
Digital Forensics and Investigation Methods

Author

Dr. Padmavathi Ganapathi
Dean - School of Physical Sciences and Computational Sciences
Professor, Department of Computer Science
Avinashilingam Institute for Home Science and Higher Education for Women (Deemed to be University)
Coimbatore-641043, Tamil Nadu, INDIA.

Co-author

Dr. Digvijaysinh Mahendrasinh Rathod
Associate Professor, Cyber Security and Digital Forensics
Associate Dean - School of Cyber Security and Digital Forensics
National Forensic Sciences University (NFSU), Ahmedabad
Ministry of Home Affairs, Government of India
Sector – 9, Gandhinagar, Gujarat.


Digital Forensics and Investigation Methods

Author(s): Padmavathi Ganapathi a*, Digvijaysinh Mahendrasingh Rathod b

a Dean - School of Physical Sciences and Computational Sciences, Professor, Department of Computer Science, Avinashilingam Institute for Home Science and Higher Education for Women (Deemed to be University), Coimbatore, Tamilnadu, India.

b Associate Professor - Cyber Security and Digital Forensics, Associate Dean, School of Cyber Security and Digital Forensics, National Forensic Sciences University (NFSU), Ahmedabad, Ministry of Home Affairs, Government of India, Sector – 9, Gandhinagar, Gujarat.

First Edition 2022
ISBN: 9798887332390

© Copyright (2022): Authors. The licensee is the Publisher (Notion Press).

Preface

The book “Digital Forensics and Investigation Methods” deals with digital forensics and the investigation methods associated with it. We are all living in the digital era. On one hand, technology simplifies daily chores and improves the quality of human life. On the other hand, cyber crimes are on the rise. Criminals operate more safely and smartly in the digital era, and they have changed the landscape of their operations. Finding evidence on digital media, preserving it and documenting it need a scientific and systematic approach. A forensic team must be exposed to the best techniques and tools to handle cyber crimes and complicated digital cases. This book focuses on the concept of digital forensics, the different types of digital forensics, digital forensic investigation methods, the tools used in digital forensic investigation, report writing and the management of evidence. It also briefly explains the various digital forensic investigation models and the process involved in digital forensic analysis. This material will be useful to digital forensic investigation officers, students and working professionals in developing an interest in the domain, and to cyber crime investigation teams in tackling cases promptly.

PADMAVATHI GANAPATHI Dean - School of Physical Sciences and Computational Sciences Professor - Department of Computer Science Avinashilingam Institute for Home Science and Higher Education for Women (Deemed to be University) Coimbatore - 641043.


Acknowledgment

I, the Course Co-ordinator, am thankful to MHRD-UGC for sanctioning the MOOC on Cyber Security under the SWAYAM platform. All the resources were prepared for the SWAYAM-MOOC learners to offer the course free of cost. I would also like to place on record my sincere gratitude to all the administrators of Avinashilingam Institute for Home Science and Higher Education for Women (Deemed to be University), Coimbatore, for their support and inspiration. I am grateful to all the subject experts who reviewed the scripts and the content writers who extended their fullest co-operation and timely help in preparing the script and running the course. I would also like to acknowledge the support of the UGC-SWAYAM team for their excellent monitoring and execution of the program through their technical support and extraordinary enthusiasm. Finally, I acknowledge and thank the services rendered by Ms. Miruthula, M.Sc., towards technical and secretarial assistance.

PADMAVATHI GANAPATHI Dean - School of Physical Sciences and Computational Sciences Professor - Department of Computer Science Avinashilingam Institute for Home Science and Higher Education for Women (Deemed to be University) Coimbatore - 641043.

Brief Contents

1. Digital Forensics
2. Different Types of Digital Forensics
3. Digital Forensic Investigation Methods
4. Report Writing
5. Management of Evidence
Exercises
Appendix A: Learn More
Appendix B: Glossary
Appendix C: Acronyms and Abbreviations
Appendix D: Other Exercises
Answers to the Objective Type Questions

**********************************************************************************


Contents

Chapter 1 Digital Forensics
1.1 Digital Forensics
1.1.1 Digital Forensics - Definition
1.1.2 Evolution of Digital Forensics
1.1.3 Developments in Digital Forensics
1.1.4 Need for Digital Forensics
1.1.5 Objectives of Digital Forensics
1.1.6 Issues in Digital Forensics
1.1.7 Challenges in Digital Forensics
1.1.8 Digital Forensics Tools
1.1.9 Applications of Digital Forensics
1.1.10 Digital Forensics Strategies and Controls
1.1.11 Criteria for Selecting a Forensic Firm
1.2 Conclusion

Chapter 2 Different Types of Digital Forensics
2.1 Branches of Digital Forensics
2.1.1 Computer Forensics
2.1.2 Mobile Devices Forensics
2.1.3 Network Forensics
2.1.4 Database Forensics
2.1.5 Cloud Forensics
2.1.6 Digital Image Forensics
2.1.7 Digital Video / Audio Forensics
2.1.8 Memory Forensics
2.1.9 IoT Forensics
2.2 Case Study
2.3 Conclusion

Chapter 3 Digital Forensic Investigation Methods
3.1 Introduction to Digital Forensics Investigations
3.2 Digital Forensic Investigation
3.2.1 Why Investigate?
3.2.2 Pre-requisites for an Effective Investigation
3.2.3 Process Models of Computer Forensics Investigation
3.2.4 Digital Forensic Investigation Model
3.2.5 Phases Involved in Carrying out Computer Forensics Investigation
3.2.6 Maintaining Professional Conduct
3.2.7 Computer Forensic Tools
3.3 Conclusion

Chapter 4 Report Writing
4.1 Report Writing
4.1.1 Introduction to Report Writing
4.1.2 Characteristics of a Good Report
4.1.3 Key Points in Writing a Report
4.1.4 Report Writing for High Tech Investigations
4.2 Conclusion

Chapter 5 Management of Evidence
5.1 Management of Evidence
5.1.1 Ways to Obtain Evidence Forensically
5.1.2 What We Need to Know While Maintaining Evidence?
5.1.3 Types of Evidence Collection
5.1.4 Evidence Storage
5.1.5 Preservation of Digital Evidence
5.1.6 Digital Evidence Examination
5.1.7 Other Analysis Techniques of Acquiring Evidence
5.2 Conclusion

Exercises
Appendix A: Learn More
Appendix B: Glossary
Appendix C: Acronyms and Abbreviations
Appendix D: Other Exercises
Answers to the Objective Type Questions

**********************************************************************************


Chapter 1 Digital Forensics

1.1 Digital Forensics

The development of digital technology has paved the way for the rise in number and severity of cyber incidents. An organization that counters this type of incident responds with a set of predetermined actions. One of the primary actions is the use of digital forensic methods to investigate and recover digital proof from electronic devices. In other words, digital forensics is “the process of identifying, preserving, analyzing and presenting digital evidence in the court of law in a legally acceptable form”.

1.1.1 Digital Forensics - Definition

The subdivision of forensic science that focuses on recovering and examining evidence from digital devices is called digital forensics. It is also called digital forensic science or computer forensics. Computer forensics usually deals with crimes in which the computer and its associated devices constitute the entire crime scene, and it is also used to find the evidence that resides in the computer during the investigation process. Digital forensics applies traditional forensic methods to finding and retrieving evidence. Every forensic science certification requires a balanced set of rules built on an ethical approach to investigation. Electronic evidence can be uncovered and interpreted using digital forensic techniques. The main aim is to preserve the raw evidence while carrying out a structured investigation process, which includes the collection, identification and validation of digital information in order to reconstruct events that happened in the past. Although digital forensics can be used to reconstruct the crime scene, its results are most importantly used as testimony in the court of law, and examining the evidentiary value of such evidence in court requires scrupulous standards. Hence, various efforts have been taken by the Government to gain a deep understanding of how evidence is obtained through digital forensics. One of them is the National Institute of Standards and Technology (NIST) guide on integrating forensic techniques into incident response.


1.1.2 Evolution of Digital Forensics

The digital forensics process was being carried out even 40 years ago. It came into existence during the 1970s as a response to service requests from the law enforcement community. In the beginning, the most common form of crime was financial fraud: criminals used the computer as the object of the crime to victimize certain users and gain financial benefit from them. After ten years, many training courses centred on digital forensics were established by organizations such as the Association of Proficient Fraud Assessors, the National Consortium for Justice Information and Statistics, and the High-Tech Crime Investigation Association (HTCIA). The International Association of Computer Investigative Specialists (IACIS) was the first ever digital forensics company formed for data access. Rudimentary retrieval capabilities such as undelete or unformat were provided by old forensic tools like MACE (Modified, Accessed, Created, Entry modified) and Norton, and only a single individual and computer were involved in the investigation process. The emerging direction of digital forensic tool development is the open-source, community-driven model, which makes tool development modular, extensible, robust and supportable across numerous platforms. Software and standards baselines make it possible to include add-ons, plug-ins and the digital evidence bag (DEB) meta-format. To address the rising need of law enforcement for a structured approach to the investigation process, the FBI established the Computer Analysis and Response Team (CART). This led to government contributions to the development of forensic standards in 1984. During the early 1990s, the FBI supported the US Postal Service in forming its own computer forensics unit. A group of federal crime laboratory directors became the Scientific Working Group on Digital Evidence (SWGDE) and conducted meetings once in two years to deliberate on areas of mutual interest. Additionally, a Technical Working Group (TWG) was formed after discussion with Mark Pollitt (Unit Chief of CART) and Scott Charney (Vice President for Security Policy at Microsoft, who had served as Chief of the Computer Crime and Intellectual Property Section (CCIPS)) to bring forward and address forensic issues related to digital evidence. This group was formed to examine digital evidence from the legal standpoint, including the need for a search warrant to seize computer-related evidence. The needs of law enforcement agencies led to the development of the National Hi-Tech Crime Unit in the United Kingdom in 2001, with resources based in London. Further, in 2006, it became the Serious Organized Crime Agency (SOCA).

1.1.3 Developments in Digital Forensics

Digital forensics has developed steadily over the years, driven by the growing needs of cybercrime investigation. The developments can be described as follows:

- In the year 1993, the first International Conference on Digital Evidence was conducted in the United States. In the year 1995, the International Organization on Computer Evidence (IOCE) was formed.
- In 1998, international principles, guidelines and procedures for digital evidence were created by IOCE, appointed by the G8, and the International Criminal Police Organization (INTERPOL) Forensic Science Symposium was conducted, raising awareness of various computer forensics issues. This led to the need for standardizing digital evidence so that it can be produced in court as valuable evidence.
- Two years later, in 2000, the SWGDE issued “Best Practices for Computer Forensics”.
- The Budapest Convention on Cybercrime, signed in 2001, came into effect in 2004. This was the first ever international treaty on cybercrime; it works to harmonize national computer crime laws, investigation practices and international cooperation, focusing on copyright infringement, e-fraud, child pornography, hate crimes and network security violations. The United States was the sixteenth country to ratify the Convention, in 2006.
- In 2005, the International Organization for Standardization (ISO) issued ISO 17025, which provides general requirements for the competence of testing and calibration laboratories.

1.1.4 Need for Digital Forensics

The importance of digital forensics is consistently increasing, as most digital devices such as computers are vulnerable to attack by criminals. A suspect who compromises a digital network or computer device can be identified for prosecution using digital forensic procedures. Most organizations depend completely on electronic devices and networks to carry out their corporate strategies by storing, processing and retrieving data. Hence, huge volumes of data are created, gathered and disseminated through digital means by organizations across various networks. Therefore, forensic experts must examine these devices and gather evidence from them. In order to analyze the crucial evidence involved in a crime, they must use specific tools based on the type of crime. For advanced digital forensic investigation, requirements such as new designs and improved mechanisms and processes have to be fulfilled. Forensic experts face difficulty due to the huge growth in data volumes, owing to the large storage capacities in use in recent years. Digital forensic procedures are primarily used by remote organizations and law enforcement agencies to seize, preserve and scrutinize the electronic evidence available on different devices. Digital evidence collected at a crime scene has to be analyzed and proven by identifying the connections between the retrieved pieces of information. The hunt for electronic proof is a monotonous process consuming a large amount of time, and processing an extremely large body of evidence in a restricted time frame leads to delays in the proceedings. Law enforcement agencies were among the first and widest users of digital forensics and have consistently initiated developments in the field. But there are also cases where computer forensics falls short in its application during the investigation process. The computer is the object most commonly used for the crime at the crime scene; this includes attacks such as hacking or denial of service. Computers are also used as storage devices that may hold evidence in the form of email, browsing history, or files and documents related to crimes. A digital forensic examination is used to find the first appearance of a document on the victim's computer, the time stamps of various activities such as last edited, saved, printed or modified, and the identity of the user. A large variety of commercial organizations use computer forensics to identify evidence, in fields such as:

- Intellectual property theft
- Industrial espionage
- Employment disputes
- Fraud investigations
- Forgeries
- Bankruptcy investigations
- Inappropriate email and Internet usage in the workplace
- Regulatory compliance
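As an added illustration of the timestamp examination described in 1.1.4 (example code written for this edition, not code from the book or its authors), the following Python builds an activity timeline for one file from its created, modified, accessed and entry-modified timestamps, reports the earliest time the file can be shown to have existed on the volume, records the owning user, and flags orderings that a normal write sequence does not produce. The FileRecord layout, the sample path and the sample timestamps are constructed for the example; the live collector only reads what the operating system exposes through os.stat, so the creation time is absent on Linux and the owner is a user name only where the pwd module is available.

```python
"""Per-file activity timeline from MAC(E)-style timestamps (added example)."""
import os
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

EVENT_LABELS = {
    "created": "file created on this volume",
    "modified": "content last modified",
    "accessed": "last accessed",
    "entry_modified": "metadata (directory entry / inode) last changed",
}


@dataclass
class FileRecord:
    """Constructed record layout; not an export format of any particular tool."""
    path: str
    owner: str
    created: Optional[datetime]   # None where the file system does not keep a birth time
    modified: datetime
    accessed: datetime
    entry_modified: datetime


def collect_record(path: str) -> FileRecord:
    """Read timestamps and owner from a live (mounted, read-only) copy.

    st_birthtime exists on macOS/BSD and recent Windows builds; on Linux it is
    normally absent, so 'created' is None there. st_ctime is the inode change
    time on POSIX and the creation time on Windows.
    """
    st = os.stat(path)
    to_dt = lambda t: datetime.fromtimestamp(t, tz=timezone.utc)
    birth = getattr(st, "st_birthtime", None)
    try:
        import pwd  # POSIX only
        owner = pwd.getpwuid(st.st_uid).pw_name
    except (ImportError, KeyError):
        owner = str(st.st_uid)
    return FileRecord(path, owner, to_dt(birth) if birth is not None else None,
                      to_dt(st.st_mtime), to_dt(st.st_atime), to_dt(st.st_ctime))


def timeline(rec: FileRecord) -> List[Tuple[datetime, str, str]]:
    """All timestamped events on the record, oldest first."""
    events = [("modified", rec.modified), ("accessed", rec.accessed),
              ("entry_modified", rec.entry_modified)]
    if rec.created is not None:
        events.append(("created", rec.created))
    return sorted((ts, name, EVENT_LABELS[name]) for name, ts in events)


def first_appearance(rec: FileRecord) -> datetime:
    """Earliest timestamp on the record: the earliest the file can be shown to have existed."""
    return timeline(rec)[0][0]


def consistency_warnings(rec: FileRecord) -> List[str]:
    """Orderings a normal create-then-write sequence does not produce.

    A modified time earlier than the created time is what a file copied from
    another location looks like (the copy keeps the old modified time); an
    entry-modified time earlier than the content-modified time points at
    altered timestamps or clock problems. Both need corroboration elsewhere.
    """
    warnings = []
    if rec.created is not None and rec.modified < rec.created:
        warnings.append("modified precedes created: file copied from elsewhere or timestamps altered")
    if rec.entry_modified < rec.modified:
        warnings.append("entry-modified precedes content-modified: timestamps altered or clock skew")
    return warnings


# Constructed sample: a document that arrived on the victim machine as a copy.
SAMPLE = FileRecord(
    path="C:/Users/victim/Documents/contract.docx",   # constructed path
    owner="victim",
    created=datetime(2022, 3, 1, 9, 0, tzinfo=timezone.utc),
    modified=datetime(2022, 2, 20, 14, 30, tzinfo=timezone.utc),
    accessed=datetime(2022, 3, 2, 8, 15, tzinfo=timezone.utc),
    entry_modified=datetime(2022, 3, 1, 9, 0, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    print(f"{SAMPLE.path} (owner: {SAMPLE.owner})")
    print("first appearance:", first_appearance(SAMPLE).isoformat())
    for ts, name, label in timeline(SAMPLE):
        print(f"  {ts.isoformat()}  {name:15s} {label}")
    for w in consistency_warnings(SAMPLE):
        print("  WARNING:", w)
```

The timeline function sorts on the timestamp first, so two events with the same time are listed together and the examiner sees that, in the sample, the file was created on this volume and its entry last changed at the same instant, while its content was last modified ten days earlier.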

1.1.5 Objectives of Digital Forensics

The objectives of digital forensics are to provide guidelines for:

- Following the first-response procedure and accessing the victim's device or other resources after the incident.
- Designing procedures at the suspected crime scene to ensure that digital evidence is not corrupted.
- Performing the data acquisition process and preventing data duplication.
- Recovering deleted files and deleted partitions from digital media to extract and validate the evidence.
- Analyzing digital media evidence and log files in order to preserve them and derive conclusions from them; also investigating network traffic and logs to correlate events, thereby identifying wireless and web attacks and tracking emails and their related crimes.
- Producing a well-defined digital forensic report based on the various processes carried out in the digital forensic enquiry.
- Preserving the evidence by following the chain of custody.
- Developing accurate procedures in order to produce standardized forensic results for the court of law.
- Presenting digital forensic results in court as an expert witness.
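The acquisition, preservation and chain-of-custody objectives above can be shown together in one small workflow. The Python below is an added example written for this edition, not a tool or procedure from the book: it copies a (constructed) evidence file into an image, accepts the image only when the SHA-256 of source and image agree, makes the image read-only, and keeps an append-only custody log in which every entry commits to the hash of the previous entry, so that a later edit to any earlier line is detectable. The file names, custodian names and the JSON-lines log layout are assumptions made for the example.

```python
"""Acquisition with integrity hashes and a hash-chained custody log (added example)."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from typing import Dict, List

CHUNK = 1 << 20  # hash 1 MiB at a time so a large image never sits in memory at once
GENESIS = "0" * 64  # prev-hash of the first custody entry


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, streamed in CHUNK-sized reads."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source: str, image: str) -> Dict[str, str]:
    """Copy the source into an image and verify both digests match before accepting it."""
    src_hash = sha256_file(source)
    with open(source, "rb") as src, open(image, "wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)
    img_hash = sha256_file(image)
    if src_hash != img_hash:
        raise RuntimeError("image does not match source; acquisition failed")
    os.chmod(image, 0o444)  # the verified image is read-only; analysis works on further copies
    return {"source_sha256": src_hash, "image_sha256": img_hash}


class CustodyLog:
    """Append-only JSON-lines log; each entry's hash covers the previous entry's hash."""

    def __init__(self, path: str):
        self.path = path
        self.entries: List[Dict] = []

    def record(self, action: str, custodian: str, item_hash: str) -> Dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {"time": datetime.now(timezone.utc).isoformat(), "action": action,
                 "custodian": custodian, "item_sha256": item_hash, "prev_entry_hash": prev}
        entry["entry_hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
        with open(self.path, "a") as f:
            f.write(json.dumps(entry, sort_keys=True) + "\n")
        return entry


def verify_log(path: str) -> bool:
    """Recompute every entry hash and link; any edit to a past line breaks the chain."""
    prev = GENESIS
    with open(path) as f:
        for line in f:
            entry = json.loads(line)
            claimed = entry.pop("entry_hash")
            if entry["prev_entry_hash"] != prev:
                return False
            if hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest() != claimed:
                return False
            prev = claimed
    return True


def demo() -> Dict[str, object]:
    """Run the workflow on a constructed evidence file in a temporary directory."""
    work = tempfile.mkdtemp()
    try:
        source = os.path.join(work, "seized_usb.bin")  # constructed stand-in for a seized device
        with open(source, "wb") as f:
            f.write(b"constructed evidence payload\n" * 4096)
        image = os.path.join(work, "seized_usb.img")
        log = CustodyLog(os.path.join(work, "custody.jsonl"))
        hashes = acquire(source, image)
        log.record("seized from suspect", "officer A", hashes["source_sha256"])
        log.record("imaged and verified", "examiner B", hashes["image_sha256"])
        image_intact = sha256_file(image) == hashes["image_sha256"]  # re-hash before analysis
        # A copy with one flipped byte stands in for a damaged or altered working image.
        tampered = os.path.join(work, "seized_usb.tampered.img")
        with open(image, "rb") as f:
            data = bytearray(f.read())
        data[0] ^= 0xFF
        with open(tampered, "wb") as f:
            f.write(data)
        tamper_detected = sha256_file(tampered) != hashes["image_sha256"]
        log_valid = verify_log(log.path)
        # Editing a custodian name in an earlier entry must break the chain.
        with open(log.path) as f:
            lines = f.read().splitlines()
        lines[0] = lines[0].replace("officer A", "officer Z")
        with open(log.path, "w") as f:
            f.write("\n".join(lines) + "\n")
        return {"hashes_match": hashes["source_sha256"] == hashes["image_sha256"],
                "image_intact": image_intact, "tamper_detected": tamper_detected,
                "log_valid": log_valid, "log_valid_after_edit": verify_log(log.path),
                "entries": len(log.entries)}
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The verification step hashes the entry exactly as it was hashed when written (same keys, sorted, without the entry_hash field), which is why a changed custodian name in the first line is caught even though the line's own recorded hash is left untouched.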

1.1.6 Issues in Digital Forensics

The various issues faced by digital forensics experts during examination are broadly classified into three categories, as displayed in figure 1.1.


[Figure 1.1 Issues in Digital Forensics: Technical Issues (Encryption, Increasing storage space, Development of innovative technologies, Anti-forensics); Legal Issues; Administrative Issues (Accepted standards, Fit-to-practice)]

1.1.6.1 Technical issues

The various types of technical issues include:
- Encryption
- Increasing storage space
- Development of innovative technologies
- Anti-forensics

Encryption

The aim of encrypting data is to hide sensitive data using keys or passwords. Without the encryption key, one cannot read the encrypted data. The key used by the suspect may be hidden in some other file or document on the same or a different computer. It may also be present in the computer's volatile memory (RAM), from which it is lost when the system is shut down. Hence, a method that may be employed in these situations is live acquisition.

Increasing storage space

The analysis computer usually has to handle a large range of data storage devices. Searching and analyzing these data volumes therefore requires sufficient processing power and enough storage capacity to work efficiently.

Development of innovative technologies

There is a massive development of new technologies every year, including updated hardware, software and operating systems with frequent updates. It becomes extremely complex for a forensic examiner to master all existing and new technologies. To handle this situation, the forensic examiner must be continuously trained on the evolving technologies in order to carry out further testing and experimentation. Sharing and networking ideas about the evolving technologies with other forensic examiners is therefore helpful.

Anti-forensics

This refers to the practice of obstructing the process of computer forensic analysis. It includes methods such as encrypting or overwriting data to make it unrecoverable, file modification, manipulation of metadata, and obfuscation of files, also known as disguising files. Anti-forensics tools are rarely used, and it is difficult to establish whether they have been used or whether hidden evidence is present.

1.1.6.2 Legal issues

These are issues that confuse or distract the forensic examiner from carrying out the digital forensics process. An example is the Trojan defense: a Trojan is a piece of computer code injected into a system, possibly hidden, to perform malicious activities such as key-logging, inappropriate file uploads and downloads, and installation of malicious viruses. These Trojans cannot be identified or traced easily and are usually hidden on the computer without the user's knowledge. They may be triggered automatically to perform malicious activities. This legal issue may help lawyers defend the suspect against the accusation. A competent examiner identifies and addresses all the possible arguments during the process of analysis and report writing.

1.1.6.3 Administrative issues

Two types of administrative issues are identified:
- Accepted standards
- Fit to practice

Accepted standards

Computer forensics has an excess of standards and guidelines, of which comparatively few are universally accepted. The reasons why only a few are universally accepted are that the standard-setting bodies are tied to specific legislation, the standards were aimed at law enforcement agencies or commercial forensics, the writers of the standards are not recognized by their peers, or high joining fees for professionals deter experts from taking part.

Fit to practice

Most jurisdictions lack eligible professionals to preserve the integrity of digital forensics and to check competence. This results in unfit individuals being employed to carry out forensic examinations, which has a negative impact on the profession as a whole or produces improper case documentation.

1.1.7 Challenges in Digital Forensics

There are numerous challenges faced by the digital forensic field, and they remain unanswered even by experts all over the world. Some of the major challenges are:

- Device proliferation
- Lack of training and resources
- Cloud forensics
- Encryption
- Legal issues

The various challenges in digital forensics are displayed in figure 1.2.

[Figure 1.2 Various challenges in Digital Forensics: Device proliferation, Lack of training and resources, Cloud forensics, Encryption, Legal issues]

1.1.7.1 Device proliferation

Most devices, such as mobile phones and IoT devices, use an extensive range of operating systems, communication facilities and file formats, which raises the
