Computer Forensics

COMPUTER FORENSICS Mr Kolapo Oyeusi 04044790 [email protected]

Supervisor : Dr. Nick Ioannides [email protected]

A Dissertation submitted in partial fulfilment of the requirements of London Metropolitan University for the degree of Bachelor of Science in Computer Networking with Honours

May 2009

Faculty of Computing

TABLE OF CONTENT Definition of Terms Glossary Acknowledgements Dedication Abstract Chapter 1: Introduction Chapter 2: Literature review Chapter 3: Approach and scope Chapter 4: Practical/ Simulation/ Research work & Result Chapter 5: A Critical Appraisal, Recommendations and Suggestions for further Work Summary Chapter 6: Conclusions Appendices Appendix A: Project Proposal Report Appendix B: Materials (i.e Configurations, Program source listings etc) Reference & Bibliography Literature review Reference and Bibliography 2

Definition of terms

Write-Blockers: These are devices that allow acquisition of information on a drive without creating the possibility of accidentally damaging the drive contents. Hardware write blockers can be IDE-to-IDE or Firewire/USB-to-IDE. Good data: These are known file types such as operating system files and common programs (Microsoft word etc)

3

Chapter 1: Introduction Computer forensic is the collection, preservation, analysis and presentation of computer related evidence that can be useful in criminal cases, civil disputes and human resources/employment proceedings (Vacca, 2005). With the growth of the internet and the ever changing digital environment, the need for computer forensics experts cannot be over emphasised. The world gradually is becoming a global village due to the presence of the internet and the personal computer. Businesses and transactions that would have been done in person are now carried out online. The internet has made targets much more accessible and the risk involved for the criminals are much lower than traditional crimes. With more people embracing the internet, the number of people using the internet is expected to rise to 794 million in 2009 from 657 million that is currently available (Vacca, 2005). However, the word forensic was derived from usage in the medical field. Forensic Medicine has been a recognised discipline as far back as the 18th century (Dixon, 2005). The computer industry has been taking computer forensic serious for some years now due to embarrassing computer break-ins by teenage hackers. Computer forensics is one of the largest growing professions of the 21st century. (Vacca, 2005). This is partly due to the growth of the internet which allows organizations and individuals to be susceptible to security threat. It is difficult to pinpoint the first computer forensic examination but in 1991, the term computer forensics was coined in the first training session held by the International Association of Computer Investigative Specialist (IACIS) (www.forensics-intl.com)

4

Computer forensics has also been described as the autopsy of a computer hard disk drive because specialized software tools and techniques are required to analyze the various levels at which computer data is stored after the fact. The Military and the intelligence gathering agency have been involved in computer forensics since the mid-1980 but this field is relatively new to the private sector. Computer forensic tools and procedures are used to identify computer security weaknesses and the leakage of sensitive computer data. (www.forensics-intl.com) The main goals of computer forensics are the preservation, identification, extraction, documentation and interpretation of recovered computer data.

5

Chapter 2: Literature review Several criminal activities are being committed nowadays such as cyber terrorism, internet fraud, viruses, illegal downloads, falsification of document, child pornography, counterfeiting, economic espionage, benefit fraud, human resources/employment proceedings just to mention a few. As such, there is need for necessary legislation to help prosecute the perpetrators of these crimes. This is where the skills of a forensic expert come in to help build indisputable evidence against them. If the computer and its contents are examined by anyone other than a trained and experienced computer forensics specialist, the usefulness and credibility of that evidence will be tainted (Vacca , 2005). A highly skilled computer forensic analyst is someone who understands the discipline as well as understands the use of computer forensic tools. Network forensic investigators on the other hand uses log files to determine when users logged on and they also try to determine which URL’s users accessed, how they logged on to the network and from what location. In special cases, forensic experts use electron microscopes and other sophisticated equipments to retrieve information from machines that have been damage or formatted. The use of this method can be very capital intensive which may sometime exceed $20000. (Bill Nelson et al, 2008) A survey recently conducted reveals that both public and private agencies face serious threats from external and internal sources. (Computer Crime and Security Survey, 2003) There are three things to take into consideration when carrying out computer forensic. A computer can be the target of the crime, it can be the instrument of the crime or it can serve as an evidence repository storing valuable information about the crime. Knowing what role the computer played in the crime can of tremendous help when searching for evidence. This knowledge can also help reduce the time taken to package your evidence. 6

