UNIT4
UNIT4
UNIT4
Cyber forensics plays a key role in investigation of cybercrime. “Evidence” in the case of
“cyber offenses” is extremely important from legal perspective. There are legal aspects involved in
the investigation as well as handling of the digital forensics evidence. Only the technically trained
and experienced experts should be involved in the forensics activities.
The goal of digital forensics is to determine the “evidential value” of crime scene and related
evidence.
The Florida Computer Crimes Act was the first computer crime law to address computer
fraud and intrusion. It was enacted in Florida in 1978.
There are two categories of computer crime: one is the criminal activity that involves using
a computer to commit a crime, and the other is a criminal activity that has a computer as a target.
Forensics means a “characteristic of evidence” that satisfies its suitability for admission as
fact and its ability to persuade based upon proof.
Digital forensics is the application of analyses techniques to the reliable and unbiased collection,
analysis, interpretation and presentation of digital evidence.
1. Computer forensics
It is the lawful and ethical seizure, acquisition, analysis, reporting and safeguarding of
data and metadata derived from digital devices which may contain information that is notable
and perhaps of evidentiary value to the trier of fact in managerial, administrative, civil and
criminal investigations. In other words, it is the collection of techniques and tools used to find
evidence in a computer.
2. Digital forensics
It is the use of scientifically derived and proven methods toward the preservation,
collection, validation, identification, analysis, interpretation, documentation and presentation of
digital evidence derived from digital sources for the purpose of facilitation or furthering the
reconstruction of events found to be criminal, or helping to anticipate unauthorized actions
shown to be disruptive to planned operations.
Chain of custody means the chronological documentation trail, etc. that indicates
the seizure, custody, control, transfer, analysis and disposition of evidence, physical or
electronic.
“Fungibility” means the extent to which the components of an operation or product can
be inter-changed with similar components without decreasing the value of the operation or
product.
Chain of custody is also used in most evidence situations to maintain the integrity of
the evidence by providing documentation of the control, transfer and analysis of evidence.
1. Computer forensics.
2. Network forensics.
Network forensics is the study of network traffic to search for truth in civil, criminal and
administrative matters to protect users and resources from exploitation, invasion of privacy
andany other crime fostered by the continual expansion of network connectivity.
This is a very important discussion, especially, for those who are students of legal courses.
It was mentioned in that the Indian IT Act amended the Indian Evidence Act. According to the
“Indian Evidence Act 1872,” “Evidence” means and includes:
1. All statements which the court permits or requires to be made before it by witnesses, in relation
to matters of fact under inquiry, are called oral evidence.
2. All documents that are produced for the inspection of the court are called documentary
evidence.
Paper evidence, the process is clear and intuitively obvious. Digital evidence by its very nature is
invisible to the eye. Therefore, the evidence must be developed using tools other thanthe human eye.
There are number of contexts involved in actually identifying a piece of digital evidence:
1. Physical context: It must be definable in its physical form, that is, it should reside on a specific
piece of media.
2. Logical context: It must be identifiable as to its logical position, that is, where does it reside
relative to the file system.
3. Legal context: We must place the evidence in the correct context to read its meaning. This may
Following are some guidelines for the (digital) evidence collection phase:
1. Adhere to your site’s security policy and engage the appropriate incident handling and law
enforcement personnel.
2. Capture a picture of the system as accurately as possible.
Mail server software is network server software that controls the flow of E-Mail and the mail client
software helps each user read, compose, send and delete messages.
E-Mail tracing is done by examining the header information contained in E-Mail messages to
determine their source.
As per FBI’s (Federal Bureau of Investigation) view, digital evidence is present in nearly every
crime scene. That is why law enforcement must know how to recognize, seize, transport and
store original digital evidence to preserve it for forensics examination.
1. Is admissible.
2. Is authentic.
3. Is complete.
4. Is reliable.
5. Is understandable and believable.
Let us now understand what is involved in the digital forensics process.
The Digital Forensics Process
The digital forensics process needs to be understood in the legal context starting from
preparation of the evidence to testifying. Digital forensics evidence consists of exhibits, each
consisting of a sequence of bits, presented by witnesses in a legal matter to help jurors establish
the facts of the case and support or refute legal theories of the case.
Fig: Process model for understanding a seizure and handling of forensic evidence legal
framework.
Digital evidence can be collected from many sources. Obvious sources include
computers, cell phones, digital cameras, hard drives, CD-ROM, USB memory devices and so
on. Non-obvious sources include settings of digital thermometers, black boxes inside
automobiles, RFID tags and web pages (which must be preserved as they are subject to
change).
