This will be my first post in English. As I promised earlier on Twitter and by email, I will talk about digital forensic security analysis. First, I will introduce the basic concepts and theory of digital forensics itself. The three main parts of digital forensics are: digital investigation, digital forensic investigation, and digital evidence. I will discuss the three main parts one by one.
Digital Investigation
A digital investigation is a process in which we develop and test hypotheses that answer questions about digital events, using the scientific method: we form a hypothesis from the evidence we find and then test it against that evidence.
The digital device was either used to commit a physical crime or it executed a digital event that violated a policy or law. Examples are an attacker gaining unauthorized access to a computer, a user downloading contraband material, or a user sending a threatening e-mail. When the violation is detected, an investigation is started to answer questions such as why the violation occurred and who or what caused it.
Digital Forensic Investigation
A digital forensic investigation is a process that uses science and technology to analyze digital objects and that develops and tests theories, which can be entered into a court of law, to answer questions about events that occurred. In other words, a digital forensic investigation is a more restricted form of digital investigation.
Digital Evidence
Digital evidence is a digital object that contains reliable information that supports or refutes a hypothesis.
The most important part of digital forensics is the digital forensic investigation. There is a step-by-step procedure for carrying out a digital forensic investigation. The steps are:
➢ Preliminary Investigation
➢ Site Investigation
➢ Evidence Acquisition
➢ Preservation of Original Media
➢ Analysis of Data
Here is the explanation of each step of the digital forensic investigation procedure:
1. Forensic Environment
➢ Establish sterile conditions to ensure that all media is freshly prepared
- The forensic workstation is scanned for any malware
- The target media for the forensic copy is wiped
➢ Validate all software licenses used for the investigation (obsolete or not, up to date or not, etc.)
➢ Establish file directories and security for investigation data and the report
➢ Have the essential forms ready
- Letter of Authorization or Warrant
- Chain of Custody
- Scope of Work
2. Preliminary Investigation
➢ Profile the target user: are they computer savvy?
➢ What kind of evidence could be associated with this case? Images? Documents? Spreadsheets?
➢ How long has it been since the digital activity?
➢ How do you plan on procuring the digital evidence?
3. Site Investigation
➢ Take pictures of the scene:
- Asset tag
- Removable media in the area
- Connections, internal and external
➢ Inventory and describe all hardware
➢ Ensure the Chain of Custody form is properly completed
4. Evidence Acquisition
➢ If possible, make a forensic copy at the scene using a bit-stream imaging program (court-certified)
➢ Make sure you use a write-blocking device!
➢ Use a static-prevention wrist strap when handling evidence
➢ Record the initial configuration; only change settings if necessary to provide a write block or to allow connectivity (e.g., jumpers, write-block notches)
➢ Record ALL activity!!!
5. Preservation of Original Media
➢ Create a cryptographic hash of the entire disk
➢ Create bit-image copies
➢ Create a cryptographic hash of the copy and compare it with the hash obtained from the original. They MUST MATCH!
➢ Be sure to lock the original disk in a limited-access room or container
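Step 5 as a script, added here as an example and not taken from the post or the training slides: hash the source, make a bit-stream copy, hash the copy, and refuse to continue unless the digests match, logging each outcome for the chain-of-custody record. The "disk" is a constructed file so the script runs offline; on a real case the source would be a block device behind a write blocker, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post or the training slides):
# step 5, Preservation of Original Media, as a verifiable procedure.
# Hash the source, make a bit-stream copy, hash the copy, and refuse to
# continue unless the two digests match; every outcome is logged so the
# record can go into the chain-of-custody file.
# The "disk" here is a constructed file so the script runs offline; on a
# real case the source is a block device attached behind a write blocker.
set -eu

# SHA-256 of a file or block device; prints only the digest.
hash_media() {
    sha256sum "$1" | awk '{print $1}'
}

# Compare the digest of the copy with the digest of the original.
# Returns 0 on match, 1 on mismatch (a mismatched copy must not be used).
verify_copy() {
    [ "$(hash_media "$1")" = "$(hash_media "$2")" ]
}

# Bit-stream copy of $1 into image file $2, verified by hash, logged to $3.
# bs=512 matches the sector size, so conv=noerror,sync (keep reading past
# bad sectors, pad them with zeros) never changes the length of a whole
# device image; on a clean read the copy hashes identically to the source.
image_and_verify() {
    src="$1"; img="$2"; log="$3"
    orig_hash=$(hash_media "$src")
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
    copy_hash=$(hash_media "$img")
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if [ "$orig_hash" = "$copy_hash" ]; then
        printf '%s VERIFIED src=%s img=%s sha256=%s\n' \
            "$stamp" "$src" "$img" "$orig_hash" >> "$log"
        return 0
    fi
    printf '%s MISMATCH src=%s img=%s orig=%s copy=%s\n' \
        "$stamp" "$src" "$img" "$orig_hash" "$copy_hash" >> "$log"
    return 1
}

# Constructed sample "disk" (64 KiB of random bytes), NOT real evidence.
make_sample_disk() {
    dd if=/dev/urandom of="$1" bs=4096 count=16 2>/dev/null
}
```

Running `make_sample_disk`, then `image_and_verify` on the result, produces an image whose digest equals the source and a VERIFIED line in the log; any later change to the image makes `verify_copy` fail.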
6. Analysis of Data
➢ Only work on the forensic copy!
➢ Record the initial file structure and associated external metadata
➢ Stay within your scope of work!!!
Data analysis, step by step:
➢ Timeline analysis
➢ Media analysis
➢ String or Byte search
➢ Data Recovery
Four Forensic Principles = Success
➢ Minimize data loss
➢ Take notes about everything
➢ Analyze all data collected
➢ Report your findings
Okay, this is the end of Part 1. I will continue with Part 2 the next day. Thanks :)
PS: Material taken from slides provided by Mr. Ahmad Zaid Zam Zani, instructor at the Digital Forensic Training held by ID-SIRTII/CC.