Question

Based on the material from the "U.S. Department of Justice Forensic Examination of Digital Evidence: A Guide for Law Enforcement" document, explain some important parts of the computer forensic process.

Provide short and concise answers to the following questions:

What are some of the key considerations for an "on-site" examiner, also known as a "first responder"?

What are two attributes of a timestamp that could be located on a computer system? (List and explain.)

When documenting and reporting a computer forensic examination (investigation), what are some common notes that should be maintained? (List and explain.)

What are the four major steps to completing the processing of digital evidence?

Answer 1

The digital forensic approach is a recognized scientific and forensic approach utilized in digital forensics investigations.Forensics researcher Eoghan Casey defines it as a number of steps from the usual incident alert via to reporting of findings.The system is predominantly utilized in pc and cellular forensic investigations and contains three steps: acquisition, analysis and reporting.
Digital media seized for investigation is most of the time referred to as an "exhibit" in authorized terminology. Investigators employ the scientific process to recuperate digital evidence to help or disprove a hypothesis, either for a courtroom of legislation or in civil lawsuits.[2]
Personnel
The stages of the digital forensics system require distinct professional training and talents. There are two hard stages of personnel:[3]
Digital forensic technician
Technicians collect or procedure proof at crime scenes. These technicians are expert on the proper handling of technology (for instance easy methods to keep the proof). Technicians is also required to hold out "are living evaluation" of evidence. More than a few tools to simplify this system had been produced, most principally Microsoft's COFEE.
Digital evidence Examiners
Examiners specialize in one field of digital proof; either at a vast level (i.E. Laptop or network forensics and so on.) or as a sub-professional (i.E. Image analysis)
system units
There have been many makes an attempt to boost a method mannequin but thus far none had been universally permitted. Part of the reason for this can be considering that that a number of the system items had been designed for a detailed atmosphere, such as legislation enforcement, they usually hence could no longer be with no trouble applied in other environments equivalent to incident response. this is a list of the foremost items considering the fact that 2001 in chronological order:
The abstract Digital Forensic mannequin (Reith, et al., 2002)
The built-in Digital Investigative method (service & Spafford, 2003)
An elevated model of Cybercrime Investigations (Ciardhuain, 2004)
the enhanced Digital Investigation procedure model (Baryamureeba & Tushabe, 2004)[1]
The Digital Crime Scene evaluation mannequin (Rogers, 2004)
A Hierarchical, goals-situated Framework for the Digital Investigations process (Beebe & Clark, 2004)
Framework for a Digital Investigation (Kohn, et al., 2006)
The 4 Step Forensic procedure (Kent, et al., 2006)
FORZA - Digital forensics investigation framework (Ieong, 2006)
procedure Flows for Cyber Forensics coaching and Operations (Venter, 2006)
The normal method model (Freiling & Schwittay, (2007)
the 2-Dimensional evidence Reliability Amplification system mannequin (Khatir, et al., 2008)
The Digital Forensic Investigations Framework (Selamat, et al., 2008)
The Systematic Digital Forensic Investigation model (SRDFIM) (Agarwal, et al., 2011)[5]
The advanced data Acquisition mannequin (ADAM): A process mannequin for digital forensic follow (Adams, 2012)
Seizure
prior to the precise examination, digital media will likely be seized. In criminal instances this will in most cases be carried out via legislation enforcement personnel trained as technicians to be certain the upkeep of proof. In civil matters it will regularly be a enterprise officer, commonly untrained. Quite a lot of laws cover the seizure of material. In criminal issues, legislation regarding search warrants is relevant. In civil court cases, the idea is that a company is capable to investigate their possess gear with out a warrant, as long as the privateness and human rights of employees are preserved.

Once displays were seized, an unique sector level replica (or "forensic duplicate") of the media is created, customarily by way of a write blocking off gadget. The duplication procedure is known as Imaging or Acquisition.The replica is created utilizing a difficult-drive duplicator or software imaging tools corresponding to DCFLdd, Ditto Forensic FieldStation], IXimager, Guymager, TrueBack, EnCase, FTK Imager or FDAS. The usual force is then again to cozy storage to hinder tampering.
The obtained image is confirmed by utilizing the SHA-1 or MD5 hash services. At critical elements for the duration of the evaluation, the media is established again to ensure that the evidence continues to be in its common state. The method of verifying the snapshot with a hash operate is known as "hashing."
Given the issues related to imaging enormous drives, more than one networked desktops, file servers that are not able to be shut down and cloud assets new systems have been developed that combine digital forensic acquisition and ediscovery techniques.
Evaluation
After acquisition the contents of (the HDD) photo records are analysed to determine evidence that either helps or contradicts a hypothesis or for signs of tampering (to hide information).In 2002 the international Journal of Digital evidence referred to this stage as "an in-depth systematic search of proof related to the suspected crime".against this Brian carrier, in 2006, describes a more "intuitive process" wherein apparent evidence is first identified after which "exhaustive searches are carried out to filling in the holes"
in the course of the analysis an investigator traditionally recovers proof material utilizing a number of distinct methodologies (and instruments), as a rule commencing with restoration of deleted material. Examiners use professional instruments (EnCase, ILOOKIX, FTK, and so forth.) to help with viewing and recuperating knowledge. The style of information recovered varies relying on the investigation, but examples include electronic mail, chat logs, graphics, internet history or documents. The info may also be recovered from obtainable disk area, deleted (unallocated) space or from inside working method cache documents.
various forms of techniques are used to recover evidence, mainly involving some type of key phrase shopping within the bought snapshot file, both to establish fits to relevant phrases or to filter identified file types. Precise files (equivalent to photograph pix) have a designated set of bytes which identify the and end of a file. If recognized, a deleted file may also be reconstructed.[3] Many forensic tools use hash signatures to determine tremendous records or to exclude recognized (benign) records; bought knowledge is hashed and compared to pre-compiled lists such as the Reference knowledge Set (RDS) from the national application Reference Library
On most media forms, together with general magnetic difficult disks, as soon as information has been securely deleted it might never be recovered.
once evidence is recovered the know-how is analysed to reconstruct pursuits or actions and to arrive conclusions, work that may most likely be carried out via less specialized employees. Digital investigators, chiefly in crook investigations, have to make sure that conclusions are established upon information and their possess trained talents.In the united states, for illustration, Federal ideas of evidence state that a certified expert may just testify in the type of an opinion or otherwise provided that:
(1) the testimony is centered upon sufficient information or data, (2) the testimony is the product of nontoxic ideas and approaches, and (3) the witness has utilized the ideas and methods reliably to the data of the case

Reporting
When an investigation is completed the understanding is traditionally reported in a type suitable for non-technical members. Experiences may additionally comprise audit knowledge and different meta-documentation.
When accomplished, reviews are mostly handed to those commissioning the investigation, reminiscent of law enforcement (for crook cases) or the employing organization (in civil cases), who will then make a decision whether to use the proof in court docket. More commonly, for a criminal court docket, the file bundle will encompass a written educated conclusion of the evidence as well as the evidence itself (on the whole offered on digital media)