Digital Forensics is termed as the method of preservation, identification, extraction, and documentation of electronic evidence which can be effectively utilized at the time of presenting evidences before the competent Court. It is relating to finding or extracting evidence from Computer System or Computer resource or Computer network. There are numerous types of Digital Forensics such as Disk Forensics, Email Forensics, Computer Forensics, Network Forensics, Memory Forensics, Malware Forensics, etc.
Technologies improving digital forensics investigations have come in to the picture in the recent years such as continuously updating operating systems, mobile devices, large amount of data storage, peer-to-peer file-sharing and many more. Further, the legal and ethical obligations in consonance with confidentiality and fiduciary duties have evolved in a slow manner.
To utilize a digital forensic expert, and to manage the risks relating to civil/ criminal liability, lawyers must strictly give a caution them so that they don’t cross any ethical or professional boundaries. Digital forensic experts often gets support from people with legal background so that such experts may provide them some admissible evidence before Court provided that such experts shall show faith for the purpose of neutral fact-finding incases relating to cyber offence. Therefore, digital forensics experts and the lawyers are usually best suited to work with each other in order to prove the extracted evidence and to cater any evidentiary challenges due to changing technology now-a-days.
Features of Digital forensics
· To safeguard the Computer System’s integrity.
· It helps the Organization and/or Companies to review or extract necessary data in case of any Cyber attack or compromise of Computer Systems
· To effectively tracking the cyber offender across the world.
· Permits to process the factual digital evidence in order to prove the actions of the cyber offender before the Court.
PHASES OF FORENSICS INVESTIGATION
The National Institute of Standards and Technology, NIST categorizes any forensics investigation into four phases such as:
a) Collection: Recognise, record and extract information the Computer sources, while safeguarding the data’s integrity.
b) Examination: Utilize manual and automated processes to examine and extract suspected data.
c) Analysis: Utilize legally justifiable methods and techniques to derive useful information.
d) Reporting: Depict actions and counter measures utilized, describe the method of using the tools and procedures while saving from any vulnerabilities and updating current security controls.
Some further improvements to guidelines, procedures, tools, etc. of the forensic methods:
· Approach: Expert should create a process for the purpose of collecting untainted e-evidence.
· Preservation: The isolation, seclusion of the state of physical and e-evidence.
· Presentation: Summarize the findings that experts gather out of the forensic investigation.
· Returning Evidence: Physical and digital property is returned to proper owner after the investigation is completed.
· Interpretation: Such step includes conclusion of the investigation after re-construction of the incident.
· Documentation: Last step involves making a wholesome report and/ document on the complete investigation.
DIGITAL FORENSICS TOOLS AND TECHNIQUES
Computer forensics tools are created for providing assurance that the data gathered from Computer System is authentic and reliable for evidence before the Court of Law. There consist numerous types of Computer Forensics Tools such as:
· Disk Imaging tools;
· File viewers;
· Email analysis tools;
· Registry or Log Analysis tools;
· Mobile devices analysis tools and;
· Network forensics tools.
The major plus point of commercial tools is that they are majorly automated and have an ability to perform almost entire forensic investigations. Further, the developers of such tools did all kinds of research and development in order to ensure continuous testing and updating their current and novel products.
Ø Types of Commercial Forensics Tools/Software:
· Forensics Toolkit
· FTK Imager
Ø Open Source Forensics Tools/Software
· SIFT Workstation
Ø Windows Tools for Forensic Investigation:
· CMD Command
· Event Viewer
a) IMAGE CREATION: FTK IMAGER
· FTK Imager is a data viewer and mirroring tool that enables to give an access to the Computer System records which in turn can be termed as “electronic evidence” in the Court of law. FTK Imager has the basic function to capture mirror copies of all kinds of data in the Computer System. FTK Imager copies such data while not altering to the original piece of evidence.
· Since Autopsy does not have a feature of image creation or gathering all kinds of data from Computer System, FTK Imager may be used in such a situation. So, it can be effectively utilized for creating disk images that can be further analyzed utilizing the Autopsy/The Sleuth Kit.
· EnCase is digital investigation software that becomes fruitful for cyber forensics, cyber security and e-discovery usage. Encase is basically utilized in forensics for the purpose of recovering the evidence from seized hard drives or files.
· Encase allows the Forensic Examiner to conduct in depth analysis of user files to collect evidence such as documents, pictures, internet history, data from numerous devices, including mobile phones, and Windows Registry Information.
· Encase-forensic software has a functioning to unlock encrypted data for evidence. EnCase helps to gather wholesome reports for preserving the integrity of the digital evidence.
· The Secretive National Media Exploitation Center (NMEC) had successfully conducted an effective digital forensic investigation that followed Bin Laden’s death and EnCase played an important role. NMEC had utilized the EnCase to crack encrypted media and recover deleted documents.
