Cyber Forensics

Forensics is the scientific tests or techniques used in connection with the detection of crime. It is a laboratory or department responsible for tests used in detection of crime. Forensic evidence is gathered through photographs and measurements taken of the crime scene. In the case of violent crimes, these are obtained along with fingerprints, footprints, tire tracks, blood and other body fluids, hairs, fibers, and fire debris.

A forensic doctor is called forensic pathologist who is a subspecialist in pathology whose area of special competence is the examination of persons who die suddenly, unexpectedly or violently. The forensic pathologist is an expert in determining cause and manner of death.?

Forensics department need to ensure that after the crime is committed, the evidences at crime scene are not altered to mislead the investigation. They have to collect evidences carefully and store and protect them properly so that they can be properly made available at the right time in the court.?

One can become forensic doctor after completing MSc in Forensic Science or any other related courses. However, to become MD in Forensic Medicine, one should have completed MBBS.

So now we will see what is this forensics doing in IT and cybersecurity field?

If you have read my article on "non-repudiation", you will understand the need of forensics in IT field. To get deep into this, you also must read my earlier articles on VAPT, CR, Hardening, Risk management and log analytics.

We know that the forensics is related to crime and evidences. So what? Aren't crimes happening in IT field? Yes, they are! There are crimes happening in cybersecurity world. Hence, to prove those crimes in court and get the accused convicted by court, digital forensics is required. Here the evidences are in the form of logs, documents or emails etc. For example, a log file shows that someone transferred money illegally, then the digital forensics department will verify and validate the authenticity of those logs. If logs are authentic, the court will consider them as valid evidences to convict the accused.

Computer forensics, also called digital or cyber forensics, is a field of technology that uses investigation techniques to help identify, collect, and store evidence from an electronic device. In other words, it is a process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable in any legal proceedings (a court of law).?

Computer crimes are not reported in most cases because they are not detected. In many cases where computer crimes are detected, enterprises hesitate to report them because they generate a large amount of negative publicity that can affect their business. In such cases, the management of the affected enterprise seeks to fix the vulnerabilities used for the crime and resume operations.?

When a computer crime happens, it is very important that proper procedures are used to collect evidences from the crime scene. If data and evidence is not collected in the proper manner, it could be damaged and, even if the actual criminal is identified, prosecution will not be successful in the absence of undamaged evidence. Therefore, after a computer crime, the environment and evidence must be left unaltered and specialist law enforcement officials must be called in. If the incident is to be handled inhouse, the enterprise must have a suitably qualified and experienced incident response team.

As per Indian Cyber Squad, the different kinds of cyber crimes are:

• Unauthorized Access and Hacking
• Web Hijacking
• Pornography
• Child Pornography
• Cyber Stalking
• Denial of service Attack
• Virus attacks
• Software Piracy
• Salami attacks
• Phishing
• Sale of illegal articles
• Online gambling
• Email spoofing
• Cyber Defamation
• Forgery
• Theft of information contained in electronic form
• Email bombing
• Data diddling
• Internet time theft
• Theft of computer system
• Physically damaging a computer system
• Breach of Privacy and Confidentiality
• Data diddling
• E-commerce/ Investment Frauds
• Cyber Terrorism

An IS auditor (Information Systems Auditor), may be required to be involved in a forensic analysis in progress to provide expert opinion or to ensure the correct interpretation of information gathered. Any electronic document or data can be used as digital evidence, provided that there is sufficient manual or electronic proof that the contents of digital evidence are in their original state and have not been tampered with or modified during the process of collection and analysis.

The evidence loses its integrity and value in court if it has not been preserved and subject to a documented chain of custody. The chain of custody is nothing but the sequential documentation or trail that accounts for the sequence of custody, control, transfer, analysis, and disposition of physical or electronic evidence.?

The chain of evidence contains information regarding, who had access to the evidence (chronological manner), the procedures followed in working with the evidence (e.g., disk duplication, virtual memory dump), proving that the analysis is based on copies that are identical to the original evidence (e.g., documentation, checksums or timestamps). If the IS auditor boots a computer suspected of containing stored information that might represent evidence in a court case, the auditor cannot later deny that he/she wrote data to the hard drive because the boot sequence writes a record to the drive. This is the reason specialist tools are used to take a true copy of the drive, which is then used in the investigation.

Below are types of cyber forensics:

Disk Forensics: It deals with extracting raw data from the primary or secondary storage of the device by searching active, modified, or deleted files.

Network Forensics: It is a sub-branch of Computer Forensics that involves monitoring and analyzing the computer network traffic.

Database Forensics: It deals with the study and examination of databases and their related metadata.

Malware Forensics: It deals with the identification of suspicious code and studying viruses, worms, etc.

Email Forensics: It deals with emails and their recovery and analysis, including deleted emails, calendars, and contacts.

Memory Forensics: Deals with collecting data from system memory (system registers, cache, RAM) in raw form and then analyzing it for further investigation.

Mobile Phone Forensics: It mainly deals with the examination and analysis of phones and smartphones and helps to retrieve contacts, call logs, incoming, and outgoing SMS, etc., and other data present in it.

