Digital Forensic Computers Forensic Forensic Models Information Technology Essay
Today the increasing number of computer and electronics components has demanded the use of Digital forensic showing that the digital forensics can be implemented in specialized fields of law enforcement, computer security, and national defense. In the information technology period, information stored in the devices are digital as mostly the institution or organization use computer storage media as compare to paper used by writers, scholars, scientists, musicians, and public figures. This gives new challenges to these concern persons related to accessing and preserving information, data recovery and maintaining trust. In this article, review of the currently available investigation processes, methodologies, different tools used by forensics experts and finally a conclusion will be done.
Digital Forensic, Computer Forensic, Forensic Models, Computer Forensic Investigation, Digital Forensic Methods, Forensic Techniques, Forensic Tools
Digital forensics is the branch of forensic involving the recovery and investigation of material found in digital devices due to incident of computer crime occurrence. Digital forensic is a synonym for the computer forensic in early start but today it includes other area of investigation like computer, database, and network, mobile which are capable of storing digital data.
Due to much advancement in various types of technology devices, media, digital forensics has defined the sub branches according to the investigation required. One of the digital forensics branches are Computer forensics, Mobile device forensics, Network forensics, Forensic data analysis and Database forensics.
Computer forensics involves the examination of the digital media stored in the computers for investigation purpose, mobile forensic is recovery of digital evidence from a mobile device, network forensic is the getting evidence related to network traffic, information gathering or evidence collection of intrusion detection, forensic data analysis is investigate the pattern of fraudulent action using structure data while the final one is database forensic is the study of databases and their metadata including the its contents, log files and in-RAM data investigation.
When the computer forensic is in consideration usually three different sets of people from Law Enforcement agencies, Military, Business & Industry are involved with the intention of tracking down attackers/hackers and criminals who attack the security of systems and use computers for unauthorized activities. Computer Forensic address the issues of National and Information Security, Corporate Espionage, White Collar Crime, Child Pornography, Traditional Crime, Incident Response, Employee Monitoring, Privacy Issues.
In the following this paper start with investigation phases, methods and techniques and tools how this information helps the novice in the computer, network, mobile and database forensic.
Forensic Methodologies ââ‚¬” Phases of Computer Forensic
Before discussing the forensic methodologies one should be familiar with the few terms of forensic terms. One of them is forensic evidence. A brief overview of evidence, categorization, rules, standard guide, and its basic principles in order to ensure the chain of custody will be outlined.
Evidence is any item or information gathered at the scene of a crime, or at related locations, which is found to be relevant to an investigation. There are many different types of evidence, from DNA and tire marks, to bloodstains and fingerprints Evidence should be Admissible, Authentic, Complete, Reliable and Believable. Evidence chain of custody protects its integrity. It can be categorized as primary (best type evidence using documentation), secondary (Oral or eye witness), direct, conclusive, circumstantial, corroborative and opinion evidence. There are guides available for Computer Based Evidence e.g. By Association of Chief Police Officers. During evidence collection following principle should be strictly followed by investigator
There should be no change of data on a computer or other media taken
Person should be competent while accessing original data held on a target computer
Audit trail or other record of all processes applied to computer-based evidence should be created and preserved.
He will ensure the law and principles of possession and access to information contained in a computer.
So many forensic investigation processes have been developed till now. The objective in this paper is to make the forensic investigation process or model with common phases of forensic to perform the intended investigation as compared to others model. Few models that exist are mentioned below.
Computer Forensic Investigative Process (1984)
Abstract Digital Forensics Model (ADFM) (2002)
Enhanced Digital Investigation Process Model (EDIP) (2004)
Computer Forensics Field Triage Process Model (CFFTPM) (2006)
Scientific Crime Scene Investigation Model (2001)
Common Process Model for Incident and Computer Forensics (2007)
Network Forensic Generic Process Model (2010)
Here is the generic investigation process namely the Generic Computer Forensic Investigation Model (GCFIM) proposed in this article that share the common phases with previously developed models. Figure below, demonstrate the proposed GCFIM.
Pre Process is the first phase of Generic Computer Forensic Investigation Model. In this phase the tasks are linked to other tasks that required to be completed before the investigating and collecting the official data. These tasks are having the required approval from concern authority, preparing and setting up of the tools to be utilized, etc.
Acquisition and Preservation is the second phase of Generic Computer Forensic Investigation Model. In this phase tasks performed related to the acquiring and collecting evidence in acceptable manner in which concern data is together base on the accepted methods utilizing a variety of recovery techniques, then the task is identifying the digital components from the acquired evidence, and finally in this phase the tasks are transporting, storing and preserving of data such as creating a good quality case management and ensuring an acceptable chain of custody. Overall, this phase is where all concern data are captured, stored and presented for the next phase.