Also, the evidence required can be located on a network, embedded system or on dead systems. Most forensic examination is carried out on dead systems that have been delivered for analysis. It is recommended that computers should be powered down to prevent loss of evidence when making seizure but doing so before collecting volatile evidence can lead to loss of evidence when dealing with systems with large RAM or those having active network connections (Casey,2002). The integrity and security of evidence is a priority when carrying out forensic investigation and there are stringent guidelines that must be adhered to even when trying to save time. A computer forensics specialist should not just rely on just one tool to preserve, identify, extract and validate the computer evidence. Cross validation through the use of multiple tools and techniques is standard in all forensic sciences. When this procedure is not used, it creates advantages for defence lawyers who may challenge the accuracy of the software tool used and thus the integrity of the results. Using multiple validation software tools enables computer forensic specialists and procedures eliminate any doubt about the accuracy of the evidence. (www.forensics-intl.com) When searching for graphical images on a computer system, it is important not to look for files with the GIF or JPEG extensions only since the suspect might have saved it with another extension like DOC. Therefore it is important to search every sector of the physical disk for certain file types (Casey, 2002) Encryption and stenography hinder the investigation of a computer forensic specialist. Encryption makes it difficult for the examiner to analyse evidence that have been found, collected, documented and preserved. Stenography on the other hand involves the act of hiding information.

7

An individual using specialist data hiding tools like the Marutukku can protect its self from all data recovery techniques. (Casey, 2002) Computers have been featuring in litigations for over 31 years. In 1977, there were 20 U.K cases in which the word computer appeared and which was sufficiently important to be noted in the lexis database. In the United state, there were 291 federal cases and 246 state cases in which it appeared (Vacca, 2005). A lot of people sometimes think of a computer forensic expert as someone who helps in recovering lost digital data from a computer but their work goes far beyond that. Countries all over the world are creating new laws and amending old ones since the surge in computer related crimes. It is important to have the necessary legal backing to bring the perpetrators of these crimes to justice or else the work carried out by a computer forensic specialist will be in vain. Likewise, businesses are adjusting their policies to help protect themselves against disgruntled employees willing to reveal sensitive client records and trade secrets. Employing the services of a computer forensic specialist can be tricky sometimes. Having someone with the expertise and experience is not just enough nowadays. The individual must also be able to testify and stand up to scrutiny and pressure of cross examination in the law court. In the early 1980’s, computer forensic tools were simple and mainly generated by government agencies such as the U.S internal Revenue Service (IRS) and the Royal Canadian Mounted Police (RCMP) in Ottawa. Most of the tools written then were in C language and assembly language and were not that popular. Moving into the mid 1980’s, a software known as Xtree Gold was introduced which was able to recognise file types as well as retrieve lost or deleted files. Shortly after the release of Xtree, Norton released the DiskEdit and this became the best

8

tool for finding deleted files at that time because the DiskEdit was compatible with most PC’s then. Moving into the 1990’s, specialist tools for computer forensics became available. This led to the training on software for computer forensic investigation by the International association of Computer Investigative Specialist (IACIS). ASR Data created commercial GUI forensic software called Expert Witness. The Expert Witness could recover deleted files and fragments of deleted files. One of the ASR partner left to develop Encase which is the most popular forensic tool.

