First Initial Idea


Computer Forensics (INITIAL IDEA 1)


Computer forensics is a branch of digital forensics concerned with evidence held on computers and data storage devices. It involves identifying, acquiring, preserving and analysing that data. The main goal is to conduct an organised investigation that preserves the evidence while establishing exactly what occurred on the devices in question and who is responsible for it.
Various techniques, procedures and forensic toolkits are used, from tools like 'bmap' that search for data hidden in slack space to software like FTK Imager for disk and memory acquisition and Autopsy for analysing the acquired images.
Bmap is an important tool for such investigations, and it is the main one discussed in this research.



· Bmap is a Linux tool that can write data into, read back, and wipe the slack space at the end of a file's last allocated block, so the same tool serves both to hide data and to detect data hidden in this way.

· File slack space is the leftover space on a hard disk drive between the end of a file's data and the end of the last block (or cluster) allocated to it by the operating system, which arises because space is allocated in whole blocks. (Rouse, 2016)

· Examining this area is a significant task for forensic examiners, because criminals hide files there and ordinary file operations, which stop at end-of-file, never show it. (Rouse, 2016)
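The following is an added example, not code from the original post and not bmap's own code, showing where file slack comes from and how an examiner inspects it. The "disk image" is a constructed in-memory byte string standing in for a raw device image, the 4096-byte block size is an assumed ext4 default, and the file contents and hidden payload are made-up values for illustration.

```python
"""File slack: how it arises and how to inspect it on a raw image (added example)."""

BLOCK_SIZE = 4096  # assumed filesystem block size (ext4 default); not stated on the page


def slack_size(file_size: int, block_size: int = BLOCK_SIZE) -> int:
    """Bytes left in the last allocated block after the file's own data.

    A zero-length file owns no block and therefore has no slack; a file that
    exactly fills its last block has none either.
    """
    if file_size == 0:
        return 0
    used_in_last = file_size % block_size
    return 0 if used_in_last == 0 else block_size - used_in_last


def build_image(contents: bytes, hidden: bytes = b"", block_size: int = BLOCK_SIZE) -> bytes:
    """Construct a single-file 'disk image': the file data padded out to a whole
    number of blocks, with optional hidden data placed in the slack region.

    This mimics what a data-hiding tool does: it writes past end-of-file into
    the tail of the block, which the file system never reports as file content.
    """
    slack = slack_size(len(contents), block_size)
    if len(hidden) > slack:
        raise ValueError(f"hidden data ({len(hidden)} B) exceeds slack ({slack} B)")
    padding = hidden + b"\x00" * (slack - len(hidden))
    return contents + padding


def read_slack(image: bytes, file_offset: int, file_size: int,
               block_size: int = BLOCK_SIZE) -> bytes:
    """Return the raw slack bytes of a file whose data starts at file_offset.

    A normal read() stops at EOF, so this reads the image directly, as an
    examiner would read the block device or its forensic copy.
    """
    start = file_offset + file_size
    return image[start:start + slack_size(file_size, block_size)]


def has_hidden_data(slack: bytes) -> bool:
    """On Linux the kernel normally zero-fills the unused tail of a partially
    written block, so any non-zero byte in slack warrants a closer look."""
    return any(slack)


def demo() -> tuple:
    """Constructed scenario: a short file with a message hidden in its slack."""
    contents = b"Quarterly report, nothing to see here.\n"   # constructed file data
    hidden = b"meet at 23:00, bring the drive"               # constructed hidden payload
    image = build_image(contents, hidden)
    slack = read_slack(image, 0, len(contents))
    return len(image), slack_size(len(contents)), has_hidden_data(slack), slack.rstrip(b"\x00")


if __name__ == "__main__":
    print(demo())
```

The point a first responder should take from this is that copying the file through the file system (cp, tar, a GUI copy) loses the slack entirely; only a block-level image of the device preserves it, which is one reason acquisition precedes analysis.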


First responders in computer forensics play a vital role in an investigation, as they are the first to arrive at the scene. Mishandling the evidence at this stage may have serious consequences for the whole investigation.

The main responsibilities and requirements of first responders are:

· To identify the crime scene(infosavvy, n.d.)

· To protect the crime scene(infosavvy, n.d.)

· To preserve temporary evidence(infosavvy, n.d.)

· To collect complete details about the incident(infosavvy, n.d.)

· To document all the findings(infosavvy, n.d.)

· To package and transport the electronic devices(infosavvy, n.d.)

· To gather preliminary information at the scene. (infosavvy, n.d.)




Experts in the field of computer forensics are bound by the ACPO principles for digital-based evidence. The Association of Chief Police Officers (ACPO) provides a set of guidelines for computer-based evidence built around four principles (forensiccontrol, 2019). These are:
· “Principle 1: No action taken by law enforcement agencies, persons employed within those agencies or their agents should change data which may subsequently be relied upon in court.” (Association of Chief Police Officers, 2012)
· “Principle 2: In circumstances where a person finds it necessary to access original data, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.” (Association of Chief Police Officers, 2012)
· “Principle 3: An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.” (Association of Chief Police Officers, 2012)
· “Principle 4: The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.” (Association of Chief Police Officers, 2012)


Operating systems are diverse and differ in architecture; the main focus of this essay is the Linux operating system.




Reference(s):
Rouse, M. (2016). Slack Space (File Slack Space). [online] WhatIs.com. Available at: <https://whatis.techtarget.com/definition/slack-space-file-slack-space> [Accessed 8 November 2020].

Infosavvy (n.d.). Roles of First Responder in Computer Forensics. [online] Available at: <https://info-savvy.com/roles-of-first-responder-in-computer-forensics/> [Accessed 8 November 2020].

Forensiccontrol.com (2019). ACPO Guidelines & Principles Explained. [online] Available at: <https://www.forensiccontrol.com/post/acpo-guidelines-principles-explained> [Accessed 8 November 2020].

Association of Chief Police Officers (2012). ACPO Good Practice Guide for Digital Evidence. p.6.

Comments

  2. Very interesting post. I am looking forward to reading about it and learning about computer forensics.
  3. Very good, Saleh. Try to expand on this topic and discuss a bit more about computer forensics, such as the ACPO principles, tools and techniques used, and first responder requirements.