Abstract
The modern age has allowed crimes to be analyzed from a different perspective: the digital dimension. Digital forensics aims to uncover the digital evidence in a case and to ensure that it is admissible in court. This report explains the digital forensic analysis process, including the forensic methodology used, tools and techniques of forensic analysis, analysis of forensic investigations, retrieval of deleted files and the lab results.
The paper explores various ways of mitigating threats to and breaches of information systems. It also explains expert planning for the field: the procedure of computer criminology, the expansive range of subjects within digital forensic science, and digital crimes. Furthermore, the importance of digital evidence in criminal and civil investigations and in data security is explored. This report also reveals the questionable premise of, and practical help for, all parts of computerized research and the use of digital evidence in forensics and law enforcement. A conclusion on forensic results, the legal implications and recommendations will then be drawn.
Methodology
This section unveils the details of how digital forensic analysis is conducted. It displays the structure of chronological events from evidence collection to processing of forensic data.
Investigations
This section provides details about the step-by-step process used in the examination of the forensic evidence in question, for example, a digital image of a USB flash drive. It serves to explain the chain of custody and validation of the forensic evidence. It is a four-step model that includes seizure, acquisition, analysis of the digital media and compilation of a report on the collected evidence (Chaski, 2005). The primary focus of the investigation is to recover objective proof of criminal activity.
Secure programming fundamentals
Digital forensic analysis methodology refers to the "use of scientific verified tools and methods in collection, processing and presentation of evidence sourced from digital devices in facilitating or assisting the recreation of events of a legal offense" (Baryamureeba & Tushabe, 2004). It is a four-step process but may be condensed depending on the need or situation of the examiner. The steps are preparation, extraction, identification and analysis.
Preparation
Preparation constitutes the development of devices and techniques for examining the requested data. The initial phase includes an assessment of the equipment and software to ensure their integrity. Once this is done, the analyst copies the information in the original forensic request and validates it. The procedure assumes that legal requirements have been satisfied. After the examiner checks the integrity of the information, a plan is created to extract the data.
Extraction
Extraction involves reorganizing the forensic data into a comprehensible form. Here the examiner sorts out and refines the forensic request into questions he or she understands, and selects the tools that allow those questions to be answered. The examiner has prior information on what to look for in the request. These items are added to a lead list. The purpose of the list is to focus the analysis. As new leads are discovered, they are added to the list, and exhausted ones are marked as processed. For every search lead, the examiner extracts the significant information and marks the lead as processed. The extracted information is then added to a new list, which can be referred to as the Extraction List. The results of all search leads are incorporated into the Extraction List.
Identification
Identification constitutes the assessment of the relevance of the extracted data to the forensic request. First, the examiner figures out what kind of item it is. If it is not relevant to the forensic request, it is marked as processed and the examiner moves on to the next item. If the examiner comes across an incriminating item that is not covered by the search warrant, he or she is advised to halt the whole process immediately, notify the relevant individuals, including the requester, and wait for further instructions. If the information is relevant to the request, it is recorded on another list, which can be referred to as the Relevant List. It is a rundown of the information applicable to the initial request. Extracted data can also point to entirely new potential sources of data, which are recorded on another list referred to as New Leads.
Analysis
Analysis involves giving the extracted data meaning in relation to the forensic request. Here the examiner ties all of the items together and paints a complete picture for the requester. Examiners also explain why this data is significant and what it means to the case. For each relevant item, the examiners attempt to explain when it was created, accessed, modified, received, sent, viewed, deleted, and launched. They observe and explain the sequence of events and determine which events occurred simultaneously. Analysts record the results, and any information applicable to the forensic request, and combine everything into the last list, referred to as the Analysis List.
Tools and techniques
Many examiners apply a variety of instruments in analyzing forensic data. Therefore, it is important to understand the origin and purpose of these tools. An essential toolkit should comprise different software that can be used in decrypting, authenticating, auditing, backing up, tracking and recovering the required forensic data (Carrier, 2003). Some of the analysis tools used in digital forensics include Award Key Logger, Recuva, USBDeview, OpenPuff, and WinHex. These programs assist in data recovery, code breaking, and password recovery.
Web Log and Session Analysis
Scanning for residual evidence of web activity is very important in filling gaps in an advanced forensic case. Some available tools used to investigate web browsers and analyze a broad range of information include Cacheback and Encase. The forensic examiner can analyze user activity such as blogging, email and online banking, among others. Jones (2003) explained the structure of the index.dat file and gave step-by-step instructions for extracting deleted activity records from Internet Explorer. It is also crucial to plot the suspect's movements along a timeline.
Hash Analysis
Hashing is an essential tool in digital forensic investigation. To screen data efficiently, the forensic expert relies mostly on hash-based techniques, in which hash values act as digital fingerprints. Cryptographic hash functions, for example MD5 and SHA-512, have a high functioning power that allows for decryptions of digital data via hash values. The hash values can be traced back to the suspect's original operation point.
Device imaging procedures
Forensic image processing involves the restoration and enhancement of digital surveillance imagery (Gonzalez & Woods, 2007). Some of the digital devices and media that can undergo the imaging process include disks, drives, files, mobile devices and network systems.
Disk imaging: this involves reading a disk, e.g. a compact disk, from start to end and translating the data into a forensic image format. The process revolves around duplicating the original copy of the data using a suitable imaging tool and verifying the integrity of the data to prove that the copy is exact and unaltered.
Network imaging: this involves the use of a crossover network cable that creates a connection between two computers. The setup requires network interfaces, a crossover network cable and a bootable Linux disk that does not rely on the hard drive of the subject's computer. The analyst can then extract data from the suspect device to his or her own device, bypassing Windows barriers such as passwords.
Drive imaging: this involves the geometry of the drive. The procedure involves logical analysis of information in allocated space and physical analysis of information in the unallocated and slack disk spaces.
File imaging: this includes mounting the forensic image to access the file system it contains. Once the image is mounted, the examiner uses any suitable tool, such as search or view, to analyze the data. To avoid any alterations, the forensic image is mounted in read-only mode.
Mobile device imaging: the procedure involves a logical acquisition of data using a suitable tool that helps in recovering files and directories on the phone's storage; this unveils information such as call records, text messages, and contacts. The examiner can alternatively recover data by physical acquisition from the internal memory.
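The following Python sketch is an added example, not part of the original paper. It shows the two uses of hash values described under Hash Analysis and disk imaging: proving that a copy is exact and unaltered, and screening files against a set of known hash values. The function names, the in-memory streams standing in for the source medium and the image file, and all sample data are constructed for illustration.

```python
import hashlib
import io

CHUNK = 1 << 20  # read 1 MiB at a time so a large image never sits in memory
ALGORITHMS = ("md5", "sha512")  # the two hash functions named in the text


def digests(stream):
    """Hash a binary stream in one pass; returns {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for block in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def image_and_verify(source, image):
    """Copy source to image while hashing it, then re-read the image and
    check that its digests equal the ones taken during acquisition."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for block in iter(lambda: source.read(CHUNK), b""):
        image.write(block)
        for h in hashers.values():
            h.update(block)
    acquired = {name: h.hexdigest() for name, h in hashers.items()}
    image.seek(0)
    return acquired, digests(image) == acquired


def screen(files, known_sha512):
    """Split {name: bytes} into names whose SHA-512 is in the known set
    and names that still need an examiner's attention."""
    matched, unknown = [], []
    for name, data in files.items():
        hit = hashlib.sha512(data).hexdigest() in known_sha512
        (matched if hit else unknown).append(name)
    return sorted(matched), sorted(unknown)


# Constructed sample data standing in for seized media and a known-file set.
SAMPLE_MEDIA = b"constructed sample sector data " * 4096
SAMPLE_FILES = {"notes.txt": b"meeting at 9", "logo.png": b"\x89PNG constructed"}
KNOWN = {hashlib.sha512(b"\x89PNG constructed").hexdigest()}

if __name__ == "__main__":
    acquired, ok = image_and_verify(io.BytesIO(SAMPLE_MEDIA), io.BytesIO())
    print("image verified:", ok, "md5:", acquired["md5"])
    print("known / unknown:", screen(SAMPLE_FILES, KNOWN))
```

Recording the acquisition digests alongside the image lets anyone who later handles the copy repeat the comparison.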
Relevance to investigation
Digital imaging enables the examiner to explore the information embedded within the devices used by the suspects via the use of appropriate tools. It also helps in keeping the integrity of the forensic data intact through validation of the duplicated copy.
Log inspections
Log inspection refers to the analysis of network event logs and Syslog data to identify a breach within a system and even track down the perpetrators of such breaches. Network infrastructure devices, for example routers, switches, firewalls and servers, create event log data and Syslog data each time an activity occurs on the network. Event log data and system log records resemble digital fingerprints left by everybody who accessed the network devices and applications. Forensic examiners can plot the digital fingerprints to detect the anomaly and recreate the crime scene. The event log machines used by the examiner are encrypted, ensuring that the forensic data is safe and secure and preventing tampering.
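The following Python sketch is an added example, not part of the original paper. It turns Syslog lines from several devices into one time-ordered timeline and flags one anomaly: a successful login preceded by repeated failures from the same source. The log lines, the sshd message layout matched by the pattern, the year, the threshold and the function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in classic syslog layout (not from a real case).
SAMPLE_LOG = """\
Jun  9 03:14:01 fw01 sshd[2211]: Failed password for admin from 203.0.113.7 port 50122 ssh2
Jun  9 03:14:03 fw01 sshd[2211]: Failed password for admin from 203.0.113.7 port 50124 ssh2
Jun  9 03:14:05 fw01 sshd[2211]: Failed password for root from 203.0.113.7 port 50130 ssh2
Jun  9 03:14:09 fw01 sshd[2211]: Accepted password for admin from 203.0.113.7 port 50133 ssh2
Jun  9 08:30:12 srv02 sshd[901]: Accepted password for alice from 198.51.100.20 port 41000 ssh2
Jun  9 08:31:00 srv02 sshd[901]: Failed password for alice from 198.51.100.20 port 41010 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+) "
)


def timeline(text, year=2021):
    """Parse sshd lines into time-ordered event dicts; the classic syslog
    timestamp carries no year, so the examiner supplies it (assumed here)."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # other message types are outside this example
        event = m.groupdict()
        event["ts"] = datetime.strptime(f"{year} {event['ts']}", "%Y %b %d %H:%M:%S")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def failures_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """Return (src, host, user, time) for each accepted login preceded by at
    least `threshold` failures from the same source on that host in `window`."""
    failures, findings = defaultdict(list), []
    for e in events:
        key = (e["src"], e["host"])
        if e["result"] == "Failed":
            failures[key].append(e["ts"])
        else:
            recent = [t for t in failures[key] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                findings.append((e["src"], e["host"], e["user"], e["ts"]))
    return findings
```

Running `failures_then_success(timeline(SAMPLE_LOG))` on the sample flags only the 03:14:09 login on fw01; the later activity on srv02 stays in the timeline but is not reported.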
Retrieval of deleted file
This process refers to the recovery of otherwise inaccessible or damaged data on digital media for forensic investigation. Its purpose is to help reconstruct the crime and close the gaps and holes in a forensic investigation. The process involves the recovery of deleted data from digital storage systems such as hard drives using the appropriate forensic tools. The procedure involves tracking and auditing trails that are finally mapped into a log. The records assist in legal proceedings and make the evidence admissible in court.
Lab results
The following is an example of a lab result for a camera analyzed for forensic evidence.
The results explain the timeline and the specifications of the camera, which can be traced back to the owner in case he or she is a suspect in a criminal investigation.
Conclusion
Digital innovation has significantly contributed to the rising level of cybercrime around the world. Criminals have become more sophisticated in their execution plans; therefore, law enforcement is forced to step up and devise new ways of dealing with the change to level the playing field. This plan involves the creation of new tools that can efficiently combat and solve these cases, and digital forensics seems to provide that solution. Through it, experts can scan digital devices used in crimes and come up with evidence that is admissible in court.
References
Baryamureeba, V., & Tushabe, F. (2004, August). The enhanced digital investigation process model. In Proceedings of the Fourth Digital Forensic Research Workshop (pp. 1-9).
Carrier, B. (2003). Defining digital forensic examination and analysis tools using abstraction layers. International Journal of Digital Evidence, 1(4), 1-12.
Chaski, C. E. (2005). Who's at the keyboard? Authorship attribution in digital evidence investigations. International Journal of Digital Evidence, 4(1), 1-13.
Gonzalez, R. C., & Woods, R. E. (2007). Image processing. Digital image processing, 2.
Jones, K. J. (2003). Forensic analysis of internet explorer activity files. Forensic Analysis of Microsoft Windows Recycle Bin Record...
Cite this page
Digital Forensic Analysis - Paper Example. (2021, Jun 09). Retrieved from https://midtermguru.com/essays/digital-forensic-analysis-paper-example