Wednesday, January 29, 2020

Concepts of Computer Forensics

Some examples of modern cybercrime

  • child pornography; 
  • fraud; 
  • terrorism; 
  • extortion; 
  • cyberstalking; 
  • money laundering; 
  • forgery;
  • identity theft, etc.

Cybercrime investigations rely heavily on digital evidence, which comes from several kinds of analysis:
Media Analysis

  • Magnetic media (e.g., hard disks, tapes)
  • Optical media (e.g., compact discs (CDs), digital versatile discs (DVDs), Blu-ray discs)
  • Memory and flash storage (e.g., random-access memory (RAM), solid-state drives, USB flash drives)

Network analysis

  • Intrusion detection and prevention system logs   
  • Network flow data captured by a flow monitoring system
  • Packet captures deliberately collected during an incident
  • Logs from firewalls and other network security devices

Software Analysis

  • In some cases, when malicious insiders are suspected, the forensic analyst may be asked to conduct a review of software code, looking for back doors, logic bombs, or other security vulnerabilities.
  • In other cases, forensic analysts may be asked to review and interpret the log files from application or database servers, seeking other signs of malicious activity, such as SQL injection attacks, privilege escalations, or other application attacks.

Hardware/Embedded Device Analysis

  • Personal computers
  • Smartphones
  • Tablet computers
  • Embedded computers in cars, security systems, and other devices

Computer forensics can be defined as gathering and analyzing data in a manner as free from distortion or bias as possible, in order to reconstruct data or events that took place in the past on a system. The ultimate goal of a forensic investigation is therefore to identify, analyze, and reconstruct past events or activities, and to present admissible evidence in court. There are three basic criteria for evidence to be admissible in court:

  • The evidence must be relevant to determining a fact.
  • The fact that the evidence seeks to determine must be material to the case (that is, it must matter to the outcome of the case, not merely be loosely related to it).
  • The evidence must be competent, meaning it must have been obtained legally. Evidence that results from an illegal search would be inadmissible because it is not competent.

Forensic investigators use forensic tools and follow appropriate procedures to collect, preserve, analyze, and report admissible evidence to the court, together with their expert judgment of exactly what has happened. It is essential to be able to prove that the evidence presented in court has not been modified since it was collected; in practice this means recording a cryptographic hash of every acquired item at collection time, re-hashing it before analysis and presentation, and documenting every hand-off in a chain of custody.

How evidence was collected, stored, and analyzed can itself taint digital evidence. Example: suppose you copy a file on Linux with a plain cp command. Reading the source file can update its access time (depending on whether the filesystem is mounted with atime, relatime, or noatime), and the copy receives fresh modification and change times, so the original's metadata is lost. The safer approach is to image the device read-only, work on a hash-verified copy mounted read-only and noatime, and, where individual files must be copied, preserve their metadata (cp -p) and verify hashes before and after.
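The following Python script is an added illustration (not code from the original post) of the point above: it builds a constructed "evidence" file with an old timestamp, copies it once the way a plain cp does (shutil.copy) and once with metadata preserved the way cp -p does (shutil.copy2), and records size, timestamps and a SHA-256 hash before and after, which is what an examiner logs at acquisition. File names, contents and timestamps are all made up for the demo.

```python
"""Added example (not from the original post): how a naive copy alters evidence
metadata, and what an examiner records to prove content integrity anyway.
Paths, contents and timestamps are constructed for the demo."""
import hashlib
import os
import shutil
import tempfile
import time


def sha256_of(path):
    """Stream the file through SHA-256; this is the integrity value logged at acquisition."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(path):
    """Record size, timestamps and content hash, the minimum an acquisition log needs."""
    st = os.stat(path)
    return {
        "size": st.st_size,
        "mtime": st.st_mtime,   # last content modification
        "atime": st.st_atime,   # last access; may change just by reading the file
        "sha256": sha256_of(path),
    }


def changed_fields(before, after):
    """Return the set of recorded fields whose value differs between two snapshots."""
    return {k for k in before if before[k] != after[k]}


def demo():
    """Compare a plain copy with a metadata-preserving copy of a constructed evidence file."""
    workdir = tempfile.mkdtemp()
    evidence = os.path.join(workdir, "suspect_notes.txt")     # hypothetical evidence file
    with open(evidence, "wb") as f:
        f.write(b"constructed evidence content\n")

    # Give the evidence an old timestamp (90 days ago) so the effect of copying is visible.
    old = time.time() - 90 * 86400
    os.utime(evidence, (old, old))
    original = snapshot(evidence)

    naive = os.path.join(workdir, "naive_copy.txt")
    shutil.copy(evidence, naive)        # like plain `cp`: content only, timestamps are "now"

    preserved = os.path.join(workdir, "preserved_copy.txt")
    shutil.copy2(evidence, preserved)   # like `cp -p`: content plus mtime/atime

    return {
        "original": original,
        "original_after": snapshot(evidence),   # did merely reading it change anything?
        "naive": snapshot(naive),
        "preserved": snapshot(preserved),
    }


if __name__ == "__main__":
    r = demo()
    for name in ("original_after", "naive", "preserved"):
        print(f"{name:15} differs from original in: {sorted(changed_fields(r['original'], r[name])) or 'nothing'}")
```

The content hash matches in every copy, which is what lets the examiner show the data itself is intact, but the naive copy's mtime is "now" rather than the original 90-day-old value, so any timeline built from the copy would be wrong. Whether the original's atime changes in the `original_after` snapshot depends on the mount options of the filesystem the script ran on (noatime, relatime or strict atime), which is exactly why the mount options of the examination system matter and why device-level imaging is preferred over file copying.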

Where is evidence collected from?
Basically everywhere. Data can be in one of three states:

  • At rest, which means stored on a computer drive, in the cloud, on a USB drive, on a mobile phone, etc.;
  • In use, which means held in a computer's memory and currently being processed;
  • In transit, which means moving through a network.

It should be noted that the tools used to collect and analyze data at rest differ from those used for data in transit: disk imaging and file-system tools for the former, packet capture and flow analysis for the latter. Moreover, there are tools and techniques, called anti-digital forensics or ADF, which are designed to thwart discovery of such information. The main aim of ADF is to erase, obfuscate, or manipulate digital data, which makes forensic investigation much more difficult, time-consuming, or virtually impossible.
Examples:

  • renaming files by changing their extensions, so that a casual directory listing misidentifies their type;
  • hiding data by marking good blocks as bad in the filesystem's bad-blocks inode, so the filesystem never allocates or displays them;
  • overwriting data and metadata, sometimes called wiping;
  • hiding or obfuscating data through steganography, encryption, and other methods.
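As an added example (not part of the original post), here is a small Python checker for the first trick in the list: it compares a file's extension with the magic bytes at the start of its content and flags the mismatches. The signature table and the sample files it scans are constructed for the demo and cover only a handful of common formats; an examiner on a real case would rely on libmagic (the file command) or a forensic suite's signature database rather than this hand-written list.

```python
"""Added example (not from the original post): detect files whose extension
does not match the file signature (magic bytes) at the start of their content.
The signature table is deliberately small and the sample files are constructed."""
import os
import tempfile

# (label, magic bytes, extensions that legitimately carry this signature)
SIGNATURES = [
    ("PNG image",      b"\x89PNG\r\n\x1a\n", {".png"}),
    ("JPEG image",     b"\xff\xd8\xff",      {".jpg", ".jpeg"}),
    ("PDF document",   b"%PDF-",             {".pdf"}),
    ("ZIP container",  b"PK\x03\x04",        {".zip", ".docx", ".xlsx", ".pptx", ".jar", ".apk"}),
    ("ELF executable", b"\x7fELF",           {".elf", ".so", ""}),
    ("Windows PE",     b"MZ",                {".exe", ".dll", ".sys", ".scr"}),
    ("gzip archive",   b"\x1f\x8b",          {".gz", ".tgz"}),
]


def identify(header):
    """Return (label, allowed extensions) for the first signature the header matches."""
    for label, magic, exts in SIGNATURES:
        if header.startswith(magic):
            return label, exts
    return None, set()


def check_file(path):
    """Return (status, label): 'ok', 'mismatch' or 'unknown' plus the detected type."""
    with open(path, "rb") as f:
        header = f.read(16)          # longest magic in the table is 8 bytes
    ext = os.path.splitext(path)[1].lower()
    label, exts = identify(header)
    if label is None:
        return "unknown", None       # not in our table; needs a fuller signature DB
    return ("ok" if ext in exts else "mismatch"), label


def scan(directory):
    """Walk a directory tree and return {relative path: (status, label)} for every file."""
    results = {}
    for root, _, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            results[os.path.relpath(full, directory)] = check_file(full)
    return results


def build_sample_dir():
    """Constructed sample evidence tree (synthetic headers, not real files)."""
    d = tempfile.mkdtemp()
    samples = {
        "vacation.jpg": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,  # PE executable renamed to .jpg
        "report.pdf":   b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
        "photo.png":    b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
        "notes.txt":    b"nothing to see here\n",
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    for path, (status, label) in sorted(scan(build_sample_dir()).items()):
        print(f"{status:9} {path:14} {label or '-'}")
```

The interesting line of output is the renamed executable reported as a mismatch against its .jpg extension. Note the limits of the technique: a file not in the table comes back as unknown rather than as clean, a signature can itself be forged by prepending valid magic bytes, and a ZIP signature covers many Office and Java formats, so the extension set for each signature has to be kept broad to avoid false positives.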
