Hello,
We hope this article helps you. It's a very useful post for every computer user, because from this post we can learn about computer forensics, which is very important these days. Let's now learn about computer forensics.
What is computer forensics?
Computer forensics is the investigation of crimes in which computer systems are involved.
Computer forensics (sometimes known as computer forensic science) is a branch of digital forensic science pertaining to legal evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the information.
CHFI is a common forensic investigator course offered by EC-Council.
Overview
In the early 1980s personal computers became more accessible to consumers, leading to their increased use in criminal activity (for example, to help commit fraud). At the same time, several new "computer crimes" were recognized (such as hacking). The discipline of computer forensics emerged during this time as a method to recover and investigate digital evidence for use in court. Today it is used to investigate a wide variety of crime, including child pornography, fraud, cyberstalking, murder and rape. The discipline also features in civil proceedings as a form of information gathering (for example, electronic discovery).
Forensic techniques and expert knowledge are used to explain the current state of a digital artifact, such as a computer system, a storage medium (e.g. a hard disk or CD-ROM) or an electronic document (e.g. an email message or JPEG image). The scope of a forensic analysis can vary from simple information retrieval to reconstructing a series of events. In the 2002 book Computer Forensics, authors Kruse and Heiser define computer forensics as involving "the preservation, identification, extraction, documentation and interpretation of computer data". They go on to describe the discipline as "more of an art than a science", indicating that forensic methodology is backed by flexibility and extensive domain knowledge.
Forensic process
Computer forensic investigations usually follow the standard digital forensic process (acquisition, analysis and reporting). Investigations are performed on static data (i.e. acquired images) rather than "live" systems. This is a change from early forensic practices which, due to a lack of specialist tools, saw investigations commonly carried out on live data.
Techniques
A number of techniques are used during computer forensics investigations.

Cross-drive analysis
A forensic technique that correlates information found on multiple hard drives. The process, which is still being researched, can be used for identifying social networks and for performing anomaly detection.

Live analysis
The examination of computers from within the operating system using custom forensics or existing sysadmin tools to extract evidence. The practice is useful when dealing with Encrypting File Systems, for example, where the encryption keys may be collected and, in some instances, the logical hard drive volume may be imaged (known as a live acquisition) before the computer is shut down.

Deleted files
A common technique used in computer forensics is the recovery of deleted files. Modern forensic software has its own tools for recovering or carving out deleted data. Most operating systems and file systems do not always erase physical file data, allowing it to be reconstructed from the physical disk sectors. File carving involves searching for known file headers within the disk image and reconstructing deleted materials.
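To make the cross-drive analysis technique concrete, here is an added example (not code from the original post or from any forensic product) that correlates one kind of feature, e-mail addresses, across several drive images. The drive images are constructed byte strings standing in for acquired images; the names `drive_A.dd` and so on are made up. Any feature appearing on two or more drives is reported, and the number of shared features between each pair of drives gives a simple edge weight for the social-network view the text mentions.

```python
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample "drive images". In a real case each value would be the raw
# bytes of an acquired disk image; here short byte strings embed a few e-mail
# addresses between filler bytes so the example runs offline.
SAMPLE_DRIVES = {
    "drive_A.dd": b"\x00\x00\x00From: alice@example.test\x00To: bob@example.test\x00\xff\xff",
    "drive_B.dd": b"garbage\x00\x00mailto:bob@example.test\x00\x00carol@example.test\x00",
    "drive_C.dd": b"\x00unrelated sectors\x00carol@example.test\x00\x00\x00",
}

# Deliberately simple e-mail pattern applied to raw bytes (no file-system parsing needed,
# which is what lets this run over unallocated space as well as live files).
EMAIL_RE = re.compile(rb"[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}", re.IGNORECASE)


def extract_features(image):
    """Return the set of e-mail addresses (lower-cased) found anywhere in a raw image."""
    return {m.group(0).decode("ascii", "replace").lower() for m in EMAIL_RE.finditer(image)}


def cross_drive_correlation(drives):
    """Map each feature to the sorted list of drives it appears on, keeping only
    features seen on at least two drives (the ones that link drives together)."""
    index = defaultdict(set)
    for name, image in drives.items():
        for feature in extract_features(image):
            index[feature].add(name)
    return {feature: sorted(names) for feature, names in index.items() if len(names) >= 2}


def drive_affinity(drives):
    """Count shared features for every pair of drives; non-zero counts are the edges
    of a simple social-network graph whose nodes are the drives."""
    features = {name: extract_features(image) for name, image in drives.items()}
    edges = {}
    for a, b in combinations(sorted(features), 2):
        shared = features[a] & features[b]
        if shared:
            edges[(a, b)] = len(shared)
    return edges


if __name__ == "__main__":
    for feature, names in cross_drive_correlation(SAMPLE_DRIVES).items():
        print(f"{feature} appears on {', '.join(names)}")
    for (a, b), weight in drive_affinity(SAMPLE_DRIVES).items():
        print(f"{a} <-> {b}: {weight} shared feature(s)")
```

Running it shows that `bob@example.test` ties drive A to drive B and `carol@example.test` ties drive B to drive C, while `alice@example.test` is unique to one drive and is dropped. Real cross-drive work uses many feature types (credit card numbers, message IDs, hashes of files) and much larger images, but the indexing step is the same.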
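The forensic process above (work on a static image, then analyze and report) and the file-carving technique just described can be shown together. The following is an added example written for this post, not code from the original author or from any forensic tool. It uses a constructed disk image containing one complete JPEG, one complete PNG and one JPEG whose end-of-image marker is missing; the signature constants are the real JPEG and PNG header/footer bytes, everything else (the filler, the body bytes, the function names) is made up. The image hash is checked against the value recorded at acquisition before any carving happens, and the truncated file is reported as incomplete rather than silently dropped or extended to the end of the image.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

# Real file signatures: JPEG start/end-of-image markers and PNG signature/IEND chunk.
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"
PNG_SIG = b"\x89PNG\r\n\x1a\n"
PNG_END = b"IEND\xae\x42\x60\x82"

SIGNATURES = {
    "jpg": (JPEG_SOI, JPEG_EOI),
    "png": (PNG_SIG, PNG_END),
}

# Constructed disk image: filler, a complete JPEG, a complete PNG, then a JPEG
# header with no footer (as left behind when a file's tail sectors were overwritten).
SAMPLE_IMAGE = (
    b"\x00" * 16
    + JPEG_SOI + b"\xe0" + b"JPEGBODY" + JPEG_EOI
    + b"\x00" * 8
    + PNG_SIG + b"PNGBODY" + PNG_END
    + b"\x00" * 4
    + JPEG_SOI + b"\xe1" + b"TRUNCATED"
)

# Hash that would have been written into the acquisition notes when the image was taken.
ACQUISITION_HASH = hashlib.sha256(SAMPLE_IMAGE).hexdigest()


@dataclass
class CarvedFile:
    kind: str
    start: int
    end: Optional[int]   # None when no footer was found
    data: bytes
    complete: bool


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_image(data: bytes, expected_hash: str) -> bool:
    """Acquisition check: analysis only proceeds on an image whose hash still
    matches the one recorded when it was acquired."""
    return sha256_hex(data) == expected_hash


def carve(data: bytes, max_size: int = 10_000_000) -> List[CarvedFile]:
    """Header/footer carving over a raw image, ignoring any file system.
    A header with no footer within max_size bytes is reported as incomplete."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = data.find(header)
        while pos != -1:
            end = data.find(footer, pos + len(header))
            if end == -1 or end - pos > max_size:
                # Keep what is there (capped) so the examiner can still inspect it.
                found.append(CarvedFile(kind, pos, None, data[pos:pos + max_size], False))
                next_search = pos + len(header)
            else:
                end += len(footer)
                found.append(CarvedFile(kind, pos, end, data[pos:end], True))
                next_search = end
            pos = data.find(header, next_search)
    return sorted(found, key=lambda f: f.start)


def report(data: bytes, expected_hash: str) -> List[str]:
    """Reporting step: one line per carved object, each with its own hash so the
    extracted artifacts can be referenced and re-verified later."""
    if not verify_image(data, expected_hash):
        return ["image hash mismatch: refusing to analyze"]
    lines = []
    for f in carve(data):
        status = "complete" if f.complete else "incomplete (no footer)"
        lines.append(f"{f.kind} at offset {f.start}-{f.end} {status} sha256={sha256_hex(f.data)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_IMAGE, ACQUISITION_HASH)))
```

Offsets in the constructed image are known in advance (JPEG at 16, PNG at 38, truncated JPEG at 65), which is what makes the example checkable; on a real image the same loop is run over a read-only copy, and the hash comparison is the first thing in the notes, not an afterthought.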
Volatile data
When seizing evidence, if the machine is still active, any information stored solely in RAM that is not recovered before powering down may be lost. One application of "live analysis" is to recover RAM data (for example, using Microsoft's COFEE tool) prior to removing an exhibit. RAM can be analyzed for prior content after power loss, because the electrical charge stored in the memory cells takes time to dissipate. The length of time for which data recovery is possible is increased by low temperatures and higher cell voltages. Holding unpowered RAM below −60 °C will help preserve the residual data by an order of magnitude, thus improving the chances of successful recovery. However, it can be impractical to do this during a field examination.
Analysis tools
Listed below are software tools that have been found to be useful in forensic examination of recovered evidence.
This list is a living list and should have new tools added as they become available and supersede older tools, which should be removed.