Introduction
Computer forensics is the practice of collecting, analysing and reporting on digital information in a way that is legally admissible. It can be used in the detection and prevention of crime and in any dispute where evidence is stored digitally. Computer forensics has comparable examination stages to other forensic disciplines and faces similar issues.
About this guide
This guide discusses computer forensics from a neutral perspective. It is not linked to particular legislation or intended to promote a particular company or product, and it is not biased towards either law enforcement or commercial computer forensics. It is aimed at a non-technical audience and provides a high-level view of computer forensics. This guide uses the term "computer", but the concepts apply to any device capable of storing digital information. Where methodologies have been mentioned they are provided as examples only and do not constitute recommendations or advice. Copying and publishing the whole or part of this article is licensed solely under the terms of the Creative Commons - Attribution Non-Commercial 3.0 license.
Uses of computer forensics
There are few areas of crime or dispute where computer forensics cannot be applied. Law enforcement agencies have been among the earliest and heaviest users of computer forensics and consequently have often been at the forefront of developments in the field. Computers may constitute a 'scene of a crime', for example with hacking [1] or denial of service attacks [2], or they may hold evidence in the form of emails, internet history, documents or other files relevant to crimes such as murder, kidnap, fraud and drug trafficking. It is not just the content of emails, documents and other files which may be of interest to investigators but also the 'meta-data' [3] associated with those files. A computer forensic examination may reveal when a document first appeared on a computer, when it was last edited, when it was last saved or printed and which user carried out these actions.
In recent years, commercial organisations have used computer forensics to their benefit in a variety of cases such as:
Intellectual Property theft
Industrial espionage
Employment disputes
Fraud investigations
Forgeries
Matrimonial issues
Bankruptcy investigations
Inappropriate email and internet use within the work place
Regulatory compliance
Guidelines
For evidence to be admissible it must be reliable and not prejudicial, meaning that at all stages of this process admissibility should be at the forefront of a computer forensic examiner's mind. One set of guidelines which has been widely accepted to help in this is the Association of Chief Police Officers Good Practice Guide for Computer Based Electronic Evidence, or ACPO Guide for short. Although the ACPO Guide is aimed at United Kingdom law enforcement, its main principles are applicable to all computer forensics in whatever legislature. The four main principles from this guide have been reproduced below (with references to law enforcement removed):
No action should change data held on a computer or storage media which may be subsequently relied upon in court.
In circumstances where a person finds it necessary to access original data held on a computer or storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.
In summary, no changes should be made to the original; however, if access or changes are necessary the examiner must know what they are doing and must record their actions.
Live acquisition
Principle 2 above may raise the question: in what situation would changes to a suspect's computer by a computer forensic examiner be necessary? Traditionally, the computer forensic examiner would make a copy (or acquire) information from a device which is turned off. A write-blocker [4] would be used to make an exact bit-for-bit copy [5] of the original storage medium. The examiner would then work from this copy, leaving the original demonstrably unchanged.
However, it is sometimes not possible or desirable to switch a computer off. It may not be possible to switch a computer off if doing so would result in considerable financial or other loss for the owner. It may not be desirable to switch a computer off if doing so would mean that potentially valuable evidence may be lost. In both of these circumstances the computer forensic examiner would need to carry out a 'live acquisition', which would involve running a small program on the suspect computer in order to copy (or acquire) the data to the examiner's hard drive.
By running such a program and attaching a destination drive to the suspect computer, the examiner will make changes and/or additions to the state of the computer which were not present before their actions. Such actions would remain admissible as long as the examiner recorded their actions, was aware of their impact and could explain their actions.
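The copy-and-verify step described above (and principles 1 and 3 of the ACPO Guide: leave the original unchanged, keep an audit trail a third party can repeat) can be illustrated in code. The following is an added example, not code from the guide or from any forensic tool: it models the acquisition on ordinary files, so the "source medium" is a constructed sample file rather than a real disk, the examiner identifiers are placeholders, and the hardware write-blocker the text mentions is represented only by opening the source read-only.

```python
"""Added example: bit-for-bit copy with hash verification and an audit trail.

Not the guide's own code. The 'source medium' is a constructed sample file,
the examiner names are placeholders, and a real acquisition would sit behind
a hardware write-blocker; here the source is merely opened read-only.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB blocks so a large image never has to fit in memory


def sha256_of(path):
    """Stream a file through SHA-256; used for both the source and the image."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def _log(log_path, record):
    """Append one JSON line per action; the log is the audit trail (principle 3)."""
    with open(log_path, "a") as log:
        log.write(json.dumps(record) + "\n")
    return record


def acquire(source, image, log_path, examiner):
    """Copy source to image byte for byte, hashing the source as it is read,
    then re-hash the finished image and record both hashes."""
    h_src = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:  # source: read-only
        for block in iter(lambda: src.read(CHUNK), b""):
            h_src.update(block)
            dst.write(block)
    source_hash = h_src.hexdigest()
    image_hash = sha256_of(image)
    return _log(log_path, {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "action": "acquire",
        "source": source,
        "image": image,
        "source_sha256": source_hash,
        "image_sha256": image_hash,
        "verified": source_hash == image_hash,
    })


def verify(image, expected_hash, log_path, examiner):
    """Independent re-check: anyone holding the image and the logged hash
    can repeat this and must obtain the same result."""
    actual = sha256_of(image)
    return _log(log_path, {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "action": "verify",
        "image": image,
        "expected_sha256": expected_hash,
        "actual_sha256": actual,
        "verified": actual == expected_hash,
    })


def demo():
    """Acquire a constructed sample 'medium', verify the image, then show that
    a single altered byte in the working copy is caught on re-verification."""
    work = tempfile.mkdtemp()
    source = os.path.join(work, "exhibit.bin")
    image = os.path.join(work, "exhibit.dd")
    log_path = os.path.join(work, "audit.jsonl")
    with open(source, "wb") as f:  # constructed sample content
        f.write(b"sample sector data " * 4096)

    acq = acquire(source, image, log_path, examiner="EXAMINER-1 (placeholder)")
    ok = verify(image, acq["source_sha256"], log_path, "EXAMINER-2 (placeholder)")

    with open(image, "r+b") as f:  # tamper with one byte of the copy
        f.seek(100)
        f.write(b"X")
    bad = verify(image, acq["source_sha256"], log_path, "EXAMINER-2 (placeholder)")
    return acq["verified"], ok["verified"], bad["verified"]


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The source hash is computed from the very bytes that were copied, so a later mismatch between the logged source hash and a fresh hash of the image points at the copy, not at the original; and because every action is appended to the log with its hashes, a second examiner can rerun `verify` against the logged value and reach the same conclusion, which is what principle 3 asks for.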
Stages of an examination
For the purposes of this article the computer forensic examination process has been divided into six stages. Although they are presented in their usual chronological order, it is necessary during an examination to be flexible. For example, during the analysis stage the examiner may find a new lead which would warrant further computers being examined and would mean a return to the evaluation stage.