30-09-2016, 10:22 AM
Attachment: 1456939803-Computerforensicsanddigitalforensicslifecycle.pdf
Computer forensics
Forensics refers to the use of scientific or technological techniques to
conduct an investigation or establish facts in a criminal case.
Computer forensics is defined as the application of computer
investigation and analysis techniques in the interests of determining potential
evidence. The field of computer forensics involves identifying, extracting,
documenting, and preserving information that is stored or transmitted in
electronic or magnetic form. Like fingerprints, digital evidence can be visible or
it can be latent. An important aspect of computer forensics involves finding
and evaluating this “hidden data” for its evidentiary value.
Computer forensics standards have been developed that apply to the
collection and preservation of digital evidence, which differs in nature from
most other types of evidence and thus requires different methods of handling.
Proper handling according to these standards comes into play at two different points in a trial:
1. If evidence is not collected and handled according to the proper standards, the judge may deem the evidence inadmissible when it is presented, and the jury members will never get a chance to evaluate it or consider it in making their decision.
2. If the evidence is admitted, the opposing attorney will attack its credibility during questioning of the witnesses who testify regarding it. Such an attack can create doubt in jury members’ minds that will cause them to disregard the evidence in making their decision—and perhaps even taint the credibility of the entire case.
Many legal experts consider digital evidence to be more demonstrative
than documentary, because the field of computer forensics basically concerns
itself with reconstructing the crime scene. However, this view could vary
depending on the type of digital evidence associated with a particular crime.
Most computer forensics organizations and experts agree on some basic standards regarding the handling of digital evidence, which can be summarized as follows:
1. The original evidence should be preserved in a state as close as possible to the state it was in when found.
2. If at all possible, an exact copy (image) of the original should be made to be used for examination, so as not to damage the integrity of the original.
3. Copies of data made for examination should be made on media that is forensically sterile—that is, there must be no pre-existing data on the disk or other media; it should be completely “clean” and checked for freedom from viruses and defects.
4. All evidence should be properly tagged and documented and the chain of custody preserved, and each step of the forensic examination should be documented in detail.
Computer forensics specialists must have a strong background in computer
technology with an understanding of how disks are structured, how file
systems work, and how and where data is recorded.
Computer Forensics Resources
Computer forensics is a relatively young field. However, standards are quickly evolving and a large number of resources are available to aspiring computer forensics experts. Cybercrime investigators who want to expand their knowledge, corporate IT personnel who are interested in specializing in this area, and crime scene technicians who want to learn to deal with digital evidence will all find a plethora of training programs, equipment, and software available.
Computer Forensics Equipment and Software
The following types of equipment can be useful to investigators and forensics technicians:
1. Imaging equipment
2. Forensic workstations
3. Forensic software
Computer forensics is a field that is not only growing fast but changing fast
as well. New techniques and technologies are being developed and proven all
the time, and it’s important that investigators keep up with the latest news in
the field.
Computer forensics is concerned as much with complying with the law and
following prescribed procedures for evidence collection as with the technical
aspects of collecting digital evidence.
Digital forensic process
The digital forensic process is a recognised scientific and forensic
process used in digital forensics investigations.
Forensics researcher Eoghan Casey defines it as a number of steps from the original incident alert through to reporting of findings. The process is predominantly used in computer and mobile forensic investigations and consists of three steps:
1. Acquisition
2. Analysis
3. Reporting
In the digital forensic laboratory, forensic workstations are customized computer systems that contain the equipment necessary for analysis of suspect computers.
In addition to standard PC components such as motherboards, hard
drives, and memory, forensic workstations may include:
1. Disk duplicators
2. Disk erasers
3. Write-blockers
To avoid the possibility of data contamination, digital forensic
workstations are typically not connected to the Internet or any computer
outside of the laboratory’s secure network. Under no circumstances should
peer-to-peer file sharing applications be allowed on the same network as the
forensic workstation.
Software used in digital forensic analysis comes in two varieties:
1. Commercial software
2. Open-source software
In either case, the software is typically used for copying data from a
suspect’s disk drive to an image file, and then analyzing the data without
making any changes to the original source.
A comprehensive digital forensic examination suite may include programs such as:
1. E-mail Examiner
2. Network E-mail Examiner
3. Forensic Sorter
4. Chat Examiner
5. Advanced Registry & System Analyzer
6. Text Searcher
The digital forensic investigation may reveal evidence that is interesting
but irrelevant.
A skilled digital forensic investigator can often trace and neutralize these
threats without the involvement of law enforcement.
The digital forensic investigator must maintain absolute objectivity.
Digital forensic Lifecycle
Collection
Identify, isolate, label, record, and collect the data and physical evidence
related to the incident being investigated, while establishing and maintaining
integrity of the evidence through chain-of-custody.
Examination
Identify and extract the relevant information from the collected data,
using appropriate forensic tools and techniques, while continuing to maintain
integrity of the evidence.
Analysis
Analyze the results of the examination to generate useful answers to the
questions presented in the previous phases.
The case is typically “solved” in this phase.
Reporting
Report the results of the analysis, including:
1. Findings relevant to the case
2. Actions that were performed
3. Actions left to be performed
4. Recommended improvements to procedures and tools
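The handling standards above (preserve the original, examine an exact image, keep the chain of custody) and the Collection and Examination phases of the lifecycle can be exercised end to end. The following is an added example, not code from the original post or the PDF; it uses a constructed byte string as the "suspect disk" and a temporary directory as the sterile destination, and the examiner name is a placeholder.

```python
"""Imaging with integrity verification and a chain-of-custody log (added example, not from the post).
The 'suspect disk' is a constructed byte string written to a temp file; a real acquisition
would read the device through a write-blocker."""
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def log_entry(log: list, action: str, examiner: str, digest: str) -> None:
    """Append one chain-of-custody record: when, what, who, and the hash observed."""
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    log.append({"time": stamp, "action": action, "examiner": examiner, "sha256": digest})

def acquire_and_verify(source: Path, image: Path, examiner: str) -> dict:
    """Collection phase: image the source, then prove the image matches and the source is unchanged."""
    log = []
    before = sha256_file(source)                 # hash the original as found
    log_entry(log, "hash original before imaging", examiner, before)
    shutil.copyfile(source, image)               # bit-for-bit copy to sterile media
    image_hash = sha256_file(image)
    log_entry(log, "create image and hash it", examiner, image_hash)
    after = sha256_file(source)                  # original must be untouched by imaging
    log_entry(log, "re-hash original after imaging", examiner, after)
    verified = before == image_hash == after
    return {"verified": verified, "sha256": before, "chain_of_custody": log}

def verify_before_examination(image: Path, expected_sha256: str) -> bool:
    """Examination phase: refuse to analyze an image whose hash no longer matches the record."""
    return sha256_file(image) == expected_sha256

def demo() -> dict:
    """Run the workflow on a constructed 'disk' (sample data, not real evidence)."""
    workdir = Path(tempfile.mkdtemp())
    source, image = workdir / "suspect_disk.bin", workdir / "suspect_disk.img"
    source.write_bytes(b"MBR\x55\xaa" + bytes(range(256)) * 64)  # constructed sample content
    result = acquire_and_verify(source, image, examiner="Examiner A (placeholder)")
    result["ok_to_examine"] = verify_before_examination(image, result["sha256"])
    image.write_bytes(image.read_bytes() + b"\x00")  # simulate the image being altered later
    result["tamper_detected"] = not verify_before_examination(image, result["sha256"])
    return result
```

Every hash is recorded with a UTC timestamp and the examiner's name, so the log doubles as the documentation the reporting phase needs for "actions that were performed".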