DATA RECOVERY Data recovery is the process in which highly trained forensic experts evaluate and extract data from damaged media and return it in an intact format (Vacca, 2005). Lost data might be as a result of computer systems crashing, accidental deletion, computer viruses corrupting files, disgruntled employee destroying files just to mention a few. There is a high chance of recovering all the data if recovery is attempted shortly after the files must have been removed. Most Linux systems use the ext2 file system which reveals the presence of slack space. A tool called bmap can jam data in the slack space, take out data and also wipe the slack space clean if needed. Data can be hidden in slack space to store secrets, plant evidence and maybe hide tools from integrity checkers. EVIDENCE COLLECTION There are two main reasons why we need to collect evidence: 1) Future prevention. 2) Responsibility. 9

The job of a computer forensic specialist goes far beyond just data recovery. Evidence collection must be done in a methodological manner by professionals trained for this purpose. Real Evidence: is any evidence that speaks for itself without relying on anything else. For instance, a log produced by an audit function which is free from contamination. Testimonial Evidence: This is any evidence supplied by a witness. This evidence is dependent on the reliability of the witness. As long as the witness is reliable, the testimonial evidence can be as powerful the real evidence. It should be noted that hear say is inadmissible in the court. RULES OF EVIDENCE COLLECTION The 5 rules of electronic evidence collection are also related to the 5 properties that evidence must possess to be useful and they are: 1) Admissible: Evidence gathered is meant for use in the court/tribunal 2) Authentic: Evidence collected must be relevant to the incidence. 3) Complete: Evidence must be able to prove that the offender is liable for the offence

despite other people present at the same time of attack. Evidence that will implicate as well as those that will vindicate him must be collected. 4) Reliable: The methods used in the collection of evidence and the analysis procedure

must not cast any doubt on the authenticity of the evidence. 5) Believable: The evidence presented must be understandable and believable to the jury.

To have believable evidence, there are certain guidelines you must adhere to such as: • Minimise handling and corruption of original data

10

• Account for any changes and keep detailed logs of your actions • Comply with the five rules of evidence • Don’t exceed your knowledge • Follow your local security policy • Capture as accurate an image of the system as possible • Be prepared to testify • Work fast • Proceed from volatile to persistence evidence • Don’t shutdown before collecting evidence • Don’t run any program on affected system

11

TYPES OF COMPUTER FORENSIC TOOLS Computer forensic tools can be classified into two major categories namely: Hardware Forensic Tool Software Forensic Tool Hardware Forensic Tools Hardware forensic tool varies and may range from simple, single purpose components to complete systems and servers. An example of the single-purpose component is the ACARD AEC-7720WP Ultra Wide SCSI-to-IDE Bridge. This device helps to write-block an IDE drive connected to a SCSI cable.

Fig: ACARD AEC-7720WP Ultra Wide SCSI-to-IDE Bridge Examples of complete systems forensic tool include the Digital Intelligence F.R.E.D. systems, DIBS Advanced Forensic Workstation, and Forensic Computers Forensic Examination stations and portable units (e.gTalon) just to mention a few.

12

Fig: Digital Intelligence F.R.E.D. systems Forensic Recovery of Evidence Device (F.R.E.D) systems are designed for stationary laboratory. It can acquire data directly from a whole range of hard drives and storage devices including DLT-V4 tapes and save the forensic image retrieved onto a DVD, CD or hard drive.

Fig: DIBS® Advanced Forensic Workstation The DIBS® Advanced Forensic Workstation is a very versatile piece of forensic equipment that is easy to use. It can copy and analyse hard drives using windows XP operating systems. The unit runs on Pentium 4 3GHz processor with a motherboard of 1GB RAM. DIBS® is acceptable in courts throughout the world.

13

Fig: Portable Forensic Lab (PFL) The Hand-held, computer forensic Talon is an advanced forensic capture system designed specifically for the use of law enforcement, Military, corporate security, investigators and auditors. Talon can make images and verifies data up to 4GB/min which makes it industry’s most powerful and versatile data capturing system. This device captures IDE/UDMA/SATA drives as well as SCSI drives via USB cable Software Forensic Tools Software forensic tool can be classified into command-line applications and GUI applications. Some of these tools are designed to perform only one Task. A good example of this is the SafeBack software which is a command-line disk acquisition tool from New Technologies Inc (NTI). Other forensic software tool can carry out several tasks and these are usually GUI tools capable of performing most of the computer forensic acquisition and analysis functions. Some good examples of such GUI tool are the Technology Pathways ProDiscover, Guidance Software EnCase and AccessData FTK. Many GUI acquisition tools can read all structures in an image file as though it was the original drive. (Bill et al, 2008)

14

Comparing Forensic Tool Functions To be able to determine what kind of tool might be required to achieve the set objectives, it is necessary to cross-reference functions and sub-functions with vendor products to determine which forensic tool meet my needs.

