Home » Essay Samples » Computer Science Essay Sample: Forensic Computing

Computer Science Essay Sample: Forensic Computing

Forensic Computing
PC Pornography Case Investigation


Tom was arrested for possession and distribution of pornographic material, his flat was raided by the police and materials were seized. Two computers are under investigation, one of which belongs to Tom and the other belongs to his friend Jerry. These computers are running Windows XP and were connected to the Internet through a router.

Jerry protested that he had no knowledge of any illicit activity but that Tom had used his computer to back up the contents of his machine, without him knowing what that was.

Forensic computing technology will be used to gather evidence to help look into the potential prosecution of Tom, proving or disproving Jerry’s assertion of innocence. Any internet sites which might be the subject of further investigation will be identified.

Forensic Computing

Digital Evidence

Digital evidence is specified as any data stored or transferred by a computer that support or refute an idea of how an offense occurred or that address crucial elements of the offense such as intent or alibi. The data referred to in this definition can be any combination of information types such as text, images, audio and video (Casey, E., 2004).

Attorneys and police are encountering increasing amounts of digital evidence in their work. Digital evidence is normally an abstraction of a user’s activities, when a user uses a computer to conduct an activity which generates data remnants, which then give some idea of what occurred.

Computer forensics

Computer forensics involves the collection and analysis of evidence of computer misuse. Computer based crime in general is increasing and comprises: Fraud & identity theft, Theft of money or trade secrets, Storage & distribution of illicit material, Denial of service (DoS) attacks, Email harassment and spam, Dissemination of viruses and Computer-aided traditional crimes.

A malicious user can, physically or through an insecure network, access another person’s computer, in order to steal data or exploit the machine for other purposes. A computer system can be infected with numerous kinds of viruses and worms which can cause the system to breakdown; they can also install Trojan programmes or spyware so that computer users are monitored remotely. To stop or prevent these computer crimes, one must be aware of system or network vulnerabilities and potential threats and then deploy proper security measures.

What can one do if these computer crimes occur? Firstly, one needs to know that legal action can be taken against these malicious users with appropriate and adequate evidence. Also, that change will need to be made immediately to security procedures to prevent a repeat. Legal action will be dependent on the type of incident, including any actual or potential loss and downtime implications. This evidence is gathered through analysis of system logs; file systems and backups and users information, such as users who have logged in and the activities they have executed. Network information can be gained including firewall information, router information and logs, DNS information and monitoring of network traffic. Analysis of this network information helps to find suspicious network activities. Other analysis also involves checking for security related compromised programmes or suspicious scheduled services.

Data has to be collected in a non-intrusive and reliable way. The process should be carried out without interfering with the system or making changes to the system, whilst under witness. Once data including system logs, network logs, registry information or suspicious files and deleted files is collected, the analysis process can take place using proper toolkits which are external to the system.

From a technical standpoint, the main goal of computer forensics is to recognise, collect, sustain, and analyse data so that integrity of the evidence gathered can be maintained and used effectively in a legal case (US-CERT, 2008).

For a typical computer forensics investigation, those who investigate computers have expertise in understanding the evidence they are searching for so as to organise the investigation. Crimes involving a computer include child pornography, unauthorised access to personal data, and destruction of intellectual property. Moreover, the investigator must have the proper technical tools to carry out the investigation. Some files may have been deleted, damaged, comprised or encrypted, and the investigator needs a set of techniques and software to stop further damage in the recovery process.

Analysis Techniques and Toolkits

  • A basic tool is a command line shell running on Windows or UNIX systems.
  • MD5 digests is deployed to check if a transferred or stored file is intact. For instance, file servers often keep a pre-computed MD5 checksum for the files, and a user can compare the checksum of the transferred file with it. Checksums can be used to check the integrity of a disk copy or a file copy, and ensure applications and DLLS are not tampered or altered.
  • Grep searches one or more input files for lines consisting of a match to a particular pattern.
  • There are many commercial forensic toolkits that are available.

