Examining The Types Of Computer Forensics Information Technology Essay
According to John R. Vacca, “Computer forensics, also referred to as computer forensic analysis, electronic discovery, electronic evidence discovery, digital discovery, data discovery, data recovery, computer analysis, and computer examination, is the process of methodically examining computer media (hard disks, diskettes, tapes, etc.) for evidence” [1]. A notable feature of computer forensics is that the evidence is generally captured by the computer without the user’s knowledge; various forensic tools are used to unveil it. This is a fast-growing discipline within information technology, but not many people know of it. In my personal experience, I asked a few friends who belong to the IT industry what they think of computer forensics, and the replies I received were totally offset from what computer forensics is all about. Though this is an emerging field, we lack experts. In order to achieve success in computer forensics, we need IT professionals, law enforcement officials, judges and lawyers to be aware and trained to strictly enforce the law against computer-related crime [1]. The objective of computer forensics is to find evidence by recovering and analyzing computer-related data, which can then be produced in a court of law [1]. A person who performs computer forensics is also known as a computer forensics analyst or specialist. Computer forensic evidence is commonly used by criminal prosecutors in homicide, drug trafficking and child pornography cases [1]. Corporations also employ or hire analysts to investigate internal crime such as data theft, logic bombs planted to disrupt normal operations, and misuse of resources.
The methodology consists of the following steps [2]:
Acquire the evidence without tampering with it.
Validate the recovered evidence against the original data.
Analyze the data.
Computer Forensics Technologies
Computer forensics technologies are used in different fields, such as the military, law enforcement and business, to serve the purpose of identifying computer crime.
Military computer forensics technology [1].
Military computer forensics involves discovering evidence, gauging the effect on the victim, and assessing the nature and motive of the attack. The emergence of CFX-2000, an acronym for Computer Forensics Experiment 2000, has carried forensics technology out of military research and development laboratories and into use by law enforcement. The premise of CFX-2000 is that “It is possible to accurately determine the motives, intent, targets, sophistication, identity, and location of cyber criminals and cyber terrorists by deploying an integrated forensic analysis framework” [1]. The framework uses the SI-FI (Synthesizing Information from Forensic Investigations) platform [1], which enables cyber forensics investigations to be captured and analyzed using digital evidence bags [1], containers meant for storing electronic evidence. The outcome of CFX-2000 was in conformance with its intended objective of identifying the motive and identity of cyber criminals.
Law enforcement computer forensics technology [1].
As noted above, evidence is generally captured and stored by the computer without the user’s knowledge, so retrieving and analyzing it requires forensic software tools capable of gathering hidden information from the computer. The procedures used in capturing computer evidence should always conform to federal computer evidence processing standards [1]. Certification programs are offered by the International Association of Computer Investigative Specialists (IACIS) [1]. Evidence on computers is susceptible to alteration and may be erased, so trainees are taught to back up the evidence first. One example of evidence backup software in use is “SafeBack” [1], which overcomes some of the storage problems of electronic evidence. It makes a bit-for-bit copy of the hard drive and stores it on external storage devices or on a partition of the same computer. Several copies can be made from the original without altering the original data.
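The two ideas above, acquiring a bit-stream copy without tampering and validating the copy against the original (the second step of the methodology), are illustrated by the following added example. It is not SafeBack or any code from the cited sources; it assumes, as is usual practice, that validation means comparing cryptographic hashes, and it stands in a small constructed byte string for the evidence drive so that it runs offline.

```python
"""Bit-stream imaging with hash verification (added example, not SafeBack)."""
import hashlib
import os
import shutil
import tempfile

# Constructed stand-in for a raw evidence drive (a real acquisition would read
# a block device such as /dev/sdb through a write blocker).
EVIDENCE_DRIVE = bytes(range(256)) * 8 + b"invoice 4471 paid to account 9921" + b"\x00" * 300
BLOCK_SIZE = 512  # copy granularity; a short final block is handled naturally


def hash_stream(fobj, chunk_size=1 << 20):
    """SHA-256 hex digest of an open binary stream, read in chunks."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: fobj.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def acquire_image(source_path, image_path, block_size=BLOCK_SIZE):
    """Copy every byte of source_path to image_path (a bit-stream copy).

    The source is opened read-only and hashed as it is read; the finished
    image is re-read from disk and hashed independently. Returns
    (source_hash, image_hash); the two must match before the image is used.
    """
    source_digest = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as img:
        for chunk in iter(lambda: src.read(block_size), b""):
            source_digest.update(chunk)
            img.write(chunk)
    with open(image_path, "rb") as img:
        image_hash = hash_stream(img)
    return source_digest.hexdigest(), image_hash


def verify_image(image_path, expected_hash):
    """True when the file at image_path still hashes to the acquisition hash."""
    with open(image_path, "rb") as img:
        return hash_stream(img) == expected_hash


def demo():
    """Image the constructed drive, make a working copy, and check hashes.

    Returns (image_matches_source, copy_verifies, tampered_copy_verifies).
    """
    with tempfile.TemporaryDirectory() as workdir:
        drive = os.path.join(workdir, "evidence.raw")
        image = os.path.join(workdir, "evidence.dd")
        copy = os.path.join(workdir, "working_copy.dd")
        with open(drive, "wb") as f:
            f.write(EVIDENCE_DRIVE)

        source_hash, image_hash = acquire_image(drive, image)
        # Analysis is done on a copy of the image, never on the original;
        # every copy is verified against the acquisition hash before use.
        shutil.copyfile(image, copy)
        copy_ok = verify_image(copy, source_hash)

        # A single changed byte (e.g. a viewer that "touched" the file) must fail.
        with open(copy, "r+b") as f:
            f.seek(0)
            f.write(b"\x01")
        tampered_ok = verify_image(copy, source_hash)
        return source_hash == image_hash, copy_ok, tampered_ok


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The acquisition hash is recorded in the case notes at imaging time; any later copy that does not reproduce it is not used, which is what makes multiple working copies safe.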
Law enforcement officials should also be trained in the following [1]:
Trojan horse programs: Analysts must be trained to handle evidence safely so that destructive programs planted by hostile parties cannot destroy it.
Computer forensics documentation: Documentation is essential to recording and preserving evidence, and an investigation must be able to review the documents used in audits; specialists should therefore be trained in documentation methodology.
File slack: The unused space between the end of a file’s data and the end of its last allocated cluster. Older operating systems padded this area with whatever happened to be in memory, and it also retains fragments of earlier files that occupied the same clusters, so analysts must be trained to examine it, both as a source of evidence and as a data-leakage risk.
Data hiding techniques: Training should cover techniques for finding hidden data, and analysts should be well versed in the tools used to detect it; one tool currently in use is the “AnaDisk Diskette Analysis Tool” [1].
E-Commerce investigations: Trainees are equipped with forensic tools that help track users’ activities on the internet and identify their browsing patterns.
Text search techniques: Particular strings are used to search documents and disk images for text of interest. On completing forensics training an analyst is equipped with the “Text Search Plus” software [1].
Disk structure: Trained professionals must have sound knowledge of the structure and storage locations of a disk, and understand where data can potentially be hidden on it.
Data encryption: A trained professional must understand encryption, be able to distinguish between encryption standards, and justify which are stronger.
Data compression: Experts need to understand compression and how data can be hidden using compression techniques.
Erased files: Training also covers recovering lost or erased files from the computer.
Boot process and memory-resident programs: Professionals should have adequate insight into the boot process, know exactly when programs are loaded, and understand the influence of programs resident in memory and their possible destructive actions.
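The file slack, text search and erased-file items in the list above come together in the following added example, which is not taken from the cited sources or from Text Search Plus. It constructs a small raw image with a toy allocation layout (fixed 512-byte clusters and a hand-written file table; a real FAT or NTFS volume would supply the cluster chain from the allocation table or MFT), extracts the slack of an allocated file, and runs a keyword search over the whole image that labels each hit as live data, slack or unallocated space.

```python
"""Slack-space extraction and keyword search over a raw image (added example)."""
import re

CLUSTER = 512  # allocation unit size of the constructed image

# Constructed image: 8 clusters. Clusters 0-1 hold a directory, clusters 2-3
# are allocated to report.txt (700 bytes), clusters 4-7 are unallocated. A
# deleted memo previously occupied clusters 2-4, and its bytes survive wherever
# the new file did not overwrite them. Not a real FAT/NTFS layout.
OLD_MEMO = b"OLD MEMO: wire 50000 to cayman acct 9921 before audit. " * 20
REPORT = (b"Quarterly report: all figures nominal. " * 30)[:700]


def build_image():
    """Return (image, file_table); file_table maps name -> (first_cluster, size)."""
    image = bytearray(CLUSTER * 8)
    image[0:9] = b"DIRECTORY"
    image[2 * CLUSTER:2 * CLUSTER + len(OLD_MEMO)] = OLD_MEMO  # deleted file's remains
    image[2 * CLUSTER:2 * CLUSTER + len(REPORT)] = REPORT      # new file written on top
    return bytes(image), {"$directory": (0, 2 * CLUSTER), "report.txt": (2, len(REPORT))}


def slack_region(first_cluster, size, cluster=CLUSTER):
    """[start, end) of file slack: logical end of file to end of last cluster."""
    clusters_used = -(-size // cluster)  # ceiling division
    start = first_cluster * cluster + size
    end = (first_cluster + clusters_used) * cluster
    return start, end


def extract_slack(image, first_cluster, size, cluster=CLUSTER):
    """Bytes sitting in the file's slack, which no normal file API will show."""
    start, end = slack_region(first_cluster, size, cluster)
    return image[start:end]


def classify_offset(offset, file_table, cluster=CLUSTER):
    """Label a byte offset as '<file>:data', '<file>:slack' or 'unallocated'."""
    for name, (first, size) in file_table.items():
        slack_start, slack_end = slack_region(first, size, cluster)
        if first * cluster <= offset < slack_start:
            return f"{name}:data"
        if slack_start <= offset < slack_end:
            return f"{name}:slack"
    return "unallocated"


def keyword_search(image, keywords, file_table, cluster=CLUSTER):
    """Case-insensitive search of the whole image, including slack and
    unallocated space; returns (offset, keyword, region) sorted by offset."""
    hits = []
    for keyword in keywords:
        pattern = re.compile(re.escape(keyword.encode()), re.IGNORECASE)
        for match in pattern.finditer(image):
            region = classify_offset(match.start(), file_table, cluster)
            hits.append((match.start(), keyword, region))
    return sorted(hits)


if __name__ == "__main__":
    image, table = build_image()
    print(extract_slack(image, *table["report.txt"]))
    for hit in keyword_search(image, ["cayman", "Quarterly"], table):
        print(hit)
```

Every “cayman” hit lands in the slack of report.txt or in unallocated space, which is exactly the material a search through the live file system would miss; the region label tells the analyst which file to tie the fragment to.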
Business computer forensic technology [1]:
Various types of business computer forensics technology are discussed below:
Remotely monitoring computers [1]: A method analysts use to capture evidence without being in close proximity to the offender’s computer.
Creating electronic documents that can be tracked [1]: These tools let agents track who views particular documents; they identify connections to documents that have been stolen.
Recovery software for computer theft [1]: Once installed, this software helps locate a stolen computer: when the computer next connects to the internet, the owner is sent an e-mail, which enables the police to identify its geographical location.
Forensic services [1]: Forensic experts can track crime anywhere in the world, recover lost data, and track misappropriation of valuable resources, for example by recovering passwords, hidden files and deleted files, encrypting and decrypting e-mail, identifying intruders on your computers, identifying hackers and tracking down stolen computers.
Role of a computer forensic investigator [3]:
Typically, the role of a computer forensic investigator is to recover data and find evidence at computer crime scenes. Most computer forensics investigators work for police departments, assisting them in tracking down criminals and convicting them in court, and investigators are usually called upon to testify in court, explaining their role in gathering the evidence. As discussed previously, computer forensics investigators are well-trained personnel with adequate knowledge of encryption, operating systems, security concepts, viruses and databases.
Some of the activities performed by investigators are [3]:
Collecting, gathering or finding evidence from any form of electronic media.
Rebuilding damaged computers in an attempt to find evidence.
Documenting what they find and observe, and reporting it according to industry standards.
Often testifying in a court of law to explain how the evidence was collected.
Researching their domain and sharing knowledge about security issues in online forums.
Training fellow officers to perform the activities listed above.
Incident Response Methodology [4]:
Incident response is a systematic approach to handling and responding to a security attack [6]. The schematic in figure 1 shows the components involved in incident response.
Figure 1: Components of Incident Response [5]. Image Courtesy: http://searchnetworking.techtarget.com/searchNetworking/Downloads/IncidentResponseChapter2.pdf
Pre-Incident preparation [4]:
Preparing for an incident is essential to both the organization and the incident response team. Because future incidents are difficult to predict, prior preparation is needed to be well equipped when one occurs. Preparation is not limited to tools and techniques; it also covers the communication media that will be the target of an investigation. Preparing the organization involves making security checks on communication media, training employees, and making sure that risk assessment and mitigation are taken care of. Preparing the incident response team is based on the skill set they possess: they are briefed about the hardware and software that will be part of the investigation and any documentation standards to be followed, and the team is made to follow guidelines conforming to the organization’s policies and procedures.
Detection of incidents[4]:
Incidents must be detected before they can be resolved, which makes this a major step in incident response; an attack is usually detected by computer users, an administrator or security detection software. When an incident occurs, a log is usually kept recording details such as the nature of the attack, the date and time of the incident, the affected programs and who reported the incident; based on this information an incident response team is formed.
Initial response [4]:
Once the incident response team receives the incident log, the action it takes is known as the initial response, and the members involved in identifying the incident are the ones who carry it out. This phase includes collecting information about the incident, forming a strategic team, and listing the measures to be taken in the next phase. The initial response also involves interviewing the person who witnessed the incident, learning which vulnerabilities were involved, reviewing the reports from the earlier phase, such as access logs, and determining the network infrastructure at the place where the incident occurred.
Formulate response strategy [4]:
This phase deals with formulating the best-suited response strategy, taking into consideration the legal, social, economic, political and business factors [4] involved in the incident. The strategy plan also considers the extent to which systems may be affected, the likely source of the attack, whether any privacy breaches occurred, and the potential monetary loss.
Investigate the incident [4]:
In the investigation phase, data pertaining to the evidence is collected and analyzed to find the source and nature of the attack. The main aim of the investigation is to identify the person responsible for the incident and eventually convict them in a court of law. When the investigation is complete, the steps needed to avoid similar incidents in the future are also identified and reported.
Reporting [4]:
In the reporting phase, all events that occurred during the incident response activity are recorded and reported, covering incident recognition, the initial response, action plans, data collection and analysis, and the investigation itself. Reports should be as clear as possible, conform to business requirements, and be easily understood by the people who are or will be part of the incident response team, leaving the reader no ambiguity on review. They should be written legibly, with formatting that is consistent throughout.
Resolution [4]:
The purpose of the resolution phase is solving the problem and making sure it does not recur. According to Vacca, “it is always a good idea to collect all evidence before implementing any security measures that would alter the evidence obtained” [4]. Resolution involves recognizing the company’s priorities so that high-importance incidents are identified and classified, understanding the nature of the incident that occurred, and finding fixes for the future. Any lost data or version is restored to its previous state where necessary. Security measures such as anti-virus, anti-spyware and anti-malware protection, firewalls, or intrusion detection software are implemented, and roles and responsibilities for further action, corrections and maintenance are assigned.
Computer Forensics Investigation [7]
In a world where computer resources are exploited to the maximum, leaving a trail behind whenever somebody boots a computer is very common; even experienced IT specialists, working in haste, are bound to leave some track of their activities. In the discussion that follows we cover various forms of investigation, ranging from the internet, e-mail and instant messengers to network forensics [7]. The scope is not limited to the internet and e-mail: the wireless handheld devices in common use today are also targets, since anybody can connect to anyone’s cell phone in no time, and teenagers are not very concerned with protecting their privacy and readily share their numbers with strangers they meet. To an extent, social networking sites provide most of the information needed to target a person without his or her consent and pose a threat or mount an attack in the future. The following media for investigation will be discussed in detail [7]:
E-mail and Internet Forensics [7]
Data Forensics [7]
Document Forensics [7]
Mobile Forensics [7]
Network Forensics [7]
E-mail and Internet Forensics [7]:
E-mail forensics is becoming more prominent these days, as most people rely on e-mail and the internet for communication; gone are the days when communication was predominantly by postal mail or telephone. The first prerequisite for an e-mail forensic investigation is understanding how an e-mail travels from sender to receiver: the investigator must have sound knowledge of the protocols used in mail communication and of the different layers of the communication system. E-mail is often an easy source of evidence for an investigator because he has access both to the computer where the messages were downloaded and to the server where the correspondence details are stored. The next step is examining the headers and body of the e-mail: the headers record who sent the message, to whom, the subject and the date, and their function is to route the message to the recipient. Each mail server that handles the message prepends its own Received header, so the chain of Received headers, read from bottom to top, records the route the message took and the address it entered from. The investigator often accesses the client’s computer for messages if they are using client-based software such as Outlook or Outlook Express [7]. If the client uses a web-based service such as Gmail, Yahoo or MSN, the service provider must be approached for the information, and it is not always retrievable [7]; in that case the local computer’s cache and temporary files are examined to trace deleted items. Once the e-mail is identified, it does not take much to ascertain the evidence. Investigators usually also look through the internet history for browsing patterns and through instant messenger chat histories to check what is going on in the background [7]. This also helps in public chat rooms, for identifying culprits who lure underage children into sex chat and exploitation [7].
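The header examination described above, as an added example that is not from the cited sources: the script parses a constructed message (documentation domains and IP ranges, not real hosts), reads the Received headers in chronological order, extracts the originating IP, and flags when the host announced by the sending server does not match its reverse DNS, since the announced name is under the sender's control and the address is not.

```python
"""E-mail header route reconstruction (added example)."""
import re
from email import message_from_bytes
from email.utils import parseaddr, parsedate_to_datetime

# Constructed message as it would sit in a mailbox file.
RAW_MESSAGE = b"""Received: from mx.victim-corp.example (mx.victim-corp.example [198.51.100.7])
\tby mailbox01.victim-corp.example with ESMTP id k8Ab21
\tfor <ceo@victim-corp.example>; Tue, 12 Mar 2013 09:15:02 +0000
Received: from partner-corp.example (unknown [203.0.113.45])
\tby mx.victim-corp.example with ESMTP id q2C9Ew7
\t; Tue, 12 Mar 2013 09:14:58 +0000
From: "Accounts Payable" <accounts@partner-corp.example>
To: ceo@victim-corp.example
Subject: Updated wire instructions
Date: Tue, 12 Mar 2013 09:14:50 +0000
Message-ID: <20130312091450.17@partner-corp.example>

Please send this quarter's payment to the new account below.
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)"
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Pull announced host, reverse DNS, IP, receiving host and timestamp out
    of one Received header. Fields that cannot be parsed are None."""
    value = " ".join(value.split())  # unfold continuation lines
    m = RECEIVED_RE.search(value)
    comment = (m.group("comment") or "") if m else ""
    ip = IP_RE.search(comment)
    stamp = value.rsplit(";", 1)[1].strip() if ";" in value else None
    return {
        "helo": m.group("helo") if m else None,
        "rdns": comment.split()[0] if comment else None,
        "ip": ip.group(1) if ip else None,
        "by": m.group("by") if m else None,
        "time": parsedate_to_datetime(stamp) if stamp else None,
    }


def received_chain(msg):
    """Received headers in chronological order: each relay prepends its own
    header, so the bottom-most one is the first hop."""
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def summarize(raw):
    """Sender, recipient, route and timing of a raw RFC 5322 message."""
    msg = message_from_bytes(raw)
    hops = received_chain(msg)
    first, last = hops[0], hops[-1]
    return {
        "from": parseaddr(msg["From"])[1],
        "to": parseaddr(msg["To"])[1],
        "subject": msg["Subject"],
        "message_id": msg["Message-ID"],
        "origin_ip": first["ip"],
        # The HELO name is chosen by the sender; reverse DNS is not.
        "helo_rdns_mismatch": first["helo"] != first["rdns"],
        "hops": [(h["ip"], h["by"]) for h in hops],
        "transit_seconds": (last["time"] - first["time"]).total_seconds(),
    }


if __name__ == "__main__":
    for key, value in summarize(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

Only the headers added by servers the investigator trusts (here, the victim's own) are reliable; anything below the first trusted hop, including the From line, can be forged, which is why the origin IP is taken from the trusted server's Received header rather than from the sender's own headers.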
Data Forensics [7]:
A forensic investigator must understand the physical storage drives in a computer before venturing to find evidence. The primary motive for looking into the hard drive of a client’s computer is to recover deleted and cached files [7]; a deleted file can be the missing link in an investigation. Once a deleted file is recovered, it still shows the dates and times it was created, last accessed and deleted, which gives the investigator useful information. The cache holds copies of files the suspect viewed on the internet, and knowledge of file systems is essential for recovering files from it. Investigators often go through the computer’s registry to search for installed applications, even ones that appear to have been deleted; passwords are also recorded in the registry if the user uses the browser’s auto-fill option. The registry also provides information about the routers the computer has connected to and about unread mail in clients such as Outlook [7]. Finally, the investigator reconstructs the data captured from anywhere in the computer using forensic tools [7].
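When a deleted file's directory entry is gone, its contents can still be recovered from unallocated space by searching for the file format's header and footer signatures, a technique known as carving. The following added example (not from the cited sources) does this over a constructed unallocated region containing a PNG, a JPEG and a PNG whose tail was overwritten; the payloads carry valid signatures but are not decodable images.

```python
"""Signature-based file carving from unallocated space (added example)."""
import os

# Header/footer pairs for two common image formats.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
}

# Constructed unallocated region: filler, a complete PNG, more filler, a
# complete JPEG, then a PNG whose tail was overwritten (no IEND chunk).
FILLER = bytes([0x00, 0x55, 0xAA, 0x33])
PNG_SAMPLE = (SIGNATURES["png"][0] + b"\x00\x00\x00\rIHDR" + b"\x00" * 13
              + b"chunk-data" * 20 + SIGNATURES["png"][1])
JPEG_SAMPLE = (SIGNATURES["jpeg"][0] + b"\xe0\x00\x10JFIF\x00"
               + b"\x01\x02" * 100 + SIGNATURES["jpeg"][1])
TRUNCATED_PNG = SIGNATURES["png"][0] + b"\x00\x00\x00\rIHDR" + b"\x00" * 40
UNALLOCATED = (FILLER * 175 + PNG_SAMPLE + FILLER * 75 + JPEG_SAMPLE
               + FILLER * 25 + TRUNCATED_PNG + FILLER * 10)


def carve(data, max_size=8 * 1024 * 1024):
    """Find every known header and pair it with the next matching footer
    within max_size bytes. A header with no footer is reported as an
    incomplete carve of at most max_size bytes. Returns dicts sorted by offset."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = 0
        while True:
            start = data.find(head, pos)
            if start < 0:
                break
            tail_at = data.find(tail, start + len(head), start + max_size)
            if tail_at < 0:
                end, complete = min(len(data), start + max_size), False
            else:
                end, complete = tail_at + len(tail), True
            found.append({"type": kind, "offset": start, "size": end - start,
                          "complete": complete, "data": data[start:end]})
            # Resume after the carved object so a later file's footer is not
            # attributed to this header (the classic carving mistake).
            pos = end if complete else start + len(head)
    return sorted(found, key=lambda f: f["offset"])


def write_carved(found, directory):
    """Save carved objects as <offset>.<type>, marking incomplete ones."""
    paths = []
    for f in found:
        suffix = "" if f["complete"] else ".partial"
        path = os.path.join(directory, f"{f['offset']:08x}.{f['type']}{suffix}")
        with open(path, "wb") as out:
            out.write(f["data"])
        paths.append(path)
    return paths


if __name__ == "__main__":
    for f in carve(UNALLOCATED):
        print(f["type"], hex(f["offset"]), f["size"], "complete" if f["complete"] else "partial")
```

Carving recovers content but not the file's name or its creation, access and deletion timestamps; those live in the file system's metadata, which is why a recoverable directory or MFT entry is preferred when one still exists.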
Document Forensics [7]:
When documents are sought as evidence, it is very important to relate the document to the suspect, which is a challenge forensic investigators face. Documents often reveal when they were created, when they were last modified and when they were deleted, and with these leads it is easier for the analyst to trace the document to a subject and present it as evidence. The concept that makes documents traceable is metadata [7], data about data, which gives important information about the data on a computer. When an application is installed on a machine it is generally tagged to the current user; partitions are given names, and history logs are kept for all applications on a computer and their corresponding owners. To access metadata an analyst usually uses the properties option offered by the application. Once the metadata has been identified, tools are used to extract it, and the results are mapped to the documents to produce the evidence sought.
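As an added example of extracting such metadata with a tool rather than the application's properties dialog (not code from the cited sources), the script below builds a minimal constructed .docx in memory and reads its core properties, which Word stores in docProps/core.xml inside the zip package. It also reads the zip entries' own timestamps, a second clock that the document's author does not normally see.

```python
"""Extracting document metadata from an OOXML (.docx) package (added example)."""
import io
import xml.etree.ElementTree as ET
import zipfile

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

# docProps/core.xml in the form Word writes it (constructed values).
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:title>Board minutes</dc:title>
  <dc:creator>jdoe</dc:creator>
  <cp:lastModifiedBy>mallory</cp:lastModifiedBy>
  <cp:revision>7</cp:revision>
  <dcterms:created xsi:type="dcterms:W3CDTF">2013-03-11T16:02:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2013-03-12T09:41:00Z</dcterms:modified>
</cp:coreProperties>""".format(**NS)


def build_docx():
    """Minimal constructed .docx: a zip with core properties and a body part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(zipfile.ZipInfo("docProps/core.xml", (1980, 1, 1, 0, 0, 0)), CORE_XML)
        z.writestr(zipfile.ZipInfo("word/document.xml", (1980, 1, 1, 0, 0, 0)),
                   "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>")
    return buf.getvalue()


def core_properties(docx_bytes):
    """Return the core metadata fields of a .docx (None when absent)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
        entry_times = {i.filename: i.date_time for i in z.infolist()}

    def text(path):
        node = root.find(path, NS)
        return node.text if node is not None else None

    return {
        "title": text("dc:title"),
        "creator": text("dc:creator"),
        "last_modified_by": text("cp:lastModifiedBy"),
        "revision": text("cp:revision"),
        "created": text("dcterms:created"),
        "modified": text("dcterms:modified"),
        # Office typically stamps zip entries with 1980-01-01; a real date here
        # suggests the package was rebuilt by some other tool.
        "entry_times": entry_times,
    }


def authorship_flags(props):
    """Indicators worth noting when tying a document to a person."""
    return {
        "creator_differs_from_editor": props["creator"] != props["last_modified_by"],
        "modified_before_created": (props["modified"] or "") < (props["created"] or ""),
    }


if __name__ == "__main__":
    props = core_properties(build_docx())
    print(props)
    print(authorship_flags(props))
```

The creator and last-modified-by fields are whatever the application's user name was set to, so they tie a document to an account and a machine configuration rather than to a person directly; the investigator corroborates them with file system timestamps and the user's login history.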
Mobile Forensics [7]:
Handheld devices are fast replacing desktop computers, and music systems are becoming mobile. This means crime is no longer stationary, with only the data in transit: with mobile devices the person, the device and the data are all on the move, which creates more variables to be identified, extracted and analyzed for evidence. Wireless systems also offer several modes of communication, so it is a more daunting task for the investigator to keep up with, and today’s mobile devices have all the features a personal computer has. The analyst starts from the service provider: for a registered subscriber the provider often holds details of the subscriber’s whereabouts, bank accounts tagged to the account, the data package, data usage, call lists and SMS text records, which are used when a suspect is on the run. When the suspect’s handheld device is physically available, the investigator has access to the contacts list, task list, pictures, videos, recorded conversations, reminders and alarms, which may provide the leads needed to find evidence. All mobile devices have memory in which data is stored; to extract it, the device is connected to a computer by USB cable. If the data in question is on the SIM card, a copy of the SIM card is usually made and worked on [7]. When a mobile device is seized, it should be kept out of range of all wireless networks, Bluetooth and infrared technologies to prevent attempts to tamper with or destroy the evidence on it.
Network Forensics [7]:
This is the branch of forensics in which analysts work over the network to find evidence and identify suspects. Since computer forensics is relatively new, not many developments have taken shape in network forensics. Its benefit is that crime can be identified without accessing the suspect’s computer, or even without the knowledge of the end user [7]. An analyst in this domain must be thorough with the various network layers of communication systems and able to identify and troubleshoot problems with the components of the network. The challenge in network forensics is the enormous traffic between networks and servers; it is simply not easy to reproduce events that have already occurred. Network forensic investigators are pressed into service when there is a breach of network security on LANs, WANs or computers connected to the network. Whenever there is an attack on the network or any part of it, the intrusion detection system (IDS) [7] keeps track of the events that occurred before, during and after the attack, and this is the source the investigators use to start the proceedings. Once the event logs are unveiled and understood, the evidence is captured using retrieval tools. It is always a good idea to back up networks to keep losses to a minimum.
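Starting from the IDS alert and pulling in what the other devices logged before and after it is the first step the paragraph describes. The following added example (not from the cited sources) does that over a handful of constructed log lines: an iptables-style firewall record, sshd authentication messages and one Snort fast-alert line using a local rule SID. It normalises the three formats to a common timestamp (both syslog and Snort fast alerts omit the year, so it is assumed) and returns every event within a window of the alert that involves the alert's source or destination address.

```python
"""Reconstructing the timeline around an IDS alert from mixed logs (added example)."""
import re
from datetime import datetime, timedelta

LOG_YEAR = 2013  # syslog and Snort fast-alert lines carry no year

# Constructed log lines from three sources.
LOG_LINES = [
    "Mar 12 08:30:00 srv01 sshd[1999]: Accepted publickey for alice from 10.0.0.20 port 52001 ssh2",
    "Mar 12 09:14:50 fw kernel: [1283.22] FW-ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.45 DST=10.0.0.5 PROTO=TCP SPT=44321 DPT=22",
    "Mar 12 09:14:53 srv01 sshd[2211]: Failed password for root from 203.0.113.45 port 44321 ssh2",
    "Mar 12 09:14:57 srv01 sshd[2211]: Accepted password for root from 203.0.113.45 port 44321 ssh2",
    "03/12-09:14:58.123456  [**] [1:1000001:1] LOCAL root login from external address [**] [Priority: 1] {TCP} 203.0.113.45:44321 -> 10.0.0.5:22",
    "Mar 12 09:20:11 fw kernel: [1604.90] FW-ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.9 PROTO=TCP SPT=50110 DPT=443",
]

SYSLOG_TS = r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+"
FIREWALL_RE = re.compile(SYSLOG_TS + r"kernel:.*?SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+).*?DPT=(?P<dport>\d+)")
SSHD_RE = re.compile(SYSLOG_TS + r"sshd\[\d+\]:\s+(?P<msg>.*?)\s+from\s+(?P<src>[\d.]+)")
SNORT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_line(line, year=LOG_YEAR):
    """Normalise one log line to a dict with a datetime, or None if unrecognised."""
    m = FIREWALL_RE.match(line)
    if m:
        return {"time": datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y"),
                "source": "firewall", "src": m["src"], "dst": m["dst"],
                "msg": f"allowed to port {m['dport']}"}
    m = SSHD_RE.match(line)
    if m:
        return {"time": datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y"),
                "source": "sshd", "src": m["src"], "dst": None, "msg": m["msg"]}
    m = SNORT_RE.match(line)
    if m:
        return {"time": datetime.strptime(f"{m['ts']} {year}", "%m/%d-%H:%M:%S %Y"),
                "source": "ids", "src": m["src"], "dst": m["dst"],
                "msg": f"[{m['sid']}] {m['msg']}", "alert": True}
    return None


def timeline_around_alert(lines, window_seconds=60, year=LOG_YEAR):
    """Events within +/- window_seconds of the earliest IDS alert that involve
    the alert's source or destination address, in time order."""
    events = [e for e in (parse_line(line, year) for line in lines) if e]
    alerts = [e for e in events if e.get("alert")]
    if not alerts:
        return []
    alert = min(alerts, key=lambda e: e["time"])
    window = timedelta(seconds=window_seconds)
    hosts = {alert["src"], alert["dst"]}
    related = [e for e in events
               if abs(e["time"] - alert["time"]) <= window and hosts & {e["src"], e["dst"]}]
    return sorted(related, key=lambda e: e["time"])


if __name__ == "__main__":
    for e in timeline_around_alert(LOG_LINES):
        print(e["time"], e["source"], e["src"], e["msg"])
```

The correlation only works when the clocks of the firewall, the server and the sensor agree, so recording each device's clock offset at collection time is part of preserving this evidence.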
Court and trials:
The last stage, after the investigation has been completed, is appearing in court with all the evidence and trying to win the case. Before appearing in court, steps must be taken to ensure the evidence needed to fight the case is in place, well formatted and well documented, and the specialist should anticipate what might come up during the trial and what might need to be submitted as exhibits. The forensic specialist must also be aware of all the political, legal and ethical aspects of fighting the case. The evidence alone does not guarantee a reasonable outcome; how well the jury understands computer forensics also comes into the picture.
Future of Computer Forensics:
Computer forensics is a budding field, and scope for improvement and advancement is imminent. With ever-growing technological advances it is very difficult to gain expertise. Every day a new malicious program is detected, and often we learn what has happened only after it has affected the internet. Even though intrusion prevention systems are kept updated with new patches, there are always threats we are oblivious to, and we are often caught off guard. Advances in encryption and cryptography will make it harder for investigators to break into communication media to gather evidence. One important emerging threat, known as “drive-by” hacking, haunts security professionals: attackers can gain access to your computers or handheld devices without coming into physical contact with you. The scope of computer forensics is enormous, but at the same time the threats that will be posed to corporate organizations are unimaginable today. We have not yet witnessed large-scale destruction by hackers or malicious programmers of major transport systems or financial institutions, or a threat to national intelligence agencies worldwide. When it does happen, the question will be how the incident response team reacts and makes the initial response, since pre-incident preparation will be absent for a threat whose nature and target are being seen for the first time.
Conclusion:
Forensic technology is a developing and emerging field of information science which has not yet been put to the test by serious threats. So far so good, but with technological advances the need of the hour is not only for computer professionals to be aware of and trained in what computer forensics is all about; the whole system, comprising the common man, law enforcement officers, forensic specialists, lawyers and juries, should be oriented to what this study is about and how we can prepare ourselves for when we are struck by computer criminals. Most crimes go unnoticed, and many companies are not willing to fight computer crime, preferring instead to fix the loopholes in their security systems. This encourages offenders to challenge the system with more advanced hacking and attack strategies. Organizations should take the initiative to report crimes so that forensic specialists can take over and act, yet organizations are usually unwilling to report attacks for fear of damage to their reputation. The cost of training computer forensic professionals is high because training is generally provided by private firms, and more often than not only bigger companies can afford to hire them. In all, future directions should concentrate on how computer forensics can keep pace with growth in information technology and security, and prevail against any adversity posed by inquisitive criminals.