Monday, February 4, 2013

About IT Forensics


IT Forensics, also called Digital Forensics, is a science that is still very new in Indonesia, so the number of experts or professionals in the field is still very small. As a result, we as lay people still do not know exactly what IT Forensics or Digital Forensics is. To find out, let us learn together. Digital forensics derives from the discipline of information technology (IT) within computer science, specifically the part of IT security that deals with finding digital evidence after an event has occurred.
The word forensic generally means bringing something to court. Digital forensics, sometimes called computer forensics, is the science of analyzing digital evidence in a way that can be justified in court. Computer forensics activity is the process of identifying, preserving, analyzing, and using digital evidence in accordance with applicable law.
Experts have also given their own definitions of IT Forensics, as follows:

§ According to Noblett, its role is to take, maintain, restore, and present data that has been processed electronically and stored on computer media.

§ According to Robin Judd, it is simply the application of computer investigation and analysis techniques to determine possible legal evidence.

§ According to Ruby Alamsyah (an Indonesian IT forensics expert), digital forensics, sometimes called computer forensics, is the science of analyzing digital evidence so that it can be justified in court. Digital evidence includes mobile phones, notebooks, servers, and any technology device that has storage media and can be analyzed.

The goal of IT Forensics is to secure and analyze digital evidence by describing the current state of a digital artifact. The term digital artifact can include a computer system, storage media (hard disk, flash disk, CD-ROM), an electronic document (e.g. an email or image), or even a series of packets moving over a computer network. Digital evidence is obtained in the form of digital information. This digital evidence can be real or abstract (abstract evidence must be processed before it becomes real evidence). Some examples of digital evidence include:

· E-mail
· Spreadsheet software source code file
· File
· form
· Video
· Audio image
· Web browser bookmarks, cookies
· Deleted files
· Windows registry
· Chat logs

There are four key elements of forensics that must be considered with regard to digital evidence in information technology, as follows:

1. Identification of the digital evidence (Identification / Collecting Digital Evidence). This is the earliest stage in information technology forensics. It identifies where the evidence is located, where it is stored, and how it is stored, in order to facilitate the investigation.

2. Storage of digital evidence (Preserving Digital Evidence). The form, content, and meaning of digital evidence must be kept in a sterile place. Making absolutely sure that nothing changes is vital, because even a slight change in digital evidence will change the results of the investigation as well. Digital evidence is by nature temporary (volatile), so unless it is handled very carefully it is easily damaged, lost, altered, or affected by a crash.

3. Analysis of digital evidence (Analyzing Digital Evidence). Once the evidence has been preserved, it needs to be processed again before it is handed to those who need it. The scheme required in this process is flexible, depending on the case at hand. The evidence obtained should be explored again for several points relevant to the criminal investigation, among others:
   a. Who did it.
   b. What was done (e.g. which software was used).
   c. What results the process produced.
   d. When it was done.
   Any evidence found should then be listed, noting which items are potential evidence that can be documented.

4. Presentation of digital evidence (Presentation of Digital Evidence). Conclusions are obtained once all the stages have been passed. Regardless of the degree of objectivity or the standard of truth achieved, the material gathered here will at least serve as "capital" for the court. This is the stage where the digital evidence is brought to trial, tested for authenticity, and correlated with the case. This stage is important because it is where the processes carried out earlier are laid out and their truth is demonstrated to the judge, in order to disclose the data and information about the events.

To make the working mechanism easier to understand, the following is how a digital forensics expert works. There are several stages. The main thing is that, after receiving the digital evidence, an acquiring process must be carried out: imaging, or in common language cloning, which is copying with precision so that the copy is exactly the same, 1-to-1. For example, if we clone hard disc A to hard disc B, hard disc B is exactly the same 1:1 as hard disc A, including contents on hard disc A that are hidden or deleted. Everything is carried over to hard disc B. Digital forensic analysis is then performed on this clone. The analysis must not be performed on the original digital evidence, for fear of changing the evidence. If a mistake is made while working on the cloned hard disk, the clone can be made again from the original. So there is no need to analyze the original evidence. Second, analyze the content of the data, especially data that has been deleted, hidden, or encrypted, and a person's internet history that cannot be seen by the public. For example, which sites a terrorist has viewed, where emails were sent, and so on. This may turn up a very important document to serve as evidence in court. That is why digital forensics is now so important.
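The acquisition step described above, together with the reason stage 2 insists that nothing may change, as an added example that is not part of the original post: ordinary files stand in for hard disc A and hard disc B, and the function names are illustrative. A real acquisition reads the source device through a write blocker.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB blocks

def sha256_file(path):
    """Hash a file block by block so large images do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()

def acquire_image(source, image):
    """Copy source to image 1:1 and return the SHA-256 of the bytes read from source."""
    digest = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            digest.update(block)
            dst.write(block)
    return digest.hexdigest()

def verify_image(image, acquisition_hash):
    """True only if the working copy still matches what was read at acquisition."""
    return sha256_file(image) == acquisition_hash

def demo():
    with tempfile.TemporaryDirectory() as workdir:
        disk_a = os.path.join(workdir, "disk_a.raw")  # stand-in for hard disc A
        disk_b = os.path.join(workdir, "disk_b.img")  # stand-in for hard disc B
        # Constructed sample: live data plus the remnant of a "deleted" file.
        remnant = b"deleted-file-remnant"
        with open(disk_a, "wb") as f:
            f.write(b"LIVE-FILE" + b"\x00" * 4096 + remnant + b"\x00" * 4096)
        acquisition_hash = acquire_image(disk_a, disk_b)
        intact = verify_image(disk_b, acquisition_hash)
        with open(disk_b, "rb") as f:
            remnant_copied = remnant in f.read()  # deleted data came across too
        # Simulate an analyst's mistake: flip a single bit in the clone.
        with open(disk_b, "r+b") as f:
            f.seek(100)
            original = f.read(1)
            f.seek(100)
            f.write(bytes([original[0] ^ 0x01]))
        altered_passes = verify_image(disk_b, acquisition_hash)
        return intact, remnant_copied, altered_passes

if __name__ == "__main__":
    print(demo())
```

When verification fails, the clone is discarded and re-imaged from the original, which is why the recorded acquisition hash belongs in the case notes.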


