Week 1 Flashcards
Objectives of Computer Forensics (R.A.P)
To Recover, Analyze and Present computer-based material in such a way that it can be presented as evidence in a court of law.
Who Performs Computer Forensics (L.C.C.P)
Law Enforcement for Criminal Cases
Corporate IT security personnel for criminal / civil cases
Corporate HR investigators for workplace investigations
Private investigators for various investigations
What does Computer Forensics Involve (P.I.E.I.D, L.I.F.P)
Preservation
Identification
Extraction
Interpretation
Documentation
Legal Processes
Integrity of Evidence
Factual Reporting of the information found
Providing expert opinion in the court of law
Preservation (P.O.M.C)
Preserve the integrity of the original evidence
Original evidence should not be modified or damaged
Make an image/copy of the original evidence and then perform analysis
Compare the copy to the original evidence to identify any modifications or damages.
Hashing (P)
Prove that all the evidence is exactly the same as the original data, down to the very last bit!
What are the values returned by the hash called?
Hash values, hash codes, hash sums, hashes
Identification (S.L)
Start by identifying the evidence and its location.
Locating and identifying the evidence is a challenge for the Forensic Investigator.
Extraction (O.V.E)
Once the evidence is identified and located, it should be extracted immediately.
Volatile data can be lost at any point in time. The FI should extract this data from the copy he made of the original evidence.
Extracted data must be compared with original evidence and analyzed.
Interpretation (M.A)
The most important role of the FI during an investigation is to interpret what he has found.
Analysis and inspection of the data must be interpreted in a lucid manner.
Documentation (M)
Maintained from the Beginning to End
Forensics in a nutshell
Evidence Acquisition
Investigation and Analysis
Report Findings
What is digital evidence (F.P.P.P)
Fragile, Protect, Preserve and Probative
Categories of Forensic Data (A.L.A)
Active Data - Data that can be seen
Latent Data - Data that exists despite being deleted
Archival Data - Data in backup
Persistent vs Volatile Data
Persistent Data - preserved when the computer is turned off
Volatile Data - Will be lost when the computer loses power or it is turned off.
What is a Forensic Image?
Forensic image is a copy of original evidence generally collected by a tool that performs bit-level copying from one location to another.