International Journal of Computer Applications (0975 – 8887)

Volume 50 – No.5, July 2012

Digital Forensics
Ravneet Kaur, Amandeep Kaur
Assistant Professor in Computer Science
SDSPM College for Women, Rayya (Asr)
Guru Nanak Dev University, India

ABSTRACT evidence. Research groups like the Computer Analysis and

Digital forensics is a branch of forensic science concerned Response Team (CART), the Scientific Working Group on
with the use of digital information produced, stored and Digital Evidence (SWGDE), Laboratory Accreditation
transmitted by computers as source of evidence in Board (ASCLD-LAB), the Technical Working Group on
investigations and legal proceedings. Digital forensics has Digital Evidence (TWGDE), and the National Institute of
existed for as long as computers have stored data that could Justice (NIJ) have since been formed in order to discuss the
be used as evidence. For many years, digital forensics was computer forensic science as a discipline including the need
performed primarily by government agencies, but has for a standardized approach to examinations [2].
become common in the commercial sector over the past International Data Corporation (IDC) reported that the
several years. Originally, much of the analysis software market for intrusion-detection and vulnerability-
was custom and proprietary and eventually specialized assessment software will reach 1.45 billion
analysis software was made available for both the private
dollars in 2006.
and public sectors. The first part of this paper provides a
brief overview of digital forensics Process, followed by the
models of digital forensics. In the further part of the paper,
Major initiatives
 National White Collar Crime Center (NW3C)
we consider the need of the “Digital Forensic Investigation
 National Center for Forensic Sciences (NCFS)
Model” which is currently an active area of research in the
academic world, which aims to ameliorate procedures  Digital Forensics Research Workshop (DFRW)
followed in this field. At last, we discuss challenges and  Computer Forensic Educator’s Working Group
future scope of digital forensics. (CFEWG)
 Cyber Tools Online Search for Evidence
General Terms (CTOSE) – European
Cyber Crime, forensics models, Investigation, Analysis,
One important element of digital forensics is the credibility
digital devices.
of the digital evidence. Digital evidence includes computer
evidence, digital audio, digital video, cell phones, digital
Keywords
fax machines etc. The legal settings desire evidence to have
Digital forensics, Investigation model, forensics process,
digital crime, digital devices. integrity, authenticity, reproductivity, non-interference and
minimization.
1. INTRODUCTION
Computer forensics emerged in response to the escalation 2. THE NEED FOR DIGITAL
of crimes committed by the use of computer systems either FORENSIC INVESTIGATION
as an object of crime, an instrument used to commit a crime MODELS
or a repository of evidence related to a crime. Digital It is important to understand the need of the “Digital
Forensic can be defined as Forensic Investigation Model” which is currently an active
area of research in the academic world, which aims to
“The use of scientifically derived and proven
ameliorate procedures followed in this field. The way
methods toward the preservation, validation,
Digital Forensic Science is implemented has a direct impact
identification, analysis, interpretation,
on
documentation and presentation of digital evidence
derived from digital sources for the purpose of  The prevention of further malicious events
facilitating or furthering the reconstruction of events occurring against the intended “target".
found to be criminal, or helping to anticipate  The successful tracing back of the events that
unauthorized actions shown to be disruptive to
occurred which led to the crime, and determining
planned operations." [4] the guilty parties involved.
 Bringing the perpetrators of the crime to justice.
Computer forensics can be traced back to as early as 1984
when the FBI laboratory and other law enforcement  The improvement of current prevention
agencies begun developing programs to examine computer mechanisms in place to prevent such an event
from occurring again.

5
 International Journal of Computer Applications (0975 – 8887)
Volume 50 – No.5, July 2012

 Improving standards used by corporate security concentrated mostly upon coming up with good models that
professionals to secure their respective corporate can be practiced [7]. Yet, it can be safely said that these
networks. models are mainly ad-hoc and much needs to be
 How everyone “plugged" into this digital accomplished in this particular domain.
environment can increase their awareness about
current vulnerabilities and prevention measures. 3. INVESTIGATION PROCESS OF
DIGITAL FORENSICS
There has been a need for a standard methodology used for Investigative process of digital forensics can be divided
all Digital Forensics investigations. There have been many into several stages. There are four major stages:
initiatives made to have models that have a general process preservation, collection, examination, and analysis see
to be followed for such investigations [5]. Research done figure 1.
by the scientific community has been fairly recent, and has

