First of all, the forensic investigator should prepare a basic investigation plan. As the forensic investigator, I have already acquired the evidence of the supposedly kidnapped victim, Amy Capri, from her parents. I would also try to prepare the investigation stage by asking the parents for her passwords (if she has set any) to gain access to her notebook and to any notable folders that have been encrypted. The second most important thing to do is to obtain and complete an evidence form and to establish a chain of custody. The main purpose of completing this evidence form is to document what has been done to the original evidence and its forensic copies, and to keep a log of everyone who accesses the evidence. Evidence forms are categorized into two types: single-evidence forms and multi-evidence forms. The difference between the two is that the single-evidence form is used for just one piece of evidence, while the multi-evidence form covers up to 10 evidence items. After the required evidence form has been filled in, the next step is to secure the evidence, which in this case is the notebook.
We must first take the necessary precautions to prevent the data from being accidentally destroyed. Taking heat into consideration, I should never let the evidence lie in a hot car, as severe heat such as sunlight warps hard drives and makes the data evidence unreadable. The next factor to note is static electricity: vehicle carpets and low humidity generate static electricity, which results in unwanted damage to any electrical evidence, so rubber mats should be used instead. Momentum also plays a part in securing and transporting evidence safely. As all moving transport has brakes, we shouldn't brake excessively: the contents of the notebook have momentum, and by braking unnecessarily, without proper evidence storage equipment, data evidence may be compromised. Lastly, I must be sure that nothing in my vehicle that generates energy, either magnetically or by radio waves, has the potential to damage computer devices.
To prevent all the evidence-destroying environmental hazards stated above, I must use an approved secure evidence bag to store the notebook, then store the bag in a secure container. For the evidence bag, I will use a computer-safe (antistatic) bag, and for the container that holds the evidence bag, I would use a well-padded container to cushion the evidence from being thrown about roughly during transit. When the evidence bag is stored in the secure container, a typical investigator will use evidence tape to seal all the openings. Next, I will write my initials on the tape to prove that the evidence has not been tampered with.
Once the evidence has safely reached the designated forensic lab, first and foremost a forensic workstation should be prepared. An example of a forensic workstation is FRED (Forensic Recovery of Evidence Device), as it has many pre-loaded forensic software and hardware tools suited to forensic investigation. We next retrieve the evidence bag from the secure container and make a forensic copy of the evidence using bit-stream transfer. The difference between a bit-stream transfer and a simple backup copy is that backup software only copies known files; it cannot copy deleted files or e-mail messages, or recover file fragments from the hard drive. A bit-stream copy, by contrast, makes an exact copy of the entire hard drive. So as not to alter the original evidence, a forensic boot floppy disk and write-blocker devices will be used to prevent data from being written to the hard disk. After a forensic copy has been made, the evidence will be securely returned to its container. Lastly, the copied evidence will be processed using computer forensic tools.
Hardware resources needed to analyse a notebook
Regarding the hardware resources needed to analyse the notebook, I would use the initial-response field kit, as it has all the bare necessities for a forensic investigation. Inside the kit is a small computer toolkit used to take the notebook apart to analyse its physical structure. A large-capacity external hard disk is recommended, as it is used to store all critical data and evidence found at the crime scene. The cables I will use for data transfer would be the IDE ribbon cable (ATA-33 or ATA-100), the SATA cable and FireWire. I would also need a digital 35mm camera with film and flash to capture images of the crime scene and to take shots of the notebook and other evidence from different angles. For storage and sealing I would bring along computer evidence bags, which are antistatic, to protect the evidence from any unwanted static electricity. Evidence labels, tape, tags and a permanent marker would also be brought along to seal the evidence and mark it with my initials for data integrity. Evidence log forms would also be brought along to establish a chain of custody. As for my laptop, I would need one with forensic software, an adapter for charging and an extra battery (fully charged) for emergencies. For recording and logging purposes, a dictation recorder would be used to keep track of my progress throughout the forensic investigation. This recording can also be used as evidence in court to state the various findings I discover while doing my investigation.
Architectural hardware differences between a notebook and a desktop computer
The architectural hardware differences between a notebook and a desktop computer lie in mobility, performance, structure and the ability to operate in emergencies. The laptop is a mobile personal computer possessing most if not all of what a desktop computer possesses, while the desktop computer comes in separate parts such as speakers, monitor and the CPU. In terms of performance, the desktop computer surpasses the laptop (though this is no longer the case, as the laptop can now be closely compared). In the case of a fire or blackout, the desktop computer would have a high probability of being destroyed due to the weight of the CPU, while the laptop can run on battery power instead and, being light, can be swiftly carried to safety unharmed. Lastly, the desktop and laptop are built differently: the desktop hardware is housed in a CPU casing, whereas the laptop hardware is all combined and compacted inside its shell. If dismantling is required for a forensic investigation, the laptop would take a long time to examine.
Tools or equipment that might be needed to perform a forensic image acquisition
As for the tools needed to perform a forensic image acquisition, the laptop would need a different set of ATA ribbon connectors, as its IDE hard drive uses fewer pins than the typical 40-pin ribbon connector. Most laptops do not allow the use of more than one hard disk at any given time, and they also do not allow the use of a CD-ROM and a floppy disk at the same time. The laptop also does not come with a built-in floppy drive, so we cannot use a bootable floppy disk to boot the notebook; instead we need to use a bootable CD-ROM to make a bit-stream copy of the target's hard drive, whereas the desktop can boot from the floppy drive and work together with a CD-ROM.
Tools needed to create the image based on the scenario
Based on the scenario given, I am going to use only one tool to create the image and will follow strict guidelines. I would have to ensure that this forensic tool can make bit-stream copies or images of a chosen partition, that it will not alter the original evidence disk, that it can verify the integrity of the disk image file, that it can log salient details, and that it behaves as its accompanying documentation says. The tool I will be using is HELIX 2.0, the reason being that HELIX 2.0 is forensic software that can run both as a Windows application and as a standalone bootable disc in Linux, on the named kinds of operating systems. HELIX includes well-known forensic software such as FTK Imager, Adepto, AIR 1.2.5, Netcat and many more. HELIX 2.0 is also freeware and is used by many forensic investigators.
Additional evidence or clues
In looking out for additional evidence, the first things I would look for are data storage devices or books, such as MP3 players, USB thumb drives, external hard drives, CD-ROMs (CD-R, CD-RW, DVD), floppy disks, mobile devices (hand phones, PDAs, BlackBerry), cameras, recorders, camcorders, diaries, photo albums, folders, booklets and magazines. Finding these would be a tedious job, so I would first ask the parents about any known hiding spots in the house so that I can start my search from there. After doing a thorough search of her house, I would next proceed to her school and approach her teachers to ask about any change in her academic studies or attitude close to the time of her disappearance. Her friends would be next, as they would have been close to her in school or in any extra-curricular activities after school. I would ask them whether she had mentioned anything about going abroad or about anyone in particular, and about the local haunts they would visit.
Method used to preserve the integrity of the evidence
To preserve data integrity, I would use an MD5 hash. Hashing is considered important in the forensic field as it confirms that a particular file, folder or partition has not been modified in any way; if it has been, the MD5 hash will be different. It is safe to say this of using MD5 to preserve data integrity, as the chance of a modified file having the same hash as the original file or another file is one in a billion. Therefore hashing is a very important component of data preservation.
Bad extensions and why it is important to fix them
Bad file extensions may be directly or indirectly due to the hex values in a file or image. Normally it is the first 10 bytes of the file header that have been changed, so by changing them to the correct values, I will be able to return the file to its original state. Most of the time, files that have bad extensions have hidden messages or images in them that are not visible until further probing, so by knowing how to revert the bad extension, I will be able to find more clues that lead me closer to closing the case.
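The hash-and-verify step described above, as an added example that is not part of the original essay: it copies a source to an image byte for byte while hashing it, then re-hashes the image to detect a later change. SHA-256 is computed alongside the page's MD5 as an addition, and the file names and stand-in "disk" are constructed; a real acquisition would read from a write-blocked device.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so a large disk never sits in memory
ALGORITHMS = ("md5", "sha256")  # MD5 as on the page; SHA-256 added here


def hash_stream(src, dst=None):
    """Hash everything read from src; if dst is given, copy each block to it."""
    digests = {name: hashlib.new(name) for name in ALGORITHMS}
    for block in iter(lambda: src.read(CHUNK), b""):
        if dst is not None:
            dst.write(block)
        for digest in digests.values():
            digest.update(block)
    return {name: digest.hexdigest() for name, digest in digests.items()}


def acquire(source, image):
    """Bit-for-bit copy of source into image; returns the digests to record."""
    with open(source, "rb") as src, open(image, "wb") as dst:
        return hash_stream(src, dst)


def verify(image, recorded):
    """True only if the image still hashes to every recorded digest."""
    with open(image, "rb") as fh:
        return hash_stream(fh) == recorded


def demo():
    """Constructed sample: image a stand-in 'disk', then alter one byte of the copy."""
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "source.bin")
        image = os.path.join(work, "image.dd")
        with open(source, "wb") as fh:
            fh.write(b"\x00" * 4096 + b"deleted file fragment" + b"\xff" * 4096)
        recorded = acquire(source, image)
        intact = verify(image, recorded)
        with open(image, "r+b") as fh:  # simulate a later modification
            fh.seek(100)
            fh.write(b"\x01")
        return intact, verify(image, recorded)


if __name__ == "__main__":
    print(demo())
```

The digests returned by `acquire` are what would be written on the evidence form, so that any later `verify` can be checked against the recorded values.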
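An added example (not from the original essay) of the header check described above: it compares each file's extension with the format its leading bytes indicate, flags a header that has been overwritten, and restores the first 10 bytes on a working copy. The file names and contents are constructed samples, and `repair_jfif` assumes the file really was a JFIF-type JPEG.

```python
import os

# Leading bytes ("magic numbers") of a few common formats and the extensions they imply.
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg", {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "png", {".png"}),
    (b"GIF87a", "gif", {".gif"}),
    (b"GIF89a", "gif", {".gif"}),
    (b"%PDF-", "pdf", {".pdf"}),
    (b"PK\x03\x04", "zip", {".zip", ".docx", ".xlsx"}),
]
JFIF_HEADER = bytes.fromhex("ffd8ffe000104a464946")  # first 10 bytes of a JFIF JPEG


def classify(name, data):
    """Compare a file's extension with the format its leading bytes indicate."""
    ext = os.path.splitext(name)[1].lower()
    for magic, kind, extensions in SIGNATURES:
        if data.startswith(magic):
            return ("ok" if ext in extensions else "extension-mismatch", kind)
    # No known signature: suspicious if the extension claims a format we know.
    claimed = any(ext in extensions for _, _, extensions in SIGNATURES)
    return ("header-altered" if claimed else "unknown", None)


def repair_jfif(data):
    """Return a working copy with the first 10 bytes set to the JFIF header."""
    return JFIF_HEADER + data[len(JFIF_HEADER):]


# Constructed sample inputs: (file name, leading bytes of content).
SAMPLES = [
    ("holiday.jpg", JFIF_HEADER + b"\x00\x01rest-of-image"),
    ("notes.txt", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
    ("recover1.jpg", b"zFzF\x00\x10zFzF" + b"\x00\x01rest-of-image"),
]


def scan(samples):
    """Classify every (name, data) pair and return {name: verdict}."""
    return {name: classify(name, data) for name, data in samples}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(name, verdict)
    fixed = repair_jfif(SAMPLES[2][1])
    print("after repair:", classify("recover1.jpg", fixed))
```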