Data Analysis & Evidence Assessment refers to the process of going through the acquired data, finding the data that has evidential value, and establishing its relevance to the crime. This section explains how the data is analyzed so that it can be used to prove the crime and identify the perpetrator.
Data Analysis
Data analysis refers to the process of examining, identifying, separating, converting, and modeling data to isolate useful information. In forensic investigation, the data analysis helps in gathering and examining data to find its relevance with the incident in order to submit the findings to an authority for conclusions and decision-making.
Thoroughly analyze the acquired data to draw conclusions related to the case. Data analysis techniques depend on the scope of the case or client’s requirements, and the type of evidence.
This phase includes:
- Analyzing the file content for data usage
- Analyzing the date and time of file creation and modification
- Users associated with file creation, access, and file modification
- Physical storage location of the file
- Timeline generation
Identify and categorize data in order of relevance to the case, such that the most relevant data serves as the most important evidence to the case.
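The analysis items listed above (file content hashes, modification and access times, the owning user, the on-disk location and a timeline) can be pulled from a directory of files with a short script. The example below is added here and is not part of the original article or of any tool it names; it builds a constructed sample evidence directory with back-dated timestamps, hashes every file with MD5 and SHA1 as FTK Imager would, and emits a timeline in the style of TSK's mactime output (one row per timestamp kind, oldest first).

```python
import hashlib
import os
import tempfile
import time
from typing import Dict, List

def hash_file(path: str) -> Dict[str, str]:
    """MD5 and SHA1 of a file, read in chunks so large evidence files fit in memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def build_timeline(root: str) -> List[dict]:
    """One row per (file, timestamp kind), oldest first: m=modified, a=accessed, c=metadata change."""
    rows = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)          # stat before hashing: our own read may refresh atime
            digests = hash_file(path)
            for kind, ts in (("m", st.st_mtime), ("a", st.st_atime), ("c", st.st_ctime)):
                rows.append({"time": int(ts), "kind": kind, "path": path, "size": st.st_size,
                             "uid": st.st_uid, **digests})   # uid = owning user (name lookup omitted)
    rows.sort(key=lambda r: (r["time"], r["path"], r["kind"]))
    return rows

def make_sample_evidence() -> str:
    """Constructed sample: three files with back-dated timestamps (not real case data)."""
    root = tempfile.mkdtemp(prefix="evidence_")
    samples = {"old_report.txt": (b"quarterly figures\n", 1_600_000_000),
               "notes.txt": (b"meeting notes\n", 1_650_000_000),
               "empty.log": (b"", 1_700_000_000)}
    for name, (content, stamp) in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(content)
        os.utime(path, (stamp, stamp))   # sets atime and mtime; ctime cannot be back-dated
    return root

if __name__ == "__main__":
    for row in build_timeline(make_sample_evidence()):
        print(time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(row["time"])), row["kind"],
              row["uid"], row["size"], row["md5"], row["path"])
```

Because the metadata-change time (c) cannot be set from user space, those rows land at the end of the timeline, which is exactly why an examiner works from a read-only image rather than the live file system.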
Data Analysis (Cont’d)
AccessData’s FTK
Source: http://www.accessdata.com
FTK Imager is a data preview and imaging tool that enables analysis of files and folders on local hard drives, CDs/DVDs, network drives, and examination of the content of forensic images or memory dumps. FTK Imager can also create MD5 or SHA1 hashes of files, review and recover files deleted from the Recycle Bin, export files and folders from forensic images to disk and mount a forensic image to view its contents in Windows Explorer.
EnCase Forensic
Source: https://www.guidancesoftware.com
EnCase is a popular multi-purpose forensic platform that includes many useful tools to support several areas of the digital forensic process. This tool can collect a large amount of data from many devices and extract potential evidence. It also generates an evidence report.
EnCase Forensic can help investigators acquire large amounts of evidence as fast as possible, from laptops and desktop computers to mobile devices. EnCase Forensic directly acquires the data and integrates the results into the case.
This tool enables searching several thousand files that exist on a system, with a variety of search choices such as:
- GREP
- Conditional
- Boolean
- Word searches
The integrity of evidence has to be maintained in a format that the courts trust.
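To make the four search types concrete, here is an added example (not code from the article or from EnCase) that runs GREP, word, Boolean and conditional searches over a small constructed set of extracted file texts. File names and contents are invented for illustration.

```python
import re
from typing import Dict, List

# Constructed sample "evidence" (file name -> extracted text); not real case data.
EVIDENCE: Dict[str, str] = {
    "mail_01.txt": "Transfer the funds to account 4111-1111-1111-1111 before Friday. - J. Doe",
    "mail_02.txt": "Lunch on Friday? Bring the quarterly report.",
    "notes.txt": "wipe the laptop, remove usb stick, contact jdoe@example.com",
    "readme.txt": "Funds allocated for the quarterly report printing.",
}

def grep_search(files: Dict[str, str], pattern: str) -> List[str]:
    """GREP search: a regular expression, case-insensitive; returns matching file names."""
    rx = re.compile(pattern, re.IGNORECASE)
    return sorted(name for name, text in files.items() if rx.search(text))

def word_search(files: Dict[str, str], word: str) -> List[str]:
    """Word search: whole-word keyword, so 'fund' does not hit 'funds' or 'refund'."""
    return grep_search(files, r"\b" + re.escape(word) + r"\b")

def boolean_search(files: Dict[str, str], all_of=(), any_of=(), none_of=()) -> List[str]:
    """Boolean search: every term in all_of AND at least one of any_of AND NOT any of none_of."""
    hits = []
    for name, text in files.items():
        lowered = text.lower()
        keep = (all(t.lower() in lowered for t in all_of)
                and (not any_of or any(t.lower() in lowered for t in any_of))
                and not any(t.lower() in lowered for t in none_of))
        if keep:
            hits.append(name)
    return sorted(hits)

def conditional_search(files: Dict[str, str], predicate) -> List[str]:
    """Conditional search: an arbitrary condition over (name, text), e.g. name prefix plus content."""
    return sorted(name for name, text in files.items() if predicate(name, text))
```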
The Sleuth Kit (TSK)
Source: http://www.sleuthkit.org
The Sleuth Kit (TSK) is a library and collection of command line tools for investigating disk images. The core functionality of TSK allows analyzing volume and file system data. The plug-in framework also allows incorporating additional modules to analyze file contents and build automated systems. The library can be incorporated into larger digital forensics tools, and the command line tools can be used directly to find evidence.
Post-investigation Phase
The responsibility of the investigators does not end with finding and analyzing the evidential data; they should also be able to explain to prosecutors, attorneys, and judges how they arrived at their conclusions. This section will provide knowledge on assessing the data, documenting it in an easily understandable manner, and creating easy-to-read reports.
Computer Forensics Investigation Methodology
Evidence assessment is the process of relating the obtained evidential data to the incident for understanding how the complete incident took place. This section will discuss the process of evidence assessment.
Evidence Assessment
Evidence assessment is about evaluating the evidence and clues related to the incident that can help in solving the case. Assessment of evidence is a crucial stage in the forensics process. Evidence assessment depends on the type of incident, the objectives behind the incident, the weaknesses that allowed the incident to occur, etc. During the assessment, it is important to assess the digital evidence in correlation with the scope of the case in order to decide the course of action.
Procedure:
Assess the case thoroughly by reviewing the search warrant and other legal authorization, the case details, the nature of the hardware and software involved, and the circumstances of evidence acquisition.
Case Assessment
In this phase, the investigator assesses the impact of the incident on the organization, the reasons and the source of the incident, steps required to tackle the incident, the investigating team required to handle the case, the procedure of investigation, and the possible outcome of the forensic process. Case assessment is important to implement a proper plan in handling the case and achieving desired results.
The guidelines for performing case assessment:
- Initially examine the investigator’s service request.
- Get the legal authority to obtain a forensic examination request.
- Ensure that the request assignment has sufficient required assistance.
- Provide the complete chain of custody.
- Check if the evidence requires forensic processes, such as analysis of DNA, fingerprints, tool marks, trace evidence, and questioned documents.
- Establish the potential evidence sought.
- Review the case investigator’s request for service.
- Check if there is a possibility to follow investigative methods, such as to identify a remote storage location, to send a preservation order to an Internet service provider (ISP), and to obtain email.
- Identify the relevance of various network elements to the crime scene, such as credit cards, check papers, scanners, and
- Obtain additional details such as email addresses, ISP used, and names.
- Evaluate the skill levels of the users to identify their expertise in destroying or concealing the evidence.
- Set the order of the evidence examination.
- Ascertain the requirement for additional personnel.
- Identify the requirement for additional equipment.
Processing Location Assessment
Decide where the evidence will be examined after it is accessed. The recommended environment is a forensic work area or laboratory. If the examination must take place onsite, it is better to set up a controlled environment there.
Considerations for the assessment location might include the following:
- The time required to recover the evidence when onsite.
- Logistic and workforce concerns related to long-term deployment.
- Business impact of a time-consuming search.
- Any equipment, resources, media, training, and experience suitable for an onsite examination.
This Blog Article is posted by Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092