Disk forensics is the science of extracting forensic information from digital storage media such as hard disks, USB devices, FireWire devices, CDs, DVDs, flash drives, floppy disks, etc.
The steps of the disk forensics process are:
1. Identify digital storage devices
The first step in disk forensics is identifying the storage devices at the
scene of crime, such as hard disks with IDE/SATA/SCSI interfaces, CDs, DVDs, floppy
disks, mobile phones, PDAs, flash cards, SIM cards, USB/FireWire disks, magnetic tapes,
Zip drives, etc. These are some of the sources of digital evidence.
2. Seizure and Acquisition of Storage devices
The next step is seizing the storage media for digital evidence collection.
This step is performed at the scene of crime.
In this step, a hash value of the storage media to be seized is computed
using an appropriate cyber forensics tool. After the hash value has been computed, the
storage media is securely sealed and taken for further processing.
An exact copy of the original evidence must be created for analysis and
digital evidence collection. Acquisition is the process of creating this exact
copy: the original storage media is write protected and a bit-stream copy is
made so that every byte of the source is copied to the destination media.
Acquisition of the source media is usually done in a cyber forensics laboratory.
3. Authentication of the evidence
Authentication of the evidence is carried out in the cyber forensics
laboratory. The hash values of the source and destination media are compared;
if both values are the same, the content of the destination media is an exact
copy of the source media.
4. Preservation of the evidence
Electronic evidence can be altered or tampered with without leaving a trace. Once the
acquisition and authentication have been done, the original evidence should be
placed in secure storage, away from strong magnetic fields and radiation
sources. One more copy of the image should be taken and stored on
appropriate media or reliable mass storage. Optical media can be used as the
mass storage: it is reliable, fast, long-lived and reusable.
5. Verification and Analysis of the evidence
Verifying the evidence before starting analysis is an important step in the
cyber forensics process. The hash value of the evidence is computed and compared
with the hash value taken at the time of acquisition. If the two values are the
same, the content of the evidence has not changed; if they differ, the content
has changed. The result of verification should be properly documented.
Analysis is the process of collecting digital evidence from the content
of the storage media, depending on the nature of the case being examined. This
involves keyword searching, picture analysis, timeline analysis, registry
analysis, mailbox analysis, database analysis, analysis of cookies, temporary
files and Internet history files, recovery and analysis of deleted items, data
carving and analysis, format recovery and analysis, partition recovery and
analysis, etc.
6. Reporting the findings
The case analysis report should be prepared based on the nature of the
examination requested by the court or investigation agency. It should contain the
nature of the case, details of the examination requested, details of the material
objects and their hash values, the result of evidence verification, details of the
analysis conducted and the digital evidence collected, the observations of the
examiner and the conclusion. The report should be presented in simple, precise
terms so that non-technical persons can understand its content.
7. Documentation
Documentation should start from the planning of the case investigation
and continue through the search of the scene of crime, seizure of material objects,
chain of custody, authentication and acquisition of evidence, verification and
analysis of evidence, collection of digital evidence and reporting,
preservation of material objects, and up to the closing of the case.
It is very important at every step of the cyber forensics process.
Everything should be appropriately documented to make a case admissible in a
court of law.
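As an added worked example (not from the original post), the following Python script carries the hashing, bit-stream acquisition, authentication and pre-analysis verification steps above through on a constructed sample file; the file paths, helper names and the simulated tampering are assumptions for illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read 1 MiB at a time so large media never sit in memory

def hash_file(path, algo="sha256"):
    """Hash a file or raw device block by block (the value recorded at seizure)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire_image(source, image, algo="sha256"):
    """Bit-stream copy of source into image, hashing the source bytes as read.
    The source is opened read-only (a hardware write blocker does this in practice).
    Returns (source_hash, image_hash); both must match for the acquisition to stand."""
    h = hashlib.new(algo)
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image is on disk before hashing it
    return h.hexdigest(), hash_file(image, algo)

def verify_image(image, acquisition_hash, algo="sha256"):
    """Pre-analysis verification: recompute and compare with the acquisition hash.
    Returns a record suitable for the case documentation."""
    current = hash_file(image, algo)
    return {"verified": current == acquisition_hash, "recorded": acquisition_hash,
            "computed": current, "checked_at": datetime.now(timezone.utc).isoformat()}

def demo():
    """Run the workflow on a constructed sample 'disk' (a temp file of random bytes)."""
    work = tempfile.mkdtemp()
    source, image = os.path.join(work, "evidence.bin"), os.path.join(work, "evidence.dd")
    with open(source, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 123))  # deliberately not a multiple of CHUNK
    seizure_hash = hash_file(source)                     # step 2: hash at the scene
    src_hash, img_hash = acquire_image(source, image)    # step 2: acquisition
    assert src_hash == seizure_hash == img_hash          # step 3: authentication
    before = verify_image(image, seizure_hash)           # step 5: verification passes
    with open(image, "r+b") as f:                        # simulate a tampered image
        first = f.read(1); f.seek(0); f.write(bytes([first[0] ^ 0xFF]))
    after = verify_image(image, seizure_hash)            # verification now fails
    return before["verified"], after["verified"]
```

`demo()` returns `(True, False)`: the untouched image verifies against the seizure hash, and a single flipped byte is enough for verification to fail.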