Principles of Cyber Forensic - Literature review Example

Cyber Forensics Student‘s Name: Institution: Table of Contents Introduction 3 Digital evidence 3 Principles for cyber forensic 4 Cyber Forensics Investigation 5 Cyber Forensic System Examination 6 Cyber forensic investigation 7 Cyber Forensic System Analysis 7 Cyber Forensic Results Preservation 7 Cyber Forensic Evidence Validation 8 Cyber Forensics Evidence Presentation 9 Computer Data Threats 9 Crime Scene Location 10 Forensics Investigation Techniques by Use of digital Forensic Tools 11 Open Source Cyber Forensic Tool 11 Importance of Cyber Crime Reconstruction Hypotheses 13 Challenges Faced by Forensics 14 Conclusion 14 Reference List 16 Appendix 1 19 Introduction The drastic growth in internet and computer technology has resulted into a tremendous raise in internet and computer crimes. The crime that is commonly experienced entails computer viruses or computer system hacking. This paper discusses cyber forensics which is a process of investigating the cyber or digital crime, collecting the data, as well as analyzing them to come up with enough tangible digital or physical evidence that can be presented into a court of law to and ensure that the suspect is justifiably judged. The paper discusses what digital evidence entails, principles of cyber forensic, and the computer data threats. The processes of investigation used to preserve, locate, select analyze, validate as well as present digital evidence are discussed. The techniques involved in investigating basic cyber forensic using forensic tools are discussed. The importance of crime reconstruction hypothesis is also look at. In conclusion the paper gives a brief summary of the discussed content Digital evidence Wang (2007) indicate that while cyber cases are being considered, the chief digital evidence may be grouped into four classes which include balance statement of the bank, express invoices delivery, electromagnetic records and other objects that are beneficial. Literature defines digital evidence as every digital data, which can give an important connection between the victim and the perpetrator. Therefore digital evidence is computer stored data, which can be utilized to prove behavior of a criminal (Bader et al., 2007). Digital evidence can be modified and copied easily, however it is hard to maintain its original condition. Therefore, source of original digital confirmation is exposed to doubt. Digital evidence integrity and source are not proved easily. Since producing an electromagnetic record is very easy, it is as well very easy for it to be modified or copied. Therefore it becomes hard to infer directly the relationship between the suspect as well as the obtained evidence (Brueckner et al., 2008). Wang (2007) argues that digital information presentation cannot be perceived well by man senses. The reason being electronic record has been recorded electromagnetically and stored in the system of a computer. Therefore it is essential for its content to be perceived without suitable tool kit help. Principles for cyber forensic Digital forensics deals with digital evidence investigation, evaluation, preservation as well as presentation. according to Arasteh et al (2007, p.82) cyber forensic plays a chief role by giving methods that are scientifically proven to collect, process, use and interpret digital evidence so as to come up with cyber crime actions conclusive description. Arasteh et al. indicates that analysis of cyber forensic can be classified into timeline analysis, analysis of common vulnerability, analysis of root cause, baseline analysis as well as analysis of semantic integrity verification (Nicholson et al., 2012). According to Bednar et al (2008) digital forensics is employed as a requirement reminder of performing analysis and investigation in such a way that the results would be permissible to the law court. Brinson et al (2006) argues that investigation of digital forensics is a digital investigation of special case where the techniques and procedures used will permit the findings to be presented into a law court. Brinson et al. also indicates that the major concern of digital forensics is to investigate, evaluate, preserve as well as present digital evidence as judicial process part. Digital forensic subject’s arena turns not only significantly overwhelming but also systematically complex even for skilled investigator. Additionally, digital forensic is systemic process which is rich of uncertainties. Cyber Forensics Investigation The main investigation objective is to reveal crimes and gather proof with a hope of determining the truth. In this case available evidence whether adverse or favorable has to be collected so as to ensure justice is done to the trial victim (Katos & Bednar, 2008). The chief features related with giving reliable evidence involves case clues provision, modus operandi study, evaluating the connection between crime scene and the suspect, testimony proofing, suspect interrogation and investigation direction provision. Principles and procedures for computer based criminal investigation have no difference with traditional investigations (Shaw, 2006). According to Hadjidj et al. (2009) cyber or digital forensic investigation is used to gather credible evidence by evaluating collections of data to prosecute cyber criminals in the law court. The author indicates that when the crime happens in emails accounts, the email analysis scope ranges from keyword simple searching to anonymous e-mail authorship attributes. An investigator in cyber forensic attempts tries to establish the writer of the disputed anonymous e-mail who is listed as the first suspect. Yim et al. (2008) states that investigation entail gathering information about the attack. According to Yim et al. forensic can be defined as alert gathering that provide information of attacks where an attack contains a relative successful events as well as events subset. Cyber Forensic System Examination After getting the scene evidence, the evidence should be analyzed. Common sounds, pictures, documents of a computer can be examined using various number of software programs (Brinson et al., 2006). Although, the detected document is the greatest problem, sometime being evaluation of the document as the one originating from a malicious source would of great help in documenting the evidence (Brinson et al. 2006). Therefore, hard disk slack space must be scanned as well. This is primary reason for applying a