What Is Computer Forensics?
Computer forensics is simply the application of disciplined investigative techniques in the automated environment and the search, discovery, and analysis of potential evidence. It is the method used to investigate and analyze data maintained on or retrieved from electronic data storage media for the purposes of presentation in a court of law, civil or administrative proceeding. Evidence may be sought in a wide range of computer crime or misuse cases.
Computer forensics is rapidly becoming a science recognized on a par with other forensic sciences by the legal and law enforcement communities. As this trend continues, it will become even more important to handle and examine computer evidence properly. Not every department or organization has the resources to have trained computer forensic specialists on staff.
Computer Forensic Process
As in any investigation, establishing that an incident has occurred is the first key step. Secondly, the incident needs to be evaluated to determine if computer forensics may be required. Generally, if the computer incident resulted in a loss of time or money, or the destruction or compromise of information, it will require the application of computer forensic investigative techniques. When applied, the preservation of evidence is the first rule in the process. Failure to preserve evidence in its original state could jeopardize the entire investigation. Knowledge of how the crime was initiated and committed may be lost for good. Assignment of responsibility may not be possible if evidence is not meticulously and diligently preserved. The level of training and expertise required to execute a forensics task will largely depend on the level of evidence required in the case. If the result of the investigation were limited to administrative actions against an employee, the requirement would be lower than for taking the case to court for civil or criminal litigation.
Network Forensics
As technology has advanced, computers have become incredibly powerful. Unfortunately, as computers get more sophisticated, so do the crimes committed with them. Distributed Denial of Service attacks, ILOVEYOU and other viruses, domain name hijacking, Trojan horses, and website shutdowns are just a few of the hundreds of documented attack types generated by computers against other computers, usually over an electronic network.
The need for security measures to prevent malicious attacks is well recognized and is a fertile research area as well as a promising practitioner's marketplace. Though there is an immense effort ongoing to secure computer systems and prevent attacks, it is clear that computer and network attacks will continue to be successful. When attacks are successful, forensics techniques are needed to catch and punish the perpetrators, as well as to allow recovery of property and/or revenue lost in the attack.
Current Issues
Users worry that if they use disk imaging tools, the tool might alter the layout of the copy and omit free and deleted space. In computer forensics, the priority and emphasis are on accuracy, evidential integrity, and security. Doing analysis directly on the original evidence might change or alter the evidence. Because of that, it is essential to have a forensically sound copy of the original evidence.
Another issue concerns internal verification. When the imaging process is complete, it is important to have a procedure or mechanism to determine that the evidence has not been altered or damaged. Internal verification is the only way to check the validity of the copy against the original drive.
In computer forensics, for cases that take years to be resolved, the evidence that has been imaged needs to be stored on appropriate media. The media must be chosen to avoid any alteration or contamination of the evidence.
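The imaging and internal-verification steps described above, as an added example that is not part of the original article: the source is copied block by block (so free and deleted space is included), the bytes are hashed as they are read, the finished image is re-read from disk and hashed independently, and the recorded digest is used later to detect alteration of the stored image. File names, the constructed drive contents and the demo() helper are assumptions made for the example.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 4096  # read sector-sized blocks, as a physical imaging tool would

def hash_file(path, algorithm="sha256"):
    """Hash a file block by block so large images never need to fit in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK_SIZE), b""):
            digest.update(block)
    return digest.hexdigest()

def image_and_verify(source_path, image_path, algorithm="sha256"):
    """Copy every block of the source (allocated, free and deleted space alike),
    hashing the bytes as they are read; then re-read the finished image from disk
    and hash it independently. Returns (source_hash, image_hash, hashes_match)."""
    source_digest = hashlib.new(algorithm)
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(BLOCK_SIZE), b""):
            source_digest.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())  # hash what actually reached the disk, not a buffer
    source_hex = source_digest.hexdigest()
    image_hex = hash_file(image_path, algorithm)
    return source_hex, image_hex, source_hex == image_hex

def verify_stored_image(image_path, acquisition_digest, algorithm="sha256"):
    """Re-check an archived image against the digest recorded at acquisition."""
    return hash_file(image_path, algorithm) == acquisition_digest

def demo():
    """Run the workflow on a constructed 'drive' in a temporary directory."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "evidence_drive.bin")
    image = os.path.join(workdir, "evidence_drive.dd")
    # Constructed content: a live file, zeroed free space, a deleted-file remnant.
    content = (b"live document text" + b"\x00" * 6000
               + b"remnant of deleted file" + b"\xff" * 2100)
    with open(source, "wb") as f:
        f.write(content)
    source_hex, image_hex, verified = image_and_verify(source, image)
    with open(image, "r+b") as f:  # simulate one corrupted byte in storage
        f.seek(6100)
        f.write(b"\x01")
    tamper_detected = not verify_stored_image(image, source_hex)
    return {"source_hash": source_hex, "image_hash": image_hex,
            "verified": verified, "tamper_detected": tamper_detected}
```

In practice the source would be attached through a write blocker and both digests recorded in the case notes; the single flipped byte in demo() is enough to change the SHA-256 digest and fail the later verification.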
Training the Investigative Team
The investigative procedure that follows an attack needs to be carried out with precaution, and the investigative team must have computer forensics skills. We have to make sure the investigative team members have the abilities necessary to follow the investigative procedure. During a preliminary investigation, the investigative team will use these skills to determine whether an attack actually occurred and, if possible, to identify the crime by determining how it was committed and who did it, and to find the evidence left behind. In order to do this, the investigative team needs to understand the steps followed by the attacker so that they can be retraced.
Utilize Data Indexes
The first step of an investigation is to check all the potential evidence collected. This is easier said than done, especially since extensive logging produces a great volume of data. The amount of time needed to search through each entry in a log file is analogous to the amount of time necessary to go through all the books on a shelf one by one. Examples of the type of information we may want to include in the summaries are the date, source/origin, destination, service port, and duration of each TCP connection occurring on the network, the URL from every web request, the origin and destination of SMTP sessions, and the user identification from all Telnet, FTP, and rlogin sessions.
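A small indexer for the connection summaries described above, added here as an example and not part of the original article: it reduces each raw log entry to the date, source, destination, service port and duration, and keeps those records in lookup tables so that a question such as "which hosts connected to port 23 on a given day" is answered by a dictionary lookup instead of a scan of every entry. The log format, the sample lines and the function names are constructed for the example.

```python
import re
from collections import defaultdict
# Constructed sample of connection records (not real traffic):
# timestamp proto source:port -> destination:port dur=seconds
SAMPLE_LOG = """\
2001-03-14T10:22:01 tcp 10.0.0.5:51234 -> 192.168.1.10:80 dur=12.5
2001-03-14T10:22:07 tcp 10.0.0.5:51235 -> 192.168.1.10:80 dur=0.4
2001-03-14T10:23:40 tcp 10.0.0.9:40022 -> 192.168.1.10:23 dur=912.0
2001-03-15T02:11:09 tcp 10.0.0.9:40023 -> 192.168.1.20:25 dur=3.1
2001-03-15T02:11:30 tcp 172.16.4.4:6000 -> 192.168.1.10:23 dur=1801.6
this line is malformed and must be skipped, not crash the indexer
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"dur=(?P<dur>\d+(?:\.\d+)?)$")

def parse_line(line):
    """Turn one log line into a summary record, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {"date": m["ts"][:10], "time": m["ts"][11:], "proto": m["proto"],
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
            "duration": float(m["dur"])}

def build_index(log_text):
    """Index summary records by date, source host and destination port so a
    question is answered by one lookup instead of a scan of every log entry."""
    index = {"records": [], "by_date": defaultdict(list),
             "by_source": defaultdict(list), "by_dport": defaultdict(list)}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        index["records"].append(rec)
        index["by_date"][rec["date"]].append(rec)
        index["by_source"][rec["src"]].append(rec)
        index["by_dport"][rec["dport"]].append(rec)
    return index

def sources_on_date(index, date):
    """Distinct source hosts seen on a given day, in sorted order."""
    return sorted({r["src"] for r in index["by_date"].get(date, [])})

def port_summary(index):
    """Per destination port: (connection count, total duration in seconds)."""
    return {port: (len(recs), round(sum(r["duration"] for r in recs), 1))
            for port, recs in index["by_dport"].items()}
```

The malformed sample line is skipped rather than aborting the run, which matters when the index is built from gigabytes of partially corrupted logs.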
Conclusion
Practical investigations tend to rely on multiple streams of evidence which corroborate each other - each stream may have its weaknesses, but taken together they may point to a single conclusion.
Disk forensics may remain for some time the single most important form of digital evidence. An increasing number of computer crimes means increasing demand for computer forensics services. In a computer forensics investigation, choosing the right disk imaging tool is very important. There is no standard conformity of computer forensic imaging methodology or tool. This paper only provides guidance and suggestions regarding imaging tools. It should not be construed as a mandatory requirement.