The Fundamentals of Digital Forensics in Computer Reactive Security(2)
Computer forensics is the application of computer investigation techniques to thoroughly analyze digital media, software program, suite of applications, computer network resources, or a group of related cyber activities and therefore gather evidence suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a digital media or data component and who was responsible for it. Computer forensics is also known in certain quarters as Cyberforensics, digital forensics, digital analysis, data query.
Computer forensics is about obtaining the proof of an illegal misuse of computers in a way that could lead to the prosecution of the culprit. Most computer forensics are built on the assumption of adequate audit trails. In other words, Computer Forensics is the study of legal evidence found in computers, digital storage media, program codes and networks. The objective remains to explain the current state of a digital artifact; such as a computer system, storage medium (e.g. hard disk or CD-ROM), an electronic document (e.g. an email message or JPEG image file, audio files, etc).
In today’s highly advanced world, computer forensics has become a big industry utilizing the application of proven scientific methods and techniques in order to recover data from electronic and digital media or from distributed networks. Digital Forensic specialists work in the field as well as in the lab. In practical terms, Computer Forensics uses specialized techniques for recovery, authentication, and analysis of electronic data when a case involves issues relating to reconstruction of computer usage, examination of residual data, authentication of data by technical analysis or explanation of suspicious technical fault.
As a purely computer reactive security domain, computer forensics involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary purposes, while trying to unravel the root cause analysis.
Fig 1: Computer Forensic operations can be performed on any of these digital components
In a hypothetical case involving the investigation of unauthorized deletion of files, computer forensic investigators typically follow a standard set of procedures: After physically isolating the computer in question to make sure it cannot be accidentally contaminated, investigators make a digital copy of the hard drive. Once the original hard drive has been copied, it is locked in a safe or other secure storage facility to maintain its pristine condition. All investigation is done on the digital copy only.
Investigators use a variety of techniques and proprietary forensic applications to examine the hard drive copy, searching hidden folders and unallocated disk space for copies of deleted, encrypted, or damaged files. Any evidence found on the digital copy is carefully documented in a “finding report” and verified with the original in preparation for legal proceedings that involve discovery, depositions, or actual litigation. Today, computer forensics has become its own area of scientific expertise, with accompanying coursework and certification.
Special tools are used that can display information in a format useful to investigators. All digital evidence must be analyzed to determine the type of information that is stored upon it.
Computer forensic operation can be performed on a number of digital information systems including whole computers, networks, hard disk drives, biometric templates, digital cameras, flash drives, CDs, iPods, PDAs, calculators, digital watches, laptops, netbooks, remote control devices, blackberry phones, Cellphones, smart phones, digital scanners, digital phones, floppy drives, printers, etc.
APPLICATIONS OF COMPUTER FORENSICS
1. Investigation of computer-based financial crimes.
2. Legal evidence involving cybercrime.
3. Analysis of cyber breaches.
4. Cybersecurity breaches: A forensic analyst needs to localize the damage and determine how the system was compromised. This he does through a rigorous and methodical process that recognizes best practices in chain of custody.
5. Enhancing data security capabilities of digital systems.
6. Detecting violations of corporate computer policy.
7. Organizational discipline: Evaluating the information/data recovered to determine employee discipline and if and how it could be used again for decision purposes.
GLOBAL STANDARDS IN COMPUTER FORENSIC PROCEDURES
Practically, computer forensics requires specialized expertise that goes beyond normal data collection and preservation techniques available to end-users or system support personnel. These processes make use of specialized tools to gather, preserve, analyze and dispose digital evidence. In order for analyzed digital evidence to qualify for legal admissibility the entire process has to conform to global best practices in the field, although individual country’s legal systems also play a big role in this acceptance.
There are eight (8) expanded steps in performing basic computer forensics; although certain quarters tend to collapse multiple steps into one.
1. System isolation or acquisition: This is the investigator’s first exercise of physically or remotely obtaining possession of the digital system, computer, or any electronic device, all network/external physical storage devices mappings from the system. In the case of any other data processing systems other than a computer, physical security and custody must be provided to ensure that data is not tampered with. If the object of investigation is a network it must be locked down and all external accesses blocked.
2. Duplication: This is also called digital replication of media. It is the process of creating an exact duplicate of the original evidentiary media. This is done in order to have something to work with. It is also called media imaging.
3. Locking: The original media is then kept away. As a mandatory standard, all investigation is done on the duplicated digital copy, only.
4. Identification and analysis: This is also called digital examination or evaluation. This step involves identifying what data could be recovered and electronically retrieving it by running various Computer Forensic tools and software suites. Discovering data on computer system searches for encrypted, deleted, hidden files or damaged file information. If the machine is still active, any intelligence which can be gained by examining the applications currently open is recorded. If information stored solely in RAM is not recovered before powering down it may be lost. This results in the need to collect volatile data from the computer at the onset of the response.
