Cyber forensics, or computer forensics, is a branch of forensic science that deals with searching for, discovering, recovering, collecting, analyzing, and reporting on evidence held on a digital device in a forensically sound manner, so that the evidence found is preserved and presentable in a court of law. Digital forensic practice is the capturing, processing, and investigation of data; it allows professionals to help organizations and device or media users resolve doubts and settle disputes. A cyber forensics analyst investigates cybercrime by gathering evidence from a suspected device or storage medium, or by capturing data from a network. Cybercrime investigations conducted by cyber forensics experts also cover internet fraud and web, social media, and email crime.
Evidence gathered and processed must be admissible and presentable in a court of law. To be admissible, evidence must be relevant, legally permissible, reliable, and correctly identified, with its integrity preserved. Because of this, evidence must be handled carefully and monitored throughout the evidence life cycle: discovery and recognition, protection, recording, collection, identification, preservation, transportation, presentation in court, and return of the evidence to its owner. Preservation of evidence includes recording all information related to the computer crime until the investigation and legal proceedings are complete, safeguarding magnetic media from deletion, storing evidence in an appropriate environment, documenting it, and following strict procedures for securing and accessing it.
Types of digital forensics
Digital forensics has evolved into sub-disciplines. These sub-disciplines include:
- Computer Forensics: Evidence on computers (Windows or Linux), laptops and storage media in support of investigations and legal proceedings.
- Network Forensics: The monitoring, capture, storing, and analysis of network activities or events in order to discover the source of security attacks, intrusions, or malicious network traffic and security breaches.
- Mobile Device Forensics: Recovery of electronic evidence from mobile phones, smartphones, SIM cards, PDAs, GPS devices, and tablets.
- Digital Image Forensics: The extraction and analysis of digitally acquired photographic images to validate their authenticity, by recovering the image file's metadata to establish its history and by examining images for hidden content using steganalysis techniques.
- Digital Video/Audio Forensics: Collection, analysis, and evaluation of audio and video recordings.
- Web Forensics: Investigation of counterfeit website identities; scanning and analysis of websites to determine the person(s) responsible for a fraudulent or harmful website.
- Email Forensics: Verifying the validity of an email address, analyzing email to confirm the original owner of an address, and tracing the sender of an email.
The five basic stages of the digital forensic process are identification, preservation, collection, analysis, and reporting.
Key steps in Computer Forensics Investigation
- Identify Computer Crime
- Collect Preliminary Evidence
- Obtain a court warrant for seizure, if required
- Perform First Responder Procedures
- Seize Evidence at the Crime Scene
- Transport Evidence to the Forensic Lab
- Create two copies of the evidence
- Generate MD5 Checksum on the Images
- Maintain a Chain of Custody
- Store original evidence in a secure location
- Analyze the image copy for evidence
- Prepare a Forensic Report
- Submit the report to the client
- Attend court and testify as an expert witness, if required
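As an added example, not part of the original article or of any particular forensic tool, the following Python script carries out the imaging, checksum and chain-of-custody steps from the list above on a constructed disk image: it streams the image through hashing, makes two working copies, verifies each copy against the original's digests, appends a custody record, and then shows that a single-byte change to a copy is detected on re-verification. The list calls for an MD5 checksum; MD5 is no longer collision-resistant, so the example computes SHA-256 alongside it, as current practice does. The evidence id, handler name and file names are placeholders.

```python
import hashlib
import io
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read images in 1 MiB chunks so large files never sit in memory
ALGORITHMS = ("md5", "sha256")  # MD5 as the list requires, SHA-256 alongside it


def hash_stream(fh, algorithms=ALGORITHMS):
    """Stream a file object through each digest; returns {name: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: fh.read(CHUNK), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=ALGORITHMS):
    """Digest an in-memory byte string (handy for known-answer checks)."""
    return hash_stream(io.BytesIO(data), algorithms)


def hash_file(path, algorithms=ALGORITHMS):
    """Digest a file on disk without loading it whole."""
    with open(path, "rb") as fh:
        return hash_stream(fh, algorithms)


def image_and_verify(original, copies):
    """Copy the evidence image to each destination and verify every copy
    against the original's digests. Returns (reference_digests, results),
    where results maps each copy path to True (matches) or False."""
    reference = hash_file(original)
    results = {}
    for dest in copies:
        shutil.copyfile(original, dest)
        results[dest] = hash_file(dest) == reference
    return reference, results


def custody_entry(log_path, evidence_id, action, handler, digests, note=""):
    """Append one chain-of-custody record (JSON lines) and return it.
    Each record ties who did what, when, to the digests of the evidence."""
    entry = {
        "evidence_id": evidence_id,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "action": action,
        "handler": handler,
        "digests": digests,
        "note": note,
    }
    with open(log_path, "a") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def demo():
    """Run the imaging workflow on a constructed image in a temp directory.
    Returns (copy verification results, whether a tampered copy still matches)."""
    workdir = tempfile.mkdtemp(prefix="forensics-demo-")
    try:
        original = os.path.join(workdir, "original.dd")  # placeholder name
        with open(original, "wb") as fh:
            fh.write(b"CONSTRUCTED-DISK-IMAGE" * 4096)  # constructed sample data

        copies = [os.path.join(workdir, "copy1.dd"), os.path.join(workdir, "copy2.dd")]
        reference, results = image_and_verify(original, copies)

        log = os.path.join(workdir, "custody.jsonl")
        custody_entry(log, "EV-0001", "imaged", "examiner-placeholder",
                      reference, "two working copies made and verified")

        # Flip the first byte of one copy; re-verification must now fail.
        with open(copies[1], "r+b") as fh:
            fh.seek(0)
            fh.write(b"X")
        still_matches = hash_file(copies[1]) == reference
        return results, still_matches
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    verified, still_matches = demo()
    print("copies verified:", verified)
    print("tampered copy still matches original:", still_matches)
```

Analysis is then done on a verified copy while the original stays sealed, and every later hand-off gets its own custody entry carrying the same digests, so anyone can re-hash the image at any stage and confirm nothing changed.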
Forensic practice covers the investigation of cyber crimes and related activities, including data capture (volatile or non-volatile data), data acquisition, and data recovery. Data acquisition (static or live) is the process of copying or obtaining data from a digital device or storage medium. Data recovery is the use of data recovery tools to search for, discover, and recover lost or deleted data from a digital device or storage medium. All data acquired or recovered is processed and preserved in a forensically sound manner.