
Computer Forensics

when crime makes use of technology

Carlos López Grande

Ricardo Salvador Guadrón

Escuela de Ingeniería Eléctrica y Electrónica
Escuela Especializada en Ingeniería ITCA-FEPADE
Santa Tecla, El Salvador
carlos.lopez@itca.edu.sv

Escuela de Ingeniería Eléctrica y Electrónica
Escuela Especializada en Ingeniería ITCA-FEPADE
Santa Tecla, El Salvador
rguadron@itca.edu.sv

Abstract: Crime has evolved at the same speed as technology. Fraud, deception and even rape and murder can be committed using technology. Digital evidence must be admitted in court proceedings in order to resolve many cases that would otherwise be considered unsolvable.
Keywords: forensics, crime, cybercrime, Kali, CAINE, FBI, IOCE, RFC, intrusion, computer, analysis, evidence

I. INTRODUCTION
On January 10th, 2007, in an apartment at 2280 Güemes street, in Florida, Buenos Aires, Argentina, Solange Grabenheimer's lifeless body was found, with four stab wounds in her neck and signs of asphyxiation. The main suspect of the murder: her friend and roommate Lucila Frend [1], on the left in Image 1.

Image 1 Lucila Frend (left) with Solange Grabenheimer

In the autopsy performed on Solange's body at the crime scene, the vitreous body, the clear liquid that fills the space between the lens and the retina of the eyeball, was extracted. A potassium test on it yields accurate data on the time of death.
One of the forensic doctors on the case stated that the liquid extracted from the victim was contaminated, because the test results showed that the victim had been dead for 77 hours, which would mean Solange was "dead" while she was still alive. Other results placed the murder between 5:00 AM (when Lucila was home) and 5:00 PM (when Lucila was not home), and another test showed that the victim passed away between 7:00 AM and 1:00 PM. An accurate time interval for Solange's death was never obtained.
Why was the vitreous body contaminated? Because the needle touched other eye tissues, owing to the lack of experience of the person who took the sample. On top of that, they did not take the temperature of the body, because when they collected the evidence they noticed that they did not have an adequate thermometer. Lucila's alibi grew stronger, and nearly 7 years later, in November 2013, she was finally acquitted of all charges, and the case was left unresolved.
Like this case, there are many that do not get resolved due to mistakes made while collecting evidence at the crime scene. Lack of experience, not having the appropriate tools, or even ignorance can leave gaps in the forensic analysis and cause cases to be lost, like Solange's, so that perpetrators go free or innocent people serve sentences they do not deserve.
The digital world is not exempt from these kinds of criminal scenarios: the use of IT to run a scam, obtain credentials to bank accounts, send threats (while trying to stay anonymous), steal data from a company or person, deface websites or breach the confidentiality of an organization, among others. Just as in the physical world there is a forensic procedure to clear up the facts and find the perpetrators, in the digital world we can use computer forensics.

According to the FBI, computer forensics is the science that collects, preserves, analyses and presents data that has been processed and stored on electronic media, applying scientific and analytical techniques and using specialized hardware and software [2].
The application of these techniques, through technical and scientific processes, makes it possible to present accurate data to a legal process through the reconstruction of a computer asset, the examination of residual data, the authentication of data and the recovery of information, among other activities directly related to each computer crime. This serves for:
- Compensation of the damage caused by the crime.
- Prosecution of the perpetrators under the laws of the country in which the crime was committed.
- Creation and application of measures to avoid similar cases (computer forensics is not a preventive science; on the contrary, it is applied once the crime has been committed, but it can offer resources that help avoid similar crimes in the future).
II. COMPUTER FORENSICS PRINCIPLES
In the early 90s, the Federal Bureau of Investigation (FBI) observed that, just as DNA identification is a powerful evidentiary tool in the fight against crime, digital evidence could be too. To meet this need, the FBI created the CART unit (Computer Analysis and Response Team), which supports FBI investigations and the forensic examination of digital evidence.
In the late 90s, the IOCE (International Organization on Computer Evidence) was created with the purpose of sharing information on computer forensics practices worldwide.
In March 1998, the IOCE was commissioned to develop a set of regulations applicable to procedures for activities related to digital evidence, standardizing methods and procedures between countries so that the reliability of digital evidence recovered in one country is guaranteed and it can be used in the courts of another. Two years later, the G8 approved a set of principles applicable to digital evidence [3]:
- When handling digital evidence, all general forensic and procedural principles must be applied in order to protect the interests of all parties.
- Actions taken on digital evidence must not alter that evidence in any way. If a test that alters the evidence is required, the procedure must be properly documented.
- Every person who handles digital evidence must be trained to do so. Even if a copy of the evidence is made to work on, some cases will require acting on the original evidence, and only a trained person may do so.
- Every activity related to digital evidence, such as seizing, accessing, storing and transferring it, must be fully documented, preserved and available for review.
- As long as a person is in charge of digital evidence, they are responsible for all actions taken on it.
Institutions authorized to seize and handle digital evidence must ensure compliance with these principles, which serve as guidelines and support the operating procedures developed within those institutions.
All techniques used in gathering and analysing digital evidence must be based on sound scientific methodology, and must be documented under an operating protocol that makes it possible to trace the technical and legal aspects of the forensic case.
A fundamental premise of forensic science that also applies to computer forensics is Locard's exchange principle [4], which links a criminal to the crime he has committed. It is usually expressed as follows: "Whenever two objects come into contact, each transfers part of its material to the other"; for example, if you break a glass with your hand, glass fragments can be left on your hand and traces of blood on the glass. If you step on a lawn, grass can be left on the shoe and a footprint on the lawn. Applied to the digital world, an improper SSH connection may leave logs that can be reviewed later, and an exploitation attempt may leave behind files whose MD5 hashes can be traced back to a single attacker.
III. STEPS OF COMPUTER FORENSICS
Based on the FBI's concept of computer forensics, there are four main steps in the process. However, a preliminary step can be added, as shown in Image 2.

COMPUTER FORENSICS

Identification
Collection
Preservation
Analysis
Presentation
Image 2 Steps of Computer Forensics
A. Identification
Once the crime has been committed, an identification, consisting of learning and verifying the criminal act, must be initiated; generally it is done with an assessment of the resources, scope and objectives for carrying out the investigation, which must be done by a suitable team with defined limits, functions and responsibilities. Additionally, a preliminary inquiry must describe the current situation, the facts, the affected parties, possible suspects and the infrastructure that has been affected or breached, in order to understand the situation and define a course of action for the investigation.
On the other hand, the IT elements involved in the crime must be recognized, such as servers, desktop computers, mobile devices, switches, routers and firewalls. Storage devices that are considered compromised and that may serve as evidence should also be identified, such as external hard drives, removable flash memories and internal hard disk drives, among others.
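As an added example, not part of the original paper, the following Python script shows the digital side of Locard's principle on the SSH case just mentioned: it parses sshd entries from a constructed auth.log sample (addresses from the RFC 5737 documentation ranges; hostname, PIDs and user names invented for the example) and reports a source address that logged in after a run of failed attempts. The line format is the stock OpenSSH/syslog one; the threshold and time window are arbitrary tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of OpenSSH auth.log lines (not taken from any real case).
# Source addresses are from the RFC 5737 documentation ranges.
SAMPLE_AUTH_LOG = """\
Mar  3 02:14:07 web01 sshd[2214]: Failed password for invalid user admin from 198.51.100.23 port 51532 ssh2
Mar  3 02:14:09 web01 sshd[2214]: Failed password for invalid user admin from 198.51.100.23 port 51532 ssh2
Mar  3 02:14:12 web01 sshd[2219]: Failed password for root from 198.51.100.23 port 51540 ssh2
Mar  3 02:14:15 web01 sshd[2223]: Failed password for root from 198.51.100.23 port 51544 ssh2
Mar  3 02:14:20 web01 sshd[2227]: Accepted password for root from 198.51.100.23 port 51551 ssh2
Mar  3 02:14:20 web01 sshd[2227]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar  3 08:01:44 web01 sshd[3102]: Accepted publickey for deploy from 192.0.2.10 port 40122 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def parse_auth_log(text, year):
    """Turn sshd authentication lines into events. Lines that are not login
    attempts (PAM session noise) are skipped. syslog timestamps carry no year,
    so the examiner supplies it from the case context."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = f"{year} {m['month']} {int(m['day']):02d} {m['time']}"
        events.append({
            "time": datetime.strptime(stamp, "%Y %b %d %H:%M:%S"),
            "host": m["host"], "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"], "port": int(m["port"]),
        })
    return events


def find_brute_force(events, threshold=3, window_s=300):
    """Locard applied to sshd: a password-guessing session leaves a run of
    failures from one source address, and a success inside the same window is
    the trace that matters. Returns one finding per qualifying success."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_ip[ev["ip"]].append(ev)
    findings = []
    for ip, evs in by_ip.items():
        failures = []
        for ev in evs:
            if ev["result"] == "Failed":
                failures.append(ev)
                continue
            recent = [f for f in failures
                      if (ev["time"] - f["time"]).total_seconds() <= window_s]
            if len(recent) >= threshold:
                findings.append({
                    "ip": ip, "user": ev["user"], "method": ev["method"],
                    "failures": len(recent),
                    "users_tried": sorted({f["user"] for f in recent}),
                    "first_failure": recent[0]["time"].isoformat(),
                    "success": ev["time"].isoformat(),
                })
            failures = []          # a success closes the guessing run
    return findings


if __name__ == "__main__":
    for finding in find_brute_force(parse_auth_log(SAMPLE_AUTH_LOG, 2016)):
        print(finding)
```

On the constructed sample the script reports a single finding: four failures from 198.51.100.23 against the users admin and root within 13 seconds, followed by an accepted password for root. The later public-key login from 192.0.2.10 is left alone because no failures precede it. Note that the log is a system program's own output; under RFC 3227 it should be copied off the host and read with the examiner's tools, not trusted as displayed on the compromised machine.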

It is important to secure the crime scene, both physically and digitally. Just as a scene is secured to keep DNA and fingerprints uncontaminated, electronic elements must be secured.
Physical contamination can alter digital evidence. For example, static electricity from the human body may disable a circuit; knocks to a hard drive may damage it; a magnet near an electronic device can alter the stored data, among others.
In every IT forensic procedure, the enforcement of a Chain of Custody, a set of steps and procedures that help preserve digital evidence so that it can later be used as evidence during a trial, is necessary. There is no worldwide recognized standard for the Chain of Custody, but there are procedures that can be used to handle digital evidence.
The Chain of Custody [5] must reduce the number of agents involved in handling the evidence, and also protect the identity of the people involved from the recovery of the evidence until it is presented. It must ensure the integrity of the evidence in the transfers between the agents involved in the process. For this purpose, a time record of each transfer of evidence must be kept, together with the signature of the agent responsible for it. The Chain of Custody makes it possible to establish who obtained the evidence, when and where it was taken, who protected it and who had access to it throughout the investigation.
This step must produce as its result a document that defines a starting point for acquiring data and establishes which devices are to be examined.
B. Collection
The IETF (Internet Engineering Task Force), a body made up of service providers, computer manufacturers, researchers, teachers, students and others, published in 2002 RFC 3227 [6], a set of guidelines for digital evidence collection and archiving. This RFC is not mandatory, but most of its guidelines can be applied to IT forensic procedures and may serve to enhance other methods that forensic technicians follow. Even though technology in 2002 was not as advanced as it is today, RFC 3227 remains applicable to these cases.
Some of the guidelines stated by the RFC are:
- Minimize changes to the data being collected. Any changes must be correctly documented.
- Record the difference between the local time and the compromised system's time.
- At the crime scene, evidence must be collected first and analysed afterwards.
- Proceed by volatility, from the most to the least volatile element. The order that should be followed according to volatility is:
  - Registers and cache memory.
  - Routing table, ARP cache, process table, kernel statistics, memory.
  - Temporary file systems.
  - Hard disk drive.
  - Remote logging and monitoring data relevant to the case.
  - Physical configuration and network topology.
Considering that digital evidence is really easy to destroy, RFC 3227 [6] states the following recommendations:
- Do not turn off the equipment until the evidence has been fully collected. A lot of evidence can be lost, and the attacker could have altered the start-up and shutdown of the equipment to destroy evidence.
- Do not use the system's own programs to collect evidence; they may have been compromised and cannot be trusted. The forensic technician must use their own software tools to collect it.
- Do not use programs that modify the access dates and times of system files.
- Do not disconnect the equipment from the network until all evidence has been collected, because doing so could trigger a process that detects the disconnection and automatically deletes all the information in it.
On the other hand, RFC 3227 [6] sets out privacy considerations for collecting digital evidence:
- Follow the guidelines and privacy policies set by the organization and by the laws of the country or city where the crime was committed. It must be ensured that only authorized people have access to information that can be collected as evidence, like log files that can show the pattern of the attack.
- Do not intrude on individuals' privacy without a valid justification that supports it. In particular, do not collect information from areas that usually have no reason to be inspected, like users' personal files, unless there is sufficiently reliable evidence suggesting that information related to the crime is there.
- Make sure the procedures used to collect digital evidence from a crime are backed by the organization's established policies.
These considerations, along with any others the forensic technician or the organization considers appropriate, will allow the evidence to fulfil the following requirements to be considered valid:
- Admissible: it must comply with the laws (of each city and country) for it to be accepted in a court room.
- Authentic: it must be possible to link the digital evidence to the crime.
- Complete: the evidence must support the whole story behind the crime and not just one perspective of it.
- Trustworthy: nothing that compromises the authenticity and truthfulness of the evidence should exist.
- Believable: it must be credible and comprehensible evidence for the jury of the court in which it will be used.
When collecting evidence at the crime scene, it is necessary to package it correctly to guarantee its integrity, taking the Chain of Custody into account. These actions are fundamental given the great number of situations and kinds of digital evidence that can be found.
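The collection guidelines above (RFC 3227's order of volatility and the local-versus-system clock difference) and the Chain of Custody requirements of section III.A, in one added Python example that is not from the paper: it orders the artifact classes to collect, corrects host timestamps by the measured clock skew, and keeps a hash-chained custody record in which every entry commits to the previous one, so that editing or dropping a step is detectable. The artifact classes follow RFC 3227 section 2.1 (the paper's list omits archival media, which the RFC includes last); the case id, collector name, clock readings and artifact contents are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Order of volatility as listed in RFC 3227 section 2.1, most volatile first.
VOLATILITY_ORDER = [
    "registers_cache",
    "routing_arp_process_kernel_memory",
    "temporary_filesystems",
    "disk",
    "remote_logging_monitoring",
    "physical_config_topology",
    "archival_media",
]


def plan_collection(requested):
    """Sort the artifact classes to collect most-volatile-first. Anything not in
    the RFC list is rejected instead of being silently appended at the end."""
    unknown = set(requested) - set(VOLATILITY_ORDER)
    if unknown:
        raise ValueError(f"unknown artifact classes: {sorted(unknown)}")
    return sorted(set(requested), key=VOLATILITY_ORDER.index)


def clock_skew(reference_utc, system_reported_utc):
    """Difference between the examiner's trusted clock and the compromised
    system's clock, read at the same instant. Positive: the system runs ahead."""
    return system_reported_utc - reference_utc


def to_reference_time(system_ts, skew):
    """Map a timestamp read from the system's own clock onto the examiner's clock."""
    return system_ts - skew


class CustodyLog:
    """Hash-chained chain-of-custody record: each entry commits to the previous
    one, so editing or dropping any step breaks verification of the chain."""

    def __init__(self, case_id):
        self.case_id = case_id
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, artifact, data, collector, collected_at, note=""):
        body = {
            "case_id": self.case_id,
            "seq": len(self.entries),
            "artifact": artifact,
            "sha256": hashlib.sha256(data).hexdigest(),
            "size": len(data),
            "collector": collector,
            "collected_at_utc": collected_at.isoformat(),
            "note": note,
            "prev_entry_hash": self.entries[-1]["entry_hash"] if self.entries else "0" * 64,
        }
        entry = dict(body, entry_hash=self._digest(body))
        self.entries.append(entry)
        return entry

    def verify(self):
        prev = "0" * 64
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if (body.get("seq") != i or body.get("prev_entry_hash") != prev
                    or self._digest(body) != entry.get("entry_hash")):
                return False
            prev = entry["entry_hash"]
        return True


def demo_skew():
    """Constructed case: the examiner's clock read 02:20:00Z while the suspect
    host reported 02:23:12Z at the same moment, so host timestamps run 192 s
    ahead. Returns the skew in seconds and one corrected host timestamp."""
    reference = datetime(2016, 3, 3, 2, 20, 0, tzinfo=timezone.utc)
    host_now = datetime(2016, 3, 3, 2, 23, 12, tzinfo=timezone.utc)
    skew = clock_skew(reference, host_now)
    host_event = datetime(2016, 3, 3, 2, 25, 0, tzinfo=timezone.utc)
    return int(skew.total_seconds()), to_reference_time(host_event, skew).isoformat()


def build_demo_log():
    """Constructed artifacts recorded in volatility order with skew-corrected
    times; the case id and collector name are made up for the example."""
    skew = timedelta(seconds=demo_skew()[0])
    log = CustodyLog("CASE-2016-0001")
    collected = {
        "disk": bytes(range(256)) * 64,
        "routing_arp_process_kernel_memory": b"? (10.0.0.1) at 00:11:22:33:44:55 [ether] on eth0\n",
        "temporary_filesystems": b"/tmp/.X11-unix/sess.lock\n",
    }
    host_time = datetime(2016, 3, 3, 2, 25, 0, tzinfo=timezone.utc)
    for n, artifact in enumerate(plan_collection(list(collected))):
        log.record(artifact, collected[artifact], collector="examiner-1",
                   collected_at=to_reference_time(host_time + timedelta(minutes=n), skew),
                   note=f"host clock skew {int(skew.total_seconds())} s")
    return log
```

The chain stands in for the signed time records the Chain of Custody asks for: a paper signature proves who handled the evidence, and the linked hashes prove that the sequence of handling steps has not been rewritten afterwards. In practice the first entry's hash would be written on the packaging form and the log kept alongside the evidence, so both can be checked at trial.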
C. Preservation
Once the evidence has been collected, it is recommended to photograph the unaltered equipment with its serial number visible, and to photograph the disassembled equipment showing its serial number so that the two can be matched when compared. The internal configuration of the connections must be photographed as well, properly documenting the whole process and following the guidelines of the Chain of Custody.
If the main evidence is the hard disk drive of the equipment, it must not be altered, as mentioned before. For that purpose, one or more copies of the seized element must be made so that the original evidence is never modified. Once the copy has been successfully made, the original evidence must be secured with a device that does not allow writing to the disk (a write blocker).
The copy must be hashed with MD5 or SHA-1 to produce a second original from which the remaining copies will be made and analysed. A hash must be generated for each copy to ensure that it has not been altered and that it is identical to the original. A caveat a practitioner should add today: MD5 and SHA-1 are both collision-broken, so SHA-256 should be recorded alongside any legacy MD5 value; an MD5 hash alone no longer proves that a copy could not have been substituted. All evidence must be documented, including a packaging form that lists its characteristics, such as manufacturer, serial number, physical condition and storage, among others.
It is recommended to photograph the original hard disk drive and the media used to make the copies, and to document the date and time in order to certify the proper delivery of the original and the copies. They must be stored in a safe place, away from electromagnetic fields that can damage the evidence.
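An added Python example of the hashing step described above (not code from the paper): one streaming pass computes SHA-256 and MD5 over an image, the values are kept as a manifest taken from the write-blocked original, and every working copy is re-hashed against it. The "drive" is a constructed 2.5 MiB file written to a temporary directory; a second copy with a single bit flipped shows what a failed verification looks like.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on multi-gigabyte images


def hash_image(path, algorithms=("sha256", "md5")):
    """One streaming pass over the image computes every requested digest, so a
    large image is read once and never loaded whole into memory. SHA-256 is the
    value that actually proves integrity; MD5 is kept only to match older
    paperwork that recorded it."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                break
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_copy(copy_path, manifest):
    """Re-hash a working copy and compare it with the manifest taken from the
    write-blocked original. Returns (ok, names of the digests that differ)."""
    actual = hash_image(copy_path, tuple(manifest))
    mismatched = [name for name in manifest if actual[name] != manifest[name]]
    return (not mismatched, mismatched)


def demo_verification():
    """Constructed 2.5 MiB 'drive', one faithful copy and one copy with a single
    bit flipped deep inside; returns what verification reports for each."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        original = tmp / "original.dd"
        original.write_bytes(bytes(range(256)) * (10 * 1024 + 1))

        good = tmp / "copy1.dd"
        shutil.copyfile(original, good)

        bad = tmp / "copy2.dd"
        data = bytearray(original.read_bytes())
        data[len(data) // 2] ^= 0x01
        bad.write_bytes(bytes(data))

        manifest = hash_image(original)       # taken before any copy is handled
        return {
            "manifest": manifest,
            "good": verify_copy(good, manifest),
            "bad": verify_copy(bad, manifest),
        }


if __name__ == "__main__":
    result = demo_verification()
    print("original:", result["manifest"])
    print("copy1 ok:", result["good"])
    print("copy2 ok:", result["bad"])
```

The manifest is what goes on the packaging form and into the custody record; a copy that fails verification is discarded and re-imaged rather than analysed, since nothing found on it could be tied back to the original.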

From this moment on, it is recommended that every time any collected evidence is going to be used, it be supervised by a trustworthy witness who certifies that the copies are being used and that they have not been altered. It is optional, but recommended, that a witness also certify that no harm was done to the evidence during its collection, copying and storage.
D. Analysis
Once the collection of the digital evidence needed to solve the case is complete, the analysis must be performed on an isolated network with equipment capable of executing the task. There are different hardware and software solutions, both paid and open source, for performing forensic analysis. Which tools are used on the evidence depends on the forensic technician and their work environment.
Depending on the kind of scenario, the application of computer forensics changes. When a computer system or digital evidence is involved but the crime committed is of a different nature, such as identity theft, fraud or intellectual property crimes, among others, computer forensics is applied. If the investigation concerns attacks or suspicious behaviour directed at computer systems themselves, such as intrusions or DoS attacks, then it is applied as intrusion forensics [7].
The analysis of digital evidence can be performed in two ways:
Post-mortem analysis: the evidence is analysed with equipment specialized in computer forensics, usually found in a laboratory that has the hardware and software tools needed for the analysis.
Crime scene analysis: not recommended, but if there is no other option, the analysis is performed on the compromised or trespassed equipment. In this case, it is recommended to use a storage device carrying the forensic analysis tools, set up so that they do not modify the compromised system in any way. After a crime scene analysis, a post-mortem analysis must still be performed.
One of the first things a computer forensics technician should consider when analysing evidence is the set of tools available in the lab.
As mentioned before, there are many paid and open source solutions for this purpose. Three free Linux distributions containing useful tools for forensic analysis are described below:
Kali Linux 2016.1 [8]: the most recent release of this distribution, known for its widespread use because of the number of hacking tools it contains. In that sense, it has a relatively small toolbox for forensic analysis of digital evidence. It can even be used for crime scene analysis thanks to its Forensic Mode boot option, shown in Image 3. This mode boots the compromised equipment without automatically mounting the internal and external storage units and without activating swap, either of which could otherwise modify the information within them.

Image 3 Kali Linux 2016.1 boot options

CAINE 7 (Computer Aided INvestigative Environment) [9]: as shown in Image 4, CAINE is a Linux distribution created by Italian developers, based on Ubuntu 14.04 and released in 2015 for 64-bit systems. It allows storage devices to be blocked and set to read-only mode using one of the tools the distribution includes. It has a user-friendly interface that guides the forensic technician from the collection of the evidence to the final report delivered to the authorities. It features an application called Systemback, which allows rolling back in the way a system restore does. It can also be used as a live CD. It includes tools specialized in making exact images of storage devices, recovering previously deleted files and folders, and recovering images or photos that have been deleted from the system.

The goal of these and other distributions or software tools is to support each step of the computer forensics process. The flexibility and customizability of these distributions allow the technician to add or remove the tools they consider necessary for their research methodology, producing results that can be presented in a judicial trial.
It should be noted that each tool serves a specific purpose more efficiently than others. For example, there are very intuitive tools for finding information by keyword at the order of a judge that are not as effective at blocking writes to a hard disk, while other tools are effective at blocking writes to preserve digital evidence from contamination but are not agile for keyword search and analysis.
It is recommended that, depending on the problem to be analysed, a combination of tools be applied to ensure effectiveness. This is essential in cases where a person's liberty is at stake and may depend on the outcome of an expert examination performed with computer forensics tools.
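An added Python example of the keyword-search side mentioned above (it is not a tool from Kali, CAINE or SIFT): it scans a raw image in fixed-size chunks and handles the edge case a naive chunked search gets wrong, a keyword that straddles a chunk boundary, by carrying an overlap from one chunk to the next. Each keyword is also searched as UTF-16LE, the encoding Windows registry and document strings commonly use. The image and the planted strings are constructed for the example.

```python
import io
import re


def search_stream(fh, keywords, chunk_size=4096, encodings=("ascii", "utf-16-le"), context=16):
    """Case-insensitive keyword search over a raw image read in fixed chunks.
    An overlap of (longest pattern - 1) bytes is carried from one chunk to the
    next, so a hit that straddles a chunk boundary is still found, and hits that
    lie entirely inside the overlap are skipped because the previous round
    already reported them. Each keyword is searched in every listed encoding."""
    variants = [(kw, enc, kw.encode(enc)) for kw in keywords for enc in encodings]
    pattern = re.compile(b"|".join(re.escape(b) for _, _, b in variants), re.IGNORECASE)
    lookup = {b.lower(): (kw, enc) for kw, enc, b in variants}
    overlap = max(len(b) for _, _, b in variants) - 1
    hits, tail, base = [], b"", 0          # base: absolute offset of buf[0]
    while True:
        chunk = fh.read(chunk_size)
        if not chunk:
            break
        buf = tail + chunk
        for m in pattern.finditer(buf):
            if m.end() <= len(tail):
                continue                   # fully inside the overlap: already seen
            kw, enc = lookup[m.group(0).lower()]
            hits.append({
                "offset": base + m.start(), "keyword": kw, "encoding": enc,
                "context": bytes(buf[max(0, m.start() - context):m.end() + context]),
            })
        tail = buf[-overlap:] if overlap else b""
        base += len(buf) - len(tail)
    return hits


def search_image(path, keywords, **kwargs):
    """Convenience wrapper for an image file on disk (opened read-only)."""
    with open(path, "rb") as fh:
        return search_stream(fh, keywords, **kwargs)


def demo_hits(chunk_size=4096):
    """Constructed 12 KiB image with three planted strings: one that straddles the
    first 4 KiB boundary, one in upper case, and one encoded as UTF-16LE."""
    image = bytearray(3 * 4096)
    image[4090:4098] = b"transfer"
    image[6000:6008] = b"TRANSFER"
    image[8200:8214] = "invoice".encode("utf-16-le")
    hits = search_stream(io.BytesIO(bytes(image)), ["transfer", "invoice"], chunk_size=chunk_size)
    return [(h["offset"], h["keyword"], h["encoding"]) for h in hits]


if __name__ == "__main__":
    print(demo_hits())
```

The offsets are what the report needs: they let a second examiner re-locate each hit on a fresh copy of the image, and they can be mapped to a file or to unallocated space with the file-system tools of the distributions described here. The same hits must come back whatever chunk size is used; that property is what the boundary handling buys, and the test below checks it with a deliberately tiny chunk.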

Image 4 CAINE 7 user interface


SIFT (SANS Investigative Forensic Toolkit) [10]: an Ubuntu-based platform that offers the technician the tools to perform a detailed investigation of digital evidence. It supports the file systems of current operating systems. It also contains applications for creating images of storage devices, recovering files, documents and images, analysing logs from different devices, and more. One advantage of SIFT is that the same set of forensic tools can be built on any Linux distribution simply by installing the needed packages. It also contains manuals and guides that help newcomers to computer forensics understand how to use the different tools, as shown in Image 5.

E. Presentation
Throughout the computer forensics process, documentation has been mentioned many times. It is an important step because it makes it possible to present accurate, understandable, clear and complete data in a written report of the steps carried out during the analysis, the findings and the interpretation of each step, with a conclusion for each of them. In most cases the document is presented to institutions that lack technical knowledge of the subject, so it must be written in a simple and understandable way.
In general, two documents are recommended. The first is an Executive Report that summarizes the most important data of the investigation without going into technical detail. This report has to be clear, accurate and brief, and should leave no open questions. The second, a Technical Report, details all the analysis performed on the evidence more precisely, highlighting the techniques used and the results found, emphasizing observations and leaving out personal opinions.
IV. CONCLUSIONS
Having studied computer forensics, it is necessary to recognize that there are several difficulties in implementing it correctly. These range from the proper academic and technical training of forensic technicians to the laws of each country, the way they are applied, and how digital evidence is presented in each legal case. But difficulties become challenges for everyone involved in the process: legislators, judges, investigators and computer specialists.
Every forensic discipline evolves over time as new discoveries are made, new scientific methodologies are developed and implementation techniques are improved to support the technicians' daily work and analysis. The computing field does the same, since it changes on a daily basis, which demands greater training and preparation.

Image 5 SIFT work environment

Many cases that today seem unsolvable may find a solution in the future, precisely because crime now uses technology.

REFERENCES
[1] S. Amaya, La Nación, 4 July 2011. [Online]. Available: http://www.lanacion.com.ar/1386331-caso-solange-que-podria-llegar-a-condenar-o-absolver-a-lucila-frend. [Accessed: 10 February 2016].
[2] M. G. Noblett and M. M. Pollit, FBI, October 2000. [Online]. Available: https://www.fbi.gov/about-us/lab/forensic-science-communications/fsc/oct2000/index.htm/computer.htm. [Accessed: 10 February 2016].
[3] FBI, April 2000. [Online]. Available: https://www.fbi.gov/about-us/lab/forensic-science-communications/fsc/april2000/swgde.htm/. [Accessed: 15 February 2016].
[4] Wikipedia, "Edmond Locard", 22 September 2014. [Online]. Available: https://es.wikipedia.org/wiki/Edmond_Locard#Principio_de_intercambio_de_Locard. [Accessed: 2 March 2016].
[5] C. d. T. e. Criminalística, Ministerio Público Fiscal, July 2015. [Online]. Available: http://www.mpf.gob.ar/capacitacion/files/2015/07/ManualCriminalistica.pdf. [Accessed: 3 March 2016].
[6] D. Brezinski and T. Killalea, RFC 3227, IETF, February 2002. [Online]. Available: https://www.ietf.org/rfc/rfc3227.txt. [Accessed: 4 March 2016].
[7] G. Mohay, A. Anderson, B. Collie, O. de Vel and R. McKemmish, Computer and Intrusion Forensics, Artech House, 2001.
[8] muts, Kali, 21 January 2016. [Online]. Available: https://www.kali.org/news/kali-linux-rolling-edition-2016-1/. [Accessed: 6 March 2016].
[9] CAINE, CAINE Live, 5 November 2015. [Online]. Available: http://www.caine-live.net/. [Accessed: 8 March 2016].
[10] SANS DFIR, SANS Digital Forensics and Incident Response, March 2015. [Online]. Available: http://digital-forensics.sans.org/community/downloads. [Accessed: 12 March 2016].
