What are the reasons for computer forensics?

  1. #1
    Junior Member
    Join Date
    Mar 2005
    Posts
    18

    What are the reasons for computer forensics?

    Ok. This is again related to my dissertation. One of the problems I am having is that I'm not sure of all the different methods of computer forensics, and indeed what the reasons for searching a computer are. Also there are different OSs: Windows (different versions, so will differ), Linux, Mac OS, PDAs.

    It seems obvious to split it up into two sections:

    a) Intrusion detection, and forensically investigating the specifics of the attack by another user (trying to find the user)

    b) Searching a computer for evidence of some illegal activity, or files that shouldn't be on the user's computer. (found user, trying to find evidence)

    For part a) I am struggling a bit here; it isn't where I have done too much research, so I will leave it for now... I'm more bothered about the searching of a computer aspect.

    For part b):

    -Legal requirements for evidence to be given in court
    -Imaging the hard drive, so as to carry out tests on another computer (links back to first point). Using tools such as EnCase, SafeBack, Data Dumper.
    -Check MD5 to make sure the image is made correctly
    -Search for evidence: Using TASK, Autopsy, CookieView. Search in logs, cookies, NTUSER.DAT, temp internet files, printed docs.
    -If deleted from recycle bin etc. and had a format, still possibly retrievable (use which tools here?)
    -encryption (problems that encryption gives to a forensic)

    Is there anything else I could add in here? Obviously it depends on what exactly the forensic would be looking for, but I am going for either a file of some sort that has been on the comp, OR a website which is illegal. I am also assuming that all this info will be somewhere on the hard drive, even if it's not actually there at the moment (if you understand what I mean)

    Part b) I would like to add in somehow, but my knowledge of this type of intrusion is a lot less, and it seems a lot less hands on, which is what my dissertation is all about.

    thanks for any help
    Andy
    "Get busy livin', or get busy dyin'..." Come visit www.computer-tutorials.org
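The "check MD5 to make sure the image is made correctly" step from the list above, worked through as an added example (not code from the original post or from any of the tools it names). It hashes a source and its image in fixed-size chunks so a multi-gigabyte image never has to fit in memory, computes SHA-256 alongside MD5 so the evidence record carries a collision-resistant hash too, and demonstrates that a single flipped byte (simulating a read error during acquisition) is caught. All file contents are constructed in a temporary directory; the file names and the `demo` helper are this example's own.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB per read; keeps memory flat however large the image is


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for the file at `path`, read in chunks.

    MD5 is the hash the thread mentions; SHA-256 is computed in the same pass
    because a second, collision-resistant digest costs almost nothing extra.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(source_path, image_path):
    """Hash the source and its image; return (all_match, source_hashes, image_hashes).

    Both hashes are returned so they can be written into the acquisition notes
    rather than only compared and discarded.
    """
    src = hash_file(source_path)
    img = hash_file(image_path)
    return all(src[a] == img[a] for a in src), src, img


def make_demo_files(directory):
    """Constructed sample data (not a real drive): a fake source of ~6 MiB,
    a faithful image of it, and an image with one corrupted byte."""
    source = os.path.join(directory, "source.bin")
    good = os.path.join(directory, "image_good.dd")
    bad = os.path.join(directory, "image_bad.dd")
    data = bytes(range(256)) * 8192 * 3  # deterministic content, ~6 MiB
    with open(source, "wb") as f:
        f.write(data)
    with open(good, "wb") as f:
        f.write(data)
    # Flip a single byte in the middle to simulate a bad sector read during imaging.
    broken = bytearray(data)
    broken[len(broken) // 2] ^= 0xFF
    with open(bad, "wb") as f:
        f.write(bytes(broken))
    return source, good, bad


def demo():
    """Run the verification against the constructed files.

    Returns (good_image_verifies, bad_image_verifies, md5_differs_for_bad_image).
    """
    with tempfile.TemporaryDirectory() as d:
        source, good, bad = make_demo_files(d)
        ok_good, src, _ = verify_image(source, good)
        ok_bad, _, bad_hashes = verify_image(source, bad)
        return ok_good, ok_bad, src["md5"] != bad_hashes["md5"]


if __name__ == "__main__":
    good_ok, bad_ok, differs = demo()
    print("faithful image verifies:", good_ok)
    print("corrupted image verifies:", bad_ok)
    print("MD5 differs for corrupted image:", differs)
```

In practice the same `hash_file` is run once against the original device before imaging and once against the image afterwards, and both digests are recorded with the case notes; any later re-hash of the image that still matches shows the working copy has not changed since acquisition.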

  2. #2
    T̙͓̞̣̯ͦͭͅͅȂͧͭͧ̏̈͏̖̖Z̿ ͆̎̄
    Join Date
    Dec 2004
    Posts
    3,171
    Hi andrewsco,

    This might help a little...

    http://www.fbi.gov/hq/lab/fsc/backis...0/computer.htm
    Recovering and Examining Computer Forensic Evidence by Noblett et al. (Forensic Science Communications, October 2000)

    this might help too...

    http://www.cftt.nist.gov/
    GENERAL INFORMATION

    this place has a few tidbits...

    http://ncfs.ucf.edu/home.html
    National Center for Forensic Science

    I found this at the above site too...

    http://www.ncjrs.org/txtfiles1/nij/199408.txt
    199408.txt

    Eg

  3. #3
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    andrewsco

    Don't forget that a lot of countries have employment protection legislation... the EU for example, or there are trade unions involved. If you want to discipline someone under your Authorised User Policy (AUP) you may have to provide evidence.

    Also (rather mundane) there is the use of forensic techniques just to recover data that has become corrupted. OK there should be backups and RAID1 or 5, but accidents do happen.

    If you do a Google for "data recovery" you will see that there are quite a few organisations that make a living out of this sort of thing. Technically there is no real difference between recovering incriminating information and important information?

    Cheers
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  4. #4
    Junior Member
    Join Date
    Mar 2005
    Posts
    18
    I have been checking out some great white papers on computer forensics, but there are 2 that seem to be down at the moment, and I can't find them anywhere... even Google couldn't help me. They are:

    Forensic Analysis of Microsoft Internet Explorer Cookie Files
    Keith J. Jones

    Forensic Analysis of Microsoft Windows Recycle Bin Records
    Keith J. Jones

    I could really do with reading them. I don't suppose anyone has a copy saved to their computer who could email them to me? I know it's a bit of an outside chance but it's worth a shot. I assume they are freely available to read.

    Andy
    "Get busy livin', or get busy dyin'..." Come visit www.computer-tutorials.org

  5. #5
    Senior Member
    Join Date
    Mar 2004
    Posts
    557
    Hi

    Excellent reads about forensics can be found at forensics.nl[1],
    especially in-depth specifications for filesystems[2].

    The two papers by Jones are nice reads. You still can download them:
    Forensic Analysis of Microsoft Internet Explorer Cookie Files[3]
    Forensic Analysis of Microsoft Windows Recycle Bin Records[4]

    Cheers.

    [1] http://www.forensics.nl/links
    [2] http://www.forensics.nl/filesystems
    [3] http://sf.gds.tuwien.ac.at/00-pdf/o/...nstruction.pdf
    [4] http://sf.gds.tuwien.ac.at/00-pdf/o/...nstruction.pdf
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)

  6. #6
    Junior Member
    Join Date
    Mar 2005
    Posts
    18
    Thanks mate! The links page on forensics.nl is a great resource. I have been reading the papers on there for the last day or so, but the two which I wanted were down! Although thanks to you I now have them.

    Cheers mate.
    Sco
    "Get busy livin', or get busy dyin'..." Come visit www.computer-tutorials.org
