COMPUTER FORENSICS

Mr Kolapo Oyeusi
04044790
KOO047@londonmet.ac.uk

Supervisor : Dr. Nick Ioannides

n.ioannides@londonmet.ac.uk

A Dissertation submitted in partial fulfilment

of the requirements of London Metropolitan University for
the degree of Bachelor of Science in Computer Networking with Honours

May 2009

Faculty of Computing
TABLE OF CONTENT

Definition of Terms

Glossary

Acknowledgements

Dedication

Abstract

Chapter 1: Introduction

Chapter 2: Literature review

Chapter 3: Approach and scope

Chapter 4: Practical/ Simulation/ Research work & Result

Chapter 5: A Critical Appraisal, Recommendations and Suggestions for further Work

Summary

Chapter 6: Conclusions

Appendices

Appendix A: Project Proposal Report

Appendix B: Materials (i.e Configurations, Program source listings etc)

Reference & Bibliography

Literature review

Reference and Bibliography

2
Definition of terms

Write-Blockers: These are devices that allow acquisition of information on a drive without
creating the possibility of accidentally damaging the drive contents. Hardware write blockers
can be IDE-to-IDE or Firewire/USB-to-IDE.

Good data: These are known file types such as operating system files and common programs
(Microsoft word etc)

3
Chapter 1: Introduction

Computer forensic is the collection, preservation, analysis and presentation of computer

related evidence that can be useful in criminal cases, civil disputes and human

resources/employment proceedings (Vacca, 2005).

With the growth of the internet and the ever changing digital environment, the need for

computer forensics experts cannot be over emphasised.

The world gradually is becoming a global village due to the presence of the internet and the

personal computer. Businesses and transactions that would have been done in person are now

carried out online. The internet has made targets much more accessible and the risk involved

for the criminals are much lower than traditional crimes.

With more people embracing the internet, the number of people using the internet is expected

to rise to 794 million in 2009 from 657 million that is currently available (Vacca, 2005).

However, the word forensic was derived from usage in the medical field. Forensic Medicine

has been a recognised discipline as far back as the 18th century (Dixon, 2005). The computer

industry has been taking computer forensic serious for some years now due to embarrassing

computer break-ins by teenage hackers.

Computer forensics is one of the largest growing professions of the 21st century. (Vacca,

2005). This is partly due to the growth of the internet which allows organizations and

individuals to be susceptible to security threat.

It is difficult to pinpoint the first computer forensic examination but in 1991, the term

computer forensics was coined in the first training session held by the International

Association of Computer Investigative Specialist (IACIS) (www.forensics-intl.com)

4
Computer forensics has also been described as the autopsy of a computer hard disk drive

because specialized software tools and techniques are required to analyze the various levels at

which computer data is stored after the fact. The Military and the intelligence gathering

agency have been involved in computer forensics since the mid-1980 but this field is

relatively new to the private sector. Computer forensic tools and procedures are used to

identify computer security weaknesses and the leakage of sensitive computer data.

(www.forensics-intl.com)

The main goals of computer forensics are the preservation, identification, extraction,

documentation and interpretation of recovered computer data.

5
Chapter 2: Literature review

Several criminal activities are being committed nowadays such as cyber terrorism, internet

fraud, viruses, illegal downloads, falsification of document, child pornography,

counterfeiting, economic espionage, benefit fraud, human resources/employment proceedings

just to mention a few. As such, there is need for necessary legislation to help prosecute the

perpetrators of these crimes. This is where the skills of a forensic expert come in to help

build indisputable evidence against them.

If the computer and its contents are examined by anyone other than a trained and experienced

computer forensics specialist, the usefulness and credibility of that evidence will be tainted

(Vacca , 2005). A highly skilled computer forensic analyst is someone who understands the

discipline as well as understands the use of computer forensic tools.

