Computer Forensics

What Is Computer Forensics? :- :- 

 

Computer forensics is simply the application of disciplined investigative techniques in the automated environment and the search, discovery, and analysis of potential evidence. It is the method used to investigate and analyze data maintained on or retrieved from electronic data storage media for the purposes of presentation in a court of law, civil or administrative proceeding. Evidence may be sought in a wide range of computer crime or misuse cases.

Computer forensics is rapidly becoming a science recognized on a par with other forensic sciences by the legal and law enforcement communities. As this trend continues, it will become even more important to handle and examine computer evidence properly. Not every department or organization has the resources to have trained computer forensic specialists on staff.

Computer Forensic Process

As in any investigation, establishing that an incident has occurred is the first key step. Secondly, the incident needs to be evaluated to determine if computer forensics may be required. Generally, if the computer incident resulted in a loss of time or money, or the destruction or compromise of information, it will require the application of computer forensic investigative techniques. When applied, the preservation of evidence is the first rule in the process. Failure to preserve evidence in its original state could jeopardize the entire investigation. Knowledge of how the crime was initiated and committed may be lost for good. Assignment of responsibility may not be possible if evidence is not meticulously and diligently preserved. The level of training and expertise required to execute a forensics task will largely depend on the level of evidence required in the case. If the result of the investigation were limited to administrative actions against an employee, the requirement would be lower than taking the case to court for civil or criminal litigation. 

Network Forensics

        As technology has advanced, computers have become incredibly powerful. Unfortunately, as computers get more sophisticated, so do the crimes committed with them. Distributed Denial of Service Attacks, ILOVEYOU and other viruses, Domain Name Hijacking, Trojan Horses, and Websites shut down are just a few of the hundreds of documented attack types generated by computers against other computers usually using an electronic network.

The need for security measures to prevent malicious attacks is well recognized and is a fertile research area as well as a promising practioner's marketplace. Though there is an immense effort ongoing to secure computer systems and prevent attacks, it is clear that computer and network attacks will continue to be successful. When attacks are successful, forensics techniques are needed to catch and punish the perpetrators, as well as to allow recovery of property and/or revenue lost in the attack.

Current Issues

Users scare that if they use disk imaging tools, it might altered the layout of the copy and omits free and deleted space. In computer forensics, priority and emphasis are on accuracy and evidential integrity and security Doing analysis directly on original evidence might changes or alters the evidence. Due to that, it is essential to have a forensically sound of copy from original evidence.

Another issue is regarding internal verification. When done with imaging process, it is important to have one procedure or mechanism to determine that the evidence has not been altered or damaged. Internal verification is the only way to check the validity of the copy from the original drive.

In computer forensics, for cases that take years to be resolved, the evidence that has been imaged need to be stored into appropriate media. Appropriate media must be chosen to avoid any alteration or contamination of the evidence.

Training The Investigative Team

The investigative procedure that follows an attack needs to be carried out with precaution and the investigative team must have computer forensics skills. We have to make sure the investigative team members have the abilities necessary to follow the investigative procedure. During a preliminary investigation, the investigative team will use these skills to determine whether an attack actually occurred, and if possible to identify the crime by determining how it was committed and who did it, and find the evidence left behind. In order to do this, the investigative team needs to understand the steps followed by the attacker so that they can be retraced.

Utilize Data Indexes

The first step of an investigation is to check all the potential evidence collected. This is easier said than done, especially since extensive logging produces a great volume of data. The amount of time to search through each entry in a log file is analogous to the amount of time necessary to go through all the books on a shelf one by one. Examples of the type of information we may want to include in the summaries are the date, source/origin, destination, service port, and duration of TCP connection occurring on the network, the URL from every web request, the origin and destination of SMTP sessions, and the user identification from all Telnet, FTP, and relogin sessions.

Conclusion

Practical investigations tend to rely on multiple streams of evidence which corroborate each other - each stream may have its weaknesses, but taken together may point to a single conclusion.

Disk forensics may remain for some time the single most important form of digital evidence .Increasing number of computer crime means increasing demand for computer forensics services. In doing computer forensics investigation, choosing the right disk imaging tool is very  important. There is no standard conformity of computer forensic imaging methodology or tool. This paper only provides guidance and suggestions regarding imaging tool. It should not be constructed as mandatory requirement.