Cyber Forensics Software

Thousands of people use Autopsy to figure out what really happened on a computer. Specialists at large companies and in the military use Autopsy widely in their work. Autopsy is an open source graphical interface for efficient forensic examination of hard disks and smartphones.

Computer forensics analysis is not limited only to computer media

Computer forensics (also known as computer forensic science[1]) is a branch of digital forensic science pertaining to evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information.

Although it is most often associated with the investigation of a wide variety of computer crime, computer forensics may also be used in civil proceedings. The discipline involves similar techniques and principles to data recovery, but with additional guidelines and practices designed to create a legal audit trail.

Evidence from computer forensics investigations is usually subjected to the same guidelines and practices of other digital evidence. It has been used in a number of high-profile cases and is becoming widely accepted as reliable within U.S. and European court systems.


Overview

In the early 1980s personal computers became more accessible to consumers, leading to their increased use in criminal activity (for example, to help commit fraud). At the same time, several new 'computer crimes' were recognized (such as cracking). The discipline of computer forensics emerged during this time as a method to recover and investigate digital evidence for use in court. Since then computer crime and computer-related crime have grown, jumping 67% between 2002 and 2003.[2] Today it is used to investigate a wide variety of crime, including child pornography, fraud, espionage, cyberstalking, murder and rape. The discipline also features in civil proceedings as a form of information gathering (for example, electronic discovery).

Forensic techniques and expert knowledge are used to explain the current state of a digital artifact, such as a computer system, storage medium (e.g. hard disk or CD-ROM), or an electronic document (e.g. an email message or JPEG image).[3] The scope of a forensic analysis can vary from simple information retrieval to reconstructing a series of events. In a 2002 book, Computer Forensics, authors Kruse and Heiser define computer forensics as involving 'the preservation, identification, extraction, documentation and interpretation of computer data'.[4] They go on to describe the discipline as 'more of an art than a science', indicating that forensic methodology is backed by flexibility and extensive domain knowledge. However, while several methods can be used to extract evidence from a given computer, the strategies used by law enforcement are fairly rigid and lack the flexibility found in the civilian world.[5]

Use as evidence

In court, computer forensic evidence is subject to the usual requirements for digital evidence. This requires that information be authentic, reliably obtained, and admissible.[6] Different countries have specific guidelines and practices for evidence recovery. In the United Kingdom, examiners often follow Association of Chief Police Officers guidelines that help ensure the authenticity and integrity of evidence. While voluntary, the guidelines are widely accepted in British courts.

Computer forensics has been used as evidence in criminal law since the mid-1980s; some notable examples include:[7]

  • BTK Killer: Dennis Rader was convicted of a string of serial killings that occurred over a period of sixteen years. Towards the end of this period, Rader sent letters to the police on a floppy disk. Metadata within the documents implicated an author named 'Dennis' at 'Christ Lutheran Church'; this evidence helped lead to Rader's arrest.
  • Joseph E. Duncan III: A spreadsheet recovered from Duncan's computer contained evidence that showed him planning his crimes. Prosecutors used this to show premeditation and secure the death penalty.[8]
  • Sharon Lopatka: Hundreds of emails on Lopatka's computer led investigators to her killer, Robert Glass.[7]
  • Corcoran Group: This case confirmed parties' duties to preserve digital evidence when litigation has commenced or is reasonably anticipated. Hard drives were analyzed by a computer forensics expert who could not find relevant emails the Defendants should have had. Though the expert found no evidence of deletion on the hard drives, evidence came out that the defendants were found to have intentionally destroyed emails, and misled and failed to disclose material facts to the plaintiffs and the court.
  • Dr. Conrad Murray: Dr. Conrad Murray, the doctor of the deceased Michael Jackson, was convicted partially by digital evidence on his computer. This evidence included medical documentation showing lethal amounts of propofol.

Forensic process

A portable Tableau write blocker attached to a Hard Drive

Computer forensic investigations usually follow the standard digital forensic process, whose phases are acquisition, examination, analysis and reporting. Investigations are performed on static data (i.e. acquired images) rather than 'live' systems. This is a change from early forensic practice, where a lack of specialist tools led investigators to work on live data.
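The acquisition step of that process, as an added example that is not part of the original article: the source medium is copied into an image in fixed-size chunks, hashed while it is written, and the digests are stored in a manifest beside the image so that the static copy used for examination can be checked later against what was acquired. A hardware write blocker between the examiner and the source is assumed; the source here is an ordinary file standing in for a block device, and all file names are constructed for the demonstration.

```python
"""Acquire a storage image in chunks, hash it as it is written, and verify it later.

Added example for the acquisition/verification phases; not part of the
original page. Ordinary files stand in for a block device.
"""
import hashlib
import json
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB read size


def acquire_image(source_path, image_path):
    """Copy source to image, hashing every byte on the way through.

    Returns a manifest dict with the size and digests. The manifest is also
    written beside the image (image_path + '.json') so the hashes recorded at
    acquisition time can be checked before any examination begins.
    """
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    size = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            block = src.read(CHUNK)
            if not block:
                break
            md5.update(block)
            sha256.update(block)
            dst.write(block)
            size += len(block)
    manifest = {"source": os.path.basename(source_path), "bytes": size,
                "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}
    with open(image_path + ".json", "w") as f:
        json.dump(manifest, f)
    return manifest


def verify_image(image_path):
    """Re-hash the image and compare it with the manifest written at acquisition.

    Returns True only when the size and the SHA-256 digest both match; any
    single-byte change to the image makes this False.
    """
    with open(image_path + ".json") as f:
        manifest = json.load(f)
    sha256 = hashlib.sha256()
    size = 0
    with open(image_path, "rb") as img:
        for block in iter(lambda: img.read(CHUNK), b""):
            sha256.update(block)
            size += len(block)
    return size == manifest["bytes"] and sha256.hexdigest() == manifest["sha256"]


def demo():
    """Constructed source 'device' in a temp dir; returns (verified, verified_after_tamper)."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "sdb")        # constructed stand-in for a block device
        img = os.path.join(d, "sdb.raw")
        with open(src, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 123))   # odd size: the last chunk is partial
        acquire_image(src, img)
        ok_before = verify_image(img)
        with open(img, "r+b") as f:          # simulate a post-acquisition modification
            f.seek(10)
            b = f.read(1)
            f.seek(10)
            f.write(bytes([b[0] ^ 0x01]))
        ok_after = verify_image(img)
        return ok_before, ok_after


if __name__ == "__main__":
    print(demo())   # (True, False)
```

Two digests are recorded because examiners routinely report both MD5 and SHA-256 for an exhibit; verification here checks SHA-256 and the byte count, which is enough to detect any alteration of the image.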

Techniques

A number of techniques are used during computer forensics investigations and much has been written on the many techniques used by law enforcement in particular.

Cross-drive analysis
A forensic technique that correlates information found on multiple hard drives. The process, still being researched, can be used to identify social networks and to perform anomaly detection.[9][10]
Live analysis
The examination of computers from within the operating system using custom forensics or existing sysadmin tools to extract evidence. The practice is useful when dealing with Encrypting File Systems, for example, where the encryption keys may be collected and, in some instances, the logical hard drive volume may be imaged (known as a live acquisition) before the computer is shut down.
Deleted files
A common technique used in computer forensics is the recovery of deleted files. Modern forensic software has its own tools for recovering or carving out deleted data.[11] Most operating systems and file systems do not always erase physical file data, allowing investigators to reconstruct it from the physical disk sectors. File carving involves searching for known file headers within the disk image and reconstructing deleted materials.
Stochastic forensics
A method which uses stochastic properties of the computer system to investigate activities lacking digital artifacts. Its chief use is to investigate data theft.
Steganography
One of the techniques used to hide data is steganography, the process of hiding data inside a picture or digital image. An example would be hiding pornographic images of children or other information that a given criminal does not want to have discovered. Computer forensics professionals can fight this by looking at the hash of the file and comparing it to that of the original image (if available). While the image appears exactly the same, the hash changes as the data changes.[12]
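The file carving and hash comparison described under "Deleted files" and "Steganography" above, as one added example that is not part of the original article: a raw image is scanned for known file headers and trailers without consulting any file system, and each carved object is hashed and looked up in a reference set of known-good hashes, so a copy whose payload bytes were changed is flagged even though its framing still looks like the same picture. The "disk image", the two tiny file bodies and the reference hash set are all constructed in memory for the demonstration.

```python
"""Carve files by signature out of a raw image and check each against known hashes.

Added example, not from the original article. The 'disk image' is constructed
in memory: two small files at unaligned offsets with padding between them, plus
an altered copy of one of them.
"""
import hashlib
import re

# Header and trailer signatures. JPEG ends with FFD9; the PNG trailer is the IEND chunk.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_CARVE = 64 * 1024   # give up on a header whose trailer is not found within this span


def carve(image):
    """Return a sorted list of (offset, kind, bytes) for every header/trailer pair found.

    This is header/footer carving: it ignores any file system and scans the raw
    bytes, so deleted files whose sectors are still intact are found too.
    """
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        for m in re.finditer(re.escape(head), image):
            start = m.start()
            end = image.find(tail, start + len(head), start + MAX_CARVE)
            if end == -1:
                continue            # truncated or overwritten: skip rather than guess
            end += len(tail)
            found.append((start, kind, image[start:end]))
    return sorted(found)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def classify(carved, known_hashes):
    """Compare each carved object's hash with a reference set.

    known_hashes maps sha256 hex digest -> label of the original file. A carved
    object whose bytes were changed (e.g. by hiding data inside the picture)
    no longer matches, even though it still renders as the same image.
    Returns a list of (offset, kind, label or 'MODIFIED/UNKNOWN').
    """
    return [(off, kind, known_hashes.get(sha256(data), "MODIFIED/UNKNOWN"))
            for off, kind, data in carved]


def build_sample_image():
    """Constructed sample: header + payload + trailer for two files, zero padding between them."""
    jpg = b"\xff\xd8\xff\xe0" + b"A" * 40 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"B" * 40 + b"IEND\xaeB`\x82"
    altered = bytearray(jpg)
    altered[10] ^= 0x01               # one payload byte changed; header and trailer intact
    jpg_altered = bytes(altered)
    filler = b"\x00" * 100
    image = filler + jpg + filler + png + filler[:37] + jpg_altered + filler
    known = {sha256(jpg): "holiday.jpg", sha256(png): "logo.png"}   # constructed reference set
    return image, known


if __name__ == "__main__":
    image, known = build_sample_image()
    for off, kind, verdict in classify(carve(image), known):
        print(f"offset {off:6d}  {kind}  {verdict}")
```

Real carvers add a size limit per file type and handle formats without a fixed trailer; the hash comparison stays the same, and works only when a trusted original (or a hash set such as a vendor's known-file list) is available.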

Volatile data

When seizing evidence, if the machine is still active, any information stored solely in RAM that is not recovered before powering down may be lost.[8] One application of 'live analysis' is to recover RAM data (for example, using Microsoft's COFEE tool, WinDD, WindowsSCOPE) prior to removing an exhibit. CaptureGUARD Gateway bypasses Windows login for locked computers, allowing for the analysis and acquisition of physical memory on a locked computer.

RAM can be analyzed for prior content after power loss, because the electrical charge stored in the memory cells takes time to dissipate, an effect exploited by the cold boot attack. The length of time that data is recoverable is increased by low temperatures and higher cell voltages. Holding unpowered RAM below −60 °C helps preserve residual data by an order of magnitude, improving the chances of successful recovery. However, it can be impractical to do this during a field examination.[13]

Some of the tools needed to extract volatile data, however, require that a computer be in a forensic lab, both to maintain a legitimate chain of evidence, and to facilitate work on the machine. If necessary, law enforcement applies techniques to move a live, running desktop computer. These include a mouse jiggler, which moves the mouse rapidly in small movements and prevents the computer from going to sleep accidentally. Usually, an uninterruptible power supply (UPS) provides power during transit.

However, one of the easiest ways to capture data is by actually saving the RAM data to disk. Various file systems that have journaling features such as NTFS and ReiserFS keep a large portion of the RAM data on the main storage media during operation, and these page files can be reassembled to reconstruct what was in RAM at that time.[14]

Analysis tools

A number of open source and commercial tools exist for computer forensics investigation. Typical forensic analysis includes a manual review of material on the media, reviewing the Windows registry for suspect information, discovering and cracking passwords, keyword searches for topics related to the crime, and extracting e-mail and pictures for review.[7]

Certifications

There are several computer forensics certifications available, such as the ISFCE Certified Computer Examiner, Digital Forensics Investigation Professional (DFIP) and IACRB Certified Computer Forensics Examiner.

The top vendor-independent certification (especially within the EU) is considered to be the CCFP (Certified Cyber Forensics Professional).[15]

Others worth mentioning for the USA or APAC: IACIS (the International Association of Computer Investigative Specialists) offers the Certified Computer Forensic Examiner (CFCE) program.

ISFCE (the International Society of Forensic Computer Examiners®) offers the Certified Computer Examiner (CCE) program.

Asian School of Cyber Laws offers international-level certifications in Digital Evidence Analysis and in Digital Forensic Investigation. These courses are available online and in classroom mode.

Many commercial forensic software companies now also offer proprietary certifications for their products: Guidance Software offers the EnCE certification for its tool EnCase, AccessData the ACE certification for FTK, PassMark Software the OCE certification for OSForensics, and X-Ways Software Technology the X-PERT certification for X-Ways Forensics.[16]

References

  1. Michael G. Noblett; Mark M. Pollitt; Lawrence A. Presley (October 2000). 'Recovering and examining computer forensic evidence'. Retrieved 26 July 2010.
  2. Leigland, R (September 2004). 'A Formalization of Digital Forensics' (PDF).
  3. A Yasinsac; RF Erbacher; DG Marks; MM Pollitt (2003). 'Computer forensics education'. IEEE Security & Privacy. CiteSeerX 10.1.1.1.9510.
  4. Warren G. Kruse; Jay G. Heiser (2002). Computer forensics: incident response essentials. Addison-Wesley. p. 392. ISBN 978-0-201-70719-9. Retrieved 6 December 2010.
  5. Gunsch, G (August 2002). 'An Examination of Digital Forensic Models' (PDF).
  6. Adams, R. (2012). 'The Advanced Data Acquisition Model (ADAM): A process model for digital forensic practice'.
  7. Casey, Eoghan (2004). Digital Evidence and Computer Crime, Second Edition. Elsevier. ISBN 978-0-12-163104-8.
  8. Various (2009). Eoghan Casey (ed.). Handbook of Digital Forensics and Investigation. Academic Press. p. 567. ISBN 978-0-12-374267-4. Retrieved 27 August 2010.
  9. Garfinkel, S. (August 2006). 'Forensic Feature Extraction and Cross-Drive Analysis' (PDF).
  10. 'EXP-SA: Prediction and Detection of Network Membership through Automated Hard Drive Analysis'.
  11. Aaron Phillip; David Cowen; Chris Davis (2009). Hacking Exposed: Computer Forensics. McGraw Hill Professional. p. 544. ISBN 978-0-07-162677-4. Retrieved 27 August 2010.
  12. Dunbar, B (January 2001). 'A detailed look at Steganographic Techniques and their use in an Open-Systems Environment'.
  13. J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten (2008-02-21). 'Lest We Remember: Cold Boot Attacks on Encryption Keys'. Princeton University. Retrieved 2009-11-20.
  14. Geiger, M (March 2005). 'Evaluating Commercial Counter-Forensic Tools' (PDF).
  15. 'CCFP Salaries surveys'. ITJobsWatch. Retrieved 2017-06-15.
  16. 'X-PERT Certification Program'. X-pert.eu. Retrieved 2015-11-26.

Further reading

  • David Benton; Frank Grindstaff. A Practice Guide to Computer Forensics, First Edition (Paperback).
  • Casey, Eoghan; Stellatos, Gerasimos J. (2008). 'The impact of full disk encryption on digital forensics'. Operating Systems Review. 42 (3): 93–98. CiteSeerX 10.1.1.178.3917. doi:10.1145/1368506.1368519.
  • YiZhen Huang; YangJing Long (2008). 'Demosaicking recognition with applications in digital photo authentication based on a quadratic pixel correlation model' (PDF). Proc. IEEE Conference on Computer Vision and Pattern Recognition: 1–8. Archived from the original (PDF) on 2010-06-17. Retrieved 2009-12-18.
  • Chris Prosise; Kevin Mandia; Matt Pepe. Incident Response and Computer Forensics, Second Edition (Paperback).
  • Ross, S.; Gow, A. (1999). Digital archaeology? Rescuing Neglected or Damaged Data Resources (PDF). Bristol & London: British Library and Joint Information Systems Committee. ISBN 978-1-900508-51-3.
  • George M. Mohay (2003). Computer and intrusion forensics. Artech House. p. 395. ISBN 978-1-58053-369-0.
  • Chuck Easttom (2013). System Forensics, Investigation, and Response. Jones & Bartlett. p. 318. ISBN 978-1284031058.

External links

  • US NIST Digital Data Acquisition Tool Specification (PDF)

Computer forensics means examining computers for traces of data that might solve a problem, be it legal, workplace-related or personal. While the term computer forensics brings to mind an image of professionals using high-end tools to recover and examine data, there are tools that even laypeople can use. This article talks about some of the best free computer forensics tools and software that I have come across at some point or the other.

Free Computer Forensics Tools

P2 eXplorer


This is one of my favorite tools. Not that I have had a real use for it, but I found it interesting because it allows you to browse a disk image without having to burn it to DVDs. You simply mount a disk image to one of the available drive letters on your computer and then open it in Windows Explorer. Since it is a disk image, it is read-only. That means you can check out the contents but cannot make changes to it. Nevertheless, it is an important tool if you have to examine disks in detail or when you have too many computer disks to examine. You have all the data in one interface, and all you need to do is mount the image file and study it.


P2 eXplorer is available in both free and paid versions. The free version runs on 32-bit operating systems only. It does not mount EnCase v7 images, nor does it mount any virtual machine files. The paid version is highlighted more on their website, but the link to download the free version is available towards the right side of the page.

Digital Forensics Framework

This is open source software that allows for:

  1. Write blocking
  2. Read different types of file formats, irrespective of the operating system; you can also recover raw Linux files from a Windows OS using this software
  3. Remote access to disks and drives
  4. Recover and examine deleted and hidden files
  5. Can read the headers of the files easily so that you know which files to dig into for further information

Above all, people with good computer knowledge can write their own code and use it with the API of the Digital Forensics Framework.

HxD


This is yet another easy-to-use tool that analyses the file system and recovers files that have been deleted, on purpose or otherwise. It can also modify the RAM (system memory). It can handle files of any size. The interface is easy to use and hence can be used by anyone with little knowledge of how computers work. You can download HxD from the developer's website.


PlainSight


PlainSight is yet another free computer forensics tool that is open source and helps you preview the entire system in different ways. Its easy-to-use interface and self-explanatory labels allow people (even those with little knowledge of a computer's internal functioning) to use it without much difficulty. It can recover deleted files and hidden files and folders. It can help with certain other things, like obtaining hard disk information, viewing user groups and group information, examining USB storage information and the like. Though I like it for its ease of use, it does not offer many features beyond the basics of computer forensics. We have already seen P2 eXplorer, which can recover file fragments and place them in a readable form. Compared to that, it is really very simple.

Bulk Extractor

This is a good tool as it ignores the file table and parses the disk directly. That enables it to record hidden, system and deleted files. The information can then be aggregated into similar entries and analyzed using other tools. You can download Bulk Extractor from GitHub.
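The approach just described, scanning the raw bytes of an image for features without going through the file table and then aggregating what is found, as an added example in the spirit of that tool; it is not Bulk Extractor's own code. The sample image, the e-mail addresses and the URL in it are all constructed for the demonstration. It also goes a step beyond the paragraph by catching UTF-16LE text, which is how Windows stores much of its metadata and registry content.

```python
"""Feature extraction straight from raw bytes, ignoring the file table.

Added example in the spirit of the approach the text attributes to Bulk
Extractor; not that project's code. The image is constructed in memory and
the patterns cover only e-mail addresses and http(s) URLs.
"""
import re
from collections import Counter

PATTERNS = {
    "email": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "url": re.compile(rb"https?://[A-Za-z0-9./?=_%&-]+"),
}
WINDOW = 1024 * 1024   # bytes scanned per pass
OVERLAP = 256          # longer than any feature we expect, so one straddling a window edge is kept


def _count(hist, name, raw):
    hist[name][raw.decode("ascii", "replace").lower()] += 1


def scan_image(image):
    """Return {'email': Counter, 'url': Counter} for features found anywhere in the image.

    Two passes per window: one over the bytes as they are (8-bit text), and one
    over each byte stripe to catch UTF-16LE text, where every ASCII character is
    followed by a zero byte (as in NTFS metadata and the registry).
    """
    hist = {name: Counter() for name in PATTERNS}
    pos = 0
    while pos < len(image):
        chunk = image[pos:pos + WINDOW + OVERLAP]
        for name, pat in PATTERNS.items():
            # pass 1: plain 8-bit text; matches starting in the overlap belong to the next window
            for m in pat.finditer(chunk):
                if m.start() < WINDOW:
                    _count(hist, name, m.group())
            # pass 2: UTF-16LE text, de-interleaved into the even and odd byte stripes
            for parity in (0, 1):
                stripe, other = chunk[parity::2], chunk[1 - parity::2]
                for m in pat.finditer(stripe):
                    if m.start() * 2 + parity >= WINDOW:
                        continue
                    # the bytes between the characters must all be zero; otherwise this is
                    # just a coincidental sampling of ordinary 8-bit text
                    high = other[m.start() + parity:m.end() + parity]
                    if any(high):
                        continue
                    _count(hist, name, m.group())
        pos += WINDOW
    return hist


def build_sample_image():
    """Constructed raw image: ASCII fragments, a UTF-16LE fragment, zero padding between."""
    ascii_part = (b"From: alice@example.org\nTo: Bob <bob@example.net>\n"
                  b"Visit https://example.org/login?user=alice today\n"
                  b"Reply-To: Alice@Example.org\n")
    utf16_part = "Sent by carol@example.com".encode("utf-16-le")
    return b"\x00" * 4096 + ascii_part + b"\x00" * 1000 + utf16_part + b"\x00" * 4096


if __name__ == "__main__":
    for name, counter in scan_image(build_sample_image()).items():
        for value, n in counter.most_common():
            print(f"{name:5s} {n:3d}  {value}")
```

Counts are keyed on the lower-cased feature, so the same address found in different case or encoding aggregates into one histogram line, which is the form in which such output is usually handed to other tools for triage.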

All of them work on most of the recent Windows versions. If I have missed out any free or open source computer forensic tool, please let us know.
