Computer Forensics Investigation Process (1 Viewer)

shadan505

Forensic investigation steps should be well known because it can open new doors for people to be blamed for easy reasons. It’s easier to leave or delete evidence in virtual environments.

Computer forensics investigation is a process with 4 main stages.

  • Definition
  • Examination
  • Analysis
  • Reporting

Definition

The identification period of a forensic informatics review begins with the identification and collection of the potential data storage resources (digital evidence) to be examined.

Typical data sources: computer hard drives, CDs, DVDs, USB disks, flash disks, memory cards, mobile phones, etc.

Examination

This is the process of making exact copies of the collected data sources. It is essential that the evidence examined here preserves data integrity. In other words, the evidence should be preserved from the moment it is seized.

Analysis

In this process, the data about the subject is extracted from the exact copy of the examined evidence.

Reporting

The information is presented. The reporting should be clear and should include evaluations rather than claims.

Hardware and Software Used

EnCase Forensic Software

It is one of the most widely used software packages in the world. It is paid software, commercially released by the company Guidance Software, and it runs on Windows.

With EnCase Forensic software:

  • Forensic copies can be taken and examined of e-evidence such as hard disks, USB memory, RAM, files, folders and servers, as well as smartphones and tablets.
  • It can calculate hashes on e-evidence and forensic copies.
  • It can recover data.
  • It can work with the password finding/cracking software called “Passware Kit Forensic”.
  • It can show e-mail content without the need for an external program.
  • In addition to previewing files with various extensions, external file viewers can also be added to the program.

Forensic Toolkit (FTK) software

It is paid software, commercially released by the company AccessData Software.

With Forensic Toolkit software:

  • Passwords of more than 100 applications can be recovered.
  • Automatic analysis can be done.
  • Control options such as stopping, pausing and resuming ongoing processes are available.
  • Editable reports.
  • Comprehensive data analysis.
  • It is designed so that operations on the database continue non-stop if the FTK program stops working with an error.
  • SQLite database.
  • It has the ability to find/crack passwords of encrypted domains such as Credant, SafeBoot, Utimaco, SafeGuard Enterprise and Easy, EFS, PGP, GuardianEdge, Pointsec and S/MIME.

Cellebrite UFED Touch Ultimate

It receives data suitable for forensic examination from GPS devices, tablets, computers, SIM cards and some music players.

If it supports the model:

  • It can get a physical forensic copy.
  • It can get a logical forensic copy.
  • It can extract the current file content.
  • It can extract files such as existing or deleted applications, passwords, e-mails, messages, contacts, GPS information, etc.

XRY

XRY hardware can be used with the program installed on Windows.

With XRY, content extraction can be performed on the model which has 3 different inputs at the same time.
 
Reactions: osamab1nladen and Pana
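
The integrity requirement from the Examination step, and the hash calculated on both the e-evidence and the forensic copy, shown as an added example that is not part of the original post and not code from any of the tools named above. It assumes SHA-256 as the hash, a regular file standing in for a seized device, and hypothetical file names and record fields.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large images never sit in memory

def sha256_file(path):
    """Hash a file or image in fixed-size chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()

def acquire(source, image):
    """Copy source to image, hashing the bytes as read, then re-read the copy."""
    digest = hashlib.sha256()
    with open(source, "rb") as src, open(image, "xb") as dst:  # "x": never overwrite
        for block in iter(lambda: src.read(CHUNK), b""):
            digest.update(block)
            dst.write(block)
    os.chmod(image, 0o400)  # the working copy is read-only from here on
    record = {
        "source": source, "image": image,  # hypothetical record fields
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "source_sha256": digest.hexdigest(),
        "image_sha256": sha256_file(image),  # independent pass over what hit disk
    }
    record["verified"] = record["source_sha256"] == record["image_sha256"]
    return record

def still_intact(record):
    """Re-hash the image later, e.g. before analysis and again before reporting."""
    return sha256_file(record["image"]) == record["image_sha256"]

def demo():
    """Constructed sample: a small file stands in for a seized device."""
    work = tempfile.mkdtemp()
    source, image = os.path.join(work, "evidence.bin"), os.path.join(work, "evidence.img")
    with open(source, "wb") as f:
        f.write(b"constructed sample sector data\x00" * 4096)
    record = acquire(source, image)
    before = still_intact(record)
    os.chmod(image, 0o600)  # simulate a later modification of the copy
    with open(image, "r+b") as f:
        f.seek(100)
        f.write(b"\xff")
    return record, before, still_intact(record)
```

`demo()` returns the acquisition record plus the integrity check before and after a single byte of the copy is changed; the second check fails, which is what lets the report state that the analysed copy matched the seized evidence.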
