***Welcome to ashrafedu.blogspot.com * * * This website is maintained by ASHRAF***


    Friday, May 27, 2022

    Disk based Analysis

    Disk forensics is the science of extracting forensic information from digital storage media such as hard disks, USB devices, FireWire devices, CDs, DVDs, flash drives, floppy disks, etc.

    The disk forensics process consists of the following steps:

    1. Identify digital storage devices

    The first step in disk forensics is the identification of storage devices at the scene of crime, such as hard disks with IDE/SATA/SCSI interfaces, CDs, DVDs, floppy disks, mobile phones, PDAs, flash cards, SIM cards, USB/FireWire disks, magnetic tapes, Zip drives, etc. These are some of the sources of digital evidence.

    2. Seizure and Acquisition of Storage devices

    The next step is seizing the storage media for digital evidence collection. This step is performed at the scene of crime.

    In this step, a hash value of the storage media to be seized is computed using an appropriate cyber forensics tool. After the hash value has been computed, the storage media is securely sealed and taken for further processing.

    An exact copy of the original evidence is created for analysis and digital evidence collection. Acquisition is the process of creating this exact copy: the original storage media is write-protected and a bit-stream copy is made so that the complete content is copied to the destination media. Acquisition of source media is usually done in a Cyber Forensics laboratory.

    3. Authentication of the evidence

    Authentication of the evidence is carried out in the Cyber Forensics laboratory. The hash values of the source and destination media are compared; if both values are the same, the content of the destination media is an exact copy of the source media.

    4. Preservation of the evidence

    Electronic evidence can be altered or tampered with without leaving a trace. Once acquisition and authentication have been done, the original evidence should be placed in secure storage, away from strong magnetic fields and radiation sources. One more copy of the image should be taken and stored on appropriate media or reliable mass storage. Optical media can be used as the mass storage: it is reliable, fast, has a long life span and is reusable.

    5. Verification and Analysis of the evidence

    Verification of the evidence before starting analysis is an important step in the Cyber Forensics process. The hash value of the evidence is computed and compared with the hash value taken at the time of acquisition. If both values are the same, the content of the evidence has not changed; if they differ, the content has been changed. The result of the verification should be properly documented.

    Analysis is the process of collecting digital evidence from the content of the storage media, depending on the nature of the case being examined. This involves keyword searching, picture analysis, timeline analysis, registry analysis, mailbox analysis, database analysis, analysis of cookies, temporary files and Internet history files, recovery and analysis of deleted items, data carving and analysis, format recovery and analysis, partition recovery and analysis, etc.
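    As an added illustration of the authentication step (3) and the verification step (5), not code from the original post, the following Python streams a raw image through hashlib in fixed-size chunks, compares the result with the hashes recorded at acquisition, and shows the verdict flipping when a single byte of the image is altered. The image file name and its content are constructed for the demonstration.

```python
"""Hash an acquired disk image and verify it against the acquisition record."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read 1 MiB at a time so multi-GB images do not exhaust memory


def hash_image(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for the file at `path`, read as a byte stream."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, acquisition_hashes):
    """Recompute the hashes and compare them with those recorded at acquisition.

    Returns a record for the case file; any mismatch means the content has
    changed since acquisition and the image must not be analysed as-is.
    """
    computed = hash_image(path, tuple(acquisition_hashes))
    matches = {n: computed[n] == acquisition_hashes[n] for n in acquisition_hashes}
    return {
        "path": path,
        "verified_at": datetime.now(timezone.utc).isoformat(),
        "expected": dict(acquisition_hashes),
        "computed": computed,
        "match": all(matches.values()),
        "mismatched_algorithms": sorted(n for n, ok in matches.items() if not ok),
    }


def demo():
    """Constructed 3 MiB image: hash at 'acquisition', alter one byte, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "evidence.dd")  # hypothetical image file name
        with open(image, "wb") as fh:
            fh.write(bytes(range(256)) * (3 * CHUNK // 256))  # deterministic filler
        acquired = hash_image(image)                # hashes recorded at acquisition
        clean = verify_image(image, acquired)       # untouched copy: match is True
        with open(image, "r+b") as fh:              # simulate tampering at offset 4096
            fh.seek(4096)
            fh.write(b"\xff")  # the original byte there is 0x00, so the content changes
        tampered = verify_image(image, acquired)    # now match is False
        return clean["match"], tampered["match"], tampered["mismatched_algorithms"]
```

    Keeping two algorithms in the record mirrors common lab practice of documenting more than one hash value for the same material object.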

    6. Reporting the findings

    The case analysis report should be prepared based on the nature of the examination requested by the court or investigation agency. It should contain the nature of the case, details of the examination requested, details of the material objects and their hash values, the result of evidence verification, details of the analysis conducted and the digital evidence collected, the observations of the examiner and the conclusion. The report should be presented in simple and precise terms so that non-technical persons are able to understand its content.

    7. Documentation

    Documentation should start from the planning of the case investigation and continue through the search at the scene of crime, seizure of material objects, chain of custody, authentication and acquisition of evidence, verification and analysis of evidence, collection of digital evidence and reporting, preservation of material objects, and up to the closing of the case.

    It is very important at every step of the Cyber Forensics process. Everything should be appropriately documented to make a case admissible in a court of law.
