Computer forensics, or digital forensics, is a term in computer science for obtaining legal evidence present in digital media or computer storage. With a digital forensic investigation, the investigator can discover what happened to digital media such as emails, a hard disk, logs, a computer system, and the network itself. In many cases, a forensic investigation can show how the crime may have happened and how we can defend ourselves against it next time.
Some reasons why we need to conduct a forensic investigation:
1. To gather evidence so that it can be used in court to solve legal cases.
2. To investigate the strength of our network, and to fill the security gaps with patches and fixes.
3. To recover deleted files, or any files, in the event of hardware or software failure.
In computer forensics, the most important things that must be remembered when conducting the investigation are:
1. The original evidence must not be altered in any way. To conduct the process, the forensic investigator should make a bit-stream image. A bit-stream image is a bit-by-bit copy of the original storage medium, an exact copy of the original media. The difference between a bit-stream image and a normal copy of the original storage is that the bit-stream image includes the slack space in the storage. You will not find any slack space information on a normally duplicated medium.
2. All forensic processes must comply with the applicable laws of the country where the crime happened. Every country has different legislation in the IT field. Some take IT rules very seriously, for example the United Kingdom and Australia.
3. All forensic processes can only be conducted after the investigator has the search warrant.
Forensic investigators usually look at the timeline of how the crimes occurred, in chronological order. With that, we can reconstruct the crime scene: how, when, what and why the crimes may have happened. In a big company, it is recommended to create a Digital Forensic Team or First Responder Team, so that the company can preserve the evidence until the forensic investigator comes to the crime scene.
First Response rules are:
1. Under no circumstances should anybody, except the Forensic Analyst, make any attempt to recover information from any computer system or device that holds digital information.
2. Any attempt to retrieve the information by a person mentioned in rule 1 must be prevented, because it might compromise the integrity of the evidence, which would then become inadmissible in a legal court.
These rules already explain the essential role of having a First Responder Team in a company. Unqualified persons can only secure the perimeter so that no one can touch the crime scene until the Forensic Analyst has come (this can be done by taking photos of the crime scene). They can also make notes about the scene and who was present at that time.
Steps that must be taken, in a professional manner, when a digital crime has occurred:
1. Secure the crime scene until the forensic analyst arrives.
2. The Forensic Analyst should request the search warrant from the local authorities or the company's management.
3. The Forensic Analyst may take pictures of the crime scene if no pictures have been taken yet.
4. If the computer is still powered on, don't turn it off. Instead, use forensic tools such as Helix to get data that can only be found while the computer is still powered on, such as the contents of RAM and the registry. Such tools have the special property of not writing anything back to the system, so the integrity stays intact.
5. Once all live evidence is collected, the Forensic Analyst can turn off the computer and take the hard disk back to the forensic lab.
6. All the evidence must be documented, for which a chain of custody is used. The Chain of Custody maintains records about the evidence, such as who last had the evidence.
7. Securing the evidence must be accompanied by a legal officer, such as the police, as a formality.
8. Back in the lab, the Forensic Analyst takes the evidence to create a bit-stream image, as the original evidence must not be used. Normally, the Forensic Analyst will create 2-5 bit-stream images in case one image is corrupted. Of course, the Chain of Custody is still used in this situation to maintain records of the evidence.
9. A hash of the original evidence and of the bit-stream image is created. This acts as proof that the original evidence and the bit-stream image are exact copies. Any alteration to the bit-stream image will lead to a different hash, which makes the evidence found become inadmissible in court.
10. The Forensic Analyst begins to search for evidence in the bit-stream image by carefully looking at the relevant locations, depending on what kind of crime has happened. For example: Temporary Internet Files, slack space, deleted files, steganography files.
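As an added illustration of steps 8 and 9 (example code written for this page, not from the original article or any forensic tool), the following Python script images a constructed sample medium byte for byte, hashes both the original and the copy, and shows that flipping a single bit in a copy changes the hash. It uses a file in place of a physical disk and assumes SHA-256 as the hash algorithm.

```python
"""Verify that a bit-stream image is an exact copy of the original evidence by hashing both."""
import hashlib
import shutil
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # stream in 1 MiB chunks so a real disk image need not fit in RAM


def hash_file(path, algorithm="sha256"):
    """Return the hex digest of a file; SHA-256 is an assumed choice of algorithm."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def bitstream_image(source, dest):
    """Byte-for-byte copy of the source file (stands in for imager output)."""
    with open(source, "rb") as src, open(dest, "wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)
    return dest


def verify_image(original, image):
    """Return (hashes_match, original_hash, image_hash) for the two files."""
    h_orig, h_img = hash_file(original), hash_file(image)
    return h_orig == h_img, h_orig, h_img


def demo():
    """Constructed sample: a 4 KiB 'disk' with allocated data followed by slack-space leftovers."""
    workdir = Path(tempfile.mkdtemp())
    original = workdir / "evidence.dd"
    allocated = b"ALLOCATED FILE DATA".ljust(2048, b"\x00")
    slack = b"old deleted content".ljust(2048, b"\x00")  # constructed slack-space remnant
    original.write_bytes(allocated + slack)
    image = bitstream_image(original, workdir / "evidence_copy1.dd")
    intact, h_orig, h_img = verify_image(original, image)
    # A second copy with one flipped bit inside the slack space: its hash no longer matches.
    tampered = workdir / "evidence_copy2.dd"
    data = bytearray(original.read_bytes())
    data[3000] ^= 0x01
    tampered.write_bytes(data)
    still_matches, _, h_bad = verify_image(original, tampered)
    return {"intact": intact, "tampered_matches": still_matches,
            "orig": h_orig, "image": h_img, "tampered": h_bad}


if __name__ == "__main__":
    print(demo())
```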