The term “Digital Forensics”: forensics as a science for investigating things has been around for decades (think DNA forensics or fingerprint forensics), and since we have entered the era of electronic (digital) technology, we have Digital Forensics (DF). DF encompasses the entire cyberspace. The subject could be software (a web application, a database, malware) or hardware: a storage device (hard disk, USB) or a network device (router, switch). This leads us to the various sub-branches DF has.
Scope of Digital Forensics
1) Disk Forensics (Hard Disk Drives, Solid State Drives, CDs, DVDs, USB)
2) Operating System Forensics
3) Network Forensics
4) Web Application Attacks Forensics
5) Database Forensics
6) Cloud Forensics
7) Malware Forensics
8) Email Forensics
9) Internet History Forensics
10) Mobile Forensics
Digital Forensic Investigation Process
Every investigation demands a process, here a forensically sound process. The forensic process needs to be followed carefully in order to keep your evidence admissible.
Evidence is anything (data, a disk, a pen drive, a mobile phone) you pick up from the crime or investigation scene that could prove something in favor of or against the suspect.
There are a few norms which mark evidence admissible or inadmissible; these mainly have to do with the integrity of the evidence. In simple terms: has the evidence ever been tampered with, accidentally or purposefully, by anyone throughout the investigation, right from the moment it was acquired?
Now, how do we get to know whether it has been tampered with or not? Who all had custody of the evidence? How do we keep an eye on the entire process?
For this, we have a document called the *Chain-of-Custody form (very important, let’s say imperative). This document is first filled in and signed right when anything is seized/acquired from the crime scene; after that, whatever trajectory the evidence follows is noted in it, along with the signature of the concerned authority/personnel confirming custodianship/handling of the evidence.
Once all the analysis has been done and the end result is out (the verdict from the court or the judgment from the authorities), what happens next with the evidence is also noted in this form, e.g. whether the evidence was destroyed or returned to the owner.
Types of Investigation
1) Criminal Investigation
A Criminal Investigation is where some sort of cyber crime took place (here, I would encourage you to go through the different types of cyber crimes if you don’t know them already; it is always good to know, so that you don’t commit a cybercrime unknowingly, like, Stalking?!).
> Goes to Court.
2) Civil Investigation
A Civil Investigation is where the offense is not of a criminal nature and is governed by civil legal matters, like claiming damages.
> Goes to court or else a settlement between the two parties can work.
3) Administrative investigation
An administrative investigation is done within an organization if management suspects an employee of stealing or trading information.
> Mainly settled within the organization.
Digital Forensic Process
The process here lays out the steps you should follow during the complete investigation. Following the correct process makes your investigation foolproof, avoiding all objections.
The 6A’s / 6R’s Forensic Process
1) Assessment / Requirement Analysis
This phase requires you to identify the pieces of evidence that should be considered for the investigation. We also need to determine the amount of data to be taken from the suspect’s system (HDD/RAM) and the scope of that data.
Legally, before beginning an investigation, we need a warrant, a warrant for Search and Seizure, in which we need to specify the “scope of the search”. Example: if you say we need to search for graphics files (.jpg, .png), then searching anything other than image files, like .doc or .pdf files, goes out of scope. This approach of strictly specifying the scope is not recommended; we may lose a great deal of evidence. What if the offender had embedded a graphics file into a text file using steganography? It is better to loosely specify your scope, a “brief perusal”, looking everywhere within the system quickly. Just like the physical investigation of a suspect’s room, officers look around the room leaving no drawer unopened. In this phase, we also protect and preserve the data from tampering and establish the Chain-of-Custody.
2) Acquisition/ Retrieval of data
In this phase, we actually pick up our evidence. For picking up evidence you could either seize hardware like a mobile device or HDD (for static analysis) or pick up data then and there from the running system (live analysis). For acquisition, primarily imaging is done, sometimes cloning too.
From imaging and cloning we get the same data, but they are two different things. Imaging is when we make a bit-by-bit duplicate of the source media (the media could be any HDD/USB) and that duplicate is a file (.E01, .dd). Cloning is when that bit-by-bit image is duplicated onto a drive of equal capacity (this drive needs to be new or forensically sanitized). Different tools (FTK, EnCase) can be used to accomplish this; all that is needed is that forensically proven tools are used. For imaging/cloning, we need to identify the source media and the destination media. The source media will be the suspect’s, and the destination media will be the one the investigator uses to store the data collected.
3) Authentication / Reliability of Data
Tampering with digital data, addition or deletion, is not a tough task and can be done on the go, which means that if the data gets tampered with, we may never find the evidence; somebody could easily fool us. To keep this in check, we need a mechanism to authenticate that the data has not changed even a bit since acquisition. Hashing lets us accomplish this.
Hashing means creating a hash value over a given input. This input, which could be a file or a whole drive, is fed to an algorithm (MD5, SHA-1, SHA-2), and the output is a hash value, an alphanumeric string. We have tools, online and offline, which take our input, run the algorithm over it and give out the hash value.
What is so special about Hashing?
1) The hash value cannot be the same for two different inputs (but there is a catch!)
2) Hashing is irreversible: we cannot trace the input from the output, i.e. from a given hash value you should not be able to determine its input.
3) The output of hashing, the hash value, is of fixed length (which differs between algorithms, e.g. an MD5 hash value is 128 bits), whereas the input can be of variable length, e.g. a file of 80 KB or 10 MB.
To check authenticity, we create a hash of the original data before imaging it, and once the image is created we immediately compute the hash of the image. These two hash values are compared: there has to be a match if the image is an exact duplicate; if not, something went wrong while imaging and the data is now unreliable.
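The imaging-then-verify workflow above, as an added Python example that is not part of the original post: it makes a bit-by-bit copy of a constructed sample “drive” (random bytes in a temp directory, file names made up), records the acquisition hash, re-hashes the written image, and then shows that flipping a single bit in the image makes verification fail. It also shows the fixed-length property: MD5 always yields 32 hex characters, i.e. 128 bits, whatever the input size.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 64 * 1024  # read the source in fixed-size chunks, as an imager does


def hash_file(path, algorithm="sha256"):
    # Stream the file so that a multi-terabyte image never has to fit in memory
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def image_media(source, image, algorithm="sha256"):
    # Bit-by-bit copy of the source into an image file. The acquisition hash is
    # taken from the bytes as read; the written image is then hashed again.
    h_src = hashlib.new(algorithm)
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK_SIZE), b""):
            h_src.update(chunk)
            dst.write(chunk)
    return h_src.hexdigest(), hash_file(image, algorithm)


def verify_image(acquisition_hash, image, algorithm="sha256"):
    # Re-hash the image and compare with the hash recorded at acquisition time
    return hash_file(image, algorithm) == acquisition_hash


def demo():
    # Constructed sample: a fake "suspect drive" of random bytes (not a real disk)
    tmp = tempfile.mkdtemp()
    drive, image = os.path.join(tmp, "drive.bin"), os.path.join(tmp, "drive.dd")
    with open(drive, "wb") as f:
        f.write(os.urandom(3 * BLOCK_SIZE + 123))  # odd size: last chunk is partial
    acq_hash, img_hash = image_media(drive, image)
    intact = verify_image(acq_hash, image)
    # Flip one bit of one byte in the image: verification must now fail
    with open(image, "r+b") as f:
        f.seek(BLOCK_SIZE + 7)
        byte = f.read(1)[0]
        f.seek(BLOCK_SIZE + 7)
        f.write(bytes([byte ^ 0x01]))
    return {"hashes_match": acq_hash == img_hash, "intact": intact,
            "tampered_verifies": verify_image(acq_hash, image),
            "md5_hex_len": len(hash_file(image, "md5"))}  # 32 hex chars = 128 bits
```

In a real acquisition the acquisition hash is written on the chain-of-custody form at seizure time, and every later analyst re-runs the verification step before working on the image.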
4) Analysis / Review of Evidence
Once we have reliable data, the next step is to find the evidentiary data within the media acquired. For analysis, tools like FTK and EnCase are used and a thorough analysis is done, looking for any possible clue. The data can come from different platforms, though a few things remain the same: recovering deleted files and knowledge of different operating systems and file systems are needed.
5) Articulation / Representation of Evidence
All the pieces of evidence extracted and the analysis done have to be put into a report. This report has to be written in a way that even a non-technical person, like advocates and judges, can understand. Thus, the report has to be articulate.
6) Archival / Repository of Data
After completion of the investigation, the case files and the important case-related data are archived or stored in case the case is ever re-opened in future.
*The chain of custody form discussed above can be seen at https://www.nist.gov/document/sample-chain-custody-formdocx