Join Sandra Toner for an in-depth discussion in this video Applying science to digital investigations, part of Learning Computer Security Investigation and Response.
- In this video, we'll cover the basic concepts of Forensic Science as applied to Digital Evidence. Forensics is the use of a scientific approach to investigate and present valid evidence in a court of law. There's a lot of TV shows out there that have familiarized us with the different aspects of forensic science. Like DNA testing. The scientific process used in forensics also applies to digital evidence. So it must undergo processing, and examination, in a standardized way.
Another important thing is to maintain the integrity of the evidence. Methods such as recording the chain of custody are intended to keep the digital evidence secure, as it's being processed and investigated. If a device can store or communicate data, computer forensics can be applied. Which of the devices in this picture could be the subject of a computer forensics investigation? If you said all of them, you're right. There's all kinds of different investigations with some crossover, including disc forensics, e-mail forensics, network forensics, internet forensics, and mobile device forensics.
Now let's take a look at some of the principles of forensics. Like I mentioned earlier, it's incredibly important to follow a chain of custody and keep the evidence locked down. If you're trying to use the digital evidence in court, you need to be able to establish that it has not been altered. That means that from the moment the evidence is seized, until it's presented in court, you have to be able to account for it. Along the same lines, you should document everything. Record as much as detail as possible about the evidence, and the state it was found in.
Finally, and this one's an important one for beginners out there, Don't examine the actual evidence. Touch the evidence as little as possible. The best approach is to make a forensic duplicate, or a system copy to examine. If you follow these basic principles of forensics, you'll be able to keep your evidence legitimate, and admissible in court. Current digital forensic methods capture, preserve, and analyze digital evidence in general purpose electronic containers, called forensic containers.
The de facto standard for forensic analysis in law enforcement is the Expert Witness Format, EWF, used on EnCase software. There's also the Advanced Forensics Format. This is an extensible open format for the storage of disc images and related forensic metadata. As you start to learn computer forensics, keep in mind that there are standards for conducting a forensic investigation. Next, we'll take a closer look at what constitutes digital evidence.
This course covers the basics of computer forensics and cyber crime investigation. Author Sandra Toner provides an overview of forensic science, and discusses best practices in the field and the frameworks professionals use to conduct investigations. Then, after showing how to set up a simple lab, Sandra describes how to respond to a cyber incident without disturbing the crime scene. She dives deep into evidence collection and recovery, explaining the differences between collecting evidence from Windows, Mac, and Linux machines. The course wraps up with a look at some of the more commonly used computer forensics software tools.
- Applying science to digital investigations
- Understanding forensic frameworks
- Defining cyber crime: harassment, hacking, and identity theft
- Setting up a forensic lab
- Responding to cyber incidents
- Collecting and recovering evidence
- Examining networks for evidence
- Applying forensics to Windows, Mac, and Linux
- Working with forensics tools