Introduction
Computer forensics is the practice of collecting, analysing and reporting on digital information in a way that is legally admissible. It can be used in the detection and prevention of crime and in any dispute where evidence is stored digitally. Computer forensics has comparable examination stages to other forensic disciplines and faces similar issues.

About this guide
This guide discusses computer forensics from a neutral perspective. It is not linked to particular legislation or intended to promote a particular company or product and is not written in bias of either law enforcement or commercial computer forensics. It is aimed at a non-technical audience and provides a high-level view of computer forensics. This guide uses the term “computer”, but the concepts apply to any device capable of storing digital information. Where methodologies have been mentioned they are provided as examples only and do not constitute recommendations or advice. Copying and publishing the whole or part of this article is licensed solely under the terms of the Creative Commons – Attribution Non-Commercial 3.0 license

Uses of computer forensics
There are few areas of crime or dispute where computer forensics cannot be applied. Law enforcement agencies have been among the earliest and heaviest users of computer forensics and consequently have often been at the forefront of developments in the field. Computers may constitute a ‘scene of a crime’, for example with hacking [ 1] or denial of service attacks [2] or they may hold evidence in the form of emails, internet history, documents or other files relevant to crimes such as murder, kidnap, fraud and drug trafficking. It is not just the content of emails, documents and other files which may be of interest to investigators but also the ‘meta-data’ [3] associated with those files. A computer forensic examination may reveal when a document first appeared on a computer, when it was last edited, when it was last saved or printed and which user carried out these actions.

More recently, commercial organisations have used computer forensics to their benefit in a variety of cases such as;

• Intellectual Property theft
• Industrial espionage
• Employment disputes
• Fraud investigations
• Forgeries
• Matrimonial issues
• Bankruptcy investigations
• Inappropriate email and internet use in the work place
• Regulatory compliance

Guidelines
For evidence to be admissible it must be reliable and not prejudicial, meaning that at all stages of this process admissibility should be at the forefront of a computer forensic examiner’s mind. One set of guidelines which has been widely accepted to assist in this is the Association of Chief Police Officers Good Practice Guide for Computer Based Electronic Evidence or ACPO Guide for short. Although the ACPO Guide is aimed at United Kingdom law enforcement its main principles are applicable to all computer forensics in whatever legislature. The four main principles from this guide have been reproduced below (with references to law enforcement removed):

1. No action should change data held on a computer or storage media which may be subsequently relied upon in court.

1. In circumstances where a person finds it necessary to access original data held on a computer or storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

1. An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third-party should be able to examine those processes and achieve the same result.

1. The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.

In summary, no changes should be made to the original, however if access/changes are necessary the examiner must know what they are doing and to record their actions.

Live acquisition
Principle 2 above may raise the question: In what situation would changes to a suspect’s computer by a computer forensic examiner be necessary? Traditionally, the computer forensic examiner would make a copy (or acquire) information from a device which is turned off. A write-blocker[4] would be used to make an exact bit for bit copy [5] of the original storage medium. The examiner would work then from this copy, leaving the original demonstrably unchanged.

However, sometimes it is not possible or desirable to switch a computer off. It may not be possible to switch a computer off if doing so would result in considerable financial or other loss for the owner. It may not be desirable to switch a computer off if doing so would mean that potentially valuable evidence may be lost. In both these circumstances the computer forensic examiner would need to carry out a ‘live acquisition’ which would involve running a small program on the suspect computer in order to copy (or acquire) the data to the examiner’s hard drive.

By running such a program and attaching a destination drive to the suspect computer, the examiner will make changes and/or additions to the state of the computer which were not present before his actions. Such actions would remain admissible as long as the examiner recorded their actions, was aware of their impact and was able to explain their actions.

Stages of an examination
For the purposes of this article the computer forensic examination process has been divided into six stages. Although they are presented in their usual chronological order, it is necessary during an examination to be flexible. For example, during the analysis stage the examiner may find a new lead which would warrant further computers being examined and would mean a return to the evaluation stage.

Readiness
Forensic readiness is an important and occasionally overlooked stage in the examination process. In commercial computer forensics it can include educating clients about system preparedness; for example, forensic examinations will provide stronger evidence if a server or computer’s built-in auditing and logging systems are all switched on. For examiners there are many areas where prior organisation can help, including training, regular testing and verification of software and equipment, familiarity with legislation, dealing with unexpected issues (e.g., what to do if child pornography is present during a commercial job) and ensuring that your on-site acquisition kit is complete and in working order.

