
Outline

Fundamentals of Computer Forensics by Jim Bates, published Feb 1997, International Journal of Forensic Computing. “…This article presents an introduction to some of the more general ideas and practices which defined my concept of computer forensics.” Jim Bates.


Presentation Transcript


  1. Fundamentals of Computer Forensics by Jim Bates, published Feb 1997, International Journal of Forensic Computing “…This article presents an introduction to some of the more general ideas and practices which defined my concept of computer forensics.” Jim Bates

  2. Outline • Terms Definition • Computer Specific Considerations • Storage Specific Considerations • Forensic Considerations • Considerations for the Courts • Two Forensic Data Collection Systems • Conclusion • Questions

  3. Terms Definition • Forensic: “of or used in courts of law” (Concise Oxford Dictionary). • Computer: any electronic device which is capable of processing and/or storing information.

  4. Computer Specific Considerations • Media independence - the content of the information is independent: • Of the way the information is stored. • Of the information storage. Thus the information can be altered without trace. • This fact leads to much concern when considering the forensic implications of electronically stored information. • “…It is a fact that when such information is copied, there is no way to distinguish which is the original and which is the copy without reference to additional external information.” [Jim Bates] This has both advantages and disadvantages when considered from a forensic point of view.

  5. Storage Specific Considerations • Temporary storage. • The information relies upon an external power source for its maintenance and will be lost at once if the power source is removed, e.g. RAM chips. • Volatile storage. • The information relies upon an internal power source, and will be lost if the power source is removed, e.g. CMOS.

  6. Storage Specific Considerations • Semi-permanent storage. • The information, once stored, is independent of a power source for its continued maintenance. It may be changed under the appropriate operating conditions. This is where most forensic interest will be centered, since most processing data is stored on it, e.g. floppy disk, hard disk. • Permanent storage. • The information, once stored, is unchangeable by normal processing hardware, e.g. ROM chips.

  7. Forensic Considerations • The forensic analysis process falls into three distinct areas: • Collection. • Examination. • Evaluation. • These must be undertaken in this order, with examination and evaluation taking place upon the collected copy (i.e. the forensically sound copy) rather than on the original data. • Forensically sound copy – “…a copy of computer stored information containing as an absolute minimum the full operating arena of information stored in all active semi-permanent storage.” Jim Bates.

  8. Considerations for the Courts • The forensic investigation is required to maintain: • The absolute integrity of the evidence under examination. • Evidential continuity. • “…it is not the content that needs protection but its integrity. This protection takes two forms:” Jim Bates. • A secure method of determining that the copy is genuinely taken from the computer in question. • A secure method of determining that the copy has not been tampered with since the copy was taken.

  9. Two Forensic Data Collection Systems • DIBS. • Procedure. • Drawback. • The secured evidence may be tampered with. • Time-consuming and expensive to make two copies. • DIVA (the Digital Integrity Verification and Authentication protocol). • An alternative approach.

  10. Conclusion • The purpose of forensic investigation is to present the observations and conclusions in court.

  11. Questions? • Do you think it is very difficult for a suspect to bypass the two forensic data collection systems? • How could they be bypassed?
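
One way to check the second protection on slide 8 (that the copy has not been tampered with since it was taken), as an added example that is not from the presentation and is neither the DIBS nor the DIVA procedure. It assumes SHA-256 block hashes sealed with an HMAC key held by an independent custodian; `acquire`, `verify`, the device label and all sample data are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import io
import json

BLOCK = 4096  # block size chosen for this example

def _seal(manifest, key):
    # Canonical JSON so the same manifest always produces the same MAC.
    data = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def acquire(source, dest, key, device_label):
    """Copy source to dest, hashing the bytes as they are read from the source."""
    whole, blocks, size = hashlib.sha256(), [], 0
    while chunk := source.read(BLOCK):
        dest.write(chunk)
        whole.update(chunk)
        blocks.append(hashlib.sha256(chunk).hexdigest())
        size += len(chunk)
    manifest = {"device": device_label, "size": size,
                "sha256": whole.hexdigest(), "blocks": blocks}
    return manifest, _seal(manifest, key)

def verify(copy, manifest, seal, key):
    """Return (status, bad_block_indexes) for a copy checked against its manifest."""
    if not hmac.compare_digest(seal, _seal(manifest, key)):
        return "manifest-altered", []
    bad, index, size = [], 0, 0
    while chunk := copy.read(BLOCK):
        known = manifest["blocks"]
        expected = known[index] if index < len(known) else None
        if hashlib.sha256(chunk).hexdigest() != expected:
            bad.append(index)
        size += len(chunk)
        index += 1
    if size != manifest["size"]:
        return "size-mismatch", bad
    return ("tampered", bad) if bad else ("intact", [])

def demo():
    key = b"constructed-demo-key"      # assumption: kept by an independent custodian
    disk = bytes(range(256)) * 40      # constructed 10240-byte "disk"
    image = io.BytesIO()
    manifest, seal = acquire(io.BytesIO(disk), image, key, "constructed-device-01")
    altered = bytearray(image.getvalue())
    altered[5000] ^= 0xFF              # one byte changed inside block 1
    return (verify(io.BytesIO(image.getvalue()), manifest, seal, key),
            verify(io.BytesIO(bytes(altered)), manifest, seal, key))
```

Per-block hashes let the examiner say which part of the copy changed, and the sealed manifest makes an edit to the recorded hashes themselves detectable by anyone holding the key.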
