
Cardinal Rules of Cyber Forensic

The document outlines the cardinal rules of cyber forensics, emphasizing the importance of preserving evidence and maintaining its integrity during investigations. Key rules include never mishandling evidence, not working on original evidence, and ensuring that results are repeatable and verifiable. Adhering to these rules is crucial for the admissibility of evidence in court.

Uploaded by

sanskrati116-20
Copyright: © All Rights Reserved

Subject: FORENSIC SCIENCE

Paper No. and Title: PAPER No.16: Digital Forensics

Module No. and Title: MODULE No. 26: Cardinal Rules of Cyber Forensic

Module Tag: FSC_P16_M26

FORENSIC SCIENCE PAPER No.16: Digital Forensics


MODULE No. 26: Cardinal Rules of Cyber Forensic
TABLE OF CONTENTS

1. Learning Outcomes

2. Introduction

3. Cardinal rules of Cyber Forensic


3.1 Never Mishandle the Evidence
3.1.1 Disk imaging tool top level requirement
3.1.2 Importance of Imaging
3.1.3 Chain of custody
3.2 Never work on the Original Evidence
3.3 Never Trust the Subject’s Operating System
3.4 Document Everything
3.5 The results should be repeatable and verifiable by a third party
4. Summary

1. Learning Outcomes

After studying this module, you shall know:

• What are the cardinal rules?
• Why are cardinal rules necessary in the cyber forensic world?
• What procedure to follow?
• What precautions to take?

2. Introduction

The role of a computer forensic professional is to collect evidence from a suspect’s
computer and to take a systematic approach to determining whether or not the suspect
committed a crime.

Before the investigator works on the case, certain rules and procedures must be followed.
The cardinal rules have evolved to facilitate a forensically sound examination of
computer media and to enable a forensic professional to testify in court about
their handling of a particular piece of evidence.

If appropriate forensic tools and techniques are applied, the same results are obtained
irrespective of who examines the media or which specific tools and techniques
are employed.

3. The Cardinal Rules of Cyber Forensic

There are basically five cardinal rules to be followed systematically by a cyber forensic
examiner.
3.1 Never Mishandle the Evidence
3.2 Never work on the Original Evidence
3.3 Never Trust the Subject’s Operating System
3.4 Document Everything
3.5 The results should be repeatable and verifiable by a third party

3.1 Never Mishandle the Evidence

The first cardinal rule says to preserve the evidence, which means that the evidence
should not be tampered with or contaminated. Secure collection of evidence is
important to guarantee the evidential integrity and security of information. The best
approach for this is to use a disk imaging tool. Choosing and using the right imaging
tool is very important in a cyber forensics investigation.

3.1.1 Disk imaging tool top level requirement

• The tool shall make a bit-stream duplicate or an image of an original disk or
partition on fixed or removable media.
• The tool shall not alter the original disk.
• The tool shall be able to verify the integrity of a disk image file.
• The tool shall log I/O errors.
• The tool should provide good documentation.

3.1.2 Importance of Imaging:

To preserve the original evidence, a forensic copy or image of the original data is made
using specialized software and a write blocker so that the integrity of the evidence is not altered.
The analysis is then done on the forensic copy of the evidence. The original evidence is to be
preserved in safe custody.

3.1.3 Chain of Custody:

To document the evidence, such as who recovered the evidence and when, and who
possessed it and when, a chain-of-evidence form is generated and filled in, which helps the
examiner to document what has and has not been done with both the original evidence
and the forensic copies of the evidence.

3.2 Never Work on the Original Evidence

The second cardinal rule says not to work on the original evidence, as digital evidence
is very fragile in nature. To maintain the integrity of the digital evidence and avoid any
unknowing alteration, preserve the original evidence in its pristine condition.

Pros and cons of using original evidence:

It is easier to work on the original evidence and the cost related to it is also low.
If analyzed directly, the digital evidence will lose its integrity and authenticity and will not
be admissible in any court.

3.3 Never Trust the Subject’s Operating System

A computer criminal can modify routine operating system commands so that they perform
destructive actions. Using the subject’s operating system could easily destroy data
with just a few keystrokes. When the subject computer starts, booting to the hard disk
overwrites and changes evidentiary data.

To make sure that data is not altered, we need to monitor the subject’s computer during
the initial bootstrap to identify the correct key to use to access the CMOS setup.

3.4 Document Everything

To document the evidence, a chain-of-evidence form is created. It serves the following
functions:

• Identify the evidence.
• A legal authority copy should be obtained.
• Chain of custody, including the initial count of evidence to be examined.
• Information regarding the packaging and condition of the evidence upon receipt
by the examiner.
• Lists the dates and times the evidence was handled.
• Documentation should be preserved according to the examiner’s agency policy.

3.5 The results should be repeatable and verifiable by a third party

The fifth cardinal rule says that the analysis done on the evidence should be completely
audited by a third party. To establish the integrity of information, a cryptographic hash
value, such as MD5 or SHA-1, is calculated so that it can be proven to the courts.

Chain of custody forms are created if evidence is used in court or verified by any third
party. The same process can be conducted and verified by any expert or person.
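
The imaging requirements in 3.1.1 and the hash check in 3.5, shown in Python as an added example that is not part of the original module: it makes a bit-for-bit copy, records digests while acquiring, and re-verifies them the way a third party would. SHA-256 is computed alongside the MD5 and SHA-1 the module names, because practical collision attacks exist for both of those; the function names, file names and the temporary file standing in for seized media are constructed for illustration.

```python
import hashlib
import os
import tempfile

ALGOS = ("md5", "sha1", "sha256")  # sha256 is an addition to the two the module names


def _stream_hash(src, dst=None, chunk=1 << 20):
    """Read src to the end in chunks, hashing each block (and copying it if dst is given)."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    for block in iter(lambda: src.read(chunk), b""):
        for h in hashers.values():
            h.update(block)
        if dst is not None:
            dst.write(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire(source, image):
    """Bit-for-bit copy; source is opened read-only, an existing image is never overwritten."""
    with open(source, "rb") as src, open(image, "xb") as dst:
        return _stream_hash(src, dst)


def verify(path, recorded):
    """Re-hash independently, as a third party would, and compare with the recorded digests."""
    with open(path, "rb") as fh:
        return _stream_hash(fh) == recorded


def demo():
    """Constructed sample: a temporary file stands in for the seized media."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "evidence.bin")
        image = os.path.join(tmp, "evidence.img")
        with open(source, "wb") as fh:
            fh.write(os.urandom(3 * (1 << 20) + 17))  # not a multiple of the chunk size
        recorded = acquire(source, image)
        intact = verify(image, recorded) and verify(source, recorded)
        with open(image, "r+b") as fh:  # simulate a one-bit accidental change to the copy
            fh.seek(1000)
            byte = fh.read(1)
            fh.seek(1000)
            fh.write(bytes([byte[0] ^ 0x01]))
        return intact, verify(image, recorded)


if __name__ == "__main__":
    print(demo())
```

The digests returned by `acquire` are what would be written on the chain-of-evidence form; any later examiner can run `verify` on the working copy and get the same answer.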

4. Summary

• Recognizing the fragile nature of digital data, the major task is to preserve the
evidence against accidental or intentional manipulation.
• Stick to the methodology and cardinal rules of computer forensics, then perform
analysis and presentation of the evidence, so that the prime objective of computer
forensics is met and the evidence is accepted by the court of law.
