Computer Forensics
Introduction
Computer forensics, also called computer forensic science, is a branch of digital forensic science concerned with identifying, preserving, extracting, interpreting and documenting evidence found on computers, their constituent systems and digital storage media. The field has many facets and a broad definition, so no single procedural definition has been agreed on. In essence it involves analysing data held on, or produced by, a computer in order to establish how and when something happened and who was responsible.
Computer forensics is mainly associated with the investigation of computer crime, but it is also applied in civil proceedings. It draws largely on the principles and techniques of data recovery, together with practices and guidelines that create an audit trail and establish the legal standing of what is found. Computer forensic evidence is generally subject to the same guidelines that apply to any other form of digital evidence.
Digital evidence recovered from computers has been used in a number of high-profile cases and has gained wide acceptance as a reliable form of evidence, particularly in European and American courts (Baggili, 2011). This paper focuses on the computer forensic investigation process and the tools it uses. The development of the field over time is reviewed in the literature review, and the paper concludes with current trends and the developments expected in the future. A computer forensic investigation consists of the basic activities mentioned above: identifying, preserving, extracting, interpreting and documenting evidence from computers, their constituent systems and digital storage.
The process begins with a discussion of an imminent, present or suspected matter of concern with an expert in the field. This is followed by the collection of all electronic information that can be obtained from the computer. Once the information has been collected, the concerns or violations at issue are identified. Throughout the process, and especially after analysis, strong measures must be in place to protect the data. Finally, the verifiable and qualified evidence is confirmed and a report is written, including the examiner's comments. Although these steps are not governed by legislation, an investigation should follow this loosely defined protocol of the field (Baggili, 2011).
Literature Review
In the early and mid 1980s the use of personal computers rose as they became more affordable and accessible, and computer-related crime rose with it. More people began using personal computers to plan or commit crimes, for example to support fraud. New computer-based offences were also identified during this period, such as unauthorised access to computer systems, networks and other people's computers, commonly known as hacking. As computer-related crime increased, a need developed for the expert recovery, collection and analysis of digital evidence from computers for use in court, and this need led to the development of computer forensics as a profession and field of study. The field has since advanced considerably and is now used to investigate many types of crime, including cyber-stalking, child pornography, fraud, rape and even murder. It also serves civil proceedings as a means of gathering information. Expert knowledge and techniques in the field are applied to explain the current state of a digital artifact, such as electronic documents (images and e-mails, for example), storage media (CDs, flash drives or hard disks) and computer systems.
Forensic analysis has a very wide scope and can range from simple data retrieval to the reconstruction of a sequence of events. In their book Computer Forensics, Kruse and Heiser define the field as the identification, preservation, retrieval, analysis and documentation of computer information for use in investigations and in support of legal proceedings (Kruse & Heiser, 2002). They describe the field as more of an art than a science, because forensic techniques draw on an extensive and flexible body of knowledge.
In the early days, investigations were performed on live data in running ("live") systems, because no specialised tools existed for examining static data. Today investigations are normally carried out on acquired images rather than on live systems, and they follow a standardised digital investigation process of acquisition, analysis and reporting. Computer forensic analysis deals with three types of data: active, archival and latent. Active data is information that can readily be seen, including programs, data files and the other files used by the computer's operating system.
This is the simplest data to obtain. Archival data is data that has been stored as a backup, on media such as floppy disks, CDs, hard drives and backup tapes, either inside or outside the computer system. Latent data, on the other hand, is not easily obtainable, and the forensic expert may need specialised forensic tools to recover it; examples are data that has been deleted or partially overwritten. Recovering latent data is one of the most costly and time-consuming exercises in computer forensics. These types of data can also be classified into two broad categories, persistent and volatile.
Volatile data is data that is lost when the computer is shut down; it may be in transit or held in random access memory (RAM), and it resides in CPU caches, registers and RAM. Persistent data, on the other hand, is stored on the computer's hard drive or on another medium such as a CD or flash drive. Acquiring data is the basic concern of computer forensics, but the data must be acquired in a systematic way that preserves its validity. The second and most important task of the computer forensic expert is then to link the data to the person responsible and to show that the party involved breached a usage policy or committed a crime that may lead to prosecution (Kruse & Heiser, 2002).
The process and steps involved in a forensic analysis
Forensic examinations should always be reserved for forensic analysts who can carry out a certified process of computer forensic analysis. The equipment, tools and procedures used should also be certified so that they meet the standards of validation required of computer forensic evidence. The recommended steps are listed below.
Firstly, custody of all material required for the investigation should be established and the material kept under safe protection to prevent any malicious or accidental alteration.
Secondly, all information, whether latent, archival or active, should be catalogued. Deleted material should be recovered as far as possible. This should be followed by identification of all encrypted and password-protected information, and of any sign of an attempt to obfuscate or hide data. The original source of the information should not be changed and should be kept in its initial state as far as possible; this is most easily achieved by working from an image. Any image should be authenticated against the original by means such as hashing (Baggili, 2011).
Thirdly, additional information can be obtained as the situation dictates, such as Kerberos server logs, firewall logs, sign-in sheets and proxy server logs.
Thereafter, the gathered information is analysed and interpreted to determine which pieces may be evidence. All inculpatory and exculpatory information and evidence found should be included in the documentation, and password-protected and encrypted files should be cracked or otherwise decrypted.
Once all information has been gathered, analysed and interpreted, the analyst should prepare a report for the client. The report should state the findings with professional precision, with comments supported by the evidence behind them. If required, the forensic investigator should be available to give expert testimony at trial, in depositions or in other legal proceedings.
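The custody, imaging and hash-authentication steps above can be tied together in a small acquisition routine. The following Python example is added here to illustrate those steps; it is not code from the paper or from any forensic product. The "evidence drive" is a constructed byte string written to a temporary file, and the examiner name and case number are made-up placeholders.

```python
"""Imaging a source medium, verifying the image by hash, and recording custody.

Added example, not code from the paper: the "device" is a constructed byte
string written to a temporary file, and the examiner name and case number are
made-up placeholders."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 16  # stream in 64 KiB pieces so large media never sit in memory


def sha256_file(path):
    """Hash a file by streaming it; run independently on source and image."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image):
    """Copy source to image byte for byte, hashing the bytes as they are read.

    The source is opened read-only; in real work a write blocker also sits in
    front of the evidence drive. Returns the hash of exactly what was read."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    return h.hexdigest()


def verify_image(image, expected_sha256):
    """Re-verify an image later, e.g. before each examination session."""
    return sha256_file(image) == expected_sha256


def acquire_with_custody(source, image, examiner, case_id):
    """Acquire the image and produce a chain-of-custody record as a dict.

    The image is accepted only if three independent digests agree: the bytes
    streamed during the copy, the source re-read afterwards, and the image."""
    streamed = acquire_image(source, image)
    record = {
        "case_id": case_id,
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "source": os.path.basename(source),
        "image": os.path.basename(image),
        "stream_sha256": streamed,
        "source_sha256": sha256_file(source),
        "image_sha256": sha256_file(image),
    }
    record["verified"] = (record["source_sha256"] == record["image_sha256"] == streamed)
    return record


def demo():
    """Run the workflow on a constructed 1 MiB 'disk', then tamper with the image."""
    disk = bytearray(1 << 20)                     # all zeros ...
    disk[4096:4096 + 13] = b"deleted memo\n"      # ... with a recognisable fragment
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "evidence.raw")
        image = os.path.join(tmp, "evidence.dd")
        with open(source, "wb") as f:
            f.write(disk)
        record = acquire_with_custody(source, image, "Examiner A", "CASE-0001")
        with open(os.path.join(tmp, "custody.json"), "w") as f:
            json.dump(record, f, indent=2)        # the record travels with the image
        # Simulate accidental contamination: one byte of the image changes.
        with open(image, "r+b") as f:
            f.seek(500_000)
            f.write(b"\x01")
        tamper_detected = not verify_image(image, record["image_sha256"])
    return record, tamper_detected


if __name__ == "__main__":
    rec, caught = demo()
    print(json.dumps(rec, indent=2))
    print("tamper detected:", caught)
```

The three-way comparison is the point: the digest computed while streaming proves what was copied, the re-read of the source proves the original was not changed by the copy, and the digest of the image is the value that is re-checked before every later session, which is how the one-byte contamination in the demo is caught.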
Techniques used in forensic investigations
Various techniques are applied in computer forensics, including live analysis, cross-drive analysis and the analysis of deleted files. Live analysis examines a computer from within its running operating system, using existing system administration tools or custom forensic tools to find and retrieve evidence. The technique is useful where encrypting file systems are in use: the encryption keys can be collected and the logical volume imaged while the system is running, before the computer is shut down. Live analysis allows evidence to be seized from a machine while it is still in use.
This matters because a machine loses the contents of its random access memory (RAM) once it is shut down. Live tools can capture RAM data; an example is Microsoft's COFEE (Computer Online Forensic Evidence Extractor) toolkit. Cross-drive analysis correlates information found on multiple drives; the approach is still under research and is used to identify social networks and anomalies (Vacca, 2005). Recovery of deleted material is a routine part of forensics, and current forensic software can recover or carve out deleted data. Most operating systems and file systems do not erase the underlying data when a file is deleted; they only mark the space as free, so the data can be reconstructed from the disk sectors. File carving searches the disk image for known file headers (and, where the format has one, footers) and reconstructs the files from the bytes between them.
RAM can also be examined after power loss, because the charge stored in memory cells does not dissipate instantly. The residual data decays more slowly at lower temperatures, so chilling unpowered RAM to well below freezing (of the order of minus 60 Celsius) preserves it and allows better recovery. This is rarely practical in the field. Digital fingerprinting by hashing is another important technique, used especially to determine whether two copies of data that are supposed to be identical actually are (Vacca, 2005). A hash function takes a sequence of bits of any length and produces a fixed-length value. With a cryptographic hash such as SHA-256, identical inputs always produce the same value, while any change to the input, even a single bit, produces a completely different value. Matching hashes therefore establish integrity and differing hashes show that the data has been altered; the degree of difference between two hash values says nothing about how similar the inputs are, and measuring similarity between files requires a separate class of similarity-preserving (fuzzy) hashing tools such as ssdeep.
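The header/footer carving described above can be shown on a small scale. The following Python carver is an added example; it is not code from the paper and is not taken from a carving tool such as Scalpel or PhotoRec, although it works on the same principle. The disk image is constructed here: a JPEG and a PNG sit in unallocated space with no file system metadata pointing to them, plus a JPEG whose tail (and footer) has been overwritten, which is the case a carver must handle without a footer.

```python
"""Header/footer file carving over a raw disk image.

Added example, not code from the paper and not taken from any carving tool.
The disk image is constructed here: a JPEG and a PNG sit in unallocated space
(no file system metadata points to them), plus a JPEG whose tail was overwritten."""
import os
import tempfile

# (header, footer, maximum size to carve when no footer is found)
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9", 2 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 8 * 1024 * 1024),
}

# Constructed sample files. Payload bytes avoid 0xFF so no false footer appears.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF" + bytes(range(1, 0xD0)) * 4 + b"\xff\xd9"
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR"
              + bytes(range(0x20, 0x7F)) * 3 + b"IEND\xaeB`\x82")
SAMPLE_TRUNCATED_JPEG = b"\xff\xd8\xff\xe1" + b"\x11" * 200   # footer overwritten

IMAGE_SIZE = 0x10000


def build_sample_image():
    """Return a 64 KiB image with the three files at fixed offsets."""
    image = bytearray(IMAGE_SIZE)
    for offset, blob in ((0x1000, SAMPLE_JPEG), (0x5000, SAMPLE_PNG),
                         (0xF000, SAMPLE_TRUNCATED_JPEG)):
        image[offset:offset + len(blob)] = blob
    return bytes(image)


def carve(image):
    """Scan for every known header and carve up to the matching footer.

    Returns a list of dicts sorted by offset: type, offset, length, complete
    (True when the footer was found) and the carved bytes."""
    found = []
    for kind, (header, footer, max_len) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            limit = min(pos + max_len, len(image))
            end = image.find(footer, pos + len(header), limit)
            if end != -1:
                length, complete = end + len(footer) - pos, True
            else:
                length, complete = limit - pos, False   # carve the maximum and flag it
            found.append({"type": kind, "offset": pos, "length": length,
                          "complete": complete, "data": image[pos:pos + length]})
            pos = image.find(header, pos + length)      # resume after this file
    return sorted(found, key=lambda f: f["offset"])


def write_carved(files, outdir):
    """Write each carved object as <offset>.<type>; returns the paths written."""
    paths = []
    for f in files:
        path = os.path.join(outdir, f"{f['offset']:08x}.{f['type']}")
        with open(path, "wb") as out:
            out.write(f["data"])
        paths.append(path)
    return paths


if __name__ == "__main__":
    carved = carve(build_sample_image())
    for f in carved:
        status = "complete" if f["complete"] else "footer missing, carved to limit"
        print(f"{f['type']:5} at 0x{f['offset']:06x}, {f['length']} bytes ({status})")
    with tempfile.TemporaryDirectory() as tmp:
        print(write_carved(carved, tmp))
```

Carved objects whose footer was not found are still returned, marked incomplete, because a partially overwritten image is often still viewable; the examiner decides whether to keep them. A real carver adds format-aware validation so that a chance 0xFFD8FF inside unrelated data is not reported as a JPEG.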
Computer Forensics Tools
In the early days of computer forensics most investigations were live analyses, carried out on the computer without the help of specialised tools. From the 1990s onward a number of free and commercial tools were developed to support investigations. They include both software and hardware, and they are designed so that data can be gathered and analysed without modifying the media.
The first tool makers focused on computers, but more recently similar tools have been developed for mobile telephones as that industry merges with the computer world. A comprehensive investigation requires tools that let the examiner view files that are not readily visible in the system: files that have been deleted, hidden or encrypted, or data stored in unallocated space or file "slack" (Baggili, 2011). Further tools may be needed for other forensic tasks such as decryption, imaging, documentation and searching. These tools are necessary for accurate and reliable analysis of digital storage media.
There is a wide range of tools, each performing tasks specific to its purpose, and many are dedicated to a single task within the forensic process. They include drive imaging tools, data analysis tools, remote agent and control suites, report generation tools and data manipulation tools. Drive imaging tools are used to create a clean forensic image of a computer's disk before any examination begins, so that a snapshot of the machine's state is saved before further investigation.
A good image also lets the investigator restore the disk image if they believe they have contaminated the acquired data during the investigation. Imaging produces an exact, bit-for-bit copy of the information held on a storage medium; the copy protects the original and leaves it available for review after analysis. EnCase is one example of a commercial forensic software tool: it can acquire data from many types of storage media, including floppy disks, Zip drives and hard drives, and it is valued by forensic experts because it images these different media without adaptation.
Other tools serve the same purpose, such as the Vogon forensic software, which can index the contents of a drive efficiently and so allows very fast searching. Remote agent and control suites consist of forensic software in two parts. The first is a remote control centre used by forensic experts to analyse and monitor personal computers from a remote location; the examiner can set triggers or alarms that generate messages when a given event occurs, such as unusually heavy use of a network interface. Monitoring of a remote computer can take place in real time through the second part, an agent.
The agent is a lightweight client installed on each server or personal computer to support the control centre's monitoring of that machine (Cromwell, 2011), and it allows the centre to capture data in real time. There are also non-remote ways to monitor activity on a computer for forensic purposes, such as key-loggers: software that runs stealthily in the background while the user works, recording every keystroke or taking screenshots, and storing the results for later retrieval and analysis. Such tools can be regarded as a proactive measure against computer crime, and their recordings can later be produced as evidence. Advanced key-loggers can also relay their recordings over the network from the monitored machine to a collection server.
Data analysis tools are used to examine data that has already been acquired, typically disk images created earlier. This software allows all of the data in a disk image to be analysed in various ways, through file system access or by examining the content bit by bit. The mere awareness that a key-logger or similar monitoring tool exists can deter computer crime, since users who know their activities are recorded are less likely to misuse a computer or commit a crime with it. Over time, software developers have also built forensically useful tools and features into common operating systems such as Windows. One example is netstat, a command-line tool included with Windows, which lists the network connections and listening ports present at the moment it is run and, with the -o option, the process that owns each of them. Netstat does not keep a history of past connections, so an investigator who suspects an unauthorised connection must capture its output while the connection is active, or rely on logging configured in advance (Cromwell, 2011).
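Because netstat only reports what is connected at the moment it runs, a live-response examiner typically captures its output to a file and triages it afterwards. The following Python triage script is an added example, not code from the paper: the netstat -ano output is constructed to look like the Windows format (the addresses, ports and PIDs are invented), and the lists of "internal" networks and "expected" ports are example policy that an examiner would replace with the organisation's own.

```python
"""Parsing Windows 'netstat -ano' output and flagging established connections
to addresses outside the organisation.

Added example, not from the paper. The output below is constructed to look
like netstat -ano on Windows; addresses, ports and PIDs are invented, and the
INTERNAL networks and EXPECTED_PORTS are example policy."""
import ipaddress

SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    192.168.1.10:49712     203.0.113.45:4444      ESTABLISHED     3120
  TCP    192.168.1.10:49800     172.217.16.142:443     ESTABLISHED     2208
  TCP    192.168.1.10:49812     192.168.1.20:445       ESTABLISHED     4
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5353           *:*                                    1560
"""

INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fe80::/10", "fc00::/7")]
EXPECTED_PORTS = {25, 53, 80, 443, 445, 587, 993}   # example policy, not universal


def split_endpoint(text):
    """'1.2.3.4:443' -> ('1.2.3.4', 443); '[::]:0' -> ('::', 0); '*:*' -> (None, None)."""
    host, _, port = text.rpartition(":")
    if host in ("", "*") or port == "*":
        return None, None
    return host.strip("[]"), int(port)


def parse_netstat(output):
    """Return one dict per connection line; UDP lines carry no state column."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue              # skip the banner and the column header
        proto, local, remote = parts[0], parts[1], parts[2]
        state = parts[3] if proto == "TCP" else ""
        pid = int(parts[-1])      # PID is always the last column with -o
        rows.append({"proto": proto, "local": split_endpoint(local),
                     "remote": split_endpoint(remote), "state": state, "pid": pid})
    return rows


def is_internal(host):
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in INTERNAL)


def flag_external(rows):
    """Established connections whose peer lies outside INTERNAL, with reasons."""
    findings = []
    for row in rows:
        host, port = row["remote"]
        if row["state"] != "ESTABLISHED" or host is None or is_internal(host):
            continue
        reasons = ["external address"]
        if port not in EXPECTED_PORTS:
            reasons.append(f"uncommon port {port}")
        findings.append({"pid": row["pid"], "remote": f"{host}:{port}", "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in flag_external(parse_netstat(SAMPLE_NETSTAT)):
        print(f"PID {finding['pid']:>5} -> {finding['remote']:<22} {', '.join(finding['reasons'])}")
```

The PID column is what makes the output forensically useful: it lets the examiner tie a flagged connection to a process captured with tasklist or a memory image taken in the same session, which is why netstat should be run with -o during live response rather than without it.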
Hashing tools form another important category of computer forensic tool (Maresware is one commercial example). They are used to verify the integrity of information held on a computer. Businesses such as banks need to validate that particular transactions occurred by authenticating the details of a transaction record, such as its time and date, and software companies need to establish whether installed software was really installed on the stated date and time. Hashing offers a very efficient way to verify a sequence of data bits and its integrity; it is used to show that the sequence has not been altered, inadvertently or otherwise. The sequence may be a directory, a file, a character string or a message representing some data stored on the computer.
The word "hash" originally means to chop into small pieces. A hashing tool applies one or more mathematical functions that take the sequence of input bits and produce a fixed-length output code. If two files are identical, their bit patterns hash to the same code under the same algorithm, so matching hash values show, with very high probability, that the file being checked has not been altered. If the hash values differ, the file has certainly been altered and the two do not match. With a cryptographic hash such as MD5 or SHA-256 even a one-bit change produces a completely different value, so the hash values of a file and a slightly modified copy look nothing alike; the degree of difference between two hash values is not a measure of how similar the files are. Hash values thus provide a "digital fingerprint" of a document that establishes its integrity (Cromwell, 2011).
Debuggers are also important tools in computer forensic analysis. They are used mainly to analyse unknown or malicious binaries, by reverse engineering an executable to determine its purpose. Anti-virus developers have long used debuggers in their work, and debuggers have also gained ground in home and corporate security. With a debugger the analyst controls execution of the binary and can see which instructions are being executed.
Used for malware analysis, this lets the analyst stop a malicious binary before it does harm to the computer. Write blockers are another important forensic tool: they allow information to be acquired from a drive while eliminating the chance of accidentally altering its contents during the analysis. Write blockers work by filtering commands, passing read commands through to the drive while blocking write commands, hence the name. SAFE Block XP is one example of a commercial write blocker used in computer forensics.
Steganalysis tools are also important in computer forensics. Steganography is the technique of hiding information in seemingly harmless carriers, such as JPEG or GIF image files, where it goes undetected unless the content of the file is analysed; steganalysis is the detection of such hidden content, and steganalysis tools mostly use statistical analysis to detect the alterations that embedding leaves in a message or file. Image and audio files are the most common carriers of hidden messages, which may pose a threat or conceal criminal activity (Gary, 2010).
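Two consequences of the all-or-nothing behaviour of cryptographic hashes are worth seeing in code: a one-bit change flips roughly half the bits of the digest, and a single whole-disk hash therefore cannot say where a mismatch came from, which is why forensic tools also hash an image in fixed-size pieces (the idea behind md5deep's piecewise mode). The following Python example is added here and is not code from the paper or from any of the tools named; the "disk image" is a constructed 64 KiB byte string, and the block size and altered offset are arbitrary choices.

```python
"""Why hash values are all-or-nothing, and how piecewise hashing localises a change.

Added example, not from the paper. The 'disk image' is a constructed 64 KiB
byte string; the block size and the altered offset are arbitrary choices."""
import hashlib

BLOCK_SIZE = 4096


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def differing_bits(hex_a, hex_b):
    """Hamming distance between two equal-length hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def piecewise_hashes(data, block_size=BLOCK_SIZE):
    """Hash each fixed-size block separately, as piecewise hashing tools do."""
    return [sha256_hex(data[i:i + block_size]) for i in range(0, len(data), block_size)]


def changed_blocks(reference_hashes, data, block_size=BLOCK_SIZE):
    """Indexes of blocks whose current hash differs from the reference list."""
    current = piecewise_hashes(data, block_size)
    return [i for i, (ref, cur) in enumerate(zip(reference_hashes, current)) if ref != cur]


def demo():
    """Flip one bit in a constructed image and compare whole vs piecewise hashes."""
    original = bytes(range(256)) * 256            # constructed 64 KiB image
    altered = bytearray(original)
    altered[20000] ^= 0x01                        # a single-bit change
    altered = bytes(altered)
    whole_original = sha256_hex(original)
    whole_altered = sha256_hex(altered)
    return {
        "whole_match": whole_original == whole_altered,
        "bits_changed_in_digest": differing_bits(whole_original, whole_altered),
        "changed_blocks": changed_blocks(piecewise_hashes(original), altered),
        "block_size": BLOCK_SIZE,
    }


if __name__ == "__main__":
    result = demo()
    print("whole-image hash matches:", result["whole_match"])
    print("digest bits that changed: ", result["bits_changed_in_digest"], "of 256")
    print("blocks that changed:      ", result["changed_blocks"],
          f"(offset {result['changed_blocks'][0] * result['block_size']} onward)")
```

The whole-image digest differs in about 128 of its 256 bits, whatever the size of the change, which is the avalanche property that makes a hash useless as a similarity measure. The piecewise list, stored alongside the image at acquisition time, narrows a later mismatch to one 4 KiB block, so the examiner can tell a single damaged sector from a wholesale substitution.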
Computer Forensics Legal Aspects
Computer forensic investigators and network administrators need to be aware of the legal implications of computer forensics for two reasons: to ensure that their work is valid in the eyes of the legal system, and to make sure they do not end up on the wrong side of the law themselves. They therefore need to evaluate their technical actions and policies against the existing law. For example, a forensic expert should obtain legal authorisation before collecting any information, and the use of monitoring tools such as key-loggers can breach other people's rights and lead to legal action. The field is relatively young, and the laws governing it are not yet clearly defined; it currently operates within an existing framework that only loosely covers its activities. Much of this law is still in flux, and more comprehensive legislation is expected in future.
New rulings and laws affecting computer forensics are issued constantly, so any investigator has to stay abreast of the changes. One way is to follow the postings on the U.S. Department of Justice cybercrime site, which reports recent rulings on computer crime in the United States and guides investigators on how to present and introduce computer-based evidence in court in accordance with the appropriate standards. The most important requirement is to collect evidence through proper channels so that it remains admissible. Computer security laws continue to be implemented, so organisations must first ensure that they meet the compliance standards these laws require for safety, information protection, privacy and confidentiality. Adding computer forensic capability to an organisation's security arsenal can improve its compliance with data protection and security policies, and so help it avoid lawsuits brought on such grounds after a loss of information.
The most relevant laws for computer forensics include the Fourth Amendment, which governs search and seizure, and the Fifth Amendment, which protects individuals against self-incrimination. These amendments were written long before the rise of cyber crime, but their principles apply to the field. Relevant statutes include the Wiretap Act, the Stored Wire and Electronic Communications Act and the Pen Registers and Trap and Trace Devices statute. Violating these statutes in the course of a forensic investigation may constitute a felony punishable by fines and/or imprisonment, so it is advisable to consult legal counsel before investigating any organisation's or individual's computers. The United States Federal Rules of Evidence on reliability, authentication, best evidence and hearsay should also be adhered to in all forensic work.
The Future of Computer Forensics
Computer forensics has a virtually limitless scope for advancement as new technology appears each year, and the field continues to expand. New developments in software and hardware call for new security measures and new ways of safeguarding organisations and individuals from computer crime. Organisations have come to rely on computer forensic professionals in cases of cyber crime, and the field has become an integral part of most law enforcement departments as computer use spreads to every corner of the globe.
Forensic audits of computers and systems have become a common requirement under electronic usage standards. In the near future it will not be unusual for employees to have their computer systems checked as they join or leave an employer. Forensic techniques are also being adopted for non-investigative uses in other fields, such as data mapping to improve data privacy and security, and the same methods serve to protect intellectual property. The field is likely to move from a reactive to a more proactive approach, with forensic investigation increasingly focused on compliance and prevention.
References
Baggili, I. (Ed.) (2011). Digital Forensics and Cyber Crime: Second International ICST Conference, ICDF2C 2010, Abu Dhabi, United Arab Emirates, October 4-6, 2010, Revised Selected Papers. Springer.
Cromwell (2011). Retrieved April 2011 from http://www.cromwell-intl.com/security/security-forensics.html
Gary (2010). Retrieved April 2011 from http://www.highbeam.com/doc/1G1-137863452.html
Kruse, W. G. and Heiser, J. G. (2002). Computer Forensics: Incident Response Essentials. Addison-Wesley Professional.
Vacca, J. R. (2005). Computer Forensics: Computer Crime Scene Investigation (2nd ed.). Cengage Learning.