15

TOOLS AND TECNOLOGY DEPLOYED IN COMPUTER FORENSICS Technology surrounding computer forensics can be classified into three based on the area where it is deployed. 1. Military computer forensic technology. 2. Law enforcement computer forensic technology. 3. Business computer forensic technology.

Military Computer Forensic Technology This technology focuses on evaluating and in-depth examination of data related to both Trans and Post Cyber attack periods. CFX-2000 came to be as a result of the partnership between the U.S Department of Defence (DoD) and the National Institute of Justice via the auspices of the National Law Enforcement and Correction Technology Centre (NLECTC). Most computer forensic examinations are usually carried out after the crime/event has been committed. But with CFX-2000, it is possible to accurately determine the intent, motive, target, sophistication, identity and location of Cyber criminals by deploying an integrated analysis frame work. Forensic tools involved in CFX-2000 consisted of commercial off the shelf software and directorate-sponsored R&D prototype. Law Enforcement and Business Computer Forensic Tool AnaDisk Anadisk turns your PC into a sophisticated diskette analysis tool. The software was originally created to meet the needs of the U. S. Treasury Department in 1991. It is primarily used to 16

identify data storage anomalies on floppy diskettes. AnaDisk can be used to analyze floppy diskettes when doing work which involves abnormal floppy diskettes or data storage issues tied to floppy diskettes. However standard duplication of floppy diskettes is more easily accomplished with NTI's COPYQM. USES: It is used for security reviews of floppy diskettes for storage anomalies. It is used for editing diskette at a physical sector level. It searches data on floppy diskettes in traditional and non-traditional storage areas. It is also used to illustrate data hiding techniques CRCMD5 DATA VALIDATION TOOL This program mathematically creates a unique signature for the contents of one, multiple or all files on a given storage device. Such signatures can be used to identify whether or not the contents of one or more computer files have changed. The program is also used to document that computer evidence has not been altered or modified during computer evidence processing USES: It is used to identify files that have changed or have been altered. It is used to benchmark operating system files on a new computer system before distribution to computer users. It is used to quickly identify altered files after a computer incident. 17

It is used in computer investigations to prove that the evidence remains unchanged after forensic processing. SAFEBACK 3.0 SafeBack is used to create mirror-image (bit-stream) backup files of hard disks or to make a mirror-image copy of an entire hard disk drive or partition. The process is analogous to photography and the creation of a photo negative. Once the photo negative has been made several exact reproductions can be made of the original. SafeBack is an industry standard selfauthenticating computer forensics tool that is used to create evidence grade backups of hard drives USES: Used to create evidence grade backups of hard disk drives on Intel based computer systems. Used to exactly restore archived SafeBack images to another computer hard disk drive of equal or larger storage capacity. Used as an evidence preservation tool in law enforcement and civil litigation matters. Used as an intelligence gathering tool by military agencies.

