This will be my first post in English. As I promised before on Twitter and by e-mail, I will talk about digital forensic security analysis. First, I will introduce the basic concepts and theory of digital forensics itself. The three main parts of digital forensics are: digital investigation, digital forensic investigation, and digital evidence. I will discuss the three main parts one by one.
Digital Investigation
A digital investigation is a process in which we develop and test hypotheses that answer questions about digital events. It follows the scientific method: we form a hypothesis from the evidence we find, then test it against further evidence.
The digital device was either used to commit a physical crime or it executed a digital event that violated a policy or a law. Examples include an attacker gaining unauthorized access to a computer, a user downloading contraband material, or a user sending a threatening e-mail. When the violation is detected, an investigation is started to answer questions such as why the violation occurred and who or what caused it.
Digital Forensic Investigation
A digital forensic investigation is a process that uses science and technology to analyze digital objects, and that develops and tests theories that can be entered into a court of law, to answer questions about events that occurred. In other words, a digital forensic investigation is a more restricted form of digital investigation: the same hypothesis-testing, but with procedures and documentation that must hold up in court.
Digital Evidence
Digital evidence is a digital object that contains reliable information that supports or refutes a hypothesis.
The most important part of digital forensics is the digital forensic investigation. There is a step-by-step procedure for carrying one out. The steps are:
➢ Preparation
➢ Preliminary Investigation
➢ Site Investigation
➢ Evidence Acquisition
➢ Preservation of Original Media
➢ Analysis of Data
➢ Reporting
Here is an explanation of each step of the digital forensic investigation procedure:
1. Preparation
a. Forensic Environment
➢ Establish sterile conditions so that all media used in the examination is freshly prepared:
- The forensic workstation is scanned for malware
- The target media that will receive the forensic copy is wiped (and the wipe verified) before use
➢ Validate all software used for the investigation: licenses are valid, versions are current, and no tool is obsolete or unsupported
b. Documentation
➢ Set up the file directories, and the access controls on them, for the investigation data and the report
➢ Have the essential forms ready:
- Letter of Authorization or Warrant
- Chain of Custody
- Scope of Work
- Non-Disclosure Agreement
2. Preliminary Investigation
➢ Who?
- Profile the target user: are they computer savvy?
➢ What?
- What kind of evidence could be associated with this case? Images? Documents? Spreadsheets?
➢ When?
- How long has it been since the digital activity?
➢ Where?
- Where is the digital evidence, and how do you plan to procure it?
3. Site Investigation
Physical Investigation
➢ Take pictures of the scene:
- Asset tag
- Removable media in the area
- Connections – internal and external
➢ Inventory and describe all hardware
➢ Ensure Chain of Custody form is properly completed
4. Evidence Acquisition
➢ If possible, make a forensic copy at the scene using:
- a bit-stream imaging program that has been accepted in court
➢ Make sure you use a write-blocking device!
➢ Use an anti-static wrist strap when handling evidence
➢ Record the initial configuration; only change settings if necessary to provide write blocking or to allow connectivity (e.g. jumpers, write-protect notches)
➢ Record ALL activity!
5. Preservation of Original Media
➢ Create a cryptographic hash (e.g. SHA-256) of the entire original disk
➢ Create bit-image copies
➢ Create a cryptographic hash of each copy and compare it with the hash obtained from the original. They MUST match!
➢ Be sure to lock the original disk in a limited-access room or container
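The preservation step above, as an added example that is not part of the original post or the training slides: a minimal imager that hashes the original while it is being read, writes the bit-stream copy, re-reads the finished copy and hashes it independently, and appends the result to an acquisition log for the chain of custody. The source path, image path, examiner name and the sample "evidence" file are constructed for illustration; on a real case the source is the write-blocked device (for example `/dev/sdb`), not a file.

```python
# Added example (not from the original post or the training material).
# Paths, the examiner name and the sample data are constructed for illustration.
import hashlib
import json
import os
import tempfile
import time

CHUNK = 4 * 1024 * 1024      # stream the evidence in 4 MiB blocks
ALGOS = ("md5", "sha256")    # two algorithms: a collision in one is not hidden by the other


def hash_path(path, algos=ALGOS):
    """Hash a file or block device by streaming it; returns {algo: hexdigest}.
    The source is opened read-only and unbuffered. A hardware write-blocker
    still belongs between the evidence and the workstation."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb", buffering=0) as f:
        while block := f.read(CHUNK):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def image_and_verify(source, dest, algos=ALGOS):
    """Bit-stream copy source -> dest, hashing the original during the same
    read (the bytes hashed are exactly the bytes written), then re-read the
    finished copy in a separate pass and hash it. Returns
    (match, original_hashes, copy_hashes)."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(source, "rb", buffering=0) as src, open(dest, "wb") as dst:
        while block := src.read(CHUNK):
            for h in hashers.values():
                h.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())   # the copy must be on disk before it is hashed
    original = {a: h.hexdigest() for a, h in hashers.items()}
    copy = hash_path(dest, algos)  # independent pass over the finished copy
    return original == copy, original, copy


def verify_image(image, expected, algos=ALGOS):
    """Re-verify a stored image against the hashes recorded at acquisition."""
    return hash_path(image, algos) == expected


def write_acquisition_record(log_path, source, dest, match, original, copy, examiner):
    """Append one JSON line to the acquisition log (part of the chain of custody)."""
    record = {
        "time_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "examiner": examiner,
        "source": source,
        "image": dest,
        "original_hashes": original,
        "image_hashes": copy,
        "verified": match,
    }
    with open(log_path, "a") as log:
        log.write(json.dumps(record) + "\n")
    return record


def demo(work=None):
    """Run the whole procedure on a constructed 1 MiB 'evidence' file."""
    work = work or tempfile.mkdtemp()
    evidence = os.path.join(work, "evidence.bin")      # stands in for /dev/sdX
    with open(evidence, "wb") as f:
        f.write(bytes(range(256)) * 4096)
    image = os.path.join(work, "evidence.dd")
    ok, orig, dup = image_and_verify(evidence, image)
    write_acquisition_record(os.path.join(work, "acquisition.jsonl"),
                             evidence, image, ok, orig, dup, examiner="examiner-01")
    return {"ok": ok, "original": orig, "image": dup,
            "evidence_path": evidence, "image_path": image}


if __name__ == "__main__":
    result = demo()
    print("verified" if result["ok"] else "HASH MISMATCH - do not proceed to analysis")
    print("sha256:", result["image"]["sha256"])
```

One caveat worth recording in the log: if the source has unreadable sectors, an imager that zero-fills them (as `dd conv=noerror,sync` does) produces an image whose hash cannot match any hash of the raw device. Log every bad sector, and treat the hash of the image itself as the reference for all later verification.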
6. Analysis of Data
➢ Only work on the forensic copy!
➢ Record the initial file structure and associated external metadata
➢ Stay within your scope of work!!!
Analysis of data, step by step:
➢ Timeline analysis
➢ Media analysis
➢ String or Byte search
➢ Data Recovery
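Two of the analysis steps above (timeline analysis and string or byte search), as an added example that is not part of the original post or the training slides. The "mounted copy" directory, the raw image, the keyword and the planted offsets are constructed for illustration; on a real case the forensic copy is mounted read-only (and `noatime`) or opened through a forensic library, and only the copy is ever touched. The search goes beyond the slide's one-line item: it looks for each keyword as ASCII and as UTF-16LE (the encoding of most Windows artifacts) and keeps an overlap between read chunks so a hit that straddles a chunk boundary is not missed.

```python
# Added example (not from the original post or the training material).
# Paths, sample files and planted keywords are constructed for illustration.
import os
import tempfile
from datetime import datetime, timezone


def build_timeline(root):
    """Walk the (read-only) copy and emit one event per timestamp per file,
    oldest first: (iso_time_utc, 'm'|'a'|'c', size, relative_path).
    Only stat() is called, so the walk itself does not touch any atime."""
    events = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)           # lstat: never follow symlinks on evidence
            rel = os.path.relpath(path, root)
            for kind, ts in (("m", st.st_mtime), ("a", st.st_atime), ("c", st.st_ctime)):
                events.append((ts, kind, st.st_size, rel))
    events.sort()
    return [(datetime.fromtimestamp(ts, timezone.utc).isoformat(), kind, size, rel)
            for ts, kind, size, rel in events]


def search_image(image_path, keywords, chunk=1 << 20):
    """Case-insensitive byte search over a raw image for each keyword as ASCII
    and as UTF-16LE. Returns sorted (offset, keyword, encoding) tuples."""
    needles = []
    for kw in keywords:
        low = kw.lower()
        needles.append((kw, "ascii", low.encode("ascii")))
        needles.append((kw, "utf-16le", low.encode("utf-16-le")))
    overlap = max(len(n) for _, _, n in needles) - 1   # longest possible straddle
    hits, seen = [], set()
    with open(image_path, "rb") as f:
        base, tail = 0, b""
        while data := f.read(chunk):
            buf = tail + data                 # previous tail lets boundary hits match
            buf_start = base - len(tail)      # absolute offset of buf[0]
            low = buf.lower()                 # ASCII-only lowercasing; \x00 untouched
            for kw, enc, needle in needles:
                pos = low.find(needle)
                while pos != -1:
                    key = (buf_start + pos, kw, enc)
                    if key not in seen:       # the overlap region is scanned twice
                        seen.add(key)
                        hits.append(key)
                    pos = low.find(needle, pos + 1)
            base += len(data)
            tail = buf[-overlap:] if overlap else b""
    hits.sort()
    return hits


def demo(work=None):
    """Constructed sample: a tiny 'mounted copy' plus an 8 KiB raw image with
    the keyword planted at known offsets, one straddling a 4 KiB chunk boundary."""
    work = work or tempfile.mkdtemp()
    mount = os.path.join(work, "copy_mounted_ro")
    os.makedirs(os.path.join(mount, "notes"))
    old = os.path.join(mount, "notes", "old.txt")
    new = os.path.join(mount, "report.docx")
    with open(old, "wb") as f:
        f.write(b"meeting notes")
    with open(new, "wb") as f:
        f.write(b"PK\x03\x04 placeholder")
    os.utime(old, (1655251200, 1655251200))   # 2022-06-15T00:00:00Z (atime, mtime)
    os.utime(new, (1672531200, 1672531200))   # 2023-01-01T00:00:00Z
    image = os.path.join(work, "evidence.dd")
    blob = bytearray(8192)
    blob[100:106] = b"SECRET"                                  # ASCII hit at 100
    u16 = "Secret".encode("utf-16-le")
    blob[2000:2000 + len(u16)] = u16                           # UTF-16LE hit at 2000
    blob[4093:4099] = b"secret"                                # crosses the 4096 boundary
    with open(image, "wb") as f:
        f.write(blob)
    return {"timeline": build_timeline(mount),
            "hits": search_image(image, ["secret"], chunk=4096)}


if __name__ == "__main__":
    result = demo()
    for event in result["timeline"]:
        print(*event)
    for off, kw, enc in result["hits"]:
        print(f"0x{off:08x} {kw!r} ({enc})")
```

The ctime entries in the timeline cannot be set by `utime`, so on the sample they show the moment the demo created the files; on a real copy they carry the inode-change times recorded on the original volume, which is exactly why the copy must be imaged bit-for-bit rather than file-copied.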
7. Reporting
Four forensic principles for a successful investigation:
➢ Minimize data loss
➢ Take notes about everything
➢ Analyze all data collected
➢ Report your findings
Okay, this is the end of part one. I will continue with Part 2 tomorrow. Thanks :)
PS: Material taken from slides provided by Mr. Ahmad Zaid Zam Zani, instructor at the Digital Forensic Training held by ID-SIRTII/CC.