Technology in Computer Forensics

Post on 24-Feb-2016


DESCRIPTION

Technology in Computer Forensics. Alicia Castro, Thesis Defense, Master of Software Engineering, Department of Computer Science, University of Colorado, Colorado Springs. Author: Alicia Castro. Committee Members: Dr. C. Edward Chow, Dr. Jugal K. Kalita. PowerPoint (PPT) presentation.

TRANSCRIPT

Technology in Computer Forensics

Alicia Castro, Thesis Defense

Master of Software Engineering, Department of Computer Science

University of Colorado, Colorado Springs

Author: Alicia Castro

Committee Members: Dr. C. Edward Chow, Dr. Jugal K. Kalita, Dr. Xiaobo Zhou

Computer Forensics Facts

Computer forensics is the investigation of digital evidence related to criminal or suspicious behavior, where the computers and related equipment may or may not themselves be the target of that behavior.

Internet crime has increased 22.3% in 2009 over 2008.

Computer Forensics Background

Digital evidence includes computer-generated records, such as the output of computer programs, and computer-stored records, such as email messages.

It is difficult to attribute a given computer activity to an individual, especially in a multi-access environment where several users share the same machine.

Computer Forensics Legal Issues

Understand the fundamentals of:

Search and seizure laws
Electronic Communications Privacy Act
Wiretap Statute
Pen/Trap Statute
USA PATRIOT Act
State laws about search and seizure

Forensic Investigation (diagram): Accessories to a Crime, Accomplices of a Crime, Suspect

Utilities used with Nica Forensic Tool

IECacheView
MozillaCacheView
ChromeCacheView
IEHV
Outlook Redemption
Microsoft Log Parser

Nica Forensic Tool calls these external tools to parse the cache files of the IE, Mozilla Firefox and Google Chrome browsers, and to open and parse Outlook .pst files.

Nica Forensic Tool functionality

Use the cache parser output and determine which information is valuable.
Collect the cookies and history files of each web browser, plus Skype logs, Instant Messenger logs and Outlook logs.
Store the information in a database.
Display any necessary output.
Design of all GUI displays.

Nica Forensic Tool

Unlike most forensic tools, it finds all the user profiles on the computer, not just the currently logged-on user.

Unlike similar forensic tools, it does not require the investigator to enter the path where the artifacts are stored; Nica Forensic Tool locates the paths for the investigator.

Nica Forensic Tool Design

Case entry form: Case Number, Case Description, Forensic Investigator, Notes.

Run the parser to find entries by activity. Record the timestamp of when the investigation was run, and the time it took to find all the activities.

Timeline Viewer: report by user, date/time and activity.

Finding the Evidence

Selecting the Evidence

Displaying selected suspected activities

Evidence Classification

Inclusion criteria:

More than one activity
Time between activities is less than 15 minutes
Previous history of the web sites visited

Exclusion criteria:

One isolated activity and no previous history
Two or more activities with intervals of more than 15 minutes between each activity
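The timeline report and the inclusion/exclusion criteria above, worked through as an added Python example. This is not code from Nica Forensic Tool or the thesis; the activity records are constructed, the 15-minute threshold is applied strictly (a gap of exactly 15 minutes breaks a run), and the reading that an isolated activity is kept only when the same site already appears earlier in that user's timeline is my assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Activities whose gap is strictly less than 15 minutes are linked into one run.
WINDOW = timedelta(minutes=15)


@dataclass(frozen=True)
class Activity:
    user: str        # Windows profile the artifact was recovered from
    when: datetime   # timestamp parsed from the cache/history/log entry
    source: str      # "ie", "firefox", "chrome", "skype", "outlook", ...
    detail: str      # URL, contact or mailbox item


def site(detail: str) -> str:
    """Lower-cased host of a URL; non-URL details (calls, mail) are returned unchanged."""
    host = urlsplit(detail).netloc
    return host.lower() if host else detail


def cluster(activities):
    """Split one user's activities (sorted by time) into runs whose consecutive gaps are < WINDOW."""
    runs = []
    for act in sorted(activities, key=lambda a: a.when):
        if runs and act.when - runs[-1][-1].when < WINDOW:
            runs[-1].append(act)
        else:
            runs.append([act])
    return runs


def classify(activities):
    """Apply the criteria per user; returns {user: [(run, included, reason), ...]} in time order."""
    by_user = {}
    for act in activities:
        by_user.setdefault(act.user, []).append(act)

    report = {}
    for user, acts in by_user.items():
        seen = set()   # sites this user visited earlier in the timeline (assumed meaning of "previous history")
        rows = []
        for run in cluster(acts):
            if len(run) > 1:
                included = True
                reason = "%d activities within %d min" % (len(run), WINDOW.seconds // 60)
            else:
                included = site(run[0].detail) in seen
                reason = "isolated activity, site seen before" if included else "isolated activity, no previous history"
            rows.append((run, included, reason))
            seen.update(site(a.detail) for a in run)
        report[user] = rows
    return report


def timeline(report):
    """Rows for the timeline viewer: user, date/time, activity and verdict."""
    rows = []
    for user in sorted(report):
        for run, included, reason in report[user]:
            for a in run:
                rows.append("%-6s %s %-8s %-34s %s (%s)" % (
                    user, a.when.isoformat(sep=" "), a.source, a.detail,
                    "INCLUDE" if included else "exclude", reason))
    return rows


# Constructed sample timeline (not real case data).
SAMPLE = [
    Activity("alice", datetime(2010, 3, 1, 9, 2), "ie", "http://example.com/login"),
    Activity("alice", datetime(2010, 3, 1, 9, 10), "chrome", "http://files.example.org/upload"),
    Activity("alice", datetime(2010, 3, 1, 9, 14), "skype", "call:bob"),
    Activity("alice", datetime(2010, 3, 1, 13, 30), "firefox", "http://news.example.net/"),  # isolated, new site
    Activity("alice", datetime(2010, 3, 1, 17, 5), "ie", "http://example.com/logout"),     # isolated, site seen at 09:02
    Activity("bob", datetime(2010, 3, 1, 10, 0), "outlook", "mail:from=carol"),
    Activity("bob", datetime(2010, 3, 1, 10, 40), "chrome", "http://example.com/"),         # 40 min after the mail
]

if __name__ == "__main__":
    for row in timeline(classify(SAMPLE)):
        print(row)
```

With the sample, alice's three activities between 09:02 and 09:14 form one included run, the 13:30 visit to a never-seen site is excluded, and the 17:05 visit is kept only because example.com already occurs in her timeline; bob's two activities are 40 minutes apart, so both are isolated and excluded.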

Nica Forensic Tool Logic Flow Chart

Nica Forensic Tool Implementation

Number of end users: 6 (it can be unlimited).

Effects on the tasks and responsibilities of end users:

The tool is portable, so investigators can carry it with them.
It runs fast enough to be used when a suspect has stepped away from his or her computer for only a few minutes.

It is still a forensic tool: all the legal steps must be followed before running it. Running any tool on a live system also changes that system's state (file access times and other traces of the run), so record when the tool was run, as the case entry form and timestamp in the design provide for.

Nica Forensic Tool Limitations

Forensics can be performed only on computers running the Windows platform.

It is currently set up for the most popular browsers, instant messengers and the Outlook email client, but more can be added easily to the scalable architecture.

Conclusion

Only portable forensic tool that automatically looks for login paths and all user profiles
Captures relevant evidence
Easy to use
Assists investigators in obtaining reliable evidence

References

Please refer to the thesis document: http://cs.uccs.edu/~chow/master/acastro/doc/MasterThesisV6.doc
