[source](https://unsplash.com/photos/flha0KwRrRc)
* **What are the objectives of computer forensics**
Cyber forensic is a branch of science which deals with tools and techniques for investigation of digital data to find pieces of evidence against a crime which can be utilized in the court of law. It is a practice of extracting, preserving, documenting and analyzing evidence from digital devices such as computers, digital storage media, smartphones, etc. so that they can be used to make expert opinion in legal/administrative matters.
* **What happens if computer forensics is ignored or practised badly?**
You risk destroying vital evidence or having forensic evidence ruled unacceptable in a court of law. Also, you or your organization may face new laws that mandate regulatory compliance and assign liability if certain types of data are not rigorously protected. Recent legislation makes it possible to hold organizations responsible in civil or criminal court if they fail to protect customer data.
* **Who may be involved in computer forensics in an organisation?**
Staff with computer forensic training, identifying computer forensic companies with the skills already that can assist, or a combination of both.
* **The initial incident management processes implemented, upon detecting a suspected cyber-crime in an organisational setting**
1. Preparation: The organization prepares guidelines for incident response and assigns roles and the responsibilities of each member of the incident response team. Most of the large organizations earn a reputation in the market and any negative sentiment may negatively affect the emotions of the shareholders. Therefore, effective communication is required to declare the incident. Hence, assigning the roles based on the skill-set of a member is important.
2. Identification: based on the traits the incident response team verifies whether an event had actually occurred. One of the most common procedures to verify the event is examining the logs. Once the occurrence of the event is verified, the impact of the attack is to be assessed.
The second step in the process is forensic investigation is carried out to find the evidence of the crime, which is mostly performed by 3rd party companies. The computer forensic investigation involves the following steps:
• Identify incident and evidence: this is the first step performed by the system administrator where he tries to gather as much information as possible about the incident. Based on this information the scope and severity of the attack are assessed. Once the evidence of the attack is discovered, the backup of the same is taken for the investigation purpose. The forensic investigation is never performed on the original machine but on the data that is restored from the backup.
• Collect and preserve evidence: Various tools like Helix, WinHex, FKT Imager, etc. are used to capture the data. Once the backup of the data is obtained, the custody of the evidence and the backup is taken. MD5(message digest) hash of the backup is calculated and matched with the original one to check the integrity of the data. Other important sources of information like system log, network information, logs generated by Intrusion Detection Systems(IDS), port and process information are also captured.
• Investigate: The image of the disk is restored from the backup and the investigation is performed by reviewing the logs, system files, deleted and updates files, CPU uses and process logs, temporary files, password protected and encrypted files, images, videos and data files for the possible steganographic message, etc.
• Summarize and Presentation: The summary of the incident is presented in chronological order. Based on the investigation, conclusions are drawn and the possible cause is explained.
3. Containment: based on the feedback from the assessment team, the future course of action to respond to the incident is planned in this step.
4. Eradication: In this step, the strategy for the eradication or mitigate of the cause of the threat is planned and executed.
5. Recovery: it is the process of returning to the normal operational state after eradication of the problem.
6. Lesson Learned: if a new type of incident is encountered, it is documented so that this knowledge can be used to handle such situations in future.
* **Why is it important to report cyber-crime to the relevant authorities? Why may some organisations choose not to report a cyber-crime upon its detection?**
Some of the companies do not report a cybercrime incident because they worry this can harm their reputation. Some of the data are very sensitive and its exposure may impact their business negatively. But, the fact is until and unless a cybercrime incident is reported, the cybercriminals will never be crabbed by the law enforcement agencies. This can result in worsen the conditions and encourage the criminals to repeat these types of incidents with the same or the other organizations. So it is very important to identify and prosecute them. This will help not only to identify the existing threats to the economy and the infrastructure but also new threats are identified.