For the purpose of digital evidence examination, “imaging of electronic media” (on which the
evidence is believed to be residing) becomes necessary.
Analysis, interpretation and attribution of evidence are the most difficult aspects encountered by
most forensics analysts. In the digital forensics arena, there are usually only a finite number of
possible event sequences that could have produced evidence.
Recall the mention of network forensics. We have already discussed that open
networks can be the source of many network-based cyber attacks. A situation like this leads to
the point that network forensics professionals need to understand how wireless networks work
and the fundamentals of related technology.
Wireless forensics is a discipline included within the computer forensics science, and
specifically, within the network forensics field. The goal of wireless forensics is to provide the
methodology and tools required to collect and analyze (wireless) network traffic that can be
presented as valid digital evidence in a court of law.
Approaching a Computer Forensics Investigation
From the discussion so far, we can appreciate that computer forensics investigation is a
detailed science. Now, let us understand how a forensics investigation is typically approached
and the broad phases involved in the investigation. The phases involved are as follows:
1. Secure the subject system (from tampering or unauthorized changes during the
investigation);
2. take a copy of hard drive/disk (if applicable and appropriate);
3. identify and recover all files (including deleted files);
4. access/view/copy hidden, protected and temp files;
5. study “special” areas on the drive (e.g., the residue from previously deleted files);
6. investigate the settings and any data from applications and programs used on the
system;
7. consider the system as a whole from various perspectives, including its structure and
overall contents;
8. consider general factors relating to the user’s computer and other activity and habits in
the context of the investigation;
9. Create detailed and considered report, containing an assessment of the data
and information collected.
Typical Elements Addressed in a Forensics Investigation Engagement Contract
Typically, the following important elements are addressed before while drawing up a
forensics investigation engagement contract
1. Authorization
2. Confidentiality
3. Payment
4. Consent and acknowledgment
5. Limitation of liability
Laboratory responsible for any accidental damages to the data or equipment in its possession
including but not limited to surface scratches, deformations and cracks.
1. Customer’s representation: Customer needs to warrant the forensics laboratory that he/she is
the owner of, and/or has the right to be in possession of, all equipment/data/media furnished to
the laboratory and that collection, possession, processing and transfer of such
equipment/data/media are in compliance with data protection laws to which customer is
subjectto.
2. Legal aspects/the law side: Both the parties need to agree that the agreement shall be governed
by prevailing law in every particular way including formation and interpretation and shall be
deemed to have been made in the country where the contract is signed.
3. Data protection: The computer forensics laboratory (engaged in the investigation) will hold the
information that the customer has given verbally, electronically or in any submitted form for the
purpose of the forensics investigation to be carried out as per contracted services from the
forensics laboratory.
4. Waiver/breach of contract: The waiver by either party of a breach or default of any of the
provisions on this agreement by either party shall not be construed as a waiver of any succeeding
breach of the same or other provisions, nor shall any delay or omission on the part of either party
to exercise or avail itself of any right, power or privilege that it has, or may have hereunder
operates as a waiver of any breach or default by either party.
Solving a Computer Forensics Case
These are just some broad illustrative steps and they may vary depending on the specific
Case in hand.
1. Prepare for the forensic examination.
2. Talk to key people to find out what you are looking for and what the circumstances
surrounding the case is.
3. If you are convinced that the case has a sound foundation, start assembling your tools to
collect the data in question. Identify the target media.
4. Collect the data from the target media. You will be creating an exact duplicate image of
the device in question. To do this, you will need to use an imaging software application like
thecommercial in Case or the open-source Sleuth Kit/Autopsy.
5. To extract the contents of the computer in question, connect the computer you are
investigating to a portable hard drive or other storage media and then boot the computer
under investigation according to the directions for the software you are using.
6. When collecting evidence, be sure to check E-Mail records as well. Quite often, these
messages yield a great deal of information.
7. Examine the collected evidence on the image you have created. Document anything that
you find and where you found it.
8. Analyze the evidence you have collected by manually looking into the storage media and,
if the target system has a Windows OS, check the registry.
9. Report your findings back to your client. Be sure to provide a clear, concise report; this
report may end up as evidence in a court case.
There are four broad types of requirements, namely, the physical space, the hardware
equipment, the software tools and the forensics procedures to be followed to aid those involved in the
cybercrime investigation.
Apart from the physical space requirement, another key requirement for a computer
including a network server with a large storage capacity (preferably configured for the standard
removable hard drives).
Fig: (a) SIM card reader, (b) iButtons, (c) flash memory, (d) SIM card.
On the software side, there are several requirements for setting up a forensics laboratory. The
standard forensics software package, such as EnCase, Web Case, Forensics Tool Kit, Password
Recovery Tool Kit, etc. are expensive products.
