yannaing wrote:
Hi everybody,
I'm a degree student and am making a research essay regarding cyber forensics. But, you all know making research is very challenging if you are a freshie to this issue. And I'm so confused when I read about the principle of cyber forensics. So, I wonder if someone could explain it clearly.
Thank you all.......
Well, the primary thing about Forensics is to make sure that you do not change anything so it can be reproduced and validated by another examiner. That is why there are write blockers and procedures that protect evidence (example: in the US they focus a lot on chain of custody). In non-law enforcement organisations and especially when doing e-discovery, the rules are less strict but the primary goal is the same.
The actual science part of IT Forensics (determining what has actually happened) is under development, though it is somewhat "sciency" today and is accelerating rapidly towards an established science.
Just look into the area of hardware write blockers. You will find that the hard drive manufacturers have their own standards and specific command sets, and write blockers do not necessarily block everything (they block some write commands instead of just letting through some read commands). It is a good reason why you as an examiner should update your hardware regularly, or use two write blockers (one software based and one hardware based).
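An added example, not part of the posts above: one way a second examiner can check that a working copy is unchanged, by re-hashing it against the digest recorded at acquisition in a custody log. The hash-chained log format, function names and sample image bytes are assumptions made for illustration, not a standard.

```python
import hashlib
import io
import json

GENESIS = "0" * 64  # assumed marker for "no previous entry"

def sha256_stream(stream, chunk_size=1 << 20):
    """Hash an image in chunks so large evidence files never sit in memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()

def _entry_hash(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def add_custody_entry(log, examiner, action, image_digest):
    """Append a custody record that commits to the previous record's hash."""
    body = {"examiner": examiner, "action": action,
            "image_sha256": image_digest,
            "prev": log[-1]["entry_hash"] if log else GENESIS}
    log.append(dict(body, entry_hash=_entry_hash(body)))
    return log[-1]

def verify_log(log):
    """True only if no record was edited, removed or reordered."""
    prev = GENESIS
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev"] != prev or _entry_hash(body) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True

def validate_copy(log, stream):
    """Second examiner: the log must be intact and the copy must re-hash
    to the digest recorded at acquisition (the first entry)."""
    return bool(log) and verify_log(log) and \
        sha256_stream(stream) == log[0]["image_sha256"]

if __name__ == "__main__":
    image = bytes(range(256)) * 64          # constructed stand-in for a disk image
    log = []
    digest = sha256_stream(io.BytesIO(image))
    add_custody_entry(log, "examiner-1", "acquired via write blocker", digest)
    add_custody_entry(log, "examiner-2", "received working copy", digest)
    altered = bytearray(image)
    altered[100] ^= 0x01                    # a single changed bit in the copy
    print("intact copy valid: ", validate_copy(log, io.BytesIO(image)))
    print("altered copy valid:", validate_copy(log, io.BytesIO(bytes(altered))))
```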