What Is Cyber Forensic Information Technology Essay
Cyber forensics is the process of acquiring, authenticating, analysing and documenting evidence retrieved from the systems, or the online services, used to commit a crime. The systems may be computers, networks, digital media or storage devices holding information of value to investigators; online, the sources may be e-commerce domains or other websites. In cyber forensics, file or data carving techniques are the most common way to extract digital evidence from the source, whether a hard drive or an online domain (Ibrahim, 2011, p. 137). Computer forensics matters not only because it recovers files hidden on or deleted from storage devices and systems, but because it can also tell forensics experts whether suspicious activity is going on or whether a system has been tampered with. It has solved the problem of recovering information from files when the file system is unavailable or its structure is corrupted; files may have been deliberately deleted or, worse, the media formatted, because it was in the suspect's interest to conceal his actions. In today's era, where technology is part of almost every electronic device, it is important to know how a trained forensics specialist is expected to perform, when required, in collecting evidence and presenting his findings to the corresponding agencies (Ibrahim, 2011, p. 138).
History of Cyber Forensics
The rise of cyber forensics began as early as 1984, in response to growing demand from law enforcement agencies such as the FBI (John, 2003, p. 366). Digital forensics itself, however, has been around since nearly the birth of the computer (Greg, 2012, p. 1). Since the 1980s, law enforcement agencies have developed forensics applications to examine computer evidence. As forensics needs grew, the FBI set up CART, the Computer Analysis and Response Team, tasked with analysing computer evidence. CART's functions and techniques were so widely used, and its performance so strong, that law enforcement agencies outside the country quickly emulated it by establishing cyber forensics departments of their own (John, 2003, p. 366).
Examinations of forensics evidence are normally carried out in forensics laboratories or clean rooms by computer forensics investigators. A competent and knowledgeable forensics expert should lead the examination, since it is always vital to preserve the integrity of the data rather than destroy it. Many forensics experts have their own standards and procedures for how computer forensics examinations are conducted, which can be a serious problem: differing standards can jeopardise the integrity, credibility and validity of the digital evidence, with serious implications later on. Therefore, as early as 1991, suggestions were raised to streamline and standardise the examination processes and protocols, with the aim of smoothing out the rough edges in the approach to finding evidence. Eventually this led to the formation of the International Organization on Computer Evidence and the Scientific Working Group on Digital Evidence (SWGDE), a worldwide effort to help law enforcement agencies around the globe work more closely together on forensics examinations (John, 2003, p. 366).
Over the years, as technology has advanced, so has criminal activity on the Net that makes use of these technologies. Crime has not only doubled with the advance of technology but shows no sign of slowing down. Criminals rack their brains over how to bypass security flaws in systems, while security teams brainstorm how to improve those systems to keep criminals out. Billions of dollars have been lost to cybercrime, part of which has gone into criminal pockets and funded illegal activities. It will always be a game of cops and robbers, to see who steps up first to stop the other from committing crime on the Internet (John, 2003, p. 367).
What is Digital Evidence?
Digital evidence is evidence in soft copy rather than hard copy, as the term suggests. It can be in any data format: text, images, audio or video. Digital evidence is not quite like physical crime-scene evidence. Evidence from a physical crime scene is durable to a certain extent; it can be kept, photographed and explained. This is not the case for digital evidence, where any wrong move in examining it may alter or destroy the evidence with no way to roll back (Eoghan, 2011, p. 7).
Digital evidence is so fragile that it can easily be damaged, modified or deliberately destroyed. That is why the original evidence is usually duplicated and the analysis carried out on the duplicate, so that no mishap can damage the original copy. The scope of digital evidence examination can be very broad, covering both online and offline sources; examples are credit card transactions, Internet communication history, hard drives and other storage devices (Barry, William, Catherine, 2009, p. 295). Digital evidence is critical to an investigation because the information it holds can tell the investigator what really happened and piece together the whole picture. Forensics experts look for any form of metadata, suspicious content and other data residing on the hard drive. Every click the user makes on the computer is recorded by the system, and a trained forensics expert can tell at a glance, better than anyone else, what kinds of activity the user was engaged in and what he was after. The recorded logs act like a behavioural database, documenting every movement made on the laptop by whoever used it (Eoghan, 2003, p. 8).
The consequences would be unthinkable in this age of technological revolution if digital evidence were not available. It would mean that criminals, terrorists and other offenders could use technology to commit their crimes and avoid apprehension for lack of evidence, or worse, raise the difficulty of arresting them by legal means to a whole new level for law enforcement agencies. If so, these criminals would get away scot-free. Digital evidence can tell judges or investigators the truth, and it can also prove a person's innocence of a crime. Digital evidence speaks the truth. It can also unveil a bigger crime plot in the making, such as murder, drug dealing, credit card theft or a planned terrorist attack.
However, forensics experts sometimes meet their match: people who are technically knowledgeable in forensics and know how to hide their tracks. This makes uncovering the trail of their wrongdoing more tedious and difficult (Eoghan Casey, p. 6 – 8).
The very first step of an investigation at the crime scene itself is to preserve the digital evidence as it is. This step is critical because of the fragility of digital evidence, and procedures need to be in place to avoid contamination or loss of the evidence. Contamination here also means altering, damaging or destroying the digital evidence. It is important to minimise any chance of corrupting the digital evidence at the point of seizure and throughout the investigation process (Boddington, 2011, p. 4).
There are methods and techniques to help forensics experts prevent digital evidence from being unintentionally tampered with, such as imaging and write-blocking. Imaging is the equivalent of ghosting a backup copy of the whole computer hard drive (the evidence) into a soft copy. Investigators then work on the ghosted copy of the hard drive while the original is kept to one side; if the ghosted copy is ever corrupted, investigators can bring out the original hard drive and create another copy to work on. Write-blocking is another good way to prevent the original evidence being altered. The evidence media is connected through a special device that blocks any attempt to overwrite the data on it, so the evidence on the hard drive cannot be altered because every attempt to write to the media is blocked (Barry, William, Catherine, 2009, p. 301).
The reason for preserving digital evidence is simple. When digital evidence is submitted for documentation or legal purposes to any court or legal department, legitimate proof is required that the findings of the investigation are correct: what is presented must be shown to be the same as the exhibit seized at the crime scene. This is commonly known as the chain of custody. In a cyber-forensics crime environment, for example, such exhibits would be media storage devices, a copy of the digital evidence from the seized hard disk, and so on (Boddington, 2011, p. 5). The chain of custody is essentially a map that clearly depicts how the digital evidence was processed: collected, analysed and preserved in order to be presented as digital evidence in court. It is also needed to show whether the evidence is trustworthy. Three criteria are essential to meet the requirements of the chain of custody. Firstly, no alteration may be made to the evidence from the day of seizure. Secondly, a duplicate copy must be created, and it must be functional, not corrupted. Lastly, all evidence and media must be secured. Being able to show that this chain of custody is unbroken is an investigator's primary tool for authenticating all the electronic evidence (John, 2005, p. 247).
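The imaging and chain-of-custody criteria described above (a read-only copy of the original, a duplicate verified as intact, and a record that can be re-checked later), as an added Python illustration rather than code from the essay or any of the cited works; the temporary file standing in for the seized drive, the choice of SHA-256 and the record layout are this example's own assumptions:

```python
"""Bit-for-bit imaging with hash verification and a chain-of-custody record.

Added illustration for this essay, not code from any cited work. The "suspect
drive" is a constructed temporary file standing in for a device such as /dev/sdb
that a real acquisition would read through a hardware write-blocker. The record
format and function names are this example's own assumptions.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB blocks, so a large drive never has to sit in memory


def sha256_of(path):
    """Stream-hash a file; used on both the source and the image."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_drive(source, image):
    """Copy every byte of `source` to `image`, then verify the copy.

    The source is opened read-only and never written to, the software side of
    the write-block principle. Returns a custody record: sizes, hashes and
    whether they match (criterion two: the duplicate must be intact).
    """
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image really reached the disk
    record = {
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "source": source,
        "image": image,
        "source_bytes": os.path.getsize(source),
        "image_bytes": os.path.getsize(image),
        "source_sha256": sha256_of(source),
        "image_sha256": sha256_of(image),
    }
    # A mismatch means re-image from the original; never analyse a bad copy.
    record["verified"] = (record["source_sha256"] == record["image_sha256"]
                          and record["source_bytes"] == record["image_bytes"])
    return record


def reverify(record):
    """Re-hash the image later (before analysis, or in court) against the hash
    recorded at seizure; any difference means the chain of custody is broken."""
    return sha256_of(record["image"]) == record["image_sha256"]


def demo():
    """Image a constructed 'drive' and write the custody record beside it."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "suspect_drive.bin")
    img = os.path.join(tmp, "suspect_drive.dd")
    with open(src, "wb") as f:  # constructed content, including a file remnant
        f.write(b"\x00" * 4096 + b"deleted invoice.docx remnant" + os.urandom(8192))
    record = image_drive(src, img)
    with open(os.path.join(tmp, "custody.json"), "w") as f:
        json.dump(record, f, indent=2)  # in practice this entry is signed and dated
    return record
```

Running `demo()` produces the image and a `custody.json` next to it; calling `reverify()` on that record at any later point is the check that the duplicate is still the one that was seized.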
If the chain of custody is broken, digital evidence collected from the scene and submitted to the court can be rejected, since the evidence might have been altered and might no longer tell the truth. This is a prosecutor's worst nightmare. In any situation, the chain of custody is best followed to prove that the evidence was not contaminated and remains in its original state. There are, however, occasions where collecting evidence without altering the data is not possible, especially when forensics tools are used. Such an act makes it seriously harder to justify that the evidence is intact, and the submission of such evidence will be challenged by the opposing side (Boddington, 2011, p. 6).
Once the evidence is preserved, it is time to locate the relevant evidence that can make a difference in the legal battle (Boddington, 2011, p. 8). The first rule of thumb when locating evidence is not to rush: one is eager to get the investigation started and wants to find as much evidence as possible, but the more one rushes, the more mistakes one is likely to make. Rushing into an investigation can have dire consequences, such as evidence being lost prematurely or altered unintentionally (John, 2005, p. 249).
Besides locating evidence, investigators must also maintain the integrity and reliability of the digital evidence; doing so minimises the alteration of metadata and the destruction of important evidence (John & Rudolph, 2010, p. 126). Digital evidence can be in any file format, such as email, notepad or video, or it can have no recognisable format at all because it has been encrypted. Forensics experts need to browse through thousands of files in a computer system or network to spot and collect suspicious files. They are trained to focus on areas of interest within the system, such as the Recycle Bin, the Windows Registry and the Internet temporary files folder. Focusing on these areas saves tremendous hours of searching, and they tell the investigators what happened and who did it (Boddington, 2011, p. 8). Examining such a wide range of file types, even after narrowing down to the areas of interest, makes the process a whole lot tougher and more tedious, so investigators bring in tools to help them locate and collect the evidence. Forensics experts often use tools such as OSForensics, XYR tools, Quick Stego or other sophisticated toolkits to aid their search. All these tools help investigators decide whether they are looking in the correct areas and whether they have missed anything important. Such equipment not only uncovers hidden or deleted files, it can also reveal whether a file is relevant to the case or not (John, 2005, p. 249).
Select and Analyse
Selecting evidence is often taken to mean the same thing as analysing it: selecting and analysing the evidence that will form part of a legal case. Investigators do not simply select all the evidence and submit it for the lawsuit. Matters such as attribution and document authentication play a part in the selection. Suspects can lie, but the evidence cannot. Attributing a crime to an individual is hard, but with the help of forensic analysis investigators can narrow it down to an Internet account or user account that was used to commit the crime. For instance, access to e-commerce domains makes it difficult for a suspect to deny responsibility for the activities carried out from the computer around the reported time. Alternatively, sources such as credit card usage, CCTV footage or mobile phone messages can be used against him. Selecting evidence found across the hard drive to use against the suspect is tedious work, as it has to match the time of his illegal act exactly, building a timeline in the process (Eoghan, 2009, p. 27).
Checking the metadata of documents for authentication may seem like a small property of the file, but it captures one of the most important aspects of forensic evidence. From the metadata, investigators can see when a file was created, last accessed and last modified. Using the date-time stamps on files and in log files, they can determine whether documents have been falsely dated or fabricated by looking for consistency in the log files. These methods help investigators authenticate the validity of the digital evidence (Eoghan, 2009, p. 31).
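One way to carry out the timestamp and log-file consistency check just described, as an added Python illustration that is not from the essay or the cited works; the document metadata, the log lines and their format are constructed for the example:

```python
"""Authenticating a document by checking its timestamps against log files.

Added illustration for this essay, not code from any cited work. The document
metadata and the log lines are constructed, and the log format
("<ISO time> <user> <action> <target>") is this example's own assumption.
"""
from datetime import datetime

# Constructed metadata for the file under examination, as a forensic tool
# would report it (created / last modified / last accessed).
DOC = {
    "path": "C:/Users/alice/Documents/contract.docx",
    "created": "2013-03-04T09:12:00",
    "modified": "2013-03-01T17:45:00",   # earlier than created: suspicious
    "accessed": "2013-03-04T09:12:00",
}

# Constructed audit log from the same machine, an independent record.
LOG = """\
2013-02-27T08:01:10 alice open C:/Users/alice/Documents/contract.docx
2013-03-01T17:45:00 alice save C:/Users/alice/Documents/contract.docx
2013-03-04T09:11:30 SYSTEM clockchange system
2013-03-04T09:12:00 alice open C:/Users/alice/Documents/contract.docx
"""


def ts(text):
    return datetime.fromisoformat(text)


def parse_log(text):
    events = []
    for line in text.splitlines():
        when, user, action, target = line.split(" ", 3)
        events.append({"when": ts(when), "user": user,
                       "action": action, "target": target})
    return events


def check_consistency(doc, log):
    """Return a list of findings; an empty list means nothing inconsistent."""
    findings = []
    created, modified = ts(doc["created"]), ts(doc["modified"])
    accessed = ts(doc["accessed"])
    # 1. The file's own timestamps must be internally consistent.
    if modified < created:
        findings.append("modified %s precedes created %s" % (modified, created))
    if accessed < created:
        findings.append("accessed %s precedes created %s" % (accessed, created))
    events = parse_log(log)
    # 2. Any logged activity on the file before its claimed creation time
    #    means the creation timestamp cannot be trusted.
    for e in events:
        if e["target"] == doc["path"] and e["when"] < created:
            findings.append("log: %s by %s at %s, before claimed creation"
                            % (e["action"], e["user"], e["when"]))
    # 3. A clock change close to the creation time is a classic explanation
    #    for backdated or forward-dated metadata.
    for e in events:
        gap = abs((e["when"] - created).total_seconds())
        if e["action"] == "clockchange" and gap < 3600:
            findings.append("system clock changed at %s, %d s from creation"
                            % (e["when"], gap))
    return findings
```

For the constructed input, `check_consistency(DOC, LOG)` reports four findings: the modified-before-created anomaly, two logged actions on the file before its claimed creation, and a clock change thirty seconds before that creation time.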
Meticulously selecting and analysing the evidence found at the crime scene helps piece together the whole timeline of the act, from which investigators may be able to tell the motive and intention of the suspect. Using evidence from across the crime scene and cross-referencing it accurately pieces together a series of events that can help locate the suspect and prove his crimes. Doing it wrongly, however, can twist fact into fiction and cause an inaccurate judgement of the crime (Eoghan, 2009, p. 21 – 23).
Investigators need the confidence to draw inferences from the evidence picked up at the crime scene and to judge whether it can be used in a legal argument. Validating digital evidence requires verifying the relevant parts of the digital domain where the evidence was created, processed and transferred, including the evidence file itself. The investigator's job is undoubtedly tough: preserve, locate and validate the digital evidence. Legal practitioners, however, face the greater challenge of constructing logical legal arguments (Boddington, R., Hobbs, V.J. & Mann, G, 2008, p. 3 – 5). The investigator's task is to determine credibility and validity, namely whether the claim drawn from the evidence can be verified. For example, the assertion that an important Word document was deleted would require confirming the existence of the deleted file through forensics tools. Incomplete or improper scanning of the available digital evidence during the validation stage of the investigation might jeopardise the evidence and the people involved in the case; in a more dire case, the investigation can come to a standstill (Boddington, R., Hobbs, V.J. & Mann, G, 2008, p. 7 – 10).
In some cases, investigators might miss a key piece of digital evidence, or resort to "cherry-picking" when selecting or discarding evidence to gain the upper hand in the legal battle; and sometimes an absence of evidence does not necessarily show evidence of absence, a phenomenon of the digital domain. In sum, how evidence is validated and presented in a lawsuit depends entirely on the skill and knowledge the investigators have accumulated over the years (Boddington, R., Hobbs, V.J. & Mann, G, 2008, p. 14).
Having selected and validated the digital evidence, the next step is to present it in an orderly manner in court (Boddington, 2011, p. 14). The digital evidence submitted can be in any format: a photo, CCTV footage, video or a word-processed document. Digital presentation enables the case to be heard in a way that is faster and easier for the jury to digest and judge (The Stationery Office, 2007, p. 48). The fundamental purpose of a courtroom is to administer justice and give a fair verdict. The investigator's role is to present the digital evidence found, together with other relevant supporting documents, to the court. It is always the investigator's duty to present the evidence accurately, clearly and without bias; this is the right thing for an investigator to do. An investigator's judgement must not be shaken by others in court, and he must not jump to conclusions, but give a clear and proper presentation. That is the investigator's professionalism (Eoghan, 2011, p. 49).
Forensics tools play an important role in digital forensics; without such high-tech software in the modern era, digital investigation would be put back into a primitive age. They were developed in the past for a single purpose: to aid forensics experts in investigating digital crime. They can be classified into three categories: imaging tools, analysis tools and forensics toolkits (Panagiotis, 2006, p. 62).
The sole purpose of imaging tools is to image a hard drive, making a bit-by-bit copy. This bit-by-bit image file is often known as the analysis drive. While creating the copy of the suspect's hard drive, it is important that no additional data is inserted, since that would alter not just the integrity but the validity of the evidence residing on the drive. On the open market there are a few trustworthy, easy-to-use imaging tools developed for forensics examinations. One of them is Norton Ghost. Symantec's Norton Ghost 9.0 has been on the market for quite some time. It is a backup and restoration utility that works on Windows, Linux and DOS systems, and its prominent feature is the creation of backup images without having to restart the system. Other features of Norton Ghost include Ghost Server, which clones a machine back from an image created earlier, and Ghost Explorer, which lets the creator view the files inside the image of the cloned hard drive (Panagiotis, 2006, p. 63). Tools in the analysis category cover a wide range; Quick Stego and DriveSpy are good examples. DriveSpy was designed to emulate and improve on the capabilities of DOS to meet the needs of forensics examinations, and it can be used to analyse DOS and non-DOS partitions using a built-in sector hex viewer (Panagiotis, 2006, p. 63 – 64).
Software like Quick Stego detects a hidden text message inside a larger message. Such text is not visible to the naked eye; it takes software like Quick Stego to detect it. The technique of hiding text this way is known as steganography, and the hidden information can be in plain text or images. It is often used to hide particular messages from everyone except those who know they are receiving information embedded by steganography. Quick Stego is simple and easy to use, and it helps forensics experts dig deeper into a system, which might uncover a bigger plot not yet found by the investigators (Lech & Andrew, 2008, p. 60). Forensics tools can make a real difference for forensics experts, helping them analyse the system better and gather more evidence; in other words, it is like a post-mortem of the system. Tools like OSForensics and ProDiscover give the investigator the ability to process the recent activity and logs of the system to better understand the suspect's movements. They also feature the capability to recover deleted files and discover deletion activity intended to hide things from the examiner. Besides these features, both tools have other functions, such as email analysis and index search analysis, which present the information in a more straightforward, easier-to-understand format (Lech & Andrew, 2008, p. 61 – 65).
Hypothesis and alternative hypotheses
After finding evidence at a crime scene, investigators may have their own hypothesis that fits the crime. Many predictions may follow, forming further hypotheses, some correct to a certain extent and others wrong. Part of the forensics expert's work is to figure out which hypothesis is the right one by eliminating the others. The success of the analysis rests on how carefully and thoroughly each hypothesis is questioned, so it is critical to consider other reasons and explanations in order to cross out the wrong ones. Once all the hypotheses have been reviewed and only one remains established as the most reasonable, fitting closest to the series of events relating to the crime according to the evidence found and the timeline, the investigators can convey their work to the decision makers for their final decision (Eoghan, 2009, p. 24). If the initial hypothesis is disproved, a new one must be formed and analysed until one hypothesis is found to be concrete and able to withstand the questions asked by the court. This ensures that the hypothesis is fully supported by the evidence itself and is able to tell the story of the real crime (John, 2005, p. 66).
Cybercrime is evolving day by day and becoming more and more sophisticated. Criminals are using ever more innovative and creative ways to commit crimes and hide their tracks. Measures and policies have been put in place to prevent the bypassing of system flaws from harming businesses and society (John, 2005, p. 182). The demand for forensics examination of crime systems has surged greatly in the 21st century, where technology plays a part in all electronic devices, and it has helped law enforcement agencies identify cyber and computer-assisted crime. Organisations are stressing the importance of having the capability to use computer forensics tools to identify misuse of organisation systems in the office (Greg, 2012, p. 6).
Computer forensics was initially designed and developed to assist in the practical application of the technology. In recent years, however, it has sparked off a new wave of academic research exploring better ways to obtain forensic evidence, and every new piece of research is a new insight gained by investigators. But as technology advances, so do the criminals, and law enforcement agencies, organisations and individuals need to know basic protection measures to safeguard their own assets from falling into the wrong hands (Nathan Clarke, 2010, p. 58).