Computer forensics, or digital forensics, is the branch of computer science concerned with acquiring legally admissible evidence from digital media and computer storage. Through a digital forensic investigation the investigator can reconstruct what happened to digital media such as emails, hard disks, logs, computer systems, and the network itself. In many cases a forensic investigation can show how the crime occurred and how we can protect ourselves against it next time.
Some of the reasons why we need to conduct a forensic investigation: 1. To collect evidence so that it can be used in court to resolve legal cases. 2. To assess the strength of our network, and to close security holes with patches and fixes. 3. To recover deleted files or any other data in the event of hardware or software failure.
In computer forensics, the most important things to remember when conducting an investigation are:
1. The original evidence must not be altered in any way; to conduct the investigation, the forensic investigator must make a bit-stream image. A bit-stream image is a bit-by-bit copy of the original storage medium, an exact duplicate of the original media. The difference between a bit-stream image and a normal copy of the original storage is that the bit-stream image also captures the slack space (the unused tail of the last cluster of each file) and the unallocated space where deleted files still reside. You will not find slack-space data on a file-level copy.
2. All forensic processes must comply with the laws of the country where the crime happened. Each country has different legislation for the IT field; some take IT rules very seriously, for example the United Kingdom and Australia.
3. All forensic processes may only be conducted after the investigator has obtained a search warrant or equivalent legal authorization.
Forensic investigators normally look at the timeline of how the crime happened. With that, we can reconstruct the crime scene: how, when, what and why the crime may have happened. In a large company it is advisable to create a Digital Forensic Team or First Responder Team, so that the company can preserve the evidence until the forensic investigator arrives at the crime scene.
First Response guidelines are: 1. Under no circumstances should anyone other than a Forensic Analyst attempt to recover information from any computer system or device that holds digital information. 2. Any attempt to retrieve the data by the individuals mentioned in point 1 must be prevented, as it may compromise the integrity of the evidence, which would then become inadmissible in court.
These guidelines already explain the vital role of a First Responder Team in a company. Unqualified individuals can only secure the perimeter so that no one touches the crime scene until the Forensic Analyst arrives. This can be done by taking pictures of the crime scene; they can also make notes about the scene and about who was present at the time.
The steps to be taken, in a professional manner, when a digital crime occurs: 1. Secure the crime scene until the forensic analyst arrives.
2. The Forensic Analyst should request the search warrant from the local authorities or from the company's management.
3. The Forensic Analyst may take pictures of the crime scene if no pictures have been taken yet.
4. If the computer is still powered on, do not turn it off. Instead, use a forensic tool such as Helix to collect information that can only be found while the computer is still powered on, such as the contents of RAM (running processes, open network connections) and the registry. Such tools are designed not to write anything back to the system, so that the integrity of the evidence stays intact.
5. Once all live evidence has been collected, the Forensic Analyst can turn off the computer and take the hard disk back to the forensic lab.
6. All evidence must be documented, for which a chain of custody is used. The Chain of Custody holds records about the evidence, such as who handled it, when, and for what purpose, and who last held it.
7. Securing the evidence should be accompanied by a legal officer, such as a police officer, as a formality.
8. Back in the lab, the Forensic Analyst uses the evidence to create bit-stream images, since the original evidence must not be worked on directly (the original is connected through a write blocker so that nothing can be written to it). Usually the Forensic Analyst will create 2 to 5 bit-stream images in case one image becomes corrupted. The Chain of Custody is of course still maintained in this scenario to keep track of the evidence.
9. A hash of the original evidence and of each bit-stream image is computed. Matching hashes prove that the bit-stream image is an exact copy of the original. Any alteration of the image will produce a different hash, which would make the evidence found on it inadmissible in court. Use a collision-resistant hash such as SHA-256; MD5 and SHA-1 are no longer suitable for proving integrity against an adversary who can craft collisions.
10. The Forensic Analyst starts to look for evidence in the bit-stream image by carefully examining the locations that correspond to the kind of crime that has happened, for example: Temporary Internet Files, slack space, deleted files, steganography files.
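As an added example, not code from the original article, the following Python script models steps 8 and 9 above together with the slack-space point from the first principle: it images a constructed in-memory "disk" sector by sector, hashes the source and the resulting image, shows that a plain file copy misses what sits in slack space, and keeps a minimal chain-of-custody log whose recorded hash detects later tampering. The device layout, the remnant string, the evidence labels and the handler names are all invented for illustration.

```python
"""Bit-stream imaging, hash verification and a chain-of-custody log.

Added example, not part of the original article. The "disk" below is a
constructed in-memory byte string standing in for a small storage device;
its sector size, file layout and slack-space remnant are invented.
"""
import hashlib
import io
from datetime import datetime, timezone

SECTOR = 512  # assumed sector size of the constructed device
LIVE_FILE = b"quarterly report: all figures nominal\n"  # constructed live file
DELETED_REMNANT = b"TRANSFER 48,000 to acct 7781"        # constructed remnant


def build_sample_disk() -> bytes:
    """Constructed device: sector 0 holds LIVE_FILE, which fills only part of
    the sector. The rest of that sector (slack space) still contains bytes
    from an earlier, deleted file. Sector 1 is unallocated."""
    sector0 = (LIVE_FILE + b"\x00" * 200 + DELETED_REMNANT).ljust(SECTOR, b"\x00")
    sector1 = b"\xff" * SECTOR
    return sector0 + sector1


def logical_copy(disk: bytes, file_len: int) -> bytes:
    """What a normal file copy captures: only the allocated bytes of the file."""
    return disk[:file_len]


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def bit_stream_image(src, dst, chunk_size: int = SECTOR):
    """Copy every byte from src to dst one sector at a time, hashing the source
    as it is read, then re-read the written image and hash that too. Returns
    (source_sha256, image_sha256); the two must match for a good image."""
    h_src = hashlib.sha256()
    for chunk in iter(lambda: src.read(chunk_size), b""):
        h_src.update(chunk)
        dst.write(chunk)
    dst.seek(0)  # hash what actually landed on the destination, not what we meant to write
    h_img = hashlib.sha256()
    for chunk in iter(lambda: dst.read(chunk_size), b""):
        h_img.update(chunk)
    return h_src.hexdigest(), h_img.hexdigest()


class ChainOfCustody:
    """Append-only log of who handled which evidence item, when, and its hash."""

    def __init__(self):
        self.entries = []

    def record(self, item: str, action: str, handler: str, digest: str) -> None:
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "item": item, "action": action, "handler": handler, "sha256": digest,
        })

    def verify(self, item: str, data: bytes) -> bool:
        """An item is intact only if its current hash equals the hash recorded
        at acquisition; any alteration, even a single bit, yields a mismatch."""
        first = next(e for e in self.entries if e["item"] == item)
        return sha256_of(data) == first["sha256"]


def run_acquisition():
    """Image the constructed disk, verify it, and log both steps.
    Returns (disk, image_bytes, source_hash, image_hash, chain_of_custody)."""
    disk = build_sample_disk()
    image = io.BytesIO()
    src_hash, img_hash = bit_stream_image(io.BytesIO(disk), image)
    coc = ChainOfCustody()  # labels and handler are hypothetical
    coc.record("HDD-001", "acquired bit-stream image", "analyst A", src_hash)
    coc.record("HDD-001-img1", "image hash verified against original", "analyst A", img_hash)
    return disk, image.getvalue(), src_hash, img_hash, coc


if __name__ == "__main__":
    disk, img, h1, h2, coc = run_acquisition()
    print("source sha256:", h1)
    print("image  sha256:", h2, "(match)" if h1 == h2 else "(MISMATCH)")
    print("remnant in logical copy:", DELETED_REMNANT in logical_copy(disk, len(LIVE_FILE)))
    print("remnant in bit-stream image:", DELETED_REMNANT in img)
    tampered = bytearray(img)
    tampered[0] ^= 1
    print("tampered image passes verification:", coc.verify("HDD-001", bytes(tampered)))
```

In a real acquisition `src` would be the block device opened read-only behind a write blocker and `dst` a file on analyst-controlled storage; the hashing pattern is the same, and the point of re-reading the destination is that it is the written image, not the intended bytes, that must match the original.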