Data Collection Regarding Computer Based Pornography Case

Two computers are under investigation. First, we need to prepare for the data collection process, a laptop workstation is set up, and a hard drive is wiped and formatted into NTFS file system. A customary structure is created on this working hard drive. The following is the directory structure:
\Prepare- the root directory to hold files requiring further processing
\Prepare\normal-contains compressed, undeleted files.
\Prepare\slack-contains extracted slack space files.
\Prepare\unallocated-contains deleted and unallocated, encrypted, protected files.
\Final-The root directory to contain the final collected data.

Before data collection, we make precise copies of all hard drives and disks using computer software, date and time stamped on each file which will be used for timeline. A log of all work done by the investigator must be maintained.

Paraben’s Forensic Replicator 4 is a useful tool used to make bit-by-bit forensic images of hard drives, floppy disks, CDs and other electronic media for forensic analysis, backup, drive imaging, or archiving. It acquires, compresses, segments, and restores the imaged media in quick speed.

Data collection involves the following steps:

Discover files:

Identify all the files which contain pornographic images from normal files, deleted files, password protected files, hidden files, encrypted files and cache files. Tools: Paraben’s Forensic Sorter 2.0.1(Shown in Figure-1) helps manage and accelerate the examination of the contents of a hard drive. Forensic Sorter enables one to classify the contents of whole hard drives into categories such as video, audio and spreadsheets, therefore one can easily find the required files. It also filters out common Windows files, recovers deleted files or file fragments in slack, creates log files and sorts un-partitioned and unallocated space.

To look for hidden files with hidden attributes, open Windows Browser, click tools-folder options-view, set Hidden files and folders to Show files and folders. All hidden files will appear. Also cached files such as Windows XP cache and temporary internet files should be checked. Files with a .tmp extension on Windows and files ending ‘.bak’ or ‘~’ can be backup copies of edited Word files.

Searches for keywords such as child abuse or child pornography should be made using Grep. Windows Grep – Advanced searching for Windows. Windows Grep is a useful tool for searching files for text strings that one defines. Although Windows and many other programmes have file searching application built-in, this tool is the most powerful and versatile one.

Through the above activities, any pornographic images or files should have been identified.

Step two: Track websites visited.

In Windows XP, index.dat is a file used by the IE web browser. The index.dat file acts as an active database, which runs when a user is using Windows. It is a depository of redundant data, such as Internet URLs, search contents and newly used files. Its duty is like an index file in a database, where a mechanism named indexing records the contents of a database in a different order to assist query responses. Similarly, when the Auto complete function is enabled in Internet Explorer, any web address visited is sorted in the index.dat file, which allows Internet Explorer to find a proper match when a user types in an edit field. Separate index.dat files exist for Internet Explorer history, cache, and cookies.

Tools: IEHistoryView works by retrieving all information contained in the history file and displaying that in a clear and well-designed graphical manner. This tool displays useful information such as the explicit title of the page, how many visits made to the page, modified, expiration date of this URL and more.

Another tool named Super Winspy 3.3 has even greater capability, the information this tool can extract includes URLs history, Cookies, Recent Documents, Search History, and Index.dat.

NetAnalysis adds comments to URL records which can be used to track user activity and produces an Advanced Evidence Report showing user comments, and has Auto Investigate to recognise suspect sites, search engine criteria, usernames & passwords.

Alternatively, Registry can be used to examine the users’ internet visiting habits. Internet Explorer keeps its data in the HKCU\Software\Microsoft\Internet Explorer key. There are three sub-keys within the Internet Explorer key that are most significant to the forensic examiner. The first is HKCU\Software\Microsoft\ Internet Explorer\Main. This key stores the user’s settings of Internet Explorer. It includes information like search bars, start page, form settings, etc. The second and most crucial key is HKCU\Software\Microsoft\ Internet Explorer\TypedURLs. Figure-2 illustrates the URLS of where the user has visited.

Whatever the tool used, the aim is to find out the users’ internet viewing habits, what websites they usually visits and what the content of these websites is. This data will be kept and analysed. The most visited websites need to be investigated carefully and be recorded as evidences.

