Forensic Group Work

The document discusses the concepts of forensic science and cybersecurity forensics. It covers topics like forensic data capture, data loss prevention, data wiping, data recovery, and when and how to engage forensic experts.

Uploaded by

Pedro Pereira

Forensic

Subject: Advanced Operating System


Class: 3L5CS
Group Members: Jennifer Manhice (2021381007), Pedro Pereira (2020341058)
Concept of Forensics:
Forensic science is the use of science to solve crimes and legal disputes. Cybersecurity
forensics is the prevention, detection, and mitigation of cyberattacks, in conjunction with
the capability to gather digital evidence and conduct cybercrime investigations. The purpose
of a forensic investigation is to uncover the details of a breach or malicious attack and the
party or parties responsible. Most importantly, for digital evidence to be admissible in a
court of law, the process followed by the forensic expert must not modify any of the original
data, and the results must be untainted by whichever party is funding the work. This means
that in forensics, all work is done on a digital copy of the system. Using a variety of
techniques, the role of the forensic investigator may include:

• Monitoring a network infrastructure for breaches/attacks;
• Mitigating the effects of a network breach;
• Applying risk assessment methodologies in selecting and configuring security
  controls to protect information assets;
• Preparing a cybersecurity forensics evidence report.
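
The rule above, that the original is never modified and all work happens on a copy, is normally enforced by hashing the evidence at acquisition and re-hashing the copy before analysis. The following is an added example, not part of the original document: the file names, the `examiner` field and the small sample file (standing in for a drive that would normally sit behind a write blocker) are assumptions constructed for illustration.

```python
import hashlib, os, tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so large images never sit in memory

def sha256_file(path):
    """Hash a file opened read-only, chunk by chunk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire(source, image, examiner):
    """Copy source (opened read-only) to a new image file and return an acquisition record."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "xb") as dst:  # "xb" refuses to overwrite
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    os.chmod(image, 0o444)  # mark the working copy read-only
    record = {
        "source": source, "image": image, "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "source_sha256": h.hexdigest(), "image_sha256": sha256_file(image),
    }
    if record["source_sha256"] != record["image_sha256"]:
        raise IOError("image does not match source; acquisition is not usable")
    return record

def verify(record):
    """Re-hash the image before analysis; False means it changed after acquisition."""
    return sha256_file(record["image"]) == record["source_sha256"]

def demo():
    """Constructed sample: a small file stands in for the evidence drive."""
    d = tempfile.mkdtemp()
    src, img = os.path.join(d, "evidence.bin"), os.path.join(d, "evidence.img")
    with open(src, "wb") as f:
        f.write(b"MBR" + bytes(4096) + b"deleted-but-present")
    rec = acquire(src, img, examiner="analyst-01")
    intact = verify(rec)
    os.chmod(img, 0o644)
    with open(img, "r+b") as f:  # simulate an accidental one-byte write to the copy
        f.seek(10)
        f.write(b"\x01")
    return intact, verify(rec), rec

if __name__ == "__main__":
    print(demo())
```

The acquisition record is what goes into the evidence report: anyone can later re-hash the image and confirm it still matches the value recorded at capture.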
Forensic data capture provides the information needed to verify the number of high-priority
or more complicated incident investigations that often lead to a breach investigation. If a
breach is validated, all data and results will be required by government and regulatory
bodies; however, the data will be of most use to investigators because of the detail in the
way it is collected and the depth of its contents. Two types of data are typically collected
in data forensics. The first type is persistent data: data that is permanently stored on a
drive, which makes it easier to find. The other type is volatile data: impermanent, elusive
data, which is more difficult to recover and analyze. Types of collected data may include:

• Actions performed by a person or technology;
• Notification of an event;
• Details of an event;
• Activity consistently gathered electronically and in real time from a given source.

Data Loss:
Forensics expert and educator Rob Lee from the SANS Institute stated, “Data is incredibly
difficult to get rid of.” This is because individuals who have files stored on a single drive
might also have connections into the cloud, might have e-mail stored on Yahoo or Hotmail, and
could have data posted on Twitter accounts; everything is spread everywhere.
For someone intent on destroying data, Lee says, there are three basic tactics:

• Delete the file, which is largely ineffective because of the proliferation of backups
  that exist on the machine or on servers.
• Wipe the hard drive, which can be effective, even with just a single-pass electronic
  wipe.
• Destroy the hard drive, which is harder to accomplish than it sounds, Lee says.

Data loss prevention (DLP) is a set of tools and processes used to ensure that sensitive data
is not lost, misused, or accessed by unauthorized users. DLP software classifies regulated,
confidential and business critical data and identifies violations of policies defined by
organizations or within a predefined policy pack, typically driven by regulatory compliance
such as HIPAA, PCI-DSS, or GDPR. Once those violations are identified, DLP enforces
remediation with alerts, encryption, and other protective actions to prevent end users from
accidentally or maliciously sharing data that could put the organization at risk. Data loss
prevention software and tools monitor and control endpoint activities, filter data streams on
corporate networks, and monitor data in the cloud to protect data at rest, in motion, and in
use. DLP also provides reporting to meet compliance and auditing requirements and identify
areas of weakness and anomalies for forensics and incident response.
The main use cases for data loss prevention include:

• Personal Information Protection/Compliance;
• IP Protection;
• Data Visibility.

Data Wiping:
Data wiping is another example of an anti-forensic technique. Data wiping is used to delete
files and file systems, rendering them unrecoverable. It is also used to securely delete
unwanted files. However, the misuse of data wiping can destroy or spoil pieces of evidence
in a digital forensic investigation. To cope with the misuse of data wiping, we
proposed an anti-anti-forensic method based on NTFS transaction features and a machine
learning algorithm. This method allows investigators to obtain information regarding ‘which
files are wiped’ and ‘which data wiping tools and data sanitization standards are used’. When
getting rid of or reusing outdated digital equipment, one of the biggest concerns for
computer users and many businesses is data security, confidentiality, or privacy. When you
sell, give away, or discard your outdated PC or hard drives, your company information or
private documents could easily end up in the wrong hands. Deleting files or formatting a drive
is not enough to irrevocably erase your data. Hawk Eye offers secure data wiping services in
your own secure premises. Non-physical sanitization is data wiping with professional erasure
software that overwrites the entire hard drive with random data until it is considered
irretrievable. It is considered environmentally friendly and allows digital devices to be
reused, resold or donated; we provide both options to our clients.
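
Overwriting with random data or a constant value leaves a recognisable byte distribution on the media, which an examiner can use for triage. The following is an added example, not part of the original document and not the NTFS-transaction and machine-learning method mentioned above: it is a simpler fill-pattern heuristic, and the sector size, the entropy threshold and the sample image are assumptions constructed for illustration. A constant fill also matches never-written space and a random-like sector also matches encrypted or compressed data, so the output is a hint for where to look, not proof of wiping.

```python
import math, random
from collections import Counter
from itertools import groupby

SECTOR = 512          # bytes per sector examined
RANDOM_BITS = 7.2     # assumed threshold: random 512-byte sectors score about 7.6 bits/byte

def entropy(block):
    """Shannon entropy in bits per byte: 0.0 for one repeated value, 8.0 for uniform bytes."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def classify(block):
    """Label one sector by how its bytes are distributed."""
    if len(set(block)) == 1:
        return "fill:0x%02x" % block[0]      # constant overwrite or never-written space
    if entropy(block) > RANDOM_BITS:
        return "random-like"                 # random overwrite, or encrypted/compressed data
    return "data"

def wipe_runs(image, min_sectors=2):
    """Return (first_sector, sector_count, label) for each run of identically labelled sectors."""
    labels = [classify(image[i:i + SECTOR]) for i in range(0, len(image), SECTOR)]
    runs, pos = [], 0
    for label, group in groupby(labels):
        count = len(list(group))
        if count >= min_sectors:
            runs.append((pos, count, label))
        pos += count
    return runs

def sample_image():
    """Constructed image: file content, a zero-filled area, a random-filled area, 0xFF fill."""
    rng = random.Random(2023)  # fixed seed so the sample is reproducible
    text = (b"Invoice 2023-04: customer record, amount due 1,250.00 EUR\n" * 40)[:4 * SECTOR]
    noise = bytes(rng.getrandbits(8) for _ in range(8 * SECTOR))
    return text + bytes(8 * SECTOR) + noise + b"\xff" * (2 * SECTOR)

if __name__ == "__main__":
    for first, count, label in wipe_runs(sample_image()):
        print(f"sectors {first}-{first + count - 1}: {label}")
```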
Data Recovery:
Data recovery, although a must when the need arises, isn’t something you can easily dabble
in if you lack the required technical knowledge and skills. Forensics is another concept
that is just as complex as it is different from data recovery. But as our world becomes
increasingly digital, the world of data recovery now intertwines with that of forensics. Of
course, you’ve probably seen it already on CSI. Forensic experts are tasked with retrieving
lost data from hard drives that were intentionally damaged when the crime was
committed. Forensic data recovery is an exclusive process of restoring data and files which
will be utilized for legal purposes. Compared with common data recovery tools, forensic
data recovery is more complicated. It is used to recover data and files from storage devices
taken as proof or found at crime scenes.
Focused recovery and analysis areas include:

• Admissible digital evidence;
• Event Reconstruction;
• Quality of Recovered Data;
• Spoliation of Evidence.

When do we engage forensics?

Forensics experts are ultimately focused on the finest of details and hence can make all the
difference when it comes to cases that need to be stitched together to present a clear and
robust case. While forensic expert witnesses are by no means necessary in all criminal or
civil cases, the additional scientific rigour they offer can be highly advantageous, especially
where complicating factors, insufficient evidence, or significant disputes exist. For anyone
contemplating engaging the services of a forensic expert witness, whether in the area of
psychiatry, psychology, dentistry, medicine, or any other domain, navigating the process can
be both confusing and time-consuming. This does not have to be the case, however, with an
understanding of when to consult a forensic witness and what to look for when you do.
When it comes to drafting forensic witness reports and giving testimony in court,
qualifications and expertise are essential. Given the often complex nature of the cases
forensic experts are asked to investigate, the ability to think laterally and beyond the
obvious is also key. It is experience that allows a forensic expert to determine the most
likely hypotheses in a case, test them scientifically, and present evidence that will lead to
a successful case outcome.

How do we engage forensics?

Digital forensics is a complex, multi-step process whose primary objective is to identify,
collect, preserve, and analyze electronic data in a way that is both legally admissible and
scientifically sound. More specifically, digital forensics aims to:

• Investigate cybercrime;
• Recover lost or deleted data;
• Support legal proceedings;
• Prevent digital misconduct;
• Protect critical infrastructure.