Sunday, December 8, 2019

Cyber Forensic Or Computer Forensic - Myassignmenthelp.com

Question: Describe cyber forensics (computer forensics).

Answer:

1.0 Introduction

Cyber forensics, also called computer forensics or digital forensics, is the practice of applying scientifically proven methods to gather, process, interpret and use digital information as evidence in legal proceedings and cyber-crime cases. It is also used in other criminal investigations whenever digital information and evidence are involved, and legislation supports the use of digital data as evidence in a range of investigative processes. The term now encompasses information technology, law and legislation, and the field is the subject of intensive research.

There are some fine distinctions between digital forensics and cyber forensics. Some scholars treat digital forensics as the wider area, with cyber forensics as the part of it that is more concerned with finding evidence on digital storage devices and computers. The goal of cyber forensics is to examine digital media thoroughly and forensically in order to identify, preserve, recover, analyze and present the facts and findings contained in digital data. Techniques such as data recovery can also form part of a legal audit trail. A cyber forensic investigation follows the same practices and guidelines that apply to any digital evidence, and computer forensics is gradually becoming part of government and legislation in many countries.

2.0 Digital Evidence

Digital (or electronic) evidence is an essential part of cyber forensics. It is probative information that is transmitted or stored in digital form and that can be used at trial. Before digital evidence is accepted by a court it must be verified and authenticated, and its relevance must be established; sometimes a copy of the evidence is needed to demonstrate these properties.
(Casey, 2004)

Over the last few years the amount of digital evidence appearing in legal cases of all types has increased. The following kinds of digital data can be used as digital evidence:

- Emails
- Logs of ATM transactions
- Digital video and photographs
- Word documents
- Instant messaging histories
- Spreadsheets
- Accounting and financial information and statements generated by information systems
- Internet browsing histories
- Contents of storage media and computer memory, and data backups
- Tracking information from GPS (global positioning system) devices
- Logs from automatic door locks in hotel rooms, and similar records
- Audio files and recordings

In some countries such evidence is given the same weight as traditional evidence. The volume of data involved is a consideration, however. Digital information is hard to destroy, easy to copy, and more expressive by nature than physical evidence, so there is more scope for drawing conclusions from it, but it must be stored appropriately. Its authenticity and admissibility are sometimes questioned because it can be modified and tampered with, although such challenges can be countered with more detailed supporting information. (Casey, 2004)

2.1 Admissibility

Admissibility is an issue with digital evidence, and it stems from a lack of authentication; admissibility and authentication are therefore closely related. Most jurisdictions require digital evidence to be properly seized and investigated. If, while executing a warrant for one investigation, evidence of a different crime is found, a separate warrant is needed to investigate the second one.

2.2 Authentication

Like any other kind of evidence, digital evidence needs a proper foundation and a certain degree of reliability. Some aspects of its use remain open to question.
For example, digital media can be altered easily, so the reliability of the digital devices must be established and a certain degree of accuracy is required when data is entered. (Casey, 2004)

Software and information-technology solutions have been designed to preserve digital evidence in its original form and thereby support its admissibility. One example is the digital authentication technology OnLock Digital Authentication, a SaaS (Software as a Service) solution for authenticating and preserving digital evidence in a non-editable format. The use and development of such applications is increasing the applicability and importance of digital evidence in legal trials.

2.3 Rule of the Best Evidence

Digital evidence is not in a human-readable format, so additional steps are needed to make it readable before it can be used as evidence. For example, the findings of an analysis of a digital exhibit may need to be printed out before use. It has been argued that such a change of format does not conform to the best evidence rule and that the resulting documents do not qualify as digital evidence. The counter-argument, which has legal support, is that where the data was acquired from a computer or other digital device, a printout or conversion to another human-readable format is a valid digital exhibit that reflects the original data accurately.

3.0 Key Principles of Cyber Forensics

The key principles of cyber forensics are:

- Computer-based investigation
- Data examination
- Analysis of evidence

3.1 Computer-Based Investigation

Computer-based investigation is becoming more and more common, not only in cyber-crime but also in other types of crime, from terrorism to burglary. As technology has become an integral part of our lives, these crimes also involve technology.
As a result, computer-based investigation is becoming essential to crime investigation around the world. Computers and information technology now play a role in the commission of crimes and in obtaining evidence of them, and they can even be the target of crimes. A computer-based investigation requires an understanding of the roles and types of digital evidence, crime scene processing, the urgency of responding to such crimes, and the analysis of evidence, together with the recognition, collection and preservation of electronic evidence in different crime scenarios. Responders must clearly understand the fragility of electronic evidence and the procedures and principles associated with collecting and preserving it.

In a computer-based investigation the evidence is data about the results of an investigation, and that data may be stored on or transmitted through a computer. In many cases, for example, DNA or fingerprints are the evidence, but the raw form of a fingerprint or DNA sample means nothing to us; we need the information derived from it, and software and systems exist to provide that information. Computer-based evidence is fragile by nature, since it can be damaged or altered easily, so handling and preserving it correctly is very important; otherwise it may become unusable or the results of the analysis may be erroneous. Preserving the integrity of computer-based evidence is equally important. (Albert J. Marcella and Guillossou, 2012)

3.2 Data Examination

Examination of the data in digital evidence follows the same principles as the examination of traditional evidence. Different types of media and cases call for different data examination methods.
Wherever possible, digital forensic examinations are carried out on copies of the evidence, not on the originals. Data examination is the process of extracting digital evidence from different types of media and analyzing or interpreting it. Extraction here means recovering the data, analyzing what was recovered, and finally placing it in a coherent, logical and usable format. The concepts, tools and techniques used in this process are intended to help an examiner move through these steps smoothly. The examiner first structures the evidence and then examines the data it contains. An examiner may use any set of tools and techniques, provided they are useful for the examination at hand. (Albert J. Marcella and Guillossou, 2012)

The data examination process consists of the following steps.

3.2.1 Preparation

In this step the files and data from the evidence are separated and stored in different files, directories and media, and all the setup required for the examination is prepared.

3.2.2 Extraction

There are two kinds of extraction. In physical extraction, data is identified and recovered from the physical drive without regard to the file system. In logical extraction the file system, which is the logical structure of the drive, is used, and data is identified and recovered from the different file systems, operating systems and applications present.

The techniques used in physical extraction are file carving, keyword searching, and extracting and storing the unused space and the partition table of the physical drive. File carving assists in recovering and extracting data from the unused areas of the physical drive, data that may not be accounted for by the file system or operating system.
Keyword searching does a similar job across the physical drive. Examining the partition structure of a physical disk helps to identify the file systems it holds and makes it easier to determine the physical size of the entire storage medium under consideration.

Logical extraction starts from the file system of the storage medium and then takes in the different types of files and data the file system holds, for example the file slack, deleted files, active files and unallocated space on the medium. One by one, the extraction phase recovers file system information such as the directory structure, file names, file attributes, dates and timestamps, file locations and file sizes. Data reduction then identifies and eliminates known files by comparing their calculated hash values against authenticated hash values. File extraction may rely on the file header, the file name and extension, the file content, the file's location on the medium, and so on; it may also include the recovery of deleted files and the extraction of encrypted or password-protected data.

3.2.3 Analysis of Extracted Data

Analysis of the extracted data reveals its significance. In some cases there is a predefined time frame for the analysis. The techniques used in analysis include data hiding analysis, time frame analysis, ownership and possession analysis, review, investigative leads, searching and analytical leads.

Time frame analysis helps to establish when events occurred on the computer and may also help to establish how the computer was used. Two methods are used:

- Examining the file system metadata for date and time stamps, which links the files to the relevant time frames.
- Reviewing the application and system logs, including other log types such as security logs, installation logs, error logs and connection logs.
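As an added illustration of the logical extraction, data reduction and time frame steps described above (example code, not part of the original report), the following Python script collects file system metadata from a directory tree, eliminates files whose hashes match a known-file set, and filters what remains to an incident window. The directory tree, file contents, timestamps and the known-hash set are all constructed for the example.

```python
"""Logical extraction, hash-based data reduction and time frame filtering.
Sample tree and known-hash set are constructed in a temp directory; a real case
would use a mounted copy of the evidence and a trusted reference hash library."""
from __future__ import annotations
import hashlib
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class FileRecord:
    path: str
    size: int
    mtime: datetime  # UTC modification timestamp from file system metadata
    sha256: str


def sha256_file(path: str) -> str:
    """Hash in chunks so large evidence files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def extract_metadata(root: str) -> list[FileRecord]:
    """Logical extraction: path, size, timestamp and hash of every file under root."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            records.append(FileRecord(
                path=os.path.relpath(full, root).replace(os.sep, "/"),
                size=st.st_size,
                mtime=datetime.fromtimestamp(st.st_mtime, tz=timezone.utc),
                sha256=sha256_file(full)))
    return records


def reduce_known(records: list[FileRecord], known: set[str]) -> list[FileRecord]:
    """Data reduction: drop files whose hash matches an authenticated known-file hash."""
    return [r for r in records if r.sha256 not in known]


def in_time_frame(records: list[FileRecord], start: datetime, end: datetime) -> list[FileRecord]:
    """Time frame analysis: files modified within [start, end], oldest first."""
    return sorted((r for r in records if start <= r.mtime <= end), key=lambda r: r.mtime)


def build_sample_case() -> tuple[str, set[str]]:
    """Construct a small evidence tree plus the known-file hash set (all values made up)."""
    root = tempfile.mkdtemp(prefix="evidence_")
    os.makedirs(os.path.join(root, "Windows", "System32"))
    os.makedirs(os.path.join(root, "Users", "alice", "Documents"))
    files = [  # (relative path, content, mtime as UTC epoch seconds)
        ("Windows/System32/kernel32.dll", b"known system library", 1_600_000_000),
        ("Windows/System32/notepad.exe", b"known system binary", 1_600_000_000),
        ("Users/alice/Documents/plan.docx", b"user document", 1_700_000_100),
        ("Users/alice/Documents/notes.txt", b"more user data", 1_700_000_500),
        ("Users/alice/old.txt", b"stale file", 1_690_000_000),
    ]
    for rel, content, mtime in files:
        full = os.path.join(root, *rel.split("/"))
        with open(full, "wb") as f:
            f.write(content)
        os.utime(full, (mtime, mtime))
    # Hashes of the trusted OS files, as a reference hash library would supply them
    known = {hashlib.sha256(b"known system library").hexdigest(),
             hashlib.sha256(b"known system binary").hexdigest()}
    return root, known


def run_demo() -> list[str]:
    """Unknown files modified inside the (constructed) incident window, oldest first."""
    root, known = build_sample_case()
    unknown = reduce_known(extract_metadata(root), known)
    start = datetime.fromtimestamp(1_700_000_000, tz=timezone.utc)
    end = datetime.fromtimestamp(1_700_001_000, tz=timezone.utc)
    return [r.path for r in in_time_frame(unknown, start, end)]
```

Of the five files, the two OS files are eliminated by hash and the stale file falls outside the window, leaving only the two user documents to examine.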
Data hiding analysis uncovers data concealed on the medium and helps to detect and recover hidden data and to establish knowledge, intent and ownership of it. The techniques used in data hiding analysis include:

- Correlating file extensions with file headers to identify mismatches; a mismatch indicates an attempt to hide data.
- Steganography.
- The HPA (host protected area): the presence of data there supports the conclusion that there was an attempt to hide it, and gaining access to such areas uncovers these attempts.
- Accessing compressed and password-protected files.

Ownership and possession analysis establishes information such as who created a file and who accessed it. The file's dates and timestamps help to establish ownership, as do files stored in non-default locations and the file naming conventions used. Information about passwords, hidden data and so on helps to reveal attempts at concealment. (Carrier and Spafford, 2003)

4.0 Cyber Forensics Examination/Investigation Process

The cyber forensic investigation process consists of the following sub-processes or phases.

4.1 Preserving the Evidence

According to Locard's exchange principle, ". . . when two objects come into contact, a mutual exchange of matter will take place between them." Evidence is therefore left at a crime scene and must be preserved (Carrier and Spafford, 2003). In cyber forensics the crime scene includes the computer itself, from which the clues and evidence of a crime are to be recovered, and the investigator will meet obstacles here too. In a cyber-crime there are usually very few clues to begin the investigation with, and a transgression may have occurred without any obvious signs of a crime. (Stephenson, 2000) A digital forensic investigation must therefore be systematic, lawful and formalized.
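Added example for the two signature-based techniques of section 3.2 above, file carving from 3.2.2 and the header/extension correlation of the data hiding analysis in 3.2.3 (illustration code, not from the report or any tool it cites). The raw "unallocated space" buffer and the named files are constructed for the example, and the signature table covers only a handful of common types.

```python
"""File carving from unallocated space and header/extension correlation.
Both use the same signature table. The raw 'unallocated space' buffer and the
named files are constructed here; a real case reads a forensic image copy."""
from __future__ import annotations
import os
import zlib

# Leading magic bytes of common file types (header signatures)
SIGNATURES: dict[str, bytes] = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
    "gif": b"GIF8",
    "elf": b"\x7fELF",
}
# Extensions that legitimately carry each header (Office files are zip containers)
ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip", "jar": "zip"}
PNG_END = b"IEND" + b"\xae\x42\x60\x82"  # IEND chunk type followed by its fixed CRC


def detect_type(data: bytes) -> str | None:
    """Return the type implied by the header bytes, or None if unrecognized."""
    for kind, magic in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def carve_png(image: bytes) -> list[bytes]:
    """Physical extraction: recover PNG files from a raw buffer by header and footer.
    The file system is ignored; only the byte signatures are used. A header with
    no footer (truncated file) is skipped rather than guessed at."""
    found, pos = [], 0
    while True:
        start = image.find(SIGNATURES["png"], pos)
        if start < 0:
            break
        end = image.find(PNG_END, start)
        if end < 0:
            break
        found.append(image[start:end + len(PNG_END)])
        pos = end + len(PNG_END)
    return found


def extension_mismatches(files: dict[str, bytes]) -> list[tuple[str, str]]:
    """Data hiding analysis: files whose header does not match their extension.
    Returns (name, type implied by header) for each mismatch."""
    hits = []
    for name, data in files.items():
        ext = os.path.splitext(name)[1].lstrip(".").lower()
        ext = ALIASES.get(ext, ext)
        kind = detect_type(data)
        if kind is not None and kind != ext:
            hits.append((name, kind))
    return hits


def make_png(payload: bytes) -> bytes:
    """Build a PNG-shaped byte string: valid chunk layout, arbitrary IDAT payload."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return len(body).to_bytes(4, "big") + ctype + body + crc.to_bytes(4, "big")
    ihdr = (1).to_bytes(4, "big") + (1).to_bytes(4, "big") + b"\x08\x06\x00\x00\x00"
    return SIGNATURES["png"] + chunk(b"IHDR", ihdr) + chunk(b"IDAT", payload) + chunk(b"IEND", b"")


def sample_unallocated_space() -> bytes:
    """Two PNGs lying among filler bytes, as carving would encounter them (constructed)."""
    filler = bytes(range(256)) * 4
    return filler + make_png(b"first") + filler[:100] + make_png(b"second") + filler


def sample_files() -> dict[str, bytes]:
    """Constructed file set: one PNG renamed to .txt, one .docx that is really a PDF."""
    return {
        "holiday.jpg": SIGNATURES["jpg"] + b"\xe0" + bytes(64),
        "report.docx": SIGNATURES["zip"] + bytes(64),
        "readme.txt": make_png(b"hidden"),             # image disguised as text
        "invoice.docx": SIGNATURES["pdf"] + b"1.7\n",  # PDF disguised as Word file
        "notes.txt": b"plain text, no recognised header",
    }
```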
The admissibility of the evidence is essential, and the integrity of both the evidence and the investigation process must be maintained. The system preservation phase includes the following activities:

- Stabilizing the digital crime scene.
- Preventing data loss, that is, minimizing the chance of data being damaged or overwritten.
- Isolating the system (the digital crime scene) from the network.
- Collecting volatile data, which may be lost once the system is switched off.
- Identifying suspicious processes running on the system.

After the evidence has been collected from the crime scene it is transported to a safe and secure location, from which all further work with the evidence will draw its data. One common approach is to physically transfer the seized computer, the crime scene itself, to that location; another is to transfer the data there over a network. In either case it must be ensured that the evidence remains valid after transport and that its integrity is not affected. (Ó Ciardhuáin, 2004)

After transport to the secure location the evidence and data must be stored. As already noted, examination is in most cases carried out on a copied set of evidence, and the investigation may not start immediately, so the storage must preserve the integrity of the evidence. (Ó Ciardhuáin, 2004)

Cyber forensic evidence can be altered or damaged easily, and because digital evidence is highly interconnected, damage can propagate and affect all of the evidence. The integrity of the evidence must therefore be preserved at the following levels:

- The structure of the evidence
- The bit level or physical level
- The applications used to open or view the evidence
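Added example (not part of the original report) of the preservation activities described above: acquiring a working copy, hashing the original and the copy, recording each handling step in a chain-of-custody log, and re-verifying the copy before every examination session so that damage to the copy is caught rather than analyzed. The device contents, examiner names and times are constructed; the deliberately modified copy shows how an integrity failure surfaces.

```python
"""Evidence preservation: acquire a working copy, hash original and copy, keep a
chain-of-custody log, and re-verify the copy before analysis. The 'device' is a
constructed byte string; a real acquisition reads the medium behind a write
blocker and the hashes are recorded in the case file."""
from __future__ import annotations
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class CustodyEntry:
    when: datetime
    actor: str
    action: str
    sha256: str


@dataclass
class EvidenceItem:
    item_id: str
    original_sha256: str
    working_copy: bytearray
    custody: list[CustodyEntry] = field(default_factory=list)


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(item_id: str, device: bytes, actor: str, now: datetime) -> EvidenceItem:
    """Dead acquisition: duplicate the device, hash source and copy, and refuse the
    copy unless both hashes agree (a bad copy must never become the working set)."""
    source_hash = sha256_bytes(device)
    copy = bytearray(device)  # the duplicate that all analysis will run on
    if sha256_bytes(copy) != source_hash:
        raise RuntimeError("acquisition hash mismatch; discard the copy and re-image")
    item = EvidenceItem(item_id, source_hash, copy)
    item.custody.append(CustodyEntry(now, actor, "acquired image", source_hash))
    return item


def verify(item: EvidenceItem, actor: str, now: datetime) -> bool:
    """Re-hash the working copy before an examination session and log the outcome."""
    current = sha256_bytes(bytes(item.working_copy))
    ok = current == item.original_sha256
    action = "verified" if ok else "INTEGRITY FAILURE"
    item.custody.append(CustodyEntry(now, actor, action, current))
    return ok


def custody_report(item: EvidenceItem) -> list[str]:
    """Human-readable chain-of-custody lines for the presentation phase."""
    return [f"{e.when.isoformat()} {e.actor}: {e.action} sha256={e.sha256[:16]}..."
            for e in item.custody]


def run_demo() -> tuple[bool, bool, list[str]]:
    """Verify once untouched, then again after the copy has been modified."""
    t0 = datetime(2019, 12, 8, 9, 0, tzinfo=timezone.utc)
    device = b"\x00" * 512 + b"suspect document contents" + b"\xff" * 512  # constructed
    item = acquire("HDD-001", device, "examiner A", t0)
    first = verify(item, "examiner B", t0.replace(hour=10))
    item.working_copy[600] ^= 0x01  # one flipped bit, e.g. from careless live handling
    second = verify(item, "examiner B", t0.replace(hour=11))
    return first, second, custody_report(item)
```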
During the system preservation phase the users logged in to the system are treated as suspects and flagged, and the system's log files are copied before they are lost. If possible the entire environment is preserved; a complete backup image of the system can be created, which is an advantage over forensics in the physical world. In general the hard disks are the main evidence, but if the network is involved in the crime scene then the state of the network must also be preserved. There are various system preservation techniques:

- Dead acquisition, which assumes that processes have stopped once the system is switched off. Duplicate copies are then made, and write blockers may be used so that the evidence is not overwritten.
- Live acquisition, which may kill suspect processes, reconnect to the network, and keep the network log alive by connecting the system to a switch or hub. It may use network filters to prevent suspects from deleting data over remote connections.

The best practices for preserving evidence are:

- Make copies of important data.
- Keep the original in a safe and secure place.
- Do all analysis on the copied data sets.
- Use write blocking techniques.
- Minimize the number of new files created during live analysis.
- Open files carefully during live analysis, without modifying existing data.

4.2 Locating the Evidence

In this phase the investigator locates evidence in the preserved crime scene. The investigator has various options, and the following techniques may be used. Analysis of the computer registry can be carried out as either dead or live analysis; the data sets may be volatile or non-volatile, and a live analysis collects information from all of them. In the evidence searching phase, replica images of the digital crime scene are usually used.
Results may be repeated across multiple instances. When evidence is located on a live system, forensic images are taken. Field searching means booting the computer into a trusted environment and searching for evidence there. Network traffic analysis during live analysis examines the network traffic from the incident time frame and may rule out certain hosts and ports. If needed, the analysis can be extended to executable analysis, content encryption, data recovery and so on. In a nutshell, the process searches a collection of data for an object with particular characteristics. It starts from known locations such as web browser bookmarks and history files; in a Linux environment it may search for rootkits, intrusions, new accounts and the like. As the investigation proceeds, hypotheses are developed, and it is important to search for evidence that would refute each hypothesis.

4.3 Selecting the Evidence

Selection of evidence is the process of finding the meaningful pieces of information among the evidence located. An investigator can use various analysis processes to select the right evidence; file system analysis is one example. Other types of analysis are:

- Application analysis
- Database analysis
- Memory analysis
- Volume analysis
- Network analysis
- Swap space analysis
- Physical storage media analysis

File system analysis is an application-level analysis that examines a partition or data volume of a disk interpreted as a file system. Its results may include directory listings, recovered deleted files and displays of the file system's content. File system data falls into several categories, including the file system category, content category, metadata category and file name category.

4.4 Analyzing the Evidence

After the evidence has been selected it must be analyzed to extract the information it holds.
There are several mathematical methods, tools and techniques for analyzing digital evidence. Starting from the initial, larger information base, the information space must be reduced to the most meaningful and optimized one. That space includes the evidence itself (files and so on) and the metadata about those files. During the analysis phase investigators process far more information than the evidence and images alone, so great care must be taken when filtering the relevant data from this large information base. The process is iterative: filtering out the most important information, generating additional data for the case, and reducing the size of the overall information base. The shape of the information-investigation curve depends on the following factors:

- The investigator
- The selection and use of investigation tools
- The quality and type of data generated in each iteration

There are additional variable factors such as the forensic examiners, victims, offenders, secondary transfer, data rot and witnesses. The analysis processes include:

- Inferential analysis
- Associational analysis
- Social network analysis
- Network analysis
- and others

4.5 Validating the Evidence

Digital evidence is very fragile, so it must be validated to ensure its integrity. Because digital evidence differs from traditional evidence, the laws and rules for validating digital items differ somewhat too. The best practices for validating a computer are:

- To be on the safe side, and without loss of generality, assume that every computer has been modified to destroy evidence.
- Delay the investigation of a suspect computer until a backup of the entire system has been taken.
- Be aware of operating system issues on the victim computer.
- Typical storage areas such as databases and office suite files contain most of the evidence, but evidence may also be hidden in slack space, deleted files and so on.
Despite the use of technology in business processes, people generally do not trust computers. There are also security risks because computers sit at the intersection of the physical and logical worlds: the information on a computer is in digital form, but its users are human beings. In law there is the Daubert test, a pre-hearing test of the digital evidence in a case that checks its integrity and admissibility.

In the validation phase each piece of evidence is tested for validity and the assertions drawn from it are verified, ensuring that the evidence has not been altered or deleted by the user or by system processes. The security measures of the host computer are used to audit and monitor the integrity of the information on that system. The whole process is iterative: the examiner or investigator may need to revisit the crime scene, locate and select evidence, and then validate it. A series of prompts is used in candidate validation, including questions about the ability to link the computer to the suspect, the events of the crime, and the time frame in which the computer was used. Scrutiny for incompetence is carried out at different points in the investigation to validate the evidence. Prosecution cases become more complex as the digital domain and its challenges grow, and errors in any analysis method are a serious concern every time. The following factors influence the validation of digital evidence:

- Collection tools may be missing when critical digital evidence is analyzed.
- The prosecution or plaintiff may fail to report exculpatory data.
- There may be false or misleading evidence.
- More relevant evidence may fail to be identified.
(Cohen, 2006), (Palmer, 2002)

Standardization and more scrutiny are therefore needed, and a forensic readiness program can also help to some extent. (Rowlingson, 2004)

4.6 Presenting the Evidence

Presentation of the evidence in a human-understandable form, that is, documentation of the analysis and validation results, is the final and an important step. It allows the whole examination to be repeated if the court challenges the evidence. Crime scene reconstruction is part of presenting the evidence. Within the law and policies of the particular setting, the presentation phase presents all of the evidence and conclusions derived from the investigation. The audience varies with the type of case: in corporate cases the general counsel is the audience and corporate policies and privacy laws dictate the presentation, while in the usual legal setting the judge or jury is the audience, so validation of the evidence is required. The outcome of the examination determines the hypothesis constructed from the evidence, and the type of investigation determines how formal the presentation is. The hypothesis is intended for these audiences rather than for the investigators. Two types of testimony can be used at trial, and the investigator chooses the more suitable one: technical or scientific witness, and expert witness. The chain of custody and the timeline of its events help to uncover the crime and reach a conclusion, and chain-of-evidence methods are also used.

5.0 Importance of Crime Reconstruction Hypotheses and Alternative Hypotheses

The importance of crime reconstruction hypotheses and alternative hypotheses is as follows.

5.1 Crime Reconstruction Hypotheses (CRH)

Crime Reconstruction Hypotheses (CRH) are the result of observing the actions and then postulating the causes behind the result.
During this process a theory or hypothesis about the crime is formed and then tested extensively against all of the environmental evidence from the crime scene. If there is a contradiction between the theory and the evidence, the hypothesis is abandoned and a new one adopted. The process continues until a hypothesis is found that is coherent with the evidence.

5.2 Crime Reconstruction Alternative Hypotheses (CRAH)

With CRH alone the investigator may overlook new evidence, and the hypothesis may come to be seen as the only possibility, which can be misleading. To check hypotheses against a wider range of evidence, Crime Reconstruction Alternative Hypotheses (CRAH) can be used. CRAH uncovers several alternative hypotheses, covers evidence from different aspects of the crime scene, and gives a more conclusive result.

5.3 Importance of CRH and CRAH

Crime scene reconstruction helps to understand the circumstances and root of the crime and therefore supports better judgment. The reconstruction process also opens up new viewpoints on the crime scene and covers the different possibilities behind the crime.

6.0 Conclusion

This report has discussed cyber forensics in detail: the concept of cyber forensics, its principles, the details and phases of a cyber forensic examination, and the crime reconstruction process and its importance.

6.1 Self-reflection on Assignment 1

This assignment has helped in understanding and studying cyber forensics. The subject is vast and it was very difficult to put it down in this report. There are various aspects of cyber forensics, and the field is very dynamic. Other than technology there are applications of statistics, mathematics, forensic science and so on. The assignment has given an in-depth idea of the topic.

References

Albert J. Marcella, J. and Guillossou, F. (2012). Cyber Forensics. John Wiley & Sons.

Ashcroft, J. (2001). Electronic Crime Scene Investigation: A Guide for First Responders. Washington: U.S. Department of Justice.

Bejtlich, R. (2005). The Tao of Network Security Monitoring: Beyond Intrusion Detection. Boston: Addison-Wesley.

Berk, R. A. (1983). An introduction to sample selection bias in sociological data. American Sociological Review, 48, 386-398.

Burdach, M. (2006). Finding digital evidence in physical memory. Paper presented at the Black Hat Briefings, Arlington, Virginia.

Carrier, B. and Spafford, E. H. (2003). Getting physical with the digital investigation process. International Journal of Digital Evidence.

Caloyannides, M. A. (2004). Privacy Protection and Computer Forensics (2nd ed.). Boston: Artech House.

Carrier, B. (2005). File System Forensic Analysis. Upper Saddle River, New Jersey: Addison-Wesley.

Casey, E. (2004). Digital Evidence and Computer Crime. London: Academic Press.

Cohen, F. (2006). Challenges to digital forensic evidence. Retrieved February 8, 2015, from https://all.net/Talks/CyberCrimeSummit06.pdf

Enfinger, F., Nelson, B., Phillips, A. and Steuart, C. (2006). Guide to Computer Forensics and Investigations (2nd ed.). Boston, Massachusetts: Course Technology.

Jones, K. J., Bejtlich, R. and Rose, C. W. (2006). Real Digital Forensics: Computer Security and Incident Response. Upper Saddle River, New Jersey: Addison-Wesley.

Kruse, W. and Heiser, J. (2002). Computer Forensics. Boston: Addison-Wesley.

Leiwo, J. (1999). Observations on information security crisis. Bangkok: King Mongkut's Institute of Technology.

Mocas, S. (2004). Building theoretical underpinnings for digital forensics research. Digital Investigation, 1(1), 61-68.

Ó Ciardhuáin, S. (2004). An extended model of cybercrime investigations. International Journal of Digital Evidence.

Palmer, G. L. (2002). Forensic analysis in the digital world. International Journal of Digital Evidence, 1(1).

Rowlingson, R. (2004). A ten step process for forensic readiness. International Journal of Digital Evidence, 2(3).

Stephenson, P. (2000). Investigating Computer-Related Crime. Boca Raton: CRC Press.

Yadav, S. (2011). Analysis of digital forensic and investigation. VSRD International Journal of CS & IT, 1(3).
