Digital forensics involves the identification, collection, preservation, examination, and analysis of digital evidence. It is a technical, computer-related field involved in the collection and examination of evidence from computers, including audio, video, and graphical images.

Adding the ability to practice sound computer forensics will help you ensure the overall integrity and survivability of your network infrastructure. You can help your organization if you consider computer forensics as a new basic element in what is known as a “defense-in-depth” approach to network and computer security. For instance, understanding the legal and technical aspects of computer forensics will help you capture vital information if your network is compromised and will help you prosecute the case if the intruder is caught.

Today Information and Communication Technology (ICT) is being used for collecting, storing, editing and passing on information in various forms. Computer forensics is simply the application of computer investigation and analysis techniques in the interests of determining potential legal evidence. Evidence might be sought in a wide range of computer crime or misuse, including but not limited to theft of trade secrets, theft of or destruction of intellectual property, and fraud. Computer specialists can draw on an array of methods for discovering data that resides in a computer system, or recovering deleted, encrypted, or damaged file information. Any or all of this information may help during discovery, depositions, or actual litigation.


Before turning to the current perception of forensic science, consider the stages a society commonly passes through in coming to terms with malicious use of a new technology. First, users realize that the technology can be used for unauthorized and possibly unlawful purposes. Concern grows as incidents occur and become more serious. The rising volume of misuse, and the share of it that is unlawful, eventually leads authorities to recognize that they need expertise to identify, understand, and prevent future wrongdoing. Authorities then cultivate certified expertise, built on a deeper understanding of the problem, its symptoms, and the motivations of those involved.

How far each of these stages is carried depends on several related factors. The first is the complexity of the technology: a subject matter expert must thoroughly understand it before stating conclusions about the evidence. The second is that sufficient research must establish the techniques needed to examine and analyze evidence that could become proof. To date, the response to both factors has closely tracked the formation and evolution of most forensic disciplines.


“E-discovery” or electronic discovery is the part of the discovery process that focuses on finding evidence in electronic form, typically from a computer. Computer forensics is an emerging discipline dedicated to the collection of computer evidence for judicial purposes, and as such supports the e-discovery process.

Computer forensic science at its core differs from most traditional forensic disciplines. First, the product of the examination is different. Rather than producing interpretive conclusions, the computer forensic examiner produces direct information and data (i.e. computer records) that may subsequently be used to form an opinion, most probably by someone else.

The field of forensics has developed over many centuries. The earliest surviving record of forensic medicine dates to 1247 C.E., when the Chinese physician and judge Song Ci wrote The Washing Away of Wrongs (Xi Yuan Ji Lu). It presented the anatomical and medical knowledge of the time as it related to law, such as how to distinguish drowning from strangulation and from death by natural causes. Fingerprint identification was not placed on a systematic footing until 1892. The first forensic laboratories in the United States were established in the late 1920s and early 1930s. DNA profiling was first used in a criminal investigation in 1986 and first admitted as evidence at trial in 1987.


Traditional forensic analysis can be controlled in the laboratory setting and can progress, incrementally, and in concert with widely accepted forensic practices. In comparison, computer forensic science is almost entirely technology and market driven, generally outside the laboratory setting, and the examinations present unique variations in almost every situation.

Traditionally computer forensic investigations were performed on data at rest—for example, the content of hard drives. This can be thought of as a dead analysis. Investigators were told to shut down computer systems when they were impounded for fear that digital time-bombs might cause data to be erased.

In recent years there has been a growing emphasis on analyzing live systems. One reason is that many current attacks leave no trace on the computer’s hard drive: the attacker works only with the contents of memory. Another is the growing use of encrypted storage: the only copy of the key needed to decrypt it may exist in the computer’s memory, so turning the computer off destroys it.


Several open source tools can analyze open ports, mapped drives (including drives reached through an active VPN connection), and open or mounted encrypted files (containers) on the live computer system. Using open source tools and commercial products it is possible to image these mapped drives and open encrypted containers in unencrypted form, because while a container is mounted the operating system presents its decrypted contents. Open source tools for PCs include the bootable Linux distributions Knoppix and Helix. Commercial imaging tools include AccessData’s Forensic Toolkit and Guidance Software’s EnCase.

The same tools can also examine RAM and Registry data to show recently accessed web-based email sites and, where the browser or application still held them in memory, the login/password combinations used. They can likewise yield credentials for recently used local email clients, including MS Outlook.

The process of creating an exact, bit-for-bit duplicate of the original evidentiary media is called imaging; the copy is verified against the original by cryptographic hash. A computer forensic investigation has five basic steps:

  1. Preparation (of the investigator, not the data)
  2. Collection (the data)
  3. Examination
  4. Analysis
  5. Reporting

The investigator must be properly trained for the specific kind of investigation at hand. Tools used to generate reports for court should be validated. Many tools are available; choose the one suited to the case.

Fig 1: Forensic Life Cycle
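The collection step of the procedure above, imaging with hash verification, as an added Python example that is not part of the original article and not code from any tool the article names. It streams a source to an image file while hashing the bytes as they are read, re-hashes the written image independently, write-protects it, records a JSON manifest, and then shows that a single flipped byte in the image is detected on verification. The source "device", case identifier and examiner name are constructed placeholders; a real acquisition reads the device through a hardware write blocker, which opening a file read-only does not replace.

```python
"""Bit-for-bit imaging with hash verification and a chain-of-custody manifest.

Added example (not from the original article or any tool it names). The source
"device" is a constructed temporary file; case identifier and examiner are
placeholders. Opening the source read-only does not stop the OS from touching
a real device: use a hardware write blocker for actual evidence.
"""
import hashlib
import json
import os
import random
import tempfile
import time

CHUNK = 1 << 20  # 1 MiB reads, the same block-wise copying dd performs


def copy_and_hash(src_path: str, dst_path: str, chunk: int = CHUNK) -> tuple[int, str]:
    """Stream src to dst, hashing bytes as they are READ from the source.

    Returns (bytes_copied, sha256 hex digest). Hashing on the read side means
    the digest describes what came off the evidence, not what was written.
    """
    digest = hashlib.sha256()
    copied = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while True:
            block = src.read(chunk)
            if not block:
                break
            digest.update(block)
            dst.write(block)
            copied += len(block)
    return copied, digest.hexdigest()


def sha256_file(path: str, chunk: int = CHUNK) -> str:
    """Independent re-read of a file, used to verify the image after writing."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire(src_path: str, img_path: str, case_id: str, examiner: str) -> dict:
    """Image src_path to img_path, verify, write-protect, and write a manifest."""
    size, source_hash = copy_and_hash(src_path, img_path)
    image_hash = sha256_file(img_path)
    if image_hash != source_hash:
        raise RuntimeError("image does not match source stream: acquisition failed")
    os.chmod(img_path, 0o444)  # the image is now evidence; examine working copies
    manifest = {
        "case_id": case_id,
        "examiner": examiner,
        "source": src_path,
        "image": os.path.basename(img_path),
        "size_bytes": size,
        "sha256": source_hash,
        "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }
    with open(img_path + ".json", "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_image(img_path: str) -> bool:
    """Re-hash the image and compare with the digest recorded at acquisition."""
    with open(img_path + ".json", encoding="utf-8") as f:
        manifest = json.load(f)
    return sha256_file(img_path) == manifest["sha256"]


def run_demo() -> dict:
    """Constructed end-to-end run: image a fake partition of 3 MiB + 17 bytes,
    verify it, then flip one byte of the image and show verification fails."""
    work = tempfile.mkdtemp(prefix="forensic-demo-")
    src = os.path.join(work, "sdb1.raw")  # stands in for /dev/sdb1 (constructed)
    img = os.path.join(work, "CASE-0001-sdb1.dd")
    with open(src, "wb") as f:  # odd size so the final read is a partial chunk
        f.write(random.Random(1).randbytes(3 * 1024 * 1024 + 17))
    manifest = acquire(src, img, case_id="CASE-0001", examiner="J. Doe")
    verified = verify_image(img)
    os.chmod(img, 0o644)  # simulate someone lifting the protection and editing
    with open(img, "r+b") as f:
        f.seek(1234)
        original = f.read(1)
        f.seek(1234)
        f.write(bytes([original[0] ^ 0x01]))
    return {
        "size_bytes": manifest["size_bytes"],
        "sha256": manifest["sha256"],
        "source_sha256": sha256_file(src),
        "verified": verified,
        "verified_after_tamper": verify_image(img),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The design point is that two independent digests are compared: one over the bytes as they left the source, one over the image file re-read from disk. Agreement shows the copy is complete; disagreement at any later verification shows the image has changed since acquisition. Most examiners record more than one digest (for example MD5 and SHA-1 alongside SHA-256) so that a report can be checked with whatever tool the other side uses.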

RAM can sometimes be analyzed for its prior content after power loss. One mechanism is physical: as production methods become cleaner, the impurities whose state indicates a cell’s charge before power loss are becoming less common, but data held statically in the same area of RAM for a long time is more likely to be detectable by these methods, and the likelihood of recovery rises with the originally applied voltage, the operating temperature, and the duration of storage. The other mechanism is that cell charge decays gradually rather than instantly: holding unpowered RAM below −60 °C slows the decay and preserves the residual data for roughly an order of magnitude longer, improving the chances of successful recovery. However, this can be impractical during a field examination.
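What an examiner actually does with a memory capture from a live or cooled system, as an added Python example that is not code from the original article: it searches a memory image for AES-128 keys by checking whether the 160 bytes following each 16-byte window are that window’s own key expansion, the idea behind tools such as aeskeyfind. The memory image is constructed inline (pseudo-random filler with one key schedule planted in it), and the decayed variant flips a few schedule bits to stand in for the charge loss a cold-boot image suffers. This simplified version tolerates bit errors only outside the 16 key bytes themselves; the published tools reconstruct the key from the redundancy in the schedule as well.

```python
"""Recover AES-128 keys from a memory image by key-schedule consistency.

Added example (not from the original article). The memory image is constructed:
pseudo-random filler with one expanded AES-128 key schedule planted in it,
optionally with a few bits flipped to imitate cold-boot decay. Simplification:
bit errors are tolerated only in the 160 derived bytes, not in the key itself.
"""
import random


def _build_sbox() -> list[int]:
    """Generate the AES S-box (FIPS-197): GF(2^8) inverse followed by the affine map."""
    def rotl8(x: int, s: int) -> int:
        return ((x << s) | (x >> (8 - s))) & 0xFF

    sbox = [0] * 256
    p = q = 1  # loop invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q = (q ^ (q << 1)) & 0xFF                              # q /= 3
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        affine = q ^ rotl8(q, 1) ^ rotl8(q, 2) ^ rotl8(q, 3) ^ rotl8(q, 4)
        sbox[p] = affine ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63  # zero has no multiplicative inverse
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def expand_key(key: bytes) -> bytes:
    """AES-128 key expansion: 16-byte key -> 176-byte schedule (11 round keys)."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    words = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        temp = list(words[i - 1])
        if i % 4 == 0:
            temp = temp[1:] + temp[:1]          # RotWord
            temp = [SBOX[b] for b in temp]      # SubWord
            temp[0] ^= RCON[i // 4 - 1]         # Rcon
        words.append([a ^ b for a, b in zip(words[i - 4], temp)])
    return bytes(b for w in words for b in w)


def find_aes128_keys(image: bytes, max_bit_errors: int = 0) -> list[tuple[int, bytes, int]]:
    """Slide a 16-byte window over the image. The window is a key if the 160 bytes
    after it differ from the window's own expansion by at most max_bit_errors
    bits. Returns (offset, key, bit_errors) for each hit."""
    hits = []
    for off in range(0, len(image) - 176 + 1):
        candidate = image[off:off + 16]
        expected = expand_key(candidate)[16:]
        observed = image[off + 16:off + 176]
        errors = sum(bin(a ^ b).count("1") for a, b in zip(expected, observed))
        if errors <= max_bit_errors:
            hits.append((off, candidate, errors))
    return hits


def build_sample_image(key: bytes, offset: int = 900, size: int = 2048,
                       flipped_bits: tuple[int, ...] = (), seed: int = 7) -> bytes:
    """Constructed memory image: pseudo-random filler with the key schedule planted
    at `offset`. flipped_bits are bit indexes from the start of the schedule to
    corrupt (imitating decay); keep them >= 128 so the key bytes stay intact."""
    rng = random.Random(seed)
    image = bytearray(rng.getrandbits(8) for _ in range(size))
    image[offset:offset + 176] = expand_key(key)
    for bit in flipped_bits:
        image[offset + bit // 8] ^= 1 << (bit % 8)
    return bytes(image)


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 example key
    for off, k, errs in find_aes128_keys(build_sample_image(key)):
        print(f"intact image: key {k.hex()} at offset {off} ({errs} bit errors)")
    decayed = build_sample_image(key, flipped_bits=(200, 777, 1300))
    print("decayed image, exact match:", find_aes128_keys(decayed))
    for off, k, errs in find_aes128_keys(decayed, max_bit_errors=8):
        print(f"decayed image, tolerant: key {k.hex()} at offset {off} ({errs} bit errors)")
```

The search works because a key schedule is highly redundant: 160 bytes are determined by 16, so a random window almost never passes the check while a genuine key passes even when the image is partially decayed, provided a tolerance is allowed. On a real capture the scan runs over the whole dump (tens of gigabytes) and is cheaper than it looks, since a candidate can be rejected after computing only its first derived word.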


Given the success of forensic science in providing factual, testimonial evidence for the courts, this discussion presents a historical view of traditional methods used in forensic science.  The purpose is to help us understand how we can apply similar techniques when dealing with information systems.  Traditional forensic analysis methods include the following:

  • Chromatography, spectroscopy, hair and fiber analysis, and serology (such as DNA examination)
  • Pathology, anthropology, odontology, toxicology, structural engineering, and examination of questioned documents
  • Behavioral patterns revealed by tests, such as polygraphs and psychological exams.

Most of these forensic disciplines began to flourish alongside the evolving science of criminalistics, which, in the United States, emerged during the 1920s.  Advances in medicine, chemistry, and microscopy prepared the way for the adoption of scientific analysis rather than pure observation and intuition as the cornerstone of criminal investigation.  The result of these advances was to replace supposition with reality (or fact) and present testimonial evidence to the trier-of-fact (judge or jury) in criminal or civil proceedings.

The vast majority of analytical methods employed by traditional forensic science grew out of university laboratories.  In fact, before 1929 no official crime laboratory existed in the United States.  Instead, police departments interested in using scientific analysis in crime solving would solicit the assistance of prominent university professors to help them collect and examine potential evidence (Eckert, 1997). Over time, more federal, state, and local jurisdictions realized the importance and necessity of scientific investigation.  Professionals with particular interest in the forensic aspects of analysis began to transition their practices to newly established laboratories that focused on forensic analysis in support of the courts.  This trend remains true to this day, although, as stated previously, forensic analysis of computer systems has taken a different evolutionary path.

The gradual paradigm shift, from intuition or supposition to fact derived from analysis, took hold in the early twentieth century for a number of reasons.  The sciences, both hard (physics) and soft (biology), were advancing rapidly and many of their discoveries were being exposed to a larger percentage of the common population.  Perhaps more important was the fact that surface observation alone had been proven time and time again to lead to suspect conclusions.  Over time, conclusions presented as scientific evidence in the courts became subject to more rigorous scrutiny.  Individuals in the court system realized that testimony proffered as scientific and conclusive was, for the most part, beyond their complete understanding. 

In addition, the courts also understood that these analytical methods were not irrefutable. They were derived by experimentation that contained (or should contain) measures of error and other indices to help describe the veracity of statistics and narrative results. This concept led to the development of standards and rules of admissibility of expert testimony that must accompany scientifically derived testimonial evidence.

Mostly in criminal proceedings, the courts and public opinion have come to rely heavily on certain evidence derived by the scientific method.  Perhaps the most commonly stated but least understood is DNA profiling.  This relatively new method is performed for the courts as a technique used by forensic serologists.  It is relied upon because of its purported ability to discriminate down to the level of the individual, thus replacing other, older methods like blood typing as a primary evidentiary mechanism. 

Looking a little deeper, DNA analysis, though certainly more reliable than blood typing alone, is not a panacea.  The general assumption is that presenting DNA evidence in court is irrefutable and can therefore not be contested.  This supposition is based on studies of population genetics, where false-positive rates are exceptionally small, that is, one in billions. Or, stated another way, it is based on the probability that the DNA analysis will correctly determine that a defendant was the source of evidence found at the crime scene. 

However, when gathering statistics that take laboratory practice and data collection factors into consideration, false-positive detection rates range from one per hundred to one per thousand (Koehler, 1995).  The methodology begins to approach the false-positive rates for blood typing.  This view of DNA evidence seems much more applicable to the courts since they are serviced by laboratories like those studied (Koehler, 1995).  Thus, the studies based on population genetics can potentially become irrelevant since so much error can be interjected by incorrect collection and handling of the DNA source material.


There are many reasons to employ the techniques of computer forensics:

  • In legal cases, computer forensic techniques are frequently used to analyze computer systems belonging to defendants (in criminal cases) or litigants (in civil cases).
  • To recover data in the event of a hardware or software failure.
  • To analyze a computer system after a break-in, for example, to determine how the attacker gained access and what the attacker did.
  • To gather evidence against an employee that an organization wishes to terminate.
  • To gain information about how computer systems work for the purpose of debugging, performance optimization, or reverse-engineering.

Source by Pawan Sharma