Phases of Cyber Forensics 

Contexts in source publication

Context 1

... computer situated in Britain as a launch pad for his attack. Challenges behind these situations are both technological and jurisdictional. Confidentiality, integrity and availability are the cardinal pillars of cyber security and they should not be compromised in any manner [2]. Attackers also begin using anti-forensic techniques to hide evidence of a cybercrime. They may hide folders, rename files, delete logs, or change, edit or modify file data [7]. To combat these kinds of crimes, Indian Government established Cyber Forensics Laboratory in November, 2003. Cyber forensics II. P becoming HASES OF C as YBER a source F ORENSICS of investigation because Cyber human forensics expert has witnesses four are distinct important phases: since incident courts will identification, not recognize acquisition software of evidence, tools such analysis as Encase, of evidence, Pasco, Ethereal and reporting as an with expert storage witness of [8]. evidence Cyber forensics [10]. Figure 2 is useful shows for many various professionals phases of cyber like military, forensics private process sector and and each industry, phase academia, responsibility. and The law. These identification areas have phase many mainly needs deals including with data incident protection, identification, data evidence acquisition, collection imaging, and checking extraction, of the interrogation, evidence. The normalization, acquisition phase analysis, saves and the reporting. state of a computer system It is that important can be for further all professionals analyzed. The working analysis in phase the emerging collects the field acquired of cyber data and forensics examines to it have to find a working the pieces and of functioning evidences. The lexicon reporting of terms phase like comprises bookmarks, of cookies, documentation webhit etc., and evidence that are uniformly retention. applied throughout the profession and industry. Cyber forensics international guidelines, related key terms and tools are focused in the cyber forensics field manual [7]. The objective of Cyber forensics is to identify digital evidence for an investigation with the scientific method to draw conclusions. Examples of investigations that use cyber forensics include unlawful use of computers, child pornography, and cyber terrorism. The area of cyber forensics has become prominent field of research because: 1) Forensics systems allow the administrator to diagnose errors 2) Intrusion detection systems are necessary in avoiding cyber crimes 3) Change detection can be possible with proactive forensics Cyber forensics can be used for two benefits [9]: 1) To investigate allegations of digital malfeasance 2) To perform cause analysis II. P HASES OF C YBER F ORENSICS Cyber forensics has four distinct phases: incident identification, acquisition of evidence, analysis of evidence, and reporting with storage of evidence [10]. Figure 2 shows various phases of cyber forensics process and each phase responsibility. The identification phase mainly deals with incident identification, evidence collection and checking of the evidence. The acquisition phase saves the state of a computer system that can be further analyzed. The analysis phase collects the acquired data and examines it to find the pieces of evidences. The reporting phase comprises of documentation and evidence retention. The identification phase is the process of identifying evidence material and its probable location. This phase is unlike a traditional crime scene it processes the incident scene and documents every step of the way. Evidence should be handled properly. Basic requirement in evidence collection is evidence must be presented without alteration. This requirement applies to all phases of forensics analysis. At the time of evidence collection, there is a need of thorough check of system logs, time stamps and security monitors. Once evidence collected, it is necessary to account for its whereabouts. Investigators would need detailed forensics to establish a chain of custody, the documentation of the possession of evidence. Chain of custody is a vital part of computer forensics and the legal system [11] and the goal is to protect the integrity of evidence, so evidence should be physically secured in a safe place along with a detailed log. Figure 3 shows the evidence and chain of custody which is useful during incident investigation. Handling specific type of incidents like Denial of Service, Malicious Code, Unauthorized access etc are described in computer security incident handling guide [12]. The acquisition phase saves the state of evidence that can be further analyzed. The goal of this phase is to save all digital values. Here, a copy of hard disk is created, which is commonly called as an image. Different methods of ...

Context 2

... computer situated in Britain as a launch pad for his attack. Challenges behind these situations are both technological and jurisdictional. Confidentiality, integrity and availability are the cardinal pillars of cyber security and they should not be compromised in any manner [2]. Attackers also begin using anti-forensic techniques to hide evidence of a cybercrime. They may hide folders, rename files, delete logs, or change, edit or modify file data [7]. To combat these kinds of crimes, Indian Government established Cyber Forensics Laboratory in November, 2003. Cyber forensics II. P becoming HASES OF C as YBER a source F ORENSICS of investigation because Cyber human forensics expert has witnesses four are distinct important phases: since incident courts will identification, not recognize acquisition software of evidence, tools such analysis as Encase, of evidence, Pasco, Ethereal and reporting as an with expert storage witness of [8]. evidence Cyber forensics [10]. Figure 2 is useful shows for many various professionals phases of cyber like military, forensics private process sector and and each industry, phase academia, responsibility. and The law. These identification areas have phase many mainly needs deals including with data incident protection, identification, data evidence acquisition, collection imaging, and checking extraction, of the interrogation, evidence. The normalization, acquisition phase analysis, saves and the reporting. state of a computer system It is that important can be for further all professionals analyzed. The working analysis in phase the emerging collects the field acquired of cyber data and forensics examines to it have to find a working the pieces and of functioning evidences. The lexicon reporting of terms phase like comprises bookmarks, of cookies, documentation webhit etc., and evidence that are uniformly retention. applied throughout the profession and industry. Cyber forensics international guidelines, related key terms and tools are focused in the cyber forensics field manual [7]. The objective of Cyber forensics is to identify digital evidence for an investigation with the scientific method to draw conclusions. Examples of investigations that use cyber forensics include unlawful use of computers, child pornography, and cyber terrorism. The area of cyber forensics has become prominent field of research because: 1) Forensics systems allow the administrator to diagnose errors 2) Intrusion detection systems are necessary in avoiding cyber crimes 3) Change detection can be possible with proactive forensics Cyber forensics can be used for two benefits [9]: 1) To investigate allegations of digital malfeasance 2) To perform cause analysis II. P HASES OF C YBER F ORENSICS Cyber forensics has four distinct phases: incident identification, acquisition of evidence, analysis of evidence, and reporting with storage of evidence [10]. Figure 2 shows various phases of cyber forensics process and each phase responsibility. The identification phase mainly deals with incident identification, evidence collection and checking of the evidence. The acquisition phase saves the state of a computer system that can be further analyzed. The analysis phase collects the acquired data and examines it to find the pieces of evidences. The reporting phase comprises of documentation and evidence retention. The identification phase is the process of identifying evidence material and its probable location. This phase is unlike a traditional crime scene it processes the incident scene and documents every step of the way. Evidence should be handled properly. Basic requirement in evidence collection is evidence must be presented without alteration. This requirement applies to all phases of forensics analysis. At the time of evidence collection, there is a need of thorough check of system logs, time stamps and security monitors. Once evidence collected, it is necessary to account for its whereabouts. Investigators would need detailed forensics to establish a chain of custody, the documentation of the possession of evidence. Chain of custody is a vital part of computer forensics and the legal system [11] and the goal is to protect the integrity of evidence, so evidence should be physically secured in a safe place along with a detailed log. Figure 3 shows the evidence and chain of custody which is useful during incident investigation. Handling specific type of incidents like Denial of Service, Malicious Code, Unauthorized access etc are described in computer security incident handling guide [12]. The acquisition phase saves the state of evidence that can be further analyzed. The goal of this phase is to save all digital values. Here, a copy of hard disk is created, which is commonly called as an image. Different methods of ...