Guide To Digital Forensics

Computer forensics, or digital forensics, is a term in computer science for obtaining legal evidence found in digital media or computer storage. Through a digital forensic investigation, the investigator can discover what happened to digital media such as emails, hard disks, logs, computer systems, and the network itself. In many cases, a forensic investigation can show how the crime occurred and how we can protect ourselves against it next time.

Some of the reasons why we need to conduct a forensic investigation:

1. To collect evidence so that it can be used in court to solve legal cases.

2. To investigate the strength of our network, and to fill the security gaps with patches and fixes.

3. To recover deleted files or any data in the event of hardware or software failure.

In computer forensics, the most important things to remember when conducting an investigation are:

1. The original evidence must not be altered in any way; to conduct the process, the forensic investigator must make a bit-stream image. A bit-stream image is a bit-by-bit copy of the original storage medium and an exact copy of the original media. The difference between a bit-stream image and a normal copy of the original storage is that the bit-stream image includes the slack space within the storage. You will not find any slack space data on a normal copy of the media.

2. All forensic processes must follow the laws of the country where the crime happened. Every country has different legislation covering the IT field. Some take IT rules very seriously, for example the United Kingdom and Australia.

3. All forensic processes can only be conducted after the investigator has a search warrant.

Forensic investigators usually look at the timeline of how the crime happened, in chronological order. With that, we can reconstruct the crime scene: how, when, what and why the crime may have happened. In a large company, it is suggested to create a Digital Forensic Team or First Responder Team, so that the company can preserve the evidence until the forensic investigator arrives at the crime scene.

First incident response guidelines are:

1. Under no circumstances should anyone except the Forensic Analyst make any attempt to recover data from any computer system or device that holds electronic information.

2. Any attempt to retrieve the data by a person other than the one stated in number 1 must be prevented, because it may compromise the integrity of the evidence, which would then become inadmissible in a court of law.

Based on those rules, the important role of having a First Responder Team in a company is already clear. An unqualified person can only secure the perimeter so that nobody can touch the crime scene until the Forensic Analyst has arrived. (This can be done by taking photographs of the crime scene. They can also make notes about the scene and who was present at that time.)

Steps to be taken, in a professional manner, when a digital crime has occurred:

1. Secure the crime scene until the forensic analyst arrives.

2. The Forensic Analyst must request a search warrant from the local authorities or the company's management.

3. The Forensic Analyst may take a picture of the crime scene if no images have been taken yet.

4. If the computer is still powered on, do not turn it off. Instead, use forensic tools such as Helix to collect data that can only be found while the computer is still powered on, such as the contents of RAM and the registry. Such tools are specially designed not to write anything back to the system, so its integrity stays intact.

5. Once all live evidence is collected, the Forensic Analyst can turn off the computer and take the hard disk back to the forensic lab.

6. All the evidence must be documented, for which a chain of custody is used. The chain of custody keeps records on the evidence, such as who last had the evidence.

7. Securing the evidence should be accompanied by a legal officer, such as the police, as a formality.

8. Back in the lab, the Forensic Analyst uses the evidence to create a bit-stream image, as the original evidence must not be used. Usually, the Forensic Analyst will create 2-5 bit-stream images in case one image is corrupted. Of course, the chain of custody is still used in this situation to keep records of the evidence.

9. A hash of the original evidence and of the bit-stream image is created. This acts as proof that the original evidence and the bit-stream image are exact copies. Any alteration of the bit-stream image will lead to a different hash, which would make the evidence found inadmissible in court.

10. The Forensic Analyst starts to search for evidence in the bit-stream image by carefully looking at the relevant locations, which depend on what kind of crime has happened. For example: Temporary Internet Files, Slack Space, Deleted Files, Steganography files.
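As an added illustration of steps 8 and 9 (example code, not part of this guide): a Python script that images a constructed sample "drive" bit-for-bit with the source opened read-only, hashes both the original and the image with SHA-256, records the acquisition as a chain-of-custody entry, and shows that flipping a single bit in the image breaks the match with the original. The block size, file names and evidence ID are hypothetical.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 4096  # copy and hash in fixed-size blocks, like `dd bs=4096` (hypothetical size)


def sha256_file(path):
    """Stream a file through SHA-256 so a large image never has to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image):
    """Bit-for-bit copy of `source` into `image`; the source is opened read-only.
    Returns (hash of the source as read, hash of the image re-read from disk)."""
    src_hash = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK), b""):
            src_hash.update(chunk)
            dst.write(chunk)
    return src_hash.hexdigest(), sha256_file(image)


def custody_record(evidence_id, action, handler, digest):
    """One chain-of-custody entry: which item, what was done, by whom, when, and its hash."""
    return {"evidence": evidence_id, "action": action, "handler": handler,
            "sha256": digest, "time": datetime.now(timezone.utc).isoformat()}


def demo():
    """Constructed sample: a tiny 'drive' holding a live file plus leftovers in slack space."""
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "evidence.raw")
    image = os.path.join(workdir, "evidence.dd")
    with open(original, "wb") as f:
        f.write(b"FILE:report.txt\nquarterly numbers\n" + b"\x00" * 500)
        f.write(b"[deleted] secret.txt remnant in slack" + b"\x00" * 3500)
    src_digest, img_digest = acquire_image(original, image)
    log = [custody_record("HD-001", "bit-stream image created", "analyst A", img_digest)]
    # Flip one bit in the working copy: its hash no longer matches the original.
    with open(image, "r+b") as f:
        f.seek(10)
        byte = f.read(1)[0]
        f.seek(10)
        f.write(bytes([byte ^ 0x01]))
    return src_digest == img_digest, sha256_file(image) == src_digest, log
```

In practice the same hashes are written into the chain-of-custody record for the original drive and for every working image, so any later mismatch can be traced to a specific handling step.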