Digital Forensics’ Principles

There are some principles that will lead you to achieve your investigation’s goals. The investigator should be aware of the following Four principles.

  1. Record everything.
  2. Minimise data loss.
  3. Analyse all data collected.
  4. Report your findings.

 

Now the question is “Where is the data that needs to be analysed?”.

Basically, everything should be analysed and investigated when approaching a crime scene; plus, no one is allowed to access the crime scene area. The following figure shows some of the digital hardware that can analysed with the potential of finding information inside it.Picture1

 

Everything in the crime scene is valuable and should be subjected to an investigation and analysis carefully; along with the computer itself. Remember: do not despise anything, even the small things. The table below shows two different scenarios when investigating a digital crime scene (Live system and Dead system):

 

Live System   Dead System
acquisition copies the data using the suspect’s (operating) system. Usually, people try to avoid this acquisition, because the attacker can modify data or software can produce tampered data. In the live system, the power is still on, processes are still running, disks being access, and removable media keeps changing.   acquisition copies the data without the assistance of the suspect’s (operating) system. In the dead system, the power is off, the power id unplugged, no changes in the removable media.

 

 

Remember: the evidence is volatile, where the most volatile evidence can be found in (Memory) and the least can be found in (Removable media). Below is the order for the most volatile to the least (from top to bottom):

  1. Memory.
  2. Network Status and Connections.
  3. Processes Running.
  4. Hard Drive Media.
  5. Removable Media such as, floppy drive, zip drive, USB sticks and more.

Note: the evidence in the Memory, Network Status and Connections and Processes Running will be destroyed if the power cut off.