A forensic investigation helps an organisation collect and analyse data as evidence. Because data collected during a forensic investigation may be presented as proof in court, it must be stored securely and protected from modification.
What do you mean by forensic investigation?
Forensic investigation means analysing data from a computer and collecting it as proof when an incident happens. This is an ever-growing domain, and many institutes now offer a specialised degree in this particular area.
There are mainly three steps in a forensic investigation:
1. Collecting the data
2. Analysing the data
3. Preventing modification
Forensic investigators follow a defined forensic procedure to collect the data, and their primary task is to protect that data from modification so that it can be presented as evidence in court.
Now I will explain how to perform a forensic investigation:
Step 1: Collect the data
Forensic investigators have specialised tools for collecting and examining data. For example, a memory dump taken from a running system can be analysed with The Volatility Framework to recover running processes, open network connections and other artefacts that exist only in RAM, while a disk image yields files such as pictures, email and messages. Data is collected in a specified format, following the order of volatility concept: collect the most volatile data first and the least volatile last, because the most volatile data disappears as soon as the machine is powered off. Generally, the sequence is CPU registers and cache memory, RAM, the swap or paging file, hard drive data, and finally logs stored on archived media.
Step 2: Capture the image
Capturing the image means copying the exact data without any modification. A forensic imaging tool copies the drive bit by bit, so every sector, including unallocated space and file slack, is reproduced without a single change. The source drive is connected through a hardware write blocker, so it is write protected during the copy process and nothing can be written back to the evidence. EnCase and FTK (Forensic Toolkit) are among the most popular forensic suites used by forensic experts.
Step 3: Prevent modification
Hashing is the standard way of demonstrating that data has not been modified. A hash does not by itself prevent modification; it detects it: any change to the data, even a single bit, produces a different hash value. So, to show integrity, the forensic expert computes a hash (typically SHA-256, often alongside MD5 for compatibility with older tools) of the collected data and records it. The hash can be recomputed as many times as required and will remain the same as long as the data is the same.
For example: after capturing an image of the disk, the expert creates a hash of the image, stores that hash separately and safely, and also enables a write protection mechanism to keep the image from being modified. Later, when that evidence is required, the hash is taken again and compared with the recorded hash; if the two match, the data has not been modified and it is fit to use as evidence in court. If they do not match, the image can no longer be shown to be an exact copy, and its value as evidence is lost.
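The three steps carried through end to end, as an added example written for this article rather than taken from it or from any of the tools it names. It assumes POSIX sh with GNU coreutils (dd, sha256sum) and uses a constructed regular file as the "suspect drive" so that it runs offline; on a real case the source would be a block device behind a hardware write blocker. The function names, the custody log format and the sample data are all mine.

```shell
#!/bin/sh
# Added example (not from the original article): acquire a bit-for-bit image,
# hash it, record the hash and a custody entry, and verify the image later.
# Assumptions: POSIX sh with GNU coreutils (dd, sha256sum); the "drive" is a
# constructed file so the example runs offline. On a real case the source
# would be a block device (e.g. /dev/sdb) attached behind a hardware write
# blocker, and the image might be taken with dd, dc3dd or a GUI suite.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CUSTODY_LOG="$WORKDIR/custody.log"

# Constructed stand-in for a suspect drive: exactly 1 MiB of repeated text,
# deterministic and a whole number of 4096-byte blocks.
make_sample_drive() {
    drive="$WORKDIR/suspect_drive.bin"
    yes 'SUSPECT-DRIVE-SECTOR-DATA' | head -c 1048576 > "$drive"
    printf '%s\n' "$drive"
}

# Steps 1 and 2: bit-for-bit copy of the source into an image file.
# conv=noerror,sync keeps reading past bad sectors and pads them with zeros so
# every later offset in the image still lines up with the source. That is why
# the hash that gets recorded is the hash of the image as acquired.
acquire_image() {
    src="$1"; img="$2"
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>/dev/null
    chmod 0444 "$img"   # software write protection on the image file itself
}

# Step 3: compute SHA-256 of the image, store it in a separate read-only file,
# append a custody entry (when, who, what, hash). Prints the hex digest.
hash_evidence() {
    img="$1"
    digest=$(sha256sum "$img" | cut -d' ' -f1)
    printf '%s\n' "$digest" > "$img.sha256"
    chmod 0444 "$img.sha256"
    printf '%s %s acquired %s sha256=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" "$img" "$digest" >> "$CUSTODY_LOG"
    printf '%s\n' "$digest"
}

# Later: recompute the hash and compare it with the recorded one.
# Returns 0 only on a match; a mismatch means the image can no longer be
# shown to be an unmodified copy.
verify_evidence() {
    img="$1"
    recorded=$(cat "$img.sha256")
    current=$(sha256sum "$img" | cut -d' ' -f1)
    if [ "$recorded" = "$current" ]; then
        result=match; rc=0
    else
        result=MISMATCH; rc=1
    fi
    printf '%s %s verify %s result=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" "$img" "$result" >> "$CUSTODY_LOG"
    return "$rc"
}

# Stand-alone run: image the sample drive, hash it, verify, then show that a
# single changed byte is detected.
if [ "${1:-}" = "demo" ]; then
    drive=$(make_sample_drive)
    img="$WORKDIR/evidence.dd"
    acquire_image "$drive" "$img"
    hash_evidence "$img"
    verify_evidence "$img" && echo "verified: $img"
    chmod u+w "$img"                                       # simulate tampering
    printf 'X' | dd of="$img" bs=1 seek=100 conv=notrunc 2>/dev/null
    verify_evidence "$img" || echo "tamper detected: $img"
    cat "$CUSTODY_LOG"
fi
```

Run it as `sh evidence.sh demo`. The custody log is the point of the last two functions: every acquisition and every later verification is written down with a timestamp, the user who did it and the result, which is what a chain of custody has to be able to show.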
These three basic steps sum up the forensic investigation process.
Apart from that, a forensic investigation often includes analysis of network traffic and of the logs relating to the incident, and it always maintains a chain of custody. The chain of custody is a documented record of who collected, handled and stored each item of evidence, and when, giving assurance that the evidence was collected in a proper way and handled properly.