Forensics Methodology

Investigative Process

  • Assess

  • Acquire

  • Analyse

  • Report

Forensics Topics

Hard Disks and File System

Data Acquisition

Anti-Forensics

OS Forensics

Network Forensics

Web Attack Investigations

Database Forensics

Forensics in the cloud

Malware

Email Investigation

Mobile

Reporting

Rules of a forensic investigator

  • limit access to original evidence

  • make duplicate copies and examine those

  • record changes (every change to the evidence must be documented and justifiable)

  • chain of custody

  • setting standards (wait to acquire the evidence until the procedure is in place)

  • know your own limitations (find a proper person with the resources)

  • secure storage

  • legal (understand the jurisdiction, is it a crime to investigate?)

  • industry tools (know the latest tools)

ETI (Enterprise Theory of Investigation)

Types of evidence:

volatile: lost when power is removed (system time, running processes, command history, etc.)

non-volatile: still available after cutting the power (event logs, partitions, swap file, hidden files, registry)

Characteristics of Digital Evidence

  • Admissible: evidence must be relevant to the case, act in support of the client presenting it, and be well communicated and non-prejudiced.

  • Authentic: investigators must provide supporting documents regarding the authenticity, accuracy, and integrity of the evidence, with details such as its source and its relevance to the case. If necessary, they must also furnish details such as the author of the evidence or its path of transmission.

  • Complete: the evidence must either prove or disprove the consensual fact in the litigation.

  • Reliable: extract and handle the evidence while maintaining a record of the tasks performed during the process, to prove that the evidence is dependable. Forensic investigation is conducted only on copies of the evidence.

  • Believable: present the evidence in a clear manner to the jury and obtain expert opinions where necessary.

Best Evidence Rule

The best evidence rule exists to prevent any alteration of digital evidence, whether intentional or unintentional: the original is the preferred evidence.

A duplicate will also suffice as evidence under the following conditions:

  • Original evidence is destroyed due to fire or flood.

  • Original evidence is destroyed in the normal course of business.

  • Original evidence is in the possession of a third party.
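The "make duplicate copies and examine those" and "chain of custody" rules above, together with the best evidence rule here, come down to one practical discipline: hash the original, hash the working copy, examine only the copy, and log every step so the duplicate can be shown to be unaltered. The following Python is an added example written for these notes (it is not part of the original page): it uses a constructed stand-in for a disk image, a placeholder examiner name, and a simple JSON custody log; the function and file names are assumptions, not a tool's own API.

```python
"""
Verify a forensic working copy against the original and keep a custody log.
Added example: the image contents, file names and examiner name below are
constructed placeholders, not real evidence.
"""
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file in chunks so large images never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquire_copy(original: Path, workdir: Path) -> Path:
    """Create the working copy; all later examination happens on this file only."""
    copy = workdir / (original.name + ".working")
    shutil.copyfile(original, copy)
    return copy


def verify_copy(original_hash: str, copy: Path) -> bool:
    """A copy is acceptable for examination only if it hashes identically."""
    return sha256_file(copy) == original_hash


def custody_entry(action: str, item: Path, digest: str, handler: str) -> dict:
    """One chain-of-custody record: who did what to which item, and its hash."""
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "action": action,
        "item": item.name,
        "sha256": digest,
        "handler": handler,
    }


def run_acquisition(original: Path, workdir: Path, handler: str) -> tuple[list[dict], bool]:
    """Hash the original, duplicate it, verify the duplicate, and log each step."""
    log: list[dict] = []
    original_hash = sha256_file(original)
    log.append(custody_entry("hash original", original, original_hash, handler))

    copy = acquire_copy(original, workdir)
    copy_hash = sha256_file(copy)
    log.append(custody_entry("create working copy", copy, copy_hash, handler))

    ok = verify_copy(original_hash, copy)
    log.append(custody_entry("verify copy" if ok else "VERIFY FAILED", copy, copy_hash, handler))
    return log, ok


def demo() -> tuple[bool, bool]:
    """Return (clean copy verified, later alteration of the copy detected)."""
    with tempfile.TemporaryDirectory() as tmp:
        workdir = Path(tmp)
        original = workdir / "evidence.dd"  # constructed stand-in for a disk image
        original.write_bytes(b"MBR\x00" * 1024 + b"constructed sample data")

        log, ok = run_acquisition(original, workdir, "examiner A (placeholder)")

        # Simulate an accidental write to the working copy after acquisition;
        # re-verifying against the logged original hash must now fail.
        copy = workdir / "evidence.dd.working"
        with copy.open("r+b") as f:
            f.seek(0)
            f.write(b"X")
        altered_detected = not verify_copy(log[0]["sha256"], copy)

        print(json.dumps(log, indent=2))
        return ok, altered_detected


if __name__ == "__main__":
    print(demo())
```

The custody log records the hash at every handling step, so a later reviewer can show that the examined copy matched the original at acquisition time and can pinpoint the step at which any mismatch first appeared. In practice the same hash would also be computed on a write-blocked original before and after imaging, and the log kept somewhere the examiner cannot silently edit.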

Federal rules of evidence

Laws
