Forensics is the practice of collecting, analyzing and reporting digital information. It can be used to detect or prevent crime, recover lost files, or for other similar tasks.
While the concept of forensics is quite simple, it can involve a lot of complicated tools and methodologies to successfully complete a forensics challenge.
Types of Forensics
Forensics is a very broad term. Many people use the same words with different meanings. In general, forensics can be divided into the following categories:
- Cyber Forensics (Gather evidence regarding malware, unauthorized access, etc)
- Digital Forensics (The most broad term for any type of forensic activity)
- Media Forensics (Recovering lost files such as family pictures or word documents)
- Mobile Forensics (Recovering data from a mobile device)
- Computer Forensics (Recovering data from the hard drive of a computer)
- Network Forensics (Analyze data sent over a network)
First Rule of Forensics
The first rule of forensics is to Ensure Data Integrity. This can be very challenging. Often, the nature of the forensic process changes the original data. For example, suppose you wanted to recover data that was lost on a hard drive. If you install a program on that hard drive you run the risk of overwriting the portion of the hard drive that contains the lost file, making the recovery impossible.
Before attempting to recover something of critical importance ensure that you understand how your actions could potentially compromise the data you are looking for.
A few techniques to help with this include:
- Hashing files (to make sure they don't change)
- Transfer data across the network and save it on another machine using a tool like netcat
- Don't install or copy anything on the machine - That includes drivers,
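As an added example (not code from the original page) of the first technique, hash every evidence file before work starts, record the digests in a manifest, and re-verify them afterwards so any accidental change to the evidence is detected; the file names and the sample disk image below are constructed.

```python
import hashlib
import json
import os
import tempfile

CHUNK = 1024 * 1024  # read evidence in 1 MiB chunks so large images never sit whole in memory


def sha256_file(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def write_manifest(paths, manifest_path):
    """Record the digest of every evidence file before any analysis starts."""
    manifest = {os.path.basename(p): sha256_file(p) for p in paths}
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_manifest(paths, manifest_path):
    """Re-hash the files and return the names whose digest no longer matches."""
    with open(manifest_path) as f:
        expected = json.load(f)
    return [os.path.basename(p) for p in paths
            if expected.get(os.path.basename(p)) != sha256_file(p)]


def demo():
    """Constructed walk-through: hash an image, verify it, then detect a later write to it."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "disk.img")  # constructed sample, not a real acquisition
    with open(image, "wb") as f:
        f.write(b"\x00" * 4096 + b"family_photo.jpg" + b"\xff" * 4096)
    manifest = os.path.join(workdir, "evidence.sha256.json")
    write_manifest([image], manifest)
    clean = verify_manifest([image], manifest)  # nothing changed yet: []
    with open(image, "r+b") as f:  # simulate an accidental write onto the evidence
        f.seek(4096)
        f.write(b"X")
    tampered = verify_manifest([image], manifest)  # now reports ["disk.img"]
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```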