GETGIF GetGIF software is a computer forensics software tool which was designed to automatically extract exact copies of GIF graphics file images from ambient data sources

18

GetGiF can be of assistance in investigations involving the distribution of child pornography and in identity theft cases involving the use of GIF graphics files. USES: It is used to find evidence in corporate, civil and criminal investigations which involve GIF computer graphics files, e.g., investigations which potentially involve child pornography and/or inappropriate Internet web browsing in a corporate or government setting. Also used with other computer forensic software to quickly reconstruct and view previously deleted GIF graphics files stored on computer storage media. It is used to quickly identify and view GIF image files stored anywhere on a computer hard disk drive when used with NTI's SafeBack evidence grade backup software. It is used effectively in computer investigations involving the distribution of child pornography and identity theft when GIF graphics files are involved. Used "after-the-fact" to determine what files may have been viewed over or downloaded from the Internet. (http://www.forensics-intl.com/getgif.html)

GRAPHIC IMAGE FILE EXTRACTOR Graphics Image File Extractor is a computer forensics software tool which was designed to automatically extract exact copies of graphics file images from ambient data sources

19

Graphics File Extractor software can be used to quickly sample the Windows Swap/Page File and help the computer forensics investigator in making a quick determination about possible past Internet computer usage tied to a specific computer. USES It is used to find evidence in corporate, civil and criminal investigations which involve computer graphics files, e.g., investigations which potentially involve child pornography and/or inappropriate Internet web browsing in a corporate or government setting. Used with other computer forensic software to quickly reconstruct and view previously deleted BMP, GIF and JPEG graphics files stored on computer storage media. Used to quickly identify and view BMP, GIF and JPEG image files stored anywhere on a computer hard disk drive when used with NTI's SafeBack evidence grade backup software and Firehand Embers. Used effectively in computer investigations involving the distribution of child pornography and identity theft. Used very effectively in the recovery of deleted graphics files from computer hard disk drives and/or digital flash memory chips. (http://www.forensics-intl.com/iextract.html)

GETSLACK This software is used to capture all of the file slack contained on a logical hard disk drive or floppy diskette on a DOS and Windows systems.

20

Software is an ideal computer forensics tool for use in investigations, internal audits and in computer security reviews Network logons and passwords are found in file slack. It is also possible for passwords used in file encryption to be stored as memory dumps in file slack. USES: Quickly calculates the amount of storage space which is allocated to file slack on a logical DOS/Windows partition. Captures all file slack on a logical DOS/Windows drive and converts it into one or more files automatically. Used in computer security reviews and computer investigations. Validates the results of computer security scrubbers used to eliminate sensitive or classified data from file slack on computer storage devices. (http://www.forensicsintl.com/getslack.html)

21

Tasks Performed by Computer Forensic Tools Computer forensic tools are required to be able to perform and meet certain criteria which can be grouped into 5 Major Categories namely:  Acquisition  Validation and Discrimination  Extraction  Reconstruction  Reporting

Acquisition: It involves making copies of the original drive. Acquisition is referred to as the first task in computer forensics investigation. Tools such as EnCase and AccessData FTK are used to acquire data images. It is also possible to acquire image of data using hardware devices such as Talon from Logicube. This hardware device possesses in-built software for data acquisition. There are two types of data copying methods used in software acquisition and they are: physical copying of entire drive and logical copying of disk partition. Logical acquisition is more preferable because data acquired can be read and analysed easily. Validation and Discrimination: Validation is the process of ensuring and maintaining the integrity of the data acquired. The process of validating data is what result in the discrimination of data. The main purpose of data discrimination is to separate good data from suspicious data. All computer forensic tools have a way of ensuring that the integrity of the data is still intact by comparing the original data with the image data. This is possible with the help of processes like Hashing, Filtering and Analysing file header. Searching and comparing file headers improves data discrimination. Extraction: This is the recovery task in a computing investigation (Bill et al, 2008). Subfunctions of extraction used in investigation include: Data viewing, Keyword searching,

22

Decompressing, carving, Decrypting and Bookmarking. Extraction of data involves great mastery in the software and hardware deployed. Reconstruction: Reconstruction features in a forensic tool are necessary to recreate a suspect’s drive and to show what happened during the crime or an incident (Bill et al, 2008). Duplicating a suspect’s hard drive enables other investigators to carry out their own acquisition, test and analysis of the evidence. The most reliable way to recreating an image of a suspect’s hard drive is to obtain the same make and model drive as the suspect’s drive. Subfunctions of reconstructions are: Disk-to-disk copy, Image-to-disk copy, Partition-topartition copy, Image-to-partition copy. Examples of tools that can perform image-to-disk and image-to-partition copies are: SafeBack, SnapBack, EnCase, FTK Imager, ProDiscover. All these tools are proprietary and as such image created can only be re assemble by the exact application that created them. Reporting: The report phase is the final phase of the forensic disk analysis and examination. The log report can be included in the final report detailing the step by step process undergone during the examination.

