EVIDENCE RECOVERY: THE PROCESS FOR RECOVERING ELECTRONIC EVIDENCE
There are two primary steps for recovering electronic data: "acquisition"
of the target media, and a forensic byte-by-byte analysis of the acquired
data. Using specialized computer forensic tools, the target media is
acquired through a non-invasive, complete sector-by-sector bit-stream
image procedure. During the imaging process it is critical that the image
be acquired from a separate, minimal boot environment (historically DOS;
today a hardware write-blocker serves the same purpose) rather than from
the suspect machine's own operating system. Turning on the computer and
booting into its installed operating system (usually Windows) writes to
the disk: file-system metadata, timestamps, swap and temporary files are
updated, and unallocated space holding deleted data can be overwritten,
potentially destroying recoverable evidence.
The resulting image becomes the "evidence file," which is mounted
read-only as a virtual disk and on which the forensic examiner performs
all analysis; the original media is never worked on directly. The
forensics software used by CFI writes the evidence file with two layers of
integrity checking: a Cyclic Redundancy Check ("CRC") stored for every
block of 64 sectors and re-verified each time the file is read, and a
128-bit MD5 cryptographic hash computed over the entire image. (MD5 is a
one-way hash, not encryption: it cannot be reversed to recover the data,
but any change to the data changes the hash.) Together these verify the
integrity of the evidence file and confirm that the image has remained
unaltered and forensically intact: changing even one bit of data causes
the affected block's CRC and the image-wide MD5 hash to fail verification,
and the software reports that the evidence file has been changed and is no
longer forensically intact. The per-block CRC localizes where a change
occurred, while the cryptographic hash is what makes deliberate tampering
detectable, since a CRC is trivial to recompute after editing a block.
Note that MD5 collisions are now practical, so current practice records a
second hash (such as SHA-256) alongside the MD5.
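The two-layer integrity scheme described above, as an added example that is not CFI's tool or its evidence-file format: the script below models an evidence file as per-64-sector-block CRC-32 values plus a whole-image MD5 (and, as an addition to the page's scheme, a SHA-256), then shows that a single flipped bit both fails the image-wide hashes and is pinned to one block by the CRCs. The 512-byte sector size, the in-memory dictionary layout, and the deterministic byte pattern standing in for a drive image are all assumptions of this example.

```python
"""Added example: minimal model of an evidence file with per-block CRCs
and whole-image hashes. Illustrative code only, not a vendor format."""
import hashlib
import zlib

SECTOR_BYTES = 512                             # assumed sector size
BLOCK_SECTORS = 64                             # CRC granularity from the page
BLOCK_BYTES = SECTOR_BYTES * BLOCK_SECTORS     # 32 KiB per CRC block


def acquire(image: bytes) -> dict:
    """Build an in-memory 'evidence file' from a raw bit-stream image.

    Stores one CRC-32 per 64-sector block, an MD5 over the whole image,
    and (an addition to the page's scheme) a SHA-256 over the whole image.
    """
    blocks = [image[i:i + BLOCK_BYTES] for i in range(0, len(image), BLOCK_BYTES)]
    return {
        "data": image,
        "block_crcs": [zlib.crc32(b) for b in blocks],
        "md5": hashlib.md5(image).hexdigest(),
        "sha256": hashlib.sha256(image).hexdigest(),
    }


def verify(evidence: dict) -> dict:
    """Re-check every stored CRC and both hashes against the current data."""
    data = evidence["data"]
    bad_blocks = [
        idx for idx, stored in enumerate(evidence["block_crcs"])
        if zlib.crc32(data[idx * BLOCK_BYTES:(idx + 1) * BLOCK_BYTES]) != stored
    ]
    md5_ok = hashlib.md5(data).hexdigest() == evidence["md5"]
    sha256_ok = hashlib.sha256(data).hexdigest() == evidence["sha256"]
    return {
        "intact": md5_ok and sha256_ok and not bad_blocks,
        "md5_ok": md5_ok,
        "sha256_ok": sha256_ok,
        "bad_blocks": bad_blocks,      # indices of 64-sector blocks that changed
    }


def flip_bit(evidence: dict, byte_offset: int, bit: int = 0) -> dict:
    """Return a copy of the evidence file with exactly one data bit changed."""
    data = bytearray(evidence["data"])
    data[byte_offset] ^= 1 << bit
    return {**evidence, "data": bytes(data)}


def sample_image(n_blocks: int = 4) -> bytes:
    """Constructed stand-in for a drive image: a deterministic byte pattern."""
    return bytes((i * 31 + 7) % 251 for i in range(n_blocks * BLOCK_BYTES))


if __name__ == "__main__":
    ev = acquire(sample_image())
    print("fresh image intact:", verify(ev)["intact"])
    # flip the low bit of the first byte of block 2 (i.e. sector 128)
    tampered = flip_bit(ev, 2 * BLOCK_BYTES, 0)
    report = verify(tampered)
    print("after 1-bit change intact:", report["intact"],
          "| bad blocks:", report["bad_blocks"],
          "| md5 ok:", report["md5_ok"])
```

Run as a script and the second line reports `intact: False`, `bad blocks: [2]` and `md5 ok: False`. The split of responsibilities is the point: the CRC tells the examiner which 32 KiB block to look at, but because anyone who can edit a block can also recompute its CRC, only the cryptographic hashes, recorded separately and ideally in the examiner's notes, establish that nobody did.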