WHAT IS COMPUTER FORENSICS? |
Computer forensics otherwise known as "digital forensics" is a process of electronic discovery to acquire digital evidence, analyse facts and report on a case by examining digital devices such as computers, hard drives or any other storage media or network conducted by a suitably trained computer forensic analyst in order to investigate a claim or allegation.
Computer forensics involves 4 basic steps:
1. Acquisition and collection of data
2. Examination
3. Analysis
4. Reporting
|
 |
The forensic investigator must be suitably trained to perform the specific type of investigation requested by the client who can be a solicitor, private detective, company manager, prosecuting agent or law enforcing agency. A computer forensic specialist will initially examine each computer forensic case to determine the complexity level of the case so that an appropriately trained digital forensic investigator or team of investigators is assigned to the job. It is at this level that all the costs, logistics and duration of the investigation is determined and communicated to the client. Depending on the case, there may be a charge for the initial assessment which will be agreed at the time of the computer forensic service inquiry.
|
|
Acquiring and Collecting Digital Evidence
|
Digital evidence can be collected from many sources. Obvious sources include computers, mobile phones, digital cameras, hard drives, CD-ROM, USB memory sticks and so on. Non-obvious sources include RFID tags, and web pages which must be preserved as they are subject to change.
We will take special care when handling computer evidence: most digital information is volatile can be easily changed, and once modified, it is usually difficult to detect the changes or to revert the data back to its original state. For this reason, we will carry out and calculate a cryptographic hash of digital evidence and record that hash in a safe place to prevent any digital evidence contamination. This is essential as the computer forensic investigators will be able to establish at a later stage whether or not the original digital evidence has been tampered with since the hash was initiated and calculated.
|
Imaging electronic media evidence
|
| As as an initial stage of our computer forensic investigation, we may have to to create an exact duplicate of the original evidentiary media. We use a combination of standalone hard-drive duplicators or software imaging tools so that the entire hard drive is fully cloned. We will do this at the at the sector level, making a bit-stream copy of every part of the user-accessible areas of the hard drive which can physically store data, rather than duplicating the file system. We will then transfer the original drive to secure storage to prevent any tampering. During the imaging process, we will use a write-protection or write-blocking device or application to ensure that no information is introduced onto the evidentiary media during the computer forensic investigation process. |
