Computer forensics (also referred to as Computer forensic science) is a branch of digital forensic science regarding proof found in computers and digital storage media. The aim of computer forensics is to look at digital media in a very forensically sound manner with the aim of distinctive, preserving, recovering, analyzing and presenting facts and opinions concerning the digital info.
The computer forensics plays a significant role in a corporation because our dependency on computing devices and internet is increasing day-by-day. in step with a survey conducted by the University of California, 93% of all the information generated throughout 1999 was generated in digital type, on computers, only 7% of the remaining info was generated using different sources like paper etc. It not forever straight forward to gather pieces of evidence because the knowledge is also tempered, deleted, hidden or encrypted.
Digital forensics investigation could be an extremely hot task that desires the expose of varied tools, techniques, and tips for finding and ill the digital evidence from the crime scene or the digital equipment utilized in the crime. With digital equipment like smartphones, tablets, palmtops, smart tv, etc having increasing process capabilities and computation speed, the likelihood of use of those devices in cybercrime can’t be dominated out. A forensic investigator should not only have a deep understanding of the operating of those devices and conjointly active exposure to the tools for correct data retrieval in order that the worth and integrity of the information is preserved.
A computer is often used on purpose or accidentally to cybercrime. The intentional use is to use your computer to send hate mails or putting in a cracked version of an associate degree otherwise licensed code into your computer. Unintentional use is that the computer you’re victimization contains the virus and it unfolds into the network and out of doors the network inflicting major loss to somebody in monetary terms. Similarly, a computer is often directly wont to commit a digital crime. for instance, your computer is employed to access sensitive and classified knowledge and therefore the data is distributed somebody inside/outside the network, the World Health Organization will use this data for his own profit. The indirect use of the computer is once whereas downloading a crack of code, a trojan horse holds on within the computer, whereas creates a backdoor within the network to facilitate hacker. currently, the hacker logs into your computer and uses it for committing cybercrime. associate degree knowledgeable computer forensics investigator plays a vital role in identifying the direct and indirect attack. computer forensic consultants also are helpful for recovery of accidental knowledge loss, to sight industrial undercover work, counterfeiting, etc.
In massive organizations, as presently as cybercrime is detected by the incident handling team, that is liable for observance and detection of security events on a computer or network, initial incident management processes are followed. this is often an associate degree in-house method. It follows the following steps:
- Preparation: The organization prepares tips for incident response and assigns roles and therefore the responsibilities of every member of the incident response team. Most of the large organizations earn a name within the market and any negative sentiment might negatively have an effect on the emotions of the shareholders. Therefore, efficient communication is needed to declare the incident. Hence, distribution of the roles supported the skill-set of a member is vital.
- Identification: Supported the traits the incident response team verifies whether or not an occasion had truly occurred. one amongest the foremost common procedures to verify the event is
examining the logs. Once the prevalence of the event is verified, the impact of the attack is to be assessed.
- Containment: Supported the feedback from the assessment team, the longer term course of action to retort to the incident is planned during this step.
- Eradication: During this step, the strategy for the wipeout or mitigate of the reason behind the threat is planned and dead.
- Recovery: It’s the method of returning to the conventional operational state when eradication of the matter.
- Lesson Learned: If a replacement form of the incident is an encounter, it’s documented in order that this knowledge is often wont to handle such things in the future.
The second step within the method is computer forensic investigation is doled out to search out the proof of the crime, which is usually performed by third-party corporations. the computer forensic investigation involves the following steps:
- Establish incident and evidence: this is often the primary step performed by the system administrator wherever he tries to collect the maximum amount of info as attainable concerning the incident. supported this info the scope and severity of the attack are assessed. Once the proof of the attack is discovered, the backup of the identical is taken for the investigation purpose. The rhetorical investigation is rarely performed on the first machine however on the information that’s remodeled from the backup.
- Collect and preserve evidence: varied tools like Helix, WinHex, FKT Imager, etc. are wont to capture the information. Once the backup of the information is obtained, the custody of the proof and therefore the backup is taken. MD5(message digest) hash of the backup is calculated and matched with the first one to test the integrity of the information. Other important sources of knowledge like system log, network info, logs generated by Intrusion Detection Systems(IDS), port and method info also are captured.
- Investigate: The image of the disk is remodeled from the backup and therefore the investigation is performed by reviewing the logs, system files, deleted and updates files, processor uses and process logs, temporary files, secret protected and encrypted files, images, videos and knowledge files for attainable steganographic message, etc.
- Summarize and Presentation: The summary of the incident is given in chronological order. supported the investigation, conclusions are drawn and the attainable cause is explained.
While finishing up the digital forensic investigation, rules and procedures should be applied. Especially whereas capturing the proof. It ought to be ensured that the actions that are taken for capturing the information don’t amendment the proof. The integrity of the information ought to be maintained. It should be ensured that the devices used for capturing the backup are free from contamination. Moreover, all the activities associated with seizure, access, storage or transfer of digital proof must be absolutely documented, preserved and obtainable for the review. prevention is usually higher than the cure. it’s forever counseled to fine tune your intrusion detection system like firewall occasionally perform penetration tests on your network to avoid pray to the hacker. however last but not the least, report the crime.
Shake a tree and a computer forensics certification is guaranteed to fall out. If this list is overwhelming, do a quick survey of job descriptions and talk to your colleagues/mentors. Most employers (e.g. Department of Homeland Security) will specify their preferred accreditations.
- CCE: Certified Computer Examiner
- CEH: Certified Ethical Hacker
- EnCE: EnCase Certified Examiner
- GCFE: GIAC Certified Forensic Examiner
- GCFA: GIAC Certified Forensic Analyst
- GCIH: GIAC Certified Incident Handler
- CCFE: Certified Computer Forensics Examiner
- CPT: Certified Penetration Tester
- CREA: Certified Reverse Engineering Analyst
In our survey of job descriptions, we have seen employers call for technical skills such as:
- Network skills, including TCP/IP-based network communications (much of modern forensics involves reading network traces)
- Windows, UNIX and Linux operating systems
- C, C++, C#, Java and similar programming languages
- Computer hardware and software systems
- Operating system installation, patching and configuration
- Backup and archiving technologies
- Cryptography principles
- eDiscovery tools (NUIX, Relativity, Clearwell, etc.)
- Forensic software applications (e.g. EnCase, FTK, Helix, Cellebrite, XRY, etc.)
- Data processing skills in electronic disclosure environments
- Evidence handling procedures and ACPO guidelines
- Cloud computing
Jobs and Responsibilities
During the course of your day, you may be required to:
- Conduct data breach and security incident investigations
- Recover and examine data from computers and electronic storage devices
- Dismantle and rebuild damaged systems to retrieve lost data
- Identify additional systems/networks compromised by cyber attacks
- Compile evidence for legal cases
- Draft technical reports, write declarations and prepare evidence for trial
- Give expert counsel to attorneys about electronic evidence in a case
- Advise law enforcement on the credibility of acquired data
- Provide expert testimony at court proceedings
- Train law enforcement officers on computer evidence procedures
- Keep abreast of emerging technologies, software and methodologies
- Stay proficient in forensic, response and reverse engineering skills