Introduction to Digital Forensics
What is Digital Forensics?
Credit to frankwxu
The application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after:
- Proper search authority
- Chain of custody (Evidence Transmittal Letter)
- Validation with mathematics (hash function)
- Use of validated tools
- Repeatability
- Reporting
- Possible expert presentation
The application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody of the data.
Types of Digital Investigations
Public-sector investigations: Involve government agencies responsible for criminal investigations and prosecution.
Private-sector investigations: Involve policy violations, e-mail harassment, falsification of data, gender and age discrimination, embezzlement, sabotage, and industrial espionage.
Steps of digital investigation
- Procedure of gathering the evidence (evidence media)
- Acquiring an image of evidence media
- Analysing digital evidence
- Produce a final report
- Critiquing the case
Procedure of gathering the Evidence
- Meet the IT manager to interview him.
- Fill out the evidence form and have the IT manager sign it.
- Place the evidence in a secure container.
- Carry the evidence to the computer forensics lab.
- Complete the evidence custody form.
- Secure the evidence by locking the container.
Acquiring an image of evidence media
A bit-by-bit copy of the original storage medium, including deleted files, e-mail messages and recoverable file fragments, known as an “image” or “image file”.
Backup software only copies known files; it cannot copy deleted files or e-mail messages, or recover file fragments.
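The difference between an image and a backup, and the hash validation listed in the definition above, shown as an added example (not part of the original notes). The 4-sector medium, its toy file table and the file names are constructed for illustration; a real file system is far more complex.

```python
import hashlib, os, tempfile

SECTOR = 512  # bytes per sector on the constructed medium

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large images never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def acquire_image(src, dst, chunk=1 << 20):
    """Bit-by-bit copy of src to dst; returns (source_hash, image_hash)."""
    h = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(chunk), b""):
            h.update(block)   # hash exactly the bytes read from the evidence
            fout.write(block)
    return h.hexdigest(), sha256_file(dst)  # re-read the image to validate it

def file_level_backup(medium, table):
    """What backup software sees: only files still listed in the file table."""
    return {name: medium[start * SECTOR:(start + n) * SECTOR]
            for name, (start, n) in table.items()}

def build_constructed_medium():
    """Toy 4-sector medium: sector 1 holds a live file, sector 2 a deleted one."""
    sectors = [b"\x00" * SECTOR for _ in range(4)]
    sectors[1] = b"quarterly report".ljust(SECTOR, b"\x00")
    sectors[2] = b"DELETED: transfer memo".ljust(SECTOR, b"\x00")
    table = {"report.txt": (1, 1)}  # the deleted file has no table entry
    return b"".join(sectors), table

def demo():
    medium, table = build_constructed_medium()
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "evidence.bin"), os.path.join(d, "image.dd")
        with open(src, "wb") as f:
            f.write(medium)
        src_hash, img_hash = acquire_image(src, dst)
        with open(dst, "rb") as f:
            image = f.read()
    backup = b"".join(file_level_backup(medium, table).values())
    return {"hashes_match": src_hash == img_hash,
            "deleted_in_image": b"DELETED: transfer memo" in image,
            "deleted_in_backup": b"DELETED: transfer memo" in backup}

if __name__ == "__main__":
    print(demo())
```

Matching hashes show the image is identical to the source at acquisition time; re-hashing the image later and comparing against the recorded value shows it has not changed since.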
Analysing Digital Evidence
- OS, applications, files, logs
- Deleted files
- File fragments
- Memory
Produce a final report
Document your work. Findings should be repeatable. Present conclusive evidence that the suspect did or did not commit a crime or violate a company policy.
Who, what, when, where, why, and how?
Formalise evidence.
Critiquing the Case
- How could you improve your performance in the case?
- Did you expect the results you found? Did the case develop in ways you did not expect?
- Was the documentation as thorough as it could have been?
- What feedback has been received from the requesting source?
- Did you discover any new problems? If so, what are they?
- Did you use new techniques during the case or during research?