Computer Crimes
Computer forensics is an area of science that deals with computer crimes such as illegal computer hacking, the forging of software, creating viruses, fraud, embezzlement and child pornography. Computer crime does not only involve desktop computers and laptops; it also covers anything that contains chips able to store and process data, such as mobile phones, video recorders, cameras and fax machines. The majority of computer crimes committed concern home PCs.
File Deletion
Some criminals believe that deleting a file means that it is gone forever. However, deletion does not remove the file from the disc; it merely marks the file's directory entry as deleted (in effect renaming it) so that the file is hidden from the user. On a hard disk, deleting a file from the drive, and even emptying the recycle bin afterwards, still leaves a chance of recovery. When the file is deleted, the area of space it previously occupied is simply marked as 'deleted'; until new data is stored there and the area is overwritten, the original file stays on the hard drive. More advanced criminals are aware that deletion works this way and prefer other methods of hiding files, such as encryption and secure-deletion programs, to ensure that their incriminating data stays hidden.
*The quick erase functions of CD-writing programs do not fully erase the disc either; the data physically remains on the CD. Photo courtesy of www.imageafter.com.
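To make the mechanism above concrete, here is an added example in Python (not from the original page): a toy disk where deletion only flags the directory entry, so the bytes stay recoverable until a new file reuses the space, while a secure-delete routine overwrites them first. The disk size and file contents are constructed.

```python
# Added example, not from the original page: a toy disk that models how deleting
# a file only flags its directory entry, leaving the bytes in place until they
# are overwritten, and how a secure-delete tool differs. Sizes are constructed.
DISK_SIZE = 64   # constructed: a 64-byte "disk" divided into 8-byte blocks
BLOCK = 8


class ToyDisk:
    def __init__(self):
        self.data = bytearray(DISK_SIZE)
        self.entries = []   # directory: {name, start, length, deleted}

    def _free_start(self, length):
        """First block-aligned offset whose range is not used by a live file.
        Space belonging to deleted entries counts as free, so it gets reused."""
        used = set()
        for e in self.entries:
            if not e["deleted"]:
                used.update(range(e["start"], e["start"] + e["length"]))
        for start in range(0, DISK_SIZE - length + 1, BLOCK):
            if not any(off in used for off in range(start, start + length)):
                return start
        raise OSError("disk full")

    def write(self, name, content):
        start = self._free_start(len(content))
        self.data[start:start + len(content)] = content
        self.entries.append({"name": name, "start": start,
                             "length": len(content), "deleted": False})

    def delete(self, name):
        """Ordinary deletion: flip the flag, touch none of the file's bytes."""
        for e in self.entries:
            if e["name"] == name and not e["deleted"]:
                e["deleted"] = True

    def secure_delete(self, name):
        """Overwrite the bytes first, then flag the entry."""
        for e in self.entries:
            if e["name"] == name and not e["deleted"]:
                self.data[e["start"]:e["start"] + e["length"]] = bytes(e["length"])
                e["deleted"] = True

    def recover(self, name):
        """What an examiner reads back for a deleted entry: the original bytes,
        or whatever has since been written over that space."""
        for e in self.entries:
            if e["name"] == name and e["deleted"]:
                return bytes(self.data[e["start"]:e["start"] + e["length"]])
        return None
```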
In the RAM
Computer systems contain memory to speed up the running of programs. Storing data in random access memory (RAM) makes programs respond more quickly, as more memory is available to them. The operating system keeps the RAM busy: it constantly swaps seldom-used data out of RAM onto the hard disk, which is much slower but has a much higher storage capacity. This process creates a file called a 'swap file', and even if a file has been completely deleted, it may still exist inside the swap file. It does not remain there forever: each time the computer is turned on and used, new data replaces some of the old data in the swap file and everything is moved around. This evidence can be invaluable.
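An added example, not part of the original page: carving readable fragments from a constructed swap image in which one page still holds a deleted document and another has been partly overwritten by newer data, as the text describes. The page size and contents are constructed.

```python
# Added example (not from the original page): carve readable fragments out of a
# constructed swap image, the way an examiner looks for remnants of paged-out data.
import re

PAGE = 64   # constructed page size so the sample stays small (real pages are 4 KiB)


def build_sample_swap():
    """Constructed swap image: page 0 is junk, page 1 holds a copy of a deleted
    document, page 2 held the same document but was partly reused by newer data."""
    old_doc = b"Meeting notes: transfer funds to account 12345 on Friday"
    page1 = old_doc.ljust(PAGE, b"\x00")
    page2 = bytearray(old_doc.ljust(PAGE, b"\x00"))
    page2[:24] = b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16   # newer data overwrote the start
    return bytes(b"\xff" * PAGE) + page1 + bytes(page2)


def carve_strings(image, min_len=8):
    """Return (offset, text) for every run of printable ASCII at least min_len long."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(image)]


def find_fragments(image, keyword):
    """Carved strings that mention the keyword, with the offset they were found at."""
    return [(off, text) for off, text in carve_strings(image) if keyword in text]
```

The second hit shows the partially overwritten page: the start of the document is gone, but the tail survives at a later offset.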
Finding Without Loss
Because swap files are altered each time the computer is switched on, they present investigators with a problem: evidence on a computer's hard drive may be erased when the machine is switched on for investigation. Forensic scientists have overcome this with a simple solution, using equipment that copies the computer's entire contents without turning the machine on. Investigators then examine all of the information on the copy, with no risk of destroying the data. This method also guards against accusations of evidence tampering, and it allows personnel such as lawyers to access the evidence and attempt their own analysis of the RAM for verification.
*As long as the evidence within a computer is properly preserved, it can tell a lot. Photo courtesy of www.imageafter.com.
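An added example (not the page's own procedure): acquiring an image of a device file without ever opening it for writing, then verifying source and copy with SHA-256 so that analysis happens only on the verified copy. The device contents are constructed, and `acquire_image` stands in for a hardware write-blocker plus an imaging tool.

```python
# Added example (not from the original page): image a "device" file read-only,
# hash source and copy, and re-verify the copy before working on it.
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(device_path, image_path):
    """Copy the device chunk by chunk; the source is only ever opened O_RDONLY.
    Returns (source hash, image hash) and fails if they differ."""
    fd = os.open(device_path, os.O_RDONLY)
    try:
        with open(image_path, "wb") as out:
            while True:
                chunk = os.read(fd, CHUNK)
                if not chunk:
                    break
                out.write(chunk)
    finally:
        os.close(fd)
    src_hash, img_hash = sha256_of(device_path), sha256_of(image_path)
    if src_hash != img_hash:
        raise RuntimeError("image does not match source; acquisition failed")
    return src_hash, img_hash


def verify_image(image_path, expected_hash):
    """Re-check before each analysis session that the working copy is untouched."""
    return sha256_of(image_path) == expected_hash


def demo():
    """Constructed 'device': two fake 512-byte sectors in a temp file."""
    tmp = tempfile.mkdtemp()
    dev, img = os.path.join(tmp, "device.bin"), os.path.join(tmp, "device.dd")
    with open(dev, "wb") as f:
        f.write(b"MBR".ljust(512, b"\x00") + b"deleted report draft".ljust(512, b"\x00"))
    before = sha256_of(dev)
    src_hash, _ = acquire_image(dev, img)
    ok_source, ok_copy = before == src_hash, verify_image(img, src_hash)
    with open(img, "ab") as f:   # simulate someone altering the working copy
        f.write(b"x")
    return ok_source, ok_copy, verify_image(img, src_hash)
```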
Encryption
Because almost anybody can access data once it has been sent over the internet, computer users often encrypt it using a form of code. The study of cryptography has produced two main systems of encoding used by computers: asymmetric encryption (also known as public-key encryption) and symmetric encryption.
Symmetric Encryption
Just as there is a key to lock and unlock a door, there is a key (or code) to encode and decode a message. Symmetric encryption uses one key to encode the message and the same key to decipher it. This means that both the computer sending the message and the computer receiving it must have a copy of the same key, hence the term 'symmetric' encryption.
Public Key Encryption
The asymmetric (public key) encryption system uses two different keys: one to encode the message and another to decode it. The key used to encode the message is the public key, while the key used to decrypt it is the private key, known only to the recipient. Only the private key corresponding to a given public key can decipher the data.
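An added example covering both the symmetric and public key sections above (not code from the original page): a symmetric routine where one shared key both encrypts and decrypts, and a textbook RSA pair built from constructed toy primes (p = 61, q = 53) where the public key encrypts and only the private key decrypts. The HMAC-based keystream stands in for a real cipher such as AES, and the RSA keys are far too small for real use.

```python
# Added example (not from the original page): the two systems in simplified form.
import hashlib
import hmac


def symmetric_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a keystream derived from (key, nonce, counter). The same call
    decrypts, so sender and receiver must both hold the same key. The keystream
    comes from HMAC-SHA256 here as a stand-in for a real cipher such as AES."""
    out = bytearray()
    for counter in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[counter * 32:(counter + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


# Toy RSA key pair from constructed primes; far too small for real use.
P, Q = 61, 53
N = P * Q                            # 3233, shared by both keys
E = 17                               # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, 2753
PUBLIC_KEY, PRIVATE_KEY = (E, N), (D, N)


def rsa_apply(key, values):
    """Raise each value to the key's exponent modulo N."""
    exp, mod = key
    return [pow(v, exp, mod) for v in values]


def public_key_encrypt(public_key, message: bytes):
    """Anyone holding the public key can encrypt; each byte is below N here."""
    return rsa_apply(public_key, message)


def private_key_decrypt(private_key, ciphertext):
    """Only the matching private key turns the numbers back into the message."""
    return bytes(rsa_apply(private_key, ciphertext))
```

Applying the public key a second time to the ciphertext does not recover the message, which is the point the section makes about needing the corresponding private key.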
The Decryption Process
Unfortunately, there is no single method of decryption that forensic scientists can apply in computer forensics. Particularly when data is encoded using public key encryption, identifying the type of public key used and finding clues to its corresponding private key depends largely on luck: on that information having been stored on a separate disc or recorded in some way, for example on the hard drive of the computer used for the encryption. Experience and time both pay off during a decryption process, which will vary according to the effectiveness and security of the encryption code.