Technology has brought a revolution in our lives, along with a number of serious threats. The computer has become part of daily life: people use computers for entertainment and, most importantly, for business. Because computers provide so many benefits, the threats against them are also increasing day by day. Cybercrime is not limited to computers; every digital device falls under the same umbrella, including mobile phones, internet tablets and anything else connected to some sort of network, broadly speaking the internet. The need to counter these threats and make the digital world a secure place gave birth to cyber forensics. It is said that every thief leaves a trace behind him; the same holds for cybercrime, although the nature of the evidence is different. Cyber forensics can be defined as applying scientific methods and techniques to gather data from digital evidence. Digital forensics means investigating fraud, theft and attacks by examining the digital evidence found during an investigation. Cyber forensics exists to examine digital evidence and present it in court in cybercrime cases. It is carried out to identify the attacker and bring him to court with presentable digital evidence, and it is conducted within the limits of the law. This paper covers the principles and processes involved in an investigation and the digital crime reconstruction hypothesis.
- What is digital evidence?
Every digital device that holds data at the time of an investigation is digital evidence; it can be a computer, a mobile phone, a storage device and so on. Digital evidence is fragile and can easily be altered or destroyed. Research done by the University of California in 2001 showed that 93% of available information is in digital form. An intrusion detection system helps a great deal in the investigation of digital evidence, because its log files can be examined. Digital evidence should have some basic qualities. It must be admissible, meaning that it can be presented in court; this is its most important property. It must be authentic, meaning that it can actually prove the incident. It must be complete and depict all the information related to the incident, not just one side of it. Finally, it must be reliable, meaning that it is able to prove the case.
There are two basic architectures of intrusion detection system: host based and network based. In a host-based intrusion detection system, the data analysed is the data available on the computer, which we call the host. The main reason for using a host-based system is that it tells you about attacks on that computer. In this architecture, logs are examined to learn what sort of applications have been used on the computer; it amounts to knowing about every event that changed or misused the host machine. In a network-based intrusion detection system, on the other hand, network packets are observed. In a network-based system the IP address is the most important piece of information, and it can easily be changed.
- Principles of Digital Forensics
Four basic principles apply while conducting a cyber investigation.
- Standardization
Standardization means that the standards for cyber forensics differ from country to country, so it is better to work according to the standards set by your own legislation. Countries all over the world maintain standards for cyber forensics, and it is better to follow the standards set for it.
- Evidence gathering
The second principle is evidence gathering. The evidence gathered at the time of the investigation must remain intact: there should be no change in it by the time it is presented in court. Any change to digital evidence, such as the alteration or deletion of data, can result in failure of the case. Because digital evidence is easily altered or destroyed, it should be kept away from any unauthorized person. Digital evidence must be in the same condition in court as it was when collected from the incident scene.
- Evidence handling
Evidence handling is an important task. During a cyber forensic investigation, digital evidence passes through a number of investigation agencies. Whenever digital evidence is handed to another person, proper documentation should be carried out. This keeps a record of the whole investigation through its different phases and protects the digital evidence against any change. When depositing evidence with the authorities, it must be recorded to whom the digital evidence was submitted.
- Evidence access
Digital evidence must be kept in a place where it is away from unauthorized persons. This ensures the safety of the digital evidence; digital evidence in its original form is very important.
- Threats to Data on Computer
Data on a computer is fragile, meaning that it is easily changed. With the wide usage of the internet it is very easy to access someone's data. Certain factors can damage the data on a computer, and threats that can destroy it are always hovering over it. A number of factors affect the security of data stored on a computer; the major threats are listed here.
The most basic threat to data is a system crash, which can wipe all the data stored on the computer from its storage. It is common when a computer goes down. The major cause of such data loss is the hard disk: if the computer loses power, the hard drive can be affected, resulting in data damage.
Another threat to data on a computer comes from infected flash drives. When an infected flash drive is attached to a computer, it may corrupt all the data stored on the hard drive. Viruses are the basic reason for such data loss; infected drives often contain a virus that starts running on the computer.
Data can be altered easily; a person or an employee can change data as they wish. Once data has been changed, it is sometimes hard to recover it in its original form.
The most recent and now common threat to data is access by unauthorized persons, who easily reach your data by hacking into the computer.
- Investigation Procedure
Before going into the details of the investigation procedure for cyber forensics, there are a few steps that the investigator must keep in mind. If the investigator does not follow them, he may lose important data available on the computer. Cyber forensics is sensitive in nature, so it is better to work with a few precautions. The first is that if the computer is on, it should not be turned off. This is the chance to get information from volatile memory before it is lost. Another reason is that the user may have programmed the computer so that, if it is switched off, the data on it is destroyed, for instance by deleting temporary files at start-up. Conversely, if the computer is off, it should not be turned on. If the owner of the computer is present at the time of the investigation, you should not accept help from him, because he may delete necessary files from the computer. While gathering information from a running computer, no application should be executed, as that may lose useful information. Some programs change the dates of files: avoid running anti-virus programs on the computer under investigation, because anti-virus software changes the dates of the files it scans. Moreover, no files should be opened, as this changes their last-modified date.
Pictures should then be taken of the room containing the computer and the other digital evidence. Unplug the computer and disassemble it; this lets the investigator know what hardware the computer contains. Document all digital devices and retrieve the CMOS details, such as the computer's date and time.
Before starting the investigation procedure, a master copy of the digital evidence should be created. The investigator then works on the copy and the original evidence remains intact. Keeping the digital evidence in its original shape is important and can decide the success of the investigation, so the investigation must be done on the master copy created from the digital evidence. The reason is that keeping the digital evidence untouched avoids any change in its log files, which can be altered whenever a program is executed. While collecting digital evidence, an image should be captured, and the suspect's computer should be write-protected before the image is captured. The person who collected the evidence must be present at the hearing, because this helps in the verification of the digital evidence found; if that person is not present, the evidence becomes inadmissible in court. Be sure that the tasks performed on the evidence are reversible; it is necessary to take the data in its original state. Swiftness is also important: it is better to work quickly so that the data has no opportunity to change.
- Preservation of digital evidence
The first step in the investigation process is preserving the evidence. Because data can easily be changed or deleted, it is better to preserve it and so keep it useful for the investigation. There are several reasons that make preserving digital evidence necessary. Data is easy to change while transferring files or during the investigation process, and the data in the evidence can go through several changes in different phases such as collection or presentation; it is better to preserve it in a way that ensures no changes are made before it is presented in court. Data can also be destroyed if it is brought into contact with a magnetic field. The best way to preserve evidence is to make a digital image of the original: all the information on the digital evidence remains in its original form and the investigation is performed on the copy. If something goes wrong while creating the digital image, this should be documented as well, along with the reasons.
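The preservation step above, together with the master-copy and evidence-handling points made earlier, comes down to three concrete actions: make a byte-for-byte image, prove with cryptographic hashes that the image equals the original (and still does later), and write down who handled the item and when. The following Python script is an added example and not code from the paper; the item id, examiner name, file names and the "drive" contents are constructed.

```python
"""Preservation workflow: byte-for-byte image, hash verification and a
chain-of-custody log. Added example, not code from the paper; the item id,
handler name and file names are constructed."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash and copy in 1 MiB pieces so large images fit in memory


def hash_file(path):
    """Return (md5, sha256) hex digests of the file at path."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def make_image(source, dest):
    """Copy source byte-for-byte to dest, write-protect the copy and
    return True only if both files hash identically."""
    with open(source, "rb") as src, open(dest, "wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)
    os.chmod(dest, 0o444)  # the working copy is read-only from now on
    return hash_file(source) == hash_file(dest)


def custody_entry(item_id, path, action, handler, log_path):
    """Append one chain-of-custody record (who, when, what, hashes) as a JSON line."""
    md5, sha = hash_file(path)
    entry = {
        "item": item_id,
        "action": action,
        "handler": handler,
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "md5": md5,
        "sha256": sha,
    }
    with open(log_path, "a") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def verify_unchanged(path, expected_sha256):
    """Re-hash an item later (for instance before the hearing) and confirm it
    still matches the digest recorded at seizure."""
    return hash_file(path)[1] == expected_sha256


def demo():
    """Run the whole workflow on a constructed 'drive' in a temp directory.
    Returns (image_matches_original, image_still_matches_seizure_hash)."""
    work = tempfile.mkdtemp()
    original = os.path.join(work, "suspect_usb.bin")
    image = os.path.join(work, "suspect_usb.img")
    log = os.path.join(work, "custody.jsonl")
    with open(original, "wb") as f:  # constructed sample content, not real media
        f.write(b"MBR" + bytes(range(256)) * 64)
    seized = custody_entry("ITEM-001", original, "seized", "Examiner A", log)
    ok = make_image(original, image)
    custody_entry("ITEM-001", image, "imaged", "Examiner A", log)
    return ok, verify_unchanged(image, seized["sha256"])


if __name__ == "__main__":
    print(demo())
```

Two digests are recorded because courts and tools differ in which one they expect; SHA-256 is the one to rely on. In practice the source would be a raw device opened read-only behind a hardware write blocker rather than a file, but the hashing, comparison and custody record work the same way.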
- Locate information
After preserving the digital evidence comes the turn of locating the data stored in it. If there is plenty of time for the investigation, you should collect all the data. This is not an easy task, because a number of digital media may be involved (USB drives, printers, scanners). For this purpose the investigator must have knowledge of different operating systems, at least the two most used ones, Windows and Linux. All electronic devices found at the location should be collected and packed in bags for investigation; they will then go through the process of collecting data from them.
- Selection of information
When all the data has been gathered from all the digital evidence, it needs to go through a process of selection, meaning deciding which information can be used for the purposes of the investigation. This is a long process that involves sorting the data. The selection can be organised in a number of ways, such as keeping different kinds of files in separate folders. After sorting all the information, only the relevant information is kept and the rest is deleted. This step is very sensitive, as you may have to go through all the information to get close to the real cause.
- Analysis of information
The most important procedure in the investigation is analysing the data extracted in the above steps. Data can be analysed in a number of ways; the analysis steps include timeframe analysis, hidden data analysis, and file and application analysis.
- Timeframe analysis
Timeframe analysis is useful in determining the times and dates of files on a computer. This helps in establishing how the computer was being used when the event occurred. Timeframe analysis is done by two methods.
The first is to look at the time and date in a file's metadata (which contains the time, date and other information about the file); this helps in tracking the time and date when the file was last modified.
The second is to look at the installation and system logs, which tell about the usage of the computer and its applications; the security log tells us about the usernames and passwords used to log into the computer. While looking at times and dates, any difference between the log time and the BIOS time should be noted.
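Both methods produce timestamps that only become useful once they are merged into one ordered timeline and corrected for a machine clock that was found to be wrong. The script below is an added example, not code from the paper: it reads modified/accessed/changed times from file metadata, parses constructed system and security log lines, and shifts every machine-clock timestamp by the offset measured between the BIOS clock and a trusted reference clock at seizure. The log format, file and clock readings are all constructed; the same ordering is what the event-sequencing step of crime reconstruction later in the paper relies on.

```python
"""Timeframe analysis: merge file-system MAC times with system/security log
entries into one timeline and correct for a BIOS clock that was found to be
off. Added example, not code from the paper; log lines and file are constructed."""
import os
import tempfile
from datetime import datetime, timedelta

# Constructed log lines in the form "<ISO time> <log> <message>"
SAMPLE_LOG = """\
2024-03-01T09:00:00 system Installer: product 'Archiver' installed
2024-03-01T09:05:30 security Logon: user=alice
2024-03-01T09:07:10 application Archiver opened report.docx
"""


def parse_log(text):
    """Turn each log line into (time, 'log:<name>', message)."""
    events = []
    for line in text.splitlines():
        stamp, name, message = line.split(" ", 2)
        events.append((datetime.fromisoformat(stamp), "log:" + name, message))
    return events


def file_events(paths):
    """Modified, accessed and changed times from each file's metadata.
    st_ctime is metadata-change time on POSIX and creation time on Windows."""
    events = []
    for path in paths:
        st = os.stat(path)
        for label, seconds in (("modified", st.st_mtime),
                               ("accessed", st.st_atime),
                               ("changed", st.st_ctime)):
            events.append((datetime.fromtimestamp(seconds), "file:" + label,
                           os.path.basename(path)))
    return events


def clock_offset(bios_time, reference_time):
    """How far the seized machine's clock was ahead of a trusted reference
    clock when both were read at seizure (negative if it was behind)."""
    return bios_time - reference_time


def build_timeline(events, offset=timedelta(0)):
    """Sort events chronologically and shift every machine-clock timestamp
    back by the measured offset, so the timeline is in reference time."""
    return sorted(((t - offset, kind, what) for t, kind, what in events),
                  key=lambda e: e[0])


def demo():
    """Constructed case: one document plus the sample log, with a BIOS clock
    that read 10:00:00 when a reference clock read 09:58:30."""
    work = tempfile.mkdtemp()
    doc = os.path.join(work, "report.docx")
    with open(doc, "wb") as f:
        f.write(b"PK\x03\x04 constructed document")
    # Pretend the file was last modified at 09:06:00 and read at 09:07:15 (machine clock)
    mtime = datetime(2024, 3, 1, 9, 6, 0).timestamp()
    atime = datetime(2024, 3, 1, 9, 7, 15).timestamp()
    os.utime(doc, (atime, mtime))
    offset = clock_offset(datetime(2024, 3, 1, 10, 0, 0),
                          datetime(2024, 3, 1, 9, 58, 30))
    timeline = build_timeline(parse_log(SAMPLE_LOG) + file_events([doc]), offset)
    return [(t.isoformat(), kind, what) for t, kind, what in timeline], offset


if __name__ == "__main__":
    events, offset = demo()
    print("machine clock was ahead by", offset)
    for row in events:
        print(*row)
```

Because the log and the file metadata come from the same machine clock, the offset is applied to both; the "changed" entry lands at the time the demo file was created in the temp directory, which is exactly the kind of examiner-caused timestamp that working on a write-protected image avoids.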
- Hidden Data
Another method of data analysis is hidden data analysis. It is easy to hide data on a computer to keep it away from unauthorized persons. In this regard the file header should be compared with the file's extension; if the header and the extension do not match, it is obvious that the file has been hidden intentionally.
Access to hidden or protected files is obtained by getting their password. Obtaining the passwords of files may reveal the information stored in them; access to protected files shows the information they hold.
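The header-versus-extension comparison described above is a routine check that can be automated over a whole evidence folder. The Python script below is an added example, not code from the paper: it holds a small table of well-known magic numbers, treats container formats that legitimately share a signature (a .docx is a zip archive) as matches, and reports any file whose leading bytes contradict its extension. The scanned files are constructed in a temporary directory.

```python
"""Header-versus-extension check for hidden data analysis. Added example, not
code from the paper; the signature table is a small sample of well-known
magic numbers and the scanned files are constructed."""
import os
import tempfile

# First bytes of common file types (magic numbers) mapped to a canonical kind
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",   # also docx/xlsx/pptx/jar, which are zip containers
    b"MZ": "exe",           # Windows PE executables and DLLs
    b"\x7fELF": "elf",
}

# Extensions that legitimately share a signature with the canonical kind
ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip",
           "jar": "zip", "dll": "exe", "scr": "exe"}

HEADER_LEN = max(len(m) for m in SIGNATURES)


def kind_from_header(header):
    """Identify a file type from its leading bytes, or None if unknown."""
    for magic, kind in SIGNATURES.items():
        if header.startswith(magic):
            return kind
    return None


def check(name, header):
    """Compare the type claimed by the extension with the type the header shows.
    Returns 'match', 'unknown' or 'mismatch:<ext>!=<header kind>'."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    claimed = ALIASES.get(ext, ext)
    actual = kind_from_header(header)
    if actual is None:
        return "unknown"
    return "match" if claimed == actual else f"mismatch:{ext}!={actual}"


def scan(directory):
    """Check every regular file in a directory; returns {name: verdict}."""
    results = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, "rb") as f:
                results[name] = check(name, f.read(HEADER_LEN))
    return results


def demo():
    """Constructed evidence folder: a real JPEG, an executable renamed to .jpg,
    a zip-based Office document, and a text note with no signature."""
    work = tempfile.mkdtemp()
    samples = {
        "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
        "photo2.jpg": b"MZ\x90\x00\x03\x00\x00\x00",   # PE header, not an image
        "invoice.docx": b"PK\x03\x04\x14\x00\x06\x00",
        "notes.txt": b"meeting at nine",
    }
    for name, data in samples.items():
        with open(os.path.join(work, name), "wb") as f:
            f.write(data)
    return scan(work)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14} {verdict}")
```

Files reported as "unknown" (plain text, proprietary formats) still need a manual look, and a production scan would use a far larger signature library; the point is that the check reads only the first few bytes of each file on the working copy and never opens the file in its associated application.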
The third process in the analysis step is analysing the files and applications on the computer. This helps in extracting the files and identifying the operating systems used on the computer. Files can be analysed for the information stored in them and related to the applications installed on the computer; examples are comparing the internet history with the cache, or relating the emails available on the computer to their attachments.
- Validation of information
Validation is a process of confirmation that follows certain principles and procedures and verifies whether the process carried out was right or not. After the analysis of information, validation is used to verify the information extracted in the above steps, that is, whether the extracted data is relevant to the case or not. This step moves the investigation process towards closure. Validation is carried out using various kinds of software that are accepted by the different law enforcement authorities. This last step, validation of the information, is the key to successful investigation results.
- Documentation and reporting
Documentation is the concluding step of the investigation process. It is the investigator's responsibility to document each and every step taken while conducting the investigation, and the documentation should be detailed and cover all the steps. Proper documentation should contain the following points: the search authority letters; the dates and times of the whole investigation process; any irregularity during the investigation, noted down together with its reasons; a list of all usernames and passwords and the names of the authorized persons; and the operating system information and the software installed on the computer. The report should carry the name of the investigator, the dates, the list of digital evidence, and the names of every person involved in the process.
- Forensics investigation techniques
In cyber forensics there is a need to extract information from files that have information hidden in them. Mostly the information is hidden by encryption or other methods, and forensic techniques and software tools are used to extract it. These techniques differ for computer systems and for computer networks.
- Computer system
First we discuss the techniques used for computer systems. They cover file structure, storage media, steganography and prints.
- File structure
The first technique used for a computer system is analysing the file structure to find files placed in different locations on the computer. Those scattered files are gathered and then decrypted to extract the information in them. The decryption is done with automated tools, but it can also be done manually.
- Storage media
Data can be found on different storage media such as disk drives and memory cards. In most cases data is erased from these media by formatting them. There are tools that can retrieve formatted data from a storage media device. There is no assurance about the exact form of the material; the retrieved data may be corrupt. However, that data is still included in the investigation as an important part.
- Steganography
Data can be hidden in various forms on a computer system; one way is to store data inside image or sound files. It is not easy to extract data from such files, but tools are available to do it.
- Prints
Printouts from a printer are also used to hide data. Often there is something hidden in the images that is microscopic and needs special magnification to be seen. During the collection of evidence, these printouts can be helpful to the investigation.
- Computer Network
The techniques most commonly used for computer networks are packet sniffing, IP address tracing and email address tracing.
- Packet Sniffing
Packet sniffing is a method of obtaining information moving through a network. As the name suggests, packet sniffing captures data packets from the network, which can reveal information such as usernames and passwords, emails or other important data.
- IP address tracing
The Internet Protocol address is helpful in finding the real location of another computer. This technique involves reverse tracing, which gives information about the servers lying between the source and destination, known as hops. Following the IP address leads to the ISP, which in turn leads to the owner of the IP address.
- Email address tracing
There are times when it is important to know where an email came from. In this regard the email header is taken into consideration, because it includes the source email server along with the time and date.
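The header information the paragraph refers to lives in the Received lines, one added by each mail server the message passed through. The Python script below is an added example, not code from the paper: it parses a constructed message with the standard library, walks the hops from the oldest to the newest, and reports the originating IP and the delay between hops. The host names, message id and addresses are constructed, and the IP addresses come from the RFC 5737 documentation ranges.

```python
"""Email address tracing from Received headers. Added example, not code from
the paper; the message, host names, ids and addresses are constructed
(RFC 5737 documentation IP ranges)."""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed message. Received headers are prepended by each server, so the
# topmost one is the most recent hop and the bottom one is closest to the sender.
SAMPLE_EMAIL = """\
Received: from mail.example.org (mail.example.org [203.0.113.10])
\tby mx.recipient.example (Postfix) with ESMTPS id 4ABCD123
\tfor <victim@recipient.example>; Fri, 01 Mar 2024 09:05:30 +0000
Received: from [198.51.100.25] (unknown [198.51.100.25])
\tby mail.example.org (Postfix) with ESMTPA id 4WXYZ789;
\tFri, 01 Mar 2024 09:05:12 +0000
From: "Accounts" <accounts@example.org>
To: victim@recipient.example
Subject: Invoice
Date: Fri, 01 Mar 2024 09:05:10 +0000
Message-ID: <20240301090510.1234@example.org>

Please see the attached invoice.
"""

# "from <host> ... [<ipv4>] ... by <host>" inside one Received header
HOP_RE = re.compile(
    r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(\S+)", re.S)


def parse_hops(raw):
    """Return the delivery path oldest-hop-first as dicts with the sending
    host, its IP, the receiving server and the receiving server's timestamp."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(value)
        if not m:
            continue  # header without a parseable hop (e.g. local delivery)
        when = parsedate_to_datetime(value.rsplit(";", 1)[-1].strip())
        hops.append({"from": m.group(1), "ip": m.group(2),
                     "by": m.group(3), "time": when})
    return hops


def origin(hops):
    """The earliest hop's sending IP: the best lead on where the mail entered
    the mail system. Only the hop added by your own server is guaranteed
    genuine; earlier ones could have been inserted by the sender."""
    return hops[0]["ip"] if hops else None


def hop_delays(hops):
    """Seconds between consecutive hops; a large or negative gap is worth noting."""
    return [(b["time"] - a["time"]).total_seconds()
            for a, b in zip(hops, hops[1:])]


if __name__ == "__main__":
    path = parse_hops(SAMPLE_EMAIL)
    for hop in path:
        print(f"{hop['time'].isoformat()}  {hop['from']} [{hop['ip']}] -> {hop['by']}")
    print("origin IP:", origin(path), "delays:", hop_delays(path))
```

The trust boundary matters when this output goes into a report: the receiving organisation's own server wrote the topmost Received line, so that one is reliable, while anything below it was carried in from outside and should be corroborated (for instance against the sending server's logs) before the originating IP is attributed to anyone.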
- Tools used for computer forensics
As mentioned above, computer forensic techniques are carried out using different tools and software. Some of the tools most commonly used for this purpose are hex editors, disassemblers, disk analysers, decryptors, packet sniffers and DNS tools. Other tools are also used for this purpose.
- Digital crime reconstruction hypothesis
Digital crime reconstruction means creating a hypothesis about the series of events that may have happened at the crime scene. This step is based on a hypothesis that can lead you to investigate further and reach a proper conclusion. Five steps are included in the digital crime reconstruction procedure.
- Evidence examination
- Role classification
- Event construction and testing
- Event sequencing
- Hypothesis testing
- Evidence examination
The first step is to examine all the evidence collected during the investigation process. This involves the examination of every digital piece, which is identified and then individualized; this brings out the class and individual characteristics of the evidence. Classification includes the header name of the file along with its extension. Other evidence to be examined is the data packets travelling through the network. The examination checks whether a file has been modified or not, and it also looks for data or files deleted from the computer.
- Role classification
After evidence examination comes the role classification of all the files and data. This process classifies files based on the information stored in them: looking at the information stored on these objects, it is worked out what caused this information at the time of the incident and what its effect was. In a computer, data being created is an effect of the kernel. Two parts of the computer interact with each other, the hardware and the operating system: if the hardware of the computer is used, it has an effect on the kernel, and the operating system follows the keystrokes; but if a hacker is accessing the computer, there will be a difference in the kernel files. Simply put, if data is read from a file, that event is called a cause, and if data is written to a file, that event is called an effect.
- Event construction and testing
Event construction is done by joining the cause and effect files. But it is not as easy as it seems, because process and kernel information is not always recovered from the evidence: when the computer is turned off, this information is erased. The hypothesis is mostly built on the events that took part in the processes of the incident, but executable applications can also play a role in this process.
- Event sequencing
After event construction comes event sequencing, which is done by taking timestamps into consideration. Times can be found in the log file, but a time may have been changed by some event in the file. If the execution flow of a file is known, it can also be used to sequence the events.
- Hypothesis testing
Hypothesis testing is also important after the events have been sequenced and examined. It helps to identify missing events and to explain why an event happened. There must be no confusion in the hypothesis, and it should depict the crime reconstruction exactly as the investigation shows it.
This paper provides information about cyber forensics, digital evidence, and the methods and procedures involved. Digital evidence is the most important part of a cyber investigation, as the whole story revolves around it. Before going into an investigation, the examiner must know the principles of investigation; if the examiner is not aware of what his actions may cause, he may lose some very necessary information. Cyber forensics must be carried out by following the procedures as they are laid down, otherwise the results will be of no use. Preserving digital evidence is highly preferable while conducting an investigation; it can be considered the root of cyber forensics. The other processes have their own importance as well. Forensic investigation techniques are applied to extract data in its original form from digital media. A hypothesis can also be generated about the crime scene, which helps to understand how the event happened.