

ID: 669215 • Letter: C

Question

COMPUTER AND NETWORK FORENSICS (SHOULD BE PLAGIARISM FREE ANSWER)

1> When handling evidence, we need to consider several factors, including, but not limited to, the authenticity of the evidence and the integrity of the evidence.

We need to demonstrate that what we are presenting as evidence is what we are claiming that we are presenting as evidence. How do we demonstrate that what we have is in fact the image of the hard drive of the suspect's computer?

Also, we need to demonstrate that neither the original evidence nor any working copies were altered in any way, or if they were altered that it was done for a good reason and it is repeatable.

NEVER ALTER ORIGINAL EVIDENCE.

There are situations, when imaging a drive, where your copy may be different from the original. What could some of those situations be, what would be the differences between the original and the copy, and how could you justify that to keep a judge from throwing out the evidence?

Explanation / Answer

Well, all your doubts can be cleared by the basic network forensics fundamentals. There are basically five steps in network forensics to ensure proper care of evidence:

1. Collection

2. Identification

3. Transportation

4. Storage

5. Documentation

Your question is particularly about the storage drive. So, let me start by answering this part: There are situations, when imaging a drive, where your copy may be different from the original. What could some of those situations be?

Well, there are several techniques by which intruders may hide data:

–Obfuscating data through encryption and compression.

–Hiding through codes, steganography, deleted files, slack space, and bad sectors. (Cryptography is one example.)

–Blinding investigators through changing behavior of system commands and modifying operating systems.

Now, the other part of the question:

How do we demonstrate that what we have is in fact the image of the hard drive of the suspect's computer?

To ensure this, we should follow a standard procedure while taking an image of the hard drive. I am summarising these points below:

–Make an image copy and then restore the image to a freshly wiped hard drive for analysis.

–Remount the copy and start to analyze it.

–Before opening it, get information on its configuration.

–Use tools to generate a report listing the disk’s contents (for example PartitionMagic).

–View operating system logs.

Now comes the last part: what would be the differences between the original and the copy, and how could you justify that to keep a judge from throwing out the evidence?

Well, the previous part answers this question too, but I am going to mention one more point here for this part specifically:

Keep proof of integrity and timestamp the evidence through encryption of the data files.

–Two algorithms (MD5 and SHA-1) are in common use today.

A timestamp is a powerful thing. It can be used to prove many things. :)
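The integrity check the answer above describes, worked through as an added example (this code is not part of the original answer or of any forensic tool). It hashes a constructed sample "drive" with MD5, SHA-1 and SHA-256, verifies a bit-for-bit copy against those digests, then shows the bad-sector case from the question: the hypothetical `read_sector` helper fails on a chosen sector, the imager zero-fills it the way most forensic imagers do, and the substitution is logged with its byte offset so the deviation is explained and repeatable. The `SAMPLE_DRIVE` bytes are constructed test data, not a real disk image.

```python
import hashlib
from typing import Dict, List, Tuple

SECTOR_SIZE = 512

# Constructed sample "drive": 8 sectors of deterministic, non-zero content.
# Stand-in data for this example only, not a real disk image.
SAMPLE_DRIVE = b"".join(
    bytes([(i * 37 + j) % 256 for j in range(SECTOR_SIZE)]) for i in range(8)
)


def hash_image(data: bytes) -> Dict[str, str]:
    """Hex digests of the whole image under several algorithms.
    MD5 and SHA-1 are the two the answer names; SHA-256 is added
    because the first two are no longer collision resistant."""
    digests = {}
    for name in ("md5", "sha1", "sha256"):
        h = hashlib.new(name)
        h.update(data)
        digests[name] = h.hexdigest()
    return digests


def read_sector(source: bytes, index: int, bad_sectors) -> bytes:
    """Hypothetical sector read used to simulate a failing disk:
    any sector listed in bad_sectors raises, as a real read error would."""
    if index in bad_sectors:
        raise IOError(f"read error at sector {index}")
    start = index * SECTOR_SIZE
    return source[start:start + SECTOR_SIZE]


def image_drive(source: bytes, bad_sectors=frozenset()) -> Tuple[bytes, List[dict]]:
    """Image the source sector by sector.  Unreadable sectors are
    zero-filled and every substitution is logged with its byte offset,
    so the difference from the original can be explained and reproduced."""
    sectors = []
    log = []
    for i in range(len(source) // SECTOR_SIZE):
        try:
            sectors.append(read_sector(source, i, bad_sectors))
        except IOError as exc:
            sectors.append(b"\x00" * SECTOR_SIZE)
            log.append({
                "sector": i,
                "offset": i * SECTOR_SIZE,
                "length": SECTOR_SIZE,
                "action": "zero-filled",
                "reason": str(exc),
            })
    return b"".join(sectors), log


def verify_copy(original_digests: Dict[str, str], copy: bytes) -> bool:
    """True only if every digest of the copy matches the original's."""
    return hash_image(copy) == original_digests


def differing_sectors(a: bytes, b: bytes) -> List[int]:
    """Sector indexes at which two images differ; used to show that the
    only deviations in a damaged copy are the logged, zero-filled sectors."""
    return [
        i for i in range(len(a) // SECTOR_SIZE)
        if a[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE] != b[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE]
    ]


if __name__ == "__main__":
    original = hash_image(SAMPLE_DRIVE)
    clean, log = image_drive(SAMPLE_DRIVE)
    print("clean copy verifies:", verify_copy(original, clean), "deviations:", log)
    damaged, log = image_drive(SAMPLE_DRIVE, bad_sectors={3})
    print("damaged copy verifies:", verify_copy(original, damaged))
    for entry in log:
        print("documented deviation:", entry)
    print("sectors that differ from the original:", differing_sectors(SAMPLE_DRIVE, damaged))
```

Record the original's digests before imaging, the copy's digests after, and the deviation log alongside them; a second pass over the same damaged drive with the same imager produces the same zero-filled sectors and therefore the same copy digests, which is what makes the deviation repeatable rather than an unexplained mismatch.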
