by Corruption, theft and abuse have now gone from paper to electronic media, and almost all of the data in public and private institutions are now stored in electronic partners. That’s why the recovery and security of electronic data plays a crucial role in fraud investigations and dispute resolution. Forensic Informatics is briefly the process of collecting and analyzing electronic data to be accepted as evidence in courts. International procedures and methodologies are used by Forensic Informatics experts in order to manage the entire process correctly.
Computer Forensic experts; Almost all kinds of crimes involving corruption, theft, fraud, fraud, criminal damage, threats and blackmail, commercial law, finance and banking crimes, Internet banking frauds, child sexual abuse, fight against drugs, disclosure of trade secrets, embezzlement and electronic data. they play a vital role in enlightenment.
Electronic evidence can easily change or deteriorate due to their nature. For this reason, sensitive forensic investigations that require expertise on electronic data should not be left in the hands of people and companies known as computer technicians or computer scientists.
Which Fields Is Forensic Informatics Used?
Many important companies are currently working on forensic informatics. These studies; Image Inspection and Analysis, Audio Solution and Analysis, Forensic Information Services, Secure Data Deletion, Network Systems and Database Reviews, Information Security, Penetration Tests, Data Recovery, Shorthand, ISO 27001 & Internal Audit Consultancy, Technical Studies and Detections on Digital Evidence, Reputation Protection on the Internet, HTS, Base Station Location And GPS Reviews.
Computer Forensic Examination Process and Methods
Forensic Informatics Examination and methods should be well known. Because now, every crime definitely becomes the informatics pillar. It can cause people to be blamed for simple reasons or to escape crime due to simple ignorance.
It is easier to leave or erase evidence in virtual environments. It is a helpful issue not only in terms of crime but also in solving security-related problems in a network environment.
Computer Forensics Examination is a process and has 4 main methods.
- Definition
- Examination
- Analysis
- Reporting
Definition
Forensic Informatics Examination Identification process begins with the identification and collection of potential data storage resources (digital evidence) to be examined. Typical data sources are hard disks mounted on computers, CD, DVD, USB disks, flash disks, memory cards (MMC, sd), floppy disk, GPS, mobile phone. Are the resources limited to this? Of course not. Data such as a magnetic card copier, a database application, a website logs, a phone call traffic can also be the source.
Examination
Making exact copies of the collected data sources and conducting the research on these copies is the process of examination. It is essential to protect the data integrity of the evidence examined here. In other words, the evidence should be preserved from the moment the evidence is seized. The processes of collecting data from a working computer and a closed computer are different. In this narrative, the default is an intervention on a closed computer.
Analysis
In this process, the relevant data are extracted from the exact copy of the examined evidence.
Reporting
The process by which the information obtained during the analysis process is presented is the reporting process. Reporting should be clear and clear to the reader and should include evaluations rather than claims.
Of course, these 4 processes listed above are widely applied. The process can be flexible according to the resources defined. For example, in a system with 1000-2000 clients, it is not a practical solution to make exact copies of all computers in the system. Or, again, it doesn’t make sense to shut down the whole system to examine a database application that thousands of clients use. Therefore, the intervention method will change according to the characteristics of the systems. Perhaps no exact copies of some resources will be obtained, the examination will be made while the system is running.
Computer Forensic Crimes
When the word meaning is perceived as a combination of the words science and processing, it is the general name of the science of processing the information, which is the basis of science, which is the basis of science, in the communication of people in technical, economic and social fields, and the collection and processing of information in electronic devices.
What is IT Crime?
Although it does not have a clear definition accepted by everyone, it was defined as follows at the Paris Meeting of the European Economic Community Experts’ Commission in May 1983.
Cyber Crime: “Any kind of unlawful, immoral or unauthorized behaviour in a system that automatically processes information or transfers data”.
The European Economic Community has divided the IT crimes into 5.
- Deliberately entering, destroying, deleting, or destroying computer data in order to reach and transfer illegally to the resource or any value available on the computer.
- Deliberately entering, corrupt, deleting, or destroying computer data or programs to commit fraud.
- Deliberately entering, corrupt, deleting, or destroying computer data or programs in order to prevent the operation of computer systems.
- Damaging the rights of the legal owner of a computer program for commercial exploitation.
- It is to intervene by entering the system deliberately without the permission of the computer system officer, by overcoming the safety precautions set.
Computer Forensics Examination Methods
Cross drive analysis
A forensic technique that correlates information found on multiple hard drives. The process still under investigation can be used to identify social networks and to detect anomalies.
Live analysis
Examining computers within the operating system using special forensics or existing sysadmin tools to extract evidence. The application is useful, for example, when dealing with encrypted file systems where encryption keys can be collected and in some cases, the logical hard drive volume can be viewed before the computer is shut down.
Deleted files
It is a common technique used in forensics and recovery of deleted files. Modern forensics have their own tools for Recovery or for carving deleted data. Most operating systems and file systems do not always delete physical file data, allowing researchers to reconfigure from physical disk sectors. The file includes searching for known file titles within the carved disk image and rebuilding deleted materials.
Stochastic forensics
A method that uses the stochastic characteristics of a computer system to investigate the missing activities of digital artefacts. Its common use is to investigate data theft.
Steganography
One of the techniques used to hide data is done with steganography, which is the process of hiding the data inside a picture or digital image. For example, it would be to hide pornographic images or other information of children that a particular crime does not want to discover. Computer forensics experts can fight this by looking at the hash of the file and comparing it to the original image (if available). While the image looks exactly the same, the hash changes as the data changes.
Digital Evidence and Methods of Obtaining
Digital evidence acquisition methods cover certain stages, and all operations performed outside this framework may distort the evidence quality of the data.
In criminal courts, judicial authorities resolve the material convictions on the incident and then evaluate the legal aspect of the case. Therefore, it evaluates whether the alleged incident was committed if it was a crime within the framework of the laws and if it was, whether this incident was committed by the defendant. Within the scope of this evaluation, if it is concluded that the incident was committed, that the incident was a crime under the law, and that it was committed by the defendant, the necessary provisions will be made by the judge.
The evaluation of the language will take place as follows.
The data should have the quality of evidence. Evidence should be of a supporting nature to the criminal incident. In order for the data to qualify as evidence, the data must be realistic.
Evidence must be publicly available, and concrete evidence must be issued to the court in a report. Evidence should be in accordance with the issues specified in the law. Evidence must be obtained through the means of obtaining evidence in accordance with the relevant law article and specified in the law. Apart from the court wing, the plaintiff, defendant and their lawyers should also see the content of the evidence.
Issues to be Considered in the Collection of Digital Evidence
Every digital evidence must be backed up. If the digital evidence is connected to a local network, it should be separated from the network and stored in a designated safe place. Evidence transport and preservation procedures should be carried out within the framework of the laws and by whom and how it was done should be stated within the framework of the minutes. If the digital evidence is closed, it must not be opened in order not to spoil the evidence quality. If the evidence is open, the RAM image must be taken and then turned off. All data on the digital evidence should be imaged on a disk of sufficient size within the framework of technical conditions. The hash values of the copied data should also be taken. Nobody other than the person who will examine the evidence should have access to the evidence.
