Introduction to Computer Forensics
What is "Computer Forensics"?

Computer Forensics (CF) is obtaining digital evidence
  » Analogue evidence is usually not considered here: use "ordinary" forensics to gather/evaluate it
    – Analogue computers are almost non-existent today!
This may come from running systems or parts of them
  » Hard disks, flash drives, PDAs, mobile phones, telephones, copiers, "pads" etc.
Can be evidence for computer crimes (computer fraud, hacking, …) or any other crime (documents with plans for X), or serve various other uses
One indispensable issue is "data integrity"
  » Data is easily changeable: evidence is usable in proceedings if and only if it is ensured that it has not been changed!
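As an added illustration of the data-integrity requirement (example code written for these notes, not part of the original lecture), the following Python script records a hash manifest for acquired evidence items and later re-verifies it, so that any change to an item is detected. The evidence file, the examiner name and the manifest layout are constructed for the example.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB pieces so a large disk image need not fit in memory


def hash_file(path, algorithm="sha256"):
    """Return the hex digest of a file, read in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(paths, examiner):
    """Record size and hash of every acquired item, plus who acquired it and when."""
    return {
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "items": [{"path": p, "size": os.path.getsize(p), "sha256": hash_file(p)} for p in paths],
    }


def verify_manifest(manifest):
    """Re-hash every item; return (path, status) pairs, status in {'ok', 'modified', 'missing'}."""
    results = []
    for item in manifest["items"]:
        p = item["path"]
        if not os.path.exists(p):
            results.append((p, "missing"))
        elif hash_file(p) != item["sha256"]:
            results.append((p, "modified"))
        else:
            results.append((p, "ok"))
    return results


def demo():
    """Constructed scenario: one item is acquired and hashed, then a single byte is altered."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "evidence.img")  # constructed stand-in for a disk image
    with open(image, "wb") as f:
        f.write(b"MBR\x00" * 256)
    manifest = make_manifest([image], "examiner-01")  # constructed examiner name
    before = verify_manifest(manifest)[0][1]
    with open(image, "r+b") as f:  # one changed byte is enough to invalidate the item
        f.write(b"X")
    after = verify_manifest(manifest)[0][1]
    return before, after
```

In practice the manifest is stored separately from the evidence (and itself signed or hashed), so the verification at trial does not depend on the copy the examiner could have altered.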
What is "Computer Forensics"? (other definitions)

"Analytical techniques to identify, collect, preserve and examine evidence/information which is magnetically stored or encoded"
  » Problem: "magnetically". What about flash disks or running systems?
  » Better: "in computerized systems and their parts"
"We define computer forensics as the discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law."
  » Focus on legal proceedings; there are many other uses as well!
    – Note that this is almost the "highest" form: if evidence is sufficient for criminal proceedings, it can be used for everything else as well!
"A technological, systematic inspection of the computer system and its contents for evidence or supportive evidence of a crime or other computer use that is being inspected."
What is "Computer Forensics"? (the main elements)

Has something happened at all?
  » Random effect, bugs, …
When did it happen?
  » How long did the attacker have access to our files?
What has happened and what are the effects?
  » What are the results of the intrusion/… and what is their direct and indirect "cost"?
Who was responsible for it?
  » Can we identify an IP address or a person?
How did they do it?
  » So we can block this in the future
Why were we attacked?
  » Just "some computer" or a deliberate attack; damage/gain; …
Generally: uncovering what really occurred