-based and you can use it to copy DOS, Windows, and UNIX disks (including RAID drives) on Intel-compatible systems. You can save images as multiple files for storage on CDs or other small-capacity media. To avoid legal concerns about possible alteration, no compression or translation is used in creating the image. Once you have created a duplicate of the data using SafeBack, you can use GFE Stealth to automatically extract photos and other images. You can examine files output by GFE Stealth using any of the picture viewers discussed in the next section. GFE Stealth is available from www.forensics-intl.com.
Network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection. Unlike other areas of digital forensics, network investigations deal with volatile and dynamic information. Network traffic is transmitted and then lost, so network forensics is often a pro-active investigation. Network forensics generally has two uses. The first, relating to security, involves monitoring a network for anomalous traffic and identifying intrusions. An attacker might be able to erase all log files on a compromised host; network-based evidence might therefore be the only evidence available for forensic analysis. The second form relates to law enforcement. In this case analysis of captured network traffic can include tasks such as reassembling transferred files, searching for keywords and parsing human communication such as emails or chat sessions.
Computer forensics science, which views computer systems as crime scenes, aims to identify, recover, analyze, preserve and present facts and opinions on information collected for a security event. It analyzes what attackers have done, such as spreading computer viruses, malware, and malicious code and conducting DDoS attacks. Most intrusion detection techniques focus on how to find malicious network behaviours and acquire the characteristics of attack packets, i.e., attack patterns, based on the histories recorded in log files. Qadeer et al. used a self-developed packet sniffer to collect network packets with which to discriminate network attacks with the help of network states. These files contain traces of computer misuse. The authors systematically summarized and compared different intrusion detection methods, thus allowing us to clearly view the existing research challenges. In previous work, a security system which collects forensic features for users at command level rather than at SC level, by invoking data mining and forensic techniques, was developed. Moreover, if attackers use many sessions to issue attacks, e.g., DDoS attacks or multistage attacks, then it is not easy for that system to identify attack patterns. Another work presented an IDS that utilizes a forensic technique to profile user behaviors and a data mining technique to carry out cooperative attacks. The authors claimed that the system could detect intrusions effectively and efficiently in real time. However, they did not mention the SC filter. Giffin et al. This is helpful in detecting applications that issue a series of malicious SCs and identifying attack sequences that have been collected in knowledge bases. When an undetected attack is presented, the system frequently finds the attack sequence in 2 s as its computation overhead. Fiore et al.
explored the effectiveness of a detection approach based on machine learning, using the Discriminative Restricted Boltzmann Machine to combine the expressive power of generative models with good classification accuracy, so as to infer part of its knowledge from incomplete training data, so that the network anomaly detection scheme can provide an adequate degree of protection from both external and internal menaces. Faisal et al. analyzed the possibility of using data stream mining to enhance the security of advanced metering infrastructure through an IDS. which is one of the most crucial components of smart card, serves as a bridge
attack patterns. These files contain tracked information of computer misuse. This means that, from synthetically generated log files, these traces or patterns of misuse can be more accurately reproduced. The author overviewed research progress in applying methods of computational intelligence, including artificial neural networks, fuzzy systems, evolutionary computation, artificial immune systems, and swarm intelligence, to detect malicious behaviors. The author compared different intrusion systems and systematically summarized the details, hence allowing the existing research challenges to be described. For network security these aforementioned techniques and applications work well. When an unauthorized user logs in to the system with a valid ID and password, these systems are not able to easily authenticate the remote login user and detect that specific type of intrusion. In previous work, a security system that collects forensic features for users at command level rather than at SC level, by invoking data mining and forensic techniques, was developed. Moreover, if attackers use many sessions to issue attacks, e.g., multistage attacks, or launch DDoS attacks, then it is not easy for that system to identify attack patterns. The author presented an intelligent lightweight IDS that, with the help of this forensic technique, identifies user behavior and uses a data mining technique to carry out cooperative attacks. The authors claimed that the system could detect intrusions effectively and efficiently in real time. However, they did not mention the SC filter. The author provided another example of integrating computer forensics with a knowledge-based system. To allow an SC sequence to be executed, the system adopts a predefined model. The same will be employed by a detection system to restrict program execution to ensure security
If the basic input/output system (BIOS) interface is chosen to access integrated drive electronics (IDE) hard drives on an older computer using a legacy BIOS that underreports the number of cylinders on the drive, then there may be a small area of sectors at the end of the drive that is not accessed. The sectors in this area are usually not used by commercial software. If direct access using the advance technology attachment (ATA) interface is chosen instead, EnCase accesses every sector of the hard drive. For certain partition types (FAT32 and NTFS), a logical restore of a
Abstract: Digital forensics is the process of interpreting and uncovering electronic data. The goal of the process is to preserve any evidence in its most original form while performing a structured investigation by collecting, identifying and validating the digital information for the purpose of reconstructing past events. This dissertation will discuss the need for network forensics to be practiced in a legal and effective way. This study also discusses types of digital forensics and prevention ideas for online fraud, social networking crime, etc. IDS stands for intrusion detection system, a technique by which we can monitor our network traffic, take control over suspicious activity and alert the administrator or the network. In this dissertation I also try to define how computers may communicate with each other as well as how they share resources and use the same Internet. This paper defines types of intrusion detection system and presents a practical implementation on packet transmission in order to sniff bad data packets and take control over transmission between computers which share resources. It also presents the full implementation of sniffer application software that captures network data and provides sufficient means for the decision-making process of an administrator. The aim of this application is to rewrite a C# language sniffer into .NET, and also to develop an application that consumes little memory on the hard disk.
The tools that you use for forensic duplication must pass the legal tests for reliability. Over the past few years, we have seen a number of commercial entities enter the forensic tool market. Each one is motivated to separate itself from the competition by reinventing definitions that fit their vision, or worse, insert the word forensics into every marketing spin possible. An important item to note is that it is far easier to prove that the information was gathered in a reliable, accurate manner when the tool is generally accepted by others in the field. This is not to say that a new technique for imaging cannot be used, but simply that the court may recognize the validity of a documented technique more quickly than a process created for that particular occasion. This leads us to how courts recognize the methods used by a testifying expert.
crime. Their own computers — not just computers of people they know — have been infected with a virus or worm, their company website has been defaced or its presence crippled by a denial of service attack, or their information systems have been infiltrated and their company’s proprietary data has fallen into the hands of an unidentified intruder. Indeed, as time passes, amongst those that actively use computers, I meet fewer and fewer organizations that have proven immune to these growing threats. And, I suspect that the people in this room, and the groups you represent, are no different. If you don’t think that you or your company has ever been affected by some form of cybercrime, either you just aren’t aware of it, or you are a lucky member of a rapidly narrowing class. An annual computer crime survey conducted jointly between the Computer Security Institute and the FBI bears this out. In 1996, when we asked systems administrators if anybody had gained unauthorized access to their computers, less than half, 42 percent, answered yes. Last year, when asked the same question, well over half of the respondents, a full 70 percent, answered yes. And there lies the irony to the privacy debate. Law-abiding citizens are finding that their privacy is increasingly being intruded upon by criminals. Meanwhile, the criminals are gaining privacy. I’ve been the Director of the NIPC for a little over eight months now, having held a number of different management positions at the Center since arriving there in 1998. I have watched it grow and develop almost from its inception. Bear in mind that, just three years ago, infrastructure protection was relatively new ground for the Federal government. President Clinton issued Presidential Decision Directive 63 in May of 1998. It was a wake up call, which established a new framework for doing business.
For the first time, the Federal government created an interagency entity, the National Infrastructure Protection Center — combining the United States law enforcement, military, and intelligence communities — to work directly with the private sector to achieve what many to this day say is impossible: The elimination of all vulnerabilities to our nation’s critical infrastructures. Eliminating all of these vulnerabilities, stated the President, would necessarily require “flexible, evolutionary approaches” spanning both the public and private sectors, and protecting both domestic and international security.
– Time stamps are very important, and doing live analysis will alter non-volatile data in the computer! (Locard’s Exchange Principle)
– On the other hand, pulling the power cable may cause corruption
– Sometimes there is no other option: mission-critical server
E-mails come with information about every computer they pass through to get to you. This is kept in the headers. Sometimes even more information is in the headers. Viewing the headers, however, is not always so simple: various mail clients all have different ways to view them. The real trick to reading headers, though, is to know they are backwards. The top of the list is you. Then it goes back one hop with each line, until the very last line, which is the computer or network that the mail was sent from.
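Reading the Received headers bottom-up, as an added example (not code from the original text): the message below is constructed, each relay's header is parsed for its from/by hosts, bracketed IP and timestamp, the list is reversed into transmission order, and each hop's "by" host is checked against the next hop's "from" host, since a break in that chain is where an inserted header would show.

```python
"""Walk an e-mail's Received headers from origin to recipient (added example).

Each relay prepends its own Received header, so reading top-down runs
from you back to the sender; this reverses the list and checks that each
hop's 'by' host matches the next hop's 'from' host. The message is
constructed for this example.
"""
import email
import re
from email.utils import parsedate_to_datetime

RAW_MESSAGE = b"""Received: from relay2.example.net (relay2.example.net [198.51.100.7])
\tby mx.recipient.example (Postfix) with ESMTP id ABC123
\tfor <user@recipient.example>; Tue, 05 Mar 2019 10:02:11 +0000
Received: from relay1.example.org (relay1.example.org [203.0.113.4])
\tby relay2.example.net with ESMTP id DEF456; Tue, 05 Mar 2019 10:02:05 +0000
Received: from [192.0.2.25] (helo=laptop) by relay1.example.org
\twith ESMTP id GHI789; Tue, 05 Mar 2019 10:01:58 +0000
From: sender@example.org
To: user@recipient.example
Subject: test
Date: Tue, 05 Mar 2019 10:01:50 +0000

body
"""


def parse_received(value):
    """Pull from/by hosts, the bracketed IP and the timestamp out of one header."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)      # unfold continuation lines
    src = re.search(r"\bfrom\s+(\S+)", value)
    dst = re.search(r"\bby\s+(\S+)", value)
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", value)
    date = parsedate_to_datetime(value.rsplit(";", 1)[1].strip()) if ";" in value else None
    return {"from": src.group(1) if src else None,
            "by": dst.group(1) if dst else None,
            "ip": ip.group(1) if ip else None,
            "date": date}


def hops(raw_message):
    """Received headers in transmission order: origin first, your server last."""
    msg = email.message_from_bytes(raw_message)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def chain_consistent(hop_list):
    """True when every hop was received 'by' the host the next hop says it came 'from'.
    A break in the chain is where an inserted or forged header would show up."""
    return all(a["by"] == b["from"] for a, b in zip(hop_list, hop_list[1:]))


if __name__ == "__main__":
    path = hops(RAW_MESSAGE)
    for n, hop in enumerate(path, 1):
        print(f"hop {n}: {hop['from']} ({hop['ip']}) -> {hop['by']} at {hop['date']}")
    print("chain consistent:", chain_consistent(path))
```

Only the hops above the sender's own relay can be trusted; a sender controls everything below the first header added by a server you trust, so the consistency check is a screen for clumsy insertion, not proof of origin.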
There are some practical examples of forensic triage. Kim et al. looked at a couple of indicators of malware and hacking attempts: timeline analysis of system files, DNS analysis, phishing and pharming inspection, correlation analysis between the network connection and processes, and ARP analysis, and whether these features can be used to see if a system is infected. This research can be seen as an example of how the problem can be addressed: they used some rules and signatures to determine whether the user station was within the expected values. However, not everything they use is viable: changing the host.txt file to redirect to another site is not done as frequently anymore. There are ways to achieve the same goal which are less detectable than changing the host.txt; however, checking the host.txt for changes is an easy thing to do and may still be worth doing. The timeline analysis of system files will generate a lot of false positives: during the normal operation of the operating system, anomalies (wrong combinations of timestamps) are generated, so this method will also find these false positives. Some of the other features could be examined to see whether they prove viable. Berte et al. describe a way to execute post-mortem forensic triage on the computer system of a suspect. The focus of the research is to triage computers based on the likelihood that they were used in illegal activity. They suggest that whoever does triage on the computer looks at a couple of indicators within the computer, including the installed software, browser history and system event logs. While this research focuses on the triage of systems used by attackers, the same method, with perhaps different features, could be used to determine whether a system is the victim of an attacker. Marturana et al. do a similar study. They use the same model as Berte et al.
and they use similar features, like the installed programs (specifically file sharing programs) and browser history, but also the number of specific (.pdf, .iso, .divx) files on the system. They use a couple of machine learning algorithms and 10-fold cross-validation to see how well they performed. The classifiers managed to get up to 99% accuracy in determining whether a system was used to commit copyright infringement.
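Two of the Kim et al. indicators discussed above as rule checks, in an added example with constructed data (not the authors' code): unexpected entries in the hosts file (the text's host.txt) and the created-after-modified timestamp combination. The baseline hosts entries and the sample file records are assumptions, and the second rule deliberately shows why it needs review: an ordinary copy or archive extraction preserves the old modification time and trips it too.

```python
"""Rule-based host triage (added example; constructed data, not Kim et al.'s code).

Two of the indicators discussed above, as simple checks: hosts-file entries
outside a known baseline, and system-file timestamp combinations that should
not occur in normal use. Every hit is a lead for review, not a verdict,
because ordinary operations (copying files, legitimate hosts edits) trip
the same rules.
"""
from datetime import datetime

BASELINE_HOSTS = {"127.0.0.1 localhost", "::1 localhost"}   # assumed expected entries

SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1   localhost
::1         localhost
0.0.0.0     update.example.com   # silences an update server
203.0.113.9 www.bank.example
"""

SAMPLE_FILES = [  # constructed file records: name, created, modified
    {"name": "C:/Windows/System32/kernel32.dll",
     "created": datetime(2019, 1, 10, 8, 0), "modified": datetime(2019, 1, 10, 8, 0)},
    {"name": "C:/Users/u/Downloads/invoice.exe",
     "created": datetime(2019, 3, 5, 10, 0), "modified": datetime(2017, 6, 1, 12, 0)},
    {"name": "C:/Users/u/Documents/report.docx",
     "created": datetime(2019, 3, 4, 9, 0), "modified": datetime(2019, 3, 4, 11, 0)},
]


def hosts_anomalies(hosts_text, baseline=BASELINE_HOSTS):
    """Return normalized hosts entries not in the baseline (comments and blanks ignored)."""
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        entry = " ".join(line.split())          # collapse whitespace
        if entry not in baseline:
            hits.append(entry)
    return hits


def timestamp_anomalies(files):
    """Flag files whose creation time is later than their last modification.
    Timestomping produces this, but so does copying or extracting a file with
    its original mtime preserved: hence the false positives noted above."""
    return [f for f in files if f["created"] > f["modified"]]


def triage(hosts_text, files):
    """Combine the rules into one review list for the examiner."""
    hosts = hosts_anomalies(hosts_text)
    stamps = timestamp_anomalies(files)
    return {"hosts": hosts,
            "timestamps": [f["name"] for f in stamps],
            "needs_review": bool(hosts or stamps)}


if __name__ == "__main__":
    print(triage(SAMPLE_HOSTS, SAMPLE_FILES))
```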
h. Wireless access in the United States is increasing at an explosive rate. It can be found at McDonald’s, Starbucks, in many airports and hotels, and most important to this discussion, in our homes where we may like to access our high-speed Internet connection from anywhere in the house without running wires all over the place. The literature is full of the technical details of how insecure this Wi-Fi standard is. Out of the box, Wi-Fi is configured to require no password, no encryption, and no security at all, and most users do not tinker with those default settings. Now, radio travels over far larger distances than what these boxes claim, and it is not uncommon for a home Wi-Fi to be accessed a full 5 miles away if one builds a directional antenna and drives around town looking for other people’s home Wi-Fi’s to connect to, a practice known as “war driving.” Once connected, which is a trivial matter because there is no security, the war driver has full access to the victim’s computer and Internet connection. This means that files can be placed on or removed from the victim’s computer, and it also means that the war driver can leave a long trace of illegal Internet activity in the victim’s ISP’s records. Now imagine the very common situation where the victim is at home, is the only person at home, and the war driver uses the victim’s computer to engage in any one or more of the multitude of illegal activities that can be conducted over the Internet. The finger will be pointed at the victim as being the “obvious” perpetrator; good luck convincing an uninformed court that the victim was a victim and not the perpetrator.
Seda and Kramer (2015) examined the extent to which educators were following the U.S. National Institute of Justice funded suggested model forensic accounting curriculum, discussed earlier in this paper (WVU, 2007). In general, they found that undergraduate and graduate accounting programs had weak coverage of forensic accounting in a digital environment. They acknowledge this finding may be due to the interdisciplinary nature of forensic accounting, given that computer forensics is an area that most accounting educators may believe they lack the expertise to adequately teach. However, not every member of a forensic accounting team necessarily needs to have the expertise of a forensic technology specialist, although someone on the team with this expertise is often critical (Pope & Ong, 2007). Kramer et al. (2017) acknowledge that as the business world moves more toward a paperless electronic environment, the ability to perpetrate fraud will continue to expand, increasing the demand for forensic accountants with computer skills. Given that there has been a dramatic increase in the availability of forensic accounting education, the researchers surveyed forensic accounting
This course requires not only theoretical exploration but also practical capacity, so the teacher attaches great importance to the experiments. There are seven experiments in this class, including the recovery of hard disks, the encryption and decryption of electronic data, the forensics of computer log systems, and sniffing on the Internet. The department invested 2 million RMB to build a professional internet and information lab, and bought some software, hardware and supporting equipment. Now it can support about 50 students practicing at the same time. In order to improve the effect of the experiments, the lab is divided into 8 groups; each one is seated at a hexagonal lab table and can form a subnet. Every group is connected to each other by network. The teacher’s computer is set up as the server to connect to the Internet. The students in each group can cooperate with each other to complete the experiment, and the teacher can also arrange a simulated computer attack and defense scene. Some groups act in the role of hackers, some in the role of computer forensics experts, so they can interact with each other and the interest of the class is improved.