Network forensic investigators on the other hand uses log files to determine when users

logged on and they also try to determine which URL’s users accessed, how they logged on to

the network and from what location. In special cases, forensic experts use electron

microscopes and other sophisticated equipments to retrieve information from machines that

have been damage or formatted. The use of this method can be very capital intensive which

may sometime exceed $20000. (Bill Nelson et al, 2008)

A survey recently conducted reveals that both public and private agencies face serious threats

from external and internal sources. (Computer Crime and Security Survey, 2003)

There are three things to take into consideration when carrying out computer forensic. A

computer can be the target of the crime, it can be the instrument of the crime or it can serve as

an evidence repository storing valuable information about the crime. Knowing what role the

computer played in the crime can of tremendous help when searching for evidence. This

knowledge can also help reduce the time taken to package your evidence.
6
Also, the evidence required can be located on a network, embedded system or on dead

systems. Most forensic examination is carried out on dead systems that have been delivered

for analysis. It is recommended that computers should be powered down to prevent loss of

evidence when making seizure but doing so before collecting volatile evidence can lead to

loss of evidence when dealing with systems with large RAM or those having active network

connections (Casey,2002).

The integrity and security of evidence is a priority when carrying out forensic investigation

and there are stringent guidelines that must be adhered to even when trying to save time.

A computer forensics specialist should not just rely on just one tool to preserve, identify,

extract and validate the computer evidence. Cross validation through the use of multiple tools

and techniques is standard in all forensic sciences. When this procedure is not used, it creates

advantages for defence lawyers who may challenge the accuracy of the software tool used and

thus the integrity of the results. Using multiple validation software tools enables computer

forensic specialists and procedures eliminate any doubt about the accuracy of the evidence.

(www.forensics-intl.com)

When searching for graphical images on a computer system, it is important not to look for

files with the GIF or JPEG extensions only since the suspect might have saved it with another

extension like DOC. Therefore it is important to search every sector of the physical disk for

certain file types (Casey, 2002)

Encryption and stenography hinder the investigation of a computer forensic specialist.

Encryption makes it difficult for the examiner to analyse evidence that have been found,

collected, documented and preserved. Stenography on the other hand involves the act of

hiding information.

7
An individual using specialist data hiding tools like the Marutukku can protect its self from all

data recovery techniques. (Casey, 2002)

Computers have been featuring in litigations for over 31 years. In 1977, there were 20 U.K

cases in which the word computer appeared and which was sufficiently important to be noted

in the lexis database. In the United state, there were 291 federal cases and 246 state cases in

which it appeared (Vacca, 2005). A lot of people sometimes think of a computer forensic

expert as someone who helps in recovering lost digital data from a computer but their work

goes far beyond that.

Countries all over the world are creating new laws and amending old ones since the surge in

computer related crimes. It is important to have the necessary legal backing to bring the

perpetrators of these crimes to justice or else the work carried out by a computer forensic

specialist will be in vain. Likewise, businesses are adjusting their policies to help protect

themselves against disgruntled employees willing to reveal sensitive client records and trade

secrets.

Employing the services of a computer forensic specialist can be tricky sometimes. Having

someone with the expertise and experience is not just enough nowadays. The individual must

also be able to testify and stand up to scrutiny and pressure of cross examination in the law

court.

In the early 1980’s, computer forensic tools were simple and mainly generated by government

agencies such as the U.S internal Revenue Service (IRS) and the Royal Canadian Mounted

Police (RCMP) in Ottawa. Most of the tools written then were in C language and assembly

language and were not that popular. Moving into the mid 1980’s, a software known as Xtree

Gold was introduced which was able to recognise file types as well as retrieve lost or deleted

files. Shortly after the release of Xtree, Norton released the DiskEdit and this became the best

8
tool for finding deleted files at that time because the DiskEdit was compatible with most PC’s

then.

Moving into the 1990’s, specialist tools for computer forensics became available. This led to

the training on software for computer forensic investigation by the International association of

Computer Investigative Specialist (IACIS). ASR Data created commercial GUI forensic

software called Expert Witness. The Expert Witness could recover deleted files and fragments

of deleted files. One of the ASR partner left to develop Encase which is the most popular

forensic tool.

DATA RECOVERY

Data recovery is the process in which highly trained forensic experts evaluate and extract data

from damaged media and return it in an intact format (Vacca, 2005). Lost data might be as a

result of computer systems crashing, accidental deletion, computer viruses corrupting files,

disgruntled employee destroying files just to mention a few. There is a high chance of

recovering all the data if recovery is attempted shortly after the files must have been removed.

