There are many type of Cyber crimes taking place in the digital world, it is important for the investigator to collect, analyze, store and present the evidence in such a manner that court will believe in such digital evidences and give appropriate punishment to the Cyber criminal.
The steps in a digital forensics follow an life cycle approach and consists of following steps
- Requirement Analysis – This preliminary step we should check our technological feasibility. Then investigator has to determine how we can protect the stored data from misuse and tampering that is known as chain of custody, that means investigator has to prove that nobody has alter or tampered the evidential data after it has been collected by him.
- Retrieval of Data – It is most crucial to identify the source and destination media. Generally the suspected computer or server storage is worked as a source media and data available on that is taken on to the other media for further investigation. So the investigator should has knowledge of different kind of storage devices, and how the data of that storage device is taken in to own storage devices without loss and alteration of the data, which can be further use as legal evidence in the court.
- Reliability – It is also vital to determine that, how much authenticated the data is? Therefore, the image we have created must be identical to original data. To check the originality of the data we should create the hashes of original data before we create the image. Immediately after creating the image, create the hash of image data. These two hashes must be match and if they don’t match then it shows something wrong happened with the imaging process and thus data is unreliable. That is suggested to use any complex algorithm to build the hash of the data like MD5 or SHA-1, which is very difficult to spoof.
- Review of Evidence – After getting all the data from the suspected resources it is most important things that how we get the data that can consider as evidence in the court of law. We require proper chain of evidence that can’t be challenge from the opposing party and that is only possible if all the evidence is relevant to the case. After collecting the large set of information it is important to extract the evidence data from media, therefore some tools like Forensic Tool Kit and EnCase are used for the analysis of collected information from the suspected computer. For Linux environment Coronor’s Toolkit is used for evidence collection and analysis. The analysis of the physical media layer of abstraction, which translates a custom storage layout and contents to a standard interface, IDE or SCSI for example. The boundary layer is the bytes of the media. Examples include a hard disk, compact flash, and memory chips. The analysis of this layer includes processing the custom layout and even recovering deleted data after it has been overwritten
- Representation of Evidence – Here due to lots of uncertainty in the validity and acceptability in the digital evidence it is equally important to represent the evidence in such a form that can be understood by the court. For many types of digital data records or logging data for processes it is obvious that they can potentially be relevant as digital evidence in the case of disputes. But sometimes court will not accept the same data as valid evidence because of the improper representation of the digital evidence.
- Repository of Data – After the successful investigation it is also equally important that how you can archive the data in repository for future use. First important thing is to determine what are the data that can be useful for future use and how long we have to store that data. So, in the legal procedure, the completed case may be re-open in future or opponent may go for appeal or revision in the higher court. Since it is very difficult to store all the data related to the case in the repository, investigator has to find that; what are the important datasets that can be useful for the future use and only those data is stored in the repository. Therefore, the removal of the data from the repository are depend on the likelihood of the case will be appealed.
