Generally, the definition of digital forensics is “…the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data.” Following this definition, digital forensics has been in the popular mainstream for some time, and has matured into an information-technology capability that is very common among modern information security programs. The goal of digital forensics is to support the elements of troubleshooting, monitoring, recovery, and the protection of sensitive data. Moreover, in the event of a crime being committed, cyber forensics is also the approach to collecting, analyzing, and archiving data as evidence in a court of law.
In the past, forensic analysis consisted of the following steps:
According to NIST, over the last decade the number of crimes that involve digital evidence has grown, spurring an increase in companies and products that aim to assist law enforcement in using computer-based evidence to determine the who, what, where, when, and how of crimes. As a result, digital forensics (cyber forensics) has evolved to assure the proper presentation of computer crime evidence in court. Compounded by a wide variety of proprietary technologies and protocols, as well as critical system technologies with no capability to store significant amounts of event information, the task of creating a ubiquitous and unified strategy for technical digital forensics is far from trivial. To date, no guidance on digital forensics has been produced other than what may be privately available from commercial vendors. Current materials have been designed to support event recreation (event-based), and although important, these requirements do not always satisfy the needs of incident response or of forensics driven by cyber incidents.
To make a long story short, the current situation in the digital forensics domain is the following:
Electronic record: Any data that is recorded or preserved on any medium in or by a computer system or other similar device, that can be read or perceived by a person or a computer system or other similar device. It includes a display, printout or other output of that data.
Computer Forensics: The scientific examination and analysis of data held on, or retrieved from, computer storage media in such a way that the information can be used as evidence in a court of law.
Chain of custody: evidence is accounted for at all times, and every passage of evidence from one party to another or from one location to another is fully documented.
The critical note: requests for forensic data (the inputs to a forensics investigation) should be treated like a shopping list. The focus here is therefore on defining the format (structure) of the supplied information rather than on the tools used to collect it.
Digital evidence is:
any data stored or transmitted using a computer that supports or refutes a theory of how an offense occurred or that addresses critical elements of the offense such as intent or alibi (Casey, Eoghan. Digital Evidence and Computer Crime, p. 12);
extremely fragile, similar to a fingerprint;
latent, meaning it cannot be seen in its natural state, much like DNA; any action that can alter, damage or destroy digital evidence will be scrutinized by the courts;
often constantly changing and can be very time sensitive;
data that can cross borders with ease and speed.
There are three types of digital investigation:
Internal: no search warrant or subpoena needed; the quickest investigation. Example: a corporate investigation involving an IT administrator and documents that should not have been viewed.
Civil: the other side may own the data, and a subpoena may be needed. Example: one party sues another over ownership of intellectual property; digital evidence must be acquired and authenticated so it can be submitted in court.
Criminal: the highest stakes; accuracy and documentation must be of the highest quality; the slowest moving. Example: a child pornography investigation involving possession and distribution of contraband.
The best-known types of incident for which a forensics process can be used are the following:
According to NIST, the digital forensics process consists of four phases:
Figure 1. Digital Forensics Methodology.
Data acquisition is divided into “live system analysis” and “dead analysis”. Dead analysis is the more common way to acquire data and one of the most important steps of a forensic investigation. In both cases the critical aspect is how the data are collected: it must be done in a way that does not alter the data or reduce their evidentiary value. During data acquisition an exact (typically bitwise) copy of the storage medium is created.
Two methods to access data on a storage medium:
An acquisition tool must be able to handle read errors.
Figure 2. General error handling of acquisition tools.