Analysis is the third phase of Generic Computer Forensic Investigation Model. This is the core and the heart of the forensic investigation process. It has the largest part of phases including the tasks such as evidence tracing and validation, recovery of hidden or encrypted data, data mining, and timeline etc. Different types of analysis are performed on the acquired data using the appropriate tools and techniques to recognize the source of crime and eventually discovering the person accountable of the crime.
Presentation is the fourth phase of Generic Computer Forensic Investigation Model. The finding from analysis phase are documented and presented to the authority with expert testimony. The documentation presented also includes the adequate and acceptable evidence in order to understand by the concern party easily. The final outcome from this phase is either to prove or disprove the alleged criminal acts.
Post-Process is the last phase of Generic Computer Forensic Investigation Model. This phase concerns only the appropriate finishing of the investigation work. Digital and physical evidence should be appropriately handed over to the authorize owner and kept in secure place, if required. Finally but not the last, if there is a need to review the investigative process in each phase it should be done for the perfection of the future investigations.
Challenges during Forensic Investigation
There are some technical, legal, resource as well as general and specific challenges during the investigators face. Technical challenges are faced in finding the criminals over the internet; legal challenges are the result of not competitive with the currently technology, social environment and structure while the challenges in resources that the support should be available in all levels. The challenges that are faced during computer forensic in general and specific are the tools or techniques limitation from the private sector, no standard definition and agreements of computer crime, no proper background availability to perform testing, huge number of Operating System platforms and file formats due to which unavailability of experts with true titles. Other than these challenges during investigation it may take large space of memory from Gigabytes to Terabytes or even may require the storage area network. For computer forensic expert it is also challenging to have the expertise in RAID level, embedded system along with Network and Grid computing.
Now in the following few of the forensic tools in the domain of computer, network, mobile, database and some others are briefly described.
Reason for Using Computer Forensics Tools
There are multiple reasons for choosing the computer forensics tools like systems utilized by the defendants and litigants, to recover the lost data in case of hardware or software malfunction, to investigate about the computer usage in case of employee termination or when the system is attacked by an intruder.
To investigate computer crimes different computer forensic tools like disk imaging software for the file structure and hard disk content can be used, for comparing the data between original and copy Hashing tools can be used which assigns unique number for violation verification and for recovery the lost data or deleted data recovery programs can be used. Similarly software and hardware write tools can be used to reconstruct the hard drive bit by bit as these tools generate the copy of hard disk. Encase is well know commercial tool that can perform various tasks like disk imaging and verification and analysis of data while PC Inspector File Recovery is a free tool helps in revealing and recovering the contents stored in any type of storage media that is connected with the computer even if the content is deleted.
Network forensics deals with the capture, recording or analysis of network events in order to discover evidential information about the source of security attacks in a court of law.
There is a tool known as eMailTrackerPro that can track down the sender message by detecting the IP address in the header. If there is a need to view all information like IP address, country information or domain information SmartWhoIs can be used as free available network utility. To perform the web forensic famously known tool Mandiant Web Historian can help forensic examiner to verify how the intruders looked into the different sites by reviewing the history files of web site. Other tool Index.dat can be used to view the browsing history, the cookies and the cache as it gives the critical information about a cookie like its key-value pair, the website address associated with the cookie, the date/time the cookie was first created and last accessed and etc.
Ethereal is network packet analyzer, WinPcap is the packet capture tool used to capture the packets and AirPcap is the packet capture tool for the IEEE 802.11b/g Wireless LAN interfaces.
Mobile forensics as the name implies is to investigate data from mobile device for evidence purpose regardless of the mobile system of GSM / GPRS / WIFI technology. Investigator concentrate on either call data or SMS/Email data with the help of different commercial, non commercial, open source, command line or physical mobile forensic tools. The forensics process for mobile devices differ in these three main categories: seizure, acquisition, and examination/analysis while other aspects of the computer forensic process still apply. Some Commercial Forensic Tools include AccessData’s MPE+, FINALMobile Forensics by FINALDATA, Oxygen Forensic Suite, while Open source tools include iPhone Analyzer, the Mobile Internal Acquisition Tool, and TULP2G plug-ins. Performing mobile forensic using command line System commands, AT modem commands and Unix command dd can be used.
Tools used for database forensic are ACL, Idea and Arbutus as it is the forensic study of databases and their metadata. These tools record action in the documented form about the forensic expert on the database as he uses database contents, log files and in-RAM data. Still there is need to do research in this field to perform database forensic that demands skill experts.
The information provided in this article helps the reader with basic understanding of digital forensic and its branches with the aim to do further research in specific area of this field. Different Forensic methodologies are outlined in order to give the choice to forensic expert to choose this methodology or design his own process model. Further the different tools especially the open source one can enhance the forensic expert skills. Today the technology is advancing very rapidly and developing skills in multiple areas enhances the professional career and money value of the individual.Order Now