Computer Forensics:
Data Collection, Analysis and Preservation
Kikunda Eric Kajangu, Cher Vue, and John Mottola
ITIS-3200-001
Computer Forensics defined:
The use of analytical and investigative techniques to identify, collect, examine and preserve evidence or information that is stored or encoded on magnetic or other digital media.
Industry companies interested in computer forensics

• Guidance Software (http://www.guidancesoftware.com)
  ◦ Creators of the popular GUI-based forensic tool EnCase.

• Digital Intelligence, Inc. (http://www.digitalintel.com/)
  ◦ Designs and builds computer forensic software and hardware, and offers free forensic utility software to law enforcement.

• IVIZE Data Center (http://www.ivize.net)
  ◦ Provides several litigation support services, including Electronic Data Discovery.
Three main concepts
• Data collection
• Data analysis
• Data preservation
Data Collection

• Research challenges
  ◦ Gathering data
    - Ensuring the data is relevant and complete
    - Obtaining volatile data (memory contents, running processes, network connections), which is lost once the machine is powered off
    - Obtaining deleted and changed files
  ◦ Lack of trained professionals
    - Computer forensics is a relatively new field
    - Risk that system administrators, acting without forensic training, alter or destroy evidence before an examiner sees it
    - No standards
Data Collection

• Evolution of data collection
  ◦ Mid 1980s
    - X-Tree Gold and Norton Disk Edit
    - Limited to recovering lost or deleted files
  ◦ 1990s
    - Specialized tools began to appear
    - Tools to perform network investigations
  ◦ 1999
    - Boot from floppy and write the evidence to alternative media
    - Very slow transfer rate (about 1 GB/hr)
  ◦ Current
    - Many tools to choose from
    - GUI and command-line tools are available
    - Fast and efficient
Data Analysis
The main problem in electronic data analysis is not only the volume of data, which easily becomes very large, but also the number of different applications associated with the files, each with its own format.
• Electronic Data Discovery:
  - e-mail, Microsoft Office files, accounting databases, ...
  - other electronically stored information that could be relevant evidence in a lawsuit.

Tools to analyze electronic data in computer forensics:
  ◦ Needle Finder: a .NET application used together with a SQL database to process hundreds of file types and e-mails simultaneously and pinpoint the pertinent, requested information for analysis.
  ◦ E-Discovery
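The "many file types into one SQL database, then search" approach described for Needle Finder, shown as an added example that is neither the slides' code nor that product's. It walks a directory of collected files, extracts text from a few formats (plain text, CSV, RFC 822 e-mail), records a hash for every file whether or not its type is understood, stores the result in SQLite, and runs keyword searches with the term bound as a parameter. The sample files it builds in a temporary directory are constructed for the demonstration.

```python
"""Evidence indexer: walk collected files, extract text by file type, store it
in SQLite, and answer keyword searches. Added example in the spirit of the
Needle Finder description above; it is not the slides' or that product's code."""
import email
import hashlib
import os
import sqlite3
import tempfile
from email import policy


def sha256_file(path):
    """Hash the file in chunks so large evidence files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def extract_text(path):
    """Return (kind, text). Only a few formats are handled here; any other file
    is still recorded (with its hash) so the index stays complete."""
    ext = os.path.splitext(path)[1].lower()
    if ext in (".txt", ".csv", ".log"):
        with open(path, "r", encoding="utf-8", errors="replace") as f:
            return ext[1:], f.read()
    if ext == ".eml":
        with open(path, "rb") as f:
            msg = email.message_from_binary_file(f, policy=policy.default)
        body = msg.get_body(preferencelist=("plain",))
        text = body.get_content() if body is not None else ""
        headers = "\n".join(f"{k}: {v}" for k, v in msg.items())
        return "eml", headers + "\n" + text
    return ext[1:] or "unknown", ""


def build_index(root, db_path=":memory:"):
    """Index every file under root into one table, one row per file."""
    conn = sqlite3.connect(db_path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS files (path TEXT PRIMARY KEY, kind TEXT, "
        "size INTEGER, sha256 TEXT, content TEXT)"
    )
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            kind, text = extract_text(full)
            conn.execute(
                "INSERT OR REPLACE INTO files VALUES (?, ?, ?, ?, ?)",
                (os.path.relpath(full, root), kind, os.path.getsize(full),
                 sha256_file(full), text),
            )
    conn.commit()
    return conn


def search(conn, term):
    """Case-insensitive keyword search returning (path, kind, snippet) tuples.
    The term is bound as a parameter and LIKE wildcards in it are escaped,
    so the search text is never spliced into the SQL."""
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    rows = conn.execute(
        "SELECT path, kind, content FROM files WHERE content LIKE ? ESCAPE '\\' "
        "ORDER BY path",
        ("%" + escaped + "%",),
    ).fetchall()
    hits = []
    for path, kind, content in rows:
        i = content.lower().find(term.lower())
        snippet = content[max(0, i - 20): i + len(term) + 20].replace("\n", " ")
        hits.append((path, kind, snippet.strip()))
    return hits


def make_sample_evidence():
    """Constructed sample files standing in for a collected file set."""
    root = tempfile.mkdtemp(prefix="evidence_")
    os.makedirs(os.path.join(root, "mail"))
    files = {
        "notes.txt": "Meeting notes. Invoice 4471 was paid twice; ask accounting.\n",
        "ledger.csv": "id,amount\n4470,100\n4472,250\n",
        os.path.join("mail", "msg1.eml"):
            "From: alice@example.test\nTo: bob@example.test\nSubject: invoice\n\n"
            "Bob, please delete invoice 4471 before the audit.\n",
    }
    for name, text in files.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as f:
            f.write(text)
    with open(os.path.join(root, "photo.bin"), "wb") as f:
        f.write(b"\x89PNG\x00\x01")  # unsupported type: hashed, name indexed only
    return root


def demo(term="invoice"):
    conn = build_index(make_sample_evidence())
    return search(conn, term)


if __name__ == "__main__":
    for path, kind, snippet in demo():
        print(f"{path} [{kind}]: ...{snippet}...")
```

Each row keeps the file's SHA-256 alongside its extracted text, so a hit can later be tied back to the exact file that was collected; adding a new file type means adding one branch to extract_text, which is the kind of per-application handling the slide identifies as the hard part.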
Data Preservation
Data should never be analyzed on the same machine it was collected from.
• Forensically sound copies of all data storage devices, primarily hard drives, must be made.
• There are two goals when making an image:
  ◦ Completeness: every sector of the device is captured, including unallocated and slack space, not just the files the operating system shows.
  ◦ Accuracy: the image is a bit-for-bit copy of the source, demonstrated by hashing the source as it is read and the finished image, and comparing the two values.

This is done with a standalone hard-drive duplicator or software imaging tools such as dcfldd or IXimager. In either case the source should be attached through a write blocker, so that the acquisition itself cannot alter the evidence.
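The two imaging goals above, completeness and accuracy, carried out in code as an added example; it is not the slides' code and not dcfldd or IXimager. A constructed SimulatedDevice stands in for a raw device handle and has one unreadable block, so the example also shows the failure mode a real acquisition has to handle: the bad block is zero-filled at its original offset and logged (the behaviour of dd or dcfldd with conv=noerror,sync) rather than silently shortening the image, and the bytes are hashed as read and again from the finished image. verify_image re-hashes the image later, for instance before analysis on a different machine.

```python
"""Block-by-block acquisition of a device into an image file with hash
verification. Added example for the completeness and accuracy goals above; it
is not the slides' code nor dcfldd/IXimager. SimulatedDevice is a constructed
stand-in for a raw device handle."""
import hashlib
import json
import os
import tempfile


class BadBlockError(IOError):
    """Raised by the simulated device for an unreadable sector."""


class SimulatedDevice:
    """Byte string pretending to be a raw device; reads inside any block index
    listed in bad_blocks fail, as a damaged sector would. With a real device
    this would be open('/dev/sdX', 'rb') behind a write blocker."""

    def __init__(self, data, bad_blocks=(), block_size=4096):
        self.data, self.bad, self.bs, self.pos = data, set(bad_blocks), block_size, 0

    def seek(self, offset, whence=os.SEEK_SET):
        base = {os.SEEK_SET: 0, os.SEEK_CUR: self.pos, os.SEEK_END: len(self.data)}[whence]
        self.pos = base + offset
        return self.pos

    def read(self, n):
        if self.pos // self.bs in self.bad:
            raise BadBlockError(f"I/O error at offset {self.pos}")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk


def file_sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(dev, image_path, block_size=4096):
    """Copy dev into image_path and return an acquisition log.
    Completeness: every block is attempted, and an unreadable block is written
    as zeros of the same length (dd/dcfldd conv=noerror,sync behaviour) so
    later offsets in the image still line up with the device.
    Accuracy: bytes are hashed as they are read, the finished image is hashed
    again, and the two values are compared."""
    size = dev.seek(0, os.SEEK_END)
    dev.seek(0)
    acq_hash = hashlib.sha256()
    bad_blocks = []
    with open(image_path, "wb") as img:
        for offset in range(0, size, block_size):
            n = min(block_size, size - offset)
            dev.seek(offset)
            try:
                chunk = dev.read(n)
            except IOError as exc:
                bad_blocks.append({"offset": offset, "length": n, "error": str(exc)})
                chunk = b"\x00" * n
            if len(chunk) != n:
                raise IOError(f"short read at offset {offset}: {len(chunk)} of {n} bytes")
            img.write(chunk)
            acq_hash.update(chunk)
    acquired = acq_hash.hexdigest()
    image = file_sha256(image_path)
    return {
        "image": image_path, "size": size, "block_size": block_size,
        "bad_blocks": bad_blocks, "acquisition_sha256": acquired,
        "image_sha256": image, "verified": acquired == image,
    }


def verify_image(image_path, expected_sha256):
    """Re-hash before analysis on another machine; a single changed bit fails."""
    return file_sha256(image_path) == expected_sha256


def demo():
    """Constructed 48 KiB device with block 5 unreadable."""
    data = bytes((i * 7 + 3) % 256 for i in range(12 * 4096))
    dev = SimulatedDevice(data, bad_blocks={5})
    image_path = os.path.join(tempfile.mkdtemp(prefix="acq_"), "disk.dd")
    log = acquire(dev, image_path)
    with open(image_path + ".json", "w") as f:  # keep the hash log with the image
        json.dump(log, f, indent=2)
    return data, log


if __name__ == "__main__":
    _, log = demo()
    print(json.dumps(log, indent=2))
```

The hash written to the log is the hash of the stream as acquired (zeros included), which is what dcfldd's hash output records too; with a bad sector the true device hash cannot be known, so the bad-block list is part of the evidence record and must travel with the image.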
Research Challenges: What are the essential problems in this field?
• Training
• Operational Standards
• International Standardization
Training
• Law enforcement personnel should be trained to handle digital evidence.
• Network operators should also be trained, to improve their intrusion detection abilities.
• Lawyers should receive some training to give them a basic understanding of computer evidence.
Operational Standards

• Basic guidelines for the evidence collection process need to be established:
  ◦ Planning
  ◦ Recording
  ◦ Performance
  ◦ Monitoring
  ◦ Recording
  ◦ Reporting
International Standardization
• Different countries each have their own methods, standards, and laws.
• What is acceptable evidence in one country may not be in another.
• This is a serious problem when dealing with international crimes, as computer crime often is.
Conclusions and future work
• Even though it is a fascinating field, due to the nature of computers far more information is available than there is time to analyze.
• The main emphasis of future work is on recovery of data.
• To improve ways to:
  ◦ Identify the evidence
  ◦ Determine how to preserve the evidence
  ◦ Extract, process, and interpret the evidence
  ◦ Ensure that the evidence is acceptable in a court of law
Works Cited

"5 Common Mistakes in Computer Forensics." Online Security. 25 June 2003. 14 Nov.-Dec. 2007 <http://www.onlinesecurity.com/forum/article279.php>.
"Computer Forensics." Digitalintelligence. 2007. 20 Oct. 2007 <http://www.digitalintel.com/>.
"Computer Forensics." Disklabs. 2004. 15 Oct. 2007 <http://www.disklabs.com/computer-forensics.asp>.
"Computer Forensics." Techtarget. 16 Dec. 2003. 25 Oct. 2007 <http://labmice.techtarget.com/security/forensics.htm>.
"Computer Forensics." Wikipedia. 26 Nov. 2007. 28 Nov. 2007 <http://en.wikipedia.org/wiki/Computer_forensics>.
Dearsley, Tony. "United States: Computer Forensics." Mondaq. 14 June 2007. 22 Oct. 2007 <http://www.mondaq.com/article.asp?articleid=48322>.
Garner, George M. "Forensic Acquisition Utilities." Gmgsystemsinc. 2007. 11 Nov. 2007 <http://www.gmgsystemsinc.com/fau/>.
"International High Technology." Htcia. 2007. 28 Oct. 2007 <http://htcia.org/>.
"Computer Forensics: A Critical Need in Computer Science Programs." <http://www.scribd.com/doc/131838/COMPUTER-FORENSICS-A-CRITICALNEED-IN-COMPUTER>
"Computer Forensics Laboratory and Tools." <http://www.scribd.com/doc/136793/COMPUTER-FORENSICS-LABORATORYAND-TOOLs>
Ispirian. "Following Procedure." Hgexperts. 2007. 01 Nov. 2007 <http://www.hgexperts.com/hg/article.asp?id=4804>.
Monica. "A Community of Computer Forensics Professionals." Computerforensicsworld. 26 Aug. 2007. 09 Nov. 2007 <http://www.computerforensicsworld.com/>.
Morris, Jamie. "Computer Forensics Tools." Ezinearticles. 27 Oct. 2006. 28 Oct. 2007 <http://ezinearticles.com/?Computer-Forensics-Tools&id=340154>.
Reuscher, Dori. "How to Become a Cyber-Investigator." About. 2007. 16 Nov. 2007 <http://certification.about.com/cs/securitycerts/a/compforensics.htm>.
Robinson, Judd. "An Explanation of Computer Forensics." Computerforensics. 2007. 26 Oct. 2007 <http://computerforensics.net/forensics.htm>.
Swartz, Jon. "Cybercrime Spurs College Courses in Digital Forensics." Usatoday. 06 June 2006. 14 Nov. 2007 <http://www.usatoday.com/tech/news/techinnovations/2006-06-05-digitalforensics_x.htm>.
LaBancz, Melissa. "Expert vs. Expertise: Computer Forensics and the Alternative OS." <http://www.linuxsecurity.com/content/view/117371/171>
"Computer Forensics: Past, Present and Future." <http://www.scm.uws.edu.au/compsci/computerforensics/Publications/Computer_Forensics_Past_Present_Future.pdf>