The main issues that are attacked when evidence is presented in a court of law are credentials
and methodology. In some countries, the court may prefer the forensics evidence from government
appointed and/or neutral party laboratories rather than the evidence from private agencies where
opportunities for manipulation/exploitation are perceived.
Steganography is the art of information hiding. The threat raised by steganography is very
real. Its use is not easy to detect or intercept, as the information does not need to be broadcast across
the Internet. The hidden message can reside unsuspectingly on a website, for example, and can be
viewed from around the world.
Steganography is the art of information hiding. The threat raised by steganography is very
real. Its use is not easy to detect or intercept, as the information does not need to be broadcast across
the Internet. The hidden message can reside unsuspectingly on a website, for example, and can be
viewed from around the world.
Rootkits
The term rootkit is used to describe the mechanisms and techniques whereby malware
including viruses, Spyware and Trojans attempt to hide their presence from Spyware blockers,
Information Hiding
Let us now have an overview of some characteristics of information hiding and then we
discuss about analysis methods for determining the existence of and potential locations of hidden
information.
With the rampant use of the Internet, there is so much at stake; corporate data is not safe
anymore given that almost all information assets lie on the corporate networks. We are in the era
of Net-centric digital economy.
Criminals can gather small pieces about you, about your confidential data to generate what
is known as “digital persona,” that is, they keep track about your Internet activities, what resides
on your corporate networks, etc.
Social networking site is defined as web-based services that allow individuals to:
Although social networking sites have their uses, there are several associated security threats. The
concerns regarding social networking sites are:
Does the social networking site violate people’s intellectual property rights
Whether these sites infringe the privacy of their own users
Whether these sites promote fraudulent and illegal activities
Content preservation can be challenging given the dynamic, short-lived and often multi-format nature of
social media. There is generally no control over the content posted on social media networking sites.
High level of forensic skill is required to analyze and quantify the preserved data to answer questions
such as:
Security issues that are associated with social networking sites are:
Corporate espionage
Cross site scripting
Virus and Worms
Social networking site aggregators
Phishing
Network infiltration leading to data leakage
ID theft
Cyberbullying
Content-Based Image Retrieval (CBIR)
Spam
Stalking
Although there are well-developed forensic techniques, cybercrime investigation is not easy. Huge
amount of data is available and searching for evidence in that enormous data is not easy. Most of the
existing tools allow anyone to change the attribute associated with digital data.
Encryption is a commonly used antiforensics technique and keyword search can be defeated by renaming
file names. Cybercrime investigators often face a problem of collecting evidence from very large groups
of files. They need to use techniques like link analysis and visualization. To find leads they need to use
machine learning techniques (patterns).
There need to be a paradigm shift for network forensics techniques to analyze the real-time data and huge
amounts of data. Duration of forensics investigation may vary, some simple cases might take a few hours
and complex cases may take some years to solve.
Certain digital information other than the data itself may help in solving the case. Such information
might include data and timestamps of files, folder structure and message transmission tags. Real-time
data collection is more complex as it needs to address legalities and privileges involved in surveillance.
Technical Challenges
The two challenges faced in a digital forensic investigation are complexity and quantity. The complexity
problem refers to the data collected being at the lowest level or in raw format. Non-technical people will
find it difficult to understand such data.
Tools can be used to transform the data from low level format to readable format. The quantity problem
refers to the amount of data that needs to be analyzed. Data reduction techniques can be used to group
Identifying unknown entries during log processing
Identifying known files using hash databases
Sorting files by their types
Legal challenges
Digital evidence can be tampered easily, sometimes, even without any traces. It is common for modern
computers to have multiple gigabyte sized disks. Seizing and freezing of digital evidence can no longer
be accomplished just by burning a CD-ROM. Failure to freeze the evidence prior to opening files has
invalidated critical evidence.
There is also the problem of finding relevant evidence within massive amounts of data which is a
daunting task. The real legal challenges involve the artificial limitations imposed by constitutional,
statutory and procedural issues. There are many types of personnel involved in digital/computer forensics
like technicians, policy makers, and professionals.
Technicians have sound knowledge and skills to gather information from digital devices, understand
software and hardware as well as networks. Policy makes establish forensics policies that reflect broad
considerations. Professionals are the link between policy and execution who have extensive technical
skills as well as good understanding of the legal procedures.
Wireless forensics is a part of network forensics, which in turn is a part of computer forensics.
Wireless forensics is the methodology and tools required to collect, analyze the network traffic that can
be presented as valid digital evidence in the court of law. The evidence collected can include plain data,
or VoIP information (voice calls). Wireless forensics process involves: