Sunday, 18 March 2012

IT Forensics

Current computer technology can be used as a tool by the perpetrators of computer crimes: theft, embezzlement and so forth. Evidence derived from computers has appeared in court for almost 30 years. Initially, judges accepted such evidence without distinguishing it from other forms of evidence. But as computer technology advanced, its treatment became confusing.
It is hard to tell whether evidence derived from computers is an original or a copy, because by its very nature the data in a computer is very easy to modify. The process of verifying evidence of a crime has its own criteria, and so does the process of proving evidence obtained from computers.
In the early 1970s the United States Congress began to realize the weakness of existing legislation and sought new solutions to resolve computer crime faster. The U.S. Federal Rules of Evidence of 1976 address the problem. Other laws that address the problem are:

- Economic Espionage Act of 1996, relating to the theft of trade secrets
- The Electronic Communications Privacy Act of 1986, relating to the interception of electronic communications equipment
- The Computer Security Act of 1987 (Public Law 100-235), relating to the security of government computer systems
Definitions of Computer Forensics include:

- The simple definition: using a set of procedures to conduct a thorough examination of a computer system with software and tools to retrieve and preserve evidence of criminal acts.
- According to Robin Judd, a computer forensics expert: "Simply the application of computer investigation and analysis techniques to determine potential legal evidence."
- New Technologies extends Robin Judd's definition: "Computer forensics deals with the preservation, identification, extraction and documentation of computer evidence stored in the form of magnetic information."
- According to Dan Farmer & Wietse Venema: "Obtaining and analyzing data in a way that is as free from distortion as possible, to reconstruct data or what happened at an earlier time on a system."
Procedures in IT Forensics
The commonly used forensic procedure is:
1. Make copies of all log data, files, etc. deemed necessary onto separate media.
2. Fingerprint the data mathematically (compute its hashes).
3. Fingerprint the copies automatically.
4. Make a master list of hashes.
5. Document everything that has been done thoroughly.
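The five steps above, worked through in Python as an added example (this is not code from the original post): copy an evidence tree to separate media, fingerprint originals and copies with MD5 and SHA-256, keep a master list of hashes, re-verify the copy, and write a chain-of-custody record. The evidence files, paths and the examiner name in demo() are constructed placeholders.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Added example (not from the original post). All paths, the "examiner" value
# and the file contents created in demo() are constructed placeholders.

ALGORITHMS = ("md5", "sha256")


def fingerprint(path, chunk_size=1 << 20):
    """Step 2: fingerprint one file mathematically (MD5 and SHA-256), reading
    it in chunks so a multi-gigabyte image never has to fit in memory."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_master_list(root):
    """Step 4: a master list of hashes for every file below root, keyed by the
    path relative to root (with '/' separators) so originals and copies can be
    compared by name."""
    master = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            master[rel] = fingerprint(full)
    return master


def verify_against_master(master, root):
    """Step 3: fingerprint a copy automatically and return the relative paths
    whose hashes differ from (or are missing in) the master list."""
    current = build_master_list(root)
    return sorted(rel for rel, digests in master.items() if current.get(rel) != digests)


def copy_and_verify(source_root, dest_root):
    """Step 1, then 2-4: copy the evidence to separate media (here another
    directory), hash the originals, and check every copy against them."""
    shutil.copytree(source_root, dest_root)
    master = build_master_list(source_root)
    return master, verify_against_master(master, dest_root)


def write_custody_record(master, mismatches, log_path, examiner="EXAMINER-PLACEHOLDER"):
    """Step 5: document what was done, when, by whom, and with which hashes."""
    record = {
        "examiner": examiner,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "algorithms": list(ALGORITHMS),
        "files": master,
        "mismatches": mismatches,
    }
    with open(log_path, "w", encoding="utf-8") as fh:
        json.dump(record, fh, indent=2, sort_keys=True)
    return record


def demo():
    """Run the procedure on a constructed evidence tree and report the outcome
    for a clean copy and for a copy that was altered after fingerprinting."""
    work = tempfile.mkdtemp(prefix="forensic-demo-")
    source = os.path.join(work, "evidence")
    os.makedirs(os.path.join(source, "logs"))
    with open(os.path.join(source, "logs", "auth.log"), "wb") as fh:
        fh.write(b"hello")  # constructed sample content
    with open(os.path.join(source, "notes.txt"), "wb") as fh:
        fh.write(b"constructed evidence file\n")

    copy = os.path.join(work, "copy")
    master, clean_mismatches = copy_and_verify(source, copy)

    # Simulate a copy that was modified after it was fingerprinted.
    with open(os.path.join(copy, "logs", "auth.log"), "wb") as fh:
        fh.write(b"hellp")
    tampered_mismatches = verify_against_master(master, copy)

    record = write_custody_record(master, tampered_mismatches, os.path.join(work, "custody.json"))
    shutil.rmtree(work)
    return {
        "auth_log_md5": master["logs/auth.log"]["md5"],
        "clean_mismatches": clean_mismatches,
        "tampered_mismatches": tampered_mismatches,
        "record_files": len(record["files"]),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two digests are kept per file because a master list with only MD5 is weak against deliberate collisions; the SHA-256 column is what a later reviewer should rely on, while MD5 remains for comparison with older tool output.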
Meanwhile, the Search and Seizure method is:
1. Identify and research the problem.
2. Build a hypothesis.
3. Test the hypothesis conceptually and empirically.
4. Evaluate the hypothesis based on the test results, and retest if the hypothesis is far from what was expected.
5. Evaluate the impact of other hypotheses if the hypothesis is acceptable.
IT Forensic Tools
1. antiword
Antiword is an application used to display the text and graphics of a Microsoft Word document. Antiword only supports documents created by MS Word version 2 and version 6 or later.
2. Autopsy
The Autopsy Forensic Browser is a graphical interface to The Sleuth Kit, a command-line digital investigative analysis tool. Together they can analyze disks and Windows and UNIX filesystems (NTFS, FAT, UFS1/2, Ext2/3).
3. binhash
binhash is a simple program that hashes the various parts of ELF and PE files for comparison. At present it hashes the ELF header segment, the ELF object segment, and the PE object header segment.
4. sigtool
sigtool is a tool for managing the ClamAV signature database. sigtool can be used to generate MD5 checksums, convert data into hexadecimal format, display a list of virus signatures, and build/unpack/test/verify CVD databases and update scripts.
5. ChaosReader
ChaosReader is a freeware tool to trace TCP/UDP/... sessions and retrieve application data from tcpdump logs. It will pull telnet sessions, FTP files, HTTP transfers (HTML, GIF, JPEG, ...), SMTP emails, and so on from captured network traffic logs. An HTML index file is created that links to all the session details, including real-time replay programs for telnet, rlogin, IRC, X11 or VNC sessions, and it produces reports such as image reports and HTTP GET/POST content reports.
6. chkrootkit
chkrootkit is a tool to check locally for signs of a rootkit. It checks whether the main system utilities are infected, and currently checks for about 60 rootkits and their variations.
7. dcfldd
This tool was originally developed at the Department of Defense Computer Forensics Lab (DCFL). Although Nick Harbour is no longer affiliated with DCFL, he still maintains this tool.
8. ddrescue
GNU ddrescue is a data rescue tool. It copies data from one file or block device (hard disk, CD-ROM, etc.) to another, trying hard to rescue the data in case of read errors. Ddrescue does not truncate the output file unless asked to, so every time you run it on the same output file it tries to fill in the gaps.
9. foremost
Foremost is a tool that can be used to recover files based on their header, footer, or internal data structure. It was initially developed by Jesse Kornblum and Kris Kendall of the United States Air Force Office of Special Investigations and The Center for Information Systems Security Studies and Research. Foremost is currently maintained by Nick Mikus, a researcher at the Naval Postgraduate School Center for Information Systems Security Studies and Research.
10. gqview
Gqview is a GTK program for viewing pictures. It supports various image formats, zooming, panning, thumbnails, and image sorting.
11. galleta
Galleta is a tool written by Keith J. Jones to perform forensic analysis of Internet Explorer cookies.
12. lshw
lshw (Hardware Lister) is a small tool that provides detailed information about the hardware configuration of the machine. It can report the exact memory configuration, firmware version, mainboard configuration, CPU version and speed, cache configuration, bus speed, etc. on DMI-capable x86 or EFI systems.
13. Pasco
Many computer crime investigations require reconstructing the suspect's Internet activity. Because this technical analysis is done on a regular basis, Keith probed the structure of the data found in Internet Explorer activity files (index.dat files). Pasco, which is derived from Latin and means "browse", was developed to examine the contents of Internet Explorer cache files. Pasco parses the information in an index.dat file and outputs the results in a delimited format so they can be imported into your favorite spreadsheet program.
14. scalpel
Scalpel is a forensic tool designed to identify, isolate and recover data from computer media during a forensic investigation. Scalpel searches a hard drive, bit-stream image, unallocated file space, or any computer file for specific characteristics, contents or attributes, and generates reports on the location and content of the artifacts found during the electronic search. Scalpel also produces (carves) the artifacts it finds as individual files.
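Both foremost (item 9) and scalpel (item 14) recover files by header and footer signatures. The following Python is an added example of that technique and is not code from either project: it takes a table of (header, footer, maximum size) entries in the spirit of a foremost/scalpel configuration line, scans a raw byte image for each header, carves up to the matching footer within the size limit, and hashes each artifact so the result can go straight into a master list. The sample image and its JPEG/PNG payload bytes are constructed placeholders, not real image data.

```python
import hashlib

# Added example (not foremost's or scalpel's own code): a minimal header/footer
# carver. Each entry is file type -> (header bytes, footer bytes, max carve size).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 20 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 20 * 1024 * 1024),
}


def carve(image, signatures=SIGNATURES):
    """Scan a raw byte image (disk dump, unallocated space, any file) for every
    header in `signatures`, locate the matching footer within the size limit,
    and return the carved artifacts as dicts with offset, length and SHA-256.
    A header with no footer inside the limit (a truncated or overwritten file)
    is skipped rather than carved as garbage."""
    found = []
    for kind, (header, footer, max_size) in signatures.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            window_end = min(len(image), start + max_size)
            end = image.find(footer, start + len(header), window_end)
            if end == -1:
                pos = start + 1  # no footer in range: move past this header
                continue
            end += len(footer)
            data = image[start:end]
            found.append({
                "type": kind,
                "offset": start,
                "length": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
            })
            pos = end  # resume after the carved artifact
    return sorted(found, key=lambda f: f["offset"])


def build_sample_image():
    """Constructed bit-stream image: filler, a fake JPEG, filler, a fake PNG,
    filler. The payload bytes are placeholders, not real image data."""
    jpg = b"\xff\xd8\xff" + b"JFIF-payload" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"chunkdata" + b"IEND\xaeB`\x82"
    return b"\x00" * 64 + jpg + b"\x00" * 32 + png + b"\x00" * 16


if __name__ == "__main__":
    for hit in carve(build_sample_image()):
        print(f"{hit['type']:>4} offset={hit['offset']:<6} length={hit['length']:<6} sha256={hit['sha256']}")
```

Carving by signature alone knows nothing about the filesystem, which is why it also recovers files from unallocated space; the price is that a footer belonging to a different file, or a header that appears inside another file, can produce a false artifact, so carved results are leads to be validated (opened, hashed, compared) rather than proof by themselves.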
