Digital forensics deals with three categories of data: active, archival, and latent data.
Active data is the information that is directly visible on a system: user documents, applications, and the files used by the operating system (OS). It is by far the easiest kind of data to acquire. Archival data is data that has been stored or backed up onto separate media, such as floppy disks, CDs, DVDs, tapes, or even entire hard disk drives (HDDs). Latent data is information that normally requires specialised tools to access; for instance, data that has been deleted or partially overwritten, such as file remnants left in unallocated disk space, is considered latent data.
A digital investigation may need to consider all of these categories, depending on the circumstances. Recovering latent data is time consuming and expensive. Digital forensics is about obtaining evidence of a crime or a breach of policy; it centres on collecting evidence of the misuse of computers in a manner that can lead to the prosecution of the offender. When a problem is suspected, it is best to act quickly, since digital evidence is volatile and easily damaged: simply booting a suspect machine or opening files on it changes timestamps and can overwrite deleted data. It is also better to know for certain than to guess at potential concerns. If a potential problem is uncovered, it is wise to seek confidential advice from a qualified forensic investigator before deciding on a course of action. Handling the situation alone is a risky approach that can have far-reaching consequences. If in-house staff must do the work, start with the basics of evidential integrity and do not be tempted by shortcuts.
When performed properly, the forensic examination of computer systems involved in misuse can provide valuable evidence that might otherwise be lost or overlooked. Carried out incorrectly, it can hand the opposing party the opportunity to have the case dismissed.
Digital forensic investigations should always be led by a qualified digital forensic investigator, who will use licensed, validated tools to avoid spoiling the evidence and to ensure its admissibility in court. The six phases of a computer examination are:
Phase 1
Establish a chain of custody. The investigator knows at all times where every item linked to the investigation is and who has handled it. Use a locker or safe to secure items whenever they are not in use.
Phase 2
Identify all relevant information, including active, archival, and latent data. Recover deleted information to whatever extent is possible. Identify password-protected and encrypted information, along with anything that indicates an attempt to hide or obfuscate data. Preserve the integrity of the original media to the greatest extent possible, which means the original source of information must not be altered. Make an exact, bit-for-bit image of the HDD and verify that image against the original, normally by comparing cryptographic hashes of both, to confirm that it is indeed identical.
Phase 3
Obtain additional sources of information as the circumstances dictate. These include firewall, Kerberos, and proxy server logs.
Phase 4
Examine and interpret the information to determine what constitutes potential evidence. Look for both inculpatory (did it) and exculpatory (did not do it) evidence. Where appropriate, crack password-protected and encrypted files.
Phase 5
Submit a written report to the client with the investigator's findings and notes. This is considered the most important phase, as it presents the investigator's work from the four previous phases.
Phase 6
If required, the investigator should give expert witness testimony at a trial, hearing, or any other legal proceeding.
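The imaging and hash verification of Phase 2, together with the custody record of Phase 1, are shown below as an added Python example; it is not part of the original text and not any particular tool's code. It stands in a constructed sample file for the original drive, so it runs offline; the item identifier EV-001 and the examiner name are hypothetical. A real acquisition would read the source through a hardware write-blocker and usually records more than one hash (for example MD5 alongside SHA-256); this example uses SHA-256 only.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1024 * 1024  # hash and copy in 1 MiB blocks so large images do not exhaust memory


def sha256_file(path):
    """Return the SHA-256 hex digest of a file, read in fixed-size blocks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image_path):
    """Bit-for-bit copy of `source` to `image_path`.

    The source is hashed while it is being read (the acquisition hash), then
    the finished image is hashed independently.  Both digests are returned so
    the examiner can show the copy is identical to what was read.
    """
    acq = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            acq.update(block)
            dst.write(block)
    return acq.hexdigest(), sha256_file(image_path)


def verify_image(source, image_path, expected):
    """Re-hash the original and the image; both must still equal `expected`.

    Re-hashing the original shows the acquisition did not alter it;
    re-hashing the image shows the copy has not changed since it was made.
    """
    return sha256_file(source) == expected and sha256_file(image_path) == expected


def log_custody(logfile, item_id, action, examiner, **details):
    """Append one JSON-lines chain-of-custody entry (who, what, when, hashes)."""
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "item": item_id,
        "action": action,
        "examiner": examiner,
        **details,
    }
    with open(logfile, "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def read_custody(logfile):
    """Return the custody log as a list of entries, oldest first."""
    with open(logfile) as f:
        return [json.loads(line) for line in f if line.strip()]


def run_demo():
    """Acquire, verify, then tamper with the image to show verification fails.

    The 'drive' is a constructed file of sample bytes, not real evidence.
    """
    work = Path(tempfile.mkdtemp())
    drive = work / "suspect_drive.bin"   # stand-in for the original media
    image = work / "suspect_drive.dd"    # the forensic image
    log = work / "custody.jsonl"
    examiner = "J. Examiner"             # hypothetical examiner name

    # Constructed sample content: 3 MiB of patterned bytes with a deleted-file remnant inside
    drive.write_bytes(b"\x00" * (2 * CHUNK) + b"deleted memo: budget.xlsx" + b"\xff" * (CHUNK - 25))

    log_custody(log, "EV-001", "received", examiner, source=str(drive))
    src_hash, img_hash = acquire_image(drive, image)
    log_custody(log, "EV-001", "imaged", examiner, image=str(image),
                sha256_source=src_hash, sha256_image=img_hash)

    verified = src_hash == img_hash and verify_image(drive, image, src_hash)
    log_custody(log, "EV-001", "verified", examiner, result=verified)

    # Simulate a working copy being modified: flip one byte in the image.
    with open(image, "r+b") as f:
        f.seek(CHUNK)
        f.write(b"\x01")
    tamper_detected = not verify_image(drive, image, src_hash)

    return {
        "verified": verified,
        "tamper_detected": tamper_detected,
        "custody_entries": len(read_custody(log)),
        "hash": src_hash,
    }


if __name__ == "__main__":
    print(run_demo())
```

Running the script prints the result dictionary. The reason the source is hashed during the read and both files are re-hashed afterwards is that any later alteration of either one, including the single flipped byte simulated at the end, makes verification fail, and the custody log records who did what and when, with the digests that tie each step to the same evidence.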
The information in this report covers the fundamentals and does not necessarily do full justice to every aspect of digital forensics. Nevertheless, it should give a better understanding of the phases involved in the process.