Introduction to Digital Forensics

Computer forensics, or digital forensics, is the branch of computer science concerned with acquiring legally admissible evidence from digital media and computer storage. Through a digital forensic investigation the investigator can establish what happened on a digital medium such as email, a hard disk, log files, a computer system, or the network itself. In many cases a forensic investigation can also reconstruct how the crime took place and show how we can protect ourselves against it next time.

Some reasons why we have to conduct a forensic investigation:

1. To gather evidence that can be used in court to resolve legal cases.

2. To examine the strength of our network and to close the security holes we find with patches and fixes.

3. To recover deleted files, or any files at all, in the event of hardware or software failure.

In computer forensics, the crucial things to remember when conducting an investigation are:

1. The original evidence must not be altered in any way, so the forensic investigator must work from a bit-stream image. A bit-stream image is a bit-by-bit copy of the original storage medium, an exact duplicate of the original media. The difference between a bit-stream image and an ordinary copy of the storage is that the bit-stream image also captures the slack space on the medium; you will not find any slack-space data on an ordinary copy.

2. All forensic processes must comply with the law of the country in which the crime took place. Every country has different legislation covering the IT field, and some take IT law very seriously, for example the United Kingdom and Australia.

3. All forensic processes may only be conducted after the investigator has obtained a search warrant.

Forensic investigators normally look at the timeline of the crime, reconstructing the sequence of events in order. From that we can build a picture of the crime scene: how, when, what and why the crime happened. In a large company it is recommended to set up a Digital Forensic Team or First Responder Team, so that the company can preserve the evidence until the forensic investigator arrives at the crime scene.

The First Response rules are:

1. Nobody other than the Forensic Analyst should make any attempt to recover data from a computer system or device that holds digital evidence.

2. Any attempt by a person other than the Forensic Analyst to retrieve the data must be avoided, because it could compromise the integrity of the evidence and render it inadmissible in court.

These rules already explain the essential role of a First Responder Team within a company. Unqualified staff can only secure the perimeter so that nobody touches the crime scene until the Forensic Analyst arrives. This can be done by photographing the scene, and they can also take notes about the scene and who was present at the time.

The steps to be taken when a digital crime occurs, in a professional manner, are:

1. Secure the crime scene until the forensic analyst arrives.

2. The Forensic Analyst requests a search warrant from the local authorities or from the company's management.

3. The Forensic Analyst may photograph the crime scene if no photographs have been taken yet.

4. If the computer is still powered on, do not turn it off. Instead, use a forensic tool such as Helix to collect the information that is only available while the machine is running, such as the contents of RAM and the registry. Such tools are designed not to write anything back to the system, so the integrity of the evidence stays intact.

5. Once all live evidence has been collected, the Forensic Analyst can turn off the computer and take the hard disk back to the forensic lab.

6. All evidence must be documented using a chain of custody. The chain of custody keeps a record of the evidence, for example who held the evidence last.

7. Securing the evidence should be accompanied by a legal officer, such as the police, as a formality.

8. Back in the lab, the Forensic Analyst takes the evidence and creates a bit-stream image, since the original evidence must not be used directly. Normally the Forensic Analyst creates 2-5 bit-stream images in case one of them is corrupted. The chain of custody is still maintained at this stage to keep the record of the evidence.

9. Hashes of the original evidence and of the bit-stream image are computed. Matching hashes prove that the bit-stream image is an exact copy of the original evidence, so any alteration to the image would produce a different hash and make the evidence found on it inadmissible in court.

10. The Forensic Analyst begins searching for evidence in the bit-stream image, looking carefully at the locations that correspond to the type of crime that has occurred, for example Temporary Internet Files, slack space, deleted files, and steganography files.
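The two points the procedure turns on, that a bit-stream image also captures slack space (rule 1 above) and that matching hashes prove the image is exact (step 9), can be shown with a small script. This is an added illustration, not code from the original page or from any forensic tool; it builds a constructed 4-sector "disk" with a remnant left in the slack, images it byte-for-byte, verifies both SHA-256 digests, and shows that a single altered byte breaks verification. Real acquisitions use a hardware write-blocker and an imaging tool; here the sector size, file length and slack marker are all constructed values.

```python
import hashlib
import os
import tempfile

SECTOR = 512                       # constructed sector size for the sample "disk"
LOGICAL_LEN = 100                  # bytes the file system reports for its one file
SLACK_MARKER = b"RESIDUAL DRAFT"   # constructed remnant of an earlier, larger file

def make_sample_disk(path):
    """Write a constructed 4-sector disk: a 100-byte file in sector 0 whose
    cluster still holds bytes from an earlier file (the slack), then zeros."""
    logical = b"quarterly report - current".ljust(LOGICAL_LEN, b".")
    slack = SLACK_MARKER.ljust(SECTOR - LOGICAL_LEN, b"\x00")
    with open(path, "wb") as f:
        f.write(logical + slack + b"\x00" * (3 * SECTOR))

def logical_copy(disk_path):
    """What an ordinary file copy yields: only the bytes the file system
    says belong to the file, never the slack behind them."""
    with open(disk_path, "rb") as f:
        return f.read(LOGICAL_LEN)

def bitstream_image(src_path, dst_path, block=SECTOR):
    """Bit-by-bit copy of the whole medium, slack and unallocated sectors
    included. Returns the number of bytes copied."""
    copied = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while chunk := src.read(block):
            dst.write(chunk)
            copied += len(chunk)
    return copied

def sha256_file(path, block=SECTOR):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while chunk := f.read(block):
            h.update(chunk)
    return h.hexdigest()

def verify_image(src_path, img_path):
    """The image counts as an exact copy only if both digests match."""
    return sha256_file(src_path) == sha256_file(img_path)

def demo():
    with tempfile.TemporaryDirectory() as d:
        disk, image = os.path.join(d, "disk.raw"), os.path.join(d, "disk.dd")
        make_sample_disk(disk)
        size = bitstream_image(disk, image)
        with open(image, "rb") as f:
            img_bytes = f.read()
        verified = verify_image(disk, image)
        with open(image, "r+b") as f:        # simulate one altered byte in the image
            f.write(b"X")
        return {"size": size, "slack_in_logical": SLACK_MARKER in logical_copy(disk),
                "slack_in_image": SLACK_MARKER in img_bytes,
                "verified": verified, "verified_after_edit": verify_image(disk, image)}
```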