Most Linux systems use the ext2 file system which reveals the presence of slack space. A tool

called bmap can jam data in the slack space, take out data and also wipe the slack space clean

if needed. Data can be hidden in slack space to store secrets, plant evidence and maybe hide

tools from integrity checkers.

EVIDENCE COLLECTION

There are two main reasons why we need to collect evidence:

1) Future prevention.

2) Responsibility.

9
The job of a computer forensic specialist goes far beyond just data recovery. Evidence

collection must be done in a methodological manner by professionals trained for this purpose.

Real Evidence: is any evidence that speaks for itself without relying on anything else. For

instance, a log produced by an audit function which is free from contamination.

Testimonial Evidence: This is any evidence supplied by a witness. This evidence is dependent

on the reliability of the witness. As long as the witness is reliable, the testimonial evidence

can be as powerful the real evidence. It should be noted that hear say is inadmissible in the

court.

RULES OF EVIDENCE COLLECTION

The 5 rules of electronic evidence collection are also related to the 5 properties that evidence

must possess to be useful and they are:

1) Admissible: Evidence gathered is meant for use in the court/tribunal

2) Authentic: Evidence collected must be relevant to the incidence.

3) Complete: Evidence must be able to prove that the offender is liable for the offence

despite other people present at the same time of attack. Evidence that will implicate as

well as those that will vindicate him must be collected.

4) Reliable: The methods used in the collection of evidence and the analysis procedure

must not cast any doubt on the authenticity of the evidence.

5) Believable: The evidence presented must be understandable and believable to the jury.

To have believable evidence, there are certain guidelines you must adhere to such as:

• Minimise handling and corruption of original data

10
• Account for any changes and keep detailed logs of your actions

• Comply with the five rules of evidence

• Don’t exceed your knowledge

• Follow your local security policy

• Capture as accurate an image of the system as possible

• Be prepared to testify

• Work fast

• Proceed from volatile to persistence evidence

• Don’t shutdown before collecting evidence

• Don’t run any program on affected system

11
TYPES OF COMPUTER FORENSIC TOOLS

Computer forensic tools can be classified into two major categories namely:

Hardware Forensic Tool

Software Forensic Tool

Hardware Forensic Tools

Hardware forensic tool varies and may range from simple, single purpose components to

complete systems and servers. An example of the single-purpose component is the ACARD

AEC-7720WP Ultra Wide SCSI-to-IDE Bridge. This device helps to write-block an IDE

drive connected to a SCSI cable.

Fig: ACARD AEC-7720WP Ultra Wide SCSI-to-IDE Bridge

Examples of complete systems forensic tool include the Digital Intelligence F.R.E.D. systems,

DIBS Advanced Forensic Workstation, and Forensic Computers Forensic Examination

stations and portable units (e.gTalon) just to mention a few.

12
Fig: Digital Intelligence F.R.E.D. systems

Forensic Recovery of Evidence Device (F.R.E.D) systems are designed for stationary

laboratory. It can acquire data directly from a whole range of hard drives and storage devices

including DLT-V4 tapes and save the forensic image retrieved onto a DVD, CD or hard drive.

Fig: DIBS® Advanced Forensic Workstation

The DIBS® Advanced Forensic Workstation is a very versatile piece of forensic equipment

that is easy to use. It can copy and analyse hard drives using windows XP operating systems.

The unit runs on Pentium 4 3GHz processor with a motherboard of 1GB RAM. DIBS® is

acceptable in courts throughout the world.

13
Fig: Portable Forensic Lab (PFL)

The Hand-held, computer forensic Talon is an advanced forensic capture system designed

specifically for the use of law enforcement, Military, corporate security, investigators and

auditors. Talon can make images and verifies data up to 4GB/min which makes it industry’s

most powerful and versatile data capturing system. This device captures IDE/UDMA/SATA

drives as well as SCSI drives via USB cable

Software Forensic Tools

Software forensic tool can be classified into command-line applications and GUI applications.