method of bit-stream-copy. There must be application of a software tool to perform document rebuilding as well as string searching. According to Wang and Kao (2009) internet attack investigation is same as trailing a wild creature. After a system suffers from an attack it need step by step analysis to ensure the mess is well handle so as to avoid further difficulties. The first thing that should be done is examination of the basic performance of the system. Once an attack takes place, a sure and swift reaction should be applied; the system administrator should not gable with available time. Immediate examination would be an appropriate thing to be done before any other operation takes place (Briston et al., 2006). A machine original setting should be checked after performance examination. A number of spiteful programs are situate to start impulsively thus giving the attacker power over compromised machine (Yim et al., 2008). Thus the startup content as well as related file content of the system must be examined. Window program of any kind can document itself like a service and load automatically, when a computer is booted (Nykodgm et al., 2005). The last step involves examining the system to checking if there is a presence of malware in a system. Various malicious programs are used to attack internet based computers (Choo, 2011). Although the particular malicious behaviors of a program are irregular, it is still possible to distinguish their operation methods through searching and scanning for strange executable files. The best starting point for this kind of investigation is inspecting files that have evidence of being modified recently. Appendix one gives screen shot taken while scanning different system for threats (Yin et al, 2008). Cyber forensic investigation Cyber Forensic System Analysis After evidence analyses and examination, the connection between the suspect and forensic results must be analyses forensics results can be linked to behavior of a suspect through examination, individualization, comparison and classification of the evidence. According to Arasteh and Debbabi (2007), analysis process involves differentiating normal form abnormal operation in a system. In most attacks, the criminal leave a mark in the digital device. Therefore in analysis stage, investigator should try to identify the hackers attack packet when computer is operational (Wang, 2007) Cyber Forensic Results Preservation The most essential thing immediately after getting into the crime scene is evidence preservation. This is especially more vital in case of internet crime digital evidence. Digital evidence is fragile in nature (Yen et al., 2008). It can be altered at whatever time a mouse is clicked or keyboard is stroked. if the evidence is mishandled it could yield to evidence bleaching , data inaccessibility, inability to demonstrate that the suspect was devoted to the crime or worse lacking the evidence to show (Nikkel, 2005). For valuable analysis of data, features such as that collected the data, where and how, who possessed it, how it was stored as well as who took it out of storage are investigated. According to Wang (2007) when investigator should not shut down the computer immediately after arriving in the cyber crime scene. This is because if switched off, data and program held in memory would be lost inevitably and could also damage the evidence. Therefore before handling any information scene video or photographs have to be taken. Nikkel (2005) indicates that copying stored evidence from the computer needs unique tools and should be done bit after bit. The investigator should ensure that the evidence should not be altered or amended during the process of copying. Yen et al. (2008) indicates that there are scientific techniques created by SOPs, rationality and forensics experts that can be used in cybercrime evidence analysis, comparison, classification, recording, capturing, preservation, and identification. Cyber Forensic Evidence Validation According to Backett and Slay (2007), validation is verification by evaluation and objective evidence provision that a procedure, technique or a tool functions as intended and correctly. Validation always evaluates whether the developed product is the right product. In digital forensic validation is used to test if the used forensics tools are reliable in their testing mechanism. Every tool used in digital evidence evaluation should efficient enough to produce the best result possible (Carrier & Spafford, 2004). Evidence validation is done by use of a well design model that purposed for that task. To develop a validation model, there is a need to describe a discipline consisting of enough details so that isolated functions can be used in model development (Carrier & Spafford, 2004). A well developed model will be accurate in validating whether certain evidence fit for a specific claim. In most cases validation applies to the forensics applied in testing the evidence. If the forensic tools used passed the validation test, then we can as well consider the evidence validated. According to Beckett and Slay (2007) validation is normally a balance amid technical possibilities, risks, and cost. Cyber Forensics Evidence Presentation The finding of forensic investigation should be presented clearly. When discussing evidence source, cause as well as relationship of evidence and the suspects, any other explanation that is possible have to be put aside to confirm the last conclusion, therefore proving not guilty or guilty hypothesis (Wang, 2007). Rising of evidence suspicion may make the evidence to be doubted. Additionally, a good representation could give investigators clues to crack other pending or future cases crime cases. Thus efficiently improved forensic results as well as techniques may aid in stopping cybercrimes (Yen et al., 2008) Computer Data Threats According to Choo (2011) System security and data threats encompass artificial and natural disasters, mistakes from internal workers as well as competitors and hackers overt act. There are three types of threats that include internal acts, omission or error, and natural disasters. While the last two happens accidentally, the first one is as a result theft, embezzlement, computer fraud as well as mischief. In most cases these threats affects data integrity, availability, and confidentiality. Information is always faced by three kinds of threats that include undesirable modification or use, unauthorized access, and destruction or loss (Jