Computer Forensics and Jurisprudence

By: Abhishek Vaish


Academic Purpose - Internal Use

Topics of the Presentation

Introduction
History of computer forensics
Definition of what is computer forensics
Need for Computer forensics
Developing Computer forensics Resources
Preparing for computer investigation
Understanding enforcement agency investigation
Understanding corporate investigation
Investigation Process
Role of Formulating Policies and Warning Banner
Advantage of having Banners

Introduction

Computer forensics is about obtaining and analyzing digital information.
It is a very necessary skill set for law enforcement departments.
The FRE (Federal Rules of Evidence) primarily deal with the usage of digital evidence; in the Indian scenario, the Evidence Act applies.
The Fourth Amendment holds the right of people to be secure in their persons, residences and property from search and seizure.

Continued

It's different: the goal is to ensure that the recovered data is valid so that it can be used as evidence.
Evidence is of two types: inculpatory or exculpatory.
Investigators retrieve the data and, if they find what is required, they piece it together to make it evidence; it should be admissible.
For this, microscopes or other sophisticated equipment are used.

Contd.: Triad of Computer Security

Vulnerability Assessment & Risk Management
Network Intrusion Detection and Incident Response
Computer Investigation
Note: a combination of all of these will help to resolve all the issues.

History of computer forensics

By the 1970s, computers were mainframes, and law enforcement agencies were not exposed to them or to methods of rounding up digital evidence.

In the 1980s, mainframes were replaced by PCs.
Forensics tools, written in the C language, were used by the Royal Canadian Mounted Police in Ottawa.
Xtree Gold appeared on the market with functionalities like recognizing file types and retrieving lost files and data.
Norton Disk Edit soon followed and became the best tool for finding deleted files.
Powerful machines of that time, i.e. 8088 IBM-compatible computers, had a 10 MB hard disk and two floppy disk drives.

Continued

In the 1990s:
Specialized tools for computer forensics were available.
The International Association of Computer Investigative Specialists (IACIS) introduced training on currently available software for forensics investigations.
The Internal Revenue Service created search warrant programs.
ASR Data created Expert Witness for Macintosh.
One of the partners left ASR Data and developed EnCase.

Definition of what is computer forensics

Computer forensics is simply the application of computer investigation and analysis techniques in the interests of determining potential legal evidence.

Need for Computer forensics

Parties that need computer forensics (figure): Criminal Prosecutors, Civil Litigations, Individuals, Law Enforcement Officials, Insurance Companies, Corporations.

Explanation

Criminal Prosecutors use computer evidence in a variety of crimes where incriminating documents can be found: homicides, financial fraud, drug and embezzlement record-keeping, and child pornography.

Civil litigations can readily make use of personal and business records found on computer systems that bear on fraud, divorce, discrimination, and harassment cases.

Insurance Companies may be able to mitigate costs by using discovered computer evidence of possible fraud in accident, arson, and workman's compensation cases.

Corporations often hire computer forensics specialists to ascertain evidence relating to sexual harassment, embezzlement, theft or misappropriation of trade secrets and other internal/confidential information.

Law Enforcement Officials frequently require assistance in pre-search warrant preparations and post-seizure handling of the computer equipment.

Individuals sometimes hire computer forensics specialists in support of possible claims of wrongful termination, sexual harassment, or age discrimination.

Developing Computer forensics Resources

Knowledge of more than one platform, i.e. Linux, Macintosh and Windows.
Contact list: names of the professionals with whom you have worked.
Join private and public computer user groups:
Computer Technology Investigators Northwest
High Technology Crime Investigation Association

Supported Example

A case in which a person had molested young girls by intoxicating them with alcohol. After a search and seizure it was revealed that he was using CoCoDos, an OS that had not been in use for many years. The investigator posted this on a public user group, which supplied the standard commands and the information needed to gain access to the system. On the suspect's system the investigator found a diary detailing the suspect's actions over the past 15 years, including the molestation of 400 young women. As a result, the suspect received a much longer sentence than he would have if he had molested only one child.

Preparing for computer investigation

Investigation (figure): Private, Public

Public Investigation: involves government agencies responsible for criminal investigation and prosecution.
Private Investigation: private or corporate investigation, however, deals with private companies.
Things to Remember:
The organization must observe the law of the country, e.g. in the U.S. Fourth Amendment issues related to search and seizure.
Internal policies that define expected employee behavior and conduct in the workplace.

Understanding Enforcement Agency Investigation

For public computer investigations:
Prior knowledge of the law of the land on computer-related crime, and in-depth knowledge about the legal process.
Ways to build up criminal cases.

Continued

To determine whether the crime is a computer crime or not, one has to answer the following questions:

What was the tool used to commit the crime?
Was it a simple trespass?
Was it a theft, a burglary, or vandalism?
Did the perpetrator infringe on someone else's rights by cyber stalking or e-mail harassment?
Note: be well versed with the types of cyber crime implicitly or explicitly covered in the legal system.

Understanding Corporate Investigation

To conduct the investigation with minimal loss due to interruption in business operations (profit making).
Minimize or eliminate litigation.
Examples of corporate threats are:

E-mail Harassment
Falsification of Data
Gender and Age Discrimination
Embezzlement
Sabotage and Industrial Espionage
Disgruntled Employees

Investigation Process

(Figure) Complaint -> Investigation -> Prosecution

Investigation Process Dependency Parameters:
Local Custom
Legislative Structure
Rules of Evidence

Complaint

Step 1: Cognizance of the illegal act
Step 2: Complaint lodged with the police
Step 3: Framed allegation (an accusation or supposition of fact that a crime has been committed)
Step 4: Interview by the police officer followed by report finalization
Step 5: Process the report and start the investigation, or log the information in the blotter

Investigation

Step 1: Assessment of the scope
OS
Hardware, peripherals
Step 2: Assessment of resources
Proper tools
Specialists that are required
Delegation of roles and initiation of work
Step 3: Hand it over to the prosecutor
Step 4: Report with evidence to the government attorney
Step 5: In the case of a public investigation, seeking a search warrant requires submitting a duly notarized affidavit. The affidavit should exhibit information that supports the allegation to justify the warrant.

Prosecution

The procedure of the trial


Role of Formulating Policies and Warning Banner

Policies avoid litigation.
They make it permissible to conduct investigations and give the line of authority to the investigator.
Display warning banners on the screen of the computer.
In the absence of a warning banner, employees assume the right of privacy in the same manner as privacy is assured in the case of mail sent through the post.

Continued

A well-worded and strong warning banner can bypass the process of obtaining a search warrant.

Another aspect of displaying warnings is their usage; typically warnings are of two types:

For internal usage regarding intranet access
For external usage regarding Internet access

Word to be used for Policies

Access Restricted
For official Use only
Owner has the right to Monitor
Penalizing for Unauthorized Access


The language that can be used for the banner should be like the following:

Access Restricted: Access to this system and network is restricted.
For Official Use Only: Use of this system and network is for official business only.
Owner Has the Right to Monitor: Systems and networks are subject to monitoring at any time by the owner.
Penalizing Unauthorized Access: Unauthorized or illegal users of this system or network will be subject to discipline or prosecution.

For a for-profit organization which has proprietary information flowing in the network, the following language can be used:

This system is the property of Company X.
This system is for authorized use only; unauthorized access is a violation of law and violators will be prosecuted.
All activity, software, network traffic, and communication are subject to monitoring.

Advantage of having Banners

No privacy interest in the system: in case of prosecution, the warning helps in determining the user's interest in the privacy of the information stored on the system.
It is easily presentable in a court of law: bringing the policy can be difficult to present in comparison with a banner, as banners are usually very short and precise.

Computer forensics methodologies

Admissibility of Evidence
Daubert Guidelines

Do You Know?

Company property? If yes:
Because the data is on the company network, does the information belong to the company?
Now suppose that the company gave the employee the PDA as part of her holiday bonus. Can the company claim rights to the PDA?
Similar issues come up when an employee brings in a personal notebook computer and hooks it up to the company network. What rules should apply?

Managing Professional Conduct

As a computer forensics professional you should possess:
Objectivity
Confidentiality

New Topics

Preparing a Computer Investigation
Examining a Computer Crime
Examining a Company Policy Violation

Systematic Approach
Assessing the Case
Planning Your Investigation
Securing Your Investigation

Preparing a Computer Investigation

Chain of Custody or Chain of Evidence
Taking a Systematic Approach