Tag Archives: Forensics
How Computer Forensics Analysts Work
Thanks to television shows, most of us already have an idea of what forensics is. Although some scenes are not depicted accurately (examining evidence is exhausting and mentally draining because of the constant attention to detail it demands, and it never looks as easy as it does on television with its swooping camera angles), they have given us a general idea of how evidence is collected.
Computer forensics is part of this investigative field. Because cyber crime is increasingly common, computer forensic analysts are now an essential part of the legal process.
We already have a rough idea of what they do, but a computer forensics job involves many procedures and considerable expertise. Like any other evidence, electronic data is fragile and easily damaged, so fixed steps are followed to ensure that it is collected without being tampered with.
A day in the work of a computer forensic analyst
The first thing an analyst does is secure the machine and its data. Data is never analyzed on the system it came from; instead, exact copies are made, usually by duplicating the hard drive, and the copies are examined.
Collection starts with the analyst examining the surroundings of the machine. Other physical evidence such as notes, disks and printouts is collected, the area is photographed, and it is searched for portable storage devices.
If the computer is still running, information is collected by examining its running applications. Computers used for illegal communications may not keep all of their data on the hard drive, and information held in Random Access Memory is lost when the computer is shut down, so this step is important.
Open source tools are used for this live analysis. Analysts can also image mapped network drives and encrypted containers while they are still mounted, since they may be unreachable once the machine is powered down. Data is captured in order: network connections first, then running applications, and lastly the contents of Random Access Memory.
The computer is then shut down carefully so that no data is lost. The method depends on the computer and the operating system it runs. An ordinary shutdown can destroy volatile data, but pulling the plug is not advisable either, because it may corrupt the file system and lose important data.
The analyst then inspects the system for traps (anything rigged to destroy data when the machine is disturbed) and photographs its configuration. A diagram is also made, recording serial numbers and markings.
The analyst then makes an exact duplicate of the hard drive, a process called imaging, using a hardware drive duplicator or a software imaging tool. Copying is done at sector level to produce a bit-stream copy of every addressable part of the drive that can hold data, including unallocated space and file slack, not only the files a user can see.
The original hard drive is then placed behind a hardware write blocker and sent to secure storage. Once a complete and accurate copy exists, the duplicate, not the original, is analyzed for evidence. Cryptographic hash algorithms are used to verify the imaging process: the hash of the original and the hash of the image must match. Two algorithms are generally used (typically MD5 paired with SHA-1 or SHA-256), so that the verification does not rest on a single algorithm.
Finally, the analyst forms an opinion and documents everything that was done. The report contains all of the findings and states whether or not the system was used in illegal activity or a criminal act.
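The imaging and verification steps above, as an added example that is not from the original article or from any particular forensic tool: a Python imager run over a constructed in-memory "device" (SampleDevice, an assumption standing in for a real block device such as /dev/sdb). It makes a sector-level bit-stream copy, zero-fills an unreadable sector while recording its number for the report, computes two digests over exactly the bytes written (MD5 and SHA-256; the pairing is an assumption, real tools commonly pair MD5 with SHA-1 or SHA-256) as the acquisition hashes, and re-verifies the stored image. The last step shows what the two-hash check buys: a single altered byte in the image fails verification.

```python
import hashlib
import io
import random

SECTOR_SIZE = 512


class SampleDevice:
    """Constructed stand-in for a raw block device such as /dev/sdb.

    Holds deterministic pseudo-random sectors and can simulate an
    unreadable sector, which a failing drive reports as an I/O error.
    """

    def __init__(self, num_sectors=64, bad_sectors=(), seed=7):
        rng = random.Random(seed)
        self.data = bytes(rng.getrandbits(8) for _ in range(num_sectors * SECTOR_SIZE))
        self.num_sectors = num_sectors
        self.bad_sectors = set(bad_sectors)

    def read_sector(self, n):
        if n in self.bad_sectors:
            raise IOError("unreadable sector %d" % n)
        return self.data[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE]


def image_device(device, out):
    """Sector-level bit-stream copy of the whole device into `out`.

    Every sector is copied, allocated or not, so slack and unallocated
    space end up in the image. An unreadable sector is replaced by a
    zero-filled sector so later offsets stay aligned with the original
    (what `dd conv=noerror,sync` does) and its number is recorded for the
    report. Two digests are computed over exactly the bytes written;
    these are the acquisition hashes entered in the evidence record.
    """
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    unreadable = []
    for n in range(device.num_sectors):
        try:
            sector = device.read_sector(n)
        except IOError:
            sector = b"\x00" * SECTOR_SIZE
            unreadable.append(n)
        out.write(sector)
        md5.update(sector)
        sha256.update(sector)
    return {"sectors": device.num_sectors, "unreadable": unreadable,
            "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def acquire(device):
    """Image into memory and return (acquisition record, image bytes)."""
    out = io.BytesIO()
    record = image_device(device, out)
    return record, out.getvalue()


def hash_image(image_bytes):
    """Recompute both digests over a stored image (the verification hashes)."""
    return {"md5": hashlib.md5(image_bytes).hexdigest(),
            "sha256": hashlib.sha256(image_bytes).hexdigest()}


def verify_image(record, image_bytes):
    """True only when both recomputed digests equal the acquisition hashes."""
    now = hash_image(image_bytes)
    return now["md5"] == record["md5"] and now["sha256"] == record["sha256"]


def demo():
    # Constructed 64-sector device with one unreadable sector (number 9).
    record, image = acquire(SampleDevice(num_sectors=64, bad_sectors={9}))
    intact = verify_image(record, image)
    # Change a single byte of the image: both digests change and verification fails.
    tampered = bytearray(image)
    tampered[-1] ^= 0x01
    altered = verify_image(record, bytes(tampered))
    return {"record": record, "image": image, "intact": intact, "altered": altered}


if __name__ == "__main__":
    result = demo()
    rec = result["record"]
    print("sectors imaged:", rec["sectors"], "unreadable:", rec["unreadable"])
    print("md5:   ", rec["md5"])
    print("sha256:", rec["sha256"])
    print("image verifies:", result["intact"], "| after one-byte change:", result["altered"])
```

Run directly, it prints the acquisition record and both verification results. Against a real drive the same loop would read the device through a hardware write blocker, and the verification hashes would be recomputed on the stored image every time it changes hands or is loaded into an analysis tool, so any alteration after acquisition is caught.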
What Remains to be Today’s Computer Forensics Problem?
Computer forensics is one of the fields that changes most often. Many agencies have found it very useful, especially in the investigation of fraud and other crimes. Computer forensics is the procedure applied when electronic devices such as computer media are placed under careful investigation.
The process involves discovering and analyzing any available data, whether it has been hidden or deleted. This is among the evidence that supports the claim or defense of an individual or company when they take legal action.
Computer forensics specialists use tools that recover both accidentally and intentionally erased files and information. So even when the loss of data is blamed on a hardware failure, there is a good chance of recovering it. One of the biggest computer forensics problems, though, is how to preserve the original data without the slightest alteration.
Even shutting down the computer system to transfer the data to another medium can cause changes to it. It is important that the computer forensics expert has the skill to keep the data in its exact form. Nobody can say precisely when data may be altered, but with the right tools and the specialist's skill it can usually be prevented.
Computer forensics attracted public attention during the Enron scandal, which prompted what was then the widest-ranging computer forensics investigation in history. As computers have become an integral part of daily life, huge quantities of data are stored on these devices.
Crimes and other fraudulent acts are likewise increasing. Computer forensics investigations also cover emails, websites visited, chat histories and many other forms of electronic communication.
Advances in technology have shaped the improvement of computer forensics. Developers continually upgrade their tools to meet the growing difficulty of computer forensics problems, and the modern software and tools coming onto the market make the task easier for experts, so data is found and restored faster and more precisely.
This evidence needs to be kept in its original form, especially when it is to be used in court. It is gathered from all kinds of computer media: discs, pen drives, tapes, memory sticks, logs, emails, PDAs and handhelds, as well as deleted information and hidden documents.
The common notion is that once data is deleted, the file is completely gone and cannot be found. That is wrong. On most file systems, deletion only removes the reference to the data (the directory entry and the allocation record); the file's contents stay on the disk until that space is reused by new writes.
It is easy to tell that data has been deleted, but the common computer forensics problem is where and how to find it, and how to recover it without leaving any trace of change. The solution depends entirely on the computer forensics professional's skill.
Computer data security is very important, so it is also significant that the data remains original. Part of the training of these professionals is developing the care needed when handling data recovery at all times.
However, it is not for them to decide when data may be altered or not. This remains one of the top computer forensics problems to date.
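The deletion and recovery behaviour described above, as an added example that is not from the original article: a constructed toy file system (ToyVolume, an assumption standing in for FAT/NTFS-style allocation) in which deleting a file only clears a flag in its directory entry. The recovery functions take an immutable image of the volume and never touch the volume itself, which is how the original bytes stay unaltered. recover_deleted() rebuilds a file whose directory entry still points at its sectors, and carve() finds a file by its header/footer signature after the entry itself has been overwritten; %PDF- and %%EOF are the real PDF markers, while the file contents here are constructed.

```python
import struct

SECTOR_SIZE = 512
ENTRY_FMT = "<16sIIB7x"                   # name, start sector, length in bytes, in-use flag, pad
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)   # 32 bytes
MAX_ENTRIES = SECTOR_SIZE // ENTRY_SIZE   # the directory table fills sector 0


class ToyVolume:
    """Constructed minimal file system: sector 0 is a directory table and
    sectors 1.. hold file contents. Deleting a file only clears its in-use
    flag; the data sectors are not touched, as on FAT or NTFS."""

    def __init__(self, num_sectors=32):
        self.buf = bytearray(num_sectors * SECTOR_SIZE)
        self.next_free = 1

    def _slot(self, name=None):
        """Index of a never-used slot (name=None) or of the live entry `name`."""
        for i in range(MAX_ENTRIES):
            n, start, _length, used = struct.unpack_from(ENTRY_FMT, self.buf, i * ENTRY_SIZE)
            if name is None and start == 0:
                return i
            if name is not None and used and n.rstrip(b"\x00") == name:
                return i
        raise KeyError(name)

    def write_file(self, name, data):
        i = self._slot()
        start = self.next_free
        pos = start * SECTOR_SIZE
        self.buf[pos:pos + len(data)] = data
        struct.pack_into(ENTRY_FMT, self.buf, i * ENTRY_SIZE, name, start, len(data), 1)
        self.next_free += -(-len(data) // SECTOR_SIZE)   # ceiling division: sectors used

    def delete_file(self, name):
        """Ordinary delete: clear the in-use flag, keep the pointer and the data."""
        i = self._slot(name)
        n, start, length, _ = struct.unpack_from(ENTRY_FMT, self.buf, i * ENTRY_SIZE)
        struct.pack_into(ENTRY_FMT, self.buf, i * ENTRY_SIZE, n, start, length, 0)

    def wipe_entry(self, name):
        """Directory entry overwritten (as when the slot is reused): pointer gone, data still there."""
        i = self._slot(name)
        self.buf[i * ENTRY_SIZE:(i + 1) * ENTRY_SIZE] = b"\x00" * ENTRY_SIZE

    def image(self):
        return bytes(self.buf)   # the read-only working copy the analyst examines


def list_entries(image):
    """Parse the directory table of an image. Deleted entries are those that
    still carry a pointer but have a cleared in-use flag."""
    entries = []
    for i in range(MAX_ENTRIES):
        n, start, length, used = struct.unpack_from(ENTRY_FMT, image, i * ENTRY_SIZE)
        if start == 0:
            continue   # slot never used, or entry overwritten
        entries.append({"name": n.rstrip(b"\x00").decode(), "start": start,
                        "length": length, "deleted": not used})
    return entries


def recover_deleted(image):
    """Rebuild deleted files whose entry still points at their sectors.
    This works only while those sectors have not been reused by newer writes."""
    return {e["name"]: image[e["start"] * SECTOR_SIZE:e["start"] * SECTOR_SIZE + e["length"]]
            for e in list_entries(image) if e["deleted"]}


def carve(image, header, footer):
    """Signature-based carving for data whose directory entry is gone: look for
    a known header at sector-aligned offsets and take bytes through the matching
    footer. No metadata (name, timestamps) survives this route."""
    found = []
    for off in range(SECTOR_SIZE, len(image), SECTOR_SIZE):
        if image.startswith(header, off):
            end = image.find(footer, off)
            if end != -1:
                found.append(image[off:end + len(footer)])
    return found


def demo():
    vol = ToyVolume()
    vol.write_file(b"notes.txt", b"meeting at 9, bring the ledger\n")
    vol.write_file(b"scan.pdf", b"%PDF-1.4\n(constructed stand-in for a PDF body)\n%%EOF")
    vol.write_file(b"keep.txt", b"still allocated")
    vol.delete_file(b"notes.txt")   # reference removed, bytes remain
    vol.wipe_entry(b"scan.pdf")     # even the pointer is gone
    image = vol.image()             # everything below reads only this copy
    return {"entries": list_entries(image),
            "deleted": recover_deleted(image),
            "carved": carve(image, b"%PDF-", b"%%EOF")}


if __name__ == "__main__":
    r = demo()
    for e in r["entries"]:
        print("%-10s sector %d %5d bytes %s" % (e["name"], e["start"], e["length"],
                                               "DELETED" if e["deleted"] else "live"))
    print("recovered via directory:", r["deleted"])
    print("recovered via carving:  ", r["carved"])
```

The two recovery routes illustrate the problem the article names: the directory route gives back the file with its name and size but only until the sectors are reused, and the carving route still finds the bytes after the entry is gone but yields no name or dates. Both read the image only, which is the practical answer to recovering data without leaving traces of change.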