Beginner’s Guide to Computer Forensics

Introduction

Computer forensics is the practice of collecting, analysing and reporting on digital data in a way that is legally admissible. It can be used in the detection and prevention of crime and in any dispute where evidence is stored digitally. Computer forensics has comparable examination stages to other forensic disciplines and faces similar issues.

About this guide

This guide discusses computer forensics from a neutral perspective. It is not linked to particular legislation or intended to promote a particular company or product, and it is not written in bias of either law enforcement or commercial computer forensics. It is aimed at a non-technical audience and provides a high-level view of computer forensics. Where methods are mentioned they are provided as examples only and do not constitute advice or recommendations.

Uses of computer forensics

There are few areas of crime or dispute where computer forensics cannot be applied. Law enforcement agencies have been among the earliest and heaviest users of computer forensics and consequently have often been at the forefront of developments in the field. Computers can constitute a 'scene of a crime', for example with hacking [1] or denial of service attacks [2], or they may hold evidence in the form of emails, internet history, documents or other files relevant to crimes such as murder, kidnap, fraud and drug trafficking. It is not just the content of emails, documents and other files which may be of interest to investigators but also the 'meta-data' [3] associated with those files. A computer forensic examination may reveal when a file first appeared on a computer, when it was edited, when it was last saved or printed and which user carried out these actions.
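As an added illustration of the meta-data point above (example code written for this guide, not a tool or method the guide itself describes), the Python below reads the timestamps and ownership a file system records for a file and applies one sanity check: the guide later notes that anti-forensics can include altering files' meta-data, and a modification time that lies well before the inode change time is one such lead. The file and its back-dated timestamp are constructed in a temporary directory; the function names are this example's own.

```python
import os
import stat
import tempfile
import time
from datetime import datetime, timezone

def file_metadata(path: str) -> dict:
    """File-system metadata an examination draws on. Meaning varies by platform:
    st_ctime is the inode change time on Linux/macOS but the creation time on
    Windows; st_birthtime (true creation time) exists only on some platforms."""
    st = os.lstat(path)  # lstat reports a symlink itself rather than its target
    return {
        "size_bytes": st.st_size,
        "owner_uid": st.st_uid,
        "mode": stat.filemode(st.st_mode),
        "mtime": st.st_mtime,  # last content modification ("last saved")
        "atime": st.st_atime,  # last access; often suppressed by mount options
        "ctime": st.st_ctime,  # inode change (Unix) or creation (Windows)
        "birthtime": getattr(st, "st_birthtime", None),
    }

def utc(ts: float) -> str:
    return datetime.fromtimestamp(ts, timezone.utc).isoformat(timespec="seconds")

def mtime_predates_ctime(meta: dict, slack_seconds: float = 60.0) -> bool:
    """Flag a modification time well before the ctime. mtime can be set freely
    (touch, os.utime) but that bumps ctime on Unix, and on Windows a file cannot
    be saved before it is created. A hit is a lead, not proof: copying a file
    also preserves mtime while giving the copy a fresh ctime."""
    return meta["mtime"] < meta["ctime"] - slack_seconds

def demo() -> dict:
    """Constructed sample: write a file, then back-date its mtime by a week."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "memo.txt")
        with open(path, "wb") as f:
            f.write(b"constructed sample document\n")
        week_ago = time.time() - 7 * 24 * 3600
        os.utime(path, (week_ago, week_ago))
        meta = file_metadata(path)
        meta["suspicious"] = mtime_predates_ctime(meta)
        return meta

if __name__ == "__main__":
    for key, value in demo().items():
        shown = utc(value) if key.endswith("time") and value else value
        print(f"{key:>10}: {shown}")
```

Because merely opening a file on the original media can update its access time, readings like these are taken from a forensic copy, which is the point of the guidelines that follow.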
More recently, commercial organisations have used computer forensics to their benefit in a variety of cases such as:

- Intellectual property theft
- Industrial espionage
- Employment disputes
- Fraud investigations
- Forgeries
- Matrimonial issues
- Bankruptcy investigations
- Inappropriate email and internet use in the workplace
- Regulatory compliance

Guidelines

For evidence to be admissible it must be reliable and not prejudicial, meaning that at all stages of this process admissibility should be at the forefront of a computer forensic examiner's mind. The four main principles are reproduced below (with references to law enforcement removed):

1. No action should change data held on a computer or storage media which may subsequently be relied upon in court.
2. In circumstances where a person finds it necessary to access original data held on a computer or storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
3. An independent third party should be able to examine those processes and achieve the same result.
4. The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.

In summary, no changes should be made to the original; however, if access or changes are necessary the examiner must know what they are doing and must record their actions.

Live acquisition

Principle 2 above may raise the question: in what situation would changes to a suspect's computer by a computer forensic examiner be necessary? Traditionally, the computer forensic examiner would make a copy of (or acquire) information from a device which is turned off. The examiner would then work from this copy, leaving the original demonstrably unchanged. However, sometimes it is not possible or desirable to switch a computer off.
It may not be possible to switch a computer off if doing so would result in considerable financial or other loss for the owner. It may not be desirable to switch a computer off if doing so would mean that potentially valuable evidence could be lost. In both these circumstances the computer forensic examiner would need to carry out a 'live acquisition', which involves running a small program on the suspect computer in order to copy (or acquire) the data to the examiner's hard drive. By running such a program and attaching a destination drive to the suspect computer, the examiner will make changes and/or additions to the state of the computer which were not present before their actions. Such actions remain admissible as long as the examiner recorded their actions, was aware of their impact and is able to explain them.

Stages of an examination

For the purposes of this article the computer forensic examination process has been divided into six stages. Although they are presented in their usual chronological order, it is necessary during an examination to be flexible. For example, during the analysis stage the examiner may find a new lead which would warrant further computers being examined and would mean a return to the evaluation stage.

Readiness

Forensic readiness is an important and occasionally overlooked stage in the examination process. In commercial computer forensics it can include educating clients about system preparedness; for example, forensic examinations will provide stronger evidence if a server or computer's built-in auditing and logging systems are all switched on.
For examiners there are many areas where prior organisation can help, including training, regular testing and verification of equipment and software, familiarity with legislation, dealing with unexpected issues (e.g., what to do if child pornography is present during a commercial job) and ensuring that the on-site acquisition kit is complete and in working order.

Evaluation

The evaluation stage includes the receiving of clear instructions, risk analysis and allocation of roles and resources. Risk analysis for law enforcement may include an assessment of the likelihood of physical threat on entering a suspect's property and how best to deal with it. Commercial organisations also need to be aware of health and safety issues, while their evaluation would also cover reputational and financial risks in accepting a particular project.

Collection

The main part of the collection stage, acquisition, was introduced above. If acquisition is to be carried out on site rather than in a computer forensic laboratory then this stage would include identifying, securing and documenting the scene. Interviews or meetings with personnel who may hold information relevant to the examination (which could include the end users of the computer, the manager and the person responsible for providing computer services) would normally be carried out at this stage. Consideration should also be given to securely and safely transporting the material to the examiner's laboratory.

Analysis

Analysis depends on the specifics of each job. The examiner usually provides feedback to the client during analysis, and from this dialogue the analysis may take a different path or be narrowed to specific areas. Analysis must be accurate, thorough, impartial, recorded, repeatable and completed within the time-scales available and resources allocated. There are myriad tools available for computer forensics analysis.
The main requirement of a computer forensic tool is that it does exactly what it is meant to do, and the only way for examiners to be sure of this is to regularly test and calibrate the tools they use before analysis takes place. Dual-tool verification can confirm the integrity of results during analysis (if with tool 'A' the examiner finds artefact 'X' at location 'Y', then tool 'B' should replicate these results).

Presentation

This stage usually involves the examiner producing a structured report on their findings, addressing the points in the initial instructions along with any subsequent instructions. It would also cover any other information which the examiner deems relevant to the investigation. The report must be written with the end reader in mind; in many cases the reader of the report will be non-technical, so the terminology should acknowledge this. The examiner should also be prepared to participate in meetings or telephone conferences to discuss and elaborate on the report.

Review

Along with the readiness stage, the review stage is often overlooked or disregarded. This may be due to the perceived costs of doing work which is not billable, or the need 'to get on with the next job'. However, a review stage incorporated into each examination can save money and raise the level of quality by making future examinations more efficient and time-effective. A review of an examination can be simple and quick and can begin during any of the above stages. It may include a basic 'what went wrong and how can this be improved' and a 'what went well and how can it be incorporated into future examinations'. Feedback from the instructing party should also be sought. Any lessons learnt from this stage should be applied to the next examination and fed into the readiness stage.
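As an added example (written for this guide, not code from it), the Python below ties together the guidelines above, where the original must stay unchanged and an independent examiner must be able to repeat the process, and the dual-tool verification just described: the source is hashed before and after imaging, each step is logged, and two independent search routines must agree on where an artefact sits in the image. The 'suspect media', the artefact and all function names are constructed for this example.

```python
import hashlib
import re

# Constructed sample "suspect media": eight zero-filled 512-byte sectors with one
# text artefact embedded part-way through sector 3 (byte offset 1636).
SECTOR = 512
ARTEFACT = b"meeting at the warehouse"
ARTEFACT_OFFSET = SECTOR * 3 + 100
_media = bytearray(SECTOR * 8)
_media[ARTEFACT_OFFSET:ARTEFACT_OFFSET + len(ARTEFACT)] = ARTEFACT
SUSPECT_MEDIA = bytes(_media)

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify(reference_hash: str, image: bytes) -> bool:
    """True if the image still hashes to the value recorded at acquisition."""
    return sha256(image) == reference_hash

def acquire(source: bytes, log: list) -> tuple:
    """Bit-for-bit copy of the source with hashes recorded before and after.

    Every step goes into `log` so an independent examiner can repeat the process
    and reach the same result (principle 3); matching hashes show the original
    was not changed (principle 1) and that the copy is faithful.
    """
    before = sha256(source)
    log.append(f"source hash before imaging: {before}")
    image = bytes(source)  # stands in for a write-blocked sector-by-sector copy
    log.append(f"image hash: {sha256(image)}")
    ok = verify(before, image) and sha256(source) == before
    log.append("verification: " + ("PASS" if ok else "FAIL"))
    return image, before, ok

# Two independent "tools" for locating an artefact: tool A uses bytes.find,
# tool B a regular-expression scan. Their agreement is the dual-tool check.
def tool_a_find(image: bytes, needle: bytes) -> int:
    return image.find(needle)

def tool_b_find(image: bytes, needle: bytes) -> int:
    match = re.search(re.escape(needle), image)
    return match.start() if match else -1

def locate_with_dual_tool(image: bytes, needle: bytes) -> dict:
    a, b = tool_a_find(image, needle), tool_b_find(image, needle)
    return {"tool_a": a, "tool_b": b, "agree": a == b,
            "sector": a // SECTOR if a >= 0 else None}
```

Calling acquire(SUSPECT_MEDIA, []) returns the image, its reference hash and the verification result; locate_with_dual_tool(image, ARTEFACT) returns the offset each tool reports and whether they agree.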
Issues facing computer forensics

The issues facing computer forensics examiners can be broken down into three broad categories: technical, administrative and legal.

Technical issues

Encryption – Encrypted files or hard drives can be impossible for investigators to view without the correct password or key. Examiners should consider that the key or password may be stored elsewhere on the computer or on another computer which the suspect has had access to. It could also reside in the volatile memory of a computer (known as RAM [6]), which is usually lost on computer shut-down; another reason to consider using live acquisition techniques as outlined above.

Increasing storage space – Storage media holds ever greater amounts of data, which for the examiner means that their analysis computers need to have sufficient processing power and available storage to efficiently deal with searching and analysing enormous amounts of data.

New technologies – Computing is an ever-changing area, with new hardware, software and operating systems being constantly produced. No single computer forensic examiner can be an expert on all areas, though they may frequently be expected to analyse something which they haven't dealt with before. In order to deal with this situation, the examiner should be prepared and able to test and experiment with the behaviour of new technologies. Networking and sharing knowledge with other computer forensic examiners is also very useful in this respect, as it is likely someone else has already encountered the same issue.

Anti-forensics – This may include encryption, the over-writing of data to make it unrecoverable, the alteration of files' meta-data and file obfuscation (disguising files). As with encryption above, the evidence that such methods have been used may be stored elsewhere on the computer or on another computer which the suspect has had access to.
In our experience, it is very rare to see anti-forensics tools used correctly and frequently enough to totally obscure either their presence or the presence of the evidence they were used to hide.

Legal issues

Legal arguments may confuse or distract from a computer examiner's findings.

Trojan Defence – A Trojan is a piece of computer code disguised as something benign but which has a hidden and malicious purpose. Trojans have many uses, including key-logging [7], uploading and downloading of files and installation of viruses. A lawyer may be able to argue that actions on a computer were not carried out by a user but were automated by a Trojan without the user's knowledge; such a Trojan Defence has been successfully used even when no trace of a Trojan or other malicious code was found on the suspect's computer. In such cases, a competent opposing lawyer, supplied with evidence from a competent computer forensic analyst, should be able to dismiss such an argument.

Accepted standards – There are a plethora of standards and guidelines in computer forensics, few of which appear to be universally accepted. This is due to a number of reasons, including standard-setting bodies being tied to particular legislations, standards being aimed either at law enforcement or at commercial forensics but not at both, the authors of such standards not being accepted by their peers, or high joining fees dissuading practitioners from participating.

Fitness to practice – In many jurisdictions there is no qualifying body to check the competence and integrity of computer forensics professionals. In such cases anyone may present themselves as a computer forensic expert, which may result in computer forensic examinations of questionable quality and a negative view of the profession as a whole.

Resources and further reading

There does not appear to be a great amount of material covering computer forensics which is aimed at a non-technical readership.
However, the links at the bottom of this page may prove to be of interest.

For more information and deeper knowledge, please visit the following links.

