401d8 read34 - carlosjorr/reading-notes GitHub Wiki

Forensics Investigation with Autopsy

What are the main differences between computer forensics and cybersecurity?

Computer Forensics vs. Cybersecurity:

Computer Forensics:

Focus: Computer forensics is the practice of collecting, analyzing, and preserving electronic evidence to investigate and reconstruct digital incidents or crimes. It involves the recovery of data from digital devices and analyzing it to uncover evidence for legal proceedings. Purpose: The primary purpose of computer forensics is to investigate and provide evidence related to digital crimes, such as hacking, data breaches, fraud, and intellectual property theft. Activities: Computer forensic experts gather evidence, conduct analysis, and maintain a strict chain of custody to ensure the integrity of evidence. They often work with law enforcement and legal authorities. Scope: Computer forensics deals with post-incident analysis and evidence gathering after a breach or cybercrime has occurred. Examples of Tools: Encase, FTK (Forensic Toolkit), Autopsy, Volatility (for memory analysis), Wireshark (for network analysis). Cybersecurity:

Focus: Cybersecurity focuses on protecting information systems, networks, and data from cyber threats, attacks, and vulnerabilities. It encompasses a wide range of practices to safeguard digital assets. Purpose: The primary purpose of cybersecurity is to prevent, detect, and respond to cyber threats and attacks, thereby reducing the risk of data breaches and unauthorized access. Activities: Cybersecurity professionals design and implement security measures, perform vulnerability assessments, monitor network traffic, and respond to security incidents. Scope: Cybersecurity addresses both preventive measures and real-time protection against ongoing threats. Examples of Tools: Firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), antivirus software, security information and event management (SIEM) tools.

What are the six stages of a computer forensics examination? Six Stages of a Computer Forensics Examination:

Identification: Identify and isolate potential digital evidence. This involves determining what devices or systems are relevant to the investigation.

Collection: Safely collect and preserve digital evidence using forensically sound methods. This includes creating a digital copy of the original data to maintain its integrity.

Acquisition: Create a forensic image or duplicate of the original data to ensure that no changes are made to the original evidence during analysis.

Analysis: Analyze the acquired data to uncover relevant information. This involves examining files, metadata, system logs, and other artifacts to reconstruct events.

Documentation: Document the entire process, from the initial identification of evidence to the final analysis. This documentation serves as a record for legal purposes and ensures the integrity of the investigation.

Presentation: Present the findings and evidence in a clear and concise manner, suitable for legal proceedings. This involves creating reports, presenting expert testimony, and explaining the technical details to non-technical audiences.