There are three categories of data that digital forensics deals with: active, archival, and latent data.
Active data is the information that can be seen directly. It includes applications and the files used by the operating system (OS). This is by far the easiest kind of data to obtain. Archival data is data that has been stored and backed up, such as on floppy disks, CDs, DVDs, tapes, or even entire hard disk drives (HDD). Latent data is information that normally requires specialised tools to access. For instance, information that has been erased or overwritten is considered latent data.
A digital investigation may involve all of these categories, depending on the circumstances. Obtaining latent data is time consuming and very expensive. Digital forensics is about gathering evidence of a crime or breach of policy. It centres on obtaining evidence of illegal misuse of computers in a way that could lead to the trial of the offender. If there is a problem, it is best to act fast, since digital evidence is volatile and can be easily damaged. It is also better to know for sure than to fear potential concerns. If a potential problem is uncovered, it may be wise to seek private guidance from a qualified forensic investigator before choosing a course of action. Handling the situation alone is a risky approach that may have far-reaching consequences. If in-house staff must be used, start with the basics of evidential integrity and do not be tempted to take shortcuts.
When performed properly, the forensic examination of computer systems involved in misuse can provide valuable evidence that might otherwise have been lost or overlooked. Carried out incorrectly, it might give the opposing party the chance to have a case dismissed.
Phases in the Forensic Investigation Process
Digital forensic investigations should always be led by a qualified digital forensic investigator, who will use licensed tools to avoid contaminating the evidence and to guarantee its admissibility in court. The six phases of a computer examination are:
Phase 1
Establish a chain of custody. The investigator must know at all times where every item linked to the investigation is located. Use a locker or safe regularly to secure items.
Phase 2
Classify all relevant information, including active, archival, and latent data. Recover erased information to whatever extent possible. Identify password-protected and encrypted information, along with anything that points to attempts to hide or obfuscate data. Preserve the integrity of the original media as far as possible, which means the original source of information must not be altered. Make an exact image of the HDD and verify that image against the original to make sure it is indeed identical.
Phase 3
Obtain additional sources of information as circumstances dictate. These include firewall, Kerberos, and proxy server logs.
Phase 4
Examine and interpret the information to determine potential evidence. Search for both inculpatory (did it) and exculpatory (did not do it) evidence. Where appropriate, crack password-protected and encrypted files.
Phase 5
Submit a written report to the client with the investigator's findings and notes. This is considered the most important phase, as it brings together the investigator's work from the four previous phases.
Phase 6
If required, the investigator should give expert witness testimony at a trial, hearing, or other legal proceeding.
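As an added illustration of Phases 1 and 2 (example code, not from the original post), the following Python script records chain-of-custody entries for a constructed sample "drive", images it, and verifies the image against the original before accepting it. Using SHA-256 as the comparison, and the sample content and item labels, are assumptions made for the demonstration; it also shows that altering a single byte of the image makes the verification fail.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a multi-gigabyte image never has to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_image(original_path, image_path):
    """Phase 2: an image is only acceptable if its hash equals the original's."""
    orig, img = sha256_file(original_path), sha256_file(image_path)
    return orig == img, orig, img

def custody_entry(item_id, action, custodian, location, digest):
    """Phase 1: one chain-of-custody record (who, what, when, where, hash)."""
    return {"item": item_id, "action": action, "custodian": custodian,
            "location": location, "sha256": digest,
            "timestamp": datetime.now(timezone.utc).isoformat()}

def demo():
    """Constructed scenario (not real evidence): image a sample 'drive', verify
    it, then alter one byte of the image to show the check catching it."""
    work = tempfile.mkdtemp()
    original = os.path.join(work, "evidence_drive.bin")  # stands in for the seized HDD
    image = os.path.join(work, "evidence_drive.dd")      # stands in for the bit-for-bit image
    with open(original, "wb") as f:                      # constructed sample content
        f.write(b"\x00" * 4096 + b"important document\n" + b"\xff" * 4096)
    log = [custody_entry("HDD-001", "seized", "Examiner A",
                         "evidence locker 3", sha256_file(original))]
    shutil.copyfile(original, image)  # copy stands in for a write-blocked acquisition
    ok, _, img_hash = verify_image(original, image)
    log.append(custody_entry("HDD-001-IMG", "imaged, hash verified" if ok else "image REJECTED",
                             "Examiner A", "forensic workstation", img_hash))
    with open(image, "r+b") as f:  # simulate accidental modification of the image
        f.seek(4100)
        f.write(b"X")
    tampered_ok, _, _ = verify_image(original, image)
    shutil.rmtree(work)
    return {"clean_match": ok, "tampered_match": tampered_ok, "log": log}

if __name__ == "__main__":
    print(demo())
```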
The information in this report covers the fundamentals and does not necessarily do full justice to every aspect of digital forensics. Nevertheless, it should give a better understanding of the phases involved in the process.