Computer forensics is not the easy process it appears to be on TV. It involves a range of processes, analyses and examinations. The computer forensic examination process is usually divided into six stages, presented here in their general chronological order.
- Readiness
In this stage, clients are educated about system preparedness. For the forensic examiner, readiness comprises proper training, regular testing, verification of software and equipment, familiarity with legislation, handling unexpected challenges, and making sure that the data extraction or on-site acquisition is ready and complete.
- Evaluation
This stage comprises receiving instructions, clarifying any that are vague or ambiguous, risk analysis, and allocation of roles and resources. Risk analysis involves assessing the probability of a physical threat when entering the suspect’s property and how to handle it. Commercial companies should also be aware of health and safety problems, conflicts of interest, and possible risks, such as financial or reputational ones, in accepting a particular project.
- Collection
If acquisition is carried out on-site rather than at company facilities such as Elijaht computer forensics labs, this stage also comprises identifying and securing the devices that hold the evidence and documenting the scene. Interviews and meetings are held with staff who hold relevant information. Items of evidence from the site are labelled, bagged and sealed in labelled tamper-evident bags. The security and safe transportation of the material to the examiner’s lab must also be taken into consideration.
- Analysis
The examiner gives feedback to the client during analysis, and the analysis then continues along a path narrowed down to particular areas. Analysis must always be accurate, thorough, unbiased, recorded, repeatable and completed within the timeline and resources allocated. The primary requirement of a computer forensic tool is that it does the task assigned to it, and the way to ensure this is to test and calibrate the tools regularly before analysis takes place.
- Presentation
A structured report is produced on the findings, addressing the points in the initial instructions. It also covers any other information relevant to the case. The report must be written with the reader in mind and should use non-technical language. The examiner should be prepared for further meetings or conferences to discuss the report.
- Review
This stage is often underestimated because it is seen as adding to the costs. The review can be simple and fast, and can include a general analysis of the challenges, the advantages, and the improvements to focus on next. Feedback should also be sought at this stage.