Which is a forensic technique that correlates information found on multiple hard drives?
|
Show Computer Forensics Explained: Computer forensics grouped together with digital forensic science; in a specific sense, the field of computer forensics pertains to the obtainment of legal evidence, which is stored in computer systems and digital storage media units. Those involved in computer forensics are responsible for examining digital media and files to recover, preserve, and analyze to ultimately identify facts concerning a legal matter or situation. Computer forensics, thus requires the inspection of an individual’s—who is involved in a legal matter—personal computer or digital files. The field of computer forensics is connected with the investigation of computer crimes. In an investigatory sense, the discipline of computer forensics will incorporate similar techniques and principles found in data recovery; however, the field of computer forensics will attach additional practices and guidelines which are implemented to create a legal audit trial. The evidence gathered from a computer forensics investigation is typically subjected to the same protocol and practices of other digital evidence. Evidence obtained from computer forensic techniques cannot be tampered with and must meet the constitutional guidelines of a fair legal trial. The History of Computer Forensics: In the early 1980s, computer systems were more accessible to consumers; as a result of this popularity, networks began to store personal information aligned with banking and identification purposes. As computers facilitated transactions and consumer activity, they attracted criminals interested in committing fraud and tampering with personal information. During this time, the discipline of computer forensics emerged as a method to investigate and recover digital evidence used in court systems. In a more modern sense, computer forensics is used to investigate criminal activity, including, fraud, child pornography, cyber stalking, cyber bullying, murder, and rape. The information recovered from computer forensics is used to elucidate upon the current state of a digital artifact, such as a storage medium, a computer system, or an electronic document. Once the information is obtained, the scope of a forensic investigation can vary from a simple retrieval of information to reconstructing a complex series of events. Computer Forensics used as Evidence: Evidence obtained through the implementation of computer forensics has been applied to criminal law cases since the early 1980s. In the court of law, information or evidence obtained from computer forensics is subject to the typical requirements for digital evidence—meaning the evidence obtained must be reliably obtained and admissible, as well as authenticated. In addition to these guidelines, various countries and jurisdictions have implemented specific regulations attached to the recovery of computer forensic evidence. Computer Forensics Process: Computer forensic investigations follow the standard digital forensic process, which includes the acquisition of evidence through a computer platform, subsequent analysis and reporting. A number of techniques are used during computer forensics investigations, including cross-drive analysis, live analysis, and the studying of deleted files. Cross-drive analysis refers to a forensic technique that correlates information present on multiple hard drives. The process can be used for identifying social networks or for performing anomaly detection. Live analysis is the process of examining computers within the operating system using a custom tool to extract the evidence. Commentscomments
 Under a Creative Commons license Open access AbstractThis paper introduces Forensic Feature Extraction (FFE) and Cross-Drive Analysis (CDA), two new approaches for analyzing large data sets of disk images and other forensic data. FFE uses a variety of lexigraphic techniques for extracting information from bulk data; CDA uses statistical techniques for correlating this information within a single disk image and across multiple disk images. An architecture for these techniques is presented that consists of five discrete steps: imaging, feature extraction, first-order cross-drive analysis, cross-drive correlation, and report generation. CDA was used to analyze 750 images of drives acquired on the secondary market; it automatically identified drives containing a high concentration of confidential financial records as well as clusters of drives that came from the same organization. FFE and CDA are promising techniques for prioritizing work and automatically identifying members of social networks under investigation. We believe it is likely to have other uses as well. KeywordsComputer forensics Forensic feature extraction Cross-drive analysis Data analysis Information extraction Cited by (0)Simson L. Garfinkel is a postdoctoral fellow at the Center for Research on Computation at Society at Harvard University, and a research affiliate at the Computer Science and Artificial Intelligence Laboratory at MIT. He is also a consulting scientist at Basis Technology Corp., which develops software for extracting meaningful intelligence from unstructured text, and a founder of Sandstorm Enterprises, a computer security firm that develops advanced computer forensic tools used by businesses and governments to audit their systems. Dr. Garfinkel has research interests in computer forensics, the emerging field of usability and security, and in personal information management. Copyright © 2006 DFRWS. Published by Elsevier Ltd. All rights reserved. What is a forensic image of a hard drive?Digital Forensics
A forensic image of a hard drive captures everything on the hard drive, from the physical beginning to the physical end. Performing a “copy and paste” via the operating system is not the same as a forensic clone. A true forensic image captures both the active and latent data.
What are the techniques used in computer forensics?Here are common techniques:. Reverse Steganography. Cybercriminals use steganography to hide data inside digital files, messages, or data streams. ... . Stochastic Forensics. ... . Cross-drive Analysis. ... . Live Analysis. ... . Deleted File Recovery.. What evidence can be found on a hard drive?Evidence in the hard drives of computers may be found in files created by the computer user (e.g., e-mails, spreadsheets, and calen- dars), files protected by the computer user (e.g., encrypted and password-protected files), files created by the computer (e.g., log files, hidden files, and backup files), and other data ...
What are forensic duplication techniques?A forensic duplication is an accurate copy of data that is created with the goal of being admissible as evidence in legal proceedings. Furthermore, we define forensic duplication as an image of every accessible bit from the source medium.
|
