
Wednesday, 20 June 2018


Digital forensics (sometimes known as digital forensic science) is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. The term digital forensics was originally used as a synonym for computer forensics but has expanded to cover the investigation of all devices capable of storing digital data. With roots in the personal computing revolution of the late 1970s and early 1980s, the discipline evolved in a haphazard manner during the 1990s, and it was not until the early 21st century that national policies emerged.

Digital forensic investigations have a variety of applications. The most common is to support or refute a hypothesis before criminal or civil courts. Criminal cases involve the alleged breaking of laws that are defined by legislation and enforced by the police and prosecuted by the state, such as murder, theft and assault against the person. Civil cases, on the other hand, deal with protecting the rights and property of individuals (often associated with family disputes) but may also concern contractual disputes between commercial entities, where a form of digital forensics referred to as electronic discovery (ediscovery) may be involved.

Forensics may also feature in the private sector, for example during internal corporate investigations or intrusion investigations (a specialist inquiry into the nature and extent of an unauthorized network intrusion).

The technical aspects of an investigation are divided into several sub-branches, relating to the type of digital device involved: computer forensics, network forensics, forensic data analysis, and mobile device forensics. The typical forensic process encompasses the seizure, forensic imaging (acquisition) and analysis of digital media, and the production of a report on the evidence collected.

As well as identifying direct evidence of a crime, digital forensics can be used to attribute evidence to specific suspects, confirm alibis or statements, determine intent, identify sources (for example, in copyright cases), or authenticate documents. Investigations have a much broader scope than other areas of forensic analysis (where the usual aim is to answer a series of simpler questions), often involving complex timelines or hypotheses.


History

Prior to the 1980s, crimes involving computers were dealt with using existing laws. The first computer crimes were recognized in the 1978 Florida Computer Crimes Act, which included legislation against the unauthorized modification or deletion of data on a computer system. Over the next few years the range of computer crimes being committed increased, and laws were passed to deal with copyright, privacy/harassment issues (e.g., cyberbullying, cyberstalking and online predators) and child pornography. It was not until the 1980s that federal laws began to incorporate computer offences. Canada was the first country to pass legislation, in 1983. This was followed by the US Federal Computer Fraud and Abuse Act in 1986, Australian amendments to their crimes acts in 1989 and the British Computer Misuse Act in 1990.

1980s-1990s: Growth of the field

The growth in computer crime during the 1980s and 1990s caused law enforcement agencies to begin establishing specialized groups, usually at the national level, to handle the technical aspects of investigations. For example, in 1984 the FBI launched a Computer Analysis and Response Team, and the following year a computer crime department was set up within the British Metropolitan Police fraud squad. As well as being law enforcement professionals, many of the early members of these groups were also computer hobbyists and became responsible for the field's initial research and direction.

One of the first practical (or at least publicized) examples of digital forensics was Cliff Stoll's pursuit of hacker Markus Hess in 1986. Stoll, whose investigation made use of computer and network forensic techniques, was not a specialized examiner. Many of the earliest forensic examinations followed the same profile.

Throughout the 1990s there was high demand for this new, and basic, investigative resource. The strain on central units led to the creation of regional, and even local, groups to help handle the load. For example, the British National Hi-Tech Crime Unit was set up in 2001 to provide a national infrastructure for computer crime, with personnel located both centrally in London and with the various regional police forces (the unit was folded into the Serious Organised Crime Agency (SOCA) in 2006).

During this period the science of digital forensics grew from the ad-hoc tools and techniques developed by these hobbyist practitioners. This is in contrast to other forensic disciplines, which developed from work by the scientific community. It was not until 1992 that the term "computer forensics" was used in academic literature (although prior to this it had been in informal use); a paper by Collier and Spaul attempted to justify this new discipline to the forensic science world. This swift development resulted in a lack of standardization and training. In his 1995 book, "High-Technology Crime: Investigating Cases Involving Computers", K. Rosenblatt wrote:

Seizing, preserving, and analyzing evidence stored on computers is the biggest forensic challenge facing law enforcement in the 1990s. Although most forensic tests, such as fingerprints and DNA tests, are performed by specially trained experts, the task of collecting and analyzing computer evidence is often assigned to patrol and detective officers.

2000s: Developing standards

Since 2000, in response to the need for standardization, various bodies and agencies have published guidelines for digital forensics. The Scientific Working Group on Digital Evidence (SWGDE) produced a paper in 2002, "Best Practices for Computer Forensics", which was followed in 2005 by the publication of an ISO standard (ISO 17025, General requirements for the competence of testing and calibration laboratories). A European-led international treaty, the Convention on Cybercrime, came into force in 2004 with the aim of reconciling national computer crime laws, investigative techniques and international co-operation. The treaty has been signed by 43 nations (including the US, Canada, Japan, South Africa, the UK and other European nations) and ratified by 16.

The issue of training also received attention. Commercial companies (often forensic software developers) began to offer certification programs, and digital forensic analysis was included as a topic at the UK specialist investigator training facility, Centrex.

Since the late 1990s mobile devices have become more widely available, advancing beyond simple communication devices, and have been found to be rich sources of information, even for crimes not traditionally associated with digital forensics. Despite this, digital analysis of phones has lagged behind traditional computer media, largely due to problems over the proprietary nature of the devices.

The focus has also shifted onto Internet crime, particularly the risk of cyber warfare and cyberterrorism. A February 2010 report by the United States Joint Forces Command concluded:

Through cyberspace, enemies will target industry, academia, government, and the military in the air, land, maritime, and space domains. In the same way that air power transformed the battlefield of World War II, cyberspace has broken the physical barriers that shield a nation from attacks on its commerce and communications.

The field of digital forensics still faces unresolved issues. A 2009 paper, "Digital Forensic Research: The Good, the Bad and the Unaddressed", by Peterson and Shenoi identified a bias towards the Windows operating system in digital forensics research. In 2010 Simson Garfinkel identified issues facing future digital investigations, including the increasing size of digital media, the wide availability of encryption to consumers, a growing variety of operating systems and file formats, an increasing number of individuals owning multiple devices, and legal limitations on investigators. The paper also identified continued training issues, as well as the prohibitively high cost of entering the field.

Development of forensic tools

During the 1980s very few specialized digital forensic tools existed, and consequently investigators often performed live analysis on media, examining computers from within the operating system using existing sysadmin tools to extract evidence. This practice carried the risk of modifying data on the disk, either inadvertently or otherwise, which led to claims of evidence tampering. A number of tools were created during the early 1990s to address the problem.

The need for such software was first recognized in 1989 at the Federal Law Enforcement Training Center, resulting in the creation of IMDUMP (by Michael White) and, in 1990, SafeBack (developed by Sydex). Similar software was developed in other countries; DIBS (a hardware and software solution) was released commercially in the UK in 1991, and Rob McKemmish released Fixed Disk Image free to Australian law enforcement. These tools allowed examiners to create an exact copy of a piece of digital media to work on, leaving the original disk intact for verification. By the end of the 1990s, as demand for digital evidence grew, more advanced commercial tools such as EnCase and FTK were developed, allowing analysts to examine copies of media without using any live forensics. More recently, a trend towards "live memory forensics" has grown, resulting in the availability of tools such as WindowsSCOPE.

More recently the same progression of tool development has occurred for mobile devices; investigators …

The digital forensics market is witnessing strong growth globally with increasing digitization worldwide. Digitization has expanded the cyber market and also the threats that come with it. It has been observed that hackers have increasingly attacked the network layer rather than the application layer. Distributed denial of service (DDoS) attacks have become a common technique for stealing confidential information from organizations. This technique allows hackers to send malicious data to users' web servers and network resources in order to increase traffic. Further examples of cyber attacks will continue to support the growth of the digital forensics market worldwide. However, the market may face some growth restrictions because people are still unaware of forensic technology, particularly in some Eastern European countries compared with other regions.

The forensic process

Digital forensic investigations commonly consist of 3 stages: acquisition or imaging of exhibits, analysis, and reporting. Ideally, acquisition involves capturing an image of the computer's volatile memory (RAM) and creating an exact sector-level duplicate (or "forensic duplicate") of the media, often using a write-blocking device to prevent modification of the original. However, the growth in size of storage media and developments such as cloud computing have led to more use of 'live' acquisitions, whereby a 'logical' copy of the data is acquired rather than a complete image of the physical storage device. Both the acquired image (or logical copy) and the original media/data are hashed (using an algorithm such as SHA-1 or MD5) and the values compared to verify that the copy is accurate.
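The acquisition and verification step described above, as an added worked example (this code is not from the article or from any of the tools it names): a sector-level copy of a constructed four-sector "device" is made while its bytes are hashed, then the original and the copy are re-hashed independently and all digests compared. MD5 and SHA-1 are the algorithms the article mentions; SHA-256 is included alongside them because current practice records a collision-resistant digest as well. The sample device, the sector size and the `demonstrate()` helper are assumptions made for the example.

```python
import hashlib
import io

SECTOR_SIZE = 512
HASH_ALGORITHMS = ("md5", "sha1", "sha256")  # MD5/SHA-1 as named in the article, plus SHA-256


def pad_sector(data: bytes) -> bytes:
    """Zero-pad a byte string to one sector (helper for building the constructed device)."""
    return data.ljust(SECTOR_SIZE, b"\x00")


# Constructed sample "physical device" of four sectors; this is not a real disk image.
SAMPLE_DEVICE = b"".join([
    pad_sector(b"BOOT"),
    pad_sector(b"user document: quarterly report"),
    pad_sector(b"\xff" * SECTOR_SIZE),
    pad_sector(b""),
])


def acquire_image(source, image, chunk_size: int = SECTOR_SIZE) -> dict:
    """Sector-level copy of `source` into `image`, hashing the bytes as they are read.

    The returned digests describe exactly what was read from the source during
    acquisition, so they are the values to record as the acquisition hashes.
    """
    hashers = {alg: hashlib.new(alg) for alg in HASH_ALGORITHMS}
    source.seek(0)
    image.seek(0)
    while True:
        block = source.read(chunk_size)
        if not block:
            break
        image.write(block)
        for h in hashers.values():
            h.update(block)
    image.flush()
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def hash_stream(stream, chunk_size: int = SECTOR_SIZE) -> dict:
    """Independently hash a readable byte stream from its start (used at verification time)."""
    hashers = {alg: hashlib.new(alg) for alg in HASH_ALGORITHMS}
    stream.seek(0)
    while True:
        block = stream.read(chunk_size)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def verify_image(original, image, acquisition_hashes: dict) -> tuple:
    """Re-hash the original and the image and compare them with the acquisition digests.

    Returns (ok, report); `report` maps each algorithm to the three hex digests
    (acquisition, original, image) so they can be copied into the examination notes.
    """
    original_hashes = hash_stream(original)
    image_hashes = hash_stream(image)
    report = {}
    ok = True
    for alg in HASH_ALGORITHMS:
        triple = (acquisition_hashes[alg], original_hashes[alg], image_hashes[alg])
        report[alg] = triple
        if len(set(triple)) != 1:   # any disagreement means the copy cannot be relied on
            ok = False
    return ok, report


def demonstrate() -> tuple:
    """Acquire the sample device, verify the copy, then show that a one-bit change is caught."""
    image = io.BytesIO()
    acquired = acquire_image(io.BytesIO(SAMPLE_DEVICE), image)
    good, _ = verify_image(io.BytesIO(SAMPLE_DEVICE), image, acquired)

    tampered = bytearray(SAMPLE_DEVICE)
    tampered[SECTOR_SIZE + 5] ^= 0x01   # flip one bit inside the second sector
    bad, _ = verify_image(io.BytesIO(SAMPLE_DEVICE), io.BytesIO(bytes(tampered)), acquired)
    return good, bad


if __name__ == "__main__":
    good, bad = demonstrate()
    print("clean copy verifies:", good)      # True
    print("modified copy verifies:", bad)    # False
```

Hashing during the copy rather than afterwards means the recorded digest reflects the bytes actually read at acquisition time; re-hashing the original afterwards is what shows the write blocker did its job, and re-hashing the image is what shows the copy is complete.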

An alternative (and patented) approach (dubbed 'hybrid forensics' or 'distributed forensics') combines digital forensics and ediscovery processes. This approach has been implemented in a commercial tool called ISEEK, which was presented together with test results at a conference in 2017.

During the analysis phase an investigator recovers evidential material using a number of different methodologies and tools. In 2002, an article in the International Journal of Digital Evidence referred to this step as "an in-depth systematic search for evidence related to the suspected crime." In 2006, forensics researcher Brian Carrier described an "intuitive procedure" in which obvious evidence is first identified and then "a complete search is made to begin filling the holes."

The actual process of analysis can vary between investigations, but common methodologies include conducting keyword searches across the digital media (within files as well as in unallocated and slack space), recovering deleted files, and extracting registry information (for example to list user accounts or attached USB devices).
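Two of the methodologies just listed, keyword searching that covers unallocated space and recovery of deleted files, as an added example (this is not code from the article or from any forensic suite). It assumes a constructed six-sector image of a toy filesystem whose allocation table lists only live files; a deleted PDF-like file has lost its table entry but its data remains in sectors 2 and 3. A search for a keyword reports whether each hit sits inside an allocated file or in unallocated space, and a signature-based carver recovers the deleted file from its header and footer without any filesystem metadata.

```python
import re

SECTOR_SIZE = 512


def pad_sector(data: bytes) -> bytes:
    """Zero-pad to one sector (helper for building the constructed image)."""
    return data.ljust(SECTOR_SIZE, b"\x00")


# Constructed image (assumption: a flat allocation table that lists only live files).
IMAGE = b"".join([
    pad_sector(b"TOYFS superblock"),                           # sector 0: metadata
    pad_sector(b"meeting with supplier about invoice 4471"),  # sector 1: notes.txt (allocated)
    pad_sector(b"%PDF-1.4 invoice 4471 payment details"),     # sector 2: deleted PDF, head
    pad_sector(b"...continued\n%%EOF"),                        # sector 3: deleted PDF, tail
    pad_sector(b"todo: call supplier"),                        # sector 4: todo.txt (allocated)
    pad_sector(b""),                                           # sector 5: never used
])
ALLOCATION_TABLE = [
    {"name": "notes.txt", "start_sector": 1, "sectors": 1},
    {"name": "todo.txt", "start_sector": 4, "sectors": 1},
]


def owner_of(offset: int, table=ALLOCATION_TABLE):
    """Name of the allocated file covering a byte offset, or None if it is unallocated."""
    for entry in table:
        start = entry["start_sector"] * SECTOR_SIZE
        end = start + entry["sectors"] * SECTOR_SIZE
        if start <= offset < end:
            return entry["name"]
    return None


def keyword_search(image: bytes, keyword: str, table=ALLOCATION_TABLE) -> list:
    """Case-insensitive search over the whole image, live files and unallocated space alike.

    Each hit records the byte offset, the sector, and whether it lies inside an
    allocated file (and which one) or in unallocated space.
    """
    pattern = re.compile(re.escape(keyword.encode("ascii")), re.IGNORECASE)
    hits = []
    for match in pattern.finditer(image):
        offset = match.start()
        owner = owner_of(offset, table)
        hits.append({
            "offset": offset,
            "sector": offset // SECTOR_SIZE,
            "location": f"allocated:{owner}" if owner else "unallocated",
        })
    return hits


def carve(image: bytes, header: bytes, footer: bytes, max_len: int = 4 * SECTOR_SIZE) -> list:
    """Signature-based file carving: each header followed by a footer within `max_len`
    bytes yields one (offset, data) candidate, recovering files that have no table entry."""
    found = []
    pos = 0
    while True:
        start = image.find(header, pos)
        if start == -1:
            break
        end = image.find(footer, start + len(header), start + max_len)
        if end != -1:
            found.append((start, image[start:end + len(footer)]))
            pos = end + len(footer)
        else:
            pos = start + len(header)   # header with no footer in range: skip it
    return found


if __name__ == "__main__":
    for hit in keyword_search(IMAGE, "invoice 4471"):
        print(hit)
    for offset, data in carve(IMAGE, b"%PDF-", b"%%EOF"):
        print(f"carved {len(data)} bytes at offset {offset}: {data[:40]!r}...")
```

The carved output keeps the zero padding between the two sectors, which is exactly what a carver sees on real media; the allocation lookup is what lets an examiner say in the report that a hit came from a live file rather than from residue of a deleted one.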

The evidence recovered is analysed to reconstruct events or actions and to reach conclusions, work that can often be performed by less specialised staff. When an investigation is complete the data is presented, usually in the form of a written report, in lay terms.

Applications

Digital forensics is commonly used in both criminal law and private investigation. Traditionally it has been associated with criminal law, where evidence is collected to support or oppose a hypothesis before the courts. As with other areas of forensics this is often part of a wider investigation spanning a number of disciplines. In some cases the collected evidence is used as a form of intelligence gathering, for purposes other than court proceedings (for example to locate, identify or halt other crimes). As a result, intelligence gathering is sometimes held to a less strict forensic standard.

In civil litigation or corporate matters digital forensics forms part of the electronic discovery (or eDiscovery) process. Forensic procedures are similar to those used in criminal investigations, often with different legal requirements and limitations. Outside of the courts, digital forensics can form part of internal corporate investigations.

A common example would be following an unauthorized network intrusion. A specialist forensic examination into the nature and extent of the attack is performed as a damage limitation exercise, both to establish the extent of any intrusion and in an attempt to identify the attacker. Such attacks were commonly conducted over phone lines during the 1980s, but in the modern era are usually propagated over the Internet.

The main focus of digital forensics investigations is to recover objective evidence of a criminal activity (termed actus reus in legal parlance). However, the diverse range of data held in digital devices can help with other areas of inquiry.

Attribution
Meta data and other logs can be used to attribute actions to an individual. For example, personal documents on a computer drive might identify its owner.
Alibis and statements
Information provided by those involved can be cross-checked with digital evidence. For example, during the investigation into the Soham murders the offender's alibi was disproved when mobile phone records of the person he claimed to have been with showed that person was out of town at the time.
Intent
As well as finding objective evidence of a crime being committed, investigations can also be used to prove intent (known by the legal term mens rea). For example, the Internet history of convicted killer Neil Entwistle included references to a site discussing How to kill people.
Source evaluation
File artefacts and meta-data can be used to identify the origin of a particular piece of data; for example, older versions of Microsoft Word embedded a Global Unique Identifier into files, which identified the computer on which the file had been created. Proving whether a file was produced on the digital device being examined or obtained from elsewhere (e.g., the Internet) can be very important.
Authenticate documents
Related to "Source evaluation," meta data associated with digital documents can be easily modified (for example, by changing the computer clock you can affect the creation date of a file). Document authentication is concerned with detecting and identifying falsification of such details.
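One way an examiner looks for the kind of falsification described under "Authenticate documents", as an added example (not from the article): filesystem timestamps and the document's own embedded dates are checked against each other and against the documented acquisition time, and each file is given a list of inconsistency flags. The records, the acquisition time and the heuristics (a creation time later than the last modification, any timestamp later than the acquisition, embedded dates newer than the filesystem's last write) are assumptions made for the example; a flag is a prompt for further examination, not proof of tampering, since copying a file or a mis-set clock produces the same patterns.

```python
from datetime import datetime, timedelta, timezone

# Constructed acquisition time (assumption): when the exhibit was imaged.
ACQUIRED_AT = datetime(2018, 6, 20, 9, 0, tzinfo=timezone.utc)

# Constructed metadata records, as an examiner might export them from an image.
# fs_* are filesystem timestamps, doc_* are the dates embedded by the application.
RECORDS = [
    {   # consistent: created before modified, everything before acquisition
        "name": "report.docx",
        "fs_created": datetime(2018, 3, 1, 10, 0, tzinfo=timezone.utc),
        "fs_modified": datetime(2018, 3, 5, 14, 30, tzinfo=timezone.utc),
        "doc_created": datetime(2018, 3, 1, 10, 0, tzinfo=timezone.utc),
        "doc_modified": datetime(2018, 3, 5, 14, 30, tzinfo=timezone.utc),
    },
    {   # filesystem creation later than last modification: a file copied onto the
        # device, or a clock that was set back before the file was written
        "name": "contract.pdf",
        "fs_created": datetime(2018, 5, 20, 8, 0, tzinfo=timezone.utc),
        "fs_modified": datetime(2016, 1, 15, 12, 0, tzinfo=timezone.utc),
        "doc_created": datetime(2016, 1, 15, 11, 0, tzinfo=timezone.utc),
        "doc_modified": datetime(2016, 1, 15, 12, 0, tzinfo=timezone.utc),
    },
    {   # timestamps after the acquisition time: wrong clock or edited values
        "name": "memo.txt",
        "fs_created": datetime(2019, 1, 1, 0, 0, tzinfo=timezone.utc),
        "fs_modified": datetime(2019, 1, 1, 0, 0, tzinfo=timezone.utc),
        "doc_created": None,
        "doc_modified": None,
    },
]

TIMESTAMP_KEYS = ("fs_created", "fs_modified", "doc_created", "doc_modified")


def check_record(rec: dict, acquired_at: datetime) -> list:
    """Return the inconsistency flags for one file's metadata (empty list = consistent)."""
    flags = []
    if rec["fs_created"] > rec["fs_modified"]:
        flags.append("fs_created_after_modified")
    for key in TIMESTAMP_KEYS:
        value = rec.get(key)
        if value is not None and value > acquired_at:
            flags.append(f"{key}_after_acquisition")
    doc_created, doc_modified = rec.get("doc_created"), rec.get("doc_modified")
    if doc_created and doc_modified and doc_created > doc_modified:
        flags.append("doc_created_after_modified")
    # The application writes its embedded dates before the file is saved, so they should
    # not be newer than the filesystem's last-write time (one minute of slack for rounding).
    if doc_modified and doc_modified > rec["fs_modified"] + timedelta(minutes=1):
        flags.append("doc_modified_after_fs_modified")
    return flags


def audit(records, acquired_at=ACQUIRED_AT) -> dict:
    """Map file name -> flags for every record that has at least one inconsistency."""
    findings = {}
    for rec in records:
        flags = check_record(rec, acquired_at)
        if flags:
            findings[rec["name"]] = flags
    return findings


if __name__ == "__main__":
    for name, flags in audit(RECORDS).items():
        print(name, "->", ", ".join(flags))
```

Checking the embedded application dates against the filesystem dates is what makes this more than a clock check: someone who resets the system clock before saving a file changes both sets together, but someone who edits only the filesystem timestamps afterwards leaves the embedded dates behind as a witness.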

Limitations

One major limitation to a forensic investigation is the use of encryption; this disrupts the initial examination, in which pertinent evidence might be located using keywords. Laws to compel individuals to disclose encryption keys are still relatively new and controversial.

Legal considerations

The examination of digital media is covered by national and international legislation. For civil investigations in particular, laws may restrict the ability of analysts to undertake examinations. Restrictions against network monitoring, or the reading of personal communications, often exist. During criminal investigations, national laws restrict how much information can be seized. For example, in the United Kingdom seizure of evidence by law enforcement is governed by the PACE act. During its early existence the "International Organization on Computer Evidence" (IOCE) was one agency that worked to establish compatible international standards for the seizure of evidence.

In the UK the same laws covering computer crime can also affect forensic investigators. The 1990 Computer Misuse Act legislates against unauthorized access to computer material; this is a particular concern for civil investigators, who have more limitations than law enforcement.

An individual's right to privacy is one area of digital forensics which is still largely undecided by the courts. The US Electronic Communications Privacy Act places limitations on the ability of law enforcement or civil investigators to intercept and access evidence. The act makes a distinction between stored communication (e.g. email archives) and transmitted communication (such as VOIP). The latter, being considered more of a privacy invasion, is harder to obtain a warrant for. The ECPA also affects the ability of companies to investigate the computers and communications of their employees, an aspect that is still under debate as to the extent to which a company can perform such monitoring.

Article 5 of the European Convention on Human Rights asserts similar privacy limitations to the ECPA and limits the processing and sharing of personal data both within the EU and with external countries. The ability of UK law enforcement to conduct digital forensics investigations is legislated by the Regulation of Investigatory Powers Act.

Digital evidence

When used in a court of law, digital evidence falls under the same legal guidelines as other forms of evidence; courts do not usually require more stringent guidelines. In the United States the Federal Rules of Evidence are used to evaluate the admissibility of digital evidence; the United Kingdom's PACE and Civil Evidence acts have similar guidelines, and many other countries have their own laws. US federal laws restrict seizures to items with only obvious evidential value. This is acknowledged as not always being possible to establish with digital media prior to an examination.

Laws dealing with digital evidence are concerned with two issues: integrity and authenticity. Integrity is ensuring that the act of seizing and acquiring digital media does not modify the evidence (either the original or the copy). Authenticity refers to the ability to confirm the integrity of information; for example, that the imaged media matches the original evidence. The ease with which digital media can be modified means that documenting the chain of custody from the crime scene, through analysis and, ultimately, to the court (a form of audit trail) is essential to establishing the authenticity of the evidence.
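The chain of custody audit trail mentioned above, as an added example of one way to record it (not from the article, and not the format any agency prescribes): each custody event carries the exhibit's acquisition hash and the hash of the previous entry, so editing, removing or reordering an earlier entry breaks every link after it. The custodians, timestamps and exhibit hash are constructed values.

```python
import hashlib
import json


def entry_hash(entry: dict) -> str:
    """SHA-256 over a canonical JSON encoding of an entry (fixed key order and spacing)."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append_entry(chain: list, custodian: str, action: str, evidence_sha256: str, when: str) -> dict:
    """Append one custody event; it records the previous entry's hash, linking the log."""
    prev = chain[-1]["entry_hash"] if chain else "0" * 64
    body = {
        "seq": len(chain),
        "timestamp": when,
        "custodian": custodian,
        "action": action,
        "evidence_sha256": evidence_sha256,
        "prev_hash": prev,
    }
    body["entry_hash"] = entry_hash(body)   # the hash covers every field except itself
    chain.append(body)
    return body


def verify_chain(chain: list, evidence_sha256: str) -> tuple:
    """Recompute every link. Returns (True, None) or (False, description of the first break).

    Checks that each entry's stored hash matches its content, that each prev_hash matches
    the previous entry, that sequence numbers run 0..n-1, and that the recorded evidence
    hash never changes from the acquisition value.
    """
    expected_prev = "0" * 64
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["seq"] != i:
            return False, f"entry {i}: sequence number {entry['seq']}"
        if entry["prev_hash"] != expected_prev:
            return False, f"entry {i}: prev_hash does not match entry {i - 1}"
        if entry_hash(body) != entry["entry_hash"]:
            return False, f"entry {i}: content was altered after hashing"
        if entry["evidence_sha256"] != evidence_sha256:
            return False, f"entry {i}: evidence hash differs from the acquisition hash"
        expected_prev = entry["entry_hash"]
    return True, None


# Constructed exhibit hash: the digest of a sample byte string, not of a real image.
EXHIBIT_HASH = hashlib.sha256(b"constructed exhibit image").hexdigest()


def build_sample_chain() -> list:
    """Three constructed custody events for the sample exhibit."""
    chain = []
    append_entry(chain, "DC Smith", "seized at scene", EXHIBIT_HASH, "2018-06-20T09:00:00Z")
    append_entry(chain, "DC Smith", "transferred to lab", EXHIBIT_HASH, "2018-06-20T11:30:00Z")
    append_entry(chain, "Examiner A", "imaged and verified", EXHIBIT_HASH, "2018-06-21T08:15:00Z")
    return chain


def demonstrate() -> tuple:
    """Verify an intact chain, then backdate the seizure entry and verify again."""
    chain = build_sample_chain()
    intact, _ = verify_chain(chain, EXHIBIT_HASH)
    chain[0]["timestamp"] = "2018-06-19T09:00:00Z"   # after-the-fact edit
    after_edit, reason = verify_chain(chain, EXHIBIT_HASH)
    return intact, after_edit, reason


if __name__ == "__main__":
    print(demonstrate())   # (True, False, 'entry 0: content was altered after hashing')
```

A hash chain on its own only detects edits by someone who cannot recompute the whole chain; in a real laboratory the entries would additionally be signed by each custodian or written to append-only storage, and the chain would be reconciled against the physical evidence log and the hash report from acquisition.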

Attorneys have argued that because digital evidence can theoretically be altered, it undermines the reliability of the evidence. US judges are beginning to reject this theory; in the case US v. Bonallo the court ruled that "the fact that it is possible to alter data contained in a computer is clearly not enough to make it untrustworthy." In the United Kingdom guidelines such as those issued by ACPO are followed to help document the authenticity and integrity of evidence.

Digital investigators, particularly in criminal investigations, have to ensure that conclusions are based upon factual evidence and their own expert knowledge. In the US, for example, the Federal Rules of Evidence state that a qualified expert may testify "in the form of an opinion or otherwise" so long as:

(1) the testimony is based upon sufficient facts or data, (2) the testimony is the product of reliable principles and methods, and (3) the witness has applied the principles and methods reliably to the facts of the case.

The sub-branches of digital forensics may each have their own specific guidelines for the conduct of investigations and the handling of evidence. For example, mobile phones may be required to be placed in a Faraday shield during seizure or acquisition to prevent further radio traffic to the device. In the UK, forensic examination of computers in criminal matters is subject to ACPO guidelines. There are also international approaches to providing guidance on how to handle electronic evidence. The "Electronic Evidence Guide" by the Council of Europe offers a framework for law enforcement and judicial authorities in countries who seek to set up or enhance their own guidelines for the identification and handling of electronic evidence.

Investigative tools

The admissibility of digital evidence relies on the tools used to extract it. In the US, forensic tools are subject to the Daubert standard, where the judge is responsible for ensuring that the processes and software used were acceptable. In a 2003 paper Brian Carrier argued that the Daubert guidelines required the code of forensic tools to be published and peer reviewed. He concluded that "open source tools may more clearly and comprehensively meet the guideline requirements than closed source tools would." In 2011 Josh Brunty stated that the scientific validation of the technology and software associated with performing a digital forensic examination is critical to any laboratory process. He argued that "digital forensic science is founded on the principles of repeatable processes and quality evidence, so knowing how to design and maintain a good validation process is a key requirement for any digital forensic examiner to defend their methods in court."

Branches

Digital forensic investigation is not restricted to retrieving data merely from computers, as laws are broken by criminals and small digital devices (e.g. tablets, smartphones, flash drives) are now extensively used. Some of these devices have volatile memory while some have non-volatile memory. Sufficient methodologies are available to retrieve data from volatile memory; however, there is a lack of detailed methodology or frameworks for retrieving data from non-volatile memory sources. Depending on the type of device, media or artifact, digital forensics investigation is branched into various types.

Computer forensics

The goal of computer forensics is to explain the current state of a digital artifact, such as a computer system, storage medium or electronic document. The discipline usually covers computers, embedded systems (digital devices with rudimentary computing power and onboard memory) and static memory (such as USB pen drives).

Computer forensics can deal with a broad range of information; from logs (such as internet history) through to the actual files on the drive. In 2007 prosecutors used a spreadsheet recovered from the computer of Joseph E. Duncan III to show premeditation and secure the death penalty. The murderer of Sharon Lopatka was identified in 2006 after email messages from him detailing torture and death fantasies were found on her computer.

Mobile device forensics

Mobile device forensics is a sub-branch of digital forensics relating to the recovery of digital evidence or data from a mobile device. It differs from computer forensics in that a mobile device will have an inbuilt communication system (e.g. GSM) and, usually, proprietary storage mechanisms. Investigations usually focus on simple data such as call data and communications (SMS/Email) rather than in-depth recovery of deleted data. SMS data from a mobile device investigation helped to exonerate Patrick Lumumba in the murder of Meredith Kercher.

Mobile devices are also useful for providing location information; either from inbuilt GPS/location tracking or via cell site logs, which track the devices within their range. Such information was used to track down the kidnappers of Thomas Onofri in 2006.

Network forensics

Network forensics is concerned with the monitoring and analysis of computer network traffic, both local and WAN/internet, for the purposes of information gathering, evidence collection, or intrusion detection. Traffic is usually intercepted at the packet level, and either stored for later analysis or filtered in real-time. Unlike other areas of digital forensics, network data is often volatile and rarely logged, making the discipline often reactionary.

In 2000 the FBI lured computer hackers Aleksey Ivanov and Gorshkov to the United States for a fake job interview. By monitoring network traffic from the pair's computers, the FBI identified passwords allowing them to collect evidence directly from Russian-based computers.

Forensic data analysis

Forensic Data Analysis is a branch of digital forensics. It examines structured data with the aim of discovering and analysing patterns of fraudulent activity resulting from financial crime.

Database forensics

Database forensics is a branch of digital forensics relating to the forensic study of databases and their metadata. Investigations use database contents, log files and in-RAM data to build a timeline or recover relevant information.

Education and Research

Centers for academic education and research in forensic science:

North America: Penn State University offers a major in Security and Risk Analysis, a Master of Professional Studies in Information Sciences, a Master of Professional Studies in Homeland Security, and a Ph.D. in Information Sciences and Technology with a focus on digital forensics.

Source of the article : Wikipedia
