Computer forensics, or digital forensics, is a term in computer science for acquiring legal evidence found in digital media or computer storage. Through a digital forensic investigation, the investigator can discover what happened to digital media such as emails, hard disks, logs, computer systems, and the network itself. In many cases, a forensic investigation can show how a crime may have occurred and how we can protect ourselves against it next time.
Some reasons why we need to conduct a forensic investigation:
1. To gather evidence so that it can be used in court to resolve legal cases.
2. To analyze how strong our network is, and to fill the security gaps with patches and fixes.
3. To recover deleted files, or any files, in the event of hardware or software failure.
In computer forensics, the most important things to remember when conducting the investigation are:
1. The original evidence must not be altered in any way; to conduct the process, the forensic investigator must make a bit-stream image. A bit-stream image is a bit-by-bit copy of the original storage medium and an exact copy of the original media. The difference between a bit-stream image and a regular copy of the original storage is that a bit-stream image includes the slack space of the storage. You will not find any slack space data on a copied media.
2. All forensic processes must follow the laws of the country where the crime happened. Every country has different laws that apply to its forensics field. Some take IT rules very seriously, for example: the United Kingdom, Australia.
3. All forensic processes can only be carried out after the investigator has obtained the search warrant.
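To make point 1 concrete, here is an added example (not code from the original article) that models a tiny storage medium as fixed-size clusters. It shows why a normal file copy returns only the file's logical bytes, while a bit-stream image also captures the file slack, the bytes between the end of a file and the end of its cluster, which can still hold remnants of an earlier, deleted file. The cluster size, file contents and directory-entry format are all constructed for the demonstration.

```python
# Added example (not from the original article): a toy model of why a
# bit-stream image preserves slack space while a normal file copy does not.
# The "disk" is a bytearray of fixed-size clusters; a directory entry records
# which cluster a file starts in and its logical length. All data is constructed.

CLUSTER = 512  # constructed cluster size for the toy medium


def new_medium(clusters: int) -> bytearray:
    """Zero-filled storage medium of the given number of clusters."""
    return bytearray(CLUSTER * clusters)


def write_file(medium: bytearray, cluster: int, data: bytes) -> dict:
    """Write data at the start of a cluster and return a directory entry.

    Only len(data) bytes are written; bytes from there to the cluster
    boundary (the file slack) keep whatever they held before.
    """
    assert len(data) <= CLUSTER, "toy model: one cluster per file"
    start = cluster * CLUSTER
    medium[start:start + len(data)] = data
    return {"cluster": cluster, "length": len(data)}


def logical_copy(medium: bytearray, entry: dict) -> bytes:
    """What a normal copy of the file produces: exactly the logical content."""
    start = entry["cluster"] * CLUSTER
    return bytes(medium[start:start + entry["length"]])


def bitstream_image(medium: bytearray) -> bytes:
    """What a bit-stream image produces: every byte of the medium, slack included."""
    return bytes(medium)


def file_slack(image: bytes, entry: dict) -> bytes:
    """Bytes between the end of the file's data and the end of its cluster."""
    start = entry["cluster"] * CLUSTER
    return image[start + entry["length"]:start + CLUSTER]


def demo() -> dict:
    disk = new_medium(4)
    # An earlier file filled most of cluster 0, then was "deleted"
    # (its directory entry dropped, its bytes left in place).
    write_file(disk, 0, b"OLD-CONFIDENTIAL-RECORD " * (CLUSTER // 24))
    # A new, shorter file is written into the same cluster.
    new = write_file(disk, 0, b"hello, this is the new file")
    image = bitstream_image(disk)
    return {
        "logical": logical_copy(disk, new),
        "slack": file_slack(image, new),
        "image_size": len(image),
    }


if __name__ == "__main__":
    r = demo()
    print("logical copy:", r["logical"])
    print("slack holds :", r["slack"][:40], "...")
```

Running it prints the new file's content from the logical copy, while the slack taken from the bit-stream image still contains the deleted record. This is exactly the data an investigator loses when evidence is "copied" with ordinary file tools instead of being imaged.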
Forensic investigators will normally look at the timeline of how the crimes occurred, in chronological order. With that, we can reconstruct the crime scene: how, when, what and why the crimes may have happened. In a large company, it is suggested to create a Digital Forensic Team or First Responder Team, so that the company can still preserve the evidence until the forensic investigator arrives at the crime scene.
First Response rules are:
1. Under no circumstances should anybody, apart from the Forensic Analyst, make any attempt to recover data from any computer system or device that holds electronic data.
2. Any attempt to retrieve the data by a person described in number 1 should be avoided, because it may compromise the integrity of the evidence, which then becomes inadmissible in a legal court.
Based on those rules, the vital role of having a First Responder Team in a company is already defined. Unqualified persons can only secure the perimeter so that nobody can touch the crime scene until the Forensic Analyst arrives. This can be done by taking photographs of the crime scene. They can also make notes about the scene and who was present at that time.
Steps to be taken, in a professional manner, when a digital crime occurs:
1. Secure the crime scene until the forensic analyst arrives.
2. The Forensic Analyst must request the search warrant from the local authorities or the company's management.
3. The Forensic Analyst may take a picture of the crime scene in case no pictures have been taken.
4. If the computer is still powered on, do not turn it off. Instead, use forensic tools such as Helix to collect data that can only be found while the computer is still powered on, such as the contents of RAM and the registry. Such tools have the special property of not writing anything back to the system, so the integrity stays intact.
5. Once all live evidence is collected, the Forensic Analyst can turn off the computer and take the hard disk back to the forensic lab.
6. All evidence must be documented, for which a chain of custody is used. The chain of custody keeps records on the evidence, such as who had the evidence last.
7. Securing the evidence should be accompanied by a legal officer such as the police, as a formality.
8. Back in the lab, the Forensic Analyst takes the evidence to create a bit-stream image, as the original evidence must not be used. Normally, the Forensic Analyst will create 2-5 bit-stream images in case one image is corrupted. Of course, the chain of custody is still used in this situation to keep records of the evidence.
9. A hash of the original evidence and of the bit-stream image is created. This acts as proof that the bit-stream image is an exact copy of the original evidence. Any alteration of the bit-stream image will result in a different hash, which makes the evidence found inadmissible in court.
10. The Forensic Analyst begins to search for evidence in the bit-stream image by carefully looking at the corresponding locations, depending on what kind of crime has happened. For example: Temporary Internet Files, Slack Space, Deleted Files, Steganography files.
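Steps 6, 8 and 9 above fit together into one small workflow, shown here as an added example that is not part of the original article: several bit-stream images are made from the original evidence, the original and every image are hashed with SHA-256, each image is verified against the original's hash, and every hand-over of the item is appended to a chain-of-custody log. The evidence bytes, the item identifier and the people named in the log are constructed placeholders; on a real case the input would be the raw device and the image files produced by the imaging tool.

```python
# Added example (not from the original article): a minimal model of
# imaging, hash verification and chain-of-custody record keeping.
# The "evidence" is a constructed byte string, not a real drive.
import hashlib
from datetime import datetime, timezone
from typing import Optional


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest, used to prove an image matches the original."""
    return hashlib.sha256(data).hexdigest()


def make_images(original: bytes, count: int) -> list:
    """Create `count` independent bit-for-bit copies of the original (step 8)."""
    return [bytes(original) for _ in range(count)]


def verify_images(original: bytes, images: list) -> list:
    """True for every image whose hash equals the original's hash (step 9)."""
    expected = sha256_hex(original)
    return [sha256_hex(img) == expected for img in images]


class ChainOfCustody:
    """Append-only record of who held an item, when, and for what purpose (step 6)."""

    def __init__(self, item_id: str, item_hash: str):
        self.item_id = item_id
        self.item_hash = item_hash
        self.entries = []

    def transfer(self, from_person: str, to_person: str, purpose: str,
                 when: Optional[datetime] = None) -> dict:
        entry = {
            "item": self.item_id,
            "hash": self.item_hash,
            "from": from_person,
            "to": to_person,
            "purpose": purpose,
            "time": (when or datetime.now(timezone.utc)).isoformat(),
        }
        self.entries.append(entry)
        return entry

    def current_holder(self) -> Optional[str]:
        """Who has the evidence last, the question the log exists to answer."""
        return self.entries[-1]["to"] if self.entries else None


def demo() -> dict:
    # Constructed stand-in for the raw contents of the seized drive.
    original = b"\x00" * 64 + b"evidence payload" + b"\xff" * 64
    images = make_images(original, 3)        # 2-5 images, as the text suggests
    ok = verify_images(original, images)
    # Flip one bit in a working copy: its hash no longer matches the original.
    tampered = bytearray(images[0])
    tampered[70] ^= 0x01
    tampered_ok = verify_images(original, [bytes(tampered)])[0]
    # Constructed item id and names for the custody log.
    coc = ChainOfCustody("HDD-001 (constructed id)", sha256_hex(original))
    coc.transfer("First Responder", "Forensic Analyst", "seizure at scene")
    coc.transfer("Forensic Analyst", "Evidence Locker", "storage after imaging")
    return {
        "all_images_match": all(ok),
        "tampered_matches": tampered_ok,
        "holder": coc.current_holder(),
        "entries": len(coc.entries),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hash is recorded in every custody entry so that anyone reading the log later can re-hash the item they are handed and confirm it is still the same object; a single flipped bit, as in the tampered copy, is enough to break the match.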