Hi everybody,
I'm a degree student writing a research essay on cyber forensics. But, as you all know, doing research is very challenging if you are a freshie to this issue. And I'm so confused when I read about the principles of cyber forensics. So, I wonder if someone could explain them clearly.
Thank you all.
Well, the primary thing about forensics is to make sure that you do not change anything, so that it can be reproduced and validated by another examiner. That is why there are write blockers and procedures that protect evidence (for example, in the US they focus a lot on chain of custody). In non-law enforcement organisations, and especially when doing e-discovery, the rules are less strict but the primary goal is the same.
The actual science part of IT forensics (determining what has actually happened) is under development, though it is somewhat "sciency" today and is accelerating rapidly towards an established science.
Just look into the area of hardware write blockers. You will find that the hard drive manufacturers have their own standards and specific command sets, and write blockers do not necessarily block everything (they block some write commands instead of just letting through some read commands). It is a good reason why you as an examiner should update your hardware regularly, or use two write blockers (one software based and one hardware based).
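The "do not change anything, so another examiner can reproduce it" principle and the chain of custody mentioned above are usually backed by cryptographic hashes. The following is an added illustration, not part of the original post: the log format, function names and sample image bytes are all constructed for the example.

```python
import hashlib
import io
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first log entry

def sha256_stream(fileobj, chunk_size=1 << 20):
    """Hash an evidence image in chunks so large images need not fit in RAM."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def add_entry(log, examiner, action, evidence_sha256):
    """Append a custody entry that commits to the previous entry's hash."""
    prev = log[-1]["entry_hash"] if log else GENESIS
    body = {"seq": len(log), "examiner": examiner, "action": action,
            "evidence_sha256": evidence_sha256, "prev": prev}
    body["entry_hash"] = _digest(body)
    log.append(body)

def verify_log(log):
    """Return the index of the first inconsistent entry, or None if intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["seq"] != i or entry["prev"] != prev or _digest(body) != entry["entry_hash"]:
            return i
        prev = entry["entry_hash"]
    return None

def evidence_unchanged(log):
    """True when every examiner recorded the same hash for the evidence."""
    return len({e["evidence_sha256"] for e in log}) == 1

def demo():
    # Constructed sample standing in for a disk image read through a write blocker.
    image = io.BytesIO(b"\x00" * 4096 + b"constructed sample image")
    log = []
    add_entry(log, "examiner_a", "acquired via write blocker", sha256_stream(image))
    image.seek(0)
    add_entry(log, "examiner_b", "independent re-verification", sha256_stream(image))
    reproduced = verify_log(log) is None and evidence_unchanged(log)
    # A single altered byte in a later copy shows up as a hash mismatch.
    altered = io.BytesIO(image.getvalue()[:-1] + b"X")
    add_entry(log, "examiner_c", "re-verification of copy", sha256_stream(altered))
    return reproduced, evidence_unchanged(log)

if __name__ == "__main__":
    print(demo())
```

A hash chain like this only detects edits to earlier entries if the latest entry hash is also recorded somewhere the editor cannot change, such as a signed or witnessed record.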
OK, thanks.
This webpage outlines the various principles in the digital forensics process.
http//
Corey Harrell
Only as a side note, if you could avoid completely using "cyber" it would be "better" IMHO
http://www.forensicfocus.com/Forums/viewtopic/p=6562994/
jaclaz
This webpage outlines the various principles in the digital forensics process.
http://www.fbi.gov/about-us/lab/forensic-science-communications/fsc/april2000/swgde.htm
Corey Harrell
I found the brief standard to follow in the digital forensics process on this webpage.
Thank you Corey Harrell
The use of the term "cyber" appears to be linking more and more to any topic–security, intrusions, knowledge, policy, etc.–that pertains to networks or the Internet. A recent example of this is the U.S. Presidential directive in mid-February which uses the term "cyber" as reference to network, internetwork, or infrastructure issues. When my immediate colleagues and I hear the term, our minds interpret "cyber" as "network-related," with a heavy bias to network security.
Without an online or near-line capability, an isolated system can do little to facilitate "cybercrime" or "cyberintrusions." While one could certainly perform dataprocessing activity on an independent, disconnected system, I think that transfer of information from one entity to another must occur, in order to slap the "cyber" label on it. In most cases, such transfer requires network connectivity. Sure, one could save information from an isolated system to removable media and hoof it over to another system. But the term "cyber" does not leap out at me, when I see a pair of Birkenstock's or Nike's traipsing across the room. I would venture to guess that the term "cyber" doesn't conjure up the "sneakernet" image in the average IT professional mind either…or, in even the common user mind, for that matter.
Perhaps, my blathering belongs in another thread. The point I make for this thread is that the OP should focus on network security, network defense, network intrusions or the like, if the term "cyber forensics" is used. Anything else might fall under "computer forensics."
Merriam-Webster's Dictionary defines "cyber" as
of, relating to, or involving computers or computer networks (as the Internet) [e.g.]<the cyber marketplace>
Though, my guess is that the "involving computers" portion will soon be carved out and put into a footnote that begins with the words "archaic use…"
This webpage outlines the various principles in the digital forensics process.
http://www.fbi.gov/about-us/lab/forensic-science-communications/fsc/april2000/swgde.htm
Corey Harrell
I found the brief standard to follow in the digital forensics process on this webpage.
Thank you Corey Harrell
The above weblink leads to information that makes no reference to, or statement about, 'cyber'. The content at the weblink is concerned with "collect and preserve digital evidence". To me this makes sense as it is a referral to and reference about digital evidence and digital forensics procedures associated with it.
At best "Cyber" is nothing more than a 'label/title' being applied to generically label any factual or assumed unlawful activity on/over e.g. certain technologies. At worst 'cyber' is a 'sticking plaster' which is being crudely applied to make everything appear technology/science neutral and thus a subset of 'cyber'.
Cyber has no defined forensics standards of its own, so it requires using existing standards out there which are not referenced to 'cyber'. A good example of this is the UK Forensic Regulator use of standards, which make no reference to cyber
Codes of Practice and Conduct
Appendix Digital Forensic Services
FSR-C-107-001
Consultation Draft
http//
Neither does cyber have its principles or practices that haven't already been adopted and implemented in existing areas of e.g. digital evidence. Corey's weblink above is a good example of this.
However, it is important to be seen to be objective in discussing 'cyber' and to highlight where guidelines do refer to 'cyber'. ACPO Guidelines 2012 makes reference to cyber
"This best practice guide has been produced by the ACPO Crime Business Area and was originally approved by ACPO Cabinet in December 2007. The purpose of this document is to provide guidance not only to assist law enforcement but for all that assists in investigating cyber security incidents and crime. It will be updated according to legislative and policy changes and republished as required."
http//
It would appear largely difficult though for ACPO to avoid using the term 'cyber' because the Guidelines document is labelled with the Police Central e-Crime Unit (PCeU) logo. PCeU is due to be integrated into the National Cyber Crime Unit (NCCU)
http//
If you all have not yet died of boredom, there is some further reading about cyber here (if you can stand it lol)
http//
http//
http//
http//
http//
http//
http//