Computer forensics or digital forensics is a time period in computer science to acquire legal evidence present in digital media or computers storage. With digital forensic investigation, the investigator can discover what happened to the digital media equivalent to emails, hard disk, logs, computer system, and the network itself. In lots of case, forensic investigation can produce how the crime might occurred and how we are able to shield ourselves towards it subsequent time.
Some reasons why we have to conduct a forensic investigation: 1. To gather evidences in order that it may be used in court docket to resolve legal cases. 2. To research our network power, and to fill the safety gap with patches and fixes. 3. To get better deleted information or any recordsdata within the event of hardware or software failure
In computer forensics, crucial issues that must be remembered when conducting the investigation are:
1. The unique proof must not be altered in in any case, and to do conduct the method, forensic investigator should make a bit-stream image. Bit-stream image is a little by little copy of the unique storage medium and exact copy of the unique media. The distinction between a bit-stream image and regular copy of the original storage is bit-stream image is the slack house in the storage. You’ll not discover any slack space information on a duplicate media.
2. All forensic processes should follow the authorized legal guidelines in corresponding country where the crimes happened. Every country has different legislation suit in IT field. Some take IT rules very critically, for cybercrime instance: United Kingdom, Australia.
3. All forensic processes can solely be carried out after the investigator has the search warrant.
Forensic investigators would normally trying at the timeline of how the crimes happened in well timed manner. With that, we can produce the crime scene about how, when, what and why crimes might happened. In a big firm, it’s recommended to create a Digital Forensic Group or First Responder Team, in order that the corporate might still preserve the evidence until the forensic investigator come to the crime scene.
First Response rules are: 1. Not at all ought to anyone, with the exception of Forensic Analyst, to make any attempts to get better info from any computer system or system that holds digital information. 2. Any try to retrieve the information by individual mentioned in number 1, ought to be prevented because it could compromise the integrity of the evidence, during which turned inadmissible in legal court.
Based mostly on that guidelines, it has already defined the important roles of getting a First Responder Team in a company. The unqualified individual can only safe the perimeter in order that no one can contact the crime scene till Forensic Analyst has come (This can be achieved by taking picture of the crime scene. They will additionally make notes about the scene and who were current at that time.
Steps should be taken when a digital crimes happenred in an expert manner: 1. Safe the crime scene until the forensic analyst arrive.
2. Forensic Analyst must request for the search warrant from local authorities or firm’s management.
3. Forensic Analyst make take a picture of the crime scene in case of if there is no any photos has been taken.
4. If the computer is still powered on, don’t turned off the computer. As an alternative, used a forensic instruments similar to Helix to get some info that can only be found when the computer is still powered on, akin to data on RAM, and registries. Such tools has it’s particular operate as to not write something back to the system so the integrity keep intake.
5. As soon as all live proof is collected, Forensic Analyst cant turned off the computer and take harddisk back to forensic lab.
6. All of the evidences must be documented, through which chain of custody is used. Chain of Custody maintain data on the evidence, such as: who has the evidence for the last time.
7. Securing the proof should be accompanied by legal officer reminiscent of police as a formality.
8. Back in the lab, Forensic Analyst take the proof to create bit-stream image, as authentic evidence must not be used. Normally, Forensic Analyst will create 2-5 bit-stream image in case 1 image is corrupted. Of course Chain of Custody nonetheless used in this state of affairs to maintain records of the evidence.
9. Hash of the original evidence and bit-stream image is created. This acts as a proof that authentic proof and the bit-stream image is the precise copy. So any alteration on the bit image will end in different hash, which makes the evidences discovered grow to be inadmissible in court.
10. Forensic Analyst begins to find evidence within the bit-stream image by carefully looking on the corresponding location depends upon what kind of crime has happened. For example: Momentary Internet Recordsdata, Slack Area, Deleted File, Steganography files.