Some of these tools are designed to perform only one Task. A good example of this is the

SafeBack software which is a command-line disk acquisition tool from New Technologies Inc

(NTI). Other forensic software tool can carry out several tasks and these are usually GUI tools

capable of performing most of the computer forensic acquisition and analysis functions. Some

good examples of such GUI tool are the Technology Pathways ProDiscover, Guidance

Software EnCase and AccessData FTK. Many GUI acquisition tools can read all structures in

an image file as though it was the original drive. (Bill et al, 2008)

14
Comparing Forensic Tool Functions

To be able to determine what kind of tool might be required to achieve the set objectives, it is

necessary to cross-reference functions and sub-functions with vendor products to determine

which forensic tool meet my needs.

15
TOOLS AND TECNOLOGY DEPLOYED IN COMPUTER FORENSICS

Technology surrounding computer forensics can be classified into three based on the area

where it is deployed.

1. Military computer forensic technology.

2. Law enforcement computer forensic technology.

3. Business computer forensic technology.

Military Computer Forensic Technology

This technology focuses on evaluating and in-depth examination of data related to both Trans

and Post Cyber attack periods.

CFX-2000 came to be as a result of the partnership between the U.S Department of Defence

(DoD) and the National Institute of Justice via the auspices of the National Law Enforcement

and Correction Technology Centre (NLECTC). Most computer forensic examinations are

usually carried out after the crime/event has been committed. But with CFX-2000, it is

possible to accurately determine the intent, motive, target, sophistication, identity and location

of Cyber criminals by deploying an integrated analysis frame work. Forensic tools involved

in CFX-2000 consisted of commercial off the shelf software and directorate-sponsored R&D

prototype.

Law Enforcement and Business Computer Forensic Tool

AnaDisk

Anadisk turns your PC into a sophisticated diskette analysis tool. The software was originally

created to meet the needs of the U. S. Treasury Department in 1991. It is primarily used to

16
identify data storage anomalies on floppy diskettes. AnaDisk can be used to analyze floppy

diskettes when doing work which involves abnormal floppy diskettes or data storage issues

tied to floppy diskettes. However standard duplication of floppy diskettes is more easily

accomplished with NTI's COPYQM.

USES:

It is used for security reviews of floppy diskettes for storage anomalies.

It is used for editing diskette at a physical sector level.

It searches data on floppy diskettes in traditional and non-traditional storage areas.

It is also used to illustrate data hiding techniques

CRCMD5 DATA VALIDATION TOOL

This program mathematically creates a unique signature for the contents of one, multiple or

all files on a given storage device. Such signatures can be used to identify whether or not the

contents of one or more computer files have changed.

The program is also used to document that computer evidence has not been altered or

modified during computer evidence processing

USES:

It is used to identify files that have changed or have been altered.

It is used to benchmark operating system files on a new computer system before distribution

to computer users.

It is used to quickly identify altered files after a computer incident.

17
It is used in computer investigations to prove that the evidence remains unchanged after

forensic processing.

SAFEBACK 3.0

SafeBack is used to create mirror-image (bit-stream) backup files of hard disks or to make a

mirror-image copy of an entire hard disk drive or partition. The process is analogous to

photography and the creation of a photo negative. Once the photo negative has been made

several exact reproductions can be made of the original. SafeBack is an industry standard self-

authenticating computer forensics tool that is used to create evidence grade backups of hard

drives

USES:

Used to create evidence grade backups of hard disk drives on Intel based computer

systems.

Used to exactly restore archived SafeBack images to another computer hard disk drive of

equal or larger storage capacity.

Used as an evidence preservation tool in law enforcement and civil litigation matters.

Used as an intelligence gathering tool by military agencies.

GETGIF

GetGIF software is a computer forensics software tool which was designed to automatically

extract exact copies of GIF graphics file images from ambient data sources

18
GetGiF can be of assistance in investigations involving the distribution of child pornography

and in identity theft cases involving the use of GIF graphics files.

USES:

It is used to find evidence in corporate, civil and criminal investigations which involve GIF

computer graphics files, e.g., investigations which potentially involve child pornography

and/or inappropriate Internet web browsing in a corporate or government setting.

Also used with other computer forensic software to quickly reconstruct and view previously

deleted GIF graphics files stored on computer storage media.

