Computer forensics or digital forensics is a term in computer science to obtain legal evidence found in digital media or computers storage. With digital forensic investigation, the investigator can find what happened to the digital media such as emails, hard disk, logs, computer system, and the network itself. In many case, forensic investigation can produce how the crime could happened and how we can protect ourselves against it next time.
Some reasons why we need to conduct a forensic investigation: 1. To gather evidences so that it can be used in court to solve legal cases. 2. To analyze our network strength, and to fill the security hole with patches and fixes. 3. To recover deleted files or any files in the event of hardware or software failure
In digital forensics, the most important things that need to be remembered when conducting the investigation are:
1. The original evidence must not be altered in anyways, and to do conduct the process, forensic investigator must make a bit-stream image. Bit-stream image is a bit by bit copy of the original storage medium and exact copy of the original media. The difference between a bit-stream image and normal copy of the original storage is bit-stream image is the slack space in the storage. You will not find any slack space information on a copy media.
2. All forensic processes must follow the legal laws in corresponding country where the crimes happened. Each country has different law suit in IT field. Some take IT rules very seriously, for example: United Kingdom, Australia.
3. All forensic processes can only be conducted after the investigator has the search warrant.
Forensic investigators would normally looking at the timeline of how the crimes happened in timely manner. With that, we can produce the crime scene about how, when, what and why crimes could happened. In a big company, it is suggested to create a Digital Forensic Team or First Responder Team, so that the company could still preserve the evidence until the forensic investigator come to the crime scene.
First Response rules are: 1. Under no circumstances should anyone, with the exception of Forensic Analyst, to make any attempts to recover information from any computer system or device that holds electronic information. 2. Any attempt to retrieve the data by person said in number 1, should be avoided as it could compromise the integrity of the evidence, in which became inadmissible in legal court.
Based on that rules, it has already explained the important roles of having a First Responder Team in a company. The unqualified person can only secure the perimeter so that no one can touch the crime scene until Forensic Analyst has come (This can be done by taking photo of the crime scene. They can also make notes about the scene and who were present at that time.
Steps need to be taken when a digital crimes occurred in a professional way: 1. Secure the crime scene until the forensic analyst arrive.
2. Forensic Analyst must request for the search warrant from local authorities or company’s management.
3. Forensic Analyst make take a picture of the crime scene in case of if there is no any photos has been taken.
4. If the computer is still powered on, do not turned off the computer. Instead, used a forensic tools such as Helix to get some information that can only be found when the computer is still powered on, such as data on RAM, and registries. Such tools has it’s special function as not to write anything back to the system so the integrity stay intake.
5. Once all live evidence is collected, Forensic Analyst cant turned off the computer and take harddisk back to forensic lab.
6. All the evidences must be documented, in which chain of custody is used. Chain of Custody keep records on the evidence, such as: who has the evidence for the last time.
7. Securing the evidence must be accompanied by legal officer such as police as a formality.
8. Back in the lab, Forensic Analyst take the evidence to create bit-stream image, as original evidence must not be used. Normally, Forensic Analyst will create 2-5 bit-stream image in case 1 image is corrupted. Of course Chain of Custody still used in this situation to keep records of the evidence.