How to implement basic forensic procedures
This article covers the implementation of basic forensic procedures for network security. Forensic science, commonly called forensics, is the application of science to matters of interest to the legal profession. It is not restricted to the inspection of murder scenes; it applies to any crime scene, and wherever a crime is committed the investigator can turn to forensics. This article discusses the application of forensics to technology. Computers are central to communication and to the tracking and recording of information, which makes them targets for crimes such as deliberate data tampering, deletion of data and various kinds of technical fraud. Computer forensics uses technology to seek out computer evidence of such crimes and attempts to retrieve information that has been erased or altered in order to track down the attacker. With this background in place, the rest of the article walks through a step-by-step process for implementing forensics in an investigation.
Order of volatility
Capturing the volatile data is the first job of the forensic team. Volatile data lives in registers, caches, peripheral memory, random access memory (RAM), network state and running processes: places that are not static and can be erased or overwritten at any time. Because of its short "shelf life", this data is difficult to capture. Given the risk of losing or corrupting it, a particular order of volatility is maintained so that the most fragile data is secured first. Otherwise data loss may occur, and that loss may collapse the entire investigation. The order is: registers, cache and peripheral memory first; random access memory (RAM) second; network state third; and running processes last. Following this sequence while handling the volatile elements of a computer system ensures that no data is lost while those elements are being investigated.
Capture system image
Images that preserve the evidence help to prove what actually happened, so the next task of the computer forensic team is to capture the system image. For this a mirror image backup programme is used. A mirror image backup is more accurate than a normal copy because it replicates every sector of the hard drive, including hidden data storage areas. The accuracy of mirror image backup programmes is guaranteed by hashing algorithms. The programme creates a snapshot of the current system based on the content of the drive and stores it in the software memory box. This helps to prove that the evidence retrieved is real and not planted: it justifies the evidence by showing that it was not fabricated but picked up from the incident itself. One has to be properly trained to run this programme in a controlled fashion so that the authenticity of the evidence is maintained. Mirror image backups are performed using handheld devices, some of which use the Global Positioning System (GPS) to identify the spot of data capture.
Network traffic and logs
Most of the time, a surge in data traffic marks the moment when an intruder enters the system to steal or leak data. Hackers intentionally create virtual network modes and launch their intrusion from within them, which lets them enter the system and leak, wipe or delete data. Often the IP addresses involved are identical, or most of the traffic comes from a few IP addresses, which is where data monitoring becomes necessary. Monitoring the network traffic and the logs of the system's users is therefore the next step for the forensic team. Using suitable software, the team can retrieve the usage history of the system to collect evidence of the crime. The software records which applications are running and monitors network bandwidth to check for intruders and unauthorized transfers of data. One of the commonly used tools, a hardware or software firewall, keeps a log of the port usage of the computers in the system and filters that usage.
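As an added example (not part of the original article), the following Python script implements the kind of log review described above: it parses constructed firewall log lines, summarizes traffic per source IP and flags sources that dominate the connection count, move an unusually large volume of data or were denied. The log format and the thresholds are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from a real system).
SAMPLE_LOG = """\
2024-05-01T02:14:07Z ALLOW src=203.0.113.7 dst=10.0.0.5 dport=443 bytes=1480
2024-05-01T02:14:09Z ALLOW src=203.0.113.7 dst=10.0.0.5 dport=443 bytes=987000
2024-05-01T02:14:11Z ALLOW src=198.51.100.23 dst=10.0.0.5 dport=443 bytes=2200
2024-05-01T02:14:12Z DENY  src=203.0.113.7 dst=10.0.0.9 dport=22 bytes=0
2024-05-01T02:14:15Z ALLOW src=203.0.113.7 dst=10.0.0.5 dport=443 bytes=1203000
2024-05-01T02:14:20Z ALLOW src=192.0.2.44 dst=10.0.0.5 dport=80 bytes=512
"""

# Assumed line format: "<timestamp> <ALLOW|DENY> src=<ip> dst=<ip> dport=<port> bytes=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+src=(?P<src>[\d.]+)\s+"
    r"dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)\s+bytes=(?P<bytes>\d+)$"
)

def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["dport"], e["bytes"] = int(e["dport"]), int(e["bytes"])
            events.append(e)
    return events

def summarize_by_source(events):
    """Per source IP: connection count, total bytes, distinct destination ports, denied attempts."""
    stats = defaultdict(lambda: {"conns": 0, "bytes": 0, "ports": set(), "denied": 0})
    for e in events:
        s = stats[e["src"]]
        s["conns"] += 1
        s["bytes"] += e["bytes"]
        s["ports"].add(e["dport"])
        if e["action"] == "DENY":
            s["denied"] += 1
    return dict(stats)

def flag_sources(stats, byte_threshold=1_000_000, min_share=0.5):
    """Flag sources that transferred more than byte_threshold bytes, account for at
    least min_share of all connections, or had a denied attempt (assumed thresholds)."""
    total = sum(s["conns"] for s in stats.values()) or 1
    return sorted(src for src, s in stats.items()
                  if s["bytes"] > byte_threshold
                  or s["conns"] / total >= min_share
                  or s["denied"] > 0)
```

The flagged sources are the starting point for the review of user logs and port usage that the section describes, not a verdict on their own.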
CCTV cameras are now installed everywhere to capture video footage, and that footage is of great help in investigations, especially forensic ones. Every facility in the networking industry has the ability to monitor its employees and operations by capturing video. The forensic team analyses and scrutinizes this footage to identify discrepancies, which helps them recognize anomalous actions and operations before, during and after the commission of the crime. Video stills can greatly improve the investigation, since they provide standalone proof or generate a clue that helps the forensic team reach its results.
Record time offset
Recordings are another source of clues and can even point the investigators in the right direction. Such recordings are often deleted or lost, but keeping them stored at a remote location can prove helpful on occasion. The next step is to check the audio bytes of the evidence collected from the video footage. To do this the team applies record time offset applications to the audio bytes; plenty of software exists in the sector for this purpose. The record time offset authenticates and validates the legitimacy of the evidence.
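As an added illustration that is not part of the original article, this Python snippet records a time offset between a recording device's clock and a trusted reference clock, then uses that offset to place the device's events on the same timeline as evidence that is already in reference time. The DVR reading, the reference reading and the events are constructed values.

```python
from datetime import datetime, timezone

UTC = timezone.utc

def compute_offset(device_clock, reference_clock):
    """Record time offset = device clock minus a trusted reference clock, both read at
    the same instant. Positive means the device runs ahead of real time."""
    return device_clock - reference_clock

def to_reference_time(device_timestamp, offset):
    """Convert a timestamp taken from the device's own clock into reference time."""
    return device_timestamp - offset

def offset_record(device_id, device_clock, reference_clock, examiner):
    """Case-note entry documenting how the offset was established (constructed fields)."""
    off = compute_offset(device_clock, reference_clock)
    return {"device": device_id, "device_reading": device_clock.isoformat(),
            "reference_reading": reference_clock.isoformat(),
            "offset_seconds": off.total_seconds(), "recorded_by": examiner}

def build_timeline(device_events, offset, other_events):
    """Merge device events (device clock) with events already in reference time,
    after correcting the device events by the recorded offset."""
    corrected = [(to_reference_time(ts, offset), "dvr", d) for ts, d in device_events]
    merged = corrected + [(ts, src, d) for ts, src, d in other_events]
    return sorted(merged, key=lambda e: e[0])

# Constructed values: the DVR clock read 03:10:00 while the NTP reference read 03:02:30,
# so the DVR runs 7 min 30 s fast.
DVR_READING = datetime(2024, 5, 1, 3, 10, 0, tzinfo=UTC)
NTP_READING = datetime(2024, 5, 1, 3, 2, 30, tzinfo=UTC)
DVR_OFFSET = compute_offset(DVR_READING, NTP_READING)

# Constructed events: one from the DVR (device clock), one from a firewall log (reference time).
DVR_EVENTS = [(datetime(2024, 5, 1, 3, 25, 0, tzinfo=UTC), "person enters server room")]
FIREWALL_EVENTS = [(datetime(2024, 5, 1, 3, 17, 45, tzinfo=UTC), "firewall",
                    "outbound transfer from 10.0.0.5 begins")]

def demo():
    """Uncorrected, the DVR event appears after the transfer; corrected, it precedes it."""
    return build_timeline(DVR_EVENTS, DVR_OFFSET, FIREWALL_EVENTS)
```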
Mapping the data is important because it makes the findings easy to reach and the search easy to perform. The first part of an investigation is the search, in which clues and evidence are found and tracked down. The second phase relates the search results and organizes them to trace the source of the incident; the source is then investigated and the clues arranged once more. After the clues are organized, what remains is to identify the motive of the culprit. The next step is to take hashes of the system and analyze them. A hash is a function that maps data of arbitrary size to data of a fixed size. By monitoring the hashes the team can break the evidence down to its atoms and pinpoint the cause and the actual source of the anomaly.
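As an added example serving both the system image section and the hashing step above (it is not the article's own procedure or any particular imaging product), this Python code performs a bit-for-bit copy of a source, hashes the bytes as they are read, re-hashes the written image and records both digests so the image can be verified later. The sample source is a constructed temporary file and the choice of SHA-256 is an assumption.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # stream in 1 MiB blocks so a large drive never has to fit in memory

def hash_file(path, algo="sha256"):
    """Stream a file through a hash and return its hex digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def image_source(source, image_path):
    """Copy every byte of source to image_path, hashing the stream as it is read.
    Returns the acquisition hash (digest of the bytes actually read from the source)."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    return h.hexdigest()

def acquire(source, image_path, examiner):
    """Image the source, re-hash the written image and return a verification record."""
    acquisition = image_source(source, image_path)
    image = hash_file(image_path)
    return {"source": source, "image": image_path, "examiner": examiner,
            "acquired_at": datetime.now(timezone.utc).isoformat(),
            "sha256_acquisition": acquisition, "sha256_image": image,
            "verified": acquisition == image}

def verify_image(image_path, expected_sha256):
    """Later check (before analysis, or in court) that the image is unchanged."""
    return hash_file(image_path) == expected_sha256

def demo():
    """Run against a constructed sample 'drive'; returns (record, ok_before, ok_after_tamper)."""
    with tempfile.TemporaryDirectory() as d:
        src, img = os.path.join(d, "drive.bin"), os.path.join(d, "drive.img")
        with open(src, "wb") as f:
            f.write(b"MBR\x00" * 4096 + b"hidden area" + bytes(range(256)) * 10)
        rec = acquire(src, img, "examiner (constructed)")
        ok_before = verify_image(img, rec["sha256_acquisition"])
        with open(img, "r+b") as f:   # simulate a single flipped byte in the image
            f.seek(100); f.write(b"\xff")
        ok_after = verify_image(img, rec["sha256_acquisition"])
        return rec, ok_before, ok_after
```

On a real drive the source would be a read-only block device; the hashing logic is the same.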
The team then analyzes screenshots of the system. Screenshots are bits of evidence from the crime scene that give a clear view of the exact order of the actions performed and the crimes executed.
The crucial part of an investigation is proving the case against the criminal. Even when all the proofs and evidence match and the motive is absolutely clear, everything can stall for lack of evidence. Gathering evidence is not so difficult; the problem is that evidence is what most often fails at the decisive moment. Next in line is to find witnesses to the crime, if any. The previous steps play a pivotal role here: the team can readily identify the witnesses and take account of what they experienced, bringing it another step closer in the pursuit of the attacker.
Track man hours and expense
This step applies software to track man hours and their cost. The software calculates the man hours available, the man hours needed and the expense involved. Calculating man hours keeps the entire investigation in line with its budget. Everything in today's market is cost sensitive, and managing that cost sensitivity needs proper planning, of which man hour calculation is the key element. Every extra person and every non-working hour adds cost, which is unwanted and should be curbed or at least tracked. Cost effectiveness is the area in which every small company sees its chance to grow or excel.
Chain of custody
A chain of custody must be started and maintained by the team as soon as the investigation begins. The chain of custody documents that the evidence was under strict control at all times and that no unauthorized person was permitted to access it, reducing the chances of the evidence being corrupted. It is the record of the whereabouts of the evidence at all times.
It details the serial numbers of the systems involved, who handled them and had custody of them, and for what span of time. The chain of custody plays a very important role in the legal authentication of the investigation. It is also a chain-wise identification of the heads to be inspected: unless they are scheduled one after another, it becomes very hard to reach the final results. So at the very outset the team must plan the chain, deciding who is to be interrogated or investigated after whom. That plan also depends on whether the data obtained from one source will help to obtain the data from the next, which is what finalizes the chain.
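As an added example (not from the original article), this Python code keeps a chain of custody as a hash-linked, append-only log: each entry records the custodian, time, location and the evidence item's own digest, and commits to the previous entry, so later alteration of any entry is detectable and each custodian's span of time can be computed. The evidence identifier, custodians, timestamps and digest are constructed values.

```python
import hashlib
import json
from datetime import datetime

GENESIS = "0" * 64  # previous-hash value of the first entry

def _entry_hash(entry):
    """Hash of an entry's fields (excluding its own hash), canonically serialized."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def add_entry(chain, timestamp, event, custodian, evidence_id, evidence_sha256, location):
    """Append a custody event. Each entry commits to the previous entry's hash, so
    altering or deleting an earlier entry breaks every hash that follows it."""
    entry = {"seq": len(chain), "timestamp": timestamp, "event": event,
             "custodian": custodian, "evidence_id": evidence_id,
             "evidence_sha256": evidence_sha256, "location": location,
             "prev_hash": chain[-1]["entry_hash"] if chain else GENESIS}
    entry["entry_hash"] = _entry_hash(entry)
    chain.append(entry)
    return entry

def verify_chain(chain):
    """Return (True, len(chain)) if intact, else (False, index of the first bad entry)."""
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["seq"] != i or e["prev_hash"] != prev or _entry_hash(e) != e["entry_hash"]:
            return False, i
        if e["evidence_sha256"] != chain[0]["evidence_sha256"]:
            return False, i   # the item's digest must never change while in custody
        prev = e["entry_hash"]
    return True, len(chain)

def custody_spans(chain, now):
    """Seconds each custodian held the evidence; the last holder's span runs until 'now'."""
    spans = {}
    times = [datetime.fromisoformat(e["timestamp"]) for e in chain] + [datetime.fromisoformat(now)]
    for i, e in enumerate(chain):
        spans[e["custodian"]] = spans.get(e["custodian"], 0) + (times[i + 1] - times[i]).total_seconds()
    return spans

def demo():
    """Constructed custody history for one disk image (placeholder digest)."""
    chain, sha = [], "a" * 64
    add_entry(chain, "2024-05-01T04:00:00", "collected", "A. Examiner", "HDD-0001", sha, "server room")
    add_entry(chain, "2024-05-01T06:30:00", "transferred", "B. Courier", "HDD-0001", sha, "transport case")
    add_entry(chain, "2024-05-01T08:00:00", "received", "C. Lab", "HDD-0001", sha, "evidence locker 3")
    return chain
```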
Big Data analysis
Big data analysis is the process of accumulating, categorizing and analyzing large sets of data, or big data. It helps to discover patterns, matrices, designs and other functional information about the data. This is the last procedure to be followed by the computer forensic team.
To conclude this discussion, it can be said that if the basic forensic procedures are implemented in an orderly and efficient manner, the security and stability of the network can be assured. One must be aware of the basic strategy and the applicability of the security and investigation measures. For the best investigative results, one needs to learn and adopt forensic knowledge in telecommunication; with a thorough grasp of it, the entire investigation can be charted out easily to reach the solution or final result.
Hence, forensic procedures can teach one many things: how to detect the culprit when an internet crime is committed, how traces can be followed, and so on. They also provide guidelines that show how important it is not to leave oneself open to attacks, since they are not easy to get rid of, and they show how one can avoid some attacks and what could have been done in defence.