What is Digital Forensics?
Digital Forensics also called network forensics and has many definitions. In general, it is considered the application of science to the identification, collection, examination, and analysis of data while information integrity is preserved and a strict chain of custody is maintained for the data.
Types of Data:
While in the first step of forensics is to identify the sources of data from where you want to
get your data. The most common data sources are desktop computers, servers, network storage
devices, laptops, tablets, etc.
Inside your computer, you will find DVDs/CDs, External or Internal drives like flash drives or solid-state drives or hard disk drives, etc,
Volatile data:
Volatile data means the data that is exist only at a particular time like when the computer is running the data present in RAM which is volatile. This data is quite time sensitive because when we shut down our computer or close an application then this data will not be available to us.
Network Activity:
You can get this data from the service provider, You can get this data from logs, Also you can get it from the application usage Most of the time applications store previous sessions or projects, etc,
portable digital Devices:
You can get data from portable digital devices, portable digital devices are cell phones, audio recorders,
digital cameras or security cameras or there may be devices in the surrounding that contain data.
Usage of Digital Forensics:
According to the NIST Digital Forensics can be used in the following scenarios:
- Criminal Investigation
- Incident handling
- Operational troubleshooting
- log monitoring
- Data recovery
- Data Acquisition
- Due Diligence and regulatory compliance etc
Objectives of Digital Forensics:
The main objective of digital forensics is the process to take the evidence and the evidence itself.
The second object is to determine if it is a crime or it was an accident.
Another objective is to identify the necessary evidence as quickly as possible.
Another objective is to write a report in a timely manner and the report should be clear that anyone should understand it.
Forensics Process:
According to NIST, there are four steps involved in the forensics process:
Collection:
In the collection phase, the data is identified, labeled, recorded, and collected from different sources while
the integrity of data is preserved.
Examination:
In the examination step, large amounts of collected data are processed and particular interest data is extracted. The examination is examining the data that we are collecting.
Bypassing Controls:
Operating systems and network applications may have data compression, encryption, or access control lists so this will make a difficulty for us to examine the data that we have collected.
Sea of Data:
Even if we have collected GBs or even TBs of data, we have to filter our required data.
Tools:
There are different tools available to filter that data for us what is required of us.
Analysis:
In the analysis phase, the results of the examination are analyzed using legal methods and techniques.
Reporting:
In reporting phase, the results of the analysis are reported.
Steps to Collect Data:
The NIST data collection process contains the following phases:
Develop a plan to collect the data:
While collecting a data you should have a proper plan to know what data to collect, determine the value of that data that you are collecting whether the data is volatile or not, as we discussed above that volatile
data is data that is available now at this moment. If the computer shutdowns or the network goes off then the data state can be changed so our first priority is to get the volatile data because the state of volatile data is changing and are not remain in the same state. You must have a proper plan that how to collect the required data.
Collecting the data:
This is the hands-on step to collect the data, In this step, we are using different forensics tools to collect the data like volatile data, and duplicate the non-volatile data so that we don’t harm the original data and original data should not be harmed during the investigation.
verify the integrity of data:
The forensic tools that we are using in the data collection create a hash value for the original data when we create an image or backup of the original data then the forensic tool will create a hash value for that data. We can compare that hash value with the duplicated version of the hash data. If anything changes in the original data or data are altered by any means then it will generate a different hash value then these hash values will not be identical to each other. Through this, we can verify the integrity of data.
read more on Handling digital Assets: