Computer forensics or digital forensics is a term in computer science for obtaining legal evidence found in digital media or computer storage. With a digital forensic investigation, the investigator can discover what happened to the digital media, such as emails, hard disks, logs, the computer system, and the network itself. In many cases, a forensic investigation can reveal how the crime may have occurred and how we can protect ourselves against it next time.
Some reasons why we have to conduct a forensic investigation:
1. To gather evidence so that it can be used in court to solve legal cases.
2. To analyze our network strength, and to fill the security holes with patches and fixes.
3. To recover deleted files, or any files, in the event of hardware or software failure.
In computer forensics, the most important issues that must be remembered when conducting the investigation are:
1. The original evidence must not be altered in any way, and to conduct the process the forensic investigator must make a bit-stream image. A bit-stream image is a bit-by-bit copy of the original storage medium and an exact copy of the original media. The difference between a bit-stream image and a regular copy of the original storage is that the bit-stream image includes the slack space of the storage. You will not find any slack space data on a copied media.
2. All forensic processes must follow the applicable laws of the country where the crime happened. Each country has different regulations in the IT field. Some take IT rules very seriously, for instance: United Kingdom, Australia.
3. All forensic processes can only be conducted after the investigator has the search warrant.
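To make the slack-space point in item 1 concrete, here is an added example (not code from the article) that builds a constructed in-memory "disk" with a toy allocation table and compares what an ordinary file copy recovers with what a byte-for-byte image recovers. The cluster size, the file names and the leftover data are all assumptions chosen to make the effect visible; nothing here reads a real device.

```python
CLUSTER_SIZE = 512  # assumed allocation unit of the toy file system (not from the article)


def build_disk():
    """Construct a two-cluster toy disk (constructed data, not a real device).

    Cluster 0 stands in for the metadata area. Cluster 1 first held a larger
    file that was later deleted; a smaller file was then written at the start
    of the same cluster. The bytes of the old file between the end of the new
    file and the end of the cluster are the file slack.
    """
    disk = bytearray(CLUSTER_SIZE * 2)
    old_file = b"CONFIDENTIAL: old payroll export 2023-11\n" * 10   # constructed remnant
    disk[CLUSTER_SIZE:CLUSTER_SIZE + len(old_file)] = old_file
    new_file = b"hello world, this is the current file\n"            # constructed live file
    disk[CLUSTER_SIZE:CLUSTER_SIZE + len(new_file)] = new_file
    # Toy directory: name -> (first cluster, logical size in bytes)
    directory = {"notes.txt": (1, len(new_file))}
    return bytes(disk), directory


def logical_copy(disk, directory, name):
    """What an ordinary file copy recovers: only the file's logical size."""
    cluster, size = directory[name]
    start = cluster * CLUSTER_SIZE
    return disk[start:start + size]


def bit_stream_image(disk):
    """What a forensic imager recovers: every byte of every sector, whether
    the file system considers it allocated or not."""
    return bytes(disk)


def slack_space(disk, directory, name):
    """Bytes between the end of the file and the end of its last cluster."""
    cluster, size = directory[name]
    start = cluster * CLUSTER_SIZE
    return disk[start + size:start + CLUSTER_SIZE]


def contains_remnant(data, needle=b"CONFIDENTIAL"):
    """True if the deleted file's marker survives anywhere in `data`."""
    return needle in data


if __name__ == "__main__":
    disk, directory = build_disk()
    print("logical copy keeps remnant?  ", contains_remnant(logical_copy(disk, directory, "notes.txt")))
    print("bit-stream image keeps remnant?", contains_remnant(bit_stream_image(disk)))
    print("slack bytes in notes.txt:", len(slack_space(disk, directory, "notes.txt")))
```

The logical copy is 38 bytes and contains nothing of the old file; the image is the full 1024 bytes and the old content is still readable in the 474 bytes of slack after `notes.txt`. Real file systems add end-of-file sector padding, unallocated clusters and more, but the principle is the same: only a copy taken below the file system keeps those bytes.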
Forensic investigators usually look at the timeline of how the crime occurred, in a timely manner. With that, we can reconstruct the crime scene: how, when, what and why the crime may have happened. In a big company, it is suggested to create a Digital Forensic Team or First Responder Group, so that the company can still preserve the evidence until the forensic investigator arrives at the crime scene.
First Response rules are:
1. Under no circumstances should anyone, except the Forensic Analyst, make any attempt to recover data from any computer system or device that holds digital information.
2. Any attempt to retrieve the data by the individuals described in rule 1 should be avoided, as it may compromise the integrity of the evidence, which would then become inadmissible in a court of law.
Those rules already explain the important role of having a First Responder Group in a company. An unqualified person can only secure the perimeter so that no one can touch the crime scene until the Forensic Analyst has arrived. This can be done by taking pictures of the crime scene. They can also make notes about the scene and who was present at that time.
Steps that must be taken when a digital crime occurs, in a professional way:
1. Secure the crime scene until the forensic analyst arrives.
2. The Forensic Analyst must request the search warrant from the local authorities or the company's management.
3. The Forensic Analyst may take pictures of the crime scene if no photos have been taken yet.
4. If the computer is still powered on, do not turn it off. Instead, use forensic tools such as Helix to get information that can only be found while the computer is still powered on, such as the contents of RAM and the registry. Such tools have a special function so as not to write anything back to the system, so the integrity stays intact.
5. Once all live evidence is collected, the Forensic Analyst can turn off the computer and take the hard disk back to the forensic lab.
6. All the evidence has to be documented, for which the chain of custody is used. The Chain of Custody holds records about the evidence, such as: who had the evidence last.
7. Securing the evidence must be accompanied by a legal officer such as the police, as a formality.
8. Back in the lab, the Forensic Analyst takes the evidence to create a bit-stream image, as the original evidence must not be used. Normally, the Forensic Analyst will create 2-5 bit-stream images in case one image is corrupted. Of course the Chain of Custody is still used in this scenario to maintain records of the evidence.
9. A hash of the original evidence and of the bit-stream image is created. This acts as proof that the original evidence and the bit-stream image are exact copies. Any alteration to the bit-stream image will result in a different hash, which makes the evidence found in it inadmissible in court.
10. The Forensic Analyst starts to find evidence in the bit-stream image by carefully looking at the corresponding locations, depending on what kind of crime has happened. For example: Temporary Internet Files, Slack Space, Deleted Files, Steganography files.
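Steps 6, 8 and 9 above (chain of custody, 2-5 bit-stream images, and hash verification) fit together in one small workflow. The following is an added example, not code from the article: it hashes a constructed block of "evidence" bytes, makes several images, records who handled the item in an append-only custody log, and shows how a single flipped bit in one image is caught by comparing hashes. SHA-256 is assumed as the hash; the evidence bytes, the handler names and the timestamps are constructed placeholders.

```python
import hashlib
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string (SHA-256 is an assumption; any strong hash works)."""
    return hashlib.sha256(data).hexdigest()


class ChainOfCustody:
    """Append-only log of who handled an evidence item, when, and what its
    hash was at that moment. Entries are never edited, only added."""

    def __init__(self):
        self.entries = []

    def record(self, item, action, handler, data, when=None):
        when = when or datetime.now(timezone.utc)
        self.entries.append({
            "item": item,
            "action": action,
            "handler": handler,
            "sha256": sha256_hex(data),
            "time": when.isoformat(),
        })

    def last_handler(self, item):
        """Who had the item most recently: the question the article says the record answers."""
        for entry in reversed(self.entries):
            if entry["item"] == item:
                return entry["handler"]
        return None


def make_images(original: bytes, count: int):
    """Produce `count` bit-stream images of the original (the article suggests 2-5)."""
    if not 2 <= count <= 5:
        raise ValueError("expected between 2 and 5 images")
    return [bytes(original) for _ in range(count)]


def verify_images(original: bytes, images):
    """One boolean per image: does its hash match the original evidence?"""
    reference = sha256_hex(original)
    return [sha256_hex(image) == reference for image in images]


def run_case():
    """Walk through seizure, imaging, verification and a detected alteration.
    Evidence bytes, names and timestamps below are constructed placeholders."""
    original = b"\xEB\x3C\x90MSDOS5.0" + b"\x00" * 500 + b"deleted: secret memo" + b"\x00" * 200
    log = ChainOfCustody()
    t0 = datetime(2024, 1, 5, 9, 0, tzinfo=timezone.utc)
    log.record("HDD-001", "seized at scene", "Officer A (placeholder)", original, t0)
    images = make_images(original, 3)
    log.record("HDD-001", "imaged x3 in lab", "Analyst B (placeholder)", original, t0.replace(hour=14))
    before = verify_images(original, images)
    # Simulate one image being corrupted in storage: flip a single bit.
    damaged = bytearray(images[1])
    damaged[600] ^= 0x01
    images[1] = bytes(damaged)
    after = verify_images(original, images)
    return {
        "before": before,
        "after": after,
        "last_handler": log.last_handler("HDD-001"),
        "entries": len(log.entries),
    }


if __name__ == "__main__":
    print(run_case())
```

Before the corruption all three images verify; afterwards the damaged one fails while the other two still match the original, which is exactly why the article recommends more than one image. Each custody entry carries the hash at the time of handling, so a later mismatch can be tied to the hand-off after which it appeared.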