Guide To Digital Forensics

Computer forensics, or digital forensics, is a term in computer science for obtaining legally admissible evidence from digital media or computer storage. With a digital forensic investigation, the investigator can discover what happened to digital media such as emails, hard disks, logs, computer systems, and the network itself. In many cases, a forensic investigation can show how the crime occurred and how we can protect ourselves against it next time.

Some reasons why we need to conduct a forensic investigation:

1. To gather evidence so that it can be used in court to resolve legal cases.

2. To assess the security of our network, and to close security holes with patches and fixes.

3. To recover deleted files or any data in the event of hardware or software failure.

In computer forensics, the most important issues that should be remembered when conducting the investigation are:

1. The original evidence must not be altered in any way. To conduct the process, the forensic investigator should make a bit-stream image. A bit-stream image is a bit-by-bit copy of the original storage medium, an exact copy of the original media. The difference between a bit-stream image and a normal copy of the original storage is that the bit-stream image includes the slack space on the storage medium; you will not find any slack-space data on a normally copied medium.

2. All forensic processes must follow the legal requirements of the country where the crime occurred. Each country has different legislation covering the IT field; some take IT rules very seriously, for example the United Kingdom and Australia.

3. All forensic processes can only be conducted after the investigator has obtained a search warrant.

Forensic investigators normally look at the timeline of how the crime occurred, in chronological order. With that, we can reconstruct the crime scene: how, when, what and why the crime may have happened. In a large company, it is advisable to create a Digital Forensic Team or First Responder Team, so that the company can preserve the evidence until the forensic investigator arrives at the crime scene.

The First Response rules are:

1. Under no circumstances should anyone other than the Forensic Analyst make any attempt to recover data from any computer system or device that holds electronic information.

2. Any attempt to retrieve the data by a person mentioned in rule 1 must be avoided, as it could compromise the integrity of the evidence, which would then become inadmissible in a court of law.

Those rules already explain the essential role of a First Responder Team in a company. Unqualified personnel can only secure the perimeter so that nobody touches the crime scene until the Forensic Analyst arrives. (This can be supported by taking photographs of the crime scene. They can also make notes about the scene and who was present at that time.)

The steps that must be taken, in a professional manner, when a digital crime happens are:

1. Secure the crime scene until the forensic analyst arrives.

2. The Forensic Analyst must request a search warrant from the local authorities or the company's management.

3. The Forensic Analyst may take photographs of the crime scene in case no photographs have been taken yet.

4. If the computer is still powered on, do not turn it off. Instead, use forensic tools such as Helix to collect information that can only be found while the computer is still powered on, such as the contents of RAM and the registry. Such tools are specifically designed not to write anything back to the system, so its integrity stays intact.

5. Once all live evidence is collected, the Forensic Analyst can turn off the computer and take the hard disk back to the forensic lab.

6. All evidence must be documented, and a chain of custody is used for this. The chain of custody keeps records about the evidence, such as who last had possession of it.

7. Securing the evidence should be accompanied by a legal officer, such as the police, as a formality.

8. Back in the lab, the Forensic Analyst takes the evidence and creates a bit-stream image, as the original evidence must not be used. Usually the Forensic Analyst will create 2-5 bit-stream images in case one image is corrupted. Of course, the chain of custody is still used in this situation to keep records of the evidence.

9. Hashes of the original evidence and of the bit-stream image are created. This acts as proof that the bit-stream image is an exact copy of the original evidence. Any alteration of the bit-stream image will result in a different hash, which would make the evidence found in it inadmissible in court.

10. The Forensic Analyst starts to look for evidence in the bit-stream image by carefully examining the relevant locations, which depend on what kind of crime has happened. For example: Temporary Internet Files, slack space, deleted files, steganography files.
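The following Python script is an added example, not part of the original guide, that ties together the bit-stream image requirement stated at the top of the page and steps 6, 8 and 9 above: it copies the evidence block by block, creates more than one image, hashes the original and each image, verifies that the hashes agree, and appends every handling event to a chain-of-custody log. It assumes a constructed sample file standing in for the evidence medium; in practice the source would be a block device read through a hardware write-blocker, and the image would then carry the slack space that a normal file copy omits. The evidence identifier `EV-001`, the handler name and the file names are invented for the demonstration. The tamper step at the end deliberately flips one byte in one image to show that the verification in step 9 detects the change.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read/write in 1 MiB blocks so large images never sit in memory


def sha256_of(path):
    """Return the SHA-256 hex digest of a file, hashed block by block."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def make_bitstream_image(source, image_path):
    """Copy every byte of `source` to `image_path` (source is opened read-only).

    The source is hashed while it streams past, so the original is read exactly
    once; the image is hashed afterwards from disk to prove what was written.
    Returns (source_hash, image_hash).
    """
    src_hash = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
    return src_hash.hexdigest(), sha256_of(image_path)


def verify_image(expected_hash, image_path):
    """Step 9: an image is only usable if its hash still equals the original's."""
    return sha256_of(image_path) == expected_hash


def record_custody(log_path, evidence_id, action, handler, digest):
    """Step 6: append one chain-of-custody entry (who, what, when, hash) as JSON lines."""
    entry = {
        "evidence_id": evidence_id,
        "action": action,
        "handler": handler,
        "sha256": digest,
        "timestamp": datetime.now(timezone.utc).isoformat(),
    }
    with open(log_path, "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def demo():
    """Run the imaging procedure on a constructed sample and report the checks."""
    workdir = tempfile.mkdtemp(prefix="forensic_demo_")
    evidence = os.path.join(workdir, "suspect_disk.bin")  # constructed stand-in for the medium
    with open(evidence, "wb") as f:
        f.write(bytes(range(256)) * (12 * 1024) + b"tail")  # ~3 MiB of deterministic data
    log = os.path.join(workdir, "chain_of_custody.jsonl")

    original_hash = sha256_of(evidence)
    record_custody(log, "EV-001", "received in lab", "analyst-A", original_hash)

    images = []
    for n in (1, 2):  # step 8: more than one image, in case one is corrupted
        image = os.path.join(workdir, f"suspect_disk.{n}.img")
        src_hash, img_hash = make_bitstream_image(evidence, image)
        record_custody(log, "EV-001", f"bit-stream image {n} created", "analyst-A", img_hash)
        images.append((image, src_hash == img_hash == original_hash))

    # Simulate an accidental write to image 2: flip one byte, then re-verify.
    tampered = images[1][0]
    with open(tampered, "r+b") as f:
        f.seek(100)
        original_byte = f.read(1)[0]
        f.seek(100)
        f.write(bytes([original_byte ^ 0xFF]))

    with open(log) as f:
        entries = sum(1 for _ in f)

    return {
        "images_match": all(ok for _, ok in images),
        "image1_still_valid": verify_image(original_hash, images[0][0]),
        "tampered_detected": not verify_image(original_hash, tampered),
        "custody_entries": entries,
    }


if __name__ == "__main__":
    print(demo())
```

Note that the image is hashed from disk after writing rather than trusting the in-memory copy: the point of step 9 is to be able to re-run `verify_image` on the file at any later date, so the recorded hash must describe the bytes that actually landed on the lab's storage.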