· Autopsy is a Graphical User Interface based program that permits anyone to efficiently analyze any kind of USB or hard drives and Mobile Device. It has the feature of Multi-User Cases and it further helps to collaborate with fellow Investigators to solve any cyber crime related cases.
· Autopsy shows system events in a GUI interface to help identify any activity.
· Autopsy provides the option of “Keyword Search” in order to search or extract certain specific terms and find regular expression patterns.
Ø INITIAL STEPS:
· Firstly, the Author attempts to run Autopsy Tool and then selects the option “New Case”.
· Secondly, Author fills out all the details such as the Case Name and the directory to store the case file and click on the option “Next”.
· Thirdly, Author adds the further details such as the “Case Number” and Investigator’s details, then click on the option “Finish”.
· Lastly, the Author opts for the required data source, (i.e., Disk Image or any External Storage Device) and opts on Next, while selecting the path of the said data source and opts on the option “Next”. Autopsy tool will redirect you to the main screen as mentioned under Picture №1.
Ø EVIDENCE GATHERING USING AUTOPSY:
· Autopsy helps to look for any deleted files which the victim/Suspect might remove it from the Disk Image or any External Storage Device as enumerated in Picture №2. Some of the files can be recoverable by using the option “Extract File”. It depends whether or not the System has already overwritten that are of the Disk Image.
· Deleted files shown under Autopsy tells the “Access Time”, “Created Time”, “Location”, “Extension” and much more information regarding any certain file.
· Autopsy can extract information regarding USB Device attached (including information regarding Model Type, Device ID, etc), any Email information, encrypted files, Geo-location and camera information from JPEG files, etc as enumerated in Picture №3 & 4.
· Author can report in well documented manner. Autopsy further gives an option of “Generated Report” in HTML or Text or PDF format.
· Author can check for any viruses (such as zip bomb) on the Disk Image or any External Storage Device. To check it, one can reach to the category of “Results > Interesting Items > Possible ZipBomb > Interesting Files” (Under the Column of “Interesting Items”, it is where Autopsy shows any probable malicious files with the name of “Zip Bomb”).
· Author can check for number of Accounts that are being recorded. To check it, one can reach to the category of “Results > Extracted Content > Operating System User Account”.
d) COMMAND PROMPT FOR COMPUTER FORENSICS INVESTIGATION:
Command Prompt can be proved useful for collecting volatile Forensic evidence. First thing what the Forensic Investigator can do is to collect the RAM before it changes too much or before shutting down the computer of the Victim/Suspect.
• C: WINDOWS\SYSTEM32>Doskey/history
To check whether which commands the Host/Suspect uses before in the Command Prompt.
• C: WINDOWS\SYSTEM32>whoami
This command will tell the host name of the computer)
• C: WINDOWS\SYSTEM32>query user /server: name of the server
“Query” is the built-in Windows command. Just open a command prompt and execute:
C: WINDOWS\SYSTEM32>query user /server: “name of the server”. Replace the term “name of the server” with the name of the computer you want to remotely view who is logged on (In picture №5, the host name is shashank-pc).
• C: WINDOWS\SYSTEM32>wmic product get name
It gives the list of Softwares available in the System.
• C: WINDOWS\SYSTEM32>Tasklist /v
C: WINDOWS\SYSTEM32>Tasklist /svc
Tasklist.exe is a built-in tool to check all the available image name, PID session name, memory usage and session ID. To get detailed information about processes, you can use /v and /svc switch as enumerated in Picture №6.
• C: WINDOWS\SYSTEM32>netstat
It provides the list of active connections made to the host/ Suspect’s Computer along with the status of the connection (i.e., Established or waiting).
• C: WINDOWS\SYSTEM32>netstat –ano
“Netstat” is a built-in tool of Windows. Netstat tool depicts both the UDP and TCP connections (including information such as established, listening and time_wait). One can see a list of PID while utilizing the TCP and UDP ports. To see live network activity with netstat utility as enumerated in Picture №7.
e) WINDOWS FILE LOGS FOR FORENSIC INVESTIGATION
· Windows Event Viewer gives every bit of event that is related to the Computer System. Event logs provides audit trail that records all the events of the User(s) on a Computer. It is considered as an important source of evidence in forensic examinations conducted by the Investigators.
· It requires some experts who can successfully make use of the Windows event logs in order to gather evidences for a particular digital forensic investigation. There is some vulnerability in Event Logging as well but majority of them can be overcome which thus, makes Event Logs A viable resource for monitoring process.
· Lastly, Event Logs can be observed by utilizing numerous processes in order to find or trace any kind of malware in the Computer System.
