The Key Principles Of Cyber Forensics


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.


Explain the key principles of cyber forensics

Discuss investigation processes used to: preserve

Preserving evidence is the process of preserving any evidence found at the crime scene. Such evidence can be either physical or digital. Before any investigation or collection of evidence can be made, we need to know what type of crime has been committed and whether we need a search warrant in order to carry out the legal process of evidence collection. A common example is a police officer who did not acquire the evidence in a legal way, in which case the evidence will be inadmissible in court. For this review, I will take it that all legal requirements and search warrants have been produced or taken care of.

Once all this has been taken care of, the first thing we do on stepping into the crime scene is to conduct a "no touch" examination of the physical site, which can include observations, video recordings, photographs and handwritten comments.

For computer forensic crime, we need to take extra steps to preserve all evidence. We can start by identifying how many computers (PC/MacBook, notebook, servers, etc.) are at the crime scene and whether any external or internal devices are connected to them. Note the placement of equipment such as the keyboard, mouse, printer, scanner, the cables and wires connecting them, switches, routers and even modems. Such a setup can be an important item of evidence, so it should be recorded by video or photograph.

There are 3 main types of computer setup (stand-alone computer, networked computer and server), and each has a different process to follow to ensure the data is preserved. Some of the evidence may be lost during the process. For example, disconnecting the computer from the network or power supply can damage or destroy crucial evidence.

First we need to check whether the computer is turned on or off. If the computer is turned off, do not turn it on again. If the computer is turned on, check whether there is on-screen information that should be noted (screen saver, whether it is password protected, any wallpaper) and record it by video or photograph.

One common way to preserve and shut down the computer is as follows:

Stand-alone computer (non-networked): Disconnect all power sources by unplugging from the back of the computer. If the computer is a notebook, remove the batteries. Disconnect any devices connected to it and put everything in evidence bags.

Non-stand-alone computer (networked): This is a computer which is joined to the company network. The shutdown process is the same as for a stand-alone computer.

Servers: The process for servers is different, because pulling the plug could severely damage the system, disrupt legitimate business, and/or create officer and department liability. A determination should also be made as to the extent of data that should be seized and what the search warrant covers. If shutdown is necessary, use the appropriate commands.

After this, a chain of custody has to be in place, to preserve the evidence from the crime scene to anywhere it needs to be transported (for example, the forensic lab).

When it reaches the forensic lab, we will need to determine the best method to create a backup copy of the seized data and acquire the digital evidence.

Disk-To-Image File

Creating a bit-stream disk-to-image file is the most common method forensic investigators use. When using this method, forensic investigators are able to make as many copies of the digital evidence as they need. Investigators are able to image the original disk to another disk. An investigator can then make use of other tools such as EnCase, FTK, Smart, Task, and Ilook to read and analyze the image file.

Disk-To-Disk Copy

If an investigator is unable to create a bit-stream disk-to-image file, the alternative is to create a bit-stream disk-to-disk copy of the suspect’s disk drive in order to acquire the information from it. There are several bit-streaming programs that can copy the information from one disk to another. Disk-to-disk imaging tools include SafeBack, SnapCopy, and Norton Ghost. Many of these applications run under MS-DOS.

Sparse Data Copy

There are times during a forensic investigation when an investigator finds incriminating evidence in a particular file or folder. Therefore, it would not be necessary to create a bit-stream disk-to-image file or a disk-to-disk copy. The investigator would just need to create a sparse data copy of the folder or file. A sparse data copy is a copy that an investigator makes of only part of a large set of data in which only the data pertinent to the investigation is included.

------

Let’s assume you want to "freeze" the system as it is and immediately halt all processing. In that case, you may want to literally pull the power plug out of the wall (or pull it from the back of the computer). Removing power immediately stops all disk writes, but it destroys anything in memory. Such an abrupt crash could also corrupt files on the disk. You may find that the very evidence file you want was corrupted by the forced crash.

----

1) Stand-alone computer (non-networked)

2) Computer joined to a network (networked computer)

3) Server

We also need to know the following:

Is the computer running?

Does the search warrant cover the power to shut the computer down (if it is a running server)?

The scene must be recorded and preserved, and the chain of custody must not be broken.

Physical evidence can be found at the crime scene and it can establish that a crime has been committed. Sometimes it can also provide a link between a crime and its victim or between a crime and its perpetrator.

digital evidence can be xxxxxxxxxxxxxxxxxxxxxx

This is the process of preserving the integrity of the digital evidence, ensuring the chain of custody is not broken. The data needs to be preserved (copied) on stable media such as CD-ROM, using reproducible methodologies. All steps taken to capture the data must be documented. Any changes to the evidence must also be documented, including what the change was and the reason for the change. You may need to prove the integrity of the data in a court of law.

===

Evidence should be preserved to such an extent that a third party is able to repeat the same process and arrive at the same result as that presented to a court.
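The disk-to-image acquisition and the repeatability requirement described above, shown as an added example that is not part of the original essay: the source is copied bit for bit, hashed while it is read, and the written image is hashed again so that anyone repeating the check later must arrive at the same digest. The function names, the record fields and the temporary file standing in for a seized disk are assumptions made for illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 1 << 20  # read size in bytes; 1 MiB is an arbitrary choice

def sha256_file(path):
    """Hash a file (or block device) in fixed-size blocks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK), b""):
            h.update(block)
    return h.hexdigest()

def acquire_image(source, image, examiner):
    """Bit-stream copy source to image, hashing the source bytes as they are read."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "xb") as dst:  # "x": never overwrite
        for block in iter(lambda: src.read(BLOCK), b""):
            h.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())
    record = {  # the documented result of the acquisition step
        "examiner": examiner, "source": source, "image": image,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "bytes": os.path.getsize(image),
        "source_sha256": h.hexdigest(),
        "image_sha256": sha256_file(image),  # re-read what was actually written
    }
    record["verified"] = record["source_sha256"] == record["image_sha256"]
    return record

def verify_image(record, image):
    """Repeat the hash later (or as a third party) and compare with the record."""
    return sha256_file(image) == record["image_sha256"]

def demo():
    """Constructed sample: a temp file of 3 MiB + 256 bytes stands in for the disk."""
    workdir = tempfile.mkdtemp()
    disk = os.path.join(workdir, "suspect_disk.bin")
    with open(disk, "wb") as f:
        f.write(bytes(range(256)) * 12289)
    rec = acquire_image(disk, os.path.join(workdir, "evidence.dd"), "Examiner A")
    intact = verify_image(rec, rec["image"])
    with open(rec["image"], "r+b") as f:  # simulate a one-byte alteration
        f.seek(100)
        f.write(b"\xff")
    return rec, intact, verify_image(rec, rec["image"])
```

`demo()` returns the custody record, the result of verifying the untouched image, and the result after a single byte is altered, which no longer matches the recorded digest.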

===

Preserving


Conduct a "no touch" examination of the physical site that includes observations and recordings. When entering the site, each detail of the scene must be recorded and preserved. It is a good idea to bring video or still-camera equipment to provide visual backup for written records. The placement of the computer equipment, keyboard, mouse, computer output, references, cables and wires, and switches may all be important items of evidence. Written logs must be created, initialed, witnessed, or corroborated and then filed in a secure place.

Evidence bags

Discuss investigation processes used to: Locate

Concerns with remote wireless storage often focus around the inability to locate the device. In this instance, it would be impossible to prove that an offence had been committed. However, when considering remote wireless storage, the investigator is encouraged to consider the artefacts on the seized machines in question according to existing practice. Artefacts such as cached images, typed URLs etc. are still to be found, together with evidence that a remote storage device has been used.

Discuss investigation processes used to: Select

Discuss investigation processes used to: Analyse

Discuss investigation processes used to: validate

Discuss investigation processes used to: present evidence obtained from a computer

Believable

The evidence you present should be clear, easy to understand and believable by a jury. There’s no point presenting a binary dump of process memory if the jury has no idea what it all means. Similarly, if you present them with a formatted version that can be readily understood by a jury, you must be able to show the relationship to the original binary, otherwise there’s no way for the jury to know whether you’ve faked it.

Discuss the importance of crime reconstruction hypotheses and alternative hypotheses

Conclusion

Most students overlook and underestimate the conclusion – this is where you summarise the facts described in the body of your essay and add your own conclusions based on what you have read. No new material should be added here.



