Question


Using at least 500 words - summarize the article. (The author discusses six reasons why proper forensics protocols must be followed when collecting computer evidence - can you think of any other reasons?) Please do not plagiarize (copy and paste any paragraph that's not yours); this paper will be checked. Please cite the paper with APA style citation. I need to see the author mentioned in the summary that you are writing as follows (Author name and year of publication).

Computer Forensics: The Six Steps

Adrian T.N. Palmer, Managing Director, Kroll Ontrack Computer Forensics

Computer-based information is a key source of evidence in an increasing number of investigations and legal matters. This trend is not surprising as the proportion of corporate communication created electronically is now over ninety-three percent. This increase in creating and using electronic documents now means that computers are quickly becoming a critical point of investigation for any company that needs to locate information about its business activity. As such, computer systems, be they one hard drive or a network of servers, are now routinely identified as the best place to begin collecting potential evidence.

The types of investigations which centre on computer-based evidence are numerous and varied, from the personal to the political, fraud to theft. A growing number of these cases have highlighted the need for comprehensive computer forensic analysis in investigations that incorporate electronic data. Organisations need to make sure that the electronic evidence they collect is done in a manner which does not threaten the integrity of their data while also accurately identifying the what, where, how and whom of the computer-related behaviour.

There are typically six stages in a computer forensic investigation:

Consultancy

The most effective place to begin a computer forensic investigation is to consult with client/expert to create a strategy for collecting, analysing and processing the data. This strategy may include analysis of where the critical information resides, as well as the identification of protocols that will ensure the admissibility of the data into evidence in a court of law, should it become necessary.

Before any hard drive exploration begins, protocol dictates that forensic experts identify where key evidence is likely to be located and piece together user and system information in order to obtain a comprehensive and thorough account of the technological landscape. This first step in the computer examination is, therefore, to understand where data resides, what conduct is at issue, what the aim of the investigation is and what output is sought.

Data Preservation

Electronic evidence, like other types of evidence, is fragile. Entering data, loading software, performing routine system maintenance or simply booting a computer can destroy certain files or metadata (key facts about the data, such as its creation or last modified dates) that is stored on the hard drive. A computer forensic expert should ensure that:

- Potential evidence is not damaged
- Computer viruses are not introduced
- Extracted data is protected from mechanical or electromagnetic damage
- A proper chain of custody is maintained throughout the process

Failure to adhere to strict industry standards regarding data preservation will not only result in the loss of critical data but may impinge the credibility of any data that is recovered, potentially rendering it unreliable or inadmissible in a court of law.

Data Collection

Once the location of the relevant data is identified, it must be retrieved. Computer forensic experts can retrieve data from virtually all storage and operating systems, including many antiquated systems.

Using proprietary tools, experts can collect a wide range of data and can:

- Retrieve data from seemingly inaccessible media
- Access active data on the media
- Recover deleted data and/or deleted email
- Access inactive and unused data storage areas of various computer media and retrieve potentially important text
- Access password protected and encrypted files
- Gather information from databases, contact managers, electronic calendars and other proprietary software

Regardless of how the data is collected, a copy of all media (computer hard drives, servers, disks, tapes, etc.) must be made using appropriate and usually proprietary imaging software. This imaging process provides the client and computer forensic investigators with a "snap-shot" or mirror image of the data contained on the media. The "snap shot" is a perfect sector-by-sector copy of the drive, including all of the unused and partially overwritten spaces, the nooks and crannies where important evidence may reside. The imaging process is non-destructive to the data and does not require the operating system to be "booted"
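
An added example, not part of the article or the question, of the imaging and chain-of-custody points in the Data Preservation and Data Collection sections: a sector-by-sector copy of constructed sample media that keeps unused space, checks the copy against the source, and records each hand-off. SHA-256 verification, the 512-byte sector size, the file names and the log layout are assumptions of this example; the article does not specify them.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

SECTOR = 512  # assumed sector size for this example

def image_media(src_path, dst_path, sector=SECTOR):
    """Copy src to dst sector by sector; return (sector count, SHA-256 of bytes read)."""
    h, count = hashlib.sha256(), 0
    # The source is opened read-only, so the acquisition cannot modify it.
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while block := src.read(sector):
            dst.write(block)   # every sector is kept, including all-zero unused ones
            h.update(block)
            count += 1
    return count, h.hexdigest()

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()  # sample media is small

def custody_entry(log, actor, action, image_hash):
    """Append a record; 'prev' hashes the previous record so edits to it are detectable."""
    prev = (hashlib.sha256(json.dumps(log[-1], sort_keys=True).encode()).hexdigest()
            if log else None)
    log.append({"time": datetime.now(timezone.utc).isoformat(), "actor": actor,
                "action": action, "image_sha256": image_hash, "prev": prev})
    return log[-1]

def acquire_demo():
    # Constructed sample media: an active file, an unused sector, a deleted remnant.
    media = (
        b"ACTIVE FILE".ljust(SECTOR, b"\0")
        + b"\0" * SECTOR
        + b"deleted memo".ljust(SECTOR, b"\0")
    )
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "media.bin"), os.path.join(d, "image.dd")
        with open(src, "wb") as f:
            f.write(media)
        sectors, acquired = image_media(src, dst)
        verified = sha256_file(src) == acquired == sha256_file(dst)
        log = []
        custody_entry(log, "examiner A", "acquired", acquired)
        custody_entry(log, "examiner B", "received for analysis", sha256_file(dst))
        with open(dst, "rb") as f:
            remnant_kept = b"deleted memo" in f.read()
    return sectors, verified, remnant_kept, log

if __name__ == "__main__":
    print(acquire_demo()[:3])
```

A real acquisition would read the device through a hardware or software write blocker rather than relying on the read-only open shown here.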
