Computer forensics is a branch of forensic science that deals essentially with computer crime and with legal evidence that pertains to digital data. The main goal of computer forensics is to describe the current state of a digital artifact and to present the findings about the data as evidence to the court.
An officer or investigator, upon receiving the laptop from the parents, should first establish whether the laptop is powered on or not. If the laptop is running, perform a power shutdown by holding down the power button and removing the battery. If the laptop is displaying clear signs of data of visible evidentiary value on screen, the police officer should first seek trained technical personnel who have experience and training in capturing and preserving volatile data before proceeding. The investigator should also immediately shut down the laptop by a hard shutdown if there is any sign or indicator of activity on screen suggesting that data is being overwritten or deleted, i.e. an indicator that a destructive process is being run against the computer's data storage.
This is to ensure that no more evidence is lost or tampered with. The investigator would also need to check whether there is any disc in the disc drive and take a picture of the disc in the drive before placing it into an anti-static bag. The investigator would next place tape across all disk drives so that no media can be inserted into the drives. The investigator would also place tape over the power button of the laptop. This is to ensure that the evidence cannot be tampered with, in order to maintain the integrity of the data.
If there are cables and wires attached to the laptop, the investigator would also uniquely label, document and photograph the wiring, cables and devices connected to the laptop. If there are devices attached at the other end of the cables, they would also be photographed and documented while still connected to the laptop. The devices and cables would then be individually recorded and photographed before being placed in the evidence bag.
The documentation of the evidence also needs to include a detailed record of the laptop brand, model, serial number, attachments on the laptop and its present state. The surrounding environment where it was being used should be photographed as evidence. If the laptop is running, photographing the display helps to visually document its state and what was running at the time of the initial response. Take photos of the front, side and back of the computer. An image of the laptop, the surrounding environment and the connected devices helps in reconstructing the setup if the laptop needs to be taken to the lab for further investigation. Documentation is important as it allows the court to verify that correct forensic techniques were adopted and carried out. In addition, it allows the actions performed during the initial response to be recreated.
An evidence custody form is also necessary in order to prove that a chain of custody has been in place. It proves that proper custody of the evidence was maintained and records the state of the evidence at the time custody was taken, showing that proper forensic procedure was followed.
All potential evidence should be "bagged and tagged". Bag-and-tag refers to the procedure of placing crime scene evidence into bags and tagging them with a single or multiple evidence form. This helps in upholding the chain of custody as well as the integrity of the evidence. Evidence should be kept in anti-static bags to prevent damage through electrostatic discharge.
Computer manuals for the laptop, if there are any, would also be taken for examination in the laboratory. A copy of the hard disk image would also be made using imaging programs, together with a generated hash sum to check its consistency and integrity. The copied data would then be handed to the appropriate party assisting in the investigation. The source copy would be retained in a locked room with limited or restricted access and kept in anti-static bags. This ensures that a chain of custody is in place and that the source data is always available and not tampered with, in order to preserve the primary copy and allow procedures to be recreated if necessary.
When transporting digital evidence, the investigator or the first responder should take care to protect the state of the evidence. The first responder should keep digital evidence away from magnetic fields produced by radio transmitters, magnets or any other source of magnetic field that may affect the state of the evidence. Potential risks like heat, cold, dampness or static electricity should be noted. During transport, mobile phones should be kept in a Faraday isolation bag.
Digital information should be stored in a secure, climate-controlled environment that is not subject to extreme heat or humidity that may damage hardware.
Digital evidence should also not be exposed to magnetic fields, moisture, dust or vibration that may affect the condition of the data or destroy it. An evidence custody form also needs to be used to identify the evidence, who has handled it and the date.
The hardware and tools needed to examine a laptop are:
Large-capacity disk drive
IDE ribbon cable, 36 inch
Linux Live CD (Backtrack 4.0)
Laptop IDE 40- to 44-pin adapter
Anti-static evidence bag
Evidence log form
FireWire or USB dual write-protect external bay IDE hard drive box
Faraday isolation bag (for cellphone)
One of the key differences between a laptop and a desktop is that, because of the size of the desktop and its capacity to be customised, its hardware generally follows certain guidelines or standards. This makes forensics easier on desktops, as the available tools are able to process most desktop PCs. However, with laptops becoming more common today, tools that are commonly used for desktops need to be altered and changed.
The main architectural difference is that a laptop, being much smaller in size, requires hardware that is much smaller, such as the motherboard, memory and hard disk.
Also, some manufacturers install drivers on their laptops for several functions, e.g. webcam or biometric fingerprint scanner, which adds a level of difficulty to the analysis, as some of this software may not be able to run on a different computer system without the appropriate driver.
The difference in architecture between a laptop and a desktop requires different forensic approaches and procedures. The interface of an IDE laptop hard disk, for instance, depending on the manufacturer, may be smaller than a normal 40-pin ATA ribbon connector, and because of the constraint of the laptop's size the hard disk itself may be smaller.
The internal structure of a laptop is a lot more delicate, so it is a lot harder for the investigator to remove the devices and components for imaging or storage as evidence.
Smaller laptops known as netbooks are not fitted with a CD-ROM drive, unlike a desktop computer, because of their restricted size. This further complicates the forensic process, as certain forensic tools that require a live CD cannot be used. This may require the use of a USB thumb drive loaded with the OS in order to extract images and information.
Laptops, unlike desktop computers, also do not permit the use of more than one hard disk at the same time. So the imaging procedure for hard disks would take longer, as it cannot be done simultaneously.
Most laptops do not allow the use of the CD-ROM and the floppy drive at the same time. Unlike on a desktop system, this complicates the procedures of common tools used for desktops.
FTK Imager and the dcfldd command would be used for imaging.
FTK Imager is a Windows-based forensic acquisition tool found in various forensic toolkits like HELIX, SANS SIFT Workstation and the FTK Toolkit. FTK Imager supports storing a drive image in EnCase or SMART file format and in dd format. With IsoBuster technology built in, FTK Imager can also image a CD to an ISO/CUE file combination.
dcfldd is an enhanced version of dd: it allows hashing of the transferred data, wiping of drives with known patterns, and verifying bit by bit that the image is identical to the hard disk. It can also split output into multiple files, and logs and data can be piped into external applications.
Using two different imaging programs, each with its own produced hash value, allows comparison to ensure that there is consistency and integrity in the hash value of both images.
It is important to acquire as much information as possible from the surrounding environment, as it could be crucial to the analysis and handling of the case. It could provide a clue to the timeline or to possible password phrases, which may help in guiding the steps of the investigation.
Additional evidence might include papers with possible password phrases, handwritten notes, blank pads of paper with impressions of previous writing on them, hardware and software manuals and documentation, calendars, books or graphic material. These kinds of materials and articles should be treated as possible evidence and maintained in compliance with department policies or protocols.
Hashing is a method for reducing a large input into a smaller output. Common hashing algorithms like MD5 and SHA-1 are generally used to check the integrity of data presented as evidence to the court.
It is required to have three independent checks on the integrity of the image computed and recorded for further reference and support as evidence in court. The first check would be against any tool that is being run. The second check would be after the disk image copy is complete, to confirm that the drive image is consistent. The last check is the consistency of the resulting image against the source data.
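The three checks described above, together with the cross-tool hash comparison mentioned in the imaging section, can be walked through in a few lines. The following is an added example written for this page; it is not code from FTK Imager, dcfldd or any forensic toolkit. The "source drive" is a constructed byte string standing in for the laptop hard disk, and the known-answer values are the standard MD5 and SHA-1 test vectors for the input "abc".

```python
import hashlib

# Constructed sample "source drive": a small byte string standing in for the
# laptop hard disk. It is not real evidence; it only exercises the checks.
SAMPLE_DISK = b"BOOT" + bytes(range(256)) * 8 + b"\x00" * 64

# Known-answer vectors for the first check (standard MD5 and SHA-1 test values)
KNOWN_ANSWERS = {
    "md5":  (b"abc", "900150983cd24fb0d6963f7d28e17f72"),
    "sha1": (b"abc", "a9993e364706816aba3e25717850c26c9cd0d89d"),
}

SECTOR = 512


def hash_bytes(data, algo="md5"):
    """Hash data sector by sector, the way an imaging tool streams a drive."""
    h = hashlib.new(algo)
    for offset in range(0, len(data), SECTOR):
        h.update(data[offset:offset + SECTOR])
    return h.hexdigest()


def check_tool(algo="md5"):
    """Check 1: the hashing tool itself is verified against a known answer
    before any evidence is touched."""
    sample, expected = KNOWN_ANSWERS[algo]
    return hash_bytes(sample, algo) == expected


def acquire_image(source, algo="md5"):
    """Copy the source bit for bit, hashing the stream while it is read
    (the same idea as dcfldd's hash-on-the-fly). Returns (image, hash)."""
    h = hashlib.new(algo)
    image = bytearray()
    for offset in range(0, len(source), SECTOR):
        sector = source[offset:offset + SECTOR]
        h.update(sector)
        image.extend(sector)
    return bytes(image), h.hexdigest()


def check_image(image, stream_hash, algo="md5"):
    """Check 2: after the copy completes, hash the finished image file and
    compare it with the hash recorded during acquisition."""
    return hash_bytes(image, algo) == stream_hash


def check_against_source(source, image, algo="md5"):
    """Check 3: re-hash the source drive and compare with the image hash."""
    return hash_bytes(source, algo) == hash_bytes(image, algo)


def cross_tool_check(image_a, image_b, algo="md5"):
    """Images made by two different tools (e.g. FTK Imager and dcfldd) must
    hash identically; comparing them catches a faulty tool or a bad read."""
    return hash_bytes(image_a, algo) == hash_bytes(image_b, algo)


def three_checks(source, algo="md5"):
    """Run the three checks and return the results plus the hash to record."""
    image, stream_hash = acquire_image(source, algo)
    return {
        "tool": check_tool(algo),
        "image": check_image(image, stream_hash, algo),
        "source": check_against_source(source, image, algo),
        "hash": stream_hash,
    }


if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        print(algo, three_checks(SAMPLE_DISK, algo))
    # A single changed byte in the image must fail the source comparison.
    image, _ = acquire_image(SAMPLE_DISK)
    tampered = image[:100] + b"\xff" + image[101:]
    print("tampered image matches source:",
          check_against_source(SAMPLE_DISK, tampered))
```

The value returned under "hash" is the one that would be written on the evidence log form; the tampered-image case at the end shows why the third check is the one that matters once the image leaves the examiner's hands.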
In most files the file header contains identifying information that lets the computer recognise the file type. Image file headers are often manipulated to trick an investigator into overlooking them. A user would often change the file header to a different format, e.g. JPEG to DOC. If a forensic investigator were to carry out a search of the device for pictures, he would simply see it as a DOC file and skip it.
Another reason is that when examining recovered data remnants from files in slack or free space, the file header might be damaged and unreadable. Thus there is a need to examine the file header using a hex editor in order to correct it so that the file can be viewed.
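The two situations above, a picture disguised as a document and a picture whose header bytes are damaged, come down to comparing the first bytes of a file with the known signature for its type, which is exactly what an examiner does by eye in a hex editor. The following is an added example, not code from the page or from any forensic toolkit. The JPEG sample is a constructed JFIF header, the "damaged" copy has its first three bytes zeroed, and the file names are invented.

```python
import os

# File signatures ("magic numbers") for the types checked here.
SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "png":  b"\x89PNG\r\n\x1a\n",
    "gif":  b"GIF8",
    "pdf":  b"%PDF-",
    "doc":  b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",   # OLE2 compound file (DOC/XLS/PPT)
    "zip":  b"PK\x03\x04",                          # also DOCX/XLSX containers
}

# What each extension claims the file to be.
EXTENSION_TYPES = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif",
    ".pdf": "pdf", ".doc": "doc", ".zip": "zip", ".docx": "zip",
}

# Constructed samples: the opening bytes of a JPEG/JFIF header, and the same
# header with its first three bytes zeroed, standing in for a damaged header
# recovered from slack or free space.
JPEG_SAMPLE = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00\x48\x00\x48"
               b"\x00\x00\xff\xdb\x00\x43\x00\x08\x06\x06\x07\x06\x05\x08\x07")
DAMAGED_JPEG = b"\x00\x00\x00" + JPEG_SAMPLE[3:]


def hexdump(data, length=16):
    """The view a hex editor gives of the first bytes of a file."""
    return " ".join(f"{b:02x}" for b in data[:length])


def identify(data):
    """Return the type whose signature the data starts with, or None."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


def check_extension(filename, data):
    """Compare the type claimed by the extension with the real signature.
    Returns (claimed, actual, mismatch)."""
    claimed = EXTENSION_TYPES.get(os.path.splitext(filename)[1].lower())
    actual = identify(data)
    return claimed, actual, (actual is not None and claimed != actual)


def repair_jpeg_header(data):
    """Restore a damaged JPEG start-of-image marker. A JFIF file carries the
    text 'JFIF' at offset 6, so if that is present but the SOI/APP0 bytes are
    not, rewrite the first three bytes; otherwise return the data unchanged."""
    if data[6:10] == b"JFIF" and not data.startswith(SIGNATURES["jpeg"]):
        return SIGNATURES["jpeg"] + data[3:]
    return data


if __name__ == "__main__":
    # A JPEG stored under an invented document name: a picture search that
    # trusts extensions would skip it, the signature check does not.
    print("holiday.doc:", hexdump(JPEG_SAMPLE), check_extension("holiday.doc", JPEG_SAMPLE))
    # A damaged header is unidentifiable until the marker is put back.
    print("damaged:", hexdump(DAMAGED_JPEG), identify(DAMAGED_JPEG))
    fixed = repair_jpeg_header(DAMAGED_JPEG)
    print("repaired:", hexdump(fixed), identify(fixed))
```

The repair step is deliberately narrow: it only rewrites bytes when the rest of the header proves the file is JFIF, so a carved fragment that merely happens to be unrecognised is left alone and recorded as such.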