Digital forensics is a branch of forensic science that covers the investigation and recovery of material found in digital devices, media and data, usually in order to find evidence relating to computer-related crimes.
Several distinct practices are in use in the field today.
Static digital forensics is the traditional method, in which duplicates are examined to gain evidence, such as a copy of the hard disk drive from which the memory contents, comprising deleted files, login history and the like, are extracted. The analysis of such data provides a complete or partial view of the set of tasks performed on the victim's system. Multiple tools are used for memory dumping and for sorting evidentiary data. External devices such as USB drives, CDs and DVDs are also examined as part of the investigation and analysis of activities (Rafique, 2013).
Live forensics and analysis is a method that comprises a non-interactive analysis procedure along with data snapshots, including fresh data models and the design of the user interface. In this process, information collection is carried out, followed by information analysis and the generation of reports, without interfering with the functioning of the compromised system or application. The process provides a clear picture of details such as the processes running on the system, memory dumps, networks connected to the system, open connections, unencrypted versions of files, and so on. Such information cannot be captured by static forensics. The process preserves the integrity and consistency of the data sets involved and can provide a great deal of evidence about the activities performed by users on the compromised system.
As the name suggests, defensive forensics comprises the techniques used to protect cyber information and users from cyber-crime. These techniques are executed to screen for possible attacks and to find evidence that allows them to be checked. Some of the methods under the defensive approach include email origin obfuscation, anonymizers, shell and cloud accounts, borrowing Wi-Fi connections, web browser privacy modes, and many others.
Offensive forensics is a proactive approach that aims to attack the malevolent entities by identifying their attack patterns and the evidence associated with the occurrences. Browser identification and IP geolocation are some of the techniques under this forensics approach (Du, 2017).
The process of gathering digital evidence and conducting forensics must also adhere to the applicable legal policies and meet the standard of scientific validity.
The scientific validity of the process can be confirmed by determining whether the forensics tools, methods and techniques have been tested. It shall also be established whether peer review and publication have taken place. The error rates, adherence to the specified practices and standards, and the acceptance criteria shall also be evaluated to determine the scientific validity of the process (Ryan, 2015).
The forensics processes that are found to have scientific validity, are carried out by approved experts and resources, and abide by the legal norms and principles are termed legal forensics.
However, there are also various occurrences wherein such norms and guidelines are not followed or complied with. These are the scenarios which fall under the category of illegal forensics.
Forensic investigation is a critical procedure that shall be carried out only when it is necessary and must be executed by a team of experts with appropriate tools and techniques.
There are scenarios wherein business organizations have succeeded in gaining benefits from investigation procedures by identifying and collecting the evidence of a cyber-crime or malicious activity. This has resulted in safeguarding digital data and applications so as to prevent similar cases in the future. However, the commercial and social impacts of the process have been negative as well.
There are organizations that make use of unreliable forensics tools and illegal forensics techniques, which has led to financial losses and liabilities for those organizations. When forensics activities and investigations are carried out, it becomes necessary to evaluate every aspect of the business. This leads to the collection and investigation of the data sets associated with all the internal and external stakeholders, customer data, and internal information of the organization (Ismail, 2014). The investigation carried out by the experts is often not well received by the external stakeholders and customers, and unsatisfactory outcomes may adversely affect trust and faith in the organization. The process of forensics analysis and investigation may impact the functionality of the compromised systems and applications. The business resources and executives may be prevented from using the affected systems at the time of investigation, which may impact business continuity. This may also provide competitors with an opportunity to perform better and gain a competitive edge in the market. The brand image and corporate value may be adversely affected as a result.
The social impacts associated with the process of forensics investigations may also be negative for the organizations involved. The organizations may incur financial loss and damages, as operational and business continuity may be impacted during the investigation. The loss of trust and faith of the stakeholders and customers in the organization may bring down the organizational and asset value, leading to poor revenues and profits. The business resources may be prevented from using certain applications and systems during the investigation procedures, which may not be well received by the staff of the organization. Employee satisfaction levels may suffer as a result.
Information gathering and information collection is one of the most essential processes in a forensics investigation. The forensics teams may not be able to identify suitable sources of information, which may lead to poor results. This may also impact business continuity and may lead to the introduction of new vulnerabilities in the system, giving attackers the opportunity to carry out security attacks.
The compromise of the information sets in the organization and exposure of private and confidential information to the unauthorized entities time and again leads to loss of trust of the customers and the stakeholders along with poor brand image in the market (Dimpe, 2017).
When a company faces a stringent and legal digital forensic investigation, there are many implications that the company must face. These range from the total damages the company has to bear, to the loss of reputation, to the legal prosecution that the company would face. Each of these is enumerated below:
Cost: The organization could sometimes suffer a minor financial loss pertaining to the cost of the investigation that has been carried out and the resulting effect on day-to-day business activities. Sometimes the losses could be enormous, depending upon how long the investigation has lasted, the net loss in business revenue (calculated on the basis of the total loss in sales during the period), the resulting expenses that have to be borne by the company during and after the investigation, and also the cost of the process, infrastructure and program changes that would follow the investigation.
Reputation: The organization could sometimes face little to no loss of reputation, depending upon the seriousness of the matter and whether the fault was the organization's or not. It also depends on whether the investigation was made public. Sometimes an organization may face serious implications, especially if the investigation was carried out owing to the company's own negligence or fault. In this case, the larger and more important the organization is, the bigger the news it would make, and the loss of reputation would correspond to it.
Legal: In the case of legal implications, the organization could face anything from little to no implications to very serious ones, depending upon the forensic investigation and the nature of the crime. Generally, in crimes where an employee is at fault, for instance carrying out an illegal activity within the premises of the organization, stealing data or carrying out a malicious insider attack, the legal implications have to be borne by the employee only. This happens once the investigation proceedings have been submitted to the court of law and the court acquits the culprit. In cases where the organization as a whole is at fault, the entire organization is represented in the court of law.
The motivation behind security risks and attacks may come from a variety of different reasons and motives. Financial gain has been observed as the primary motivation behind the occurrence of a security attack. In such cases, the malevolent entities capture data sets with the intent of obtaining a ransom from the data owners in exchange for not misusing the data. The financial accounts of the victims may also be targeted directly. Another motivating factor behind a cyber-crime may be personal interest and curiosity. These activities aim at gaining as much information as possible about a particular user or business organization. Target practice is also a term used to describe the motivation of an attacker, as the attacker may target smaller companies initially before targeting bigger ones. Certain cyber-crimes gain a great deal of attention and popularity on social media and tele-media due to the innovative approach used in the attack patterns, the compromise of sensitive data sets, the targeting of a big brand in the market, and the like. The popularity and fame that attackers might achieve after carrying out security attacks may also act as a motivating factor for them.
Revenge against a fellow employee in the organization or a rival in the market is one of the most common motivational factors behind security risks and attacks. The occurrence of cyber-crime is negative for the affected business organizations in terms of financial loss, loss of reputation and loss of customer trust. Such factors may motivate attackers to bring down the brand image of an entity in the market.
There may also be political factors and state-sponsored attacks where the motivation is political gain. These are occurrences that may have an impact on an entire nation (Asal et al., 2016).
There are a number of data manipulation methods that may be used, such as steganography, encryption and obfuscation, along with the use of automated tools. Steganography is the method used to hide data in plain view. The message is concealed in computer files through techniques such as Least Significant Bit (LSB) embedding (Attaby, Mursi Ahmed & Alsammak, 2017). Encryption, on the other hand, is a method in which the text is converted into ciphertext, which can be decrypted only with the secret key. Data obfuscation is another data manipulation technique in which data sets are deliberately scrambled to prevent unauthorized access. These may be classified as cryptographic and network security obfuscation methods. There are also automated tools and applications that have been developed to carry out the task of data manipulation.
Malware attacks are the most common form of cyber-attack. A number of malicious codes have been developed, such as viruses, worms, logic bombs, Trojan horses, adware, spyware, ransomware, and many others. These malevolent codes may or may not be self-replicating and may or may not require a trigger, but have the potential to cause severe impacts on the systems and applications they are injected into. Malicious entities have also developed keyloggers and unauthorized screen recorders that capture all of the user's activity. These logs are then misused to carry out security attacks.
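As an added illustration of the LSB method named above (example code written for this page, not from the essay or the cited paper), the following Python embeds a message in the least significant bits of a constructed pixel buffer, extracts it again, and applies the pairs-of-values chi-square statistic an examiner can use to flag LSB embedding; the pixel buffer and the message are constructed, and the smooth all-even cover is deliberately idealized.

```python
"""LSB steganography on a constructed greyscale pixel buffer.

Added example, not code from the essay. The "image" is a bytes object of
8-bit pixel values; a real image would be decoded to such a buffer first.
"""
from collections import Counter


def embed_lsb(cover: bytes, message: bytes) -> bytes:
    """Hide `message` in the least significant bit of successive pixels.

    A 16-bit big-endian length prefix is embedded first so the extractor
    knows how many bytes to read back.
    """
    payload = len(message).to_bytes(2, "big") + message
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover holds %d bits, message needs %d"
                         % (len(cover), len(bits)))
    stego = bytearray(cover)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit   # clear the LSB, then set it
    return bytes(stego)


def extract_lsb(stego: bytes) -> bytes:
    """Reverse of embed_lsb: read the length prefix, then that many bytes."""
    def read_bits(bit_offset: int, width: int) -> int:
        value = 0
        for i in range(width):
            value = (value << 1) | (stego[bit_offset + i] & 1)
        return value
    length = read_bits(0, 16)
    return bytes(read_bits(16 + 8 * k, 8) for k in range(length))


def pov_chi_square(pixels: bytes) -> float:
    """Pairs-of-values statistic used to flag LSB embedding.

    LSB embedding only moves a pixel between the values 2k and 2k+1, so
    after embedding the counts within each pair converge. An untouched
    smooth region keeps uneven pairs (large statistic); an embedded region
    evens them out (small statistic). Real images need a calibrated
    threshold; here we only compare before and after.
    """
    counts = Counter(pixels)
    chi2 = 0.0
    for even in range(0, 256, 2):
        n_even, n_odd = counts[even], counts[even + 1]
        expected = (n_even + n_odd) / 2
        if expected > 0:
            chi2 += ((n_even - expected) ** 2 + (n_odd - expected) ** 2) / expected
    return chi2


# Constructed cover: a smooth ramp whose pixel values are all even, so every
# LSB is 0 before embedding. Real photographs carry far more LSB noise.
COVER = bytes((2 * i) % 256 for i in range(4096))
SECRET = b"constructed sample message for the demo"


def demo() -> dict:
    """Embed, extract and score; returns values the reader can inspect."""
    stego = embed_lsb(COVER, SECRET)
    return {
        "recovered": extract_lsb(stego),
        "cover_stat": pov_chi_square(COVER),
        "stego_stat": pov_chi_square(stego),
        "changed_pixels": sum(1 for a, b in zip(COVER, stego) if a != b),
    }


if __name__ == "__main__":
    r = demo()
    print("recovered:", r["recovered"])
    print("chi-square cover=%.1f stego=%.1f pixels changed=%d"
          % (r["cover_stat"], r["stego_stat"], r["changed_pixels"]))
```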
There are certain principles that are involved in the process of evidence gathering which have been listed below.
Record-keeping is one of the essential processes in evidence gathering and investigation. The system logs of the infected and compromised systems and applications are among the basic and primary pieces of evidence that shall be captured and stored securely. It must be ensured that the system logs obtained and recorded are not modified. Operating system images also prove to be significant evidence after a cyber-attack. These shall also be recorded and securely stored (Gupta, 2018).
There are several information investigation processes that are executed so that the evidence gathered is sufficient for the forensics and resolution of the cyber-attack. One of the significant processes adopted in information investigations is the interview. Many interviewers may be involved in the panel, and the comments and inputs of all co-interviewers shall be recorded and stored. The interview process shall be carried out in a series of steps: identification of the interviewees, preparation of the schedule and interview questions, conducting the interview, and analysis of the responses. A corporate personnel management representative shall also be kept involved in the entire procedure for disciplinary management and observation. Background checks of the interviewers and interviewees shall also be included as a mandatory process. Various criminal proceedings and civil actions may be initiated ahead of the interviews, which must be done in adherence to all the regulations and policies.
Some of the best practices that may be followed in the process of digital evidence gathering have been listed below.
The evidence gathered from the crime scene shall be stored, secured and protected by applying security tools and methods. A number of legislative policies and rules may apply to the evidence gathered, and these shall be complied with at all times. International legislation and jurisdictions shall also be followed. Data sets may be obtained that belong to data owners in several parts of the globe; these data sets shall be handled as per the international jurisdiction applicable to them (Divakaran, Fok, Nevat & Thing, 2017).
There may be a few challenges that may be associated with the process of evidence gathering.
These challenges may bring in commercial, social, legal and ethical impacts. The process of evidence gathering and analysis may impact the functionality of the compromised systems and applications. The business resources and executives may be prevented from using the affected systems at the time of investigations which may impact the business continuity. This may also provide the competitors with an opportunity to perform better and gain competitive edge in the market.
Before starting a forensic investigation it is imperative to have a proper plan outlined so that the investigation can be conducted effectively. This is regarded as a proactive measure of investigation. In order to plan the forensic investigation effectively, the following steps need to be taken:
Forensic tool comparison
The forensic tools compared below are among the most popular and renowned tools used in the forensic investigation domain today. These three tools are Encase by Guidance Software, Forensics/XWF by X-Ways, and Autopsy. The last one is, however, not a single tool but a combination of a multitude of forensic tools. Encase is known for its easy-to-use interface, which has a small learning curve. Encase is also perhaps the most popular tool among forensic investigators and is accepted in courts of law. Encase features easier and full-fledged reporting capabilities as well as a built-in image acquisition tool for making a bit-by-bit copy. Encase has built-in support for BitLocker and an extraordinary feature called ‘Review package’ that allows the investigator to send the evidence to a requestor for review. On the downside, however, it is rather expensive and its evidence processing is slow and cumbersome. The next tool in question is XWF. XWF's strong points are its extremely customizable evidence processing capabilities. One can select precisely what one wants to process, such as emails or the registry. It is highly flexible and has granular options for filtering. A forensic tool must have good search capability, and this is also where XWF shines because of its highly customizable search functions. XWF can also run multiple instances of itself, all working on different parts of the investigation: one instance can be doing ‘processing’ while another is ‘searching’ or performing a ‘live preview’. Another rarely discussed feature of XWF is the frequency of its updates. However, with such great features and extensive customizability, XWF loses on simplicity. XWF is a rather complicated tool with a complicated interface, which is why it has a much steeper learning curve. Sometimes XWF can be overwhelming and confusing. XWF also does not offer a ‘Review Package’ and does not support BitLocker.
Lastly, Autopsy is not a single forensic tool in the complete sense but rather a VMware instance bundling a multitude of forensic tools. Autopsy's greatest strength is that it is free for commercial use. The Autopsy tools for analysis of browser history and internet-based activity are quite fast and easy to use. On the flip side, however, the overall capabilities of Autopsy are limited, and it supports neither BitLocker nor the ‘Review Package’.
Forensic investigation is a sensitive, critical and law-bound process. This means that it is imperative that any and all pre- and post-investigation issues are considered before starting the actual investigation.
Issues to be considered before the investigation include:
At the same time, the issues to be considered after the investigation include:
The actual forensic investigation is a multi-step process wherein each step begins after the completion of the previous step. Each step needs to be well planned in advance so as to carry out the investigation effectively. The first and foremost step in the investigation is the collection phase.
Collection
The collection phase is the first phase in the process, in which data is identified, recorded, labelled and acquired from different sources (CJCSM 6510.01B, 2012). There are two different types of data to be collected here: volatile data and non-volatile data. Volatile data is held in RAM, caches and temporary registry files and is cleared when the system is shut down; it is also periodically discarded even while the system is running. Non-volatile data, on the other hand, remains on the system permanently unless deleted, such as documents on an HDD. Volatile data such as the system date and time, running processes, logged-in users, network connections and open ports needs to be collected. Apart from this, local and remote memory needs to be acquired, together with the IP configuration and the services and drivers being executed. Finally, the clipboard contents need to be collected too. These data can be acquired using both Encase and XWF. Once the volatile data has been captured, the investigator moves on to the non-volatile data. Using either forensic tool and a write blocker, a complete image of the target system's hard disk drives can be captured. This is done bit-by-bit so that the entire volume of the original system is captured, including deleted data. An important point to note here is that the images should be validated with hash values so as to ensure the integrity of the data.
Once all the evidence has been collected, the next step is to examine the collected data. A detailed examination would be done for Windows Registry, Network, File system and database.
File System
The team would use the following command, which stores text in an NTFS alternate data stream (file2.txt attached to file1.txt):
C:\>echo text_mess > file1.txt:file2.txt
The hidden stream is read back with the following command:
C:\>more < file1.txt:file2.txt
Registry
The Windows registry is a collection of databases that store the configuration of a user's applications as well as of the hardware. It is used as a reference point during the execution of a program. The common structure of hives includes the following: HKEY_CLASSES_ROOT holds information required to execute programs, HKEY_CURRENT_USER contains the general information of the current user, HKEY_LOCAL_MACHINE contains information about the hardware of the system, a further hive contains the information of all users of the system, and finally HKEY_CURRENT_CONFIG stores the information about the current configuration. The Windows registry contains both volatile and non-volatile data, so the investigation here must be very careful and the investigator must be aware of the clear difference between them. Apart from the traditional registry values, the investigator must also consider the autostart locations for all applications that are started during system boot, as well as user activity and the most recently used (MRU) lists. Lastly, the investigator should also collect the UserAssist registry entries, along with the details of connected USB removable storage and the wireless SSIDs.
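The UserAssist entries mentioned above store ROT13-encoded program names together with a run count and a last-execution timestamp; the following Python (an added example, not code from the essay) decodes constructed values into an execution timeline. The 72-byte value layout used here (run count at offset 4, FILETIME at offset 60) is assumed for Windows 7 and later; verify it against the hive version being examined before relying on it.

```python
"""Decoding UserAssist registry values into an execution timeline.

Added example, not code from the essay. Assumed layout (Windows 7 and
later, 72-byte value data): the value name is the executed program path,
ROT13-encoded; the run count is a little-endian DWORD at offset 4 and the
last-execution time a FILETIME (100 ns ticks since 1601-01-01 UTC) at
offset 60. The sample values below are constructed, not from a real hive.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
RUN_COUNT_OFFSET = 4    # assumed offset of the run-count DWORD
LAST_RUN_OFFSET = 60    # assumed offset of the last-run FILETIME
MIN_DATA_LEN = LAST_RUN_OFFSET + 8


def decode_name(value_name: str) -> str:
    """UserAssist value names are ROT13-obfuscated; reverse that."""
    return codecs.decode(value_name, "rot_13")


def filetime_to_datetime(ft: int):
    """Convert a FILETIME tick count to an aware UTC datetime (None if zero)."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used only to build the samples."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_userassist(value_name: str, data: bytes) -> dict:
    """Return the decoded program path, run count and last run time."""
    if len(data) < MIN_DATA_LEN:
        raise ValueError("UserAssist data too short: %d bytes" % len(data))
    run_count = struct.unpack_from("<I", data, RUN_COUNT_OFFSET)[0]
    last_run = struct.unpack_from("<Q", data, LAST_RUN_OFFSET)[0]
    return {
        "program": decode_name(value_name),
        "run_count": run_count,
        "last_run": filetime_to_datetime(last_run),
    }


def _sample_value(path: str, runs: int, when) -> tuple:
    """Build a constructed (name, data) pair in the assumed layout."""
    data = bytearray(72)
    struct.pack_into("<I", data, RUN_COUNT_OFFSET, runs)
    ticks = 0 if when is None else datetime_to_filetime(when)
    struct.pack_into("<Q", data, LAST_RUN_OFFSET, ticks)
    return codecs.encode(path, "rot_13"), bytes(data)


# Constructed values standing in for a dump of a UserAssist Count subkey.
SAMPLE_VALUES = [
    _sample_value("C:\\Tools\\example.exe", 7,
                  datetime(2018, 3, 24, 10, 0, tzinfo=timezone.utc)),
    _sample_value("C:\\Users\\analyst\\cleanup.bat", 1,
                  datetime(2018, 3, 23, 22, 15, 30, tzinfo=timezone.utc)),
    _sample_value("C:\\Windows\\System32\\notepad.exe", 0, None),  # never run
]


def timeline(values=SAMPLE_VALUES) -> list:
    """Parse every value and order executed programs by last run time."""
    parsed = [parse_userassist(name, data) for name, data in values]
    executed = [p for p in parsed if p["last_run"] is not None]
    return sorted(executed, key=lambda p: p["last_run"])


if __name__ == "__main__":
    for entry in timeline():
        print(entry["last_run"].isoformat(), entry["run_count"], entry["program"])
```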
The acquisition, collection and analysis of events that happen in the network is known as network forensics. In order to capture network-related data, a bootable USB flash drive containing Encase or XWF must be used to collect both volatile and non-volatile data. Critical information to be covered here includes the process listing, system information, service listing, network connections, a binary dump of memory, registry information and the logged-on registered users.
The database of an online retailer would typically consist of sensitive details including customers' personal details and the sales and revenue details of the company, among a host of other information that is crucial to the company. In order to access the database, the investigators need to obtain authorization and/or authentication-based permissions for the database (Khanuja & Adane, 2011). The team needs to look into the audit logs of the database so as to understand who had permission to access the data. Both Encase and XWF have database forensic tools to gather enough data to prove or disprove an intrusion.
To begin with, the evidence needs to be analysed and examined. The data would be thoroughly investigated to look for any unusual or hidden files. Simultaneously, any unusual process and/or any open sockets would be corroborated with any unusual account. OS-level patching would also be checked. After all of this, an outcome can be obtained which will help in understanding whether or not any malicious activity is present. Going forward, we will develop a strategy for the forensic investigation covering memory analysis, file system analysis, timeline analysis and event correlation (Nelson et al., 2008).
In order to perform malware analysis, an audit of recorded hash values must be done along with signature validation, collision log verification, and analysis of system restore points and the pagefile. Simultaneously, the event logs and file system would be examined to figure out when the malware affected the system. Keyword hunts also need to be performed so as to find references to malware and their association with compromised hosts. Traditional attack vectors are also recognized, including email attachments, unauthorized logins and web browsing history. Altogether, the following elements must be reviewed: searching for known malware, examining Windows prefetch, reviewing installed programs, reviewing autostart entries and executables, examining logs and file systems, and reviewing user accounts, the registry and restore points. The investigation must also include keyword searching. In order to perform malware analysis, Norton Ghost would be used.
Dynamic analysis would help establish the presence and activity of malware, if any is present, by observing the malware's behaviour. This is not a safe process, as it may involve sacrificing the malware analysis environment. The tools used in this case include Wireshark or Process Monitor by Sysinternals.
Static analysis would allow the investigator to conduct analysis without running the malware program. This is therefore a safer alternative to dynamic analysis, as no files are quarantined or deleted by the malware program. A multitude of options are at the investigator's disposal, such as file fingerprinting, packer detection, string detection and virus scanning, among others (Kendall, 2007).
Date and Time | Activity | PC ID
March 24, 10 am | Retrieval of original evidence devices | PC ID 1 – 6 and DB 1, WB 1
11 am | Examination of physical evidence for any tampering and understanding physical configuration | PC ID 1 – 6 and DBS 1, WBS 1
12 pm | Acquisition of data | PC ID 1
12:20 pm | Acquisition of data | PC ID 2
12:30 pm | Acquisition of data | PC ID 3
12:35 pm | Acquisition of data | PC ID 4
12:40 pm | Acquisition of data | PC ID 5
12:50 pm | Acquisition of data | PC ID 6
12:55 pm | Acquisition of data | DBS 1
1 pm | Acquisition of data | WBS 1
2 pm | Logical analysis of all data using XWF | N/A
3 pm | Examination of all data types using XWF | N/A
Mar 25, 10 am | Keyword text search string | N/A
11 am | Continued examination of search results | N/A
Mar 26, 10 am | File-by-file examination of evidence files | N/A
Mar 27, 10 am | Network forensic investigation | N/A
4 pm | Malware analysis | N/A
Mar 28, 10 am | Preparation of findings | N/A
5 pm | Preparation of remedial actions | N/A
It can be observed that the entire incident was caused by one or more internal employees. The attackers began by compromising the system, as they were aware of the system's vulnerabilities and loopholes. They began by installing malware on the system. Through this malware they gained access to privileged data and records to which they did not have access. The attackers were gathering the company's intellectual property along with sensitive transactional data, both physically from within the office environment and remotely by means of the malware. Owing to the insufficient state of security, such as the lack of an intrusion detection system, firewalls and encrypted databases, and weak network security, they managed to steal data that could significantly affect the organization. Below are recommendations for remedial actions that could prevent a recurrence or at least help strengthen the current state of security within the organization.
The following remedial actions have been suggested.
As per the research and analysis carried out by Shiner and Cross (2002), malware attacks can be prevented by the following controls:
In this case the most successful measures have been the ones described below.
The following sections are used to classify the practical rules.
References
Asal, V., Mauslein, J., Murdie, A., Young, J., Cousins, K., & Bronk, C. (2016). Repression, Education, and Politically Motivated Cyberattacks. Retrieved 27 March 2018, from https://doi.org/10.1093/jogss/ogw006
Attaby, A., Mursi Ahmed, M., & Alsammak, A. (2017). Data hiding inside JPEG images with high resistance to steganalysis using a novel technique: DCT-M3. Ain Shams Engineering Journal. https://dx.doi.org/10.1016/j.asej.2017.02.003
Dimpe, P. (2017). Impact of Using Unreliable Digital Forensic Tools. Iaeng.org. Retrieved 27 March 2018, from https://www.iaeng.org/publication/WCECS2017/WCECS2017_pp118-125.pdf
Divakaran, D., Fok, K., Nevat, I., & Thing, V. (2017). Evidence gathering for network security and forensics. Digital Investigation, 20, S56-S65. https://dx.doi.org/10.1016/j.diin.2017.02.001
Du, X. (2017). Evaluation of Digital Forensic Process Models with Respect to Digital Forensics as a Service. Arxiv.org. Retrieved 27 March 2018, from https://arxiv.org/ftp/arxiv/papers/1708/1708.01730.pdf
Gupta, P. (2018). Capturing Ephemeral Evidence Using Live Forensics. Iosrjournals.org. Retrieved 27 March 2018, from https://www.iosrjournals.org/iosr-jece/papers/NCNS/109-113.pdf
Ismail, A. (2014). Cybercrimes, Computer Forensics and their Impact in Business Climate: Bahrain Status. Research Journal Of Business Management, 8(3), 139-156. https://dx.doi.org/10.3923/rjbm.2014.139.156
Rafique, M. (2013). Exploring Static and Live Digital Forensics: Methods, Practices and Tools. Retrieved 27 March 2018, from https://www.ijser.org/researchpaper/Exploring-Static-and-Live-Digital-Forensic-Methods-Practices-and-Tools.pdf
Ryan, D. (2015). Legal Aspects of Digital Forensics. Euro.ecom.cmu.edu. Retrieved 27 March 2018, from https://euro.ecom.cmu.edu/program/law/08-732/Evidence/RyanShpantzer.pdf