This week we read chapter 13, which covers digital forensics analysis: recovering the elements of a crime as evidence from stored digital materials. In court, a forensic analyst is asked the following questions about the evidence (as stated in the textbook):
- When restoring a backup to another machine, will it contain all of the files, no more and no less than were on the original?
- Will the restored version's files be identical, faithful copies of the originals?
- Will latent data be faithfully reproduced?
- Will the restored backup contain all the data, and only the data, on the original?
- How do we know that our answers to these questions are accurate?
In order to answer these questions, the analyst has to prove the answers through the detailed notes and photographs taken, extensive knowledge of the technology analyzed, and the tools required to analyze it. Computer forensics involves not only knowledge of computer technology but also an understanding of criminal law and the legal process.
Basically, this chapter went over how forensic analysts have to present the technology evidence they found in court. To do that, they have to know the courts and the laws, as well as the technology.
In order to take detailed documentation, computer forensics examiners need to take many pictures and start taking detailed notes from the second they walk in the door, which means noting the time they walked in and the time they walked out while writing the details down. For pictures, I guess the pictures examiners can take are of the front and back of the computer and of the condition the computer was found in. Also, keep the computer away from anything magnetic/metal/silver, because you never know what a computer criminal has done to get rid of the information. As a computer forensics examiner, you should be able to pull out anything the computer criminal has deleted (if you are lucky enough). However, it is hard and rare, because computer criminals know how to back themselves up and clean up their evidence very well.
One thing that stuck out to me while reading the chapter was wiping the analysis drive. The analyst needs to make sure the analysis drive is free of contamination from previous analyses. There should always be an analysis drive prepared in case it is needed in court or further evidence is asked for. Also, to show the court proof that the drive was not contaminated, a wipe is done before restoring the image, so that he or she can present it as evidence that the drive was clean. This is mainly called the DoD wipe. After the wipe has been done, it is confirmed by hashing the blank drive, recording the hash value in a log, and noting that it matches the expected value.
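To make the two verification steps in this chapter concrete, here is an added example (my own code, not from the textbook or the chapter) that works on small in-memory "drive images" so it can run anywhere. It assumes SHA-256 as the hash, a 512-byte sector size, and a single pass of zeros as a simplified stand-in for the multi-pass DoD wipe; the drive contents, the leftover data and the timestamp are all constructed sample values, not real evidence. It checks a wiped analysis drive by comparing its hash against the hash of an all-zero buffer of the same size (and reports where the first leftover byte sits if the wipe failed), and it answers the "faithful copy, no more and no less" questions for a restored backup by comparing sizes, hashes and individual sectors.

```python
import hashlib

SECTOR = 512  # assumed sector size for reporting which sectors differ


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def expected_zero_hash(size: int) -> str:
    """Hash of an all-zero buffer of the given size, computed in chunks so a
    large drive does not have to be held in memory as one zero-filled object."""
    h = hashlib.sha256()
    chunk = b"\x00" * 65536
    remaining = size
    while remaining > 0:
        n = min(len(chunk), remaining)
        h.update(chunk[:n])
        remaining -= n
    return h.hexdigest()


def overwrite_with_zeros(drive: bytes) -> bytes:
    """Simplified stand-in for the wipe step: one pass of zeros over the whole
    drive. A real DoD-style wipe makes several passes; the verification below
    only cares that the final pass leaves every byte at a known value."""
    return bytes(len(drive))


def verify_wipe(drive: bytes) -> dict:
    """Confirm a wipe the way the chapter describes: hash the blank drive and
    compare it with the hash a fully zeroed drive of that size must have."""
    actual = sha256_of(drive)
    expected = expected_zero_hash(len(drive))
    # Offset of the first non-zero byte, or None when the drive is clean.
    stripped = len(drive) - len(drive.lstrip(b"\x00"))
    first_dirty = None if stripped == len(drive) else stripped
    return {
        "actual": actual,
        "expected": expected,
        "wiped": actual == expected,
        "first_dirty_offset": first_dirty,
    }


def verify_restore(original: bytes, restored: bytes) -> dict:
    """Answer 'is the restored copy a faithful, complete copy?': same size,
    same hash, and a list of sector numbers whose contents differ."""
    differing = []
    nsectors = (max(len(original), len(restored)) + SECTOR - 1) // SECTOR
    for i in range(nsectors):
        a = original[i * SECTOR:(i + 1) * SECTOR]
        b = restored[i * SECTOR:(i + 1) * SECTOR]
        if a != b:
            differing.append(i)
    return {
        "same_size": len(original) == len(restored),
        "same_hash": sha256_of(original) == sha256_of(restored),
        "differing_sectors": differing,
    }


def log_line(stage: str, result: dict, when: str) -> str:
    """One line for the examiner's notes. The time is passed in (constructed
    here) rather than read from the clock so the line is reproducible."""
    return f"{when} | {stage} | sha256={result['actual']} | wiped={result['wiped']}"


# Constructed sample: a 4 KiB analysis drive still holding data from a
# previous examination (1000 zero bytes, 27 bytes of leftovers, then zeros).
DIRTY_DRIVE = (b"\x00" * 1000) + b"leftover from previous case" + (b"\x00" * (4096 - 1000 - 27))
CLEAN_DRIVE = overwrite_with_zeros(DIRTY_DRIVE)

# Constructed sample: a 2 KiB "original" image and two bad restores of it.
ORIGINAL = bytes(range(256)) * 8
RESTORED_FLIPPED = ORIGINAL[:600] + b"\xff" + ORIGINAL[601:]   # one byte changed in sector 1
RESTORED_TRUNCATED = ORIGINAL[:-1]                              # last byte missing

if __name__ == "__main__":
    print(log_line("pre-wipe", verify_wipe(DIRTY_DRIVE), "2024-01-01T09:00"))
    print(log_line("post-wipe", verify_wipe(CLEAN_DRIVE), "2024-01-01T09:30"))
    print("good restore:", verify_restore(ORIGINAL, ORIGINAL))
    print("flipped byte:", verify_restore(ORIGINAL, RESTORED_FLIPPED))
    print("truncated:", verify_restore(ORIGINAL, RESTORED_TRUNCATED))
```

Running it shows the dirty drive failing verification with its first leftover byte at offset 1000, the zeroed drive passing, and the two bad restores being caught by the hash comparison with the differing sector identified. The hash of the blank drive is the value that goes into the examiner's log; the later hash of the restored image is what supports the answer to "will the restored version's files be identical copies of the originals?"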