Basic understanding about Cyber Forensics
Cyber forensic, sometimes known as computer forensic refers to the practice of extracting information, analyzing the data and gaining intelligence into activities that involve the use of technology as a structured chain of evidence that can be presented in the court of law or identify a cyber crime.
In other ways, it is also known as Digital forensics and is the process of gathering evidence in the form of digital data during cybercrime cases. Digital forensics is the process through which skilled investigators identify, preserve, analyze, document, and present material found on digital or electronic devices, such as computers and smart phones.
The type of information retrieved from the cyber analysis are mentioned as below:
- Information logs and understanding of ethical and legal issues related to data and data acquisition.
- Metadata details such as time, file type, size and volume of data.
- Contents such as text, audio, video.
- Technology data such as sms, email, social media files, chat history, deleted files etc.
- Password recovery, login details recovery, typewritten document examination.
- Call history of mobile, sim card data recovery, mirror imaging, hashing.
- Ability to gather information from network servers, databases, smart phones, tablets, hard disk, memory card, SD card and other digital devices.
Digital Forensic Process
The
digital forensic process generally consists of five steps: identification,
preservation, analysis, documentation, and presentation.
Identification:
Identify
the purpose of investigation and the resources required.
Preservation:
Ensure
that Data is isolate, secure and Preserved for further study and analysis
purpose.
Analysis:
Identify
tools and techniques to use, process data, logs and interpret results.
Documentation:
Documenting
the crime scene along with evidence such as photographs, sketch, screenshot
etc.
Presentation: Process of summarizing and explanation of conclusion with facts
about the analysis.
Digital
Evidence:
Digital
evidence is any data that is stored or transmitted using a computer over
internet or offline that supports or counter a theory of crime. So Digital
evidence must be handled carefully to preserve the integrity. Digital triage is
a pre-digital-forensic phase that sometimes takes place as a way of gathering
quick intelligence. Although effort has been undertaken to model the digital
forensics process, little has been done to-date to model digital triage.
Keep in Mind always:
Be Careful! THIS COMPUTER HAS NO BRAIN. USE YOUR OWN!!
There are several professional tools widely used for the Digital Forensic analysis by Spy agencies, law enforcement agency, FBI, CBI, Cyber Police, ethical hackers, forensic examiners etc.
- FTK Imager
- Nagios
- Autopsy Forensic
- Redline
- Snort
- Accessdata
- Magnet, Axiom
- Helix
- Wireshark
- OpenText Encase
These tools come with a variety of features so it can be used as per specific requirements such as Windows forensic, Linux forensic, Disk forensic, network forensic, wireless forensic, email forensic etc.
In
windows forensics investigators, ideally Collect Volatile Information and
Non-Volatile information from the Operating System.
Volatile
information is information that is lost the moment a system is powered down or
loses power. This Volatile information usually exists in physical memory or
RAM. It holds data for a temporary time.
Non-Volatile information is kept on secondary storage devices and persists after a system is powered down. It holds data for permanent time.
Reference
https://www.splunk.com/en_us/blog/learn/cyber-forensics.html
https://www.exterro.com/basics-of-digital-forensics
https://www.magnetforensics.com/products/magnet-axiom-cyber/
https://www.sans.org/digital-forensics-incident-response/
https://www.nist.gov/digital-evidence
Thanks
-DR
