Computer forensics, or digital forensics, is the branch of computer science concerned with obtaining legally admissible evidence from digital media and computer storage. Through a digital forensic investigation, the investigator can establish what happened on the digital media involved, such as emails, hard disks, logs, computer systems, and the network itself. In many cases, a forensic investigation can reconstruct how the crime was carried out and show how we can protect ourselves against it next time.
Some reasons why we need to conduct a forensic investigation:
1. To collect evidence so that it can be used in court to resolve legal cases.
2. To examine the strength of our network, and to close the security gaps with patches and fixes.
3. To recover deleted files, or any files, in the event of hardware or software failure.
In computer forensics, the most important points to remember when conducting an investigation are:
1. The original evidence must not be altered in any way. To work on the evidence, the forensic investigator must make a bit-stream image. A bit-stream image is a bit-by-bit copy of the original storage medium and an exact copy of the original media. The difference between a bit-stream image and a normal copy of the original storage is that the bit-stream image includes the slack space in the storage. You will not find any slack-space information on a copied medium.
2. All forensic processes must comply with the laws of the country where the crime happened. Every country has different legislation covering the IT field. Some take IT law very seriously, for example the United Kingdom and Australia.
3. All forensic processes can only be carried out after the investigator has obtained a search warrant.
Forensic investigators usually look at the timeline of how the crime happened, in chronological order. With that, we can reconstruct the crime scene: how, when, what and why the crime happened. In a large company, it is advisable to create a Digital Forensic Team or First Responder Team, so that the company can preserve the evidence until the forensic investigator arrives at the crime scene.
The First Response rules are:
1. Under no circumstances should anybody other than a Forensic Analyst attempt to recover data from any computer system or device that holds electronic information.
2. Any attempt to retrieve the data by the individuals mentioned in rule 1 must be avoided, as it may compromise the integrity of the evidence, which would then become inadmissible in court.
These rules explain the important role of having a First Responder Team in a company. Unqualified personnel can only secure the perimeter so that no one touches the crime scene until the Forensic Analyst arrives (this can include photographing the crime scene; they can also make notes about the scene and who was present at the time).
The steps to be taken, in a professional manner, when a digital crime has happened are:
1. Secure the crime scene until the forensic analyst arrives.
2. The Forensic Analyst must request a search warrant from the local authorities or the company's management.
3. The Forensic Analyst may take pictures of the crime scene if none have been taken.
4. If the computer is still powered on, do not turn it off. Instead, use a forensic tool such as Helix to collect data that can only be found while the computer is still powered on, such as data in RAM and the registry. Such tools are specifically designed not to write anything back to the system, so the integrity of the evidence stays intact.
5. Once all live evidence is collected, the Forensic Analyst can turn off the computer and take the hard disk back to the forensic lab.
6. All evidence must be documented, for which a chain of custody is used. The Chain of Custody keeps records about the evidence, such as who last had possession of it.
7. Securing the evidence should be accompanied by a legal officer, such as the police, as a formality.
8. Back in the lab, the Forensic Analyst takes the evidence and creates a bit-stream image, since the original evidence must not be worked on. Usually, the Forensic Analyst will create 2-5 bit-stream images in case one image is corrupted. The Chain of Custody is of course still used in this situation to keep records of the evidence.
9. A hash of the original evidence and of the bit-stream image is created. This serves as proof that the bit-stream image is an exact copy of the original evidence. Any alteration of the bit-stream image will result in a different hash, which would make the evidence found inadmissible in court.
10. The Forensic Analyst begins to search for evidence in the bit-stream image by carefully examining the relevant locations, which depend on what kind of crime has happened, for example: Temporary Internet Files, slack space, deleted files, steganography files.
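Steps 8 and 9 (imaging, hashing original and image, and detecting alteration) as an added Python example; this is not code from the original article. It hashes the source while copying it byte for byte, re-hashes the image, and shows that changing a single byte of the image breaks verification. The "seized drive" is a constructed temporary file standing in for a real device node.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so multi-GB media do not fill memory


def hash_file(path, algo="sha256"):
    """Hash a file chunk by chunk; works the same on a regular file or a device node."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def make_image(source, image_path):
    """Bit-for-bit copy of `source` to `image_path`, hashing the source as it is read.
    Returns (source_hash, image_hash); they must agree before the image is used."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    return h.hexdigest(), hash_file(image_path)


def verify_image(image_path, expected_hash):
    """Re-hash an image before analysis; any altered byte yields a different digest."""
    return hash_file(image_path) == expected_hash


def demo():
    # Constructed stand-in for a seized drive (an assumption for this example).
    tmp = tempfile.mkdtemp()
    evidence = os.path.join(tmp, "evidence.bin")
    image = os.path.join(tmp, "evidence.dd")
    with open(evidence, "wb") as f:
        f.write(b"seized-drive-contents\n" + b"\x00" * 4096)
    src_hash, img_hash = make_image(evidence, image)
    ok_before = verify_image(image, src_hash)
    # Simulate tampering with the working copy: overwrite one byte of the image.
    with open(image, "r+b") as f:
        f.seek(5)
        f.write(b"X")
    ok_after = verify_image(image, src_hash)
    return src_hash == img_hash, ok_before, ok_after  # (True, True, False)
```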