23

SCENARIO A company evaluates the performance and productivity of his staff and noticed that it falls way below the standard. It discovers that valuable time being lost by his employees downloading and surfing the internet during office hours and as such he implements strict policy guiding against the indiscriminate use of the internet. After few weeks, his IT manager reviews a detection tool report used by the company. This report suggests that an employee of the company is still accessing restricted sites and downloading objectionable content (graphic) during office hours using his official workstation PC. The IT manager decided to follow procedure by contacting the chief information officer (CIO) of the company who is the person officially nominated to deal with computer related violations and crimes within the company. He decides to invoke the incident response team comprising of a computer forensic specialist. The company aims to determine which employee is responsible, examining data recovered from the employee hard disk, build evidence against such employee which might eventually lead to their dismissal.

24

AIM AND OBJECTIVES The purpose of Computer Forensics is to preserve, identify, extraction, document and interpret computer data that are located on offending machines.

Academic Objectives 1) To locate and isolate offending machine(s) 2) To conduct computer forensics examination of the computer system using necessary

tools and technology. 3) To analyse the data gathered to determine where the materials came from, how often it

has been going on. 4) To prevent evidence from being contaminated. 5) To produce a report detailing every activity and action carried out on the offending

machine.

Personal objectives To have a better understanding of computer forensics methodologies To improve my problem solving and communication skills To conclude my project within the allocated time required To develop my project management skills.

25

RISKS There are several risks that I foresee might hinder the progress of my project and they include: Loss of data as a result of damage or loss to memory stick Availability of credible resources Lack of experience in the subject area.

CONTINGENCIES Backing up all my data on multiple storage devices. Work fast so that there is enough time to rectify any mishap.

LIMITATIONS Time: Being able to divide my time between my project and other module as well as my paid employment. Cost of Tools/Software: Computer Forensic software can be very expensive so i have decided to use the trial version of the software required to achieve my goals Availability of credible resources: There are limited materials regarding computer forensics in the school library.

26

27

A Brief Description of the hard drive recovered/Given The hard drive retrieved is the Maxtor’s D740X-6L 20GB AT hard disk. This hard disk is part of the family of high performance 1-inch high hard drive. This hard drive uses a nonremovable 3 ½-inch hard disks available with ATA interface. The Maxtor D740X-6L 20GB AT hard disk possess an embedded hard disk drive controllers and uses ATA commands to optimise system performance. General characteristics Manufacturer:

Maxtor Corporation

Model:

D740X6L (20GB)

Interface:

EIDE/UltraATA/133

Capacity:

20GB

Total LBAs:

40,132,503

Height:

1.028" (26.10mm) max

Width:

4.00 ± 0.01" (101.6 ± 0.25mm)

Depth:

5.786" (147mm) max

Weight:

<1.4lbs. (635grm)

Performance Rotational speed:

7200RPM

Average Rotational Latency:

4.17ms

Spin-up time to Ready (typical)

12.5Sec

28

Activity

Specification

Track-to-Track

0.8ms

Average Random Read

8.5ms

Average Random Write

10.5ms

Full Stroke

17.8ms

Cache (Total):

2MB

Interface transfer rate (Max)

133MB/Sec Burst

Interleave Factor:

1:1

Internal Characteristics Number of Heads:

1

Number of Disks:

1

Track Density:

60,000 tracks per inch

Total sector:

40,132,503

Byte per sector:

512

Electrical Nominal Voltage:

+5Vdc/ +12Vdc

Voltage Margin:

+5Vdc @ ± 5%, +12vdc @ ± 10%

Environmental Operating Temperature:

