Guide To Digital Forensics

Computer forensics, or digital forensics, is the discipline of acquiring legally admissible evidence from computers and digital storage media. Through a digital forensic investigation, the investigator can reconstruct what happened to the digital media involved, such as emails, hard disks, logs, the computer system and the network itself. In many cases a forensic investigation can show how the crime was committed and how we can defend ourselves against it next time.

Some reasons why we need to conduct a forensic investigation:

1. To gather evidence so that it can be used in court to resolve legal cases.

2. To assess how strong our network's security really is, and to close the gaps found with patches and fixes.

3. To recover deleted files, or any files, in the event of hardware or software failure.

In computer forensics, the most important things to remember when conducting an investigation are:

1. The original evidence must not be altered in any way. To work on it without altering it, the forensic investigator must make a bit-stream image. A bit-stream image is a bit-by-bit copy of the original storage medium, an exact duplicate of the original media. The difference between a bit-stream image and a normal copy of the original storage is that the bit-stream image also contains the slack space, the unallocated space and the remains of deleted files; a normal file copy contains only the bytes the file system reports as belonging to files, so you will not find any slack space information on a copied medium.

2. All forensic processes must comply with the laws of the country where the crime took place. Each country has different laws covering the IT field; some take IT regulation very seriously, for example the United Kingdom and Australia.

3. Forensic processes may only begin once the investigator holds the proper authority to search the systems involved: a search warrant from the authorities or, inside a company, authorization from the company's management.
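
The following Python script is an added worked example, not part of the original article, illustrating the first rule above. It simulates a tiny disk whose second cluster once held an old note, overwrites the start of that cluster with a short new file, and compares what a normal file copy returns with what a bit-stream image preserves. The sector and cluster sizes, the file contents and the directory entry are all constructed assumptions.

```python
"""Why a bit-stream image differs from a normal file copy.

Constructed example, not from the original article. The disk geometry,
the file contents and the directory entry are assumptions chosen so the
effect is easy to see.
"""

SECTOR = 512
CLUSTER = 8 * SECTOR          # 4 KiB allocation unit (assumed)
DISK_SIZE = 4 * CLUSTER       # a 16 KiB "disk" (assumed)

# Constructed contents: an old note that once filled most of cluster 1,
# then a much shorter file allocated into the same cluster later.
OLD_NOTE = b"old note: transfer codes 4417-8823\n" * 100   # 3500 bytes
NEW_FILE = b"shopping list: milk, eggs\n"                   # 26 bytes

# What the file system's directory would expose for the new file:
# (start offset on the medium, logical length in bytes)
NEW_FILE_ENTRY = (CLUSTER, len(NEW_FILE))


def build_disk() -> bytearray:
    """Build the constructed medium: write the old note into cluster 1,
    then overwrite the beginning of that cluster with the new file. The
    tail of the old note survives in the cluster's slack space."""
    disk = bytearray(DISK_SIZE)
    disk[CLUSTER:CLUSTER + len(OLD_NOTE)] = OLD_NOTE
    disk[CLUSTER:CLUSTER + len(NEW_FILE)] = NEW_FILE
    return disk


def logical_copy(disk: bytes, entry) -> bytes:
    """What a normal copy (cp, Explorer) returns: only the bytes the file
    system says belong to the file."""
    start, length = entry
    return bytes(disk[start:start + length])


def bitstream_image(disk: bytes) -> bytes:
    """A bit-stream image: every byte of the medium, allocated or not."""
    return bytes(disk)


def slack_space(image: bytes, entry) -> bytes:
    """Bytes between the logical end of the file and the end of the last
    cluster allocated to it. Only present in a bit-stream image."""
    start, length = entry
    clusters_used = (length + CLUSTER - 1) // CLUSTER
    cluster_end = start + clusters_used * CLUSTER
    return image[start + length:cluster_end]


def main():
    disk = build_disk()
    copy = logical_copy(disk, NEW_FILE_ENTRY)
    slack = slack_space(bitstream_image(disk), NEW_FILE_ENTRY)
    print(f"logical copy ({len(copy)} bytes): {copy!r}")
    print(f"slack space: {len(slack)} bytes")
    print(f"old note recoverable from copy : {b'transfer codes' in copy}")
    print(f"old note recoverable from slack: {b'transfer codes' in slack}")


if __name__ == "__main__":
    main()
```

Run it and the logical copy contains only the shopping list, while the 4070 bytes of slack in the bit-stream image still hold the overwritten note; on a real file system the same applies to unallocated clusters of deleted files.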

Forensic investigators usually look at the timeline of how the crime happened, placing events in chronological order. From that we can reconstruct the crime scene: how, when, what and why the crime may have happened. In a large company it is advisable to create a Digital Forensic Team or First Responder Team, so that the company can preserve the evidence until the forensic investigator arrives at the crime scene.

First Response rules are:

1. Under no circumstances should anyone except the Forensic Analyst attempt to recover information from any computer system or device that holds digital information.

2. Any attempt by a person other than the Forensic Analyst to retrieve the data must be avoided, because it may compromise the integrity of the evidence, which would then be inadmissible in court.

These rules explain why a company needs a First Responder Team. Unqualified staff may only secure the perimeter so that nobody can touch the crime scene until the Forensic Analyst arrives. They can also photograph the crime scene and make notes about the scene and about who was present at the time.

The steps to be taken, in a professional manner, when a digital crime has happened are:

1. Secure the crime scene until the forensic analyst arrives.

2. The Forensic Analyst requests a search warrant from the local authorities, or authorization from the company's management.

3. The Forensic Analyst photographs the crime scene if no pictures have been taken yet.

4. If the computer is still powered on, do not turn it off. Instead, use a live forensic toolkit such as Helix to collect data that can only be found while the computer is running, such as the contents of RAM and the live registry. Such tools are built specifically to write as little as possible back to the system so that the integrity of the evidence is preserved; even so, running anything on a live machine changes its state, so the analyst should record every command run and the time it was run.

5. Once all live evidence has been collected, the Forensic Analyst can power off the computer and take the hard disk back to the forensic lab.

6. All the evidence must be documented, which is what the chain of custody is for. The chain of custody records, for every item of evidence, who had it, when they received it and handed it over, and why, so that the last person to hold the evidence can always be identified.

7. Securing the evidence should be accompanied by a legal officer, such as a police officer, as a formality.

8. Back in the lab, the Forensic Analyst creates bit-stream images from the evidence, because the original evidence must not be used for analysis. Normally the Forensic Analyst will create two to five bit-stream images in case one image becomes corrupted. The chain of custody is of course still maintained in this scenario to keep track of the evidence.

9. A hash of the original evidence and of each bit-stream image is computed. Matching hashes are the proof that the bit-stream image is an exact copy of the original evidence. Any alteration to the image would produce a different hash, which would make any evidence found on it inadmissible in court.

10. The Forensic Analyst begins to search for evidence in the bit-stream image by carefully examining the locations relevant to the type of crime that has happened, for example Temporary Internet Files, slack space, deleted files and steganography files.
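
Steps 8 and 9 above, as an added worked example in Python that is not from the original article: the script images a constructed in-memory "drive" block by block while hashing the bytes it reads, takes two images as the article suggests, verifies each image against the hashes taken during acquisition, and shows that a single flipped bit in a working copy fails verification. The device contents, the block size and the choice of hash algorithms are assumptions; on a real case the source would be a write-blocked drive and the images would go to separate evidence disks.

```python
"""Bit-stream imaging with hash verification.

Added example, not from the original article. The "device" is a
constructed in-memory byte string standing in for a write-blocked source
drive; block size and hash algorithms are assumptions.
"""
import hashlib
import io

BLOCK_SIZE = 64 * 1024            # read size, assumed; imaging tools often use larger blocks
ALGORITHMS = ("md5", "sha256")    # record two hashes so a weakness in one does not matter


def _new_hashers() -> dict:
    return {name: hashlib.new(name) for name in ALGORITHMS}


def hash_stream(stream, block_size: int = BLOCK_SIZE) -> dict:
    """Hash a readable binary stream block by block, returning {algo: hexdigest}.
    Reading in blocks keeps memory use flat no matter how large the medium is."""
    hashers = _new_hashers()
    stream.seek(0)
    while True:
        block = stream.read(block_size)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes) -> dict:
    """Convenience wrapper for hashing an in-memory byte string."""
    return hash_stream(io.BytesIO(data))


def acquire_image(source, destination, block_size: int = BLOCK_SIZE) -> dict:
    """Copy every byte of `source` to `destination`, hashing the data as it
    streams past, so the acquisition hash is computed from exactly the bytes
    read from the original medium. Returns {algo: hexdigest}."""
    hashers = _new_hashers()
    source.seek(0)
    destination.seek(0)
    while True:
        block = source.read(block_size)
        if not block:
            break
        destination.write(block)
        for h in hashers.values():
            h.update(block)
    destination.flush()
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(image, acquisition_hashes: dict) -> bool:
    """Re-hash the finished image and compare every algorithm with the hashes
    recorded at acquisition. Any mismatch means the image is not a faithful copy."""
    return hash_stream(image) == acquisition_hashes


def demo() -> dict:
    # Constructed "evidence drive": one line of text plus repeating filler bytes.
    device = io.BytesIO(b"invoice.xls deleted 2009-03-01\n" + bytes(range(256)) * 600)

    # Two images are taken (the article suggests two to five), each verified on its own.
    image_a, image_b = io.BytesIO(), io.BytesIO()
    hashes_a = acquire_image(device, image_a)
    hashes_b = acquire_image(device, image_b)

    # A working copy with a single flipped bit at offset 100 must fail verification.
    tampered = io.BytesIO(image_a.getvalue())
    tampered.seek(100)
    tampered.write(bytes([image_a.getvalue()[100] ^ 0x01]))

    return {
        "source": hash_stream(device),
        "image_a": hashes_a,
        "image_b": hashes_b,
        "image_a_ok": verify_image(image_a, hashes_a),
        "image_b_ok": verify_image(image_b, hashes_b),
        "tampered_ok": verify_image(tampered, hashes_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The source hash and both image hashes come out identical, both images verify, and the tampered copy does not; the hash values printed are what goes into the chain-of-custody record alongside the item identifiers.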