What Can Cyber Forensics Reveal?
According to Judd Robbins, the expectations from Cyber Forensics are that it:
- Protects the subject computer system during the forensic examination from any possible alteration, damage, data corruption, or virus introduction;
- Discovers all files on the subject system. This includes existing normal files, deleted yet remaining files, hidden files, password-protected files, and encrypted files;
- Recovers all (or as much as possible) of discovered deleted files;
- Reveals (to the extent possible) the contents of hidden files as well as temporary or swap files used by both the application programs and the operating system;
- Accesses (if possible and if legally appropriate) the contents of protected or encrypted files;
- Analyses all possibly relevant data found in special (and typically inaccessible) areas of a disk;
- Prints out an overall analysis of the subject computer system, as well as a listing of all possibly relevant files and discovered file data; and
- Provides expert consultation and/or testimony, as required.

The cyber forensics process encompasses five key elements:
- The identification and acquisition of digital evidence: Knowing what evidence is present, where it is stored and how it is stored is vital in determining which processes are to be employed to facilitate its recovery. In addition, the cyber forensic examiner must be able to identify the type of information stored in a device and the format in which it is stored so that the appropriate technology can be used to extract it. After the evidence is identified, the cyber forensic examiner/investigator should image/clone the hard disk or the storage media.
- The preservation of digital evidence is a critical element in the forensic process. Any examination of the electronically stored data should be carried out in the least intrusive manner. Alteration to data that is of evidentiary value must be accounted for and justified.
- The analysis of digital evidence (the extraction, processing and interpretation of digital data) is generally regarded as the main element of cyber forensics. Extraction produces raw binary data, which must be processed to make it human-readable.
- Reporting the findings means presenting them in a simple, lucid manner, so that any person can understand them. The report should be in simple terms, giving the description of the items, the process adopted for analysis and the chain of custody, the hard and soft copies of the findings, a glossary of terms, etc.
- The presentation of digital evidence involves deposing evidence in a court of law regarding the findings and the credibility of the processes employed during analysis.
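
The acquisition and preservation elements above can be illustrated with a short added example (not part of the original text): it hashes a disk image, keeps a hash-chained chain-of-custody log, and reports any change to the image or the log that was not accounted for. The function names, the log fields and the stand-in image file are assumptions made for illustration.

```python
import hashlib, json, os, tempfile

def hash_image(path, chunk=1 << 20):
    """SHA-256 of an image file, read in chunks so it need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def _entry_digest(entry):
    body = {k: entry[k] for k in ("seq", "actor", "action", "image_sha256", "prev")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def add_custody_entry(log, actor, action, image_path):
    """Append a custody record chained to the previous record's digest."""
    entry = {"seq": len(log), "actor": actor, "action": action,
             "image_sha256": hash_image(image_path),
             "prev": log[-1]["digest"] if log else "0" * 64}
    entry["digest"] = _entry_digest(entry)
    log.append(entry)

def verify_custody(log, image_path):
    """Return a list of problems; an empty list means log and image agree."""
    problems, prev = [], "0" * 64
    for e in log:
        if e["prev"] != prev or e["digest"] != _entry_digest(e):
            problems.append(f"entry {e['seq']}: log record altered or reordered")
        if e["image_sha256"] != log[0]["image_sha256"]:
            problems.append(f"entry {e['seq']}: image hash differs from acquisition hash")
        prev = e["digest"]
    if log and hash_image(image_path) != log[0]["image_sha256"]:
        problems.append("current image does not match acquisition hash")
    return problems

def demo():
    # Constructed stand-in for a disk image; a real one comes from an imaging tool.
    fd, path = tempfile.mkstemp(suffix=".dd")
    os.write(fd, b"\x00" * 4096 + b"constructed sample sector data")
    os.close(fd)
    log = []
    add_custody_entry(log, "examiner-a", "acquired", path)
    add_custody_entry(log, "examiner-b", "received for analysis", path)
    clean = verify_custody(log, path)
    with open(path, "r+b") as f:      # simulate an unaccounted-for change
        f.write(b"\x01")
    altered = verify_custody(log, path)
    os.remove(path)
    return clean, altered
```

Calling `demo()` returns the verification result before and after a one-byte change to the image; in practice the analysis is done on the verified copy, never on the original media.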