Cyber Crime and Cyber Terrorism
Source: Cyber Crime and Cyber Terrorism Investigator's Handbook, by Babak (excerpt)
CHAPTER 7
Seizing, imaging, and analyzing digital evidence
(Anson, et al. 2012). The tools selected should also leave as small a footprint as possible, and operate in read-only mode. Most RAM acquisition tools are portable, usually taking the form of a USB device, and require no installation, again to limit the footprint. Once the memory dump has been taken, the computer should be shut down using the methods previously discussed.
IMAGE
It is essential that the process of forensically analyzing the media does not introduce any contaminants from the investigator. Interacting with storage media without appropriate precautions will cause data to be written to the media and potentially invalidate the evidence. In order to reduce the likelihood of this happening, forensic analysis should not be performed on the actual storage device seized but should instead be performed on an image, that is, a sector-by-sector replica of the media. There are many software tools that allow an image to be acquired from the media, and it is not within the scope of this work to discuss them individually. However, it is recommended that the selected tool should boot from a live CD/DVD and that the evidence is mounted by the tool in "read only" mode to reduce the likelihood of accidentally writing to it. Further reassurance that the evidence has not been contaminated can be provided through the use of write blockers. Write blockers are devices which are placed in line between the system being used to analyze the media and the storage device itself. They allow read commands to be passed through to the storage device, but block write commands. Write blockers are readily available and allow for attachment to a variety of different interfaces, e.g., USB, FireWire, SCSI, and SATA controllers. Finally, when an image has been acquired it should be verified as an exact copy by comparing the hash values of the original media and the image. A hash value is a fixed-size bit string created by passing data through a cryptographic hash function. Any modification of the evidence, however small, will change its hash value. If the hash values of the acquired image and of the media being investigated are different, then either the image is invalid, or the evidence itself has been compromised.
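The acquire-then-verify workflow described above, as an added illustration that is not code from the handbook: the source is copied sector by sector while its hash is computed, the finished image is re-hashed and compared against the original media, and a single flipped byte in the image is shown to break the match. The "media" here is a constructed temporary file standing in for a block device, and the function names are the example's own.

```python
import hashlib
import os
import shutil
import tempfile

SECTOR = 512  # copy in sector-sized chunks, as a sector-by-sector replica does

def image_media(source_path, image_path, algo="sha256"):
    """Copy source to image sector by sector; return the hash of the bytes read."""
    h = hashlib.new(algo)
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            chunk = src.read(SECTOR)
            if not chunk:
                break
            h.update(chunk)
            dst.write(chunk)
    return h.hexdigest()

def hash_file(path, algo="sha256"):
    """Hash a file from start to end in large reads (works for multi-GB images)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_image(source_path, image_path, algo="sha256"):
    """Re-read both the original media and the image; True only if the hashes agree."""
    return hash_file(source_path, algo) == hash_file(image_path, algo)

def demo():
    """Constructed sample media: image it, verify, then show a 1-byte change is caught."""
    tmp = tempfile.mkdtemp()
    media = os.path.join(tmp, "media.bin")   # stand-in for the seized device
    image = os.path.join(tmp, "media.dd")    # the acquired image
    with open(media, "wb") as f:
        f.write(os.urandom(4 * SECTOR + 17))  # constructed content, not a real disk
    acq_hash = image_media(media, image)
    ok_before = verify_image(media, image) and acq_hash == hash_file(image)
    # Simulate contamination of the image: flip one bit in the second sector.
    with open(image, "r+b") as f:
        f.seek(SECTOR + 3)
        b = f.read(1)
        f.seek(SECTOR + 3)
        f.write(bytes([b[0] ^ 0x01]))
    ok_after = verify_image(media, image)
    shutil.rmtree(tmp)
    return ok_before, ok_after
```

In practice the source-side hash is taken through a write blocker at acquisition time and recorded with the image, so a later mismatch can be attributed to the image or to the evidence.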