Digital Forensic Investigation - Case Study Example

Summary
This paper, "Digital Forensic Investigation", discusses the sources of data used during a digital forensic investigation in an effective and legal way, and prioritizes the discussed data sources according to three different events: network intrusion, malware installation, and insider file deletion.
INTRODUCTION

Primarily, this paper will discuss the different sources of data that are used during a digital forensic investigation in an effective and legal way, will look at basic technical issues, and will indicate references for further reading. In addition, the paper will prioritize the discussed data sources according to three different events: network intrusion, malware installation, and insider file deletion. The discussion will be beneficial for managers and individuals in understanding digital forensics and the processes involved in its investigation. It will also help network administrators understand different aspects of computer forensics, which will help them ensure greater security for their organizations strategically.

Before assessing the topic, it is essential to understand the definition of digital forensics, which has been slow to gain recognition because of the dearth of research in the area and the lack of awareness about the importance of digital forensics in today's competitive world. Briefly, forensics is the process in which experts use scientific means and skills to collect and analyze evidence that can then be submitted in court for legal purposes (Kent, Chevalier, Grance, & Dang, 2006). In this regard, digital forensics is a newly born discipline that is gradually acquiring importance as a formal area of study; it deals with the scientific collection of evidence from different computer-related sources of data, which include desktops, laptops, routers, CCTV, network hubs, logs, software, time packages, emails, etc. (ENFSI, 2003).
It is imperative to understand that, since digital forensics is a new area of study that is still being standardized, the discussion in this paper of the different sources of data might not be the final word. It will take further study and investigation to reach a conclusion on prioritizing these sources in terms of their utilization in different events and incidents. In addition, from a technical perspective, it is essential to understand that besides assessing the different sources of data, it is equally important to fulfill the primary goal of digital forensics, which is preservation of the identified data source. It has been observed that investigators are usually able to identify important data sources; however, they overlook preservation of those sources, which results in the evidence being inadmissible in court.

SOURCES OF DATA

As mentioned earlier, digital forensic investigation is divided into the stages of preservation, collection, examination, and analysis (ENFSI, 2003). The collection stage is the relevant one for this paper, as it involves identification and collection of the information pertinent to the case under investigation. In conventional forensics, everything is a source, since investigators can gather information from people and acquire fingerprints from clothes, furniture, floors, etc. In digital forensics, however, information is usually held in computers or computerized equipment, in forms such as phone logs, web traffic, packet sniffer captures, and network records (ENFSI, 2003); it is therefore usually not possible to take away the whole equipment, and investigators have to collect the information while ensuring complete preservation. Besides the four stages, the collection stage itself can be categorized into two parts.
Firstly, investigators collect background evidence, which refers to data that is usually available and stored for ordinary organizational purposes (Sheldon, 2002). Secondly, investigators also come across foreground evidence, which refers to data gathered specifically to detect a crime. Awareness of these categories will help in understanding the different sources of data discussed below.

General Logs

General logs are an extremely important source of data in digital forensic investigation, giving investigators access to valuable information in the form of web traffic, transactions, user logs, access logs, and network logs. Because digital forensic investigation is not standardized, some experts consider general logs a primary source of data, whereas others consider them a secondary source, since they are found on systems such as laptops, desktops, backup disks, and storage media (Arasteh, Debbabi, Sakha, & Saleh, 2007). Their inclusion in this paper indicates that they are treated here as a primary source. Basically, every computer generates and maintains a sequential record of every event that happens in its system, which is referred to as a log file. Technically, the timestamp is the basic element of a log entry, enabling investigators to know the exact time of the entry; it is followed by an identifier and a brief description of the entry (Arasteh et al., 2007). Since computers keep a record of every entry, one of the biggest challenges in collecting and examining this data source is the huge number of log files usually present on a single computer system (Arasteh et al., 2007).
If investigators have to examine a single computer system, this is no issue; however, in cases involving a whole organization, it becomes a hectic task to collect, preserve, and examine thousands of log files, and it takes a long time to reach a conclusion. As discussed earlier, logs are not of a single type; they range from a simple system log file to encrypted internet traffic. It is therefore a challenge for investigators to access the files and preserve them while knowing their exact type, as every type is of a different complexity and requires different treatment. In addition, many systems do not keep a record of every process but only of important or unusual events, which becomes a challenge for investigators when an event relevant and important to a particular case was not recorded. For instance, a TCP wrapper usually logs the beginning of a TCP connection and generates a log entry when it ends, but it does not log anything in between (Carrier & Spafford, 2003). If a user had established and ended a connection a hundred times, there would be a hundred log file entries in the system. An investigator should therefore be aware of all the circumstances, along with the settings of the computer systems, before collecting, preserving, and examining the data source, and before reaching a conclusion based on the presence or absence of a log file entry. Although general logs are easy to access and simple to analyze, this simplicity is itself the biggest challenge for investigators: since the timestamp is one of the basic elements of a log file, and because of that simplicity, it is very easy to tamper with the timestamp, which may adversely affect the forensic investigation.
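The log structure described above (timestamp, identifier, brief description) and the TCP wrapper behaviour of logging only the start and end of a connection can be exercised with a small parser. The following Python is an added example, not code from the paper or from any of the works it cites; the log lines are constructed, and the wording of the tcpd messages is an assumption made for illustration. It pairs each connection-start entry with the matching end entry, counts connections per client, and flags entries whose timestamp runs backwards relative to the entry logged before it, which is the kind of inconsistency an edited timestamp or a clock change leaves behind in a sequential log.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log in the three-field shape the paper describes:
# timestamp, identifier (program name), brief description. The tcpd-style
# entries record only the start ("connect") and end ("closed") of a connection;
# nothing in between is logged. Line 4 has a timestamp earlier than line 3.
SAMPLE_LOG = """\
2023-03-01 09:00:01 tcpd: connect from 10.0.0.5 to sshd
2023-03-01 09:00:04 tcpd: closed 10.0.0.5 sshd
2023-03-01 09:01:10 tcpd: connect from 10.0.0.5 to sshd
2023-03-01 08:55:00 cron: job backup started
2023-03-01 09:01:20 tcpd: closed 10.0.0.5 sshd
2023-03-01 09:02:00 tcpd: connect from 10.0.0.9 to ftpd
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+): (.*)$")


def parse_log(text):
    """Split each line into (timestamp, identifier, description); reject lines
    that do not fit the expected shape rather than silently skipping them."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f"line {lineno}: unrecognised format: {line!r}")
        stamp = datetime.strptime(match.group(1), "%Y-%m-%d %H:%M:%S")
        entries.append((stamp, match.group(2), match.group(3)))
    return entries


def pair_connections(entries):
    """Pair each tcpd 'connect' with the next 'closed' for the same client and
    service. Returns (sessions, still_open): sessions is a list of
    (client, service, start, end); still_open maps (client, service) to the
    start time of connections with no recorded end."""
    still_open = {}
    sessions = []
    for stamp, ident, desc in entries:
        if ident != "tcpd":
            continue
        start = re.match(r"connect from (\S+) to (\S+)", desc)
        if start:
            still_open[(start.group(1), start.group(2))] = stamp
            continue
        end = re.match(r"closed (\S+) (\S+)", desc)
        if end:
            key = (end.group(1), end.group(2))
            opened_at = still_open.pop(key, None)
            if opened_at is not None:
                sessions.append((key[0], key[1], opened_at, stamp))
    return sessions, still_open


def connections_per_client(sessions):
    """Count completed connections by client address."""
    return Counter(client for client, _service, _start, _end in sessions)


def out_of_sequence(entries):
    """Return (line_number, entry) for every entry whose timestamp is earlier
    than the entry written before it. A sequentially written log should never
    go backwards, so each hit deserves scrutiny before the timestamp is relied on."""
    flagged = []
    for i in range(1, len(entries)):
        if entries[i][0] < entries[i - 1][0]:
            flagged.append((i + 1, entries[i]))
    return flagged


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    done, pending = pair_connections(parsed)
    for client, service, start, end in done:
        print(f"{client} -> {service}: {(end - start).total_seconds():.0f}s")
    print("still open:", pending)
    print("per client:", dict(connections_per_client(done)))
    for line, entry in out_of_sequence(parsed):
        print(f"line {line} runs backwards: {entry}")
```

A backwards timestamp is only an indicator: a legitimate clock correction produces the same pattern, so the check narrows down which entries need their surrounding circumstances (clock settings, other logs) examined before they are used to support a conclusion.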
Nowadays, tools are available to check the integrity of the data; however, easy tampering remains one of the drawbacks of depending on general logs in a digital forensic investigation (Carrier & Spafford, 2003). Apart from tampering, another challenge investigators face is that different systems may be running on different clocks. In that case, the timestamp in a log file may contradict the system clock, which complicates the examination and analysis stages.

Time Packages

As discussed earlier, general logs are easily accessible but bring with them challenges such as the possibility of easy forgery; therefore, the paper now discusses another important source of data, time packages. They are similar to timestamps in that they also allow investigators to know the time of an event or an entry; however, they are difficult to forge, and thus digital forensic experts have been making efforts to determine the time of events during an investigation with the help of time packages (Carrier & Spafford, 2003). To understand this data source, the paper describes two methods used to access it, which will make it easier to understand the challenges investigators confront while collecting information from it.

The first method is known as the time bounding method. Usually, timestamps allow the temporal order of events to be determined. With time packages, however, the time bounding method allows investigators to determine the inverse of the temporal order of events; in other words, the exact time of events, which is usually not possible to determine with timestamps. For instance, assume that three events X, Y, and Z happened in a system, and investigators know that all three occurred in sequence: Z happened after Y, and Y happened after X. As a result, this method allows experts to determine a bounded time for event Y.
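The preservation goal stated in the introduction and the integrity tools mentioned above for general logs can be illustrated with a cryptographic manifest: every collected file is hashed at collection time, and the same hashes are recomputed before examination so that any edited, missing or added file is detected. This is an added Python example, not code from the paper; the file names and contents written by demo() are constructed, and the manifest format is an assumption.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large evidence files are never read
    into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its digest.
    Taken once at collection time, this is the sealed record of the evidence."""
    root = Path(root)
    return {
        path.relative_to(root).as_posix(): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def verify_manifest(root, manifest):
    """Recompute digests and report files that changed, vanished, or appeared
    since the manifest was sealed."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def is_intact(report):
    """True when the verification report lists no discrepancies."""
    return not any(report.values())


def demo():
    """Constructed scenario: seal two collected log files, verify them untouched,
    then edit one, delete one, add one, and verify again.
    Returns (clean_report, tampered_report)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "auth.log").write_text("2023-03-01 09:00:01 sshd: accepted user alice\n")
        (root / "access.log").write_text("10.0.0.5 - - [01/Mar/2023:09:00:02] GET /\n")
        sealed = build_manifest(root)
        clean = verify_manifest(root, sealed)
        # Changes made after sealing, as an examiner would want them detected.
        (root / "auth.log").write_text("2023-03-01 09:00:01 sshd: accepted user bob\n")
        (root / "access.log").unlink()
        (root / "new.log").write_text("unexpected\n")
        tampered = verify_manifest(root, sealed)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("intact after sealing:", is_intact(before))
    print("discrepancies after changes:", after)
```

The manifest only proves that the files match what was sealed; it says nothing about tampering that happened before collection, which is why the hashes have to be taken at the moment of acquisition and stored separately from the evidence they describe.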
Although this seems complicated, digital forensic investigators have been using this method and this data source to complement, support, or challenge conclusions drawn from other sources of data (Carrier & Spafford, 2003). Another method used to exploit the data source of time packages during a digital forensic investigation is dynamic time analysis (Carrier & Spafford, 2003). On a network or on the internet, web servers usually have the ability to add timestamps to web pages that are then transferred to the computers of the pages' users. The timestamp in the log file can then be compared with the timestamp acquired from the web server through dynamic time analysis, which allows better precision during the investigation (Casey, 2004). Although acquisition of this data source is more complicated than for general logs, and there is a greater possibility that this data source will be present in an encrypted environment, time packages are not easy to forge. Thus, they are better for incidents such as network intrusion, which usually cannot be analyzed with the help of general logs only.

System Files

In digital forensic investigation, forensic scientists come across many sources of data and use them to reconstruct an event; however, the most common is system files, or files created and maintained by users of the system (Carrier, 2005). Experts have divided system files into two basic types. One type is persistent data, which is preserved automatically by the computer on a hard drive or storage media when it is turned off. This type of data is easy to access. The other type is volatile data, which is usually stored in the system's memory and is lost in the transition (Carrier, 2005). Trained digital investigators are able to access volatile data from registries, caches, and RAM, where volatile data is usually present.
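Both methods described for time packages can be written down as small computations. The following Python is an added example, not from the paper or from Carrier and Spafford; the event names and timestamps are constructed. bound_event_time() generalizes the X, Y, Z case to an ordered chain of any length, bounding each undated event by its nearest dated neighbours, and clock_offset() with to_server_time() shows the dynamic time analysis comparison: the time a local system logged receipt of a page against the timestamp the web server embedded in it, with the resulting offset used to re-express the local log in server time.

```python
from datetime import datetime, timedelta


def bound_event_time(known, order):
    """Time bounding method.

    known: {event_name: datetime} for events whose time is established.
    order: event names earliest-first, as reconstructed from the evidence.
    Returns {event_name: (lower, upper)}. A known event has lower == upper;
    an unknown event is bounded by the latest known predecessor and the
    earliest known successor (None where no such neighbour exists)."""
    bounds = {}
    for i, name in enumerate(order):
        if name in known:
            bounds[name] = (known[name], known[name])
            continue
        preds = [known[p] for p in order[:i] if p in known]
        succs = [known[s] for s in order[i + 1:] if s in known]
        bounds[name] = (max(preds) if preds else None,
                        min(succs) if succs else None)
    return bounds


def clock_offset(local_logged, server_stamped):
    """Dynamic time analysis: the offset of the local clock relative to the
    web server, measured from one page whose server-embedded timestamp is
    known alongside the local log entry recording its receipt. Positive means
    the local clock runs ahead of the server (transfer delay is ignored here)."""
    return local_logged - server_stamped


def to_server_time(entries, offset):
    """Re-express local log entries of (datetime, description) in server time."""
    return [(stamp - offset, desc) for stamp, desc in entries]


# Constructed scenario: X and Z have established times; Y is only known to
# have happened between them.
KNOWN = {"X": datetime(2023, 3, 1, 9, 0, 0), "Z": datetime(2023, 3, 1, 9, 10, 0)}
ORDER = ["X", "Y", "Z"]

# Constructed page fetch: the local access log says 12:00:30, while the page
# the server delivered carried a generation timestamp of 11:58:00.
LOCAL_FETCH = datetime(2023, 3, 1, 12, 0, 30)
SERVER_STAMP = datetime(2023, 3, 1, 11, 58, 0)


if __name__ == "__main__":
    for name, (lo, hi) in bound_event_time(KNOWN, ORDER).items():
        print(f"{name}: between {lo} and {hi}")
    offset = clock_offset(LOCAL_FETCH, SERVER_STAMP)
    print("local clock ahead of server by", offset)
    print(to_server_time([(LOCAL_FETCH, "GET /index.html")], offset))
```

The bound for Y is only as tight as the dated events around it, so the practical value of the method comes from combining several independently dated events into one ordering; the server comparison, in turn, assumes the server's clock is itself trustworthy, which is why it is used to cross-check local timestamps rather than replace them.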
However, one of the major challenges with this data source is that volatile data is temporary, and thus it really tests the skills and capability of investigators, since collection sometimes results in damage to the hard drive or storage media. Within the data source of system files, then, persistent data is easy, but volatile data calls for a complicated investigation. Despite these challenges, system files enjoy a very high priority in incidents such as insider file deletion or insider theft, and they also give beneficial results in incidents such as malware installation (Carrier, 2005). In most operating systems, there are usually two groups of files: one for user files and the other for structural information of the system. Investigators can therefore easily access information from this data source using different methods and tools according to the operating system.

POTENTIAL USEFULNESS

                          General Logs   System Files   Time Packages
  Network Intrusion             2              3              1
  Malware Installation          1              2              3
  Insider File Deletion         3              1              2

  * 1 = highest priority, 2 = normal priority, 3 = lowest priority

Based on the discussion, the table above indicates the priority given to the different sources of data according to their potential usefulness in three different events that are commonly encountered in digital forensic investigation. In network intrusion, time packages enjoy the highest priority, as they give the closest estimate of the time of events, which is very important during analysis of such an incident. In malware installation, general logs are the most important source of data, whereas in the incident of insider file deletion, system files can be the best source of data, as they can allow recovery of the deleted file while ensuring complete preservation.

CONCLUSION

In conclusion, the paper discussed some of the different sources of data that are utilized during digital forensic investigation.
It is anticipated that the discussion of these sources will be beneficial in better understanding the topic.

REFERENCES

Arasteh, A. R., Debbabi, M., Sakha, A., & Saleh, M. (2007). Analyzing Multiple Logs for Forensic Evidence. Digital Investigation, 4S, pp. S82-S91.

Carrier, B. (2005). File System Forensic Analysis. Addison-Wesley Professional.

Carrier, B., & Spafford, E. (2003). Getting Physical with the Digital Investigation Process. International Journal of Digital Evidence, 2(2).

Casey, E. (2004). Network Traffic as a Source of Evidence: Tool Strengths, Weaknesses, and Future Needs. Journal of Digital Investigation, 1(1), pp. 28-43.

ENFSI. (2003). Guidelines for Best Practice in the Forensic Examination of Digital Technology. European Network of Forensic Science Institutes.

Kent, K., Chevalier, S., Grance, T., & Dang, H. (2006). Guide to Integrating Forensic Techniques into Incident Response. NIST SP.

Sheldon, B. (2002). Forensic Analysis of Windows Systems. In Handbook of Computer Crime Investigation: Forensic Tools and Technology. Academic Press.