Lecture 9 - Process Of Digital Forensics Steps 1 & 2 Flashcards
What are the steps of computer forensics?
1. Seizure
2. Acquisition
3. Analysis
4. Reporting
What should be done upon arriving at the crime scene?
The scene should be searched thoroughly. All hardware found is labelled and formally registered (this is an investigation, so the record must be complete) and placed safely in antistatic bags. If a computer is found powered off, its hard drives must be removed; if it is found powered on, a decision needs to be made whether a live forensics procedure will be undertaken.
What is essential in a digital forensics investigation?
Taking photographs and screenshots as supporting evidence is essential to the investigation.
What is the purpose of a seizure?
To prevent the digital devices in question from being used and the data on them from being changed.
What happens in the step of a seizure?
- equipment and hardware inspection
- labelling
- registry
- bagging
- BIOS time & hard drive details
What should we be aware of when seizing a device?
A tower bomb (booby-trapped case), or even USB devices hidden inside a plug.
What is the registry?
Practically the database of the OS itself: it contains all the configuration data for the system and is organised hierarchically.
It records, for example, recently used software, users, files and connected devices.
What are the 5 root keys of the Windows Registry?
HKEY_CURRENT_USER
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
Why is recording the BIOS time important?
If the computer's clock is set wrong, the timestamps in the evidence may point the investigation in the wrong direction. Recording the BIOS time alongside a trusted reference time lets the offset be corrected when timelines are built.
What is the purpose of the acquisition step?
To create a digital forensic copy (image) of the device's storage. The image can be stored in any forensic image format.
What tools can be used for the acquisition step?
FTK Imager, or dd ("data duplicator") on Unix-like systems.
-> Both produce bit-by-bit copies of the source media.
What is important during acquisition?
Use write blockers so the original is not changed in unwanted ways. This eliminates the possibility of contaminating the evidence.
What is special about the cloned drive during the acquisition stage?
A cryptographic hash (e.g. SHA-256) of the clone is generated and kept safely. By re-hashing the copy later, the forensic examiner can show that the analysis made no changes to it, and the matching hashes can be presented in court as proof of integrity.
What is a good practice in digital forensics?
It is good practice for the investigator to work on a second copy of the image; then, if a mistake is made, there is no need to re-acquire from the original.
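As an added example (not from the lecture notes), the acquisition cards above carried out in POSIX shell on a constructed sample "device" file instead of a real drive: image it bit-by-bit with dd, record a SHA-256 of source and image, then check a working copy against the recorded digest before and after a simulated accidental write. The file names and the demo function are my own; dd, sha256sum/shasum, cp and yes are the standard tools.

```shell
#!/bin/sh
# Added example, not part of the lecture notes: image a source bit-by-bit with dd,
# record its SHA-256, and check working copies against the recorded value.
# The "device" used below is a constructed temporary file, not a real drive.

# Print the SHA-256 digest of a file (sha256sum on Linux, shasum elsewhere).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Bit-by-bit copy of $1 into $2. conv=noerror,sync carries on past unreadable
# blocks and zero-fills them so offsets in the image stay aligned with the source.
# bs=512 matches the sector size, so a whole device is never padded beyond its end;
# with a larger bs, sync would pad the image and its hash would no longer match.
acquire_image() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# Hash source and image; print the digest only if they agree. The printed
# digest is the value to record and keep safely with the evidence.
verify_image() {
    src_hash=$(hash_file "$1")
    img_hash=$(hash_file "$2")
    [ "$src_hash" = "$img_hash" ] && printf '%s\n' "$img_hash"
}

# Succeed only if the file still hashes to the recorded digest.
check_against_record() {
    [ "$(hash_file "$1")" = "$2" ]
}

# Walk through the procedure on a constructed 4 KiB "device" (8 sectors of a
# repeating text pattern). Prints "ok" and returns 0 when every step behaves.
demo() {
    work=$(mktemp -d) || return 1
    yes 'evidence sector data' | head -c 4096 > "$work/device.bin" || return 1

    acquire_image "$work/device.bin" "$work/evidence.dd" || return 1
    recorded=$(verify_image "$work/device.bin" "$work/evidence.dd") || return 1

    # Work on a second copy; it must match the recorded hash before analysis starts.
    cp "$work/evidence.dd" "$work/working.dd" || return 1
    check_against_record "$work/working.dd" "$recorded" || return 1

    # Simulate an accidental write during analysis: one byte at offset 100.
    # The check must now fail, which is exactly what the recorded hash is for.
    printf 'X' | dd of="$work/working.dd" bs=1 seek=100 conv=notrunc 2>/dev/null
    if check_against_record "$work/working.dd" "$recorded"; then
        return 1
    fi

    rm -rf "$work"
    echo ok
}

demo
```

Run it as `sh acquire_demo.sh`. For a real acquisition, replace the constructed file with the block device path, read through a hardware write blocker, and note that hashing the source separately means reading it twice; tools such as dcfldd can compute the hash while copying so the evidence drive is only read once.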