
COURSE OVERVIEW

Introduction
This courseware will guide you through the computer forensics methodology and gives you a brief introduction to the computer forensics field. The course is designed to help you describe the important role of computer forensics and explain the various methods used by forensic experts. It also guides you step by step through the techniques followed by forensic investigators.

Course Audience
Students should be able to thoroughly understand the topics covered in this course before proceeding to higher-level forensic and cyber crime topics.

Study Schedule
The students should accumulate 120 hours for this course. Table 1 shows the
approximation of study time that the students should allocate during a semester.

Table 1: Approximate Study Time Allocation

Activities                              Hours
Self Independent Study                   42
Tutorial/Face-to-Face Interaction        12
Online Discussions                       30
Doing Assignments                        18
Examination Preparation                  18
TOTAL                                   120

Course Objectives
After completing the subject, the students shall achieve the following objectives:
• Explain the computer forensics tools, investigation and analysis.
• Have working knowledge of hardware and operating systems to maximize success
on computer forensics investigations.
• Develop skills on a security program that will protect data and react to threats posed
by Internet users.

CHAPTER 1 l INTRODUCTION TO COMPUTER FORENSICS

Learning outcomes

At the end of the subject, students should be able to:

• Apply the concept of computer forensics to facilitate forensics investigation.
• Identify the current technology trends in computer forensics.
• Help an organisation develop a computer forensics capability that is of high quality and consistent with business goals.

Course Synopsis
Increasingly, computers are being used to conduct crimes, driven by the growth of the Internet and the proliferation of computer usage worldwide. This has created a need for computer forensics to investigate situations where computers have been used to commit crimes, or to identify where computer usage does not meet corporate acceptable use policies. With the unprecedented growth of the Internet, security has become a major issue for businesses, and Internet security has become the fastest growing segment within ICT. Today, computer forensics and Internet security are among the major challenges facing corporations of all sizes.

Text Chapters
This course will go through 8 Chapters which are listed below:

Chapter 1 Introduction to Computer Forensics

In this chapter, we will discuss the definition of computer forensics and how to prepare for a computer forensic investigation. This guide also helps you understand the professional conduct maintained by forensic investigators.

Chapter 2 Understanding Data Recovery Workstations and Software

In this chapter, the discussion centres on the various file systems and disk structures used by computers, and this guide briefly illustrates the important tools used by forensic investigators. This chapter also gives you an overview of the forensic investigation.

Chapter 3 Digital Evidence

This chapter briefly explains the methodologies used to acquire digital evidence from various disks. It also clearly explains the different data disk structures.

Chapter 4 Computer Forensic Analysis

This chapter focuses on forensic analysis methods. It also briefly explains e-mail investigation and clearly elaborates the techniques used by investigators to recover image files from various storage media.

Chapter 5 Working with Windows and DOS Systems

In this chapter, we look at the importance of the methodologies for different operating systems. This chapter also explains how to work with Macintosh systems, UNIX systems and Linux systems.

Chapter 6 Crimes and Incident scenes

In this chapter, we will focus on crimes and incident scenes. This chapter gives a clear idea of search preparation and also explains how to seize digital evidence at the crime scene. It also gives the methods used to collect digital evidence from disks.

Chapter 7 Email Investigation

This chapter focuses on electronic mail investigation and also explains e-mail client and server methodologies. It also explains the steps to investigate e-mail crimes and violations.

Chapter 8 Becoming an Expert Witness

This chapter discusses how to prepare testimony, how to testify in court and how the forensic expert testifies during cross-examination in court. Finally, it briefly explains how to become an expert witness.

Prior Knowledge
Students would have an advantage if they have taken some basic computer-related topics before studying the forensic subject.

References
John Vacca. 2002. Computer Forensics - Computer Crime Scene Investigations. Charles River Media. ISBN 1-58450-018-2.

Douglas Schweitzer. 2003. Incident Response: Computer Forensics Toolkit. Wiley, 360 pages. ISBN-10 0764526367.

Levine, D., & Levine, R. 2003. Society and Education.

Bruce Middleton. 2005. Cyber Crime Investigator’s Field Guide. Auerbach Publications. ISBN 0-8493-1192-6.


John W. Rittinghouse, William M. Hancock and Bill Hancock. 2003. Cyber Security Operations Handbook. Elsevier Digital Press, UK. ISBN 1-55558-306-7.


Sheetz, Michael. 2000. Computer Forensics: An Essential Guide for Accountants, Lawyers, and Managers. John Wiley & Sons.

Shinder, D., Tittel, E. 2000. Scene of the Cybercrime: Computer Forensics Handbook. Syngress Publishing.

Steel, Chad. 2006. Windows Forensics: The Ultimate Field Guide for Corporate Computer Investigations. John Wiley & Sons.

Evaluation
Course evaluation consists of two components that are the ongoing evaluation and the
final examination. In order to obtain a good score and grade in this course, students need
to take each component of the course evaluation seriously.
Ongoing Evaluation
i. Test (2): 25%
ii. Involvement in ongoing discussion: 5%
iii. Assignment (1): 20%

Final Examination
i. Marks: 50%
ii. Total Marks: 100%

Note: In order to pass the course (minimum grade C) the students need to obtain 25
marks from the final examination component (25%) (Requirements of the Malaysian
Accreditation Body, MAB)

CHAPTER 1
Introduction to Computer Forensics

LEARNING OUTCOMES
By the end of this chapter, you should be able to:

1. Define cyber crime;

2. Explain the basics of computer forensics;

3. Identify the steps involved in a computer forensic investigation; and

4. Describe the professional duties and obligations of a computer forensics investigator.


INTRODUCTION
Are you aware that each time you check your email or perform a banking transaction
online, you are at risk of a malicious attack? At any point of time, hackers can infect your
computer with viruses, steal your identity, trap you into scams and literally take control
of your life. Let’s watch a video to further understand the seriousness of this threat. Click
on the play button to watch the video.

Source: http://www.youtube.com/watch?v=NzsE6KwjWCs&NR=1

Relying on information technology in our daily transactions has led to the steep rise
of criminal acts carried out through the use of Information and Communication
Technologies (ICT). Cyber crime has already been subjected to regulations and is a matter
of concern for public and private parties involved in electronic transactions.

This chapter will give you an overview of what is cyber crime, the basics of computer
forensics, how computer forensics experts investigate cyber crime and legal aspects
related to computer forensic investigations.


1.1 Cyber Crime

Cyber crime refers to any crime that involves computers or a computer network. It is
a criminal activity where a computer or network is used as a source, tool, target,
or place of the crime. Cyber crime occurs when the computer technology is used to
commit or obscure an offence.

Although the terms ‘cyber crime’ and ‘computer crime’ are used more specifically to
criminal activities where the computer is a necessary part of the crime, these terms
may also refer to conventional crimes that involve the use of computers such as fraud,
theft, blackmail, forgery, and misappropriation.

Cyber crimes include:

• Financial fraud;
• Sabotage of data and/or networks;
• Theft of proprietary information;
• System penetration from the outside;
• Denial of service;
• Unauthorised access by insiders;
• Employee abuse of Internet access privileges;
• Viruses (the leading cause of unauthorised users gaining access to systems and
networks through the Internet);
• Child pornography;
• Credit card fraud;
• Cyberstalking;
• Defaming another online;
• Copyright infringement;
• Software licensing;
• Trademark violation; and
• Software piracy.


Figure 1.1: CSI/FBI 2000 Computer Crime and Security Survey


Source: Computer Security Institute

Download CSI Computer Crime & Security Survey, the world’s most
widely quoted research on computer crime. Go to:

http://www.gocsi.com/


1.1.1 The Role of Computers in a Cyber Crime

A computer can play different roles in a cyber crime. Therefore, it is critical to develop
a deeper understanding of how computers can be involved in a crime so a more
refined approach to investigate such cases can be developed. The precise role that a
computer plays in a crime also determines how it can be used as evidence.

The use of computers in cyber crimes can be broadly classified into four categories.
Refer to the figure below:

Figure 1.2: Categories of Cyber Crime


1.1.2 Modes of Attack

Cyber crimes can be categorised as either insider attacks or external attacks, depending
on how the attack took place (as shown in Figure 1.3).

Figure 1.3: Threats to Data Security


Source: http://www.smartcardbasics.com/security_3.html


(a) Insider Attacks

Attacks that involve a breach of trust by employees within an organisation. Insider attacks are committed by those with a significant link to the intended victim, for example a bank employee who siphons electronic funds from a customer’s account. Other examples include:
• Downloading or distributing offensive material;
• Theft of intellectual property;
• Internal system intrusions;
• Fraud; and
• Intentional or unintentional deletion or damage of data or systems.
Insider attacks can generally be contained within the organisation being attacked as it is
easier to determine the motive of the attack, and therefore simpler to identify the criminal.
However, when the person involved thoroughly understands the information technology
infrastructure he intrudes, obtaining digital evidence of the offence can be difficult.

Figure 1.4: Anatomy of an Insider Attack


(b) External Attacks

Attacks that involve hackers hired either by an insider or an external entity whose aim is to destroy the company’s reputation. An external attack is committed anonymously.

A typical example is the Philippine-based ILOVEYOU virus e-mail attack in 2000. Other examples of external attacks include computer system intrusion, and deceptive, reckless or deliberate and indiscriminate system crashes.

For detailed information on the ‘ILOVEYOU’ virus go to:

http://en.wikipedia.org/wiki/I_Love_YOu_virus

An external attack is hard to anticipate, yet can often be traced using evidence available
to or provided by the organisation under attack. Normally, the offender has no motive
and is not even connected to the organisation, making it fairly clear-cut to prove that it
was an unlawful access to data or systems.


1. What is cyber crime? Give 5 examples.
2. Explain 4 ways computers are used in cyber crimes.
3. Describe the modes of attack in cyber crimes.


1.2 What is Computer Forensics?

Forensic science or forensics is the application of science to find answers to questions that are of interest to legal proceedings. Computer forensics is a step by step analysis of data stored in electronic equipment to determine whether that electronic equipment has been used for illegal or unauthorised purposes. Examples of electronic equipment investigated are computers, computer networks, storage devices and digital media equipment.

Figure 1.5: Computer forensic will determine whether the electronic equipment
has been used for illegal or unauthorised purpose


Cyber crime involves attacks, for malicious purposes, on targeted systems that contain confidential data. This often includes a wide variety of crimes against persons, property or organisations that are of public interest. Collecting cyber evidence through forensics is necessary to investigate crimes and to ensure that appropriate support is afforded to evidence that needs to be introduced in criminal or other legal proceedings.

Cyber crime investigations involve examining electronic evidence and using information
technology to carry out forensic investigations. While forensics investigators collect
electronic evidence, forensic examiners who provided assistance at the crime scenes
examine the evidence. Activities involved in a cyber crime investigation include collecting,
archiving, and managing digital evidence in a way that renders it acceptable in
proceedings. Evidence gathered to be presented in a court of law must be in a coherent
and meaningful format.

1.2.1 The Role of Computer Forensics

Cyber crime is a major concern to the legal system as well as professionals who
are exposed to it in their everyday duties. Law enforcement response to cyber crime
requires officers, investigators, forensic experts, and managers to act immediately and
get involved in recognising, collecting, preserving, transporting, and archiving computer
or electronic evidence.

When an incident or crime occurs, an organisation needs a proper forensic response in place. By hiring computer forensics experts to manage the response to an incident, organisations ensure that all avenues are investigated, all evidence is located and handled correctly, and all those involved are treated neutrally.

As soon as an incident that compromises the server occurs, an investigation takes place. Computer forensics investigators typically follow these steps in investigating the case:


Read more about Computer Forensics. Go to:

http://www.computer-forensic.com/about.html

1.2.2 Challenges in Computer Forensics

Computer forensics is still in an early developmental stage. It differs from the other forensic sciences in that it examines digital evidence. There is little theoretical knowledge on which to base assumptions for analysis, and standard empirical hypothesis testing, where it is carried out at all, suffers from a lack of proper training and of standardisation of tools.

In order to effectively fight against cyber crime, all parties involved in dealing with
computers must be well educated. This includes the legal communities, the IT communities,
as well as the end users. Imagine what would happen to the electronic evidence if
a law enforcement officer wasn’t experienced or properly trained, and as a result of
his actions, a good portion of the evidence was destroyed.

Most times the judge or adjudicators lack the technical expertise to understand the topics discussed or to interpret the law for these cases. What would happen to a very difficult and important case if the jury, prosecutor and judge had little experience with computers?

For detailed information on Cyber Crime Law go to:

http://www.cybercrimelaw.net/index.html

Explain the role of computer forensics in fighting cyber crime and its challenges.

1.3 Computer Forensic Investigation

Before an investigation of any case is started, the investigator must have:

• a thorough understanding of the forensic process;
• technical training; and
• proper lab preparation.

These are significant to the success of an investigation. All the technical experts assigned to the unit must have the necessary training and background to conduct investigations.


After the evidence has been properly analysed, the investigator acts as an expert witness and presents the evidence in court in an acceptable manner. The investigator also acts as a tool for law enforcement to track and prosecute cyber criminals.

1.3.1 Cyber Detectives

Computer forensics is an important defence in the corporate world’s armoury against cyber crime. Cyber forensics investigators detect the extent of a security violation, recover lost data, determine how an intruder got past security mechanisms and, eventually, identify the offender.

A cyber forensic professional needs to be qualified in both investigative and technical fields and well trained in countering cyber crime. They should also be knowledgeable in the law, particularly on legal jurisdictions, court requirements and the laws on permissible evidence and production.

In most cases, forensic investigations take the lead in calling in law enforcement
agencies and building a case for potential prosecution, which could lead to a criminal
trial. The alternative is pursuing civil remedies, as opposed to criminal prosecution,
for instance pursuing breach of trust, and loss of intellectual property rights.
Types of Computer Investigation
There are two types of computer investigations, as described in the figure below:


Figure 1.6: Types of Computer Investigations

1.3.2 Stages in a Computer Forensic Investigation

A computer forensics investigator must follow certain stages and procedures (as shown
in Figure 1.7) when working on a case.


Figure 1.7: Life cycle of a computer forensic investigation

1. Initial Assessment
First, the computer forensics investigator identifies the crime, along with the computer
and other tools used to commit the crime.

2. Obtain Evidence
Like any other investigation, the area must be handled as a crime scene. Everything
there must be left the way it is. For example, if the computer system was found
turned off, it should be left that way.

The forensics investigator then takes digital photographs and secures documentary
evidence such as printouts, notes and disks found at the scene. If the computer
was left on, all information is gathered from the running applications. The computer
is then shut down in a way that will not cause data to be lost. Doing a standard
shut down or pulling the plug is not an option. Both of these methods may lose
or damage data stored in the computer system.

Next, the configuration of the system is documented in the same manner a crime
scene is documented. Items in the system to be documented include the order of
hard drives, modem, LAN, storage subsystems, cable connections, and wireless
networking hardware. The forensics investigator may make a diagram to go along
with the digital photographs. He will also take portable storage devices from
the crime scene area that may contain substantial evidence.


Figure 1.8: In most forensic cases the computer’s hard drive is the primary source of the investigation
Source: http://knol.google.com/k/anonymous/computer-forensics/vzqr4kq08y8h/3#

3. Analyse the Recovered Evidence

All evidence must now be taken to the lab to be examined. No evidence should be examined on the same hardware on which it was found. This is because people who engage in cyber crimes are aware that important data can be retrieved to convict them. Countermeasures such as viruses and booby traps may be installed in the system to damage electronic evidence.

At the lab, using special tools, an exact duplicate of all the data found is made.
The forensics investigator will ensure that data is copied completely and accurately.
The duplicate will then be verified by an algorithm. The recovered data is then
examined and analysed.


Figure 1.9: A write blocker device is used to examine data stored in the hard drive
Source: http://knol.google.com/k/anonymous/computer-forensics/vzqr4kq08y8h/3#



4. Complete the Case Report

Finally, a report is made on the findings and all the steps taken during the investigation, beginning from the acquisition of the data. This evidence will be presented in court if prosecution is necessary.
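The acquisition, verification and reporting steps above (image the evidence, verify the duplicate by an algorithm, analyse only the copy, document every step) can be shown in a short script. The following Python example is added here and is not part of the course text or of any named tool. It assumes a raw image file on disk, uses MD5 (the digest the chapter glossary describes) together with SHA-256, keeps a chain-of-custody log of every handling step, and refuses to proceed when the working copy does not match the original. The case and item identifiers, handler names and the sample image bytes are constructed placeholders.

```python
"""Acquisition verification and chain-of-custody logging (added example)."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Digests used to verify the duplicate. MD5 is the algorithm the course's
# glossary names; SHA-256 is recorded alongside it because MD5 collisions are
# practical today, so a second, stronger digest should accompany it.
ALGORITHMS = ("md5", "sha256")
CHUNK_SIZE = 1024 * 1024  # hash large images in 1 MiB chunks, never all at once


def _new_hashers():
    return {name: hashlib.new(name) for name in ALGORITHMS}


def hash_bytes(data):
    """Return {algorithm: hex digest} for an in-memory byte string."""
    hashers = _new_hashers()
    for h in hashers.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_image(path):
    """Return {algorithm: hex digest} for the image file at `path`."""
    hashers = _new_hashers()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_duplicate(original_path, duplicate_path):
    """Hash both files; every algorithm must agree for the copy to be exact.

    Returns (match, original_digests, duplicate_digests).
    """
    orig = hash_image(original_path)
    dup = hash_image(duplicate_path)
    return all(orig[name] == dup[name] for name in orig), orig, dup


class ChainOfCustody:
    """Chronological record of who handled an evidence item, when, and how."""

    def __init__(self, case_id, item_id):
        self.case_id = case_id
        self.item_id = item_id
        self.entries = []

    def record(self, action, handler, digests=None, note=""):
        """Append one custody event; the digests tie the event to exact content."""
        entry = {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "handler": handler,
            "digests": digests or {},
            "note": note,
        }
        self.entries.append(entry)
        return entry

    def report(self):
        """Serialise the log so it can be attached to the case report."""
        return json.dumps({"case": self.case_id, "item": self.item_id,
                           "entries": self.entries}, indent=2)


def acquire_and_verify(original_path, duplicate_path, custody, handler):
    """Verify the working copy against the original and log both steps.

    Raises ValueError on a mismatch so that analysis never proceeds on an
    unverified copy; the mismatch itself is still written to the log.
    """
    match, orig, dup = verify_duplicate(original_path, duplicate_path)
    custody.record("hashed original", handler, orig)
    custody.record("verified duplicate", handler, dup,
                   note="match" if match else "MISMATCH")
    if not match:
        raise ValueError(f"duplicate of {custody.item_id} does not match original")
    return orig


def demo(tamper=False):
    """Run the workflow on a constructed image; returns (verified, entry_count)."""
    # Constructed sample 'drive image' (hypothetical bytes, not real evidence).
    image = b"MBR\x00" * 2048 + b"notes.txt: meeting 15 Jan, bring the USB key\n"
    custody = ChainOfCustody(case_id="CASE-0001", item_id="HDD-01")  # placeholder ids
    custody.record("seized", "Investigator A", note="system found powered off")
    with tempfile.TemporaryDirectory() as tmp:
        original = Path(tmp) / "original.dd"
        duplicate = Path(tmp) / "working_copy.dd"
        original.write_bytes(image)
        # A tampered copy differs by one byte; the digests expose it immediately.
        duplicate.write_bytes((image[:-1] + b"?") if tamper else image)
        try:
            acquire_and_verify(original, duplicate, custody, "Examiner B")
            verified = True
        except ValueError:
            verified = False
    return verified, len(custody.entries)


if __name__ == "__main__":
    print(demo())              # (True, 3)
    print(demo(tamper=True))   # (False, 3)
```

Running the block prints (True, 3) for a faithful copy and (False, 3) for a copy with one altered byte: the mismatch is logged before the error is raised, which is the point of recording digests in the custody log rather than only in the examiner's notes. SHA-256 is included because producing two different files with the same MD5 digest is practical today, so an MD5 match on its own no longer proves that a copy is exact.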

For detailed information on Computer Forensic Investigation go to:

http://knol.google.com/k/anonymous/computer-forensics/vzqr4kq08y8h/3#

1. Explain the two types of computer investigation.
2. Describe the steps involved in a computer forensic investigation.

1.4 Computer Forensics as a Profession

Computer forensics is a focused, fast growing and interesting field. As business enterprises
and organisations become more multifaceted and exchange more information online,
ultra-modern crimes are also increasing at a rapid rate. Due to this situation, many
companies and professionals are now offering computer forensic services.


A computer forensics investigator is a combination of a private investigator and a computer scientist. Although this unique field requires technical, legal and law enforcement experience, many industries choose professionals with investigative intelligence and technology expertise. A computer forensics professional can fill a diversity of roles which include a private examiner, an investigator, a corporate compliance professional, and a law enforcement official.

Before you become a computer forensics professional, you need to be aware that:
• The rest of the world is not part of that profession;
• Majority of the general public are excluded from computer forensics;
• Majority of computer professionals are not skilled in computer forensics; and
• Many computer forensic practitioners come from other disciplines (of computing
and from other areas, e.g. audit).
Aspects essential to the computer forensics profession are:
• Academic
• Application of computer science
• Application of forensic science
• Narrow specialism
• Aligned to computer security
• Core discipline


Before deciding on the precise training you want, appraise the role that you wish
to fulfil. Some of the common roles that could involve the process of computer
forensics are as described below:

Find out more about Computer Forensics Training and Careers. Go to:

http://free-backup.info/computer-forensics-training-and-careers.html


1.4.1 Guidelines on Professionalism and Duties

The field of computer forensics require a certain degree of professionalism. Refer to


the figure below:

Figure 1.10: Professionalism in Computer Forensics


It is very important that as a computer forensics investigator, you follow all the necessary
steps and that the process contains no propaganda that could ruin your reputation or
the reputation of an organisation.

The following are guidelines on the professional duties of a computer forensics investigator. A good forensics investigator should always follow these rules:

• Examine original evidence as little as possible. Instead, examine the duplicate evidence.
• Follow the rules of evidence and do not tamper with the evidence.
• Always prepare a chain of custody, and handle evidence carefully.
• Never go beyond the knowledge base of the forensic investigation.
• Document any changes in evidence.
If your investigation stays within these parameters, then your case should be valuable
and justifiable.


1.4.2 Ethical Behaviour

In relation to ethical behaviour in computer forensics, there is a very thin line between what is acceptable and what is deemed as malpractice. Computer forensics exists in an ethical grey area. The forensics investigator needs to balance between self motivation, legal constraints and procedural considerations. The ethical responsibility in a computer forensic investigation is to:

It is also the responsibility of the forensics investigator to help the court on matters within his knowledge. This duty overrides any obligation to the person from whom the forensics investigator receives instructions or by whom he is paid.


1.4.3 Legal Considerations

While investigating cyber crimes, one has to know the laws that cover such crimes.
Legal authorisations are needed to access targets of evidence. In order to preserve
the admissibility of evidence, proper handling of evidence by a computer forensics
expert is required.

The International Organisation on Computer Evidence (IOCE) has working groups in Canada, Europe, the United Kingdom, and the United States to formulate international standards for recovery of computer based evidence.

For detailed information about ‘The International Organisation on Computer Evidence (IOCE)’, go to:

http://www.ioce.org/core.php?ID=1

Different warrant requirements and other legal constraints apply to different categories
of data such as recent, older, interceptable, not interceptable, etc. Investigators
should always consult the legal department of their corporation to understand the
limits of their investigation. Privacy rights of suspects should not be ignored.

Legal issues associated with cyber crime are still being developed by legislators and
may change in future. Follow these guidelines when performing a computer forensic
investigation:


For detailed information about the ‘Electronic Communication Privacy Act of 1986 (ECPA)’, go to:

http://legal.web.aol.com/resources/legislation/ecpa.html

For detailed information about the ‘Cable Communication Policy Act (CCPA)’, go to:

http://www.privacilla.org/business/cablepolicyact.html

For detailed information about the ‘Privacy Protection Act of 1980 (PPA)’, go to:

http://www.cybertelecom.org/privacy/ppa.htm


1. Explain the main aspects of professionalism in computer forensics.
2. Discuss the ethical and legal guidelines you would have to abide by when you take up computer forensics as a profession.

SUMMARY

1. Cyber crime refers to a criminal activity where a computer or network is used as a source, tool, target, or place of the crime.
2. The use of computers in a cyber crime can be broadly classified into 4 categories:
• Computers as a target.
• Computers as an instrumentality.
• Computers as incidental to other crimes.
• Computers associated with the prevalence of computers.
3. There are two modes of cyber attacks. They are:
• Insider attacks.
• External attacks.
4. Computer forensics involves investigating data stored in electronic equipment to determine the source of intrusion in a cyber crime.
5. The steps involved in a computer forensic investigation are initial
assessment, obtain evidence, analyse the recovered evidence and complete
the case report.
6. As a computer forensics investigator, you must abide by the required
professional duties, ethical behaviour as well as legal guidelines.


GLOSSARY

MD5 Acronym for Message-Digest algorithm 5. It is a widely used cryptographic hash function with a 128-bit hash value. The algorithm takes a message of arbitrary length as input and produces a 128-bit “fingerprint” or “message digest” of the input as output.

It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message digest.

MD5 has been employed in a wide variety of security applications, and is also commonly used to check the integrity of files.

Chain of Custody The chronological documentation, and/or paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of evidence – physical or electronic.

As evidence can be used in court to convict suspects of a crime, it must be handled in a scrupulously careful manner to avoid allegations of misconduct or tampering with evidence, which can later compromise the case of the prosecution toward acquittal or to overturning a guilty verdict upon appeal.

IOCE International Organization on Computer Evidence

ICT Information and Communication Technologies


FRP First Response of Procedures

FI Forensics Investigator

MD Message Digest

ECPA Electronic Communication Privacy Act

CCPA Cable Communication Policy Act

PPA Privacy Protection Act

TRUE/FALSE QUESTIONS

1. Sabotage of data and/or networks does not come under cyber crime.
True False

2. A cyber crime involving a breach of trust from employees within an organisation is called an insider attack.
True False

3. Sending threatening e-mail is a computer crime under the category computer as an instrumentality.
True False

4. A computer forensics expert needs to be qualified only in the technical field.
True False

5. Obtaining a copy of evidence in a disk drive is not a part of the life cycle of a computer forensic investigation.
True False


6. Cross-validation of findings is a good process in computer forensic investigation.
True False

7. A computer forensics investigator does not need to maintain a chain of custody.
True False

8. A computer forensics investigator can investigate on original evidence before duplicating it.
True False

9. A computer forensics investigator should ensure that he has appropriate power and authority to search and seize before going for an investigation.
True False

10. Proper handling is not an important part of admissibility of evidence in court.
True False

MULTIPLE CHOICE QUESTIONS 1

1. Where does the computer forensics investigator transport seized evidence from the
crime scene?
A. Forensic lab.
B. Court
C. Home
D. None of the above.

2. Which of the following is not a type of public computer investigation?
A. Corporate
B. Local
C. Country
D. State

3. Which of the following is not a common role that could involve the process
of computer forensics?
A. Security consultants providing incident response services.
B. Legal professional.
C. Law enforcement officials.
D. Quality professionals.


4. MD5 (Message-Digest algorithm 5) is a widely used cryptographic hash function with a ____ -bit hash value.
A. 128
B. 32
C. 64
D. 256

5. What does a computer forensics investigator prepare?
A. First Response of Procedures.
B. First Report of Procedures.
C. First Report of Process.
D. None of the above.

MULTIPLE CHOICE QUESTIONS 2

1. What is the most important thing a computer forensics investigator must have
before going to search and seizure?
A. Investigation tools.
B. Appropriate power and authority.
C. Permission from the system owner.
D. None of the above.

2. Which one of the following is NOT a step in the computer forensic investigation
life cycle?
A. Report
B. Analyze
C. Initial assessment.
D. Post assessment.

3. Which one of the following crime is not a crime where the computer is used
as a target?
A. Unauthorized access.
B. Data theft.
C. Data manipulating .
D. Sending threatening e-mail.


4. Computer crime, or cybercrime, generally refers to criminal activities where a computer or network is the _____________________________.
A. Source, tool, target, or place of a crime.
B. Source or place of a crime.
C. Target of a crime.
D. Tool of a crime.

5. A methodical series of techniques and procedures for gathering evidence from computing equipment and various storage devices and digital media is called ___________________.
A. Computer forensics.
B. Digital evidence.
C. Computer crime.
D. None of the above.
