Guide To Digital Forensics

Computer forensics, or digital forensics, is a branch of computer science concerned with acquiring legally admissible evidence found in digital media or computer storage. Through a digital forensic investigation, the investigator can discover what happened to digital media such as emails, hard disks, logs, the computer system, and the network itself. In many cases a forensic investigation can reconstruct how the crime happened and how we can defend ourselves against it next time.

Some reasons why we need to conduct a forensic investigation:

1. To collect evidence so that it can be used in court to resolve legal cases.

2. To investigate the strength of our network, and to close security holes with patches and fixes.

3. To recover deleted files, or any files, in the event of hardware or software failure.

In computer forensics, the most important things to remember when conducting the investigation are:

1. The original evidence must not be altered in any way. To conduct the process, the forensic investigator must make a bit-stream image. A bit-stream image is a bit-by-bit copy of the original storage medium, an exact duplicate of the original media. The difference between a bit-stream image and a normal copy of the original storage is that the bit-stream image includes the slack space in the storage. You will not find any slack space information on a normal copy of the media.

2. All forensic processes must comply with the laws of the country where the crime happened. Each country has different regulations for the IT field. Some take IT regulation very seriously, for instance the United Kingdom and Australia.

3. All forensic processes can only be carried out after the investigator has obtained a search warrant.

Forensic investigators normally look at the timeline of how the crime occurred, in chronological order. With that, we can reconstruct the crime scene: how, when, what and why the crime may have happened. In a big company, it is advisable to create a Digital Forensic Team or First Responder Team, so that the company can still preserve the evidence until the forensic investigator arrives at the crime scene.

First Response rules are:

1. Under no circumstances should anyone, apart from the Forensic Analyst, make any attempt to recover data from any computer system or device that holds electronic information.

2. Any attempt to retrieve the data by a person other than the one stated in rule 1 should be avoided, because it may compromise the integrity of the evidence, which would then become inadmissible in court.

These guidelines already explain the essential role of having a First Responder Team in a company. An unqualified person can only secure the perimeter so that no one touches the crime scene until the Forensic Analyst arrives (this can be done by taking pictures of the crime scene). They can also make notes about the scene and who was present at that time.

Steps that should be taken, in a professional manner, when a digital crime occurs:

1. Secure the crime scene until the forensic analyst arrives.

2. The Forensic Analyst should request a search warrant from the local authorities or the company's management.

3. The Forensic Analyst may take pictures of the crime scene if none have been taken yet.

4. If the computer is still powered on, do not turn it off. Instead, use forensic tools such as Helix to collect information that can only be found while the computer is still powered on, such as data in RAM and the registry. Such tools have the special property of not writing anything back to the system, so the integrity stays intact.

5. Once all live evidence is collected, the Forensic Analyst can turn off the computer and take the hard disk back to the forensic lab.

6. All the evidence must be documented, for which a chain of custody is used. The chain of custody keeps records about the evidence, such as who handled the evidence last.

7. Securing the evidence must be accompanied by a legal officer such as the police, as a formality.

8. Back in the lab, the Forensic Analyst takes the evidence and creates a bit-stream image, as the original evidence must not be used. Usually, the Forensic Analyst will create 2-5 bit-stream images in case one image is corrupted. Of course, the chain of custody is still used in this situation to keep records of the evidence.

9. A hash of the original evidence and of the bit-stream image is created. This acts as proof that the bit-stream image is an exact copy of the original evidence. Any alteration of the bit-stream image will result in a different hash, which makes the evidence found inadmissible in court.

10. The Forensic Analyst starts to look for evidence in the bit-stream image by carefully examining the relevant locations, depending on what kind of crime has happened. For instance: Temporary Internet Files, slack space, deleted files, steganography files.
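Steps 8 and 9 above (bit-stream imaging, then hashing the original and the image) can be shown in a few lines. The script below is an added example, not code from the original article: it images a medium byte for byte, hashes the source as it is read and the image after it is written, and then shows that a single flipped bit in the image breaks the verification. The "medium" is a constructed random file standing in for a block device; a real acquisition would read the device through a write blocker.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read the medium in 1 MiB blocks

def sha256_file(path):
    """Hash a file block by block so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def bitstream_image(source_path, image_path):
    """Copy every byte of the source medium into an image file, hashing the
    bytes as they are read. Returns (hash of source as read, hash of image)."""
    src_hash = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
    return src_hash.hexdigest(), sha256_file(image_path)

def verify_image(source_path, image_path, recorded_hash):
    """Re-hash original and image and compare both with the hash recorded at
    acquisition; any mismatch means the image is not an exact copy."""
    return sha256_file(source_path) == recorded_hash == sha256_file(image_path)

def demo():
    # Constructed sample medium: a random file standing in for a block device
    # such as /dev/sdX (placeholder), which would be read via a write blocker.
    tmp = tempfile.mkdtemp()
    medium = os.path.join(tmp, "evidence.bin")
    image = os.path.join(tmp, "evidence.dd")
    with open(medium, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 12345))
    src_hash, img_hash = bitstream_image(medium, image)
    intact = verify_image(medium, image, src_hash)
    # Flip a single bit in the image: the verification must now fail.
    with open(image, "r+b") as f:
        f.seek(100)
        byte = f.read(1)[0]
        f.seek(100)
        f.write(bytes([byte ^ 0x01]))
    return src_hash == img_hash, intact, verify_image(medium, image, src_hash)
```

Calling `demo()` returns `(True, True, False)`: the hashes of source and image agree after acquisition, verification passes, and it fails once the image has been altered.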
