when are the results of computer forensics used? course hero

What is the importance of computer forensics?

18. What is computer forensics? When are the results of computer forensics used? Computer forensics is the application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation while maintaining …

What type of data can be collected in a computer forensics investigation?

Jul 20, 2015 · The first is when the computer was or were used as an instrument to commit crime or involved in some other type of misuse . The second is when the computer is used as the target of a crime - hacked into and information stolen . The forensics experts gather the information and the information is stored to be used as an proof in the court .

What is the best book to learn computer forensics?

Computer Forensics. This is defined as the application of investigation and analysis techniques that are used to gather and preserve evidence from certain devices in a manner that is acceptable when it comes to presentation in a court of law (Mandia, Prosise & Pepe, 2016). Therefore, computer forensics can be very useful since it performs a structured investigation that can …

What is the first step in computer forensics?

COMPUTER FORENSICS OVERVIEW 2 A forensics specialist determines proof, discovers the importance of the proof, and compares the proof to a crime. The purpose of a forensic specialist is to give a better knowing of what occurred when it occurred, and how it occurred. Forensics includes investigation, research and analysis. These are the two basic primary tasks of …

Why is computer forensics important?

Therefore, computer forensics can be very useful since it performs a structured investigation that can maintain a document containing a chain of evidence to find what took place on a computing device and also who is responsible. Process of Investigation. The first process involves assessing the situation.

What is computer forensics?

Computer Forensics. This refers to a certain way or technique of carrying out analysis so as to get information that will be suitable when presented in the court of law . Additionally, computer forensics is also called cyber forensics (Maras, 2015).

What is the first step in the criminal justice process?

The first process involves assessing the situation. In this stage, the officer will simply determine the elements of a crime and also whether the law in the jurisdiction supports prosecution. The second stage involves conducting the initial investigation.

What is the first step in the process of investigation?

Process of Investigation. The first process involves assessing the situation. In this stage, the officer will simply determine the elements of a crime and also whether the law in the jurisdiction supports prosecution. The second stage involves conducting the initial investigation.

Why is computer forensics important?

To counteract those computer-related crimes, Computer Forensics plays a very important role. “Computer Forensics involves obtaining and analysing digital information for use as evidence in civil, criminal or administrative cases (Nelson, B., et al., 2008)”.

What is computer forensics?

A Computer Forensic Investigation generally investigates the data which could be taken from computer hard disks or any other storage devices with adherence to standard policies and procedures to determine if those devices have been compromised by unauthorised access or not.

What is computer investigation?

(2010), a computer investigation is to identify the evidences, preserve those evidences, extract them, document each and every process, and validate those evidences and to analyse them to find the root cause and by which to provide the recommendations or solutions.

What is the collection phase of forensics?

“The collection phase is the first phase of this process is to identify, label, record, and acquire data from the possible sources of relevant data, while following guidelines and procedures that preserve the integrity of the data” (CJCSM 6510.01B, 2012). There are two different types of data that can be collected in a computer forensics investigation. They are volatile data and non-volatile data (persistent data). Volatile data is data that exists when the system is on and erased when powered off, e.g. Random Access Memory (RAM), registry and caches. Non-volatile data is data that exists on a system when the power is on or off, e.g. documents in HD. Since volatile data is short-lived, a computer forensic investigator must know the best way to capture it. Evidence can be collected locally or remotely.

How to do non volatile data collection?

The first step in non-volatile data collection is to copy the content of entire target system. This is also called “forensic imaging”. Imaging helps to preserve the original data as evidence without any malfunction or changes in data which occurs during the forensic investigation. Forensic imaging will be created by forensic tools such as EnCase, ProDiscover and FTK. A forensic investigator uses a write blocker to connect to the target system and copy the entire contents of the target drive to another storage device by using any of those forensic tools. Hard drive cloning is nothing but to make a duplicate of the entire system. The difference between forensic imaging and hard drive cloning is that forensic imaging can’t be accessed without forensic tools, but hard drive cloning can easily be accessed with a mount drive. Hard drive cloning contains only a raw image, and every bit will be copied, and no other extra content will be added. Forensic imaging contains metadata ie., hashes and timestamps and it compresses all the empty blocks. Forensic imaging will hash with MD5 or SHA-2 to ensure the integrity of digital evidence (Nelson, B., et al., 2008).

What is a MFT file?

NTFS is the New Technology File System and NTFS Disk is a file. MFT is the Master File Table which contains information about all files and disks, and it is also the first file in NTFS. The records in the MFT are also called metadata.

What is NTFS disk?

NTFS disks are a data stream, which means they can be appended into another existing file. A data stream file can be stored as follows: C:echo text_mess > file1.txt:file2.txt. This file can be retrieved by the following command: C:more < file1.txt:file2.txt.

What is computer forensics?

Computer forensics is a combination of two terms: forensics, which refers to the scientific techniques or tests carried out in an attempt to detect a cyber-threat and computer, which is the medium used to convey data or information. In past studies, some scholars have defined forensics as the process of applying scientific techniques ...

What is the first step in computer forensics?

This initial step in computer forensics is to understand and identify the scenario. This is where the investigator points out the specific reason for conducting forensic analysis. The investigator also identifies the nature of the incident, the parties involved, and the resources required to satisfy the needs of the case.

Why is the collection of data important in the chain of custody?

The collection of data is the most critical step in this chain of custody because the entire analysis is primarily dependent on the collected data as evidence from the crime scene. Collection is defined as the process of data acquisition while maintaining the transparency or integrity of the data.

What is forensic team?

The Forensics Team is expected to follow a given structure while executing their documentation process. The contents of their documents are required to be preserved, verified, and appropriately documented. A forensic team must have in-depth know-how of every investigation.

What is the role of incident handlers?

The primary role of incident handlers is to monitor and act upon the occurrence of any computer security incidence. They check for malicious activities such as those related to breaching network policy, hijacking of server, RAT, installation of malicious codes or injection of code.

What are the different types of evidence?

Below is a look into some of the four major types of evidence; 1. Real/tangible evidence: As the name suggests, real evidence consists of tangible/physical material e.g., hard-drive, flash drive, etc. Apart from the material, a human also might be real evidence, e.g. an eye witness. 2.

What is evidence in court?

Evidence is the primary support for a claim in court. It can be classified using many types of different characteristics. Below is a look into some of the four major types of evidence;