Key Principles Of Cyber Forensic


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Please click this link to view samples of our professional work written by our professional essay writers. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

INTRODUCTION

As the world evolved into a globalized economy, Information Technology (IT) became one of the key determinants of economic growth and the competitiveness of enterprises, while individuals use IT for education, leisure, entertainment and so on. IT therefore plays an important role in carrying out social and economic processes and activities. However, IT-related threats are the downside when it is abused.

With the increasing number of people who use IT such as computers, the internet and cloud technology, more information is being stored on these systems. This is especially so with cloud technology, where files can easily be shared across the world. This information might include an organization's client data or material relevant to a civil or criminal case. Examples of crime cases are embezzlement, sexual harassment, financial fraud, data theft, employees' compensation fraud, or theft of trade secrets. (IT Chapter, 2003)

Cyber forensics, also known as computer forensic science, is the application of legal evidence that may be used in specific types of prosecutions and investigations, through obtaining, retrieving, preserving and presenting digital data that has been processed and found on digital storage media and computers. (Gallegos, 2005) The main objective is to analyze electronic data in a forensically sound manner such that the facts and opinions derived from the information can be identified, preserved, recovered, examined and presented. Cyber forensics has the potential to affect certain types of investigations and prosecutions. (IT Chapter, 2003)

As the world constantly moves forward into the new age, there is a need for sound forensic analysis and the implementation of a well-established incident response plan for all cyber crimes. Thus, this research paper is written to study the environment of cyber forensics. Critical topics related to cyber forensics will be discussed in detail.

DIGITAL EVIDENCE

Digital evidence means any electronic or digital information which can be obtained and retrieved through any digital or electronic medium and used as evidence in court. The court is responsible for determining whether digital evidence is authentic, relevant, or hearsay, and whether it requires the original source or a copied version. (Mena, 2004) Some examples include emails, computer logs, word processing documents, electronic images, internet histories, Global Positioning System (GPS) tracks, digital videos, Excel spreadsheets, mobile call logs and messages, and instant messages. (Mali, 2012). Social media such as Facebook and Twitter are equally important. According to a news report, "In a recent case, a criminal had updated a status message saying ‘will take major steps next week’ and the very next week there was a big burglary case that came to light. The IP address of the criminal was tracked down and he was nabbed." (ENS, 2012)

In gathering digital evidence, there are some critical things to be considered. One must ensure that the search for evidence does not violate the law, and computer security professionals should get the necessary authorization before gathering such evidence. (Casey, 2000) With reference to Reed (1990), "Authentication means satisfying the court (a) that the contents of the record have remained unchanged, (b) that the information in the record does in fact originate from its purported source, whether human or machine, and (c) that extraneous information such as the apparent date of the record is accurate. As with paper records, the necessary degree of authentication may be proved through oral and circumstantial evidence, if available, or via technological features of the system or the record." Therefore, an authorized search warrant is required by law before evidence or property can be seized. (Casey, 2000)

With the advancement of technology, the amount of digital evidence encountered by law enforcement, investigators and lawyers has greatly increased, making it more relevant to their daily work. Some key areas include: computer intrusion, fraud, identity theft, intellectual property theft, child pornography and sexual harassment. (Hershensohn, 2005)

An example involving child pornography: Dominic Stone, a priest, was caught downloading child pornographic images. He denied this and argued that someone might have accessed his computer without his knowledge. By checking the files on his computer, investigators proved that legitimate work was being performed at the same time as the downloads. Furthermore, investigators could also see the metadata of the files, such as when the files were added or modified. (DML, 2010)

Thus, digital evidence gathered from the crime scene is key to identifying suspects and solving the case. However, investigators and law enforcement must ensure that the process of collecting digital evidence follows the key principles of cyber forensics strictly.

KEY PRINCIPLES OF CYBER FORENSIC

Before conducting a full forensic investigation, it is necessary to undertake certain measures to ensure that the results can be used in court as intended. The most important measure is to ensure the accuracy of the evidence collected, with a clear chain of custody. This chain of custody should show how the evidence moved from the crime scene to the investigator and finally to the court. (IPESCS, 2009) Evidence seized at the crime scene is protected and sealed in an evidence bag (see figure) to ensure that the data is not tampered with or contaminated, which preserves its integrity; this is followed by initiating a chain of custody document (see figure). (Olzak, 2007)

In the event that the chain of custody has been broken or evidence is contaminated, any evidence found might not be valid in court. Thus, it is very important for an investigator to comply with the proper procedures and guidelines to ensure the evidence remains clean and uncontaminated.

Based on the Association of Chief Police Officers (ACPO, 2007) guideline on computer forensics, there are four main principles:

Investigators or law enforcement agencies should not change any of the evidence collected from computer or storage device that is to be presented in court.

In any event where a person needs to access the original data stored on the computer or storage device, this person must be forensically competent or trained so as to be able to explain the relevance of the evidence and the implications of their own actions.

An audit trail should be fully documented and preserved with all procedures and processes applied to digital evidence. A third party should obtain the same result when evaluating those processes.

The law enforcement agency or investigator in charge has overall responsibility for ensuring that these principles and the law are adhered to.

There are many different theories and principles adopted by forensic investigators, and the most commonly used is "Locard’s exchange principle". It states that when two objects come into contact, there is bound to be an exchange of material from one object to the other. In the digital setting this means that traces such as operating system logs, user data or records of actions on the computer are bound to be left behind by crime suspects. (Brown, 2009)

Therefore, a sound forensic investigation requires investigators or law enforcement agencies to follow the above principles closely.

INVESTIGATION PROCESS

Cyber forensics is defined as the investigative process of acquiring, examining and analyzing digital evidence such that it can later be presented in court. (Cross, Shinder, & Ebooks Corporation, 2008). In the context of crime investigation, cyber forensics is considered the most complex investigative process, since the strongest evidence comes from electronic sources. (Reyes & Ebooks Corporation, 2007)

Despite being commonly used in criminal cases, computer forensics may also be used in corporate investigations or civil disputes. This usually happens when an employee is suspected of using a company computer to perform actions which violate company policy. (Cross et al, 2008). According to Cosic J., Cosic Z., and Baca (2011), in 2002 most cases that the FBI opened involved a computer. As such, it is very important to have good frameworks and models for cyber crime investigation.

In addition, the cyber forensic investigator plays an important role in a full forensic investigation. He or she must be competent in cyber forensic methodology, tools and techniques. Otherwise, it is highly likely that the collection of digital evidence will fail and eventually lead to a failed prosecution. Furthermore, it is crucial for investigators to understand the complexity of the crime suspects and of the digital evidence. These investigators must be able to apply additional counter-measures to prevent digital evidence from being damaged or tampered with; otherwise, the recovery of such data will be expensive and time-consuming. (Saboohi, n.d)

The following are the processes required to complete a full investigation:

Preserve

In this phase, investigators need to secure and preserve any digital evidence or environment that could possibly change.

Preserving the environment: To preserve the digital environment, the system is first isolated from the network. Investigators should then collect any volatile data that might be lost once the system is turned off. During this phase, it is important to identify any suspicious processes running on the system. Also, investigators should take note of suspicious users that are logged on to the system and investigate these users further. In the context of cyber forensics, log files can be regarded as eyewitnesses to the crime, and these should be secured to prevent them from being lost. (Carrier & Spafford, 2003)

Preserving the digital evidence: To prevent the evidence from being contaminated, the best way of preserving it is to clone the contents of the original computer’s hard disk to a target computer by bit-level imaging. The image will consist of all the information stored on the original computer, with slack space included. Examples of programs used by law enforcement agencies and investigators are EnCase and Symantec’s Ghost. (Shinder, 2005)

Preserving the chain of custody: The chain of custody is the most important part of the whole investigation process. Items found at the crime scene are to be properly documented with details such as case number, date, time and investigator name. The chain of custody should be protected from the start, where evidence is collected, to the end, where it is presented to the court, to prevent anyone from tampering with or contaminating the evidence. In any circumstances where the chain of custody is broken, evidence might not be valid in court. (Sheila, n.d)
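The preservation steps above (bit-level imaging with hash verification, followed by a chain-of-custody record) in working form, as an added example that is not part of the essay or of tools such as EnCase or Ghost. The imaged "device" is a constructed file standing in for a raw block device, and the case number and investigator name are placeholders.

```python
"""Bit-level imaging with hash verification and a chain-of-custody record.
Added example, not from the essay or any named tool; the "device" is a
constructed file standing in for a raw block device, and the case number
and investigator name are placeholders."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # copy in 1 MiB blocks; the device is never fully in memory


def sha256_of(path):
    """Stream a file through SHA-256."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_device(source, image):
    """Copy every byte of `source` to `image` (so unallocated space and file
    slack come along), hashing the source during the copy and the finished
    image afterwards; a mismatch means the image is not a faithful copy."""
    src_hash = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
    record = {"source": source, "image": image,
              "bytes": os.path.getsize(image),
              "sha256_source": src_hash.hexdigest(),
              "sha256_image": sha256_of(image)}
    record["verified"] = record["sha256_source"] == record["sha256_image"]
    return record


def custody_entry(case_no, investigator, action, record):
    """One chain-of-custody line: case, who, what, when (UTC), plus hashes."""
    return {"case": case_no, "investigator": investigator, "action": action,
            "timestamp_utc": datetime.now(timezone.utc).isoformat(), **record}


def append_custody(log_path, entry):
    with open(log_path, "a") as f:
        f.write(json.dumps(entry) + "\n")


def reverify(image, expected_sha256):
    """Check before analysis or court: does the image still match its hash?"""
    return sha256_of(image) == expected_sha256


def demo():
    """Image a constructed device, log custody, then show that one changed
    byte in the image is caught on re-verification."""
    workdir = tempfile.mkdtemp()
    device = os.path.join(workdir, "evidence_disk.raw")
    image = os.path.join(workdir, "evidence_disk.dd")
    log = os.path.join(workdir, "chain_of_custody.jsonl")
    with open(device, "wb") as f:  # constructed 3 MiB pseudo-device
        f.write(b"FORENSIC-SAMPLE-" * (3 * 1024 * 1024 // 16))
    record = image_device(device, image)
    append_custody(log, custody_entry("CASE-PLACEHOLDER", "Investigator A",
                                      "acquired image", record))
    intact = reverify(image, record["sha256_source"])
    with open(image, "r+b") as f:  # simulate an accidental modification
        f.seek(1024)
        f.write(b"X")
    return {**record, "intact_before": intact,
            "intact_after_change": reverify(image, record["sha256_source"])}
```

All analysis would then be done on a second copy of the verified image, and the custody log is appended to every time the image changes hands.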

Locate

After the preservation phase, investigators are to locate or identify any incriminating or exculpatory evidence that is relevant to the case. Investigators should have a clear understanding of their purpose and objectives. For example, in a server intrusion, the investigator should look out for signs such as a rootkit installation and analyze configuration files and log files. (Carrier and Spafford, 2003)

Some of the common places to locate evidence are documents, files, e-mails, images, user access logs, rootkit files, and records of unauthorized access and hacker intrusions. (Casey, 2000). As raw data is often difficult to use as evidence, metadata such as a file’s creation and modification date and time can be useful. It may act as a source of evidence which relates to other forms of evidence. However, the system time may have been changed, which can make such evidence inaccurate. Therefore, further analysis is required. (Rowlingson, 2004)

Other evidence may also be found in deleted files, unallocated space and file slack. (Clifford, Nelson, & Steuart, n.d) Although the data may appear to be deleted on the computer, it may still be recovered with specialised forensic tools such as OSForensics (see figure). Investigators should also search for hidden data in Alternate Data Streams (ADS) within NTFS volumes. (Kent, Chevalier, Grance, & Dang, 2006) Furthermore, investigators should look out for suspicious files that are encrypted. Professional forensic tools like EnCase may be used to detect encrypted files (see figure).

In the locating phase, the main objective of a cyber forensic investigator is to locate and collect all the evidence that supports or refutes the hypothesis.

Select

After locating all the incriminating or exculpatory evidence, investigators are required to inspect and examine the selected evidence to conclude on the events that happened in the system and their significance to the crime case. (Boddington, Hobbs, & Mann, 2008)

However, some investigators might resort to "cherry picking" in the selection phase, choosing evidence that suits their hypothesis or is convenient to them. This should be avoided, as the selection of evidence should be done without bias. (Reith, Carr, & Gunsch, 2002)

Analyze

This phase is where investigators examine and look deeper into the data that was collected. The main objective is to draw conclusions based on the evidence collected. (Gladyshev, 2004) According to McKemmish (1999), the analysis of digital evidence is the process of extracting, processing and interpreting electronic data, and it is considered the key element of forensic computing. When evidence is first extracted, it must be processed before it can be read by humans. However, investigative work such as analysis and research must not be done on the actual data; all investigative work should be performed on a cloned forensic image instead. (Hassan, Choudhry, & Shahzad, n.d)

In this phase there are several analysis activities to be done. One example is the analysis of data communication, where investigators should look out for data interception, network intrusion and the like. (McKemmish, 1999). Another example is temporal analysis, the process in which events are marked with digital date and time stamps. The output is an event timeline of the computer activity. An important point for investigators to note is the need to account for differences in time zones. Investigators would normally use Greenwich Mean Time (GMT) or follow their organisation's policy standard. (Gerald, 2006)
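Temporal analysis as described above, as an added example that is not part of the essay: constructed log lines from three sources, each recording time in its own way, are normalised to UTC (GMT), an assumed clock skew on one host is corrected, and the events are merged into one timeline. The source names, the sample records and the skew figure are all assumptions made for the example.

```python
"""Temporal analysis: normalise timestamps from several sources to UTC,
correct a known clock skew, and order everything into one timeline.
Added example, not from the essay; the log lines are constructed samples
and the source names and skew figure are assumptions."""
import re
from datetime import datetime, timedelta, timezone

# Constructed samples. Each source records time in its own way:
#   firewall   - ISO 8601 with an explicit +08:00 offset
#   webserver  - Apache-style "[dd/Mon/yyyy:HH:MM:SS -0500]"
#   filesystem - file modification time as Unix epoch seconds (UTC)
FIREWALL = [
    "2017-11-02T09:15:30+08:00 DENY tcp 203.0.113.5 -> 10.0.0.8:22",
    "2017-11-02T09:16:02+08:00 ALLOW tcp 203.0.113.5 -> 10.0.0.8:443",
]
WEBSERVER = [
    '10.0.0.8 - - [01/Nov/2017:20:15:40 -0500] "POST /upload HTTP/1.1" 200',
]
FILESYSTEM = [("/var/www/uploads/upload.php", 1509585371)]

# Assumed finding at seizure: the web server's clock read 30 s behind a
# trusted reference, so its timestamps must be moved forward by 30 s.
WEBSERVER_CLOCK_OFFSET = timedelta(seconds=-30)  # server clock minus true time

APACHE_TS = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")


def parse_firewall(line):
    ts, _, msg = line.partition(" ")
    return datetime.fromisoformat(ts).astimezone(timezone.utc), msg


def parse_webserver(line, correct_skew=True):
    m = APACHE_TS.search(line)
    local = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
    if correct_skew:
        local -= WEBSERVER_CLOCK_OFFSET  # subtracting -30 s adds 30 s
    return local.astimezone(timezone.utc), line[m.end():].strip()


def parse_filesystem(entry):
    path, epoch = entry
    return datetime.fromtimestamp(epoch, tz=timezone.utc), "mtime " + path


def build_timeline(correct_skew=True):
    """Return [(utc_time_string, source, message), ...] sorted by time.
    With correct_skew=False the web server event sorts before the firewall
    ALLOW that let the connection through, which is the kind of
    contradiction that uncorrected clocks produce."""
    events = [(t, "firewall", m) for t, m in map(parse_firewall, FIREWALL)]
    events += [(t, "webserver", m) for t, m in
               (parse_webserver(l, correct_skew) for l in WEBSERVER)]
    events += [(t, "filesystem", m) for t, m in map(parse_filesystem, FILESYSTEM)]
    events.sort(key=lambda e: e[0])
    return [(t.strftime("%Y-%m-%d %H:%M:%S UTC"), src, msg)
            for t, src, msg in events]


if __name__ == "__main__":
    for row in build_timeline():
        print("  ".join(row))
```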

While analyzing evidence, the investigator should be completely objective and unbiased. Both incriminating and exculpatory evidence should be weighed equally. Evidence found should not carry any uncertainty. (Hassan et al, n.d)

Validate

In the validation phase, evidence that has been analyzed must be cross-checked to test its validity before it is presented to the court. For example, if an email was claimed or suspected to have been deleted, there should be confirmation of the existence of the deleted file, of the date and time it was deleted, and that such information has not been modified by any system process. (Boddington et al, 2008)

Some common factors which can affect the validity and reliability of the evidence include: false or misleading evidence, misinterpreted evidence, failure to locate and identify relevant evidence, and failure to report exculpatory evidence. (Palmer, 2002) Very often, prosecution cases fail due to the complexity of the digital domain, when the case cannot be competently reconstructed because of validation issues. (Cohen, 2006)

According to Carrier (2002), the Daubert Test is an approach to testing the admissibility of evidence, to determine whether the technique and methodology used to identify the evidence were accurate and sound. It consists of four questions, namely:

Testing: Can the procedure be tested, or has it been tested?

Error Rate: Does the procedure have a known error rate?

Publication: Has the procedure been subjected to peer review and published?

Acceptance: Is the procedure accepted by the relevant scientific community?

If there are questions or doubts about the validity of the evidence, investigators may wish to revisit the locate and select phases to resolve the validity issues and rebuild the investigation. (Boddington et al, 2008).

Present

The presentation phase is the last and most important stage of a cyber forensic investigation. The main objective in this phase is to support or refute the hypothesis about the crime. Each result of the previous phases on its own might be insufficient to derive a proper conclusion. Thus, examination and analysis results must always be reviewed thoroughly to get the complete picture. A report is then generated with a summary of the investigation process and the conclusions drawn about the case. (Agarwal, Gupta M.M, & Gupta M.S, 2011)

Before evidence is presented to the court, investigators are required to document the digital evidence as it was found, in the documentation phase. Every single piece of digital evidence that was collected needs to be carefully and clearly documented. The final incident report is then generated in the presentation phase. (Carrier & Spafford, 2003)

In most cases, a forensic specialist might have to provide expert testimony in court, where complex terms are explained in layman’s terminology. However, the competency and expertise of the forensic investigators, along with the methodology and tools used, might be challenged before a jury. Finally, documents such as the report, supporting materials, the chain of custody document and printouts of evidence must also be submitted to the court. (Agarwal et al, 2011)

IMPORTANCE OF HYPOTHESIS AND ALTERNATE HYPOTHESIS

To understand the importance of the hypothesis and the alternative hypothesis, we must first understand the term "crime scene reconstruction". It is the process by which investigators determine the criminal activities, the flow of events, and a logical account of what happened before, during and after the crime. (FSC, 2005) Reconstruction of a crime scene usually begins with inductive reasoning and deductive reasoning, and finally entails sound analysis of the facts that relate to the case. Crime scene reconstruction is critical in helping the investigator develop the hypothesis. (USLegal, 2001)

In the context of cyber forensics, a hypothesis is formulated based on detailed analysis and examination of a computer system, which consists of identifying suspicious events or objects. (Peisert, Bishop & Marzullo, 2008) In an investigation, it is necessary to build up and test the hypothesis by asking questions about the events that happened. Questions may include: "when and where did the incident occur" and "what might have caused it to happen". If evidence of such an event exists, then it is established that the event really occurred, and further examination can be performed to retrieve more information about its causes or effects. (Carrier & Spafford, 2004)

According to Mohay and Ebooks Corporation (2003), digital evidence can support or refute a hypothesis, so its integrity and reliability are the key to its weight and admissibility in court. Due to the complex nature of digital evidence, which involves computer systems, networks and so on, there are several challenges in interpreting the evidence collected.

Some of the characteristics include:

There are too many potential suspects and too much potential evidence.

The evidence collected can easily be contaminated, which affects its reliability.

Contaminated evidence might ruin the whole hypothesis.

In addition, investigators face the challenge of ambiguity in constructing their reasoning when some evidential events of the hypothesis are found to be uncertain or missing. Thus, cyber forensic investigators may encounter difficulties in evaluating the remaining evidential events. (Kwan, Chow, Law, & Lai, n.d)

The counterpart of the hypothesis is the alternative hypothesis. The hypothesis is formulated from incriminating evidence that supports a given theory, while the alternative hypothesis is formulated from the exculpatory evidence that challenges the theory. During the initial discovery and the whole cyber forensic investigation, investigators and lawyers are supposed to locate as much evidence as possible, whether incriminating or exculpatory. After collecting the evidence, the investigator builds it into either a hypothesis that supports their theory or an alternative hypothesis that contradicts the same theory.

Thus, the alternative hypothesis and the hypothesis carry equal weight in a court of law.

CONCLUSION

This paper outlines the critical topics that are closely related to the environment of cyber forensics, especially digital evidence, which is key to solving a criminal case. With the advancement of IT, more crimes are associated with technology and electronic devices. Information and data can easily be stored on and retrieved from such devices, and there are many ways in which people can use such information to commit crimes. This information is then treated as digital evidence, which may help forensic investigators identify the suspect(s) and is eventually used as evidence in court.

In the context of cyber forensics, it is important to understand the different theories, methodologies, tools and techniques that are used in an investigation. In addition, law enforcement agencies and cyber forensic investigators must be well-trained and follow the key principles and measures closely when conducting a full forensic investigation. In most cases, a complete investigation should include: preserve, locate, select, analyze, validate, and present. To lessen the investigator’s workload when locating evidence, forensic tools such as EnCase can be used.

It is the responsibility of the investigator to secure and preserve any digital evidence or environment that could possibly change. Being the most important part of the investigation process, the chain of custody should be protected from the beginning to the end, where the evidence is presented to the court. In any event where the chain of custody is broken or digital evidence is contaminated, the evidence might lose its validity in court.

After evaluating and analyzing the evidence, forensic investigators are able to reconstruct the whole crime scene as a series of events and criminal activities, in order to develop the hypothesis and the alternative hypothesis. Digital evidence plays an important role in crime scene reconstruction as it can support or refute a given theory, which eventually affects the result of the prosecution. In addition, investigators are often challenged with issues such as misinterpretation, uncertainty and the admissibility of the evidence. Therefore, forensic investigators must follow strictly the key principles and measures that are readily available. Otherwise, the investigation might be worthless if even a small mistake is found in any part of the investigation process.
