Forensic analysis is a rigorous investigative method that seeks to establish exactly what happened, how, and through which systems. It is normally carried out by specialists in the field, who know which steps matter and in what order they must be taken, and its findings become the reliable source of information on which the rest of an investigation is built.
Forensic analysis is carried out in several stages that help the investigator handle the data collected and that define the methodology to follow in an engagement such as a digital forensics service. The four stages of a forensic analysis are:
- Preliminary study
- Data acquisition
- Analysis and Research
- Preparation and Presentation of the Expert Report
Below we will see, briefly, what each of them consists of:
The first stage, the preliminary study, gathers information from the client through interviews and documentation. This gives a preliminary understanding of the problems that may be encountered. All relevant details must be collected at this point, including:
- The person responsible for the equipment involved in the incident: name and surname, position, work schedule and hours, time at the company, and the system user account they use.
- The affected equipment: model, serial number, operating system, system description, equipment characteristics, cost, years in service, ...
- The storage devices used by the system and where they are located: memories (USB, SD, microSD, RAM, ...), hard drives, ... For each device, record brand, model, serial number and connection type (how the system's drives are attached), ...
In summary, this first stage covers the initial data collection, and a photographic record of the whole system and of every device under study must also be made.
In the second stage, acquisition, the data is obtained from the digital media by cloning them. Remember that a forensic investigator should never work with the original data but with a bit-by-bit copy of it: not a copy of the files (a backup) but a complete image of the victim’s hard drive, unallocated space included.
To obtain such a low-level clone, the drive under investigation must be accessed in read-only mode so that no write operation ever touches it; in practice this means connecting it through a hardware write blocker or, failing that, setting the device read-only in software before it is imaged. Hardware and software imaging tools exist that support all common types of storage device.
The copy is verified with hash functions, applying algorithms such as MD5 or SHA (these are not encryption functions: a hash produces a fixed-length hexadecimal digest, which is computed over the original disk and over the image; if the two digests match, the image is an exact copy and its content has not been altered). MD5 and SHA-1 have known collision attacks, so record at least a SHA-256 digest as well, and keep the digests with the image so the copy can be re-verified every time it changes hands.
This is one of the most critical stages of forensic analysis: if it is done wrong, the investigation and all the analysis built on it will be invalid.
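The acquisition and verification steps above, as an added example that is not code from the original article or from any particular imaging tool. It assumes a Linux-style source path such as /dev/sdb that has already been placed behind a write blocker or set read-only (for instance with `blockdev --setro /dev/sdb`); the demo at the bottom images a constructed file instead of a real device. The function and file names are the example's own.

```python
"""Bit-for-bit acquisition with hash verification (added example).

Not code from the original article. Assumes a Linux-style source path such as
/dev/sdb that has already been placed behind a write blocker or set read-only
(for instance with `blockdev --setro /dev/sdb`); the demo below images a
constructed file instead of a real device.
"""
import hashlib
import json
import os
import tempfile

SECTOR = 512          # padding granularity for unreadable regions
BLOCK = SECTOR * 8    # read size, kept a multiple of SECTOR


def image_stream(src, img, block=BLOCK):
    """Copy the readable, seekable stream `src` into `img` bit for bit.

    Returns (bytes_written, sha256_hex, unreadable_offsets). A read error does
    not abort the copy: the block is replaced with zeros, its offset is logged
    and the copy continues, which is what dd's conv=noerror,sync does. A bad
    block at the very end of a device may be padded past its real size;
    dedicated imagers re-read such regions sector by sector instead.
    """
    digest = hashlib.sha256()
    unreadable = []
    offset = 0
    while True:
        try:
            chunk = src.read(block)
        except OSError:
            unreadable.append(offset)
            src.seek(offset + block)        # skip the bad region
            chunk = b"\x00" * block         # and pad it with zeros
        if not chunk:
            break
        img.write(chunk)
        digest.update(chunk)
        offset += len(chunk)
    return offset, digest.hexdigest(), unreadable


def sha256_file(path):
    """Hash a file on disk in 1 MiB pieces (works for multi-TB images)."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for piece in iter(lambda: f.read(1 << 20), b""):
            digest.update(piece)
    return digest.hexdigest()


def acquire(src_path, img_path):
    """Image src_path to img_path, verify the image and write a sidecar record."""
    with open(src_path, "rb", buffering=0) as src, open(img_path, "wb") as img:
        size, acq_hash, unreadable = image_stream(src, img)
    # Independent re-read of the finished image: both digests must agree.
    img_hash = sha256_file(img_path)
    if img_hash != acq_hash:
        raise RuntimeError("image hash differs from acquisition hash")
    record = {
        "source": src_path,
        "image": os.path.basename(img_path),
        "bytes": size,
        "sha256": img_hash,
        "unreadable_offsets": unreadable,
    }
    with open(img_path + ".json", "w") as f:
        json.dump(record, f, indent=2)
    os.chmod(img_path, 0o444)   # the working copy is never written to again
    return record


def verify(img_path):
    """Re-hash an image and compare with its sidecar record; True if intact."""
    with open(img_path + ".json") as f:
        record = json.load(f)
    return sha256_file(img_path) == record["sha256"]


if __name__ == "__main__":
    # Constructed demo: a 1 MiB "device" of random bytes in a temp directory.
    workdir = tempfile.mkdtemp()
    evidence = os.path.join(workdir, "evidence.bin")
    with open(evidence, "wb") as f:
        f.write(os.urandom(1 << 20))
    image = os.path.join(workdir, "evidence.dd")
    print(json.dumps(acquire(evidence, image), indent=2))
    print("verified:", verify(image))
```

The acquisition digest is computed over the bytes as they are written and then compared with an independent re-read of the finished image; the sidecar record keeps the digest, size and list of unreadable offsets so that `verify` can be re-run when the image is handed over or before each analysis session.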
Once the security problem and what it has affected have been identified, the investigator in charge of the forensic analysis must decide whether or not to switch the equipment off. This is a difficult decision, because if the computer is turned off, evidence that exists only in volatile memory is lost: logged-in users, running processes, open network connections, system state not yet written to the logs on disk, and so on.
Therefore, as a precaution, it is useful to dump all of this with the appropriate tool in each case before turning the equipment off, capturing the most volatile sources first (memory, network state, processes) and writing the output to external media rather than to the evidence disk.
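The live capture described above, as an added example that is not code from the original article or from any existing live-response tool. It assumes a Linux host with /proc mounted and reads /proc directly instead of trusting the host's ps, ss or netstat binaries, which an intruder may have replaced; a full RAM dump is out of scope (that needs a kernel-level tool). The output directory should be on external media, never on the evidence disk. All names are the example's own.

```python
"""Live-response capture of volatile data before shutdown (added example).

Not code from the original article. Assumes a Linux host where /proc is
mounted. What is captured is the state that a shutdown would destroy, most
volatile first, each item hashed as it is written so the capture itself can
be verified later. Write the output to external media, not the evidence disk.
"""
import datetime
import hashlib
import json
import os
import platform
import time


def read_bytes(path):
    """Return a file's content, or a note if it cannot be read (never abort)."""
    try:
        with open(path, "rb") as f:
            return f.read()
    except OSError as exc:
        return f"UNAVAILABLE {path}: {exc}\n".encode()


def clock_record():
    """Wall clock, host and kernel: needed to correlate with other evidence."""
    now = datetime.datetime.now(datetime.timezone.utc).isoformat()
    return f"utc={now}\nhost={platform.node()}\nkernel={platform.release()}\n".encode()


def process_table():
    """PID, executable path and command line for every entry in /proc."""
    try:
        pids = sorted((p for p in os.listdir("/proc") if p.isdigit()), key=int)
    except OSError:
        return b"UNAVAILABLE /proc\n"
    lines = []
    for pid in pids:
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = "?"                        # kernel thread or process already gone
        cmd = read_bytes(f"/proc/{pid}/cmdline").replace(b"\x00", b" ").strip()
        lines.append(f"{pid}\t{exe}\t{cmd.decode(errors='replace')}")
    return ("\n".join(lines) + "\n").encode()


# Ordered from most to least volatile; capture happens in this order.
VOLATILE_SOURCES = [
    ("clock", clock_record),
    ("net_tcp", lambda: read_bytes("/proc/net/tcp")),
    ("net_tcp6", lambda: read_bytes("/proc/net/tcp6")),
    ("net_udp", lambda: read_bytes("/proc/net/udp")),
    ("arp", lambda: read_bytes("/proc/net/arp")),
    ("processes", process_table),
    ("modules", lambda: read_bytes("/proc/modules")),
    ("mounts", lambda: read_bytes("/proc/mounts")),
    ("uptime", lambda: read_bytes("/proc/uptime")),
]


def collect_volatile(outdir):
    """Write each source to outdir, hash it, and return the manifest."""
    os.makedirs(outdir, exist_ok=True)
    items = []
    for name, producer in VOLATILE_SOURCES:
        captured = time.time()
        data = producer()
        path = os.path.join(outdir, name + ".txt")
        with open(path, "wb") as f:
            f.write(data)
        items.append({"name": name, "file": os.path.basename(path),
                      "bytes": len(data), "captured_at": captured,
                      "sha256": hashlib.sha256(data).hexdigest()})
    manifest = {"collected_by": "collect_volatile", "items": items}
    with open(os.path.join(outdir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "volatile-capture"
    for item in collect_volatile(target)["items"]:
        print(f"{item['name']:<10} {item['bytes']:>8} B  {item['sha256']}")
```

Unavailable sources are recorded as such rather than skipped, so the manifest always shows what was attempted and in which order; the per-item timestamps let the capture be placed on the same timeline as the disk image taken afterwards.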
Once all this data has been collected, it must be transferred, with its chain of custody documented, to the center where the investigation will be conducted.
In the third stage, analysis and research, the digital evidence is examined, a process that requires good knowledge of the system under study.
The information to collect in this phase is mainly:
- Logs of the analyzed systems.
- Intrusion detection system records.
- Firewall logs.
- Files of the analyzed system (here care must be taken with users’ personal folders; note that folders created by default when the operating system was installed, such as those of the administrator account, are not considered personal, ...).
When the information is accessed, two types of analysis can be distinguished:
- Physical: works on the raw data as stored on the medium, without interpreting it through the operating system or file system (for example, scanning unallocated sectors for file signatures).
- Logical: works on the information as interpreted by the operating system, such as the directory structure, the files still stored as well as those that have been deleted, the creation and modification dates and times of the files, their size, the contents of free sectors, ...
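The two views contrasted in working code, as an added example that is not from the original article or from any forensic tool: the logical view asks the file system for names, sizes and timestamps; the physical view ignores the file system and scans the raw bytes for file signatures (carving), which is how data with no directory entry is found. The image is constructed inline (a hand-built 1x1 PNG, a JPEG whose trailer has been overwritten, zero-filled free space) and the signature table is deliberately small; all names are the example's own.

```python
"""Physical vs logical analysis on the same evidence (added example).

Not code from the original article. The logical view reads what the operating
system reports about files; the physical view carves raw bytes for header and
trailer signatures. The image below is constructed for the demo.
"""
import os
import struct
import zlib

# (header, trailer) pairs; real carvers use longer tables and per-type parsers.
SIGNATURES = {
    "png":  (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
}
MAX_CARVE = 16 * 1024 * 1024     # stop looking for a trailer beyond this distance


def logical_listing(root):
    """The operating-system view: names, sizes and timestamps from the file system."""
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            entries.append({"path": os.path.relpath(full, root), "size": st.st_size,
                            "mtime": st.st_mtime, "ctime": st.st_ctime})
    return sorted(entries, key=lambda e: e["path"])


def carve(image, signatures=SIGNATURES, max_size=MAX_CARVE):
    """The physical view: every header/trailer pair in the raw bytes.

    A header with no trailer within max_size is still reported, flagged as
    incomplete, because a partially overwritten file is evidence too.
    """
    found = []
    for kind, (head, tail) in signatures.items():
        pos = image.find(head)
        while pos != -1:
            end = image.find(tail, pos + len(head), pos + max_size)
            if end == -1:
                found.append({"type": kind, "offset": pos, "complete": False,
                              "data": image[pos:pos + max_size]})
                pos = image.find(head, pos + 1)
            else:
                end += len(tail)
                found.append({"type": kind, "offset": pos, "complete": True,
                              "data": image[pos:end]})
                pos = image.find(head, end)
    return sorted(found, key=lambda f: f["offset"])


def png_chunk(kind, payload):
    crc = zlib.crc32(kind + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + kind + payload + struct.pack(">I", crc)


def tiny_png():
    """A valid 1x1 red PNG, built by hand so the demo needs no image library."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")             # filter 0 + one pixel
    return (SIGNATURES["png"][0] + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b""))


FREE = b"\x00" * 4096                    # "unallocated" sectors (constructed)
PNG_OFFSET = len(FREE)
JPEG_OFFSET = PNG_OFFSET + len(tiny_png()) + len(FREE)


def constructed_image():
    """Free space, a deleted-but-intact PNG, free space, a JPEG cut off mid-file."""
    return FREE + tiny_png() + FREE + b"\xff\xd8\xff\xe0\x00\x10JFIF" + FREE


if __name__ == "__main__":
    for hit in carve(constructed_image()):
        state = "complete" if hit["complete"] else "INCOMPLETE"
        print(f"{hit['type']:<5} @ {hit['offset']:>6}  {len(hit['data']):>5} bytes  {state}")
```

On the constructed image the logical view has no entry for either file, while the carve reports the PNG as complete at its offset and the JPEG as an incomplete hit; in a real case the incomplete hit is what tells the analyst that the trailer sectors were reused and the file can only be partly recovered.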