Computer forensics, or digital forensics, is the discipline within computer science of acquiring legally admissible evidence from digital media and computer storage. Through a digital forensic investigation, the investigator can determine what happened on the digital media involved, such as emails, hard disks, logs, computer systems, and the network itself. In many cases, a forensic investigation can establish how the crime happened and how we can protect ourselves against it next time.
Some reasons why we need to conduct a forensic investigation:
1. To gather evidence so that it can be used in court to resolve legal cases.
2. To analyze our network's weaknesses, and to close the security holes with patches and fixes.
3. To recover deleted files, or any files, in the event of hardware or software failure.
In computer forensics, the most important points to remember when conducting an investigation are:
1. The original evidence must not be altered in any way. To conduct the examination, the forensic investigator should make a bit-stream image. A bit-stream image is a bit-for-bit copy of the original storage medium, an exact duplicate of the original media. The difference between a bit-stream image and a normal file-level copy of the original storage is that the bit-stream image also captures the slack space (the unused tail of each allocated cluster) and the unallocated areas of the medium, where remnants of deleted or overwritten files can still be found. You will not find any slack-space information on a normally copied medium.
2. All forensic processes must follow the laws of the country where the crime occurred. Each country has different legislation in the IT field; some take IT law very seriously, for example the United Kingdom and Australia.
3. All forensic processes can only be carried out after the investigator has obtained the search warrant.
Forensic investigators usually look at the timeline of how the crime happened, in chronological order. From that, we can reconstruct the crime scene: how, when, what and why the crime may have happened. In a large company, it is advisable to create a Digital Forensic Team or First Responder Team, so that the company can still preserve the evidence until the forensic investigator arrives at the crime scene.
The First Response rules are:
1. Under no circumstances should anyone other than the Forensic Analyst attempt to recover data from any computer system or device that holds electronic information.
2. Any attempt to retrieve the data by the persons mentioned in rule 1 must be prevented, because it could compromise the integrity of the evidence, which would then become inadmissible in court.
These rules already define the necessary role of a First Responder Team in a company. Unqualified personnel may only secure the perimeter so that nobody can touch the crime scene until the Forensic Analyst arrives. (This can be done by taking pictures of the crime scene. They can also make notes about the scene and who was present at that time.)
The steps that should be taken, in a professional manner, when a digital crime occurs are:
1. Secure the crime scene until the forensic analyst arrives.
2. The Forensic Analyst must request a search warrant from the local authorities, or authorization from the company's management.
3. The Forensic Analyst may take pictures of the crime scene, in case no photographs have been taken yet.
4. If the computer is still powered on, do not turn it off. Instead, use forensic tools such as Helix to collect information that can only be found while the computer is still powered on, such as the contents of RAM and the registry. Such tools are specially designed not to write anything back to the system, so the integrity of the evidence stays intact. Even so, record exactly which tools were run and in what order, since any live collection unavoidably changes the state of the running system (the tool itself occupies memory), and that change must be explainable later.
5. Once all live evidence has been collected, the Forensic Analyst can power off the computer and take the hard disk back to the forensic lab.
6. All evidence must be documented using a chain of custody. The chain of custody maintains records about the evidence, such as who last had possession of it, when, and for what purpose.
7. Securing the evidence should be accompanied by an authorized officer, such as the police, as a formality.
8. Back in the lab, the Forensic Analyst takes the evidence and creates a bit-stream image, since the original evidence must not be worked on directly; the original disk should be attached through a write blocker while imaging so that nothing can be written to it. Normally, the Forensic Analyst will create 2-5 bit-stream images in case one image is corrupted. Of course, the chain of custody is still used in this scenario to keep records of the evidence.
9. A cryptographic hash of the original evidence and of each bit-stream image is computed. Matching hashes prove that the bit-stream image is an exact copy of the original. Any alteration of the image will produce a different hash, which would make the evidence discovered in it inadmissible in court.
10. The Forensic Analyst starts looking for evidence in the bit-stream image by carefully examining the locations that correspond to the kind of crime that has occurred. For example: Temporary Internet Files, slack space, deleted files, steganography files.
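The following added example (not code from the original article) walks through the lab part of the procedure above on a constructed miniature "disk": it makes a sector-by-sector bit-stream image, hashes the original and the image with SHA-256, records chain-of-custody entries, and shows why the bit-stream image, unlike a normal file copy, still contains slack space and a deleted file (the point made under "most important points" above). The sector and cluster sizes, the evidence ID "HDD-001", the handler names and all file contents are assumptions for illustration only.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

SECTOR = 512            # assumed sector size of the sample medium
CLUSTER = 4 * SECTOR    # assumed allocation unit (cluster) size

# Constructed sample data: a live file, leftovers of a file it overwrote, and a deleted file.
LIVE_FILE = b"quarterly report\n"
OLD_LEFTOVERS = b"DELETED: wire transfer to account 99-1234\n"
UNLINKED_FILE = b"old_invoice.txt: unlinked but not wiped\n"


def build_sample_medium() -> bytes:
    """Build a tiny two-cluster 'disk'. Cluster 0 is allocated to LIVE_FILE, which
    fills only part of the cluster; the rest (file slack) still holds bytes of the
    older file it overwrote. Cluster 1 is unallocated and holds a deleted file."""
    cluster0 = bytearray(OLD_LEFTOVERS.ljust(CLUSTER, b"\x00"))
    cluster0[:len(LIVE_FILE)] = LIVE_FILE          # new data overwrites only the start
    cluster1 = UNLINKED_FILE.ljust(CLUSTER, b"\x00")
    return bytes(cluster0) + cluster1


def logical_copy(medium: bytes) -> bytes:
    """What a normal file-level copy yields: only the allocated bytes of the live file."""
    return medium[:len(LIVE_FILE)]


def bitstream_image(src_path: str, dst_path: str, block_size: int = SECTOR) -> int:
    """Copy the medium sector by sector (the same idea as `dd bs=512`). Returns bytes copied."""
    copied = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for chunk in iter(lambda: src.read(block_size), b""):
            dst.write(chunk)
            copied += len(chunk)
    return copied


def sha256_file(path: str) -> str:
    """Hash a file in chunks so that large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def custody_entry(evidence_id: str, action: str, handler: str, digest: str) -> dict:
    """One chain-of-custody record: who did what to which item, when, and its hash at that moment."""
    return {
        "evidence_id": evidence_id,
        "action": action,
        "handler": handler,            # hypothetical role names are used below
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "sha256": digest,
    }


def run_acquisition(workdir=None) -> dict:
    """Image the sample medium, hash original and image, log custody, and report
    what each kind of copy preserves and whether tampering is detectable."""
    if workdir is None:
        with tempfile.TemporaryDirectory() as d:
            return run_acquisition(d)

    original = os.path.join(workdir, "evidence_disk.raw")
    image = os.path.join(workdir, "evidence_disk.dd")
    with open(original, "wb") as f:
        f.write(build_sample_medium())

    log = [custody_entry("HDD-001", "received", "first responder", sha256_file(original))]
    bitstream_image(original, image)
    orig_hash, img_hash = sha256_file(original), sha256_file(image)
    log.append(custody_entry("HDD-001", "imaged", "forensic analyst", img_hash))

    with open(image, "rb") as f:
        img = f.read()
    logical = logical_copy(img)
    slack_remnant = OLD_LEFTOVERS[len(LIVE_FILE):]   # what survives in the slack of cluster 0

    # Simulate a later alteration of a working image: one flipped bit changes the hash.
    tampered = os.path.join(workdir, "evidence_disk_tampered.dd")
    with open(tampered, "wb") as f:
        f.write(img[:100] + bytes([img[100] ^ 0x01]) + img[101:])

    return {
        "hashes_match": orig_hash == img_hash,
        "slack_in_image": slack_remnant in img,
        "deleted_file_in_image": UNLINKED_FILE in img,
        "slack_in_logical_copy": slack_remnant in logical,
        "deleted_file_in_logical_copy": UNLINKED_FILE in logical,
        "tamper_detected": sha256_file(tampered) != orig_hash,
        "custody_log": log,
    }


if __name__ == "__main__":
    print(json.dumps(run_acquisition(), indent=2))
```

In practice the original disk sits behind a hardware write blocker while this is done, and both hashes go into the custody record so that anyone can later re-hash the image and confirm it has not changed since acquisition.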