Step 3: Analyse Windows Event log files, user activity log. Windows keeps a record of user activities such as log on and log off. In Windows XP, an event is any important occurrence in the system or in a programme that request users to be informed, or an entry added to a log. The Event Log Service stores application, security, and system events in Event Viewer. With the event logs in Event Viewer, one can find information about the hardware, software, and system components, and monitor security events on a local or remote computer. Event log Explorer can help find any system related events and login and logoff information.

Data Analysis

From the collected data, if Tom’s computer has stored a certain number of pornographic images and videos from step 1 and if the results from step2 show that he also has visited improper websites regularly, he will be charged and convicted. If Jerry’s computer only contains these obscene images which he claimed from Tom’s backup folder, we do not successfully track any websites he visited containing pornographic imagery and he does not open or view this folder, neither does he search for any obscene content from websites, the issue won’t be serious. Otherwise, he is not as innocent as he protests.

Legal Aspects of Computer Forensics

Anyone overseeing network security must understand the legal implications of forensic activity. Security professionals should make their policy decisions and take technical action in compliance with existing laws. For example one must have authorisation for monitoring and collecting information regarding a computer intrusion. There are also legal ramifications to deploying security monitoring tools.

Computer forensics is a comparably new area to the courts and many of the existing laws used to prosecute computer-associated crimes, legal precedents, and practices regarding computer forensics are dynamic. New court rulings are issued that impact how computer forensics is executed (Thomas, 2004).

Computer forensics involves basically conducting an autopsy of the computer, deploying special tools and techniques to investigate exactly what activities the computer has undertaken and what data is stored. The evidence gained can then be handed to these who will make the final decision about the crime. This process requires complex data acquisition and analysis rather than simply copying files from a computer. The investigator has to consider issues such as where the data is stored and how the operating system deals with files, etc. Besides technical considerations, they have to be careful with the ways they collect the evidence so that it can be regarded as being untainted and un-tampered with. The investigation tools and usage of these specialised techniques have become well known now.

The Field of computer forensics has become increasingly widespread and its validity in a court of law has increased significantly. The term “computer Forensics” dates back to 1991 at the first training session held by the International Association of Computer Specialists. It represents the application of law in the fields of computing. It handles the preservation, identification, extraction and documentation of computer evidence which can be whole duplicate of hard drives down to individual files.

This field has developed quickly in the last decade while computer based crime has dramatically increased. Organisations are using the techniques not only to investigate computer crimes within a company, but also to prevent potential crimes. Moreover, law enforcement agencies are trying to use computer forensics to attain evidence in crimes which are computer related. Computer forensics is becoming a required technique for law enforcement agencies, government entities, and organisations. The need for personnel with expertise in this area is growing.

A computer forensics investigation must stick to the following points:

  • An examiner is impartial, and his work is to analyse the media and document the findings with no assumption of guilt or innocence.
  • The media deployed in the investigation has to be sterilised.
  • A true image of the original media must be created and used for the analysis.
  • The integrity of the original media must be kept.

Whether an organisation chooses not to deal with any of the technology for legal argumentation internally or whether it is determined to handle it all, it has to make sure to get support from good forensic computing experts. Even organisations with competent in-house legal capability acquire outside law firms to support particular projects or to provide them specific expertise for issues that need additional attention.

Legal View of Computer Based Porn

Computer-based pornography and other images or material have been one of the major computer crimes which require greater regulation of the Internet. Current law, however, already covers dispersion of obscene images over the Internet, or by other types of computer hardware such as disks or CDROMs.

Principle legislation covering computer-enabled obscene publications is:

  • Section 43 of the Telecommunications Act 1984 (OPSI, 1984), which prohibits the sending of obscene material over public telephone networks; and
  • The Protection of Children Act 1978, as amended by the Criminal Justice Act 1988 and the Criminal Justice and Public Order Act 1994, on the creation or possession of child pornography, The Police and Justice Act 2006 included amendments to The Protection of Children Act 1978.

Sentencing can vary between fines, community service and custody to a maximum of 10 years in prison, dependent on the level of the conviction and whether the material has been distributed or only being in possession.

