Forensic Analysis for Computer Systems - Evolution

Questions and Answers

The field of computer forensics is believed to have developed more than 40 years ago.

True (A)

During the 1970s, computer crimes were primarily targeted at the healthcare sector.

False (B)

White-collar fraud in the mainframe era involved manipulating computer data for personal gain.

True (A)

The 'one-half cent crime' involved manipulating bank accounts to a single decimal place.

False (B)

Some computer programmers opened accounts to illegally redirect fractional monies into their accounts.

True (A)

The history of forensic science only dates back to the advent of computer technology.

False (B)

Most computers during the 1970s were personal computers used by everyday users.

False (B)

A computer forensics team is responsible for analyzing and investigating electronic crimes.

True (A)

Phishing attacks are designed to secure financial information from users.

False (B)

The survival of a company's network infrastructure depends on the application of computer forensics.

True (A)

Companies face no legal consequences if they fail to protect customer data.

False (B)

Creating duplicates of original evidence is essential to ensure data integrity during investigations.

True (A)

New laws regarding customer data protection are only occasionally developed.

False (B)

Knowledge of forensic principles is not beneficial for companies in legal matters.

False (B)

Forensic science can help save costs for companies that experience data loss incidents.

True (A)

Investigating original evidence is the preferred approach in computer forensics.

False (B)

The ancient Chinese utilized fingerprints to identify personal documents.

False (B)

The FBI Magnetic Media program was established in 1984.

True (A)

Specialized tools for computer forensics were available by the late 1980s.

False (B)

EnCase was developed by a team from ASR Data who left to form their own company.

True (A)

The International Organization on Computer Evidence (IOCE) was formed in 1990.

False (B)

The G8 nations recognized the significance of computer forensics due to rising cybercrime in 1997.

True (A)

ICE was established to handle financial crimes specifically.

False (B)

The INTERPOL Forensic Science Symposium took place in 1999.

False (B)

An organization cannot hire experts from small or mid-size computer investigation firms.

False (B)

Establishing a forensics lab requires government permission.

True (A)

Photographers in a computer forensics team are unnecessary for documenting evidence.

False (B)

Incident handlers are only needed in large organizations.

False (B)

Investigators in a forensics firm do not require specialized tools to find evidence.

False (B)

The size and nature of a business determine the necessity for computer forensic abilities.

True (A)

Incident handlers are responsible for monitoring and acting on computer security incidents.

True (A)

Immediate action is not crucial for investigators after a suspected criminal activity occurs.

False (B)

Investigators should proceed with their investigation even if they encounter a knowledge barrier.

False (B)

Consulting an experienced person can help during a forensic investigation.

True (A)

The rules of evidence are not crucial for the acceptance of evidence in court.

False (B)

Documenting any changes in evidence is unnecessary during a forensic investigation.

False (B)

Written permission is required before initiating an investigation.

True (A)

Restarting a machine has no effect on its temporary files.

False (B)

ILook is a Cyber forensic tool available for personal use by anyone.

False (B)

Access Data Forensic Toolkit (FTK) is used in both law enforcement and civilian markets.

True (A)

Additional training is advised when investigators encounter challenges in their knowledge.

True (A)

Breach of IT security policy is unlikely if written permission is not obtained.

False (B)

The development of data storage and transfer capabilities is unrelated to the evolution of forensic tools.

False (B)

Phishing is a type of cyber attack that primarily targets government organizations.

False (B)

The global nature of digital technology has led to an increase in cybercrimes.

True (A)

Network administrators do not need to be familiar with laws related to cyber security.

False (B)

The tools and techniques of computer forensics have remained static despite advancements in technology.

False (B)

Digital devices and the internet are essential for daily life and can be found in workplaces, homes, and public areas.

True (A)

Flashcards

Phishing Attack

A type of attack where attackers try to trick victims into giving up sensitive information like login credentials or financial details.

Computer Forensics

A crucial part of ensuring the security of computer networks and systems. It helps investigate digital evidence and provides strong proof in legal cases.

Creating Duplicates

Creating copies of digital evidence for analysis to protect the original data's integrity.

Maintaining Data Integrity

Ensuring that digital evidence remains unaltered during an investigation, ensuring its accuracy and reliability for legal purposes.

Evolution of Computer Forensics

The emergence of computer forensics as a distinct field of study, originating from the need to address electronic crimes that increased in the 1970s.

White-collar fraud

Fraud committed by individuals with specialized knowledge who manipulate computer systems for personal gain.

