Author Topic: What is Computer Forensics?  (Read 1360 times)


sithari
« on: August 10, 2006, 02:26:57 PM »
What is Computer Forensics?

From Wikipedia, the free encyclopedia

Computer forensics is the analysis of data processing equipment-- typically a home computer, laptop, server, or office workstation-- to determine if the equipment has been used for illegal, unauthorized, or unusual activities. It can also include monitoring a network for the same purpose.

Understand the Suspects

It is absolutely vital for the forensics team to have a solid understanding of the level of sophistication of the suspect(s). If insufficient information is available to form this opinion, the suspects must be considered to be experts, and should be presumed to have installed countermeasures against forensic techniques. Because of this, it is critical that, to the equipment, you appear as indistinguishable as possible from its normal users until you have shut it down completely, either in a manner which provably prohibits the machine from modifying the drives, or in exactly the same way they would.

If the equipment contains only a small amount of critical data on the hard drive, for example, software exists to wipe it permanently and quickly if a given action happens. It is straightforward to link this to the Windows "Shutdown" command, for example. However, simply "pulling the plug" isn't always a great idea, either-- information stored solely in RAM, or on special peripherals, may be permanently lost. Losing an encryption key stored solely in RAM, and possibly unknown even to the suspects themselves by virtue of having been automatically generated, may render a great deal of data on the hard drive(s) unusable, or at least extremely expensive and time-consuming to recover.

Secure the Machine and the Data

Unless completely unavoidable, data should never be analyzed using the same machine it is collected from. Instead, forensically sound copies of all data storage devices, primarily hard drives, must be made.
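The "forensically sound copy" the post ends on is, in practice, a bit-for-bit image whose integrity is proven by hashing. The script below is an added example written for this page; it is not from the post or from the Wikipedia article, and the log layout, function names and the sample "device" (a constructed 32 KiB file that stands in for a drive, so the script runs without root or real hardware) are all assumptions. It uses only `dd` and `sha256sum`/`shasum`, which exist on any Linux or BSD system: the source is hashed before and after acquisition, the image is hashed, the three values must agree, the master image is made read-only, and a later `verify` call detects an image that was altered or analysed in place.

```shell
#!/bin/sh
# Added example (not from the original post): acquire a bit-for-bit image of a
# storage device with dd, hash the source before and after acquisition, hash the
# image, and record everything in a custody log. A constructed sample file stands
# in for the drive so the script runs without root or real hardware.
set -eu

# Portable SHA-256 (sha256sum on Linux, shasum on BSD/macOS).
sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# acquire SRC IMG: copy SRC to IMG, then insist that source-before, source-after
# and image hashes all agree. Writes IMG.log (assumed layout) and makes IMG
# read-only. Returns non-zero on any mismatch, so the caller never analyses an
# unverified image.
acquire() {
  src=$1; img=$2; log="$2.log"
  pre=$(sha256 "$src")
  # noerror,sync: keep going past unreadable sectors and zero-fill them so every
  # later offset in the image still matches the device. Only sound for sources
  # whose size is a multiple of bs (true for real devices); a regular file with
  # an odd tail would be padded and its hash would no longer match the source.
  dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>/dev/null
  post=$(sha256 "$src")
  imghash=$(sha256 "$img")
  {
    echo "acquired: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    echo "source:   $src"
    echo "image:    $img"
    echo "sha256 source before: $pre"
    echo "sha256 source after:  $post"
    echo "sha256 image:         $imghash"
  } > "$log"
  chmod 444 "$img"   # the master image is never analysed or written; work on a copy
  [ "$pre" = "$post" ] && [ "$pre" = "$imghash" ]
}

# verify IMG: recompute the image hash and compare it with the value recorded at
# acquisition. Fails if the image was altered (or analysed in place) afterwards.
verify() {
  img=$1; log="$1.log"
  recorded=$(awk '/^sha256 image:/ {print $3}' "$log")
  [ "$(sha256 "$img")" = "$recorded" ]
}

# Constructed sample "device": 8 x 4096-byte zero blocks with a marker string at
# offset 0, deterministic so the hashes are reproducible between runs.
make_sample() {
  dd if=/dev/zero of="$1" bs=4096 count=8 2>/dev/null
  printf 'EXHIBIT-01 sample filesystem' | dd of="$1" conv=notrunc 2>/dev/null
}

# Usage: make_sample /tmp/disk0 && acquire /tmp/disk0 /tmp/disk0.dd && verify /tmp/disk0.dd
```

On a real device the source argument would be the block device (for example `/dev/sdb`) behind a hardware write blocker, and a tool such as `dcfldd` or `ewfacquire` would be used to hash while copying rather than in a separate pass; the three-way comparison and the read-only master image are the part that carries over unchanged.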