Figure1. Digital forensics Process

 Preservation: Preservation stage corresponds to collected information. They may include log
\freezing the crime scene". It consists in stopping files, data files containing specific phrases, times-
or preventing any activities that can damage stamps, and so on.
digital information being collected. Preservation  Analysis: The aim of analysis is to “draw
involves operations such as preventing people conclusions based on evidence found".
from using computers during collection, stopping  Reporting: This entails writing a report outlining
ongoing deletion processes, and choosing the the examination process and pertinent data
safest way to collect information. recovered from the overall investigation.
 Collection: Collection stage consists in finding
and collecting digital information that may be 4. THE ABSTRACT DIGITAL
relevant to the investigation. Since digital
FORENSIC MODEL
information is stored in computers, collection of The abstract digital forensics model [1] proposes a
digital information means either collection of the standardized digital forensics process that consists of nine
equipment containing the information, or
components:
recording the information on some medium.
Collection may involve removal of personal
1. Identification: It recognizes an incident from indicators
computers from the crime scene, copying or
and determines its type.
printing out contents of files from a server,
recording of network traffic, and so on. 2. Preparation: Preparation entails the preparation of
 Examination: Examination stage consists in a tools, techniques, search warrants, and monitoring
\in-depth systematic search of evidence" relating authorizations and management support.
to the incident being investigated. The outputs of
examination are data objects found in the

Figure2: The abstract digital forensic model

6
 International Journal of Computer Applications (0975 – 8887)
Volume 50 – No.5, July 2012

3. Approach strategy: It develops a procedure to use in 8. Presentation: It involves the summary and explanation
order to maximize the collection of untainted evidence of conclusions.
while minimizing the impact to the victim.
9. Returning evidence: It ensures physical and digital
4. Preservation: Preservation which involves the isolation, property is returned to proper owner.
securing and preservation of the state of physical and
digital evidence. 5. THE INTEGRATED DIGITAL
INVESTIGATION MODEL (IDIP)
5. Collection: It entails the recording of the physical scene
and duplicate digital evidence using standardized and 5.1 Readiness phases
accepted procedures.
The goal of this phase is to ensure that the operations and
6. Examination: It involves an in-depth systematic search infrastructure are able to fully support an investigation. It
of evidence relating to the suspected crime. includes two phases:

7. Analysis: Analysis involves determination of the  Operations Readiness phase

significance, reconstructing fragments of data and drawing  Infrastructure Readiness phase
conclusions based on evidence found.

Figure3. The integrated digital investigation model (IDIP)

5.2 Deployment phases  Documentation phase; which involves taking

The purpose is to provide a mechanism for an incident to photographs, sketches, and videos of the crime
be detected and confirmed. It includes two phases: scene and the physical evidence. The goal is to
capture as much information as possible so that
 Detection and Notification phase; where the the layout and important details of the crime
incident is detected and then appropriate people scene are preserved and recorded.
notified.  Search and collection phase; that entails an in-
 Confirmation and Authorization phase; which depth search and collection of the scene is
confirms the incident and obtains authorization performed so that additional physical evidence is
for legal approval to carry out a search warrant. identified and hence paving way for a digital
crime investigation to begin
5.3 Physical Crime Scene Investigation  Reconstruction phase; which involves
phases organizing the results from the analysis done and
The goal of these phases is to collect and analyze the using them to develop a theory for the incident.
physical evidence and reconstruct the actions that took  Presentation phase; that presents the physical
place during the incident. It includes six phases:- and digital evidence to a court or corporate
management.
 Preservation phase; which seeks to preserve the
crime scene so that evidence can be later 5.4 Digital Crime Scene Investigation
identified and collected by personnel trained in phases
digital evidence identification. The goal is to collect and analyze the digital evidence that
 Survey phase; that requires an investigator to was obtained from the physical investigation phase and
walk through the physical crime scene and through any other future means. It includes similar phases
identify pieces of physical evidence. as the Physical Investigation phases, although the primary
focus is on the digital evidence. The six phases are:-