5 to 55 Degrees centigrade

Operating Humidity:

10 to 85% RH (non-condensing)

Non-Operating Temperature:

-40 to 65 Degrees Centigrade

Non-Operating Humidity:

5 to 95% RH (non-condensing)

29

Power Dissipation Operating Mode

Power (Watts)

Start-up (Peak)

23.9 Watts

Maximum Seeking

11.6Watts

Read/Write on Tracks

7.1Watts

Idle

6.5Watts

Standby

1.0Watt

Sleep

1.0Watt

Fig1: A diagram of the Maxtor D740X-6L 20GB AT hard drive

30

Fig2: A diagram showing the drive power and interface connector of the hard drive.

Fig3: Show the jumper locations on the hard drive

31

The Maxtor’s D740X-6L 20GB AT hard disk has three jumper location which is used to configure the master or slave operation.

Fig4: Picture of the Maxtor’s D740X-6L 20GB AT hard disk

32

GANTT CHART

FIG1: Gantt chart showing how I intend to implement my task

33

WORK BREAKDOWN STRUCTURE

COMPUTER FORENSICS

To investigate the current and future state of computer forensics

Current state of computer forensics

To identify and explain various tools and technology employed in computer forensics and ways of recovering and analysing data to produce indisputable evidence

Future of computer forensics

Tools available in the market and Specialist tools

Explaining the tools and technology employed in computer forensics

Technology employed in computer forensic

Applying computer forensic skills in the recovering of lost data

Ways to recover and analyse data to produce indisputable evidence

Ways to recover lost data

Ways of analysing data to produce indisputable evidence

Examining a recovered hard disk for lost data. Using necessary tools and technology to extract lost data. Analyse recovered data. Production of report that can be allowed in legal proceedings. 34

INDICATIVE FINAL YEAR PROJECT Acknowledgement Abstract Introduction Literature review Current state and future direction of computer Forensics Software deployed in Computer Forensics Case study/Scenario How to capture and analyse data Production of Report Conclusion Recommendation Bibliography Appendix

35

REFERENCE AND BIBLIOGRAPHY BOOKS 

“2003 Computer Crime and Security Survey,” Federal Bureau of Investigation, J. Edgar Hanover Building, 935 Pennsylvania Ave. NW, Washington, D.C. 20535-0001, 2003.



John R. Vacca (2005) Computer Forensics: Computer Crime Scene Investigation 2nd Ed. Charles River Media. Massachusetts (USA)



Casey Eoghan (2002) Handbook of Computer Crime Investigation: Forensic Tool and Technology. 1st Ed Academic Press Amsterdam (Netherlands)



Casey Eoghan (2004) Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet. 2nd Ed. Academic Press. California (USA)



Sammes, T., Sammes, A.J and Jenkinson, B (2000) Forensic Computing: A Practitioner’s Guide(Practitioner Series), 1st Ed. Springer-Verlag

36

WEBSITES http://www.comouterforensicworld.com/ http://support.dell.com/support/edocs/storage/7j376/intro.htm http://www.forensic-computers.com/index.php http://www.digitalintelligence.com/products/forensic_duplicator/ http://www.logicube.com/products/hd_duplication/talon.asp# (http://www.forensics-intl.com/getslack.html) (http://www.forensics-intl.com/iextract.html) (http://www.forensics-intl.com/getgif.html) (http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B6V8G-4BJWYVJ1&_user=983321&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000044920& _version=1&_urlVersion=0&_userid=983321&md5=defaa524a1b6df68ad9b4e2612b78310) (http://delivery.acm.org/10.1145/1070000/1060428/p143-francia.pdf? key1=1060428&key2=2510398221&coll=GUIDE&dl=GUIDE&CFID=14665516&CFTOKE N=83314542) http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B6V8G-4BJWYVJ1&_user=983321&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000044920& _version=1&_urlVersion=0&_userid=983321&md5=defaa524a1b6df68ad9b4e2612b78310

37

38