Computer Forensics:
Computer forensics refers to a set of methodological procedures and techniques that help identify, gather, preserve, extract, interpret, document, and present evidence from computing equipment, such that any discovered evidence is acceptable during a legal and/or administrative proceeding.
Understand Digital Evidence:
Digital evidence is defined as “any information of probative value that is either stored or transmitted in a digital form”.
Digital evidence is circumstantial and fragile in nature, which makes it difficult for a forensic investigator to trace criminal activities.
According to Locard’s Exchange Principle, “anyone or anything, entering a crime scene takes something of the scene with them, and leaves something of themselves behind when they leave”.
Sources of Potential Evidence:
- User-Created Files
- User-Protected Files
- Computer-Created Files
Rules of Evidence:
- Understandable - clear to the judges
- Admissible - related to the fact
- Authentic - real and related to the incident
- Reliable - no doubt about the authenticity & veracity of evidence
- Complete - must prove actions or innocence
“Original Evidence is the best Evidence”
Forensic Readiness:
It refers to an organization’s ability to optimally use digital evidence in a limited period of time and with minimal investigation costs.
Forensic readiness planning:
It refers to a set of processes to be followed to achieve and maintain forensic readiness.
- Identify the potential evidence required for an incident.
- Determine the sources of evidence.
- Define a policy that determines the pathway to legally extract electronic evidence with minimal disruption.
- Establish a policy to handle and store the acquired evidence in a secure manner.
- Identify if the incident requires full or formal investigation.
- Create a process for documenting the procedure.
- Establish a legal advisory board to guide the investigation process.
- Keep an incident response team ready to review the incident and preserve the evidence.
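The "Reliable" and "Authentic" rules above, and the readiness steps on storing acquired evidence securely and preserving it, both rest on being able to show that what is examined is exactly what was acquired. The following added example (not from the original notes) hashes an acquired file, appends chain-of-custody entries, and later re-verifies the file against the hash taken at acquisition; the file contents, handler names and log format are constructed for the demo.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk_size=1 << 20):
    """Hash an evidence file in chunks so large disk images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def record_custody(log_path, evidence_path, handler, action):
    """Append one chain-of-custody entry (who, what, when, hash) as a JSON line."""
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "evidence": os.path.basename(evidence_path),
        "handler": handler,
        "action": action,
        "sha256": sha256_file(evidence_path),
    }
    with open(log_path, "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry

def verify_evidence(log_path, evidence_path):
    """Recompute the hash and compare it with the hash recorded at acquisition."""
    with open(log_path) as f:
        entries = [json.loads(line) for line in f if line.strip()]
    expected = entries[0]["sha256"]   # hash taken when the evidence was first acquired
    actual = sha256_file(evidence_path)
    return actual == expected, expected, actual

def demo():
    """Constructed sample: an 'acquired' file, a custody log, then a tampering check."""
    workdir = tempfile.mkdtemp()
    evidence = os.path.join(workdir, "disk_image.dd")   # constructed, not a real image
    log = os.path.join(workdir, "custody.jsonl")
    with open(evidence, "wb") as f:
        f.write(b"\x00" * 1024 + b"sample sector data")
    record_custody(log, evidence, "analyst-a", "acquired")
    record_custody(log, evidence, "analyst-b", "transferred")
    ok_before = verify_evidence(log, evidence)[0]
    with open(evidence, "r+b") as f:       # simulate an unintended modification
        f.seek(0); f.write(b"\xff")
    ok_after = verify_evidence(log, evidence)[0]
    return ok_before, ok_after             # (True, False)
```

In practice the custody log itself should be kept on write-once or separately controlled storage, since a log that can be edited alongside the evidence proves nothing.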