The Cyber Forensics Insider


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Cyber forensics combines computer forensics and network forensics: the process of extracting, analysing and reporting on digital information that is legally obtained from computer storage media and network logs, in a way that provides accuracy and reliability for the digital evidence collected. Computer systems store valuable corporate and personal confidential information, which makes them invaluable for business and personal use, while computer networks provide convenient data access and other processing services; together, this makes them a natural target for cybercriminal organisations (Kanellis, Kiountouzis, Kolokotronis & Martakos, 2006, p. 16).

According to Curley (2012), cybercriminals are individuals who abuse the Internet for their own benefit, in particular through crimes such as fraud, child pornography, music piracy and identity theft.

Cyber forensics specialists are called upon to respond to these cybercrimes and to collect the digital evidence related to the case. Forensic investigators use scientifically proven methods to collect, preserve, analyze and validate the digital evidence, making it suitable for inclusion in a criminal investigation and presenting it in a manner acceptable in a court of law.

The purpose of my research was to discuss the processes and challenges involved in collecting, analysing and preparing digital evidence from a crime scene in the cyber forensic environment. This research answers the following questions:

What is digital evidence?

What are the key principles of cyber forensics?

What is the investigation process used to obtain evidence from the crime scene?

How important are crime reconstruction hypotheses and alternative hypotheses?

Digital Evidence

Digital evidence comes in many forms and types, such as audio or video files, email conversation logs, documents or Internet browser history. The digital evidence collected can support the charges against the suspects and assist the investigation. However, the evidence must be evaluated carefully, as its reliability and accuracy are the factors that may lead to uncertainty at the probative stage of an investigative case (Casey, 2002, p. 2).

Forensic investigators follow a standard set of procedures: the computer is physically isolated to prevent contamination, a digital copy of the original hard drive is made, and the original hard drive is kept in a secure storage facility to maintain its pristine condition (Rouse, 2007, para. 2). Investigators then carry out all the necessary investigation on the digital copy. This can be a very delicate process, because every piece of evidence must be carefully recorded and retrieved in such a way that the investigator's integrity cannot be questioned and the investigator cannot be accused of contaminating the evidence (Black, 2003, para. 3).

According to Harley (2003), the best place to find digital evidence is in Intrusion Detection Systems: information collected and analyzed from a variety of network sources and systems will reveal misuse and intrusion (p. 2).

Digital evidence can also be fabricated to implicate innocent parties and misdirect investigators away from the truth. Criminals often try to hide, encrypt and destroy evidence on computer storage media using a variety of shareware and utility software. Therefore, forensic investigators need to investigate in detail the origin and timing of events, to figure out what actually happened, when it happened, how it happened and who was actually involved (Hailey, 2003, para. 2).

The Key Principles of Cyber Forensics

Cyber forensics has become a widely used specialty in most law enforcement agencies dealing with cybercrime, as cybercrime becomes more complex and international in nature.

"There are many people of poor and evil motivation who are seeking to disrupt business and government and exploit any vulnerability in the digital universe."

- John Ashcroft, former U.S. Attorney General, 2001

Law enforcement agencies around the world have been using cyber forensics to battle cybercrime and track down hackers, terrorists, stalkers and cyber fraudsters (Grahams, n.d., para. 1). Forensic specialists need to follow core principles to carefully identify and extract possible evidence on the suspect's computer or external devices without contaminating it. According to Grahams (n.d.), there are four core principles that forensic specialists have to follow:

Standardization

Law enforcement agencies often work together across national borders to track down and prosecute cybercriminals, but this poses a problem, as the legislation covering digital evidence differs between jurisdictions. Thus, governments from across the world collaborate to standardize the principles and practices of cyber forensics.

Evidence Gathering

Forensic specialists must ensure that the process of extracting digital evidence from the original digital data does not alter or damage it. For digital evidence to be used in a court prosecution, it must remain intact and unaltered. If the digital evidence is altered or deleted during the investigation, the prosecution may fail. The digital evidence presented to the court must also be identical to the evidence in the original digital data.

Evidence Handling

Documenting the chain of custody throughout the entire process of evidence handling is a key principle of cyber forensics. In an investigation, digital evidence often passes through the hands of many different investigating agencies for data analysis. Thus, experts have to work together to ensure that each agency that used the digital evidence has fully documented its handling, analysis and testing.

Evidence Access

Only personnel deemed forensically competent should be allowed to access the original digital evidence during and after analysis. The digital evidence must be carefully stored in a secure environment to protect it from tampering or unauthorised access. This ensures the successful prosecution of the cybercriminals.

Enforcement agencies deploy cyber forensics specialists to gather evidence from the suspect's computer seized during police raids. A suspect's computer or device in police custody must be well protected so that it is not at risk of being damaged or destroyed; if the original digital copy is altered in any way, it will be deemed contaminated evidence and will no longer be accepted by a court of law.

Investigation Process

Cyber forensics involves an investigation process to preserve, identify, extract, interpret and document digital evidence from computer systems. Investigations normally require a lot of time, given the increasing size of the storage media in use today. The evidence collected during a forensic investigation is not in a state that an average computer user could view, because files such as deleted files and other data fragments found in slack space (the unused portion of the space allocated to existing files) require forensic tools to retrieve.

Basically, it is the analysis of information from computer systems in order to figure out what actually happened, when it happened, how it happened and who was actually involved, following a defined investigation methodology: preserve, locate, select, analyze, validate and present.

Preserve

Digital evidence is fragile: it can easily be altered, damaged or destroyed through improper handling or during the examination process (Ashcroft, 2001, p. 2). Maintaining its integrity, by stabilising and isolating the evidence scene to prevent contamination, is therefore important, since contamination would void its admissibility and weight (Carrier & Spafford, 2003). Forensic investigators need to preserve the electronic evidence exactly as it appeared during the collection phase (Anthony, Richard, Kevin and Jim, 2007, p. 13).

The initial step is to confiscate and isolate the suspect's computer or other suspected devices, to prevent unauthorised personnel from physically accessing them. The forensic investigator then duplicates the entire computer system to make a digital copy and isolates the original hard drive in a secure storage facility, access to which is restricted to higher authority with proper authorization, to maintain its pristine condition and protect its integrity. The duplication should be done without switching on the suspect's computer, and ideally with a write blocker device to prevent the risk of contamination. Forensic investigators must also be careful when retrieving volatile information stored in Random Access Memory (RAM) so as not to contaminate it; therefore it is compulsory that all investigations are done on the digital copy. Lastly, the chain of custody is an essential part of the preservation process and must not be broken at any point until the investigation is completed.
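The preservation step just described, and the "Evidence Gathering" principle that the copy presented must match the original, can be made checkable. The following is an added example (not code from the essay or any tool it names): it hashes the seized media before acquisition, verifies the working copy against that hash before analysis, and keeps an append-only chain-of-custody record. All data is constructed in memory, and `acquire_image` is a stand-in for a write-blocked imaging tool.

```python
"""Integrity check and chain-of-custody record for a forensic image.

Added example, not from the essay. The seized media, the people named
and the timestamps are constructed; acquire_image() is a simplified
stand-in for a write-blocked imaging tool.
"""
import hashlib
from dataclasses import dataclass, field
from typing import List, Tuple


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of a byte string as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyRecord:
    """Append-only chain of custody for one evidence item."""
    item_id: str
    original_hash: str
    entries: List[dict] = field(default_factory=list)

    def transfer(self, from_person: str, to_person: str,
                 purpose: str, when_iso: str) -> None:
        """Record one handover: who released the item, who received it, when and why."""
        self.entries.append({"time": when_iso, "from": from_person,
                             "to": to_person, "purpose": purpose})

    def chain_unbroken(self) -> bool:
        """True when every handover's releaser is the previous receiver."""
        return all(prev["to"] == cur["from"]
                   for prev, cur in zip(self.entries, self.entries[1:]))


def acquire_image(original: bytes) -> Tuple[bytes, str]:
    """Simulate bit-for-bit acquisition behind a write blocker.

    Returns the working copy and the hash taken of the original media
    before anything else touches it.
    """
    original_hash = sha256_hex(original)
    working_copy = bytes(original)  # exact duplicate; original untouched
    return working_copy, original_hash


def verify_copy(working_copy: bytes, original_hash: str) -> bool:
    """Analysis may proceed only on a copy whose hash equals the original's."""
    return sha256_hex(working_copy) == original_hash


if __name__ == "__main__":
    # Constructed stand-in for the contents of a seized drive.
    seized_media = b"boot sector" + b"user files ..." * 100
    copy, h = acquire_image(seized_media)
    record = CustodyRecord("HDD-001", h)
    record.transfer("seizing officer", "evidence custodian",
                    "secure storage", "2013-02-05T09:00:00Z")
    record.transfer("evidence custodian", "examiner",
                    "analysis of working copy", "2013-02-05T10:00:00Z")
    print("working copy verified:", verify_copy(copy, h))
    print("chain unbroken:", record.chain_unbroken())
    # A copy that was written to, even by one byte, must be rejected.
    print("tampered copy verified:", verify_copy(copy[:-1] + b"!", h))
```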

Locate

The location stage uses various forensic tools to locate and identify digital evidence of the crime or violation that supports or refutes the hypotheses related to the crime (Carrier & Spafford, 2003). After isolating the original hard drive in the secure storage facility, forensic investigators begin their investigation on the digital copy duplicated from the original. They search for relevant evidence that is important and related to the crime. External storage devices, such as external hard drives or USB drives, should also be treated as important sources of evidence, because key evidence may be stored on them and they should not be neglected by the forensic investigators. Information can be identified when data is acquired from the suspect's device, and this information can provide key facts about the case and will be used as evidence in a court of law (Shinder & Cross, 2008, p. 200).

Forensic investigators should use forensic tools such as OSForensics, EnCase Forensic and ProDiscover to search for files or data more efficiently. These tools help dig out hidden data related to the crime, which can be evidence of great help to investigators during the investigation process. The search should also be narrowed down as specifically as possible by file format, such as email, web browser data, image files or document files, so that it is more time-efficient and effective. Another key directory to search is the Recycle Bin, because most criminals intend to hide and delete their incriminating evidence; therefore, deleted files must be recovered and retrieved as far as possible. Investigators should focus on evidence that is inculpatory, exculpatory or tampered with.

Select

During the evidence selection stage, investigators thoroughly examine all the possible digital evidence identified in the previous location stage to determine which events that occurred in the system might be related to the crime. The forensic investigators then go through a tedious search process to filter out and eliminate all the unrelated evidence located earlier, as it has no value or relation to the crime. Investigators should also check the system logs for any third-party software that was installed and used to alter inculpatory or exculpatory evidence in order to mislead the investigator or frame innocent parties. The selection process ensures that all evidence retains its credibility, weight and admissibility in a court of law.

Analyze

The analyze stage discovers and recovers the digital evidence related to the crime. The evidence selected in the previous stage is analyzed to determine what happened during the crime; the data related to the crime is extracted and interpreted so as to reconstruct the evidence by piecing it together in a logical and useful format and to determine its significance to the crime. The hypotheses and alternative hypotheses document is then drawn up with a timeline to determine the actual facts about the crime and whether the suspect will be prosecuted in a court of law. The timeline gives investigators a chronological picture of what the suspect was doing at a given period of time. The investigators must maintain the chain of custody and the evidence's integrity at all times by following the preservation practices.

Validate

Forensic investigators may revisit the location and selection stages during the validation stage to determine the evidence's validity and assess any new digital evidence (Carrier & Spafford, 2003). Digital evidence should be validated before it is presented to a court of law, because digital evidence is quite complex for ordinary people to comprehend, and its weight and validity are often regarded as less credible than physical evidence. The investigators should validate all related evidence in depth to determine whether it is related to the case. For example, from an ordinary user's point of view a deleted email message has no relation to the crime, but if the deleted email message is investigated properly, the investigators can figure out the suspect's intention in why, when and how the email was deleted, and it may well contribute as incriminating evidence against the suspect.

Present

Digital evidence presented to the court must be accurate and genuine, as it has to convince the judge and jury of the incriminating evidence against the suspect. Investigators must present the evidence in a format that is easy to comprehend, complete and consistent, with a fully documented chain of custody, so that the defence lawyer has no opportunity to challenge the evidence as contaminated or to question its validity. Investigators should also not be too opinionated and must keep their assumptions to themselves, as these might influence their judgment while documenting the evidence and lead to inconsistency. The evidence presented must be in exactly the same state as when it was seized during the collection phase, to ensure its integrity.

Hypotheses & Alternative Hypotheses

A hypothesis is an assumed conclusion about the crime, formed by creating a plausible story to explain some otherwise unexplained happenings (Quine & Ullian, 1998). It 'guesses' the outcome of the crime by assessing all the available evidence and builds a chronological timeline to give a better view and understanding of the crime scenario.

According to Rynearson (2002), almost everything from the crime's events can be regarded as evidence, but the key is to identify and capture the evidence that is relevant to the crime.

Crime reconstruction hypotheses are important because they allow forensic investigators to trace back to earlier events and investigate in more depth, so as to understand more about the crime, find additional evidence and reconstruct a more accurate hypothesis according to the actual events. For example, the hypothesis assumes that the suspect stole only five cars up to the time of arrest, but when the investigators analyze the case further, evidence shows that more than five cars were stolen. The investigators will then trace back and investigate further in depth to validate the evidence. This kind of evidence is called inculpatory evidence.

According to Carrier & Spafford (2004), reconstructing an event requires the investigators to fully examine the evidence, and the evidence must be recognized by showing its relation to the case.

Alternative hypotheses are the exact opposite of hypotheses: they are constructed to refute the hypotheses against the accused suspect. Since a hypothesis consists of all the incriminating evidence found against the suspect, the alternative hypothesis looks for exonerating evidence that could prove the suspect's innocence, because there may be circumstances where the suspect is being framed. For example, the suspect's laptop shows evidence that the suspect downloaded child pornography videos, but on further investigation the forensic investigators find that the laptop contains a rootkit hidden in the system, and at the time the video was downloaded the rootkit had opened a backdoor port that allowed a hacker to bypass the security firewall and control the system. Thus, the video may have been downloaded by the hacker while the suspect was away from the laptop during that period. This kind of evidence is called exculpatory evidence.
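The timeline that the analyze stage calls for, applied to the laptop example above, can be worked through in code. The following is an added example (not code from the essay): it merges events from several constructed sources into one chronology, pairs the backdoor's session start and end into a time window, and then tests whether each download fell inside that window, which is exactly the exculpatory check the alternative hypothesis relies on. Every source, name and timestamp here is constructed; a real case would draw them from filesystem metadata, browser history and firewall or system logs on the working copy.

```python
"""Timeline reconstruction and the alternative-hypothesis window check.

Added example, not from the essay. All events below are constructed
stand-ins for entries a real examination would recover from the copy.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    time: datetime
    source: str   # e.g. "browser", "filesystem", "firewall"
    kind: str     # e.g. "download", "remote_session_start"
    detail: str


def build_timeline(*sources: List[Event]) -> List[Event]:
    """Merge events from every source into one chronological list."""
    merged = [e for src in sources for e in src]
    return sorted(merged, key=lambda e: (e.time, e.source))


def session_windows(timeline: List[Event], start_kind: str, end_kind: str
                    ) -> List[Tuple[datetime, Optional[datetime]]]:
    """Pair start/end events into (start, end) windows; an unclosed window ends at None."""
    windows, open_start = [], None
    for e in timeline:
        if e.kind == start_kind and open_start is None:
            open_start = e.time
        elif e.kind == end_kind and open_start is not None:
            windows.append((open_start, e.time))
            open_start = None
    if open_start is not None:
        windows.append((open_start, None))
    return windows


def during_remote_session(event: Event, timeline: List[Event]) -> bool:
    """True when `event` falls inside a remote (backdoor) session window.

    A download inside such a window is consistent with the alternative
    hypothesis that someone other than the laptop's owner fetched it.
    """
    for start, end in session_windows(timeline, "remote_session_start",
                                      "remote_session_end"):
        if start <= event.time and (end is None or event.time <= end):
            return True
    return False


def constructed_case() -> List[Event]:
    """Constructed events mirroring the essay's laptop example."""
    t = datetime(2013, 2, 5, 22, 0)
    firewall = [Event(t, "firewall", "remote_session_start", "inbound connection accepted"),
                Event(t + timedelta(minutes=40), "firewall", "remote_session_end", "closed")]
    browser = [Event(t - timedelta(hours=3), "browser", "download", "invoice.pdf"),
               Event(t + timedelta(minutes=15), "browser", "download", "illicit_video.mp4")]
    fs = [Event(t - timedelta(days=2), "filesystem", "file_created", "hidden rootkit driver")]
    return build_timeline(firewall, browser, fs)


if __name__ == "__main__":
    tl = constructed_case()
    for e in tl:
        flag = "  <-- during remote session" if during_remote_session(e, tl) else ""
        print(f"{e.time:%Y-%m-%d %H:%M}  {e.source:<10} {e.kind:<21} {e.detail}{flag}")
```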

Conclusion

With the rising popularity of technology globally, the future of the Internet cannot ignore the current and continually increasing rate of cybercrime; the cybercriminals of poor and evil motivation who abuse the Internet for their own gain should be arrested and dealt with.

When investigating cybercrime, forensic investigators should stick to their investigation methodology, handling the evidence with caution so as not to contaminate it and following proper chain of custody procedures. Investigators should also draft hypotheses and alternative hypotheses to help them understand and support their existing evidence better.

Lastly, the digital evidence must be collected in a way that is accurate and genuine and whose integrity cannot be questioned, so that it is admissible in a court of law as legitimate evidence to prosecute the accused suspect.

References

Ashcroft, J. (2001). Electronic crime scene investigation: A guide for first responders. Washington: U.S. Department of Justice.

Anthony R., Richard B., Kevin O. and Jim S. (2007). Cyber Crime Investigations: Bridging the Gaps Between Security Professionals, Law Enforcement, and Prosecutors. Rockland, MA: Syngress Publishing.

Black, K. (2003). What Is Digital Evidence? Retrieved February 5, 2013, from http://www.wisegeek.com/what-is-digital-evidence.htm

Carrier, B. D., & Spafford, E. H. (2005b). Automated digital evidence target definition using outlier analysis and existing evidence. Digital Forensic Research Workshop, New Orleans.

Carrier, B. D., & Spafford, E. H. (2003). Getting physical with the digital investigation process. International Journal of Digital Evidence.

Carrier, B. D., & Spafford, E. H. (2004). Defining Event Reconstruction of Digital Crime Scenes. Retrieved February 12, 2013, from http://www2.tech.purdue.edu/cit/Courses/cit556/readings/EventReconstruction.pdf

Casey, E. (2002). Error, Uncertainty, and Loss in Digital Evidence. Retrieved February 5, 2013, from https://utica.edu/academic/institutes/ecii/publications/articles/A0472DF7-ADC9-7FDE-C80B5E5B306A85C4.pdf

Curley, R. (2012). Issues in Cyberspace: From Privacy to Piracy. Chicago: Britannica Educational Publishing.

Grahams, A. (n.d.). What Are the Four Principles of Computer Forensics? Retrieved February 11, 2013, from http://www.ehow.com/info_8035487_four-principles-computer-forensics.html

Kanellis, P., Kiountouzis, E., Kolokotronis, N. & Martakos, D. (2006). Digital Crime and Forensic Science in Cyberspace. Hershey, PA: Idea Group Inc.

Hailey, S. (2003). What is Computer Forensics? Retrieved February 5, 2013, from http://www.csisite.net/forensics.htm

Harley, K. (2003). Digital Evidence. Retrieved February 5, 2013, from http://infohost.nmt.edu/~sfs/Students/HarleyKozushko/Papers/DigitalEvidencePaper.pdf

Rouse, M. (2007). Computer forensics (cyberforensics). Retrieved February 5, 2013, from http://searchsecurity.techtarget.com/definition/computer-forensics

Rynearson, J. (2002). Evidence and Crime Scene Reconstruction (6th ed.). National Crime Investigation and Training.

Shinder, D. L., & Cross, M. (2008). Scene of the Cybercrime. Burlington, MA: Academic Press.

Quine, W. V., & Ullian, J. S. (1998). Introductory Readings in the Philosophy of Science (3rd ed.). Prometheus Books.
