Brain Dump

Digital Forensics

Tags
security

The [see page 3, process] of collecting, examining, analysing and reporting of digital evidence (sometimes involved in cyber crime) without any damage.

Digital forensics is the detection, extraction and preservation of digital evidence from digital media that is accurate, authentic and admissible as evidence in a court of law.

The [see page 5, principles] of digital forensics are:

  • The crime-scene has to be frozen, evidence must be collected early and without contamination.
  • There must be continuity of evidence.
  • Examination procedures must be auditable (experiments must be reproducible, and a third party must obtain the same results).

The Forensic Process

The [see page 5, stages] a forensic-investigator will go through when acquiring some digital evidence.

Authorisation and Preparation

Is a [see page 6, prior process] where you must confirm that a search isn't going to violate any laws (or lead to liability cases). Examiners should obtain instructions and written authorisation from attorneys before acting.

Warrants are usually required prior to accessing private information from an employee (unless they consent). In this case the computer can be confiscated to prevent tampering until the police arrive.

Identification

Finding the [see page 8, devices] and hardware where digital evidence could be found.

Preservation & Collection

Capturing a device identified in the previous stage in a way that doesn't contaminate or damage the evidence we'd like to acquire.

For example: by turning off the internet, will this contaminate the data on the device?

Examination

[see page 14, Examine] the physical and meta-properties about the device that can be documented in the chain of custody.

For example: is the charger required to access the device? Have we found a password lock?

Analysis

[see page 16, Analysing] the digital evidence found on the device using specialised tools.

This is divided into 3 major stages:

  1. Filtering and reduction: filter out irrelevant or not useful data. Essentially reduce the data-set to only applicable data.
  2. Classification and evaluation of sources: Identify what and where information on the device is and came from. Includes correlating evidence from several sources.
  3. Data recovery: Find and reconstruct deleted data, as close to its original state as possible.

Reporting

[see page 18, Reporting] evidence found from various digital devices on the case to numerous stakeholders.