It is used to quickly identify and view GIF image files stored anywhere on a computer hard

disk drive when used with NTI's SafeBack evidence grade backup software.

It is used effectively in computer investigations involving the distribution of child

pornography and identity theft when GIF graphics files are involved.

Used "after-the-fact" to determine what files may have been viewed over or downloaded from

the Internet. (http://www.forensics-intl.com/getgif.html)

GRAPHIC IMAGE FILE EXTRACTOR

Graphics Image File Extractor is a computer forensics software tool which was designed to

automatically extract exact copies of graphics file images from ambient data sources

19
Graphics File Extractor software can be used to quickly sample the Windows Swap/Page File

and help the computer forensics investigator in making a quick determination about possible

past Internet computer usage tied to a specific computer.

USES

It is used to find evidence in corporate, civil and criminal investigations which involve

computer graphics files, e.g., investigations which potentially involve child pornography

and/or inappropriate Internet web browsing in a corporate or government setting.

Used with other computer forensic software to quickly reconstruct and view previously

deleted BMP, GIF and JPEG graphics files stored on computer storage media.

Used to quickly identify and view BMP, GIF and JPEG image files stored anywhere on a

computer hard disk drive when used with NTI's SafeBack evidence grade backup software

and Firehand Embers.

Used effectively in computer investigations involving the distribution of child pornography

and identity theft.

Used very effectively in the recovery of deleted graphics files from computer hard disk drives

and/or digital flash memory chips. (http://www.forensics-intl.com/iextract.html)

GETSLACK

This software is used to capture all of the file slack contained on a logical hard disk drive or

floppy diskette on a DOS and Windows systems.

20
Software is an ideal computer forensics tool for use in investigations, internal audits and in

computer security reviews

Network logons and passwords are found in file slack. It is also possible for passwords used

in file encryption to be stored as memory dumps in file slack.

USES:

Quickly calculates the amount of storage space which is allocated to file slack on a logical

DOS/Windows partition.

Captures all file slack on a logical DOS/Windows drive and converts it into one or more files

automatically.

Used in computer security reviews and computer investigations.

Validates the results of computer security scrubbers used to eliminate sensitive or classified

data from file slack on computer storage devices. (http://www.forensics-

intl.com/getslack.html)

21
Tasks Performed by Computer Forensic Tools

Computer forensic tools are required to be able to perform and meet certain criteria which can be
grouped into 5 Major Categories namely:

 Acquisition

 Validation and Discrimination

 Extraction

 Reconstruction

 Reporting

Acquisition: It involves making copies of the original drive. Acquisition is referred to as the

first task in computer forensics investigation. Tools such as EnCase and AccessData FTK are

used to acquire data images. It is also possible to acquire image of data using hardware

devices such as Talon from Logicube. This hardware device possesses in-built software for

data acquisition. There are two types of data copying methods used in software acquisition

and they are: physical copying of entire drive and logical copying of disk partition. Logical

acquisition is more preferable because data acquired can be read and analysed easily.

Validation and Discrimination: Validation is the process of ensuring and maintaining the

integrity of the data acquired. The process of validating data is what result in the

discrimination of data. The main purpose of data discrimination is to separate good data from

suspicious data. All computer forensic tools have a way of ensuring that the integrity of the

data is still intact by comparing the original data with the image data. This is possible with the

help of processes like Hashing, Filtering and Analysing file header. Searching and comparing

file headers improves data discrimination.

Extraction: This is the recovery task in a computing investigation (Bill et al, 2008).

Subfunctions of extraction used in investigation include: Data viewing, Keyword searching,

22
Decompressing, carving, Decrypting and Bookmarking. Extraction of data involves great

mastery in the software and hardware deployed.

Reconstruction: Reconstruction features in a forensic tool are necessary to recreate a

suspect’s drive and to show what happened during the crime or an incident (Bill et al, 2008).

Duplicating a suspect’s hard drive enables other investigators to carry out their own

acquisition, test and analysis of the evidence. The most reliable way to recreating an image of

a suspect’s hard drive is to obtain the same make and model drive as the suspect’s drive.

