Section 5: Digital Evidence Controls – Computer Forensic Analysis – and Recovering Files

/in , , , , , , /by

Section 5: Digital Evidence Controls, Computer Forensic Analysis, and Recovering Files

(Section 5: Digital Evidence Controls, Computer Forensic Analysis, and Recovering Files)

Section 5: Digital Evidence Controls, Computer Forensic Analysis, and Recovering Files

Preserving Information for Forensic Analysis

Digital evidence can be stored and maintained in physical or digital devices. After information collection, it will be moved to physical media for storage and where it can be accessed. The data acquired and the device used for storage are secured until the information is required for forensic analysis. The physical and digital storage systems or a smart management system are integrated to form the evidence management system to be used at the organization. Preservation is required to ensure the legal admissibility of the information stored. The evidence management system will include drive imaging, hash values, and a clear chain of custody (Simon, 2023). Rather than the original information, the company will create images of the evidence that will be used for analysis. The analysist will develop a duplicate of the drive used to store the information to help retain the original evidence for investigation. Investigators can exclusively use the duplicate image rather than the original media. (Section 5: Digital Evidence Controls, Computer Forensic Analysis, and Recovering Files)

Hash values will also aid in preserving the evidence or information generated when duplicates or images of the original media are produced. The hash values will help determine the authenticity and integrity of the duplicates as an exact image of the original information. Hash values will help ascertain if the information was altered at any point, which is a vital part of forensic analysis and admitting the evidence in court if necessary (Simon, 2023). Creating new or editing existing files generates new hash values that can only be accessed using special software. The hash values must match the expected values, and if not, they will help confirm that the evidence was altered. A clear chain of custody is vital in digital evidence preservation. The company forensic analyst or investigator will document all media and evidence transfers on the Chain of Custody (CoC) forms and capture signatures and dates after handing off media. The chain-of-custody paperwork will help determine that the image of the digital evidence is or was under known possession from the time the duplicate or image was created (Simon, 2023). A lapse in the chain of custody would allow the company to nullify the legal value or dependability of the image. Generally, the primary purpose of preserving the evidence is to ensure legal admissibility. (Section 5: Digital Evidence Controls, Computer Forensic Analysis, and Recovering Files)

Digital Evidence Controls

JP Morgan Chase works with a cybersecurity forensic investigator whose main role at the company is to watch over the data and find innovative ways to protect the data. Approaches used to control digital evidence include risk reviews and vulnerability analysis that help identify potential threats. The investigator conducts forensic preservation work and preliminary investigations, adopting established standards (JP Morgan Chase Company, n.d.). The investigator also helps identify violations of the JP Morga Chase Code of Conduct and identifies, collects, and preserves the associated digital evidence. The organization, through the investigator, conducts forensically sound collection and analysis of electronic evidence using different tools to enhance security, compliance, and legal processes. (Section 5: Digital Evidence Controls, Computer Forensic Analysis, and Recovering Files)

JP Morgan Chase preserves network and host-based digital forensics on Microsoft Windows-based systems and other necessary operating systems like LINUX and adopts standard digital forensic and network monitoring tools to plan and carry out forensic support independently. The organization adopts High-Security Access (HSA) systems for forensic investigations. It conducts an enhanced annual screening of users of the systems, including checking criminal and credit backgrounds (JP Morgan Chase Company, n.d.). Additionally, the organization ensures technology governance, risk, and compliance by regularly validating the effectiveness of the controls, assessing risk annually to ensure the implemented controls can protect the organization’s information, and adopting security policies and procedures to govern receipt, transmission, processing, storage, retrieval, access, and presentation of the information. The principle of least privilege is adopted to grant personnel access to the information. Physical facilities hosting the data are restricted and have detective monitoring controls and controls for hazards like fire and water. (Section 5: Digital Evidence Controls, Computer Forensic Analysis, and Recovering Files)

Computer Forensic Tools for Forensic Analysis and File Recovery

The autopsy/the Sleuth Kit will be used for disk analysis. The tool is recommended for its ease of use, extensibility, speed, and cost-effectiveness. The Sleuth kit is a command-line tool that helps conduct forensic analysis of hard drives and smartphone images. The Autopsy is a GUI-based system using the Sleuth Kit in the background (Kaushik et al., 2020). Its modular and plug-in architecture ensures that the user can easily incorporate additional functionality. Law enforcement agencies and organizations can use this tool to investigate activities or events in a computer, analyze disk images, and recover associated files. The tool can analyze both Windows and LINUX disks. The Volatility tool will also help with memory forensics, incident response, and malware analysis. Often, investigations determine what activities occurred at the time of the incident. Volatility is used to link device, network, file system, and registry artifacts to confirm the list of all running processes, active and closed network connections, running Windows command prompts screenshots and clipboard contents that were in progress at the time of the incident (Mohanta et al., 2020). Investigators will use Volatility to assess processes, check command history, and retrieve files and passwords from the system. (Section 5: Digital Evidence Controls, Computer Forensic Analysis, and Recovering Files)

References

JP Morgan Chase Company. (n.d.). Cybersecurity Forensic Investigatorhttps://www.wayup.com/i-Financial-Services-j-JP-Morgan-Chase-Company-827769314821227/

JP Morgan Chase Company. (n.d.). JPMorgan Chase & Co. Minimum Control Requirementshttps://www.jpmorganchase.com/content/dam/jpmc/jpmorgan-chase-and-co/documents/supplier-minimum-control-requirements.pdf

Kaushik, K., Tanwar, R., & Awasthi, A. K. (2020). Security tools. In Information Security and Optimization (pp. 181-188). Chapman and Hall/CRC.

Mohanta, A., Saldanha, A., Mohanta, A., & Saldanha, A. (2020). Memory Forensics with Volatility. Malware Analysis and Detection Engineering: A Comprehensive Approach to Detect and Analyze Modern Malware, 433-476.

Simon, M. (2023). Methods to preserve digital evidence for computer forensicshttps://www.criticalinsight.com/resources/news/article/3-methods-to-preserve-digital-evidence-for-computer-forensics

 
Do you need a similar assignment done for you from scratch? Order now!
Use Discount Code "Newclient" for a 15% Discount!