Business Daily from THE HINDU group of publications
Monday, Nov 03, 2008
eWorld - Security

Work on original or back-up?
Which is your choice?

Adith Charlie

In the e-forensics context, another debate that rages on concerns the procedure the forensics scientist adopts to retrieve data. According to Vijay Mukhi, Chairman of FICCI-IT cell, most cyber forensics experts generally work on the original device (say a laptop which has been used for a cyber crime), and not on the back-up copy as in other developed countries.

However, Goyal of Sysman disagrees: “The cardinal principle in eforensics is to never work on the original device. We generally create a master image of the original and carve out several child images out of the master image. We would work only on the child images and not even on the master image.” Working on the original could potentially destroy the evidence and give rise to the claim that the evidence has been planted.

C-DAC says in a note on the cyberforensics.in Web site: “In the event of a suspected computer incident, care must be taken to preserve evidence in its original state. While it may seem that simply viewing files on a system would not result in alteration of the original media, opening a file changes it.” It further notes that: “From a legal sense, it is no longer the original evidence and may be inadmissible in any subsequent legal or administrative proceedings.”

However, the Hyderabad-based forensics scientist says that certain situations demand working on the original device with which the cyber crime has been committed. Taking a back-up copy of a server would demand switching off the server for several hours; this would not be feasible for many data-centric organisations. Moreover, hard disk imaging is a costly affair; it costs anywhere between Rs 5,000 and Rs 25,000 to image one hard disk.

Today, there are several Linux-based tools that enable live forensics, the scientist says. “The entire computer system (which is the centre of the cyber crime) can be viewed and accessed using a CD. By the very nature of the tool, nothing on the computer can be altered.” Hence, the original copy could still be admissible in a court of law.
Copyright © 2008, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line.