There are two types of data, that can be collected in a computer forensics investigation:

Persistent data: It is the data that is stored on a non-volatile memory type storage device such as a local hard drive, external storage devices like SSDs, HDDs, pen drives, CDs, etc. the data on these devices is preserved even when the computer is turned off.

Volatile data: It is the data that is stored on a volatile memory type storage such as memory, registers, cache, RAM, or it exists in transit, that will be lost once the computer is turned off or it loses power. Since volatile data is fleeting, it is crucial that an investigator knows how to reliably capture it.

There are four major considerations in the chain of events for evidence in computer forensics:

Identification, storage, analysis and presentation.

Identify refers to the identification of information that is available and might form the evidence of an incident, while storing or preservation refers to the practice of retrieving identified information and preserving it as evidence. The practice generally includes the imaging of original media in presence of an independent third party. The process also requires being able to document chain-of-custody so that it can be established in a court of law. The analysis involves extracting, processing and interpreting the evidence. Extracted data could be unintelligible binary data after it has been processed and converted into human readable format. Interpreting the data requires an in-depth knowledge of how different pieces of evidence may fit together. The analysis should be performed using an image of media and not the original. And finally, the presentation involves a presentation to the various audiences, such as management, attorneys, court, etc. Acceptance of the evidence depends on the manner of presentation (because it should be convincing), qualifications of the presenter and credibility of the process that is used to preserve and analyze the evidence. Here you can easily see it with an analogy of a lawyer in court.?

Now we will see key elements of computer/digital or cyber forensics:

Data Protection: The collected data must be prevented from being altered and all measures must be taken for the same. We have to establish specific protocols to inform appropriate parties that electronic evidence will be sought and to not destroy it by any means. Infrastructure and processes for incident response and handling should be in place to allow an effective response and forensic investigation if incident occurs.

Data Acquisition: All information and data required should be transferred into a controlled, hidden or secure location. This includes all types of electronic media, such as fixed disk drives and removable media. Each device must be checked to ensure that it is write-protected (no one can write on it). This may be achieved by using a device known as a write-blocker. It is also possible to get data and information from witnesses or related parties by recorded statements. By examining volatile data, investigators can determine what is currently happening on a system. This kind of data includes open ports, open files, active processes, user logons and other data present in RAM. This information is lost when the computer is shut down.?

Imaging: Imaging is a process that allows one to obtain a bit-for-bit copy of data to avoid damage of original data or information when multiple analyses may be performed. The imaging process is made to obtain residual data, such as deleted files, fragments of deleted files and other information present, from the disk for analysis. This is possible because imaging duplicates the disk surface, sector by sector. With appropriate tools, it is sometimes possible to recover destroyed information (erased even by reformatting) from the disk’s surface.

Extraction: This process consists of identification and selection of data from the imaged data set. This process should include standards of quality, integrity and reliability. The extraction process includes software used and media where an image was made. The extraction process could include different sources, such as system logs, firewall logs, IDS logs, audit trails and network management information.

Interrogation: Interrogation is used to obtain prior indicators or relationships, including telephone numbers, IP addresses and names of individuals, from extracted data.

Ingestion/Normalization: This process converts the information extracted to a format that can be understood by investigators. It includes conversion of hexadecimal or binary data into readable characters or a format suitable for data analysis tools. It is possible to create relationships from data by extrapolation, using techniques, such as fusion, correlation, graphing, mapping or time lining, which could be used in the construction of the investigation’s hypothesis.

Reporting: The information obtained from computer forensics has limited value when it is not collected and reported in the proper way.

Protection of evidence and chain of custody:

The evidence of a computer crime exists in the form of log files, file time stamps, contents of memory, etc. Rebooting the system or accessing files

could result in such evidence being lost, corrupted or overwritten. Therefore, one of the first steps taken should be copying one or more images of the

attacked system. Memory content should also be dumped to a file before rebooting the system. Any further analysis must be performed on an image of the system and on copies of the memory dumped—not on the original system in question. In addition to protecting the evidence, it is also important to preserve the chain of custody. Chain of custody refers to documenting, in detail, how evidence is handled and maintained, including its ownership, transfer and modification. This is necessary to satisfy legal requirements that mandate a high level of confidence regarding the integrity of evidence.

Advantages of computer forensics:

• Computer forensics offers a range of advantages, particularly in the realm of legal investigations and cybersecurity.
• Specialists in computer forensics are adept at preserving the integrity and admissibility of digital evidence in court. They use advanced techniques to retrieve information, even if it’s been deleted or corrupted.
• Computer forensics enables the swift recovery of data from digital devices, which is crucial in time-sensitive investigations.
• It helps the companies gather important information on their computer systems or networks potentially being compromised.
• The field improves the efficiency of investigations by using specialized tools and software designed for analyzing digital evidence.
• It efficiently tracks down cyber criminals from anywhere in the world.
• It allows to extract, process, and interpret the factual evidence, so it proves the cybercriminal action’s in the court.
• Forensic experts employ various methods like keyword searches, metadata examination, and timeline reconstruction to analyze data thoroughly.
• Computer forensics is instrumental in preventing cybercrime by identifying vulnerabilities and securing digital assets against future attacks.
• It plays a significant role in detecting and investigating fraud, thereby protecting organizations from financial and reputational damage.