There are 4 evidence lifecycle stages to investigate the employee's computer: preparation, evidence collection, preservation, examination and analysis, and presentation. Firstly, the preparation. In the court, an investigator needs to declare in which to disturb the evidence seized, thus, to filing seize the evidence by the authorities that must be collected. (Subramaniam, n.d.)

At the scene, an investigator should interpret the media description that is likely to be detected. Furthermore, a brief preliminary can be conducted with the suitable party. Deliberately, the preparation phase may contain the setting of responsibilities and boundaries, and recommending to the client the impact and the suggestions that the investigation conclusion may contain. (Subramaniam, n.d.)


The second evidence lifecycle stage is evidence collection. Documentation of the device in its setting and an investigator's journal should be made. Moreover, the number and the date of the evidence are provided by the label management. Therefore, the user of the system is interviewed to obtain the computer's IP address for the investigation collaboration. Furthermore, the investigator recognizes which hardware and software to use that are applicable and forensically effective for the evidence breakdown. The evidence is acquired in a write-protected manner. The authority needs to identify the software used to control the disk acquisition and imaging. An image of the suspect's disk can be prepared by the software, especially when the suspect's disk is duplicated. (Subramaniam, n.d.)

Preservation: The forensic method used has to be completely non-invasive to the original data. At the same time to duplicate files which to ignore the files and information prosperity. Therefore, the duplicated copies include the visible files as well as the free space, which may contain hidden data, hidden partitions that contain hidden data, slack space, registry info, unallocated space, temporary files, hidden files, history files, etc. (Subramaniam, n.d.)

Furthermore, in the examination and analysis stage, the result depends on the outstanding closing case, prosecution, settlement or conviction. Additionally, during this stage due care must be taken to avoid any working on the original evidence. (Subramaniam, n.d.)

Lastly, the presentation, in which the findings must be presented in a simultaneous manner that may include screen captures, original files, etc. Furthermore, clear evidence information with the techniques simultaneously. (Subramaniam, n.d.)

The admissibility of evidence comes in four basic forms: demonstrative evidence, documentary evidence, real evidence and testimonial evidence. First off, demonstrative evidence: if it expresses the testimony correctly and adequately, with efficiency enough for the task at hand, and is otherwise unobjectionable, it will be admissible. Examples of demonstrative evidence are a diagram and a description of the scene of an occurrence. Because its purpose is to clarify testimony, the witness whose testimony is being illustrated authenticates the demonstrative evidence. (Findlaw, n.d.)

Another form of admissible evidence is documentary evidence: a document is shown to be genuine in the same way as any other real evidence. Moreover, the rule of evidence contributes most highly where writing is being offered in evidence: a copy or other secondary evidence of the content will not be received in place of the document unless a clarification is offered for the original's insufficiency. (Findlaw, n.d.)

Furthermore, real evidence: An action which based on the real evidence to convince the terms and the defendant's performance. If it is written in a stumble way, as a result it may be relevant to be presented. To be admissible, real evidence must be relevant, competent, and material. (Findlaw, n.d.)

Lastly, testimonial evidence. To view the problems that were questions of competence connection and therefore evidence expulsion in which presenting in preference questions of weight for accomplishment to classify, furthermore, competence guidelines are interpreted and it will be affected in the exclusion of evidence. (Findlaw, n.d.)

The type of evidence to be collected is the documentation at stages is where to organize the evidence reliability. Furthermore, documentation of collecting and handling the evidence is required to preserve the chain of custody. It is usual for an individual who handled important evidence to be investigated. Careful notes should be made of when the evidence was collected, from where, and by whom. (Casey, 2011)

The representation of evidence in the previous section is coincidental, so it is assumed the computer behind an IP address is reliable and it prohibited classifying or possessing. First off, to resolve an IP address in the direction of the person which is to complete the machine scene that is responsible for the traffic. A subpoena can be acquired by the investigator from the magistrate to petition the ISP to return account information. (Pdfs.semanticscholar.org, 2010)

Lastly is the storage, which means it is important to collect significant information during the investigation scene. Nonetheless, for maintenance and operational purposes, a large amount of metadata is distributed by nodes in a P2P network. Logging a bundle of incoming and outgoing would require a large amount of storage. (Myneedu and Guan, 2017)

To preserve the type of evidence may include identification. Classifying the type of evidence can be a challenge. Thus, a subpoena or search warrant needs to be prepared, and it is crucial to include any location in which evidence may exist. Furthermore, the expression of identification must have correct phrasing and must be specific; using the expression CPU means collecting the computer's Central Processing Unit instead of the computer. (Daniel and Daniel, 2012)

Besides, the collection is to preserve the type of evidence. This step is decisive, as it is the first real contact with the evidence. However, not following the collection procedures can lead to the evidence's alteration or destruction, and hence to evidence misplacement. (Daniel and Daniel, 2012)

Furthermore, the existence of the blacklisted is to active observing which may present a significant exposure of the IP address. Yet, the inactive application-level may control the addresses of the issue; on the other hand, it collects a limited quantity of information. (Myneedu and Guan, 2017)

Likewise, encryption: encrypting the communications between peers affects P2P traffic observation at the network level. Even if the network is observed at numerous locations, the adoption of encryption can make it practically impossible to acquire consequential information from the network. Even though the network data is encrypted, an initial evidence collection tool needs to be effective and should carry out its functions. (Myneedu and Guan, 2017)

Eventually, the write-protection technologies, which can be read-only files, in addition to the description of concept as files with the write-protection function when it started. However, a file can be write-protection preservation. And so forth, the original file preservation is to prevent inactivity and to evade attacks from viruses. (Zhang, 2014)

A hardware tool that will be selected to analyse the evidence is a write-blocker, which is a read-only device that allows the user to read the data on a suspect device without the opportunity to modify it. In other words, it prevents a storage device from being modified or erased. Other than that, a hard-drive duplicator is an imaging device that copies all files from the suspect hard drive to a clean drive; furthermore, it can duplicate data on flash drives. (www.dhs.gov, 2016)

Furthermore, WiebeTech produces several hardware write-blocking systems that are used. The hardware can take a variety of adapters to deal individually with the types of drive interfaces confronted in the environment. (Nelson, 2014)

In addition, write blocking can be accomplished by a software system. The original evidence is protected by the FastBloc Software Edition when it is connected to exact supported interface cards. There is another software write blocker from ForensicSoft, Inc. (SAFE Block) that is available and does not require any additional licenses. Hence, on a Windows system, the registry can be manipulated for any USB-connected device. (Nelson, 2014)

Sharing illegitimate material is commonly done over P2P, which a tool the information separately from evidence that is based on Java Object Serialization (JOS). Based on the requirement of JOS, by using this tool, AScan, the personal information concerning the users can be extracted. On the other hand, another great tool is PyFlag, with which any recorded network capture can be captured and reproduced. (Dezfouli and Dehghantanha, 2014)

First and foremost, the chain of custody is important for the investigation process, because it is the first step in digital video and audio evidence corroboration. Moreover, to classifying the information arranged by the chain of custody even if this evidence has been cloned. Therefore, the improvement of technology and it becomes more approachable so that the evidence has become simple to adapt. Generally, an investigator collects the evidence from the client, which they received from the police. Therefore, the investigator has to think carefully about the reports and legal documents. The development has become accepted during the whole of investigations when the original evidence for the investigator's recovery. When at the site to recover the digital evidence, the investigator has to approach the administrator for information about the evidence, such as the managerial log, date and file information. (Primeau Forensics, n.d.)

The investigator may obtain a search warrant from a magistrate on observed evidence. Therefore, the search warrant may indicate targets consistently where characterize as electronic devices communicating or accumulating qualified digital prohibited. (Pdfs.semanticscholar.org, 2010)

During the investigation, there is no necessity to alter the existing evidence, because all analysis is handled on the original source representation and to determine the evidence that can be extracted from the particular accumulate, image, and documented to original source and duplicated. When dealing with all types of evidence, it is compulsory that the entire procedures used are reproducible, trustworthy and valid. (Scanlon and Kechadi, n.d.)

Furthermore, it is valuable to remember the development of forensics, which is capable of recovering other evidence. In this situation, procedures should be developed; hence, the order of completion and appearance of examinations should be carried out to collect the complete evidentiary content. (Madhub, 2014)

Task 2

Date: 10th January 2018 (2pm)

Investigating the employee’s computer system

The investigator may obtain a search warrant from a magistrate on observed evidence. Therefore, the search warrant may indicate targets consistently where characterize as electronic devices communicating or accumulating qualified digital prohibited. (Primeau Forensics, n.d.)

The process of the chain of custody is as follows. Protect the original package materials. Take as many snapshots of the physical evidence as possible. Take screenshots of the evidence. Document the date, time and information of the declaration. Transfer the evidence reproduction onto the forensic computers. And lastly, perform a test analysis for further corroboration of the working clone. (Primeau Forensics, n.d.)

Legal authorization gives the evidence judicial legitimacy; therefore, handling evidence is an important step. Further, a search warrant is required to seize evidence (Antwi-Boasiako and Venter, n.d.). During the investigation, there is no necessity to alter the existing evidence, because all analysis is handled on the original source representation and to determine the evidence that can be extracted from the particular accumulate, image, and documented to original source and duplicated. (Scanlon and Kechadi, n.d.)

There are two categories of techniques: Storage Device Capability Observation and Storage Device Capability Query. First off, the Storage Device Capability Observation is to adopt the device labels consideration and technical specifications, therefore, the device termination. On the other hand, Storage Device Capability Query is to adopt a program the device objection for its information effectiveness. (Carrier and Spafford, 2006)

A hardware tool that will be selected to analyse the evidence is a write-blocker, which is a read-only device that allows the user to read the data on a suspect device without the opportunity to modify it. (www.dhs.gov, 2016)

The collection of evidence is as follows: the removable media is established by the application and virtualized in RAM without any trace on the hard disk. The malware is in RAM without evidence on the hard disk. Lastly, the well-known websites that offer users ways to cover the tracks which they created. (Henry, 2009)

The process of analysis may include the following. File fragments and hidden files have to be recognized and recovered, and their location catalogued, e.g. slack, free or used space. Moreover, the file structures, headers, and characteristics are to be analysed to determine the data description of each and every file. Furthermore, deleted, cloaked, encrypted and fragmented files must be inspected. The size of all graphic files has to be presented. The Internet activities, the chat archives, and the email communications that based on complicated searched performance. To demonstrate drive's directory structure collection. And reports development. (Subramaniam, n.d.)

One form of documentation of evidence is the system duplication. The evidence may be found during the image investigation, which helps to recreate and review the scene. Finally, forms of camera/video photography and graphics are used, and notes are made on the document. Thus, the documentation at the scene begins at the chain of custody. (Jawad Abbas, 2015)

In chain of custody, the documentation has to include the device description and device protection from electromagnetic interference. Moreover, confirmation has to be produced that the data source has not changed. However, if it has changed, the document may cause the change. (Graves, 2013)
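
The chain-of-custody documentation described above (when the evidence was handled, from where, by whom, the device description, and confirmation that the data source has not changed), as an added example that is not part of the original essay. Using SHA-256 digests for the "not changed" check and for linking entries is an assumption, since the essay names no mechanism; `CustodyLog`, its field names and the sample values are hypothetical.

```python
import hashlib
import json
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only custody log; every entry embeds the previous entry's hash."""
    def __init__(self, device_description, image: bytes):
        self.device_description = device_description
        self.acquisition_digest = sha256_hex(image)  # taken once, at imaging
        self.entries = []

    def record(self, handler, location, action, image: bytes, when=None):
        # Note when, where and by whom, and re-hash the image being handled.
        entry = {
            "when": (when or datetime.now(timezone.utc)).isoformat(),
            "where": location,
            "by_whom": handler,
            "action": action,
            "device": self.device_description,
            "image_sha256": sha256_hex(image),
            "prev": self.entries[-1]["entry_sha256"] if self.entries else None,
        }
        entry["unchanged"] = entry["image_sha256"] == self.acquisition_digest
        entry["entry_sha256"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        # False if an entry was edited or dropped, or the image ever changed.
        prev = None
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_sha256"}
            digest = sha256_hex(json.dumps(body, sort_keys=True).encode())
            if e["prev"] != prev or not e["unchanged"] or digest != e["entry_sha256"]:
                return False
            prev = e["entry_sha256"]
        return True


def demo():
    image = b"constructed bytes standing in for a disk image"  # sample input
    log = CustodyLog("constructed example: 500 GB SATA drive, tag EX-001", image)
    log.record("Investigator A", "employee's office", "imaged via write-blocker", image)
    log.record("Investigator B", "forensic lab", "working copy examined", image)
    return log
```

An entry whose image digest differs from the acquisition digest is still recorded, with `unchanged` set to false, so the log documents the change instead of hiding it.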