Everyone involved in the computer forensics process requires authorization from the appropriate authorities to monitor and gather information related to a computer intrusion. Normally, a system administrator acting as a forensic investigator would follow a standard set of procedures to capture and authenticate log files from a system under her authority so that they are admissible in a court of law. This involves various steps, including the physical isolation of the computer in question to ensure that it cannot be contaminated accidentally. Investigators then make a digital copy of the hard drive, after which they lock the original drive in a safe or other secure storage facility to maintain its pristine state.
They therefore carry out the entire investigation on the digital copy, using a variety of techniques and proprietary forensic applications to inspect the copy of the hard drive and searching concealed folders as well as unallocated disk space for copies of damaged, encrypted or deleted files (SearchSecurity.com, 2009). The practice of digital forensics currently involves three stages, the first being the securing of evidence. Securing entails imaging, the process of producing exact copies of the seized digital medium.
The copies must contain exactly the same information as the original, and to prove this, the investigators use cryptographic hashing techniques. This first phase is therefore of great significance in ensuring that the evidence is admissible in court. The second stage involves analysis of evidence. Here, the investigators enumerate evidence items in the data set. Normally, the data set is very large, and the investigators consequently find the process intricate, because it is difficult to determine the exact pieces of information that have value as evidence. The third stage involves evaluation, which is the process of assessing the implications of the enumerated evidence items for the investigation.
The investigators evaluate such issues as what the evidence tells them about the use of the computer and the user's actions. This phase is crucial because the objective of any given investigation is to provide evidence of a chain of events. Digital evidence has many physical characteristics. For instance, it is easy to copy and modify. However, keeping it in its original state is not easy.
In a computer system, an electromagnetic record is stored in binary form, that is, as 0s and 1s. A copied object is the same as the original one, but it can conveniently be adjusted.
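The hashing check from the securing stage, as an added example that is not part of the original essay: it hashes an original and its image, and when the digests differ it compares per-block hashes to show where the copy was altered. The file names, the use of SHA-256 and the 4096-byte block size are assumptions, and the "drive" is constructed random data.

```python
import hashlib
import os
import tempfile

BLOCK = 4096  # assumed block size for the per-block comparison


def image_digest(path, algo="sha256"):
    """Hash a whole image in fixed-size reads so large images need little memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def block_digests(path):
    """Per-block SHA-256 list, used to locate where two images diverge."""
    out = []
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            out.append(hashlib.sha256(chunk).hexdigest())
    return out


def verify_copy(original, copy):
    """Return (matches, mismatched_block_indexes) for an original and its image."""
    if image_digest(original) == image_digest(copy):
        return True, []
    a, b = block_digests(original), block_digests(copy)
    bad = [i for i in range(max(len(a), len(b)))
           if i >= len(a) or i >= len(b) or a[i] != b[i]]
    return False, bad


def demo():
    """Constructed sample: a 5-block 'drive', an exact copy, and an altered copy."""
    d = tempfile.mkdtemp()
    data = os.urandom(BLOCK * 5)
    altered = bytearray(data)
    altered[BLOCK * 3 + 10] ^= 0x01  # flip a single bit inside block 3
    blobs = {"original.dd": data, "copy.dd": data, "altered.dd": bytes(altered)}
    paths = {name: os.path.join(d, name) for name in blobs}
    for name, blob in blobs.items():
        with open(paths[name], "wb") as f:
            f.write(blob)
    return (verify_copy(paths["original.dd"], paths["copy.dd"]),
            verify_copy(paths["original.dd"], paths["altered.dd"]))


if __name__ == "__main__":
    print(demo())
```

A single flipped bit changes the whole-image digest, which is why a matching digest recorded at acquisition time lets investigators show that the working copy still equals the original.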