One-half cent crime

A type of fraud targeting financial systems where small fractions of money were diverted to unauthorized accounts.

Mainframe era crime

An early example of computer crime committed during the mainframe era, involving the manipulation of computer data to steal funds.

The need for computer forensics

The need for a specialized field to investigate crimes, such as financial fraud, where the evidence is stored digitally in computer systems.

Rules of Computer Forensics

A set of principles and guidelines that govern the collection, preservation, and analysis of digital evidence.

Computer Forensics team

A team of professionals with specialized skills in computer technology and forensics, responsible for investigating digital crimes.

FBI Magnetic Media Program

The FBI established a program focused on analyzing and responding to computer crimes. This marked a key moment in the birth of computer forensics.

Computer Analysis and Response Team (CART)

This team was created by the FBI and is considered a pivotal moment in the history of computer forensics.

Specialized Tools for Computer Forensics

The development of software specifically designed for computer forensics became more prominent by the early 1990s.

International Association of Computer Investigative Specialists (IACIS)

The IACIS was founded in 1988 as an international non-profit organization dedicated to professional computer forensics. It plays a key role in training and setting standards in the field.

Expert Witness for Macintosh

ASR Data's Expert Witness for Macintosh became the first commercial software with a graphical user interface (GUI) to be used in computer forensics.

EnCase

EnCase became a popular tool in computer forensics after its creator, a former partner at ASR Data, developed it.

International Organization on Computer Evidence (IOCE)

The IOCE aims to connect organizations involved in digital evidence, fostering collaboration and improving the quality and consistency of forensic practices.

G8's Recognition of Computer Forensics

The rising number of cybercrimes led G8 nations to recognize the critical importance of computer forensics in 1997.

Forensics Lab

A dedicated space equipped with specialized hardware and software to conduct computer forensics investigations.

Investigators

Individuals trained to conduct forensics investigations, gather evidence, analyze data, and report findings.

Photographer

A person responsible for capturing and preserving evidence at a crime scene, including IT devices and related equipment.

Incident Handlers

IT professionals responsible for detecting and responding to incidents involving computer security breaches, policy violations, or malicious activities.

Network Breach

An attempt to gain unauthorized access to a computer system, network, or data.

Computer Security Incident

The practice of monitoring and responding to events that may compromise a computer system or network's security.

First Responders

A specialized group designed to respond to computer security incidents and conduct forensics investigations to prevent further damage.

Why is computer forensics essential?

The use of computer forensics is essential because it helps investigate digital evidence in a variety of areas, including cybercrime, fraud, and intellectual property theft.

What drives the need for computer forensics?

The ever-increasing rate of cybercrime, encompassing phishing, hacking, and data theft, highlights the importance of computer forensics in addressing these threats.

How has the evolution of data storage impacted computer forensics?

Computer forensics tools and techniques have evolved alongside the advancements in data storage and transfer technologies, such as desktop computers, laptops, routers, printers, CD/DVDs, and flash drives.

What are some examples of computer forensics software?

Computer forensics software, like ILook and Access Data Forensic Toolkit (FTK), has been developed to analyze and read digital evidence from various storage devices and systems.

What is phishing?

Phishing is a cybercrime tactic where perpetrators use deceptive emails, text messages, or phone calls to trick individuals into revealing sensitive information, like passwords or financial details.

Why are forensic experts crucial in organizations?

To combat cybercrime effectively, forensic experts are needed in both public and private organizations to investigate digital evidence and ensure effective security.

What is the importance of legal knowledge in cybersecurity?

Organisations should ensure that their network administrators and security staff are knowledgeable about laws pertaining to digital evidence and cybercrime to maintain compliance and security.

Why does computer forensics need to evolve?

The field of computer forensics must continuously evolve and adapt to stay ahead of advancements in computer technology and the evolving nature of cybercrime.

Stop if you don't know

If you encounter a situation you don't fully understand or lack the skills to handle, stop the investigation immediately. Do not attempt to proceed without proper knowledge or guidance.

Seek guidance

When facing a roadblock, consult with experienced professionals or seek additional training to enhance your skills and knowledge.

Follow rules of evidence

Always adhere to the established rules and procedures of evidence collection and handling to ensure that the evidence is admissible in court.

Document changes

Thoroughly document any changes or modifications observed in the evidence during the investigation process, along with the reasons, results, and nature of the alterations.

Written permission

Before commencing any investigation, obtain written permission from the appropriate authorities, outlining the scope of your investigation.

