The History Of Cyber Forensic Principles


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Please click this link to view samples of our professional work written by our professional essay writers. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Digital information is not restricted to data alone; it covers the whole range of technology, such as video, voice, GPS location and any information that can be stored on a device. As such, this information becomes the target of criminal activities such as spying on competitors' business information, profiting from financial figures, and retaliation.

Computer crimes are becoming more sophisticated, and there is a need for forensic detectives of this kind. Computer forensics, or information forensics, is an analysis technique to identify, retrieve and present information that was stored on digital devices. With more criminal activities and civil investigations involving computer evidence, new methods and tools for investigators and internal auditors are needed.

"Computer forensics is the scientific examination and analysis of data held on, or retrieved from, computer storage media in such a way that the information can be used as evidence in a court of law." (Nardoni, 2004)

Law enforcement agencies have identified disturbing trends in cyber-criminal activity, fraud and illegal attacks on corporate systems. It is therefore apparent that law enforcement agencies need to put in place a Cyber Forensics Team and provide it with the appropriate tools and techniques for solving digital crime.

In this essay, I discuss the process and challenges involved in identifying, recovering, securing, examining, analysing and preparing digital evidence from a crime scene.

Digital Evidence

"… digital evidence is defined as any data stored or transmitted using a computer that support or refute a theory of how an offense occurred or that address critical elements of the offense such as intent or alibi." (Casey, Digital Evidence And Computer Crime, 2004)

Evidence is any information pertaining to a crime or clue, no matter how big or small. Such information ranges from an ordinary crime case to a murder case, and it determines the fate of the guilty and of the innocent. Cyber evidence is defined as all information in digital form, for example pictures (jpg, bmp, tiff, png), videos, text, emails and even websites. It encompasses any and all digital data that can link a crime to its victim or a crime to its culprit. Such evidence can determine the life or death of one or more persons; therefore, it must be original and uncorrupted beyond reasonable doubt in order to be presented in court as proof of a crime (Casey, Digital Evidence And Computer Crime, 2004).

Digital forensic evidence must be authentic, accurate, complete, convincing and in conformity with the law in order to be presented to the court. Therefore, all digital evidence must be handled properly and recovered from incidents rapidly to lessen damage and losses. To certify that evidence is authentic, it must be confirmed to come from the original source. The evidence must be truthful, reliable and accurate, leaving no reason for doubt. Evidence should be complete, with no fabricated story, so that it can convince the court. Consider, for example, a program that activates some carefully placed code which causes the program to behave strangely or even to erase or amend vital evidence (James & Keith, 2003).

Metadata

Metadata, or data about data, provides critical information relating to the crime in digital evidence. It provides a link to the allegation and shows evidence of intent, ability and opportunity leading to the commission of the crime (Janes, 2000). Figure 1 shows an example of metadata from a forensic software tool. Figure 2 shows another example of metadata from the Windows operating system.

Figure 1: Metadata from a file.

Figure 2: Metadata from the Windows operating system.

Cyber Forensic Principles

"Gathering and analysing data in a manner as free from distortion or bias as possible to reconstruct data or what has happened in the past on a system" and providing clear and objective testimony and reporting of the results of the investigation (Anthony & Jack, 2007).

It is important to note the difference between principles and procedures (methodologies). A principle is defined, according to the Longman Dictionary, as the basic idea that a plan or system is based on: a comprehensive and fundamental law, doctrine or assumption. A procedure, on the other hand, is a step-by-step way of accomplishing a certain goal (Anthony & Jack, 2007).

Practice Safe Forensics

We have always been taught that safety comes first, and it has never been truer. It may have little to do with the technical side of cyber forensics, but it is one of the principles that should not be taken lightly (Anthony & Jack, 2007).

Safety involves a component that is risk assessment: a formal or informal analysis of the risks associated with forensic activities. It is largely a matter of the environment involved, such as whether the work takes place outside the office or at the office or lab.

Examples of the questions to ask: Will any suspect, victim or witness be around?

At what time of day is the investigation being conducted?

The investigator must take the place into consideration and perform a risk assessment (Anthony & Jack, 2007).

Chain of Custody Must Be Established and Maintained

Chain of custody is the process of validating that every piece of evidence obtained is tracked and remains original all the way to the courts. There should be an SOP (Standard Operating Procedure) for collecting, marking, transporting and storing evidence (Anthony & Jack, 2007) (Sarah, 2005).

Minimal Interaction with Original Evidence

It is important to stress that the original evidence must be protected and its integrity maintained throughout the case. A key point to note is that when collecting evidence, it must not be altered or changed in any way (Anthony & Jack, 2007).

Use Proven Tools and Learn Them

The only way to do a proper job of preserving, locating, selecting, analysing, validating and presenting the evidence is through software. It is a must-have for the forensic investigator.

Conduct Objective Analysis and Reporting

When gathering evidence, we must present it objectively, with no bias towards any party involved. With the investigator's report, the evidence is presented to court (Anthony & Jack, 2007).

Cyber Forensics Processes

"It is a capital mistake to theorize before one has data. Insensibly, one begins to twist facts to suit theories, instead of theories to suit facts."

Sherlock Holmes

Sir Arthur Conan Doyle’s "A Scandal in Bohemia", 1891

Cyber forensics may be categorised into two main processes (Richard, Valerie, & Graham Mann, Validating Digital Evidence for Legal argument, 2008).

1. Investigating – consists of preserving, locating, selecting and validating evidence.

2. Legal – consists of constructing and presenting evidence to the court.

Preservation

"This is the process of preserving the integrity of the digital evidence, ensuring the chain of custody is not broken. The data needs to be preserved (copied) on stable media such as CD-ROM, using reproducible methodologies." (Ryder).

Almost all evidence is fragile and prone to alteration and damage; mishandling is one of the culprits. Therefore it is important to preserve it, and during acquisition we need to retrieve it carefully and maintain its integrity. The key parts of preservation are collection, chain of custody of the evidence, authentication, recovery and verifiability (Richard, Cyber Forensics, 2013).

The process of retrieving forensic information bit by bit is referred to as forensic acquisition. It is this information that will be used in civil or criminal court proceedings (Kornblum, 2004).

In this phase, the original items must be preserved in a way that is reliable, complete, accurate and verifiable. Documentation is necessary to reflect any changes; a change of custody must be approached methodically, as must the handling of artifacts, and any changes made must be properly recorded and justifiable. Ultimately, whether the evidence should be presented in court will depend on the investigator (Christopher, 2006).
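The preservation steps above (bit-by-bit acquisition, authentication, verifiability and a recorded chain of custody) can be shown in a small script. This is an added example, not code from the essay or from any forensic product; the "device" is a constructed byte string, and the block size, item identifiers and handler name are hypothetical.

```python
import hashlib
import io
from datetime import datetime, timezone

# Constructed stand-in for a seized storage device (hypothetical contents).
SOURCE_DEVICE = bytes(range(256)) * 64 + b"\x00" * 100
BLOCK_SIZE = 512  # one "sector" per read; hypothetical size


def acquire_image(source, block_size=BLOCK_SIZE):
    """Copy the source block by block into an image, hashing the source as it is read
    and the finished image afterwards. Returns (image_bytes, source_hash, image_hash)."""
    src = io.BytesIO(source)
    image = io.BytesIO()
    src_hash = hashlib.sha256()
    while True:
        block = src.read(block_size)
        if not block:
            break
        src_hash.update(block)
        image.write(block)
    image_bytes = image.getvalue()
    return image_bytes, src_hash.hexdigest(), hashlib.sha256(image_bytes).hexdigest()


def verify_image(source, image):
    """Reproducible check: re-hash both sides; True only if the copy matches the original."""
    return hashlib.sha256(source).hexdigest() == hashlib.sha256(image).hexdigest()


def custody_entry(item_id, action, handler, digest, when=None):
    """One chain-of-custody record: who did what to which item, when, and the hash observed."""
    when = when or datetime.now(timezone.utc)
    return {"item": item_id, "action": action, "handler": handler,
            "sha256": digest, "utc": when.isoformat()}


def acquire_with_custody(source, item_id, handler):
    """Acquire an image and produce the custody log that documents each step.
    Returns (image, verified, log)."""
    image, src_digest, img_digest = acquire_image(source)
    log = [custody_entry(item_id, "hash-before-acquisition", handler, src_digest),
           custody_entry(item_id + "-img", "image-created", handler, img_digest)]
    ok = verify_image(source, image) and src_digest == img_digest
    log.append(custody_entry(item_id + "-img",
                             "verified" if ok else "VERIFY-FAILED", handler, img_digest))
    return image, ok, log
```

A single flipped byte in either the device or the image makes `verify_image` return False, which is exactly the case the custody log must record rather than hide.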

Locating (Examination)

Locating is the search for evidence and its examination. This process involves searching the data in a systematic way and extracting and analysing the digital evidence. It consists of many techniques for recovery and examination. The recovery process includes data recovery, metadata checks, etc. (Anthony R., 2007).

The figure below shows the various stages of examination.

Figure: Digital forensic investigation data flow diagram.

There are two types of process for capturing evidence: "live system" analysis and "offline (or dead)" analysis (Volonino, Linda, Anzaldua, & Godwin, 2007).

The extraction process may consist of two types, physical and logical extraction.

Physical extraction: file carving, partition table analysis.

Logical extraction: system information extraction, password extraction and recovery of deleted files.

In order to locate the necessary evidence, certain tools are needed, such as hash filters, malware scanners and tools with features for processing huge files, so as to speed up the processing of huge amounts of data (Anthony & Jack, 2007).

Selection (Analysis)

Once we have found the evidence, we need to analyse and scrutinise it to understand what occurred in the system and its value to the case (Brian & Eugene, 2006).

Selection analysis can include timeline analysis, data discovery, application of programs and ownership possession.

Timeline Analysis

A timeline can be used to determine when events occurred on a system, not limited to a computer but including mobile phones and any other digital device. It gives us a good view of what was going on leading up to the final events.
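To illustrate the cross-device timeline described above, here is an added example (not the essay's own code) that merges file-system timestamps from a computer with entries exported from a handset, normalises every timestamp to UTC so that devices in different time zones line up, and lets the examiner pull out everything near a pivot event. All records, paths and numbers are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Constructed file-system records: (path, mtime, atime, ctime) with the local offset
# the machine reported (UTC+8 here, hypothetical).
FILESYSTEM_EVENTS = [
    ("C:/Users/x/Documents/plan.docx",
     "2017-10-30T09:15:00+08:00", "2017-10-31T22:05:00+08:00", "2017-10-30T09:15:00+08:00"),
    ("C:/Users/x/Pictures/IMG_0042.jpg",
     "2017-10-31T21:58:00+08:00", "2017-10-31T21:58:30+08:00", "2017-10-31T21:58:00+08:00"),
]
# Constructed handset export: (kind, detail, timestamp); this device reported UTC.
PHONE_LOG = [
    ("sms-out", "'on my way'", "2017-10-31T13:50:00+00:00"),
    ("call-in", "+00 0000 0000", "2017-10-31T14:20:00+00:00"),
]


def to_utc(ts):
    """Parse an ISO-8601 timestamp with offset and express it in UTC."""
    return datetime.fromisoformat(ts).astimezone(timezone.utc)


def build_timeline(fs_events, phone_log):
    """Merge both sources into one list of (utc_time, source, description), oldest first.
    Each file contributes three events, one per timestamp, so MAC order is visible."""
    events = []
    for path, mtime, atime, ctime in fs_events:
        for label, ts in (("modified", mtime), ("accessed", atime), ("created", ctime)):
            events.append((to_utc(ts), "filesystem", f"{label} {path}"))
    for kind, detail, ts in phone_log:
        events.append((to_utc(ts), "phone", f"{kind} {detail}"))
    events.sort(key=lambda e: e[0])  # stable sort keeps insertion order for ties
    return events


def events_near(timeline, pivot_utc, minutes):
    """Everything within +/- minutes of a pivot event, across all devices."""
    window = timedelta(minutes=minutes)
    return [e for e in timeline if abs(e[0] - pivot_utc) <= window]
```

Viewed in UTC, the photo's creation falls between the outgoing text and the incoming call, a relationship the raw local timestamps hide.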

Data Discovery

Data discovery is the detection and recovery of concealed information in the computer system and in other media such as pictures and wave format files, for example steganography and encrypted files.

Application of programs

Certain programs are specifically built for a special purpose, for example QuickStegano or TrueCrypt. These programs are used for hiding information.

Ownership possession

The ownership of a file may have some value in establishing who created, modified or accessed it, especially for hidden files and files relating to the crime, such as pictures of stolen items.

Validation

This is one of the important processes; to validate a piece of information is to confirm its integrity, by examining and providing objective evidence that a tool, technique or procedure functions correctly as intended (Beckett & Slay, 2007).

The tools we rely on to analyse the evidence are therefore important. We base the digital evidence on the tools and rely on them; should the application or usage of the tools go wrong, the evidence would be questionable and might be deemed not valid for use in court. Therefore, the investigator or the organisation must validate and verify the correct use of the application for preserving, collecting and analysing digital evidence (Beckett & Slay, 2007).

It is necessary to go through the evidence at the location and selection stages a few times, so as to verify validity issues and, where possible, look for new evidence. Failure to do so may result in insufficient examination of the evidence and may undermine the investigation process (Carrier & Spafford, 2003) (Cohen, 2006).

Different factors and circumstances can undermine the evidence: a broken chain of custody, tools missing from the collection, exculpatory evidence not reported, evidence taken out of context and misinterpreted, relevant evidence not properly identified, and application processing errors. The list could be endless if the investigator does not take care of the risks involved and analyse them (Palmer, 2002) (Cohen, 2006).

Presentation

With all the necessary evidence that is conclusive, related to the crime and based entirely on local policy and law, the investigator needs to present the evidence to the court. This process requires the investigator to construct a hypothesis of the events with the help of the timeline and the documents gathered (O Ciardhuain, 2004).

The risk elements in this process must be managed by ensuring the following:

Chain of custody of the evidence should be handled properly, in accordance with the procedures.

Damage to or loss of the evidence results in grave consequences.

Digital data must be highly secure and protected from exposure to viruses and malware.

Documents gathered must be complete, comprehensive and accurate (National Institute of Justice, April 2004).

The defending and prosecuting lawyers will defend and attack the findings under furious challenge. Therefore, presenting the evidence in an understandable and effective manner is required (Cory & Harlan, 2011).

The investigator will have the chance to prove his findings and the validity of his hypothesis and alternate hypothesis, and should defend them against criticism (O Ciardhuain, 2004).

Forensic Tools

Forensic tools must be able to meet the requirements of usability, comprehensiveness, accuracy, determinism and verifiability (Carrier & Spafford, 2003).

Methods that are commonly used include (Anthony R., 2007):

Data carving

Retrieving and extracting data that may not have been entirely deleted.

Deleted Items Analysis

Recovery of deleted files and analysis of their metadata. Such files may indicate that the suspect tried to delete some critical information.

Malware Analysis

Determination of traps, such as malware, that could potentially harm the evidence.

Types of Forensic Tools

Some of the tools include the following:

ProDiscover

DeftWin

PhotoMe

FTKimager

Truecrypt

UsbDeview

Trojan Revealer

Quick Crypto

Hypotheses and Alternate Hypotheses

Generally speaking, there are always two sides to a coin. Digital forensics holds the same truth: there is the hypothesis, and through thorough investigation we may develop alternate hypotheses. Gaining a greater understanding of the case, for example by backtracking, is common in examination activity (O Ciardhuain, 2004).

A hypothesis must be supported by the evidence gathered, and the techniques used will depend on the type of case. Once the hypothesis is presented, it must be able to withstand challenges in order to prove its correctness (Popper, Hollinger, & Wyss, 1998) (Carrier & Spafford, 2003).

Crime is not as straightforward as it seems: there are professional criminals around, and some may even set digital traps, plant false evidence or build misdirection into the evidence. Therefore, it is necessary to formulate alternate hypotheses based on experience and skillset (Carrier & Spafford, 2003).

A hypothesis must be tested against the events that occurred and must not contradict the evidence found. When certain information cannot be found, an alternate hypothesis may be formed based on the information available (Brian & Eugene, 2004).

For example, in ICT 248 Cyber Forensic Assignment 1, relating to the case of Ken Sibanda, the hypothesis was that Ken, a regular car thief and burglar, would have killed Peter Bole because Peter did not pay Ken the money. But the whole sequence of events became complicated because the chain of custody was broken and information that should have been made available was not given. Therefore, could we present the hypothesis to the court? I would not think so. The alternate hypothesis also reflected the situation.

Conclusion

Appropriate prevention to tackle cybercrime is a necessity; without it, more serious crimes will emerge. Procedures must be followed strictly, and the five principles (practise safe forensics; the chain of custody must be established and maintained at all times; minimal interaction with original evidence; use proven tools; and conduct objective analysis and reporting) must be engraved in the back of our minds.

The processes of preservation, locating, selection, validation and presentation each have their part to play, and we should not be too lazy to skip any of them. We should not be too contented; technology is ever changing. As the famous saying goes,

"... number of transistors on a given chip can be doubled every two years…"

Moore’s Law

I believe cybercrime-related activity will increase almost proportionately with technology. Therefore, the cyber forensic investigator must have a thorough understanding of the law, the rules of evidence and computer technology know-how, and be on their toes at all times.

Cyber forensics must be kept to a high standard. Frequent debate and review are needed to keep the procedures updated. Reviewing tools and techniques to keep up with the latest trends is also advisable.