Evaluation
The evaluation stage includes the receiving of clear instructions, risk analysis and allocation of roles and resources. Risk analysis for law enforcement may include an assessment on the likelihood of physical threat on entering a suspect’s property and how best to deal with it. Commercial organisations also need to be aware of health and safety issues, while their evaluation would also cover reputational and financial risks on accepting a particular project.

Collection
The main part of the collection stage, acquisition, has been introduced above. If acquisition is to be carried out on-site rather than in a computer forensic laboratory then this stage would include identifying, securing and documenting the scene. Interviews or meetings with personnel who may hold information which could be relevant to the examination (which could include the end users of the computer, and the manager and person responsible for providing computer services) would usually be carried out at this stage. The ‘bagging and tagging’ audit trail would start here by sealing any materials in unique tamper-evident bags. Consideration also needs to be given to securely and safely transporting the material to the examiner’s laboratory.

Analysis
Analysis depends on the specifics of each job. The examiner usually provides feedback to the client during analysis and from this dialogue the analysis may take a different path or be narrowed to specific areas. Analysis must be accurate, thorough, impartial, recorded, repeatable and completed within the time-scales available and resources allocated. There are myriad tools available for computer forensics analysis. It is our opinion that the examiner should use any tool they feel comfortable with as long as they can justify their choice. The main requirements of a computer forensic tool is that it does what it is meant to do and the only way for examiners to be sure of this is for them to regularly test and calibrate the tools they use before analysis takes place. Dual-tool verification can confirm result integrity during analysis (if with tool ‘A’ the examiner finds artefact ‘X’ at location ‘Y’, then tool ‘B’ should replicate these results.)

Presentation
This stage usually involves the examiner producing a structured report on their findings, addressing the points in the initial instructions along with any subsequent instructions. It would also cover any other information which the examiner deems relevant to the investigation. The report must be written with the end reader in mind; in many cases the reader of the report will be non-technical, so the terminology should acknowledge this. The examiner should also be prepared to participate in meetings or telephone conferences to discuss and elaborate on the report.

Review
Along with the readiness stage, the review stage is often overlooked or disregarded. This may be due to the perceived costs of doing work that is not billable, or the need ‘to get on with the next job’. However, a review stage incorporated into each examination can help save money and raise the level of quality by making future examinations more efficient and time effective. A review of an examination can be simple, quick and can begin during any of the above stages. It may include a basic ‘what went wrong and how can this be improved’ and a ‘what went well and how can it be incorporated into future examinations’. Feedback from the instructing party should also be sought. Any lessons learnt from this stage should be applied to the next examination and fed into the readiness stage.

Issues facing computer forensics
The issues facing computer forensics examiners can be broken down into three broad categories: technical, legal and administrative.

Encryption – Encrypted files or hard drives can be impossible for investigators to view without the correct key or password. Examiners should consider that the key or password may be stored elsewhere on the computer or on another computer which the suspect has had access to. It could also reside in the volatile memory of a computer (known as RAM [6] which is usually lost on computer shut-down; another reason to consider using live acquisition techniques as outlined above.

Increasing storage space – Storage media holds ever greater amounts of data which for the examiner means that their analysis computers need to have sufficient processing power and available storage to efficiently deal with searching and analysing enormous amounts of data.

New technologies – Computing is an ever-changing area, with new hardware, software and operating systems being constantly produced. No single computer forensic examiner can be an expert on all areas, though they may frequently be expected to analyse something which they haven’t dealt with before. In order to deal with this situation, the examiner should be prepared and able to test and experiment with the behaviour of new technologies. Networking and sharing knowledge with other computer forensic examiners is also very useful in this respect as it’s likely someone else may have already encountered the same issue.

Anti-forensics – Anti-forensics is the practice of attempting to thwart computer forensic analysis. This may include encryption, the over-writing of data to make it unrecoverable, the modification of files’ meta-data and file obfuscation (disguising files). As with encryption above, the evidence that such methods have been used may be stored elsewhere on the computer or on another computer which the suspect has had access to. In our experience, it is very rare to see anti-forensics tools used correctly and frequently enough to totally obscure either their presence or the presence of the evidence they were used to hide.

Legal issues
Legal arguments may confuse or distract from a computer examiner’s findings. An example here would be the ‘Trojan Defence’. A Trojan is a piece of computer code disguised as something benign but which has a hidden and malicious purpose. Trojans have many uses, and include key-logging [7], uploading and downloading of files and installation of viruses. A lawyer may be able to argue that actions on a computer were not carried out by a user but were automated by a Trojan without the user’s knowledge; such a Trojan Defence has been successfully used even when no trace of a Trojan or other malicious code was found on the suspect’s computer. In such cases, a competent opposing lawyer, supplied with evidence from a competent computer forensic analyst, should be able to dismiss such an argument.

