History Of What Is Cyber Forensic


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Cyber forensics is the process of acquiring, authenticating, analysing and documenting evidence retrieved from systems or from online sources. The systems could be computers, networks, digital media or storage devices that may contain valuable information for investigators to examine. In cyber forensics, file or data carving techniques are most commonly used to extract important data from the source. (Ibrahim Baggili p137)

http://books.google.com.sg/books?id=fiDXuEHFLhQC&dq=introduction+cyber+forensics&source=gbs_navlinks_s

Computer forensics is important not just because it recovers files hidden or deleted from storage devices and systems, but because it also tells investigators whether any suspicious activity is going on or whether the systems have been tampered with. Computer forensics has helped solve the problem of recovering information from files where the file system is unavailable or the file system structure is corrupted. Files may be intentionally deleted or, worse, formatted by a suspect to conceal his actions. (Ibrahim Baggili p138)
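As an added illustration (not taken from the essay or its cited sources), the sketch below shows header/footer carving, the simplest form of the file carving mentioned above: it recovers JPEG and PNG objects from a raw byte stream using only their well-known signatures, without any file system structure. The function names and the sample data are constructed for this example.

```python
import hashlib

# Well-known header/footer signatures (magic numbers) for two formats.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_CARVE = 10 * 1024 * 1024  # stop looking for a footer after 10 MiB


def carve(raw: bytes):
    """Header/footer carving: find known headers and the next matching
    footer in a raw byte stream, ignoring any file system structures."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := raw.find(header, pos)) != -1:
            end = raw.find(footer, start + len(header), start + MAX_CARVE)
            if end == -1:
                # Header with no footer: truncated or overwritten file.
                pos = start + 1
                continue
            end += len(footer)
            data = raw[start:end]
            found.append({
                "type": kind,
                "offset": start,
                "length": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
            })
            pos = end
    return sorted(found, key=lambda f: f["offset"])


def build_sample_image() -> bytes:
    """Constructed sample: a 'disk' with no file system, holding one JPEG-like
    object, one PNG-like object and one JPEG header with no footer."""
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 20 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 12 + b"IEND\xaeB`\x82"
    truncated = b"\xff\xd8\xff\xe0" + b"T" * 8
    return b"\x00" * 512 + jpeg + b"\x00" * 100 + png + b"\x00" * 50 + truncated


if __name__ == "__main__":
    for hit in carve(build_sample_image()):
        print(hit["type"], hit["offset"], hit["length"], hit["sha256"][:16])
```

Real carvers also have to deal with fragmented files and with footer bytes that occur inside the data, which this header/footer approach does not handle.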


history of cyber

http://books.google.com.sg/books?id=BKYSfjEsi78C&dq=history+cyber+forensics&source=gbs_navlinks_s

Cyber forensics started as early as 1984, in response to growing demand from law enforcement agencies such as the FBI. Since then, agencies have developed forensics software to examine computer evidence. Because of this growing need, the FBI set up CART, the Computer Analysis and Response Team. CART was tasked with analysing computer evidence. CART's functions and techniques were performed so well that law enforcement agencies outside the country quickly emulated them by establishing similar cyber forensics departments. (John Rittinghouse, p 366)

Examinations of forensic evidence are normally carried out in forensics laboratories or clean rooms by a computer forensics investigator. A good and knowledgeable investigator is preferred for the examination, as it is always important to preserve the integrity of the data and not destroy it. Many forensics specialists have their own standards and procedures for how a computer forensics examination is conducted, which can be a problem if the digital evidence needs to be transported to another laboratory. It could have serious implications along the way. Examination processes and protocols were streamlined and standardised as early as 1991 in the States, and rough-edged approaches to eliminate evidence were smoothed out over the years. Eventually, all of this led to the formation of the International Organization on Computer Evidence and the Scientific Working Group on Digital Evidence (SWGDE). It became a worldwide effort to help law enforcement agencies around the globe work together more closely. (John Rittinghouse, p 366)

Over the years, as modern technology has advanced, so have the criminal activities on the Net that use these technologies. Crimes have not only doubled but show no sign of slowing down at the moment. Criminals rack their brains to penetrate security flaws in systems while security teams brainstorm how to keep criminals out. Billions of dollars are lost to cybercrime, which goes into the criminals' pockets. It is a police-and-thief game to see who will step up to the task of stopping the other on the Internet. (John Rittinghouse, p 367).

What is digital evidence?

http://books.google.com.sg/books?id=6gCbJ4O4f-C&dq=digital+evidence&source=gbs_navlinks_s

http://books.google.com.sg/books?id=6gCbJ4O4f-IC&dq=digital+evidence&source=gbs_navlinks_s

Digital evidence is evidence in soft copy rather than hard copy, as the term suggests. It can be any type of data: text, images, audio or video. Digital evidence is not quite like physical crime evidence: evidence from a physical crime scene is durable to a certain extent, but digital evidence is not. (Eoghan Casey, p 7)

Digital evidence can easily be damaged, changed or destroyed on purpose. That is why, most of the time, the original evidence is duplicated and analysis is carried out on the copy, to prevent any mishap from damaging the original. The scope of a digital evidence examination can be very broad, covering both online and offline sources. Examples are credit card transactions, Internet communications, hard disks and other storage devices. (Barry A.J. Fisher, p 295)

Digital evidence is critical to an investigation because the information in it can tell the investigator what really happened and piece together the whole picture. Forensics experts look for any form of metadata, suspicious files and other data. Every single click by the owner of the computer is recorded by the system, and a trained forensics expert can tell what kind of activities and desires the owner was engaged in better than anyone else. The whole thing is like a behavioural database, documenting every single movement on the laptop. (Eoghan Casey, p8)

It would be unthinkable, in this modern age of technology, for digital evidence not to be available. It would mean criminals, terrorists and other offenders using technology to commit their crimes and avoid apprehension or, worse, taking the difficulty of arresting them by legal means to a whole new level for law enforcement agencies. If that were the case, these criminals would get away scot-free. Digital evidence can tell judges or investigators who is right or wrong; it can also prove one's innocence of a crime. Digital evidence can also unveil a bigger crime in the making, such as homicides, sex offences, drug dealing, credit card theft or planned terrorist attacks, whether the matter is a civil dispute or a commercial dispute. (Eoghan Casey, p6)

However, sometimes a forensics expert can meet his match: people who are technically knowledgeable in hiding their tracks. This makes uncovering their tracks more tedious and difficult. (Eoghan Casey, p8)

Key principles of cyber

**missing**

Explain the key principles of cyber forensics.

Preserve

http://researchrepository.murdoch.edu.au/3716/1/digital_evidence.pdf

The very first step of an investigation is to preserve the digital evidence as it was found. This is critical because digital evidence is fragile, and procedures need to be followed to avoid contamination or loss of the evidence. Contamination can mean altering, damaging or destroying the piece of evidence. It is important to minimise any chance of corrupting the digital evidence at the point of seizure and during the investigation process. (don kerr, p4)

There are methods that allow forensics experts to prevent digital evidence from being unintentionally tampered with. Experts can use methods such as imaging and write-blocking. Imaging is equivalent to ghosting a backup copy of the whole computer hard disk (the evidence) into a soft copy. Investigators then work on the ghosted copy of the evidence and the original is kept to one side. If the ghosted copy is corrupted, investigators can take out the original evidence and create another copy to work on. Write-blocking is another good way to prevent the original evidence from being altered. The evidence media is connected to a special machine that prevents any attempt to overwrite the data on the device. (barry p301)

http://books.google.com.sg/books?id=JeheoVz6cWwC&dq=preserve+digital+evidence+preservation&source=gbs_navlinks_s

The reason for preserving digital evidence is simple. When digital evidence is submitted for documentation or legal purposes to any court or legal department, legitimate proof is required to show that the findings of the investigation are correct. The evidence has to be shown to be the same as the exhibit seized at the crime scene. This is commonly known as chain of custody. For example, in a cyber forensics case, such exhibits would be media storage devices, a copy of the digital evidence from the seized hard disk and so on. (don kerr, p 5)

Chain of custody is basically a map that shows how digital evidence was processed: collected, analysed and preserved in order to be presented in court. A chain of custody is also needed to show whether the evidence is trustworthy or not. To meet the criteria for chain of custody, a few requirements are essential. Firstly, no additional information was added to the evidence. Secondly, a duplicate copy was created and it has to be working. Lastly, all evidence and media were secured. (John R. Vacca p 247)

If the chain of custody is broken, digital evidence submitted to the court can be rejected, as the evidence might have been altered and might not tell the truth. In every situation, chain of custody is best followed to prove that the evidence has not been contaminated and has stayed in its original state. However, there are occasions where collecting evidence without altering the data is not possible when external tools are used. In such cases it becomes a serious challenge to justify that the evidence is intact, and its submission will be challenged by the opposing team. (don kerr p6)
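The imaging and chain-of-custody passages above can be made concrete with a small added example (not code from the essay or its sources): it copies an exhibit to a working image, proves by SHA-256 that the copy is identical, appends each step to a custody log, and detects a later alteration of the working copy. File names, the log format and the examiner label are assumptions made for the example, and opening the source read-only in software is not a substitute for a hardware write-blocker.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1024 * 1024):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def record(log, action, item, digest, examiner):
    """Append one custody entry; existing entries are never rewritten."""
    entry = {"time": datetime.now(timezone.utc).isoformat(), "action": action,
             "item": os.path.basename(item), "sha256": digest, "examiner": examiner}
    with open(log, "a") as f:
        f.write(json.dumps(entry) + "\n")

def acquire(source, image, log, examiner):
    """Image the source (opened read-only) and prove the copy is identical."""
    with open(source, "rb") as src, open(image, "xb") as dst:  # "x": never overwrite
        shutil.copyfileobj(src, dst)
    digest = sha256_file(source)
    if sha256_file(image) != digest:
        raise IOError("working copy does not match the source")
    record(log, "acquired", image, digest, examiner)
    return digest

def verify(image, log, examiner):
    """Re-hash the working copy against the hash recorded at acquisition."""
    with open(log) as f:
        entries = [json.loads(line) for line in f]
    expected = next(e["sha256"] for e in entries if e["action"] == "acquired")
    actual = sha256_file(image)
    record(log, "verified" if actual == expected else "MISMATCH", image, actual, examiner)
    return actual == expected

def demo():
    """Constructed run: image a fake exhibit, verify, alter the copy, verify again."""
    with tempfile.TemporaryDirectory() as d:
        src, img, log = (os.path.join(d, n) for n in ("exhibit.bin", "working.img", "custody.jsonl"))
        with open(src, "wb") as f:
            f.write(b"constructed evidence bytes" * 1000)
        acquire(src, img, log, "examiner-1")
        before = verify(img, log, "examiner-1")
        with open(img, "r+b") as f:  # simulate accidental alteration of the copy
            f.write(b"X")
        after = verify(img, log, "examiner-1")
        with open(log) as f:
            actions = [json.loads(line)["action"] for line in f]
        return before, after, actions
```

Calling `demo()` returns the two verification results and the sequence of actions written to the custody log.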

Locate

Once the evidence has been preserved, it is time to locate relevant evidence that can make a difference to the case. (don kerr, p8). The first rule when locating evidence is not to rush: an investigator eager to get the investigation started wants to find as much evidence as possible. However, the more one rushes, the more mistakes one is likely to make. This can have dire consequences, causing evidence to be lost permanently. (john, p 249)

Besides locating evidence, investigators must also maintain the integrity and reliability of the digital evidence; doing so minimises the alteration of metadata and the destruction of important evidence. (John Vacca, K Rudolph p 126)

http://books.google.com.sg/books?id=astqv8hRnT0C&dq=locate+digital+evidence&source=gbs_navlinks_s

Digital evidence can be in any file format, such as email, notepad or video, or it can have no file format because it has been encrypted. Forensics experts need to browse through thousands of files on the computer or network to locate suspicious files. Forensics experts are trained to focus on areas of interest within the system. Focusing on these areas saves a tremendous amount of time. Examples of such areas are Windows log files, user accounts and registry files; these areas tell investigators what took place. (don kerr, p8)

Examining such a wide range of file types and areas of interest makes the process a whole lot tougher and more tedious. Investigators bring in tools to help them locate and collect the evidence. Forensics experts often use tools like OSForensics, XYR tools, Quick Stego or other sophisticated toolkits to aid their investigation. These tools help investigators decide whether they are looking in the correct areas or not. Such tools can not only uncover hidden or deleted files but can also tell whether a file is relevant to the case or not. (John R. Vacca p249)

Select and analyse

http://books.google.com.sg/books?id=xNjsDprqtUYC&dq=digital+forensics+analyze&source=gbs_navlinks_s

Selecting the evidence is often treated as meaning the same as analysing the evidence: select and analyse the evidence that is going to be part of a lawsuit. Investigators don't just select all the evidence and submit it for the lawsuit. Things like attribution and document authentication play a part in selecting evidence. Suspects can lie but evidence cannot. Attributing a crime to an individual is hard, but with the help of forensic analysis investigators can narrow it down to an Internet account or user account that was used to commit the crime. For instance, access to e-commerce accounts makes it difficult for a suspect to deny responsibility for the activities carried out on the computer around the time reported. Alternatively, sources like credit card usage, CCTV footage or mobile phone messages can be used against him as well. Selecting evidence found across the hard disk to be used against a suspect is tedious work, as it has to match perfectly against the time of the illegal act. (Eoghan Casey, pg 27, Handbook of Digital Forensics and Investigation)

Document authentication checks the metadata of the file. Metadata may seem like a minor property of the file, but it captures one of the most important aspects of forensic evidence. From the metadata, investigators can tell when the file was created, last accessed and last modified. Date-time stamps on files and log files make it possible to determine whether documents have been falsely documented or fabricated, by checking for consistency in the log files. These methods help investigators authenticate the validity of the digital evidence. (Eoghan Casey, pg 31, Handbook of Digital Forensics and Investigation)
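A small added example of the consistency check described above (not from the essay or the cited handbook): it compares each file's created, modified and accessed times with each other, with the acquisition time, and with logon sessions taken from a log. All records, field names and times below are constructed for the example.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"


def ts(text):
    return datetime.strptime(text, FMT)


def check_file(meta, sessions, acquired_at):
    """Return the timestamp inconsistencies found for one file record."""
    created, modified, accessed = (ts(meta[k]) for k in ("created", "modified", "accessed"))
    issues = []
    if modified < created:
        # Not proof of fabrication: on Windows a copied file gets a new
        # creation time but keeps its old modified time. It needs explaining.
        issues.append("modified before created")
    if max(created, modified, accessed) > ts(acquired_at):
        issues.append("timestamp after acquisition")
    # Cross-check against the log: a modification should fall inside a session.
    if not any(ts(start) <= modified <= ts(end) for start, end in sessions):
        issues.append("modified outside any logged session")
    return issues


def analyse(files, sessions, acquired_at):
    """Map file name -> issues, for files with at least one inconsistency."""
    report = {}
    for meta in files:
        issues = check_file(meta, sessions, acquired_at)
        if issues:
            report[meta["name"]] = issues
    return report


# Constructed sample data: logon/logoff sessions taken from a log, and
# created/modified/accessed times taken from file metadata.
SESSIONS = [("2017-03-01 09:00:00", "2017-03-01 17:30:00"),
            ("2017-03-02 08:45:00", "2017-03-02 12:00:00")]
ACQUIRED_AT = "2017-03-03 10:00:00"
FILES = [
    {"name": "contract.docx", "created": "2017-03-01 10:00:00",
     "modified": "2017-03-01 11:15:00", "accessed": "2017-03-02 09:00:00"},
    {"name": "invoice.docx", "created": "2017-03-02 09:30:00",
     "modified": "2017-02-20 14:00:00", "accessed": "2017-03-02 09:30:00"},
    {"name": "notes.txt", "created": "2017-03-01 16:00:00",
     "modified": "2017-03-01 23:40:00", "accessed": "2017-03-01 23:40:00"},
    {"name": "report.xlsx", "created": "2017-03-05 10:00:00",
     "modified": "2017-03-05 10:05:00", "accessed": "2017-03-05 10:05:00"},
]

if __name__ == "__main__":
    for name, issues in analyse(FILES, SESSIONS, ACQUIRED_AT).items():
        print(name, "->", "; ".join(issues))
```

A flagged file is a lead to be explained, not a conclusion; clock changes, time zones and file copies all produce the same patterns.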

Meticulously selecting and analysing the evidence found at the crime scene helps piece together the whole timeline of the act. It might reveal the motive and intention of the suspect. Using evidence from across the crime scene accurately makes it possible to piece together a series of events that can help pin down the suspect and prove the crime. However, doing it wrong might twist the facts and cause inaccurate judgement. (pg 21)

Validate

http://researchrepository.murdoch.edu.au/1878/1/Validating_digital_evidence_for_legal_argument.pdf

Investigators need to have the confidence to draw inferences from the evidence picked up from the crime itself and to judge whether it can be used in a legal argument or not. Validating digital evidence requires verification of the relevant parts of the digital domain where the evidence was created, processed and transferred, including the evidence file itself.

There is no doubt that the job of an investigator, to preserve, locate and validate digital evidence, is tough; however, legal practitioners face a greater challenge: constructing logical legal arguments.

The task of the investigator is to determine the credibility and validity of the evidence, namely whether the claim drawn from the evidence can be verified. For example, the assertion that an important Word document was deleted would require confirmation of the existence of the deleted file through forensics tools.

Incomplete or improper scanning of the available digital evidence during the validation process of the investigation might jeopardise the evidence and the people involved in the crime. In a more dire case, the investigation can come to a standstill.

In some cases, investigators might miss a key piece of digital evidence and resort to "cherry-picking" when selecting or discarding evidence to gain the upper hand in a legal battle; sometimes an absence of evidence does not necessarily show evidence of absence, a phenomenon of the digital domain.

To sum up, how evidence is validated and presented in a legal suit is all up to the skill and knowledge the investigators have accumulated over the years.

Evidence presentation

http://books.google.com.sg/books?id=7BLnZDM6J84C&dq=present+digital+evidence+presentation&source=gbs_navlinks_s

Having selected and validated the digital evidence, the next step is to present the evidence found in an orderly manner in court. (don, p14) The digital evidence submitted can be in any format: a photo, CCTV footage, video or a word-processed document. Digital presentation enables the case to be heard in court in a way that is faster and easier for the jury to digest. (The Stationery Office, chpt5, pg 48)

The fundamental purpose of a courtroom is to administer justice, and the role of investigators is to present the digital evidence found and other relevant documents to the court. It is always an investigator's duty to present the evidence to the court in an accurate, clear and unbiased way. An investigator's judgement must not be shaken by others and must not jump to conclusions; the presentation must be clear and proper. Doing so shows the investigator's professionalism. (Eoghan Casey, p49)

Forensics software

Hypotheses and alternative hypotheses.

After finding evidence at a crime scene, investigators might come up with hypotheses that fit the crime. Many predictions may follow from a hypothesis; some are correct, some are wrong. The job of the forensics expert is to figure out which hypothesis is the right one by eliminating the others. The success of the analysis depends on how carefully and thoroughly the hypothesis is questioned. Therefore, it is important to think about other reasons and explanations that could rule out the hypothesis. Once all the hypotheses have been reviewed and one of them has been established as the most reasonable, closest to the series of events relating to the crime according to the evidence and timeline, investigators can convey their work to decision makers. (handbook of digital, casey, pg 24)

On occasion, if the initial hypothesis is disproved, a new one must be formed and analysed until one hypothesis is found to be concrete and able to withstand questioning by the court. This ensures the hypothesis gets its full support from the evidence itself and is able to differentiate the innocent from the non-innocent.

conclusion