The first piece of UK legislation created to particularly address computer misuse was the Computer Misuse Act 1990. The act was proposed because of growing concern that existing legislation was insufficient for handling hackers. The issue was put into acute relief by the failure to sentence Stephen Gold and Robert Schifreen who attained unauthorised access to BT’s Prestel service in 1984 and were charged under the Forgery and Counterfeiting Act 1981. However, they were acquitted by the Court of Appeal and the acquittal decision was later approved by the House of Lords.

The Computer Misuse Act 1990 (OPSI, 1990), ‘an Act to make provision for securing computer material against unauthorised access or modification; and for connected purposes’; states three computer misuse offences.

1. Unauthorised access to computer material
2. Unauthorised access with intent to commit or facilitate commission of further offences
3. Unauthorised modification of computer material

The maximum prison sentences defined by the act for each of the previous offences are six months, five years and five years respectively.

The Police and Justice Act 2006 (OPSI, 2006) which covers broader issues than computer crime alone included amendments to the Computer Misuse Act. The maximum prison sentence under section 1 of the original Act was increased from six months to two years.

The European Convention on Cybercrime, designed to provide a general international framework for disposing of cybercrime, was adopted by the EU Committee of Ministers of the Council of Europe in November 2001(Parliament Assembly, 2001).

The treaty covers a wide range of cybercrime, including illegal access, illegal interception of data, data interference, system interference, and misuse of devices, computer-related forgery, computer-related fraud, offences related to child pornography and offences related to infringements of copyright and related rights. The treaty is also created to provide a common law enforcement framework for handling cybercriminals and to advance the sharing of information among all signatories.

Decided Child Pornography Cases

Child pornography is certainly a serious crime that harms children and affects their safety. This threat has been in recent years a problem of great concern to the international community considering that production and dissemination of child pornography using computer systems leads to the proliferation of the abuse of children.

On 27th July 2000 MR JUSTICE SILBER was sentenced at the Peterboroug Crown Court on 27 offences of producing indecent photographs or pseudo photographs of children. He was sentenced of nine months’ imprisonment concurrent for each offence. When he was sentenced the learned judge mentioned that society considered these offences as serious and treated them with great distaste. He took into account all factors put forward in mitigation and then sentenced him to prison (Smith Bernal Reporting Ltd, 2000).

The attitude of Courts to this sort of offence is demonstrated by the decision of the Court in Kenelm James [2000] 2 Cr App R (S) 258. In this case, the Court believed the purpose of the downloading had been for the appellant’s private perverted sexual gratification, and downloading huge numbers of pictures supported abuse of children. The Court of Appeal in that case regarded this as a disgusting trade, however viewed, and that it advanced the abuse of very young children. Noted that the sentence was eighteen months, and the defendant had a previous conviction for similar offences regarding which he had received a four month prison sentence. The number of images for this case was 18,500, which was substantially larger than the amount involved in the first case.

Case of Father Adrian McLeish (Akdeniz, Y., 2001)

Father Adrian McLeish, 45, a Roman Catholic priest, St Joseph’s church in Gilesgate, Durham held the largest known amount of illicit material yet collected electronically. He had accumulated a huge storage of obscene pictures and drawings in his presbytery and exchanged thousands of explicit e-mail messages with other pedophiles. McLeish was sentenced for six years by Newcastle upon Tyne Crown Court on the 13th of November 1996.


With regard to the case under investigation, adequate data and evidence has been gathered. If Tom possessed and tried to distribute the computer related pornography, it will lead to a court convicting him. According to The Protection of Children Act 1978, as amended by the Criminal Justice Act 1988 and the Criminal Justice and Public Order Act 1994, The European Convention on Cybercrime, and The Police and Justice Act 2006, the sentence against him will rely on the amount of the images or videos he has stored and obtained from the internet, the levels of the contents, and his previous convictions. Law enforcement also considers the fact whether he has been involved in producing obscene images or videos.

Jerry has claimed innocence, if his computer retained such photos, this will cause him further suspicion but should not be very serious if he has not downloaded or distributed these images and has not viewed the folder recently.

Share this content...Share on FacebookTweet about this on TwitterShare on Google+Email this to someone
(Visited 269 times, 1 visits today)