5. Extraction: This is the analysis and interpretation of resident information in order to determine what can be used as evidence. At this stage, email trends are analyzed, usage patterns are reconstructed and historic bandwidth usages are profiled to generate a sequence.
6. Documentation and Reporting: Once the analysis is complete, a report is generated. This report may be a written report, oral testimony, or some combination of the two, but it comes very handy when it is a fully-documented piece. The report is usually presented in a manner that it can be sequentially understood and forensically provable.
7. Verification and comparison: A fair comparison is made with the original for the purpose of ascertaining that manipulations do not occur.
8. Presentation: The full report is then tendered as a sequence of events that are provable evidences of what might have initially happened. This step involves the presentation of evidence discovered in a manner which is understood by law enforcement agents, solicitors, non-technically staff/management, and suitable as evidence as determined by domiciliary laws.
BEST PRACTICES IN COMPUTER FORENSIC PRACTICE
The following are some of the widely-recognized codes of ethics in the practice of computer forensics.
i. Acquire an authority to act
A professional forensic examiner usually acts based on a formal authority to carry out an investigation for the purpose of producing a report that can be tendered as legal evidence in a court, a tribunal or any other informal form of adjudication such as a panel of inquiry in a government organ or large corporate establishment. This authority should be in writing and should state clearly the purpose of the exercise.
ii. Control every exposure to original media:
Original media must be securely kept away in its pristine form and never be used in data analysis or mining besides its initial procedural replication. This is usually a subject of serious legal controversy when the defense counsel suspects that the original media might have been tampered with. If proved, this is capable of nullifying the entire forensic report irrespective of how long it might have taken to prepare it.
iii. Document all evidence:
Forensic examiners must professionally document evidence-based facts without bias and influence. It is best to capture information the way they appear without baseless inferences.
iv. Maintain good chain of custody
Effective chain of custody must involve chronological documentation showing the seizure, custody, control, transfer, analysis, and disposition of evidence, both physical and electronic. Documents should include name or initials of the individual collecting the evidence, each person or entity subsequently having custody of it, dates the items were collected or transferred, agency and case number, victim’s or suspect’s name, and a brief description of the item.
v. Be thorough in data analysis
Analysis on data segments on the replicated media must be total, complete and forensically repeatable. This is usually achieved by allocating enough time for analysis, using advanced tools and engaging qualified forensic experts.
vi. Be accurate
Apply all sound professional principles in data handling to ensure that the accuracy level of the digital evidence is very high.
vii. Use a credible method of evidence presentation
- The mode of evidence presentation must not only be logical but ethically convincing and legally admissible.
-The timeline and chronology of events in a digital evidence report must be consistent, sequential and logically provable.
viii. Maintain ethical reasons for digital evidence
The motive for conducting a computer forensic operation must not be rooted out of personal aggrandizement, mischief-making, sabotage or blackmail. It must be clearly stated in the authority letter and be as concise as possible. The following is a partial list of possible reasons for conducting a digital forensic operation
-Theft or destruction of trade secrets and intellectual property.
- Data recovery from bad or encrypted hard disk, mobile phone, PDA or flash drive
- Fraud targeted at or facilitated by a computer or electronic information system.
- Extortion perpetrated with the aid of computer techniques.
-Industrial espionage carried out using the enablement of computer information systems and other advancements in IT.
-Distribution of pornographic or other explicit content using digital image manipulation software in addition to steganograpic techniques.
- Virus/Trojan distribution.
-Homicide investigations: Digital analysis of biometric variations and cross-matching.
- Unauthorized use of personal information.
- Digital forgery including data swapping, manipulation and substitution.
- Perjury facilitated by IT-based falsification of oath.
- Unauthorized tracking of internet browsing habits.
- Research-based reconstruction of digital activities and remote cyber events.
- Unauthorized selling or tapping of a company’s internet bandwidth Investigation of wrongful dismissal claims.
- Analysis of the source and identity of cyber harassment in blogs and social media portals.
- Investigation of software Piracy cases.
1. Sherlock Holmes (Arthur Conan Doyle) series featuring Dr. Watson. Sherlock Holmes is a fictional character of the late 19th and early 20th centuries, known for his ability to take almost any disguise, and his forensic science skills to solve difficult cases. Recently in 2009, Sherlock Holmes movies have premiered as an action mystery film based on the character of the same name created by Sir Arthur Conan Doyle. Holmes investigates a series of murders, apparently connected to occult rituals. The film went on general release in the United States on December 25, 2009, and on December 26, 2009 in the UK.
2. Digital forensic reconstruction of the flight route of the US Airways emergency plane landing in River Hudson on January 17th, 2009 owing to a bird strike.