Accepted standards – There are a plethora of standards and guidelines in computer forensics, few of which appear to be universally accepted. This is due to a number of reasons including standard-setting bodies being tied to particular legislations, standards being aimed either at law enforcement or commercial forensics but not at both, the authors of such standards not being accepted by their peers, or high joining fees dissuading practitioners from participating.

Fitness to practice – In many jurisdictions there is no qualifying body to check the competence and integrity of computer forensics professionals. In such cases anyone may present themselves as a computer forensic expert, which may result in computer forensic examinations of questionable quality and a negative view of the profession as a whole.

Resources and further reading
There does not appear to be a great amount of material covering computer forensics which is aimed at a non-technical readership. However the following links at links at the bottom of this page may prove to be of interest prove to be of interest:

Glossary
1. Hacking: modifying a computer in way which was not originally intended in order to benefit the hacker’s goals.
2. Denial of Service attack: an attempt to prevent legitimate users of a computer system from having access to that system’s information or services.
3. Meta-data: at a basic level meta-data is data about data. It can be embedded within files or stored externally in a separate file and may contain information about the file’s author, format, creation date and so on.
4. Write blocker: a hardware device or software application which prevents any data from being modified or added to the storage medium being examined.
5. Bit copy: bit is a contraction of the term ‘binary digit’ and is the fundamental unit of computing. A bit copy refers to a sequential copy of every bit on a storage medium, which includes areas of the medium ‘invisible’ to the user.
6. RAM: Random Access Memory. RAM is a computer’s temporary workspace and is volatile, which means its contents are lost when the computer is powered off.
7. Key-logging: the recording of keyboard input giving the ability to read a user’s typed passwords, emails and other confidential information.

Open Source (Free) development is a methodology of creating software products from the design, development to its distribution. Developers often distributed such free software under the GPL (General Public License). This methodology provides a source code access to anybody and everybody aspiring to develop the software further for the good.

The evolution of Open source development

During the period of 50′s and 60′s, software were distributed free of cost to enhance the functionality of the hardware or to promote the hardware. People involved in the computer business dealt with hardware and freely distributed codes to encourage hardware sales. Also, buyers often had to change the code to make it work according to their business. They also had to fix bugs or add new features supporting hardware issues.

During early 1970′s, operating system and compilers began to grow rapidly. This development phase led to the surge in software demand, which had software companies to begin charging for the software licenses. Software started selling with several legal restrictions including copyright, trademark and leasing contracts.

The Open Source trend evolved during 1984 and 1985 when Stallman started the GNU project with an ultimate goal of getting the operating system developed and edited by genius developers without the expensive licensing issue and source code restrictions. This promoted Open Source development not only for operating system, but also for other areas of computing. Later, GNU General Public License became a legal tool ensuring that software under the GNU will remain free.

Open source framework programming advanced and today major companies accept its integration. This system developed some of the most famous and robust software namely Mozilla Corporation products, Firefox; Linux and UNIX operating systems; LAMP software stack and so on.

The Concept

Although we fondly call these applications as free software, the term “free” refers to its nature, meaning users have liberty to study, use and modify the software. In terms of price, these applications are not available free of cost, but one can easily avail them at minimal charges. This type of application development is, generally, an initiative from the non-profit organizations.

The customization of such software makes proprietary software owners uncomfortable due to its lower cost of development, support and license. Also, there is a wide scope for open source development and integration, as the huge communities and developers with better skills back the technology. These solutions are faster and scalable as compared to their proprietary counterparts. Moreover, these solutions offer more stability as they can be freely changed with time and according to the usability.

Is open source integration preferable?

Today, most companies feel implementing free software framework programming techniques are safer and hassle-free, as companies don’t have to go through the complicated proprietary software licensing process. Free applications are community driven and community serving; brilliant programmers across the world join these communities and put their efforts to serve it better.

Open-source development is self-sustained. It doesn’t belong to a specific organization, but to the community. Therefore, Open Source integration is always preferable as if a company initiating a specific development goes bankrupt, the software still remains strong, and the development never stops, as it is well-maintained by the community.

If you want to remotely have access to your central organizational network, you may want to consider using a virtual private network (VPN). Although the name sounds very complicated, it is actually quite easy to use. This private network largely uses public telecommunication such as the internet to provide access to a central organizational network. This simply means that a computer can connect to another computer on the same network. With this private network you may share data and have access to network resources, printers, databases, websites, etc.

