Computer Forensics World FAQ (Frequently Asked Questions)
Category: Main -> Basic Questions
· What exactly is Computer Forensics?
Generally speaking, computer forensics is considered to be the use of analytical techniques to identify, collect, preserve, and examine evidence/information which is magnetically stored or encoded.

· Why is Computer Forensics employed?
Normally, to provide digital evidence of a specific or general activity. The forensic investigation itself can be initiated for a wide variety of reasons. The most high-profile cases are usually in the area of criminal investigation, or perhaps civil litigation, but forensic techniques can be of value in a wide variety of situations, including simply tracking the steps taken when data has been lost.

· What are the common situations in which forensics are used?
Many, including:
- Unauthorized disclosure of corporate data (by accident or design)
- Employee internet abuse
- Damage assessment and analysis
- Industrial espionage
- Criminal fraud and deception cases
- More general criminal cases (many criminals simply store information of various types on computers)

· How is a forensic investigation typically approached?
Very broadly, the main phases are sometimes considered to be:
- secure the subject system (from tampering or unauthorized changes during the investigation);
- take a copy of the hard drive/disk (if applicable and appropriate);
- identify and recover all files (including deleted files);
- access/view/copy hidden, protected and temp files;
- study 'special' areas on the drive (for example, the residue from previously deleted files);
- investigate the settings and any data from applications and programs used on the system;
- consider the system as a whole from various perspectives, including its structure and overall contents;
- consider general factors relating to the user's computer and other activity and habits, in the context of the investigation;
- create a detailed and considered report, containing an assessment of the data and information collected.
Throughout the investigation, a full audit log of all your activities should be maintained and recorded. It is not unreasonable to include this in the report.

· Are there any actions that should be avoided during an investigation?
It is certainly important to avoid changing time or date stamps (typically of files) or, of course, changing the data itself. The same applies to the overwriting of unallocated disk space (e.g. which can happen on re-boot). 'Study don't change' is an important catch-phrase.
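
The copy step, the audit log and the 'study don't change' rule from the two answers above can be combined in one check. The following is an added example, not part of the original FAQ: it hashes a source image and its working copy read-only, confirms the source's size and modification time did not change, and records the result in a hash-chained audit log. The function names, log fields and sample files are assumptions made for illustration.

```python
import hashlib, json, os, time

def sha256_file(path, chunk=1 << 20):
    """Hash a file opened read-only, in chunks so large images are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def _digest(entry):
    # Hash every field except the stored hash itself, in a stable key order.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def log_action(log, examiner, action, detail):
    """Append an audit entry chained to the previous one, so later edits show."""
    entry = {"time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
             "examiner": examiner, "action": action, "detail": detail,
             "prev": log[-1]["entry_hash"] if log else "0" * 64}
    entry["entry_hash"] = _digest(entry)
    log.append(entry)
    return entry

def verify_log(log):
    """Return True only if every entry is intact and still in its original order."""
    prev = "0" * 64
    for entry in log:
        if entry["prev"] != prev or _digest(entry) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True

def verify_copy(source, copy, log, examiner):
    """Compare source and working copy by hash, check that the source's size and
    modification time are unchanged by the check, and log the outcome."""
    before = os.stat(source)
    src_hash, copy_hash = sha256_file(source), sha256_file(copy)
    after = os.stat(source)
    untouched = (before.st_size, before.st_mtime_ns) == (after.st_size, after.st_mtime_ns)
    match = src_hash == copy_hash
    log_action(log, examiner, "verify_copy",
               {"source": source, "copy": copy, "source_sha256": src_hash,
                "copy_sha256": copy_hash, "match": match, "source_untouched": untouched})
    return match and untouched

if __name__ == "__main__":
    import tempfile
    d = tempfile.mkdtemp()                      # constructed sample files, not real evidence
    paths = [os.path.join(d, n) for n in ("disk.img", "copy.img")]
    for p in paths:
        with open(p, "wb") as f:
            f.write(b"constructed sample image" * 1000)
    audit = []
    print(verify_copy(paths[0], paths[1], audit, "examiner-1"), verify_log(audit))
```

Reading a file on a normally mounted filesystem can still update its access time, so this check complements a write blocker or read-only mount of the source rather than replacing one.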