Digital Forensics and Digital Investigation - Essay Example

Forensic Analysis in My Organization If your organization uses digital forensics, either by an in-house team or by contractors, interview the forensics team leader and discuss your organization’s forensic process The progress in technological growth in communications and data exchange has caused an entirely new form of offense, cyber crime. This has urged the computer and law enforcement professions to build up advanced expertise and avenues for gathering and evaluating data’s. It has then further developed into a science called computer forensics. The procedure of obtaining, examining, and relating digital evidence is critical in the success of prosecuting a cyber criminal. Because of the fast growth of technology, it is not easy for law enforcement and computer experts to be ahead of technologically knowledgeable criminal. In order to efficiently fight cyber crime, bigger stress must be placed in the computer forensic field of learning. That must comprise not only financial support but also should comprise international guidelines and laws, and training of the expert concerned in the procedure. The FBI, describe computer forensic science as ‘the science of obtaining, protecting, retrieving, and presenting information that has been processed electronically and stored on computer.’ Essentially, computer forensics is a digital police officer work (Oseles, 2001). In our organization we maintain an in-house forensics team. The forensics team leader of our organizations explains the organization’s forensics process in detail. The first step The first step in the end-to-end digital investigation (EEDI) procedure is collection of forensic data. It is necessary to carry out forensic examination of computer media, gathering logs of intermediate devices and collecting the outputs of intrusion detection systems. The next process is to dispose of duplicate data and standardize the data into a regular vocabulary. Actually duplicate data’s are not destroyed but just set it aside in case it requires afterward or in court. What is actually intended out of this process? Usually, EEDI is a superset of the whole thing about digital forensics. It presumes that one can take care of the forensics of a computer’s hard drive and also can gather the logs from a firewall and manage all the evidence appropriately as per the standard practices, for instance the Association of Chief Police Officers (ACPO) ‘Good Practice Guide for Computer-based Evidence’. The Objective The EEDI procedure is planned to assist the build up of an event timeline. While displaying evidence in front of a jury it is necessary to be conscious that the attempt to converse a complex procedure to people who have little knowledge or totally ignorant of how computer networks operate. The use of an event timeline is a method to present the picture across in a style that is both simple to know and firm enough to be considered important. The process also helps the investigator organize his or her testimony logically and simply. Developing the event timelines has one important limitation that one can’t presume the misplaced links. The whole picture is needed whether the chain of evidence is with forensic data or the results of traditional investigation. Therefore, the relationship among the forensic investigator and the traditional investigator is so imperative. Both investigators, using different approaches, support each other with leads and corroboration. At present there are problems in back tracing an expert intruder who knows how to confuse source addresses. Moreover, the expert intruder will choose intermediate computers that are inadequately managed and have little to give the investigator in the way of logs. Sorting the Evidence Sorting evidence should be to theorize the timeline and path of events. There are cases those have some solid evidence either forensic or traditional. Place that evidence out and settle the timeline. The intruder may have a lot of aims. In fact it is helpful to know the reason of the attack. Certain types of denial of service attacks can be done blind. That means, the attacker need not see the victim. Normally those attacks are distributed denial of service attacks, attacks against an extensive range of arbitrarily chosen addresses and attacks against a block of addresses (Stephenson , 2002). Analysis and Preservation It is important to prove in the court that the analysis and preservation was performed properly. The courts have specified that if the value calculated for the source and image match, the image is a legitimate copy and regarded as original. When law enforcement has control of the computer evidence, cautions should be taken to make sure that it is not infected or damaged. On the other hand, computer evidence may be vanished by other means, for instance age, electromagnetic force, and dropping of storage media. There must be precise standards and requirements together with regular updates to the processes for analysis, preservation, and management of the evidence. The general method used to investigate the evidence presently relies on proprietary software or hardware which denies the experts to know precisely what is happening under the proverbial hood. This is a grave concern; the experts must be able to clarify what is happening at each level of the duplication and analysis process. The expert must be acquainted with the major file systems and hypothesis regarding file system structure. In addition, so as to decide that the data was correctly preserved and analyzed, the computer forensics examiner/expert must know the engineering technicalities about these devices. Furthermore, preservation standards must to be created regarding the storage of original and duplicated evidence to prevent contamination and damage (Meyers and Rogers, 2004). Significance of preservation of data Shutting down a computer system in such a way that it will not alter the integrity of existing files is important. At the same time it is a complex computer security process. In the event of an alleged computer episode, great care should be taken to preserve evidence in its original status. Simply viewing files on a system would not result in change of the original media. But, just opening a file changes it. Legally, it is no more the original evidence and may be not allowable in any subsequent legal or administrative proceedings. Opening a file as well changes the time and date it was last accessed. This may not appear to be an important concern; still, it could later on become very important in the determination of who committed the violation and when it happened. Isolation of the involved computer system is perfect, but this may not be possible because of operational requirements, no attempts should be made to retrieve or view files at the local level. The isolation of a computer system so that evidence is not lost is of the greatest importance. Importance should also be given to other preservative media, handwritten notes, and documents found in the vicinity of the computer involved. These stuffs can be of useful in an ensuing investigation. Computer disks, CD-ROMs, tape storage media, and additional hard drives found near the involved computer as well ought to be isolated and protected (media.wiley.com, 2003). The technological progressions in communications networks and data exchange, computer linked crimes have risen. It is expected that the hi-tech crimes such as computer hacking, spreading of viruses, internet deception, and e-mail misuse will continue to rise over the next decades. For most organizations the question is when we are going to be the victim of a computer crime. Because of this trend, it has become crucial in the prosecution process that law enforcement officials and computer forensic specialist to manage the evidence appropriately and present it carefully. Many agencies offer training in the proper acquisition, examination, and utilization of electronic evidence. Not being able to use the data’s gathered in court is worse than not having it at all. The field of computer forensics will grow further and will start to see agencies with trained digital detectives on staff, not only to combat external and internal threats but also to analyze and arrange defensive procedures and applications for the agency. There will be a continuing need for computer forensic experts until the safety of our systems improves (Oseles, 2001). Our organization is concerned about the above said factors and maintains an in house trained forensic team to manage the crisis in cases such eventualities. References media.wiley.com, (2003) Computer Forensics and Incident Response Essentials. Retrieved April 09, 2008, from: http://media.wiley.com/product_data/excerpt/67/07645263/0764526367.pdf Meyers, M. and Rogers, M. (2004) Computer Forensics: The Need for Standardization and Certification, International Journal of Digital Evidence Fall 2004, Volume 3, and Issue 2 Retrieved April 09, 2008, from: http://www.utica.edu/academic/institutes/ecii/publications/articles/A0B7F51C-D8F9-A0D0-7F387126198F12F6.pdf Oseles, L. (2001). Computer Forensics: The Key to Solving the Crime, INSS 690 Term 1 Retrieved April 09, 2008, from: http://faculty.ed.umuc.edu/~meinkej/inss690/oseles_2.pdf Stephenson , P.(2002). Data Analysis – First Steps, Computer Fraud & Security Newsletter from Elsevier Advanced Technology, October 2002 issue Read More