Cyber forensics, or computer forensics, is a branch of forensic science that deals with searching for, discovering, recovering, collecting, analyzing and reporting evidence found on a digital device in a forensically sound manner, so that the evidence is preserved and presentable in a court of law. Digital forensic practice is the capturing, processing and investigation of data; this practice allows professionals to help organizations and device or media users clear doubts and settle disputes. Cyber forensics analysts investigate cyber crime by gathering evidence from a suspected device or storage media, or by capturing data from a network. Cyber crime investigations conducted by cyber forensics experts also include internet fraud and web, social media and email crime.
Evidence gathered and processed must be admissible and presentable in a court of law. For evidence to be admissible, it must be relevant and legally permissible, reliable, correctly identified, and have its integrity preserved. Because of this, evidence must be handled carefully and properly monitored throughout the evidence life cycle, which covers the evidence gathering and application processes: discovery and recognition, protection, recording, collection, identification, preservation, transportation, presentation in a court of law, and the return of the evidence to its owner. Preservation of evidence includes recording all information related to the computer crime until investigation procedures and legal proceedings are completed; safeguarding magnetic media from deletion; storing evidence in an appropriate environment; documenting; and following strict methods for securing and accessing evidence.
Types of digital forensics
Digital forensics has evolved into sub-disciplines, which include:
- Computer Forensics: Evidence on computers, laptops and storage media in support of investigations and legal proceedings.
- Network Forensics: The monitoring, capture, storing and analysis of network activities or events in order to discover the source of security attacks, intrusions or malicious network traffic and security breaches.
- Mobile Device Forensics: Recovery of electronic evidence from mobile phones, smartphones, SIM cards, PDAs, GPS devices and tablets.
- Digital Image Forensics: The extraction and analysis of digitally acquired photographic images to validate their authenticity, by recovering the metadata of the image file to ascertain its history and by analysing steganographic images using steganalysis techniques.
- Digital Video/Audio Forensics: Collection, analysis and evaluation of audio and video recordings.
- Web Forensics: Counterfeit website identity investigations; website scanning and analysis to determine the person(s) responsible for a fraudulent or harmful website.
- Email Forensics: Verifying the validity of an email address, analysing an email to confirm the original owner of an email address, and tracing the email sender.
The 5 basic stages of the digital forensic process are: Identification, Preservation, Collection, Analysis and Reporting.
Key steps in Computer Forensics Investigation
- Identify Computer Crime
- Collect Preliminary Evidence
- Obtain a court warrant for seizure, if required
- Perform First Responder Procedures
- Seize Evidence at the Crime Scene
- Transport Evidence to the Forensic Lab
- Create two copies of the evidence
- Generate MD5 Checksum on the Images
- Maintain a Chain of Custody
- Store the original evidence in a secure location
- Analyse the image copy for evidence
- Prepare a Forensic Report
- Submit the report to the client
- Attend court and testify as an expert witness, if required
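As an added example (not part of the original article), the following Python script carries out the copy, checksum and chain-of-custody steps above: it hashes an acquired image, confirms both working copies match it, appends a custody record, and shows that a single altered byte in a copy is caught. It records SHA-256 next to the MD5 the steps name, since MD5 on its own is no longer collision-resistant; the image content, file names and handler name are constructed placeholders.

```python
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

ALGORITHMS = ("md5", "sha256")  # MD5 as the steps name it; SHA-256 alongside is an added assumption

def hash_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a multi-gigabyte image never has to fit in memory."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify_copies(original, copies):
    """True only if every copy matches the original under every algorithm."""
    reference = hash_file(original)
    return all(hash_file(copy) == reference for copy in copies)

def custody_entry(image, action, handler, ledger):
    """Append one chain-of-custody record: who did what to which image, when, and its hashes."""
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "image": str(image),
        "action": action,
        "handler": handler,
        "hashes": hash_file(image),
    }
    ledger.append(entry)
    return entry

def demo():
    """Constructed walk-through: image, copy twice, verify, log, then catch a corrupted copy."""
    workdir = Path(tempfile.mkdtemp())
    original = workdir / "evidence.dd"  # constructed stand-in for a real disk image
    original.write_bytes(b"\x00boot sector\x00" + bytes(range(256)) * 4)
    copies = [workdir / "copy1.dd", workdir / "copy2.dd"]
    for copy in copies:
        shutil.copyfile(original, copy)
    ledger = []
    custody_entry(original, "acquired and imaged", "examiner A (placeholder)", ledger)
    intact = verify_copies(original, copies)  # True: both copies are bit-identical
    with open(copies[1], "r+b") as fh:  # alter one byte in a copy to simulate damage
        fh.seek(10)
        fh.write(b"X")
    tampered_detected = not verify_copies(original, copies)  # True: mismatch is caught
    return intact, tampered_detected, ledger
```

In practice the ledger would be written to a file signed or stored separately from the images, and every later handoff (transport, analysis, return) gets its own entry with fresh hashes.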
Forensic practice covers the investigation of cyber crimes and related activities, including data capture (of volatile or non-volatile data), data acquisition and data recovery. Data acquisition (static or live) is the process of copying or obtaining data from a digital device or storage media. Data recovery is the use of data recovery tools to search for, discover and recover lost or deleted data from a digital device or storage media. All data acquired or recovered is processed and preserved in a forensically sound manner.