Beginner’s Guide to Computer Forensics

Introduction

Computer forensics may be used in the prevention and detection of crime and in any dispute where evidence is stored digitally. Computer forensics has similar examination stages to other forensic disciplines and faces related difficulties.

About this guide

This guide discusses computer forensics from a neutral perspective. It is not linked to particular legislation or intended to promote a particular business or product, and it is not written in bias of either law enforcement or commercial computer forensics. It is aimed at a non-technical audience and provides a high-level view of computer forensics. Where methodologies are mentioned they are provided as examples only and do not constitute advice or recommendations. Copying and publishing the whole or part of this article is licensed only under the terms of the Creative Commons – Attribution Non-Commercial 3.0 licence.

There are few areas of crime or dispute where computer forensics cannot be applied. Law enforcement agencies have been among the earliest and heaviest users of computer forensics and have often been at the forefront of developments in the field. Computers may constitute a 'scene of a crime', for example with hacking [1] or denial of service attacks [2], or they may hold evidence in the form of emails, internet history, documents or other files relevant to crimes such as murder, kidnap, fraud and drug trafficking. It is not just the content of emails, documents and other files which may be of interest to investigators but also the 'meta-data' [3] associated with those files. A computer forensic examination may reveal when a document first appeared on a computer, when it was last edited, when it was last saved or published and which user carried out these actions.

More recently, commercial organisations have used computer forensics to their benefit in a variety of cases such as:

- Intellectual property theft
- Industrial espionage
- Employment disputes
- Fraud investigations
- Forgeries
- Matrimonial issues
- Bankruptcy investigations
- Inappropriate email and internet use in the workplace
- Regulatory compliance

Guidelines

One set of guidelines which has been widely accepted to help in this is the Association of Chief Police Officers Good Practice Guide for Computer Based Electronic Evidence, or ACPO Guide for short. In circumstances where a person finds it necessary to access original data held on a computer or storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions. An independent third party should be able to examine those processes and achieve the same result. The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to. In summary, no changes should be made to the original; however, if access or changes are necessary, the examiner must know what they are doing and must document their actions.

Live acquisition

The second principle above (that original data may be accessed only by someone competent to do so and able to account for their actions) raises the question: in what situation would changes to a suspect's computer by a computer forensic examiner be necessary? Traditionally, the computer forensic examiner would make a copy of (or acquire) information from a device which is switched off. The examiner would then work from this copy, leaving the original demonstrably unchanged. However, sometimes it is not possible or desirable to switch a computer off. It may not be possible if doing so would result in considerable financial or other loss for the owner. It may not be desirable if doing so would mean that potentially valuable evidence may be lost.

In both these circumstances the computer forensic examiner would need to carry out a 'live acquisition', which would involve running a small program on the suspect computer in order to copy (or acquire) the data to the examiner's hard drive. By running such a program and attaching a destination drive to the suspect computer, the examiner will make changes and/or additions to the state of the computer which were not present before their actions. Such actions would remain admissible as long as the examiner recorded their actions, was aware of their impact and was able to explain their actions.

Stages of an examination

For the purposes of this article the computer forensic examination process has been divided into six stages. Although they are presented in their usual chronological order, it is necessary during an examination to be flexible. For example, during the analysis stage the examiner may find a new lead which would warrant further computers being examined and would mean a return to the evaluation stage.

Readiness

Forensic readiness is an important and occasionally overlooked stage in the examination process. In commercial computer forensics it can include educating clients about system preparedness; for example, forensic examinations will provide stronger evidence if a server or computer's built-in auditing and logging systems are all switched on. For examiners there are many areas where prior organisation can help, including training, regular testing and verification of software and equipment, familiarity with legislation, dealing with unexpected issues (e.g., what to do if indecent images of children are present during a commercial job) and ensuring that the on-site acquisition kit is complete and in working order.

Assessment

The assessment stage includes the receiving of clear instructions, risk analysis and allocation of roles and resources. Risk analysis for law enforcement may include an assessment of the likelihood of physical threat on entering a suspect's property and how best to deal with it. Commercial organisations also need to be aware of health and safety issues, while their assessment would also cover reputational and financial risks on accepting a particular project.

Collection

The main part of the collection stage, acquisition, has been introduced above. If acquisition is to be carried out on-site rather than in a computer forensic laboratory then this stage would include identifying, securing and documenting the scene. Interviews or meetings with personnel who may hold information relevant to the examination (which could include the end users of the computer, and the manager and person responsible for providing computer services) would usually be carried out at this stage. Consideration also needs to be given to securely and safely transporting the material to the examiner's laboratory.

Analysis

Analysis depends on the specifics of each job. The examiner usually provides feedback to the client during analysis, and from this dialogue the analysis may take a different path or be narrowed to specific areas. Analysis must be accurate, thorough, impartial, recorded, repeatable and completed within the time-scales available and resources allocated. The main requirement of a computer forensic tool is that it does what it is meant to do, and the only way for examiners to be sure of this is to regularly test and calibrate the tools they use before analysis takes place. Dual-tool verification can confirm result integrity during analysis (if with tool 'A' the examiner finds artefact 'X' at location 'Y', then tool 'B' should replicate these results).
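The ACPO points above (leave the original unchanged, document every action) and the verification idea from the analysis stage, shown as an added Python example that is not from the guide or any named product: the source is hashed before imaging, the working copy is re-hashed with two algorithms, and contemporaneous notes are kept. The device contents, the examiner identifier and the function names are constructed for illustration.

```python
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for a suspect's storage device; in practice this would be
# a write-blocked block device, not an in-memory byte string.
SOURCE_DEVICE = (b"mailbox.pst|browser_history.db|report.docx|unallocated space|") * 256
EXAMINER = "examiner_placeholder"   # hypothetical examiner identifier


def note(log: list, action: str) -> None:
    """Append a timestamped contemporaneous note (ACPO: document your actions)."""
    log.append(f"{datetime.now(timezone.utc).isoformat()} {EXAMINER}: {action}")


def digests(data: bytes) -> dict:
    """Two different hash algorithms, as examiners commonly record both."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def acquire(source: bytes, log: list) -> tuple:
    """Hash the original, take a byte-for-byte copy, return (image, recorded hashes)."""
    note(log, "computed source hashes before imaging")
    recorded = digests(source)
    image = bytes(source)           # the working copy the examiner analyses
    note(log, f"imaged source to examiner drive; sha256={recorded['sha256'][:16]}...")
    return image, recorded


def verify(image: bytes, recorded: dict, log: list) -> bool:
    """Re-hash the working copy; both digests must match the recorded values."""
    ok = digests(image) == recorded
    note(log, "image verified against source hashes" if ok
              else "VERIFICATION FAILED: image differs from recorded hashes")
    return ok


if __name__ == "__main__":
    log = []
    image, recorded = acquire(SOURCE_DEVICE, log)
    print("fresh image verifies:", verify(image, recorded, log))
    # Simulate a single stray write to the working copy (e.g. a tool updating a
    # timestamp): even one changed byte is caught by re-verification.
    altered = bytearray(image)
    altered[0] ^= 0x01
    print("altered image verifies:", verify(bytes(altered), recorded, log))
    print(*log, sep="\n")
```

The notes list is the examiner's record of what was done and when; a failed verification is itself logged rather than silently discarded.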
Presentation

This stage usually involves the examiner producing a structured report on their findings, addressing the points in the initial instructions along with any subsequent instructions. It would also cover any other information which the examiner deems relevant to the investigation. The report must be written with the end reader in mind; in many cases the reader of the report will be non-technical, so the terminology should acknowledge this. The examiner should also be prepared to participate in meetings or telephone conferences to discuss and elaborate on the report.

Review

Along with the readiness stage, the review stage is often overlooked or disregarded. This may be due to the perceived costs of doing work that is not billable, or the need 'to get on with the next job'. However, a review stage incorporated into each examination can save money and raise the level of quality by making future examinations more efficient and time effective. A review of an examination can be simple, quick and can begin during any of the above stages. It may include a basic 'what went wrong and how can this be improved' and a 'what went well and how can it be incorporated into future examinations'. Feedback from the instructing party should also be sought. Any lessons learnt from this stage should be applied to the next examination and fed into the readiness stage.

Issues facing computer forensics

The issues facing computer forensics examiners can be broken down into three broad categories: technical, legal and administrative.

Technical issues

Encryption – Encrypted files or hard drives can be impossible for investigators to view without the correct key or password. The key or password may also reside in the volatile memory of a computer (known as RAM [6]), which is usually lost on computer shut-down; this is another reason to consider using live acquisition techniques, as outlined above.

Increasing storage space – Storage media holds ever greater amounts of data, which for the examiner means that their analysis computers need to have sufficient processing power and available storage to efficiently deal with searching and analysing enormous amounts of data.

New technologies – Computing is an ever-changing field, with new hardware, software and operating systems being produced constantly. No single computer forensic examiner can be an expert in all areas, though they may frequently be expected to analyse something which they have not dealt with before. In order to deal with this situation, the examiner should be prepared and able to test and experiment with the behaviour of new technologies. Networking and sharing knowledge with other computer forensic examiners is also very useful in this respect, as it is likely that someone else has already encountered the same issue.

Anti-forensics – Attempts to thwart forensic analysis can include encryption, the over-writing of data to make it unrecoverable, the modification of files' meta-data and file obfuscation (disguising files). As with encryption above, the evidence that such methods have been used may be stored elsewhere on the computer or on another computer which the suspect has had access to. In our experience, it is very rare to see anti-forensics tools used correctly and frequently enough to totally obscure either their presence or the presence of the evidence they were used to hide.

Legal issues

Trojan Defence – A Trojan is a piece of computer code disguised as something benign but which has a hidden and malicious purpose. Trojans have many uses, and include key-logging [7], uploading and downloading of files and installation of viruses. A lawyer may be able to argue that actions on a computer were not carried out by a user but were automated by a Trojan without the user's knowledge; such a Trojan Defence has been successfully used even when no trace of a Trojan or other malicious code was found on the suspect's computer. In such cases, a competent opposing lawyer, supplied with evidence from a competent computer forensic analyst, should be able to dismiss such an argument.

Administrative issues

Accepted standards – There are a plethora of standards and guidelines in computer forensics, few of which appear to be universally accepted. This is due to a number of reasons, including standard-setting bodies being tied to particular legislations, standards being aimed either at law enforcement or at commercial forensics but not at both, the authors of such standards not being accepted by their peers, or high joining fees dissuading practitioners from participating. Without accepted standards, anyone may present themselves as a computer forensic expert, which may result in computer forensic examinations of questionable quality and a negative view of the profession as a whole.

Resources and further reading

There does not appear to be a great deal of material covering computer forensics which is aimed at a non-technical readership. However, the following links may prove to be of interest.
