Question

• In addition to legal and procedural inhibitions on the use of digital evidence in criminal trials, the use of such evidence is subject to best practices of forensics evidence analysis. As a special subset of professional criminal forensics, these standards also apply to computer forensics.

DESCRIBE four considerations that best practices dictate, which should be employed when recovering system forensics evidence.

• A general maxim of computer forensics analysis is that the best digital evidence is normally original or a "true copy" of the information in question. Digital evidence, by its nature, is based on hexadecimal expression of fixed- length data segments, which must be complete to fully express the underlying information.

IDENTIFY AND DESCRIBE three reasons why system forensics examiners would want to recover digital evidence from bit-level backups.

Answer 1

Four best practices for system forensics evidence recovery:

1. Proper identification:

It is important to properly identify and recognize the evidence sources and evidence. Looking at the documentation can be beneficial as well. It mainly depends on the evidence value and volatility.

2. Gathering:

Identification is the best way to know about the sources and gathering helps in collecting all the potential alternatives. One can use static or live acquisition. Live acquisition can sometimes be used for critical issues.

3. Integrity:

It is important to acquire data without actually compromising the data integrity. This can be achieved using imaging or other backup plans. Mostly hash values are used to perform encryption on the data and keep the original file intact.

4. Preservation:

Preservation of incidents and data evidence is also very important. It mainly depends on the way data was collected and possessed. Documentation at different stages can be really helpful.

Three reasons to recover evidence from bit-level backups:

• Bit-level backup recovery can be faster as compared to other systems.
• It is very easy to monitor minute changes and modifications.
• Their consumption of system resources is very less. This means that running processes are not affected at all.