Ø SYSTEM COMPROMISE INDICATORS
· Unusual or sudden huge Network Traffic (Outbound)
· Geographical irregularities in logins and access patterns from different locations.
· Check for multiple failed logins for the user accounts.
· Check for Windows registry alterations.
· If any data is stored in unusual or wrong places.
Ø CHECKING EVENT ID’s FOR LOG ANALYSIS
One of the pertinent works of the log analysis in the security event is to figure out who or what logs the Host’s System on or off.
On can open Security event log in the Windows Event Viewer to find out all the small to major activities that are been done with the Host’s System. There consists of numerous and different kinds of events in the Event Viewer in order to trace the activity of any User by looking up events with the following Event IDs and Login IDS as mentioned below:
· 4624: The Account was successfully logged in. (In Security Event)
· 4625: An Account failed to logged in. (In Security Event) (as enumerated in Picture №8)
· 4800: The System was locked. (In Security Event)
· 4634: Windows Shutdown/ Account was Logged off.
· 4608: System starts up.
It can be stated that the crime scene now-a-days, is not confined to only the physical location of Systems or devices utilized while committing a cybercrime. Any cybercrime basically involves devices that can contain digital evidences. The crime scene is secured when a cybercrime is observed, reported, and/or suspected via numerous cyber forensic tools.
a) Maintaining Chain of Evidence: Chain of custody includes the records in chronological order while gathering the evidence such as, details of the Forensic Investigator timestamps at the time of evidence collection, etc.
b) Limiting the evidence Interaction: As a Forensic investigator, he or she shall ensure that the extracted evidence is having a limited interaction by capturing the RAM (volatile Memory).
c) Role of Digital forensic experts and Lawyers: Digital forensic experts shall have support from people with legal background so that such experts may provide them some admissible evidence before Court to cater any evidentiary challenges due to changing technology now-a-days.
d) Well Documented Evidence: All acts in regards to the access, extraction, etc of any digital evidence shall be completely documented.
e) Providing Standards to the Forensics Tools: If the forensic tool that is being utilized for digital forensic is not as per any specified standards then the evidence might be disapproved by justice before the Court of Law.
1) BAJRAMOVIC, E. “INTERVIEW METHODOLOGY IN DIGITAL FORENSICS INVESTIGATIONS. INTERNATIONAL JOURNAL OF ECONOMICS AND LAW”(2014), 4, 33–38 (RETRIEVED 28 FEBRUARY 2021, FROM:
2) CARROLL, O. L., BRANNON, S. K., & SONG, T., “COMPUTER FORENSICS: DIGITAL FORENSIC ANALYSIS METHODOLOGY” (2008), UNITED STATES ATTORNEYS’ BULLETIN, 56(1), 1–9 (RETRIEVED 28 FEBRUARY 2021, FROM: https://heinonline.org/HOL/Page?handle=hein.journals/usab56&id=2&collection=journals&index=
3) FTK® IMAGER. (2021). RETRIEVED 13 MARCH 2021, FROM
4) HARRINGTON, S. L. “COLLABORATING WITH DIGITAL FORENSICS EXPERT: ULTIMATE TAG-TEAM OR DISASTROUS DUO”, (2011) WILLIAM MITCHELL LAW REVIEW, 38(1), 353–396 (RETRIEVED 28 FEBRUARY 2021, FROM:
5) KARSYAN, M. “EXPLORING WHO LOGGED ON THE SYSTEM”, (2016), EVENT LOG EXPLORER, (RETRIEVED 11 MARCH 2021, FROM https://eventlogxp.com/blog/exploring-who-logged-on-the-system/)
6) MITCHELL, F. “THE USE OF ARTIFICIAL INTELLIGENCE IN DIGITAL FORENSICS: AN INTRODUCTION”, (2010), DIGITAL EVIDENCE AND ELECTRONIC SIGNATURE LAW REVIEW, 7, 35–41 (RETRIEVED 28 FEBRUARY 2021, FROM:
7) NIST GUIDE DETAILS FORENSIC PRACTICES FOR DATA ANALYSIS. (2006) (RETRIEVED 15 MARCH 2021, FROM https://www.nist.gov/news-events/news/2006/09/nist-guide-details-forensic-practices-data-analysis#:~:text=The%20guide%20recommends%20a%20four,report%20the%20results%20of%20the)
8) WHITFIELD, B. “HOW ENCASE SOFTWARE HAS BEEN USED IN MAJOR CRIME CASES”, (2019) (RETRIEVED 13 MARCH 2021, FROM https://eforensicsmag.com/how-encase-software-has-been-used-major-crime-cases-plus-how-to-use-encase-forensic-imager-yourself-by-brent-whitfield/)