Guide to Digital Forensics

Computer forensics or digital forensics is a term in computer science to obtain legal evidence found in digital media or computers storage. With digital forensic investigation, the investigator can find what happened to the digital media such as emails, hard disk, logs, computer system, and the network itself. In many case, forensic investigation can produce how the crime could happened and how we can protect ourselves against it next time.

Some reasons why we need to conduct a forensic investigation: 1. To gather evidences so that it can be used in court to solve legal cases. 2. To analyze our network strength, and to fill the security hole with patches and fixes. 3. To recover deleted files or any files in the event of hardware or software failure

In computer forensics, the most important things that need to be remembered when conducting the investigation are:

1. The original evidence must not be altered in anyways, and to do conduct the process, forensic investigator must make a bit-stream image. Bit-stream image is a bit by bit copy of the original storage medium and exact copy of the original media. The difference between a bit-stream image and normal copy of the original storage is bit-stream image is the slack space in the storage. You will not find any slack space information on a copy media.

2. All forensic processes must follow the legal laws in corresponding country where the crimes happened. Each country has different law suit in IT field. Some take IT rules very seriously, for example: United Kingdom, Australia.

3. All forensic processes can only be conducted after the investigator has the search warrant.

Forensic investigators would normally looking at the timeline of how the crimes happened in timely manner. With that, we can produce the crime scene about how, when, what and why crimes could happened. In a big company, it is suggested to create a Digital Forensic Team or First Responder Team, so that the company could still preserve the evidence until the forensic investigator come to the crime scene.

First Response rules are: 1. Under no circumstances should anyone, with the exception of Forensic Analyst, to make any attempts to recover information from any computer system or device that holds electronic information. 2. Any attempt to retrieve the data by person said in number 1, should be avoided as it could compromise the integrity of the evidence, in which became inadmissible in legal court.

Based on that rules, it has already explained the important roles of having a First Responder Team in a company. The unqualified person can only secure the perimeter so that no one can touch the crime scene until Forensic Analyst has come (This can be done by taking photo of the crime scene. They can also make notes about the scene and who were present at that time.

Steps need to be taken when a digital crimes occurred in a professional way: 1. Secure the crime scene until the forensic analyst arrive.

2. Forensic Analyst must request for the search warrant from local authorities or company’s management.

3. Forensic Analyst make take a picture of the crime scene in case of if there is no any photos has been taken.

4. If the computer is still powered on, do not turned off the computer. Instead, used a forensic tools such as Helix to get some information that can only be found when the computer is still powered on, such as data on RAM, and registries. Such tools has it’s special function as not to write anything back to the system so the integrity stay intake.

5. Once all live evidence is collected, Forensic Analyst cant turned off the computer and take harddisk back to forensic lab.

6. All the evidences must be documented, in which chain of custody is used. Chain of Custody keep records on the evidence, such as: who has the evidence for the last time.

7. Securing the evidence must be accompanied by legal officer such as police as a formality.

8. Back in the lab, Forensic Analyst take the evidence to create bit-stream image, as original evidence must not be used. Normally, Forensic Analyst will create 2-5 bit-stream image in case 1 image is corrupted. Of course Chain of Custody still used in this situation to keep records of the evidence.

9. Hash of the original evidence and bit-stream image is created. This acts as a proof that original evidence and the bit-stream image is the exact copy. So any alteration on the bit image will result in different hash, which makes the evidences found become inadmissible in court.

10. Forensic Analyst starts to find evidence in the bit-stream image by carefully looking at the corresponding location depends on what kind of crime has happened. For example: Temporary Internet Files, Slack Space, Deleted File, Steganography files.

11. Each evidence found must be hashed as well, so the integrity stay intake.

12. Forensic Analyst will create a report, normally in PDF format.

13. Forensic Analyst send the report back to the company along with fees.

Beginners Guide to Digital Forensics

Those of you who watch any kind of crime drama know what “Forensics” are. They’re little pieces of information like DNA, blood, fingerprints, foot prints, etc. that are put together to form a picture of what happened at a crime scene and to help the investigators find out “who dunit”.

Digital forensics is very similar to this in many ways and really is just another branch of Forensic Science. However is tasked with the finding and/or the recovery of data found in digital devices such as computers, data cards/sticks and mobile phones.

Digital forensics have a number of applications particularly within the police and trying to prove or disprove guilt. They can also be used within the private sector for investigative work They have been used to deal with issues like copyright, privacy, online harassment (cyber bullying and the like), financial fraud and child pornography to name but a few.

You can divide Digital Forensics up into 4 main areas:

Computer Forensics

This area deals, as you would expect, mainly with computers. It is the acquisition of logs, internet history, recovery of deleted or corrupted files from computer hard drives or even from USB Drives and the like. This information can then be used to as evidence against a suspect, or maybe to confirm an alibi or a statements.

Network Forensics

Again, as the name suggest this deals with monitoring and analysing network traffic. This could be on a Local Area Network within an office, or could even be monitoring traffic and gathering evidence from the internet

Forensic Data Analysis

This is mainly used in Fraud cases and can be very in-depth. It uses mountains of data usually to follow money and find out where the fraud has occurred and who by.

Mobile Device Forensics

This is similar to Computer Forensics in so much as there is a data storage area, but the main difference is that Mobile Device Forensics tends to focus on calls, call logs and SMS/MMS messaging to and from the phone. As most smartphone now have built-in GPS capabilities, this discipline can also be used to track movements and again provide alibis or confirm guilt.

As technology moves on, digital forensics has to keep up, from its early incarnations in the late 70’s, to a massive boom in computer crime in the 90’s, to the problems faced nowadays with data encryption, the ever- growing number of digital media devices and the vastness of the internet. Unfortunately if it’s there, someone will find a criminal way to use it, and so Digital Forensics is going to be a growth area for the police and other areas of law enforcement for many years to come.

Digital Forensic Investigation

Many individuals from across the world, of a variety of ages use a computer on a daily basis, either at work or at home. Unfortunately, this increased usage and the widespread availability of the internet has led to a higher number of criminal cases involving computers. Today, the police can analyse computers seized in the course of investigations to access files and crucial information that could help towards their criminal investigations, in a process known as a digital forensic investigation.

Digital forensics, also known as computer or mobile phone forensics, is a science based discipline that aims to aid criminal investigations by uncovering vital information and files within computers. There are independent organisations in the UK that can aid the investigation process; their tailored services can assist the discovery of criminal activities such as, intellectual property theft, money laundering, indecent images, hacking and drug dealing.

Typical services offered by Digital forensics companies also include, deleted data recovery, e-discovery, mobile phone forensics, cell site analysis and secure data destruction. Although many businesses have an in-house IT team, due to the volatile nature of digital evidence, it is important to commission an experienced forensic team that follows ACPO guidelines and is ISO9001 certified, that can analyse digital information without damaging it.

These digital forensic organisations work closely with the police and other clients and inform them of any evidence that they uncover. This plays an extremely important role in linking a defendant to a crime, potentially aiding the prosecution. Working alongside the police, digital evidence can help to prosecute a range of individuals who have misused computer technology; such individuals may include pedophiles, hackers, fraudsters and terrorists.

Just some of the sectors that digital forensics can benefit are legal, law enforcement, the corporate sector, criminal defense, legal aid and the public sector. Dependent upon a client’s requirements the procedures that are implemented can be adapted.

For further digital forensic investigation information, these organisations have a range of case studies and resources available on their website. Those seeking computer forensics services can contact a member of their team by filling out their online contact form or by calling one of their experienced members of staff.