Subfunctions of reconstructions are: Disk-to-disk copy, Image-to-disk copy, Partition-to-

partition copy, Image-to-partition copy. Examples of tools that can perform image-to-disk and

image-to-partition copies are: SafeBack, SnapBack, EnCase, FTK Imager, ProDiscover. All

these tools are proprietary and as such image created can only be re assemble by the exact

application that created them.

Reporting: The report phase is the final phase of the forensic disk analysis and examination.

The log report can be included in the final report detailing the step by step process undergone

during the examination.

23
SCENARIO

A company evaluates the performance and productivity of his staff and noticed that it falls

way below the standard. It discovers that valuable time being lost by his employees

downloading and surfing the internet during office hours and as such he implements strict

policy guiding against the indiscriminate use of the internet.

After few weeks, his IT manager reviews a detection tool report used by the company. This

report suggests that an employee of the company is still accessing restricted sites and

downloading objectionable content (graphic) during office hours using his official

workstation PC.

The IT manager decided to follow procedure by contacting the chief information officer

(CIO) of the company who is the person officially nominated to deal with computer related

violations and crimes within the company. He decides to invoke the incident response team

comprising of a computer forensic specialist.

The company aims to determine which employee is responsible, examining data recovered

from the employee hard disk, build evidence against such employee which might eventually

lead to their dismissal.

24
AIM AND OBJECTIVES

The purpose of Computer Forensics is to preserve, identify, extraction, document and

interpret computer data that are located on offending machines.

Academic Objectives

1) To locate and isolate offending machine(s)

2) To conduct computer forensics examination of the computer system using necessary

tools and technology.

3) To analyse the data gathered to determine where the materials came from, how often it

has been going on.

4) To prevent evidence from being contaminated.

5) To produce a report detailing every activity and action carried out on the offending

machine.

Personal objectives

To have a better understanding of computer forensics methodologies

To improve my problem solving and communication skills

To conclude my project within the allocated time required

To develop my project management skills.

25
RISKS

There are several risks that I foresee might hinder the progress of my project and they include:

Loss of data as a result of damage or loss to memory stick

Availability of credible resources

Lack of experience in the subject area.

CONTINGENCIES

Backing up all my data on multiple storage devices.

Work fast so that there is enough time to rectify any mishap.

LIMITATIONS

Time: Being able to divide my time between my project and other module as well as my paid

employment.

Cost of Tools/Software: Computer Forensic software can be very expensive so i have decided

to use the trial version of the software required to achieve my goals

Availability of credible resources: There are limited materials regarding computer forensics in

the school library.

26
27
A Brief Description of the hard drive recovered/Given

The hard drive retrieved is the Maxtor’s D740X-6L 20GB AT hard disk. This hard disk is part

of the family of high performance 1-inch high hard drive. This hard drive uses a non-

removable 3 ½-inch hard disks available with ATA interface. The Maxtor D740X-6L 20GB

AT hard disk possess an embedded hard disk drive controllers and uses ATA commands to

optimise system performance.

General characteristics

Manufacturer: Maxtor Corporation

Model: D740X6L (20GB)

Interface: EIDE/UltraATA/133

Capacity: 20GB

Total LBAs: 40,132,503

Height: 1.028" (26.10mm) max

Width: 4.00 ± 0.01" (101.6 ± 0.25mm)

Depth: 5.786" (147mm) max

Weight: <1.4lbs. (635grm)

Performance

Rotational speed: 7200RPM

Average Rotational Latency: 4.17ms

Spin-up time to Ready (typical) 12.5Sec

28
Activity Specification

Track-to-Track 0.8ms

Average Random Read 8.5ms

Average Random Write 10.5ms

Full Stroke 17.8ms

Cache (Total): 2MB

Interface transfer rate (Max) 133MB/Sec Burst

Interleave Factor: 1:1

Internal Characteristics

Number of Heads: 1

Number of Disks: 1

Track Density: 60,000 tracks per inch

Total sector: 40,132,503

Byte per sector: 512

Electrical

Nominal Voltage: +5Vdc/ +12Vdc

Voltage Margin: +5Vdc @ ± 5%, +12vdc @ ± 10%

Environmental

Operating Temperature: 5 to 55 Degrees centigrade

Operating Humidity: 10 to 85% RH (non-condensing)

