Introduction To Digital Forensics

Computer forensics, or digital forensics, is a term in computer science for the acquisition of legal evidence from digital media or computer storage. With a digital forensic investigation, the investigator can discover what happened to digital media such as emails, hard disks, logs, the computer system, and the network itself. In many cases, a forensic investigation can show how the crime happened and how we can protect ourselves against it next time.

Some reasons why we have to conduct a forensic investigation:

1. To collect evidence so that it can be used in court to solve legal cases.

2. To assess the strength of our network, and to close the security gaps with patches and fixes.

3. To recover deleted files, or any files, in the event of a hardware or software failure.

In computer forensics, the most important things to remember when conducting the investigation are:

1. The original evidence must not be altered in any way. To conduct the examination, the forensic investigator must make a bit-stream image. A bit-stream image is a bit-by-bit copy of the original storage medium, an exact copy of the original media. The difference between a bit-stream image and a regular copy of the original storage is the slack space: a bit-stream image includes the slack space on the medium, while a regular copy does not, so you will not find any slack-space data on a copied medium.

2. All forensic processes must follow the laws of the country where the crime happened. Each country has different laws in the IT field. Some take IT regulation very seriously, for instance the United Kingdom and Australia.

3. All forensic processes can only be conducted after the investigator has obtained a search warrant.

Forensic investigators usually reconstruct a timeline of how the crime occurred. With that, we can reconstruct the crime scene: how, when, what and why the crime happened. In a large company, it is advisable to create a Digital Forensic Group or First Responder Team, so that the company can preserve the evidence until the forensic investigator arrives at the crime scene.

The First Response rules are:

1. Nobody other than the Forensic Analyst should make any attempt to recover data from any computer system or device that holds digital information.

2. Any attempt to retrieve the data by a person described in rule 1 must be avoided, as it may compromise the integrity of the evidence and make it inadmissible in court.

These rules already explain the important role of having a First Responder Team in a company. An unqualified person can only secure the perimeter so that nobody touches the crime scene until the Forensic Analyst arrives. This can be done by photographing the crime scene; the team can also make notes about the scene and about who was present at the time.

The steps to be taken, in a professional manner, when a digital crime has happened:

1. Secure the crime scene until the forensic analyst arrives.

2. The Forensic Analyst must request a search warrant from the local authorities or the company's management.

3. The Forensic Analyst may take pictures of the crime scene if no photographs have been taken yet.

4. If the computer is still powered on, do not turn it off. Instead, use a forensic tool such as Helix to collect data that can only be found while the computer is still running, such as the contents of RAM and the registry. Such tools are specifically designed not to write anything back to the system, so the integrity of the evidence stays intact.

5. Once all live evidence is collected, the Forensic Analyst can turn off the computer and take the hard disk back to the forensic lab.

6. All of the evidence must be documented, for which a chain of custody is used. The chain of custody keeps records on the evidence, such as who last had possession of it.

7. Securing the evidence must be accompanied by an authorized officer, such as the police, as a formality.

8. Back in the lab, the Forensic Analyst uses the evidence to create a bit-stream image, as the original evidence must not be worked on directly. Usually, the Forensic Analyst will create 2-5 bit-stream images in case one image is corrupted. Of course, the chain of custody is still maintained in this situation to keep records of the evidence.

9. A hash of the original evidence and of each bit-stream image is created. This acts as proof that the original evidence and the bit-stream image are exact copies. Any alteration of the bit-stream image will result in a different hash, which would make the evidence found in it inadmissible in court.

10. The Forensic Analyst starts to search for evidence in the bit-stream image by carefully looking at the locations relevant to the kind of crime that has happened. For example: Temporary Internet Files, slack space, deleted files, and steganography files.
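As an added illustration of points 1, 8 and 9 above (example code, not part of the original article), the following Python simulates a tiny storage medium with a file and slack-space residue, shows that a regular file copy loses the slack while a bit-stream image keeps it, and verifies each image against the original by SHA-256 hash. The sector size, file contents and slack residue are constructed sample data, and the hash algorithm is an assumption; the article names none.

```python
import hashlib

SECTOR = 512    # constructed sector size of the simulated medium
FILE_LEN = 300  # constructed logical size of the only file on the medium


def build_media():
    """Construct a tiny simulated storage medium (sample data, not a real disk).

    Sector 0 holds a 300-byte file; the remaining 212 bytes of that sector are
    slack space still containing residue of an earlier, deleted note.
    Sector 1 is unallocated.
    """
    file_data = b"Q3 budget spreadsheet, approved by finance.".ljust(FILE_LEN, b".")
    slack = b"[deleted note: draft memo, do not send]".ljust(SECTOR - FILE_LEN, b"\x00")
    unallocated = b"\x00" * SECTOR
    return file_data + slack + unallocated


def logical_copy(media, file_len=FILE_LEN):
    """A regular copy: only the bytes the file system reports as the file."""
    return media[:file_len]


def bit_stream_image(media, sector=SECTOR):
    """A bit-stream image: every sector of the medium, slack and free space included."""
    return b"".join(media[i:i + sector] for i in range(0, len(media), sector))


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def acquire(media, copies=3):
    """Steps 8 and 9: make several images and keep only those whose hash
    matches the original evidence. Returns the reference hash and the images."""
    reference = sha256(media)
    images = [bit_stream_image(media) for _ in range(copies)]
    verified = [img for img in images if sha256(img) == reference]
    return reference, verified


def contains_slack_residue(data, marker=b"deleted note"):
    """True if the residue from slack space survived into this copy."""
    return marker in data


if __name__ == "__main__":
    media = build_media()
    print("logical copy keeps slack residue:", contains_slack_residue(logical_copy(media)))
    print("bit-stream image keeps residue  :", contains_slack_residue(bit_stream_image(media)))
    ref, images = acquire(media)
    print("reference hash:", ref, "| verified images:", len(images))
    tampered = bytearray(images[0]); tampered[0] ^= 0x01  # flip a single bit
    print("tampered image still matches    :", sha256(bytes(tampered)) == ref)
```

Flipping a single bit in an image changes its hash, which is why the hashes recorded at acquisition are what later prove the image was never altered.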