7
 International Journal of Computer Applications (0975 – 8887)
Volume 50 – No.5, July 2012

 Preservation phase; which preserves the digital  Video, audio, GIS materials, VoIP systems,
crime scene so that evidence can later be sensor net data, SCADA systems, etc.
synchronized and analyzed for further evidence.  Increasing usage of USB thumb drive, iPod, cell
 Survey phase; whereby the investigator transfers phone/PDA, digital camera, remote storage
the relevant data from a venue out of physical or devices, removable media
administrative control of the investigator to a  Long-term storage in appliances and home media
controlled location. blur the notion of “local storage”
 Documentation phase; which involves properly  Peer-to-peer file sharing
documenting the digital evidence when it is  Data outsourcing: Google Docs, Yahoo Photo
found. This information is helpful in the Album, and many others
presentation phase.
 Search and collection phase; whereby an in-
depth analysis of the digital evidence is Challenge 2: Image Large, Active Disk
performed. Software tools are used to reveal Farms
hidden, deleted, swapped and corrupted files that  How to image large, active disk farms
were used including the dates, duration, log file dynamically?
etc. Low-level time lining is performed to trace a  Imagine asking amazon.com or ebay to
user’s activities and identity. discontinue service while the drives are
being copied
 Reconstruction phase; which includes putting Challenge 3: Anti Forensics
the pieces of a digital puzzle together, and  Encryption
developing investigative hypotheses.  Encrypted files & Whole drive
 Presentation phase; that involves presenting the
encryption (EFS)
 Steganography and other information hiding
digital evidence that was found to the physical
 Evidence elimination tools
investigative team.
Challenge 4: Trust of Audit Trails
5.5 Review phase
This entails a review of the whole investigation and  How can we trust audit trails?
identifies areas of improvement.  Always possible that an intruder may edit or
delete the audit trail on a computer,
The IDIP model does well at illustrating the forensic especially weakly-protected PC.
 Increasingly sophisticated rootkits that
process, and also conforms to the cyber terrorism
dynamically modify the kernels of running
capabilities [6] which require a digital investigation to systems to hide what is happening, or even
address issues of data protection, data acquisition, imaging, to produce false results
extraction, interrogation, ingestion/normalization, analysis
and reporting. It also highlights the reconstruction of the
6.2 Open Problems
events that led to the incident and emphasizes reviewing
the whole task, hence ultimately building a mechanism for There are various open hard problems. Here is just a list of
quicker forensic examinations. samples:
 Forensic tool testing and validation Open vs.
Close Source
6. RESEARCH CHALLENGES &  Solutions against anti-forensics techniques
OPEN PROBLEMS[9]  Network attack attribution
 Botmasters
6.1 Research challenges  Criminals using stepping stones or Tor
 Device Diversity  Anonymous VoIP threatening callers
 Volume of Evidence  Fighting against online fraudsters
 Distributed Evidence  Click fraud
 Trust of Audit Trails  Auction frauds
 Spammers
 Testing and Validation  Phishing
 Anti-forensics  Insiders
 Digital right management related issues.
Challenge 1: Device Diversity
7. FUTURE SCOPE
 Traditional storage devices: Simple data In this study, work has been done in development of
and image files. Systematic Digital Forensic Investigation Model.
 We are seeing Following are few pointers for direction of future scope of
research in these areas:

8
 International Journal of Computer Applications (0975 – 8887)
Volume 50 – No.5, July 2012

1. Future research should sample a larger number of [3] Brian Carrier and Eugene H Spafford,(2003) Getting
respondents, collect detailed demographics information and Physical with the Investigative Process International
not only look at identifying issues, but also obtain feedback Journal of Digital Evidence. Fall 2003, Volume 2,
on methods for addressing these issues. Issue 2.
[4] Gary L Palmer. (2001). A Road Map for Digital
2. Application of the new model in variety of cases and Forensic Research. Technical Report DTR-T0010-
improvement in light of feedback. 01, DFRWS. Report for the First Digital Forensic
3. Identification of new constraints in terms of Research Workshop (DFRWS).
technological advancement will require model to be [5] M. M. Pollitt, An ad hoc review of digital forensic
updated with time. models, In Systematic Approaches to Digital Forensic
Engineering, 2007, pages 43{54. University of Central
8. REFERENCES Florida, USA, IEEE, April 10- 12, 2007 2007.
[6] National Institute of Justice. (2002). Results from
[1] Mark Reith, Clint Carr and Gregg Gunsch, (2002) an Tools and Technology Working Group, Governors
Examination of Digital Forensic Models International Summit on Cybercrime and Cyberterrorism,
Journal of Digital Evidence, Fall 2002, Volume 1, Princeton NJ.
Issue 3. [7] Lindsey, T. Challenges in Digital Forensics. 2006
[2] Michael Noblett, Mark.M.Pollitt and Lawrence Presley, Available from:
(2000) Recovering and Examining Computer http://www.dfrws.org/2006/proceedings/Lindsey-
Forensic Evidence, Forensic Science pres.pdf.
Communications, Volume 2, Number 4. [9] Dr. Yong Guan, Digital Forensics: Research Challenges
and Open Problems December 4, 2007