Non-Operating Temperature: -40 to 65 Degrees Centigrade

Non-Operating Humidity: 5 to 95% RH (non-condensing)

29
Power Dissipation

Operating Mode Power (Watts)

Start-up (Peak) 23.9 Watts

Maximum Seeking 11.6Watts

Read/Write on Tracks 7.1Watts

Idle 6.5Watts

Standby 1.0Watt

Sleep 1.0Watt

Fig1: A diagram of the Maxtor D740X-6L 20GB AT hard drive

30
Fig2: A diagram showing the drive power and interface connector of the hard drive.

Fig3: Show the jumper locations on the hard drive

31
The Maxtor’s D740X-6L 20GB AT hard disk has three jumper location which is used to

configure the master or slave operation.

Fig4: Picture of the Maxtor’s D740X-6L 20GB AT hard disk

32
 GANTT CHART

FIG1: Gantt chart showing how I intend to implement my task

33
 WORK BREAKDOWN STRUCTURE

COMPUTER FORENSICS

To identify and explain various tools and

technology employed in computer Applying computer forensic
To investigate the current and forensics and ways of recovering and skills in the recovering of lost
future state of computer analysing data to produce indisputable data
forensics evidence

Explaining the tools Ways to recover and

Current state of and technology analyse data to
Future of employed in produce indisputable
computer forensics
computer forensics computer forensics evidence

Tools available in Technology Ways of analysing data

Ways to recover
the market and employed in to produce indisputable
lost data
Specialist tools computer forensic evidence

Examining a recovered
hard disk for lost data.

Using necessary tools

and technology to
extract lost data.

Analyse recovered data.

Production of report that

can be allowed in legal
proceedings.

34
INDICATIVE FINAL YEAR PROJECT

Acknowledgement

Abstract

Introduction

Literature review

Current state and future direction of computer Forensics

Software deployed in Computer Forensics

Case study/Scenario

How to capture and analyse data

Production of Report

Conclusion

Recommendation

Bibliography

Appendix

35
REFERENCE AND BIBLIOGRAPHY

BOOKS

 “2003 Computer Crime and Security Survey,” Federal Bureau of Investigation, J.

Edgar Hanover Building, 935 Pennsylvania Ave. NW, Washington, D.C. 20535-0001,

2003.

 John R. Vacca (2005) Computer Forensics: Computer Crime Scene Investigation 2nd

Ed. Charles River Media. Massachusetts (USA)

 Casey Eoghan (2002) Handbook of Computer Crime Investigation: Forensic Tool and

Technology. 1st Ed Academic Press Amsterdam (Netherlands)

 Casey Eoghan (2004) Digital Evidence and Computer Crime: Forensic Science,

Computers and the Internet. 2nd Ed. Academic Press. California (USA)

 Sammes, T., Sammes, A.J and Jenkinson, B (2000) Forensic Computing: A

Practitioner’s Guide(Practitioner Series), 1st Ed. Springer-Verlag

36
WEBSITES

http://www.comouterforensicworld.com/

http://support.dell.com/support/edocs/storage/7j376/intro.htm

http://www.forensic-computers.com/index.php

http://www.digitalintelligence.com/products/forensic_duplicator/

http://www.logicube.com/products/hd_duplication/talon.asp#

(http://www.forensics-intl.com/getslack.html)

(http://www.forensics-intl.com/iextract.html)

(http://www.forensics-intl.com/getgif.html)

(http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B6V8G-4BJWYVJ-

1&_user=983321&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000044920&

_version=1&_urlVersion=0&_userid=983321&md5=defaa524a1b6df68ad9b4e2612b78310)

(http://delivery.acm.org/10.1145/1070000/1060428/p143-francia.pdf?

key1=1060428&key2=2510398221&coll=GUIDE&dl=GUIDE&CFID=14665516&CFTOKE

N=83314542)

http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B6V8G-4BJWYVJ-

1&_user=983321&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000044920&

_version=1&_urlVersion=0&_userid=983321&md5=defaa524a1b6df68ad9b4e2612b78310

37
38