As I promised earlier here: http://digitoktavianto.web.id/introduction-to-digital-forensic-part-1.html, I will continue talking about computer forensics. This is still an introduction, because I think the basic concepts, or fundamental theory, are the important part of everything. With a good grasp of the basic concepts, you can easily understand every aspect of computer forensics. I found many articles in the SANS Reading Room, on digital forensics forums, and in ebooks, and I will share my thoughts about forensics after reading those materials. Okay, let's begin with Part 2 of Introduction to Digital Forensic.
There is a relationship between computer forensics and computer security. We can easily see that computer forensics is part of computer security, right? By the way, what is the main difference between computer security and computer forensics?
Computer Forensics is primarily concerned with the proper acquisition, preservation and analysis of digital evidence, typically after an unauthorized access or use has taken place.
Computer Security, on the other hand, is mainly concerned with the prevention of unauthorized access, as well as the maintenance of confidentiality, integrity and availability of computer systems.
So, from this explanation, can we say that computer forensics is a part of computer security? In my opinion, yes. But for the most part, the fields of computer forensics and security sometimes overlap, especially during forensic investigations aimed at retrieving information protected by security measures. Computer forensics comes into play after the incident has occurred. Nevertheless, Computer Security and Computer Forensics are complementary, in that greater familiarity with Computer Forensics may lead to greater awareness of the importance of both computer security in general and proper procedural controls governing the access and use of computers, networks and other devices.
There are some subdisciplines of digital forensics (taken from the book Digital Forensics for Legal Professionals: Understanding Digital Evidence from the Warrant to the Courtroom):
➢ Incident Response
That being said, the “incident” in incident response refers to a network security breach or attack. This attack can come from the efforts of a hacker, from a person within an organization, or from malicious code in the form of a worm, Trojan horse, or other malware. An incident response expert works to identify possible attacks against a network, determine whether the problem has spread and how to contain it, and then take measures to eliminate any malicious code. If necessary, steps will be taken to restore the data that has been compromised with clean backup files. Incident response experts also work to educate information technology (IT) personnel within an organization on how to protect their network with the appropriate security measures.
➢ Mobile Phone / Smartphone Forensic
The examination of mobile phones has become as common as the examination of computers due to their widespread use. This is easy to understand; just try to think of someone you know who does not own a cell phone. Cell phones contain a wealth of information, and examining them can recover data of evidentiary value. Some examples include the contacts on a phone, text messages, images, videos, audio recordings, and e-mail. Deleted information can be recovered on some cell phones as well. Due to the thousands of different models and makes of cell phones, in addition to the different types of cell phone networks and service providers, the ability to recover data from a cell phone is on a case-by-case basis. The general rule of thumb is that the more like a computer a cell phone is, a Blackberry or iPhone for instance, the greater the likelihood of being able to recover all of the data from it, especially deleted data.
➢ GPS Forensic
GPS records are also valuable as evidence, even if you cannot get the actual GPS unit. Records can be used to see the movement of a person or vehicle. By examining the data available in GPS units, it is possible to estimate how fast someone was driving, and if they made any stops and for how long. If a person is suspected of a crime, GPS records can be helpful in determining if that person went to the location where the incident happened, whether they were ever near it in the vehicle, or if the timeframe even allows for the possibility of that person being a suspect.
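As an added illustration (not from the book or the original post), the sketch below shows how speed and stops can be estimated from a GPS track log. The track format, the sample coordinates and the thresholds `max_kmh`, `min_seconds` and `max_gap` are assumptions made for this example.

```python
import math
from datetime import datetime

# Constructed sample track (timestamp, lat, lon); not taken from any real device.
TRACK = [
    ("2024-01-01T10:00:00", -6.20000, 106.80000),
    ("2024-01-01T10:01:00", -6.20000, 106.80500),
    ("2024-01-01T10:02:00", -6.20000, 106.81000),
    ("2024-01-01T10:03:00", -6.20000, 106.81001),  # jitter while parked
    ("2024-01-01T10:04:00", -6.20001, 106.81001),
    ("2024-01-01T10:05:00", -6.20000, 106.81000),
    ("2024-01-01T10:06:00", -6.20000, 106.81001),
    ("2024-01-01T10:07:00", -6.20000, 106.81000),
    ("2024-01-01T10:08:00", -6.20000, 106.81500),
    ("2024-01-01T10:09:00", -6.20000, 106.82000),
]

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two fixes."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371000.0 * math.asin(math.sqrt(a))

def segments(track):
    """Return (start, end, seconds, km/h) for each pair of consecutive fixes."""
    pts = sorted((datetime.fromisoformat(t), la, lo) for t, la, lo in track)
    out = []
    for (t1, la1, lo1), (t2, la2, lo2) in zip(pts, pts[1:]):
        dt = (t2 - t1).total_seconds()
        if dt > 0:  # skip duplicate timestamps
            out.append((t1, t2, dt, haversine_m(la1, lo1, la2, lo2) / dt * 3.6))
    return out

def find_stops(track, max_kmh=3.0, min_seconds=120, max_gap=600):
    """Merge consecutive slow segments into stops lasting at least min_seconds.
    A gap longer than max_gap means no data (device off), not a proven stop."""
    stops, start, end = [], None, None
    for t1, t2, dt, kmh in segments(track) + [(None, None, 0, float("inf"))]:
        if kmh <= max_kmh and dt <= max_gap:
            start, end = (t1 if start is None else start), t2
            continue
        if start is not None and (end - start).total_seconds() >= min_seconds:
            stops.append((start, end))
        start = None
    return stops

if __name__ == "__main__":
    print("max speed km/h:", round(max(s[3] for s in segments(TRACK)), 1))
    for s, e in find_stops(TRACK):
        print("stop", s.isoformat(), "->", e.isoformat())
```

The speeds are averages between fixes, so a sparse log understates peak speed and can miss short stops entirely.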
➢ Media Device Forensic
There are many possibilities of finding data of evidentiary value on media devices. For instance, on a digital audio recorder, deleted audio recordings can be recovered. A music player, like an iPod, can be used like a portable hard drive to steal or hide data.
➢ Digital Photo and Video Forensic
Digital video and photo forensics is the enhancement and analysis of these individual slides. The primary difference between video and photo forensics is that with a photo, you would enhance them one at a time, and with a video, you might enhance a thousand at a time. Stringent care must be taken in the enhancement and analysis of videos and photos. Either too much enhancement or the wrong kind of enhancement can damage the photo or video from an evidentiary perspective, because these processes can create anomalies or features within the photo or video that were not there originally.
Okay, that's all for now. I will continue to talk about digital forensics in the next blog post. Stay tuned here, and let's share our knowledge together. Sorry for the typos, bad grammar, and everything else. See ya!!