Technology grows exponentially, and this is good for our society: we live better, we can easily keep in touch with each other wherever we are, and there will even be new job opportunities in roles that nobody knows today because they have yet to be invented. However, this growth is challenging, because there are increasingly more threats and we have to keep studying again and again to learn new things. Therefore, this time I'm going to write about computer forensics, a new field I'm studying these days. It is unknown to many IT engineers, but it is very important when we have to analyse an attack.
The forensic process has four phases: collection, examination, analysis and reporting. In the first phase, collection, the data related to a specific event is identified, labelled, recorded and collected while its integrity is preserved. In the second phase, examination, forensic tools and techniques are applied to identify and extract the relevant information from the collected data. In the third phase, analysis, the results of the examination are analysed to obtain useful information that answers the questions of the case. In the last phase, reporting, the results of the analysis are reported, which may include describing the actions performed, determining what other actions need to be done, etc.
The investigator's role is very important in forensics because if the investigator does something wrong with digital evidence, it can be modified or destroyed, and then the evidence would be useless. This is why there are usually two roles in an investigation (the terms come from ISO/IEC 27037). One role, the Digital Evidence First Responder (DEFR), is responsible for the identification, gathering, acquisition and preservation of the digital evidence; the other, the Digital Evidence Specialist (DES), helps the DEFR with the expertise needed to analyse specific kinds of evidence.
Investigators should work in a laboratory where they can store evidence securely, because the integrity and security of the evidence are very important. In addition, investigators should have all kinds of operating systems and many hardware and software tools, such as hardware write blockers for acquisition, password recovery software, forensic analysis suites, virtualization software, project management software, antivirus, etc.
(Image: Forensic Analysis Suites)
Investigators must also maintain the chain of custody, the process by which evidence is handled without any modification, so that the integrity, authenticity, traceability, preservation and location of the digital evidence can be demonstrated at any time. The chain of custody is built on documentation (who handled each item, when, where and why) and on hashing: a cryptographic hash of each evidence item is computed at acquisition and recomputed every time the item is handled, so any change shows up as a different digest. Use a collision-resistant algorithm such as SHA-256; MD5 and SHA-1 are still widely reported alongside it, but they should never be the only digest, because collisions can be constructed for both.
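As an added example (not code from the original post, and not any forensic suite's own implementation), the script below shows the hashing half of the chain of custody described above, and the "collection" phase of the process: an evidence file is hashed in chunks at acquisition, every handling event is written to an append-only log in which each entry carries the hash of the previous one, and a later handler re-hashes the item and compares it with the acquisition digest. The case number, the handler names and the "evidence image" are all constructed for the demo; a real image would be acquired through a write blocker, not written by the script.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample "evidence" for the demo. In a real case this would be
# a disk or memory image acquired from the device, never data we make up.
SAMPLE_EVIDENCE = b"constructed sample evidence: not a real disk image\n"
CHUNK = 1 << 20  # read images in 1 MiB chunks so large files fit in memory


def hash_file(path, algorithms=("sha256", "md5")):
    """Return {algorithm: hexdigest} for the file at `path`.

    SHA-256 is the digest that actually proves integrity; MD5 is included
    only because many reports still list it, and it is computed with
    usedforsecurity=False so the call also works on FIPS-restricted hosts.
    """
    hashers = {name: hashlib.new(name, usedforsecurity=False) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


class ChainOfCustody:
    """Append-only custody log for one evidence item.

    Every entry records who did what and when, the digests of the item at
    that moment, and the SHA-256 of the previous entry, so that editing or
    removing an earlier entry breaks the chain and is detected by verify_log().
    """

    def __init__(self, item_id, description):
        self.item_id = item_id          # e.g. a hypothetical "CASE-0001/ITEM-01"
        self.description = description
        self.entries = []

    def record(self, action, handler, digests, note="", when=None):
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "item_id": self.item_id,
            "seq": len(self.entries),
            "timestamp": when,
            "action": action,
            "handler": handler,
            "digests": digests,
            "note": note,
            "prev_entry_hash": prev,
        }
        # Canonical JSON (sorted keys) so the hash does not depend on dict order.
        canonical = json.dumps(entry, sort_keys=True).encode()
        entry["entry_hash"] = hashlib.sha256(canonical).hexdigest()
        self.entries.append(entry)
        return entry

    def verify_log(self):
        """Recompute every entry hash and check that the back-links are intact."""
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["prev_entry_hash"] != prev:
                return False
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if digest != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def verify_evidence(path, log):
    """The digests taken at acquisition (entry 0) are the reference: the
    item is intact only if hashing it again gives exactly the same values."""
    reference = log.entries[0]["digests"]
    return hash_file(path, tuple(reference)) == reference


def demo(tamper=False):
    """Acquire a constructed image, log it, optionally tamper with it, and
    have a second handler verify it. Returns (intact, log)."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "evidence.img")
        with open(image, "wb") as fh:
            fh.write(SAMPLE_EVIDENCE)
        log = ChainOfCustody("CASE-0001/ITEM-01", "constructed sample image")
        # Hypothetical handler names; the DEFR acquires, the DES analyses.
        log.record("acquired", "DEFR A. Example", hash_file(image), note="write blocker used")
        if tamper:
            with open(image, "ab") as fh:   # simulate a modified image
                fh.write(b"x")
        intact = verify_evidence(image, log)
        log.record("verified" if intact else "INTEGRITY FAILURE",
                   "DES B. Example", hash_file(image))
        return intact, log


if __name__ == "__main__":
    for tamper in (False, True):
        intact, log = demo(tamper)
        print(f"tampered={tamper} intact={intact} log_ok={log.verify_log()}")
        print(json.dumps(log.entries, indent=2))
```

Note that the log only proves that the entries have not been altered since they were written; it does not prove who wrote them. In practice the log is signed or stored on a system the handlers cannot modify, and the digests are also written on the physical evidence label, so the electronic and paper records can be checked against each other.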
Finally, it's important to highlight that anyone can act as an investigator and perform forensic activities, because no certification is required, although it helps. What is really mandatory is to always tell the truth and to be unbiased, so that the technical aspects that are difficult to understand in a court of law are presented clearly and understandably to the judge.
Regards my friends, extend your knowledge, keep studying!!