Computer forensics is the applied discipline of investigating crimes involving computer data: the study of digital evidence and of the methods for locating, acquiring and preserving it. It consists of three parts:
- Data collection: obtaining the information from its original source without damaging or altering it. Many tools exist for this, depending on the operating system and other factors; this article considers Linux-based tools.
- Data preservation: the digital evidence obtained must be kept in its original state, with its integrity demonstrated by cryptographic hashes.
- Data analysis: interpreting the data and extracting information from it.
Data Gathering
If a suspect has installed rootkits that destroy evidence on command, important content may be lost. For such cases a chain of custody (evidence chain) is kept: a document recording how each piece of evidence was handled, for later reporting. The chain begins at the moment the evidence is first handled.
Before you start, you need to prepare:
- a boot disk or flash drive, since tools found on the suspect's machine cannot be trusted;
- a powerful workstation for the investigator.
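The preservation step and the chain of custody described above, as an added shell example that is not code from the original article: a bit-for-bit copy is taken with dd, the source and image are hashed with SHA-256, and every action is appended to a custody log so that a later verification can show the image is unchanged. It assumes GNU coreutils on Linux; the "device" is a constructed sample file, not a real disk, and the examiner name is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the original article: hash-verified imaging on
# Linux plus a minimal chain-of-custody log. Assumes GNU coreutils (dd,
# sha256sum, date). The "device" is a constructed sample file, not a real disk.

WORK="${TMPDIR:-/tmp}/forensics_demo.$$"
mkdir -p "$WORK"
SOURCE="$WORK/suspect_device.bin"      # stand-in for /dev/sdX (constructed)
IMAGE="$WORK/evidence.dd"
MANIFEST="$IMAGE.sha256"
CUSTODY="$WORK/chain_of_custody.log"
printf 'constructed sample: user files, logs, remnants of deleted data\n' > "$SOURCE"

# One chain-of-custody entry: UTC time, examiner, action, file, SHA-256.
log_custody() {
    printf '%s\t%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "${EXAMINER:-examiner-placeholder}" "$1" "$2" "$3" >> "$CUSTODY"
}

# Acquire: bit-for-bit copy of the source, hash both sides, record the image
# hash in a manifest and in the custody log. Succeeds only if the hashes match,
# i.e. the copy is complete and the source was not altered during imaging.
acquire_image() {
    dd if="$SOURCE" of="$IMAGE" bs=4096 status=none
    src_hash=$(sha256sum "$SOURCE" | cut -d' ' -f1)
    sha256sum "$IMAGE" > "$MANIFEST"
    img_hash=$(cut -d' ' -f1 "$MANIFEST")
    log_custody acquired "$IMAGE" "$img_hash"
    [ "$src_hash" = "$img_hash" ]
}

# Verify later (before analysis, after transport): recompute and compare with
# the manifest written at acquisition. Any change to the image makes this fail.
verify_image() {
    if sha256sum --status -c "$MANIFEST"; then
        log_custody verified-ok "$IMAGE" "$(cut -d' ' -f1 "$MANIFEST")"
        return 0
    fi
    log_custody verify-FAILED "$IMAGE" "$(sha256sum "$IMAGE" | cut -d' ' -f1)"
    return 1
}

# Stand-alone run: image, verify, show the custody log.
acquire_image && verify_image && cat "$CUSTODY"
```

On a real device the source would be opened read-only (ideally behind a hardware write blocker) and the hashes written to the custody record before the image leaves the examiner's hands.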