The benefit of a VPN is that there are low costs involved because it does not need physical leased lines to connect users remotely to an Intranet. The world has slowly evolved into a modernised wireless technological era. Businesses are at the advantage point and grow in capital because of smart technology and software. Virtual Private networks are faster, secure and reliable when you want to share information across computer networks. People who are traveling, sales persons, companies with many shops, offices or businesses around the world benefit hugely from this fast network.

You don’t have to worry about how safe the network is. A Virtual Private network is safe and secure, because only users with access can read the data, thus anybody else who intercepts the data will only be reading encrypted data. Privacy are ensured through security procedures and tunnelling protocols. Not only are the data encrypted, but also the originating and receiving network addresses are encrypted. Data that are send through these “tunnels” are encrypted and only the sender and receiver can read the data. Businesses wishing to grow can expand all its intranet’s resources to employees working from remote offices or their homes securely. The ultimate aim of your VPN is to grant secure access to the organization with equal resources at a better price.

Other benefits of your VPN are that it will be hard for anyone else to know what your real IP address is or to identify where you are located. This is useful when you want to prevent harassment or spying caused by people tracking you by your IP address.

So how does it work? Well you first have to connect to any public internet. Then you connect to the company server which has initiated the VPN connection to a remote host (a dialup link). Now you can communicate remotely with the company central organizational network and access all resources that you need.

Through development and deployment of plug-ins we can extend Microsoft Dynamics CRM 4.0. In this article we will discuss development, deployment and debugging of plugins. additionally we will see what tools and techniques we can use for improving your efficiency and experienced for developing plug-ins.

Applies To

• Microsoft Dynamics CRM 4.0
• Visual Studio 2005
• Visual Studio 2008

Prerequisites

We assume that you are aware of writing applications in Microsoft Visual C# or Microsoft Visual Basic.NET with the use of.NET framework. Developers who are experienced in.Net development, CRM solutions, Cloud CRM and CRM application development are aware of the framework. In order to write plug-in code you need to download and extract Microsoft Dynamics CRM 4.0 SDK and then install Visual Studio 2005 or 2008 on your PC. For deploying and executing plug-ins you need to access Microsoft Dynamics CRM on-premise or IFD server. The online one does not support upload of custom code to the server. By writing workflows you can extend the functionality of Microsoft Dynamics CRM.

How to set up the Development Environment?

To improve your experience in.Net development or CRM application development and for writing code faster with less run-time errors you need to set up an efficient development environment. You may search the Internet for tools and techniques which may help you to improve experience. It is possible to set up development environment in any computer that runs Windows XP, Windows Vista, Windows Server 2003 or Windows Server 2008. While it is also possible to develop directly on the server but it is not advisable as it affects the stability and performance of the system.

For more information, see the MSDN article: Setting Up Your Development Environment.

Installation of SDK: You need to download the latest version of SDK and you will get programming documentation, source code samples and tools and the required assemblies for developing plugins.

Installation of plug-in template: You will also find Microsoft Visual Studio templates which contains basic plug-in code in the latest version of SDK which makes writing of plugins easier. Just select MSCRM Plug-in template while creating new project and use the template.

Build the sample tools and other useful tools that are easily available free on internet. Some of the tools are Microsoft Dynamics CRM Developer Toolkit, Dynamic Entity Visualizer, Plug-in Samples, and Snippet Designer. Then it is the time to set up the test server before development and deploying.

Design and Write a Plug-in: After having set up an environment for development of plugin we can move to writing of the plugins. Please check out Quick start Guide to Plug-in Development.

Building a Plug-in:

It is same like building the plug-in project like any other Microsoft Visual Studio project. Only thing you need to do is to sign the assembly by which plugins are loaded and executed by MDCRM.

However, one thing that you must do is to sign the assembly. Only plugins from signed assemblies are loaded and executed by Microsoft Dynamics CRM. For this follow these steps:

• Open property page, right click in Solution Explorer and select Properties.
• Select Signing tab
• Select Sign the assembly
• Choose a string name key file
• Type a name in the dialog box, make sure Protect my key file with a password is no checked and click OK
• Build the project

Deploying a Plug-in:

While deploying a plug-in you need to copy one or more plugin assemblies to MDCRM. If your plug-in requires other custom assemblies, those assemblies must be deployed to the Global Assembly Cache (GAC) on the target computer. In addition, each plugin must be registered with the Microsoft Dynamics CRM server. On-disk and Database are two kinds of plug-in deployments. A copy of assembly will be stored in server database. Thus your database deployed plugin assembly will be deployed automatically to each server.