Follow security policy

Always comply with the organization's security policy, whether it relates to data access, copying, or handling sensitive information.

What is IT Security?

Information Technology security refers to a comprehensive strategy encompassing various aspects like network security, data protection, and access control, aimed at safeguarding organizational assets.

Why written permission is important

During investigations, handling and accessing sensitive data requires written permission to avoid potential legal ramifications.

Study Notes

Course Plan

• Forensic Analysis for Computer Systems
• Introduction
• Evolution of Computer Forensics
• Computer Forensics process
• Computer Forensics techniques and tools
• Types of Computer Forensics
• Forensics Readiness

Evolution of Computer Forensics

• Computer forensics began to develop more than 40 years ago.
• In the 1970s, electronic crimes, particularly in finance, increased. 
• Early computers were mainframes used by skilled personnel in finance, engineering, and academia.
• White-collar fraud emerged as methods to make money through computer manipulation were developed.
• One notable early crime was the "one-half cent crime," involving banks tracking money to the third decimal place.
• Computer programmers exploited this by diverting fractional amounts into their accounts.
• Forensic science has a long history, with fingerprinting being an early application.
•  In the 1980s, the FBI created a Magnetic media program (later renamed CART) which is considered the start of computer forensics.
• Specialized computer forensics tools became available in the early 1990s.
• The International Association of Computer Investigative Specialists (IACIS) provided training in 1988.
• Commercial GUI software for computer forensics (e.g., Expert Witness) became available in the mid-1990s.
• ASR Data had a role in developing software to recover deleted files.
• EnCase was developed, later becoming a popular tool.
• The International Organization on Computer Evidence (IOCE) was formed in 1995 to bring together organizations for consistency. 

The Need for Computer Forensics

• The world has evolved, becoming a global village through computers, digital devices, and the internet.
• Life has become impossible without computers and related technologies.
• Information can be stored and moved with diverse devices (desktops, laptops, routers, printers, CD/DVDs, flash drives).
• Data storage and transfer variations have driven the development of forensic tools, techniques, procedures, and investigators.
• Cybercrimes like phishing and hacking create a need for forensic expertise.
• The increase in cybercrimes requires broad access to expertise.
• Forensic expertise is needed in public and private organizations.

Rules of Computer Forensics

• (1) Minimizing Original Evidence Examination:*
• Make accurate copies of evidence to avoid damage or alterations. 
• Investigate the duplicates, maintaining data integrity. 
• (2) Knowledge Limits:*
• If an investigation encounters roadblocks beyond current knowledge, stop, consult experts, and seek additional training.
• (3) Adherence to Evidence Rules:*
• Follow the specific rules of evidence to ensure evidence admissibility in court.
• (4) Documenting Changes:*
• Record any changes to evidence (e.g., machine restarts affecting temporary files).
• (5) Written Permission and Local Security Procedures:*
• Secure written permission before accessing or copying data to prevent IT security policy breaches.
• (6) Readiness for Testimony:*
• Prepare for the possibility of testifying in court regarding collected evidence.
• (7) Repeatable Actions:*
• Maintain consistent procedures to ensure evidence authenticity.
• (8) Preventing Data Loss:*
• Work quickly to avoid losing volatile data (data that may disappear).
• Use automated tools cautiously to avoid rushing the process, allowing for flexibility.
• Utilize resources (people) to eliminate data loss in fast-paced investigations.
• Conduct work on original data from volatile evidence.
• (9) Maintaining Original Evidence Before Collection:*
• Do not shut down the device while collecting data to preserve volatile data 
• Data and evidence collection is essential for investigations
• Powering down systems can harm data integrity.
• (10) Avoidance of System Interference:*
• Avoid running programs on the affected system to maintain data integrity.
• Copies should be made of evidence and work on duplicates to preserve the original evidence.
• Beware of malicious programs such as Trojans.

Computer Forensics Team

• Law enforcement and security agencies are responsible for major computer crime investigations. 
• Every organization should handle basic investigations internally.
• Organizations can hire experts from specialized firms.
• Organizations can also create their own computer forensic units.
• Need for a forensics lab, government permission, proper tools, and personnel.
• Difficulties in identifying fraud, illegal activities, and policy breaches.
• Necessary abilities can vary based on business type, threats, and potential loss.
• Teams should include specialists who handle case details and can find evidence (investigators).
• Photographers who document scenes are essential for evidence recording.
• Incident handlers monitor and respond to IT security incidents.
• IT engineers and technicians manage daily operations.
• Attorneys are needed to assist in cases and court processes.