Computer Forensic Investigation Process …

Rahul Kumar
5 min read · Jul 11, 2022

In this process we follow the steps below:

Step 1. Acquire The Data

To acquire data from a hard disk or from computer memory, we use the following three steps.

1. Build a Computer Investigation Toolkit

Use the following guidelines when building and using a computer investigation toolkit:

• Decide which tools you plan to use before you start the investigation. The toolkit will typically include dedicated computer forensics software, such as Sysinternals, EnCase, or the Forensic Toolkit (FTK).

• Ensure that you archive and preserve the tools. You might need a backup copy of the computer investigation tools and software that you use in the investigation to prove how you collected and analyzed data.

• List each operating system that you will likely examine, and ensure you have the necessary tools for examining each of them.

• Include a tool to collect and analyze metadata.

• Include a tool for creating bit-to-bit and logical copies.

2. Collect the Data

Data collection of digital evidence can be performed either locally or over a network. Acquiring the data locally has the advantage of greater control over the computer(s) and data involved.

When using tools to collect data, it is important to first determine whether or not a rootkit has been installed. Rootkits are software components that take complete control of a computer and conceal their existence from standard diagnostic tools. Because rootkits operate at a very low level, close to the hardware, they can hide from or tamper with the very tools you use to collect data, so their presence must be established before the collected data is trusted.

3. Store and Archive

When evidence is collected and ready for analysis, it is important to store and archive the evidence in a way that ensures its safety and integrity.

• Ensure that no unauthorized personnel have access to the evidence, over the network or otherwise. Document who has physical and network access to the information.

• Protect storage equipment from magnetic fields. Use static control storage solutions to protect storage equipment from static electricity.

• Make at least two copies of the evidence you collected, and store one copy in a secure offsite location.

• Ensure that the evidence is physically secured: store it in a tamperproof location.
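The "bit-to-bit copy" tool and the integrity requirements of the Store and Archive step come together in the following script. It is an added example, not code from the original article: it images a regular file byte for byte while hashing the stream, verifies the image against the recorded hash, and appends each handling event to a chain-of-custody log. In a real acquisition the source would be a raw block device read through a write blocker; the device path, the examiner name and the evidence bytes used here are all constructed for the demonstration.

```python
"""Bit-for-bit copy of an evidence source with integrity hashes and a
chain-of-custody log.

Added example, not code from the original article. It images a regular
file; in a real acquisition the source would be a raw block device such
as /dev/sdb, read through a write blocker (both are assumptions here).
"""
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1024 * 1024  # stream in 1 MiB pieces so large images fit in memory


def sha256_of(path: str) -> str:
    """Hex SHA-256 of a file, computed chunk by chunk."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def image_source(src: str, dst: str) -> dict:
    """Copy src to dst byte for byte, hashing the bytes as they are read.

    Hashing the stream as it flows means the recorded value is the hash of
    exactly what was written to the image file, not of a later re-read.
    """
    digest = hashlib.sha256()
    size = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for chunk in iter(lambda: fin.read(CHUNK), b""):
            digest.update(chunk)
            fout.write(chunk)
            size += len(chunk)
    return {
        "source": src,
        "image": dst,
        "bytes": size,
        "sha256": digest.hexdigest(),
        "acquired_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }


def verify_image(record: dict) -> bool:
    """True if the image on disk still has the size and hash recorded at acquisition."""
    image = record["image"]
    return (os.path.getsize(image) == record["bytes"]
            and sha256_of(image) == record["sha256"])


def log_custody(log_path: str, record: dict, handler: str, action: str) -> None:
    """Append one JSON line: which image, who handled it, what they did, when."""
    entry = dict(record, handler=handler, action=action,
                 logged_at=time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()))
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")


def demo() -> tuple:
    """Image a constructed evidence file, verify it, tamper with it, verify again.

    Returns (verified_before_tamper, verified_after_tamper).
    """
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "evidence.bin")  # constructed stand-in for a device
        dst = os.path.join(work, "evidence.dd")
        log = os.path.join(work, "custody.jsonl")
        with open(src, "wb") as fh:
            # Not a multiple of CHUNK, so the last partial read is exercised too.
            fh.write(b"MBR\x00" * 4096 + os.urandom(3 * CHUNK + 17))
        record = image_source(src, dst)
        examiner = "examiner-1 (hypothetical)"
        log_custody(log, record, handler=examiner, action="acquired")
        before = verify_image(record)
        # Flip one byte in the image: the size is unchanged, but the hash must fail.
        with open(dst, "r+b") as fh:
            fh.seek(CHUNK + 5)
            byte = fh.read(1)
            fh.seek(CHUNK + 5)
            fh.write(bytes([byte[0] ^ 0xFF]))
        after = verify_image(record)
        log_custody(log, record, handler=examiner,
                    action="verification " + ("passed" if after else "FAILED"))
        return before, after


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The second verification fails on purpose: it shows why the hash is recorded at acquisition time and re-checked every time the image changes hands, which is the evidence-integrity property the archive step asks for.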

Step 2. Analyze the Data

1. Analyze Network Data

The investigation focuses on and examines images of the data. When network analysis is required:

1. Examine network service logs for any events of interest. Typically, there will be large amounts of data.

2. Examine firewall, proxy server, intrusion detection system (IDS), and remote access service logs.

3. View any packet sniffer or network monitor logs for data that might help you determine the activities that took place over the network.
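Because the logs in steps 1 and 2 are large, the first pass is usually a triage that reduces them to a handful of events of interest. The script below is an added example, not from the original article: it parses firewall log lines, reports sources that were denied on many distinct ports, flags allowed connections from a source that had earlier been denied, and counts lines it could not parse so the analyst knows how much of the log the triage actually covered. The log format, the regular expression and the sample lines are constructed for this demonstration; adapt `LINE_RE` to the format your firewall emits.

```python
"""Triage of firewall log lines for events of interest.

Added example, not from the original article. The log format and the
sample lines are constructed for this demonstration; adapt LINE_RE to
the format your firewall actually emits.
"""
import re
from collections import defaultdict
from typing import Optional

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: one external host probes several ports, is denied,
# then gets an allowed SSH session; the rest is ordinary internal traffic.
SAMPLE_LOG = [
    "2022-07-11T10:00:01Z ALLOW TCP 10.0.0.12:51001 -> 10.0.0.7:443",
    "2022-07-11T10:00:02Z DENY TCP 203.0.113.5:51234 -> 10.0.0.7:22",
    "2022-07-11T10:00:02Z DENY TCP 203.0.113.5:51235 -> 10.0.0.7:23",
    "2022-07-11T10:00:03Z DENY TCP 203.0.113.5:51236 -> 10.0.0.7:445",
    "2022-07-11T10:00:03Z DENY TCP 203.0.113.5:51237 -> 10.0.0.7:3389",
    "2022-07-11T10:00:04Z DENY TCP 203.0.113.5:51238 -> 10.0.0.7:8080",
    "2022-07-11T10:00:09Z ALLOW TCP 203.0.113.5:51240 -> 10.0.0.7:22",
    "2022-07-11T10:01:00Z ALLOW UDP 10.0.0.12:50000 -> 10.0.0.53:53",
    "2022-07-11T10:01:07Z this line is corrupt and will not parse",
]


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def triage(lines, port_threshold: int = 5) -> dict:
    """Reduce a large log to a few events of interest.

    - probable_scanners: sources denied on at least port_threshold distinct ports
    - allowed_after_denies: ALLOW events from a source that was denied earlier
      in the same log (a probe followed by a successful connection)
    - unparsed: lines the parser could not read; reported rather than silently
      dropped so the analyst knows the coverage of the triage
    """
    denied_ports = defaultdict(set)
    allowed_after = []
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["action"] == "DENY":
            denied_ports[rec["src"]].add(rec["dport"])
        elif rec["src"] in denied_ports:
            allowed_after.append((rec["ts"], rec["src"], rec["dst"], rec["dport"]))
    scanners = {src: len(ports) for src, ports in denied_ports.items()
                if len(ports) >= port_threshold}
    return {"probable_scanners": scanners,
            "allowed_after_denies": allowed_after,
            "unparsed": unparsed}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample log the triage returns one probable scanner (203.0.113.5, five distinct denied ports), one allowed connection from that same source to port 22 after the denies, and one unparsed line. The unparsed count matters in a report: a triage that silently skips malformed lines overstates what was examined.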

2. Analyze Storage Media

The storage media you collected during the Acquire the Data phase will contain many files. You need to analyze these files to determine their relevance to the incident, which can be a daunting task because storage media such as hard disks and backup tapes often contain hundreds of thousands of files.

1. Whenever possible, perform offline analysis on a bit-wise copy of the original evidence.

2. Determine whether data encryption was used, such as the Encrypting File System (EFS) in Microsoft Windows. If you suspect data encryption was used, then you need to determine whether or not you can actually recover and read the encrypted data.

3. If necessary, decompress any compressed files and archives. Although most forensic software can read compressed files from a disk image, you might need to decompress archive files to examine all files on the media you are analyzing.

4. Create a diagram of the directory structure. It might be useful to graphically represent the structure of the directories and files on the storage media to effectively analyze the files.
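Steps 2 to 4 above can be combined into one pass over the mounted image. The following script is an added example, not code from the original article: it draws a text diagram of the directory structure, hashes every file, identifies archives by their magic bytes rather than by extension (so a renamed .zip is still found and queued for decompression), and reads the Windows EFS attribute where the platform reports one. It runs against a small evidence tree that it constructs itself; on a real case you would point `inventory` and `tree_lines` at the mount point of the bit-wise copy.

```python
"""Inventory and directory diagram of a storage-media image's file tree.

Added example, not code from the original article. It operates on a
mounted (or extracted) directory rather than on a raw image, and builds a
small constructed tree to run against; the archive signatures are the
standard magic bytes of those formats.
"""
import gzip
import hashlib
import os
import stat
import tempfile
import zipfile

# First bytes of common archive formats, used to spot compressed content
# regardless of file extension (an extension can be renamed; magic cannot).
MAGIC = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
}


def archive_kind(path: str):
    """Return the archive type by magic bytes, or None for non-archives."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def sha256_of(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_efs_encrypted(path: str) -> bool:
    """True if Windows reports the file as EFS-encrypted; always False elsewhere."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_ENCRYPTED)


def tree_lines(root: str) -> list:
    """Text diagram of the directory structure: directories first, names sorted."""
    lines = [os.path.basename(os.path.normpath(root)) + "/"]

    def walk(directory, prefix):
        entries = sorted(os.scandir(directory),
                         key=lambda e: (not e.is_dir(follow_symlinks=False), e.name))
        for i, entry in enumerate(entries):
            last = i == len(entries) - 1
            is_dir = entry.is_dir(follow_symlinks=False)
            lines.append(prefix + ("└── " if last else "├── ")
                         + entry.name + ("/" if is_dir else ""))
            if is_dir:
                walk(entry.path, prefix + ("    " if last else "│   "))

    walk(root, "")
    return lines


def inventory(root: str) -> list:
    """One record per file: relative path, size, hash, archive type, EFS flag."""
    records = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            records.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "bytes": os.path.getsize(path),
                "sha256": sha256_of(path),
                "archive": archive_kind(path),
                "efs_encrypted": is_efs_encrypted(path),
            })
    return records


def demo() -> dict:
    """Build a constructed evidence tree and summarise what the analysis finds."""
    with tempfile.TemporaryDirectory() as work:
        root = os.path.join(work, "evidence")
        os.makedirs(os.path.join(root, "docs"))
        with open(os.path.join(root, "docs", "notes.txt"), "w") as fh:
            fh.write("constructed sample note\n")
        with zipfile.ZipFile(os.path.join(root, "docs", "report.zip"), "w") as zf:
            zf.writestr("report.txt", "constructed zipped report")
        with gzip.open(os.path.join(root, "backup.gz"), "wb") as gz:
            gz.write(b"constructed gzipped backup")
        # Renamed archive: the extension says .txt, the content says zip.
        with zipfile.ZipFile(os.path.join(root, "innocent.txt"), "w") as zf:
            zf.writestr("hidden.txt", "renamed archive")
        records = inventory(root)
        return {
            "tree": tree_lines(root),
            "archives": sorted((r["path"], r["archive"]) for r in records if r["archive"]),
            "files": len(records),
        }


if __name__ == "__main__":
    result = demo()
    print("\n".join(result["tree"]))
    print("archives to decompress:", result["archives"])
```

The archive list is what step 3 needs: three items to decompress, including `innocent.txt`, which an extension-based filter would have skipped. The EFS flag is only meaningful on Windows; elsewhere the attribute is absent and the function reports False, which is the right default rather than a guess.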

Step 3. Report the Investigation

This step covers the information you gather and the documentation you create throughout a computer investigation, and how to write the final report:

1. Gather and Organize Information

1. Gather all documentation and notes from the Assess, Acquire, and Analyze phases. Include any appropriate background information.

2. Identify parts of the documentation that are relevant to the investigation.

3. Identify facts to support the conclusions you will make in the report.

4. Create a list of all evidence to be submitted with the report.

5. List any conclusions you wish to make in your report.

2. Write the Report

The following list identifies the recommended report sections and the information that should be included in each of them:

• Purpose of Report
• Author of Report
• Evidence
• Details
• Conclusion
• Supporting Documents

👉 Final Thoughts

Did you learn something new from this article, or did you like it? I want to hear your valuable response. Also, if you love the article and want to keep going with this automation series, hit the clap 👏 and don't forget to share ❤️ it with your friends.

Go to my LinkedIn for new updates related to cyber attacks and many more articles ...

I hope this is helpful, and I would be interested to hear about other resources that you find useful. Please leave a message here, on Medium.

–Rahul KT


Rahul Kumar

Hey! I'm Rahul Kumar, a security researcher from 🇮🇳. I'm building my skills in threat intelligence, digital forensics, open source intelligence, etc.