What is Cyber Forensics
Cyber forensics is a science that provides standard procedures and techniques to identify, gather and preserve digital evidence, and that evidence must be admissible in a court of law.
What is digital evidence
Information that is either stored on digital devices or transmitted digitally, where the data is in the form of binary numbers, i.e. 0 or 1. It may reside on a hard disk, USB drive, mobile phone, RAM, CD, GPS device etc. Digital evidence is very fragile in nature and therefore requires extra caution. Digital evidence can be internet based, standalone-computer based or from mobile devices etc., but it must be reliable.
Why do we need digital evidence? Because it is helpful in solving cybercrime such as hacking, unauthorised transmission of information or data, identity theft, malicious attacks, theft of commercial secrets or confidential information of a state or country, creation of fake documents such as identity proofs, email communication between suspects/conspirators etc.
There are two types of digital evidence – volatile and non-volatile
Volatile – Data is lost as soon as the device is powered off, e.g. system time, logged-on users, open files, network information, data stored in RAM etc.
Non-volatile – Data permanently stored on secondary storage devices such as hard disks and memory cards, e.g. hidden files, hidden partitions, unused partitions etc.
Time is very crucial when collecting digital evidence: when you delete a file it is not deleted permanently, but over a period of time that deleted portion can be overwritten.
Some points need to be taken care of while collecting digital evidence:
- It must be clear and understandable to the judges.
- It must be original and valid, and should provide the same results if repeated or during re-creation of the crime scene.
- It must be complete.
Cyber forensics has evolved a lot and, due to emerging cybercrime, big organizations now have a dedicated forensics department, because in case of any incident they can find the culprit, mitigate risks, provide suitable evidence to the law enforcement agencies or to the research department etc.
What is Data Acquisition – It is the process of imaging or collecting information as per standard operating procedures. It is a very crucial process and therefore requires utmost attention. Data can be acquired from hard disks, USB disks, memory cards, mobile phones, iPads etc.
Types of Data Acquisition–
Data acquisition is of two types: logical acquisition and sparse acquisition.
During logical acquisition, investigators acquire selected files and file types, for example files related to emails.
During sparse acquisition, investigators may acquire deleted data as well.
Data acquisition involves the disk-to-image-file copying process and disk-to-disk copying.
The disk-to-image-file method is the commonly used one.
While copying or imaging the disk, the data acquisition format has to be decided. For example, you may choose the raw format or other formats provided by the particular tool. There are many tools available in the market and they provide different formats. There is a defined methodology for data acquisition, and we need to decide whether we want to collect volatile data, non-volatile data or both.
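The disk-to-image-file acquisition in raw format described above, with the integrity check that the Data Acquisition phase below calls for, written out as an added example (not code from the original article): the source is read in blocks and copied bit-for-bit into a raw image, hashed from the same bytes, and the finished image is re-read and compared. The file names and the sample "disk" contents are constructed for the demo; on a real case the source would be the device and the hashes would go into the acquisition log.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB blocks: a full device must not be loaded into memory

def hash_file(path, hash_name="sha256"):
    """Hash a file in blocks; used to verify the image against the source."""
    h = hashlib.new(hash_name)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def image_disk(source_path, image_path, hash_name="sha256"):
    """Copy source_path bit-for-bit into a raw (dd-style) image file.

    The source is opened read-only so the acquisition cannot alter it, and its
    hash is computed from the same bytes that are written to the image.
    Returns the source hash to be recorded in the acquisition log.
    """
    src_hash = hashlib.new(hash_name)
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
    return src_hash.hexdigest()

def verify_image(source_hash, image_path):
    """Re-read the finished image independently and compare it to the source hash."""
    return hash_file(image_path) == source_hash

def demo():
    """Acquire a constructed sample 'disk' and verify the image (hypothetical paths)."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "suspect_disk.bin")   # stands in for a real device
    image = os.path.join(workdir, "suspect_disk.dd")
    with open(source, "wb") as f:
        # Constructed data: a repeating byte pattern plus a fake deleted-file remnant
        f.write(bytes(range(256)) * 16 + b"deleted-file-remnant")
    source_hash = image_disk(source, image)
    return {"source": source, "image": image,
            "source_hash": source_hash, "verified": verify_image(source_hash, image)}

if __name__ == "__main__":
    print(demo())
```

If the two hashes differ, the image is not a faithful copy and must not be used as evidence; the acquisition is repeated and the mismatch is documented.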
There are many phases of computer forensics:
Response – As soon as any incident occurs and is reported, the cyber forensics team's role begins.
Search and Seizure – The cyber forensics team starts looking for the devices involved in the incident, and isolates and seizes them as per defined standards. This action may block the cyber criminal's entry into the organization's network.
Evidence Collection – After proper search and seizure of devices, the evidence collection process begins as per defined protocols and standards.
Securing the evidence – Evidence is secured and protected because digital evidence is fragile in nature.
Data Acquisition – Data is acquired from the digital evidence with proper care, because the integrity of the evidence must remain intact.
Data Analysis – Data is analysed and the specific data that is useful for the court of law is collected.
Evidence assessment – Evidence assessment now takes place with respect to the incident that occurred.
Documentation and reporting – Starts in accordance with the court of law.
And, as per the case, expert witness testimony takes place.