COMPUTER FORENSICS: AN OVERVIEW
Author: Yashwanth A S, III year of LL.B. from Dr RML College of Law, Bangalore.
The term “Computer Forensics” includes: “Collection, preservation, analysis and presentation of computer-related evidence and determining the past actions that have taken place on a system using computer forensic techniques.”
Computer forensics is the application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computing device and who was responsible for it.
Forensic investigators typically follow a standard set of procedures.
After physically isolating the device in question to make sure it cannot be accidentally contaminated, investigators make a digital copy of the device's storage media. Once the original media has been copied, it is locked in a safe or other secure facility to maintain its pristine condition. All investigation is done on the digital copy.
The uses of computer forensics are varied. They range from helping law enforcement officials in the investigation of child pornography, to investigating fraud, murder, espionage, rape and cyber-stalking. In the private sector, computer forensics has been used by commercial organizations to investigate a wide range of cases, including industrial espionage, fraud, intellectual property theft, forgeries, disputes with employees, regulatory compliance, bankruptcies and the inappropriate use of a computer, the Internet and email in the workplace.
Purpose of Computer Forensics
Computer forensics, like classic forensics, uses technology to look for evidence of a crime; here the evidence is digital. It tries to retrieve information even if it has been altered or erased, so that it can be used in the pursuit of an attacker or a criminal.
By its nature, the Internet cannot be confined to one jurisdiction, and computer forensics is consequently closely tied to this idea. Nowadays, citizens of the Information Society use a new kind of document that has gained the upper hand: the digital document.
A real revolution started with computers: they make it possible to convert any kind of data, text, picture or sound into a long binary sequence. This sequence is transferred to storage devices that are in constant evolution.
But where a traditional forensics specialist might collect and preserve fingerprints or other physical evidence, the computer forensics specialist collects and preserves digital evidence.
This collection of digital evidence must be done through carefully prescribed and recognized procedures so that the probative value of digital evidence is preserved to ensure its admissibility in a legal proceeding. Just as traditional forensics may involve people with different specialities, computer forensics involves a large number of professional specialities working together to gather, preserve and analyse digital evidence.
Why do we need Computer Forensics?
Consider a hypothetical scenario where a criminal has broken into an organization’s premises and stolen critical assets (money, data or reports). A responsible executive would not hesitate to call in professional forensics examiners and extend all of the necessary cooperation. Such cooperation might involve cordoning off the crime scene to ensure that:
• The area is not disturbed.
• Evidence is not accidentally contaminated or tampered with.
• Forensics professionals have access to the necessary information or locations.
Sources of information
One obvious source of information is a user’s computer, yet potential sources of digital data within a computer are not always obvious. While digital data exists on a computer’s hard drive, digital data may also be located on media devices attached to or inserted into a computer, such as CD-ROMs, floppy diskettes, backup tapes and memory cards, as well as in the cache memory of the computer. Data may also be located on shared drives, also known as network drives or file servers.
These shared drives act as centralized data repositories for user data that may be thought of as an electronic file room, with files indexed to facilitate the access by individuals and groups.
In many business environments, users save their work data, including word processing documents, e-mail messages, accounting and spreadsheet files, to shared drives.
Data may also be found in other locations:
• Smart cards may contain valuable information that could be of use to a computer criminal.
• PDAs may be used to store passwords or other useful data.
• Mobile phones reveal callers’ identities.
• Whenever an individual enters a building, the building security system creates an electronic record.
General challenges posed by digital evidence
As electronic data differ from traditional paper documents, they have to be handled accordingly.
Electronic v Paper Documents
Electronic documents are created at much greater rates than paper documents. Today nearly 6.8 trillion e-mail messages are generated in the USA every year, in addition to other electronic files such as word processing documents, spreadsheets, databases, graphic files and voice mail files. These data files can be stored in a multitude of locations, and although search terms are formulated to overcome the random data storage problem, in many instances search terms are an imprecise and flawed solution at best. When broad and all-encompassing search terms are used, the resultant number of documents captured is usually quite large.
Handling issues with Digital Data
Digital data poses other challenges. It must be properly extracted and handled because of its perishability: digital data can be erased, corrupted or modified in any number of ways, including improperly keyed commands, booby traps, improper procedures, stray magnetic fields, or merely starting a computer, which changes files. Therefore the computer forensic specialist must ensure that any collected digital evidence is not altered during or after its acquisition.
Chain of Custody
Throughout the process, the forensics specialist must also assure an accurate chain of custody to make sure that the evidence obtained retains its probative value. The importance of maintaining an accurate chain of custody cannot be overemphasized.
For any action to have a chance of success, there must be complete, thorough and convincing evidence that has been protected through a secure chain-of-custody procedure that tracks who has been involved in handling the evidence and where it has been stored. The computer forensic specialist must take special care to safeguard digital evidence from deliberate or inadvertent changes or erasure. Otherwise, the information collected will not be considered valid evidence in legal proceedings.
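The two handling requirements above (collected evidence must not be altered during or after acquisition, and the chain of custody must track who handled it and where it is stored) can be checked mechanically. The following Python code is an added example, not part of the original article: it assumes SHA-256 hashing as the integrity check and a hash-linked custody log, and all handler names, locations and timestamps are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed marker for "no previous entry"

def sha256_file(path, chunk=1 << 20):
    """Hash a media image in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def entry_digest(entry):
    """Digest of a custody entry, computed over every field except 'digest'."""
    body = {k: v for k, v in entry.items() if k != "digest"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def add_entry(log, when, handler, action, location, evidence_sha256):
    """Record who handled the evidence, what was done and where it is stored."""
    entry = {"when": when, "handler": handler, "action": action,
             "location": location, "evidence_sha256": evidence_sha256,
             "prev": log[-1]["digest"] if log else GENESIS}
    entry["digest"] = entry_digest(entry)
    log.append(entry)
    return entry

def verify_log(log, current_sha256):
    """Return a list of problems; an empty list means nothing was altered."""
    problems, prev = [], GENESIS
    for i, e in enumerate(log):
        if e["prev"] != prev:
            problems.append(f"entry {i}: link to previous entry is broken")
        if e["digest"] != entry_digest(e):
            problems.append(f"entry {i}: entry changed after it was written")
        if e["evidence_sha256"] != current_sha256:
            problems.append(f"entry {i}: evidence hash differs from the image")
        prev = e["digest"]
    return problems

if __name__ == "__main__":
    # Constructed stand-in for an image hash; names and times are made up.
    digest = hashlib.sha256(b"constructed disk image bytes").hexdigest()
    log = []
    add_entry(log, "2024-01-01T10:00Z", "Examiner A", "imaged media", "lab", digest)
    add_entry(log, "2024-01-01T11:00Z", "Custodian B", "sealed original", "safe", digest)
    print(verify_log(log, digest))  # empty list when the chain is intact
```

Hashing the original media and the working copy with sha256_file and comparing the two values confirms the copy is exact before any analysis starts; re-running verify_log later shows whether the image or any custody entry has changed since.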
Cybercrime, as explained in the previous paragraphs, is continually expanding owing to a large range of applications. In this paper, forensic analysis focuses on non-volatile memory. Future work concerns the normalization of the model to other legislations, defining a new model in relation to different types of media such as mobile phones, tablets and volatile memory, and to cloud computing. The last aspect may be the new challenge for computer forensics.
However, this issue of cyber-crime which can be made to the Italian system within the sphere of cybercrime and computer forensics due to its flexible nature. Additionally, the Linux tools for each phase are limited to a brief description or mention only, because their complex nature, characterized by various options, is well explained by many guides and manuals. Nevertheless, the paper provides a complete list of them and hence a way to carry out an analysis at low cost.
The discipline of computer forensics is very much concerned with the presentation of legally acceptable evidence, reports and conclusions. This has made it necessary for computer forensic investigators to follow certain rules and guidelines to preserve the integrity of their work. Work is not done, for instance, on the physical device in question; rather, after it has been physically isolated, the forensic analyst must make a digital copy of the information. It is the forensic analyst’s responsibility to avoid any change of information on a device that will be used as evidence in court. The audit trail created by the analyst must also be understandable, and a third party should be able to achieve the same results using the same processes.