IT forensics

from Wikipedia, the free encyclopedia

The term IT forensics is made up of IT, i.e. the abbreviation for information technology, and forensics. A uniform definition of the term has not yet become established. In common parlance, IT forensics refers to the scientific expertise that enables information technology to be assessed and appraised in public or within legal proceedings. Since data and system states cannot be inspected directly, recourse is usually had to the report of an expert or the testimony of an expert witness.

In the IT forensics guide published by the Federal Office for Information Security (BSI), IT forensics is defined as "the strictly methodical data analysis carried out on data carriers and in computer networks to investigate incidents, including the possibilities of strategic preparation, in particular from the point of view of the operator of an IT system". The BSI thus embeds IT forensics in the processes of IT operations and describes both the preparation for and the clarification of incidents.

The large consulting service providers, on the other hand, such as law firms or auditing firms, limit IT forensics to the detection and investigation of criminal offences in the field of computer crime.

Process model

According to the Secure-Analyze-Present (SAP) model, the activities of the IT forensic scientist are divided into three phases. These phases are preceded by a preparation phase in which the organizational and technical prerequisites are created. For example, the applicable statutory provisions (e.g. on data protection) must be identified and compliance with them ensured. In companies, this preparation is referred to as "forensic readiness".

Secure

(Image caption: Backing up a hard disk using a write blocker)

In the secure phase, the data potentially relevant to the situation at hand is identified and saved. The aim of this phase is to save all data as unchanged as possible. It must regularly be weighed up which changes to the data are accepted in order, for example, to save volatile data. The decisions and the procedure are to be documented in such a way that they can be understood and evaluated by a third party. In order to rule out unwanted and avoidable changes to the data, so-called write blockers, which prevent write access to the data carrier, are used when creating a forensic duplicate. The identity of the copy with the original is ensured through the calculation and comparison of cryptographic hash values.
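The hash comparison that establishes the identity of a forensic duplicate with its original, and the documentation of that check for a third party, can be illustrated with the following script. It is an added example and not part of the article or of any BSI material; the "disk images" it uses are small constructed byte sequences written to a temporary directory, and the record format is an assumption chosen for illustration. A hardware write blocker cannot be shown in software; the script only opens every file read-only, which is the software-side counterpart of that precaution.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Algorithms recorded for each data carrier. Recording more than one
# keeps the integrity record usable even if one algorithm is later
# considered weak.
ALGORITHMS = ("sha256", "sha1")


def hash_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Return {algorithm: hexdigest} for a file.

    The file is opened read-only and read in chunks, so that images
    far larger than available memory can be hashed."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_duplicate(original_path, duplicate_path, algorithms=ALGORITHMS):
    """Compare the hashes of the original data carrier with those of the
    forensic duplicate and return a record (assumed format) that can be
    attached to the acquisition documentation."""
    original = hash_file(original_path, algorithms)
    duplicate = hash_file(duplicate_path, algorithms)
    per_algorithm = {name: original[name] == duplicate[name] for name in algorithms}
    return {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "original": original_path,
        "duplicate": duplicate_path,
        "original_hashes": original,
        "duplicate_hashes": duplicate,
        "per_algorithm": per_algorithm,
        # Only a match on every algorithm counts as an identical copy.
        "match": all(per_algorithm.values()),
    }


def demo():
    """Build constructed sample images and verify a good and a bad copy.

    Returns (record_for_identical_copy, record_for_altered_copy)."""
    workdir = tempfile.mkdtemp(prefix="acquisition_")
    # Constructed 1 MiB "disk image"; deterministic so the demo is repeatable.
    data = bytes(range(256)) * 4096

    original = os.path.join(workdir, "evidence_disk.img")
    good_copy = os.path.join(workdir, "evidence_disk_copy.img")
    bad_copy = os.path.join(workdir, "evidence_disk_copy_altered.img")

    with open(original, "wb") as fh:
        fh.write(data)
    with open(good_copy, "wb") as fh:
        fh.write(data)
    # Simulate a copy in which a single bit changed (e.g. a write during
    # acquisition without a write blocker): the hashes no longer agree.
    altered = bytearray(data)
    altered[len(altered) // 2] ^= 0x01
    with open(bad_copy, "wb") as fh:
        fh.write(bytes(altered))

    return verify_duplicate(original, good_copy), verify_duplicate(original, bad_copy)


if __name__ == "__main__":
    for record in demo():
        print(json.dumps(record, indent=2))
```

The record deliberately stores both sets of digests rather than only a true/false result: a third party evaluating the acquisition later can recompute the hashes of the duplicate and confirm the documented values independently.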

Analyze

In the analysis phase, the saved data is analyzed and evaluated. The analysis methods chosen depend on the facts to be investigated, must correspond to the state of science and technology, and must be comprehensible to third parties.

Present

In the present phase, the analysis results are presented in a way that is appropriate for the target group. In addition to the results, the conclusions drawn from them must be presented so that they can be understood and evaluated by third parties.

Sub-areas of IT forensics

Web links

Wikibooks: Disk Forensics  - Learning and Teaching Materials

References

  1. The Computer Forensics FAQ. The Computer Forensics Open Guide, accessed on February 3, 2020.
  2. XXXV: On the "Evidence of Information Technology Expertise". Schmid, Viola, December 7, 2012, accessed on March 24, 2019.
  3. Guide "IT Forensics", Version 1.0.1. Federal Office for Information Security, March 1, 2011, accessed on March 24, 2019.
  4. Alexander Geschonneck: Computer Forensics. Recognizing, investigating and clearing up computer crimes. 5th updated and expanded edition. dpunkt Verlag, Heidelberg 2011, ISBN 978-3-89864-774-8, p. 2.
  5. IT-Grundschutz M 6.126 Introduction to Computer Forensics. Federal Office for Information Security, 2009, accessed on March 24, 2019.
  6. Digital forensics in companies. Dissertation. University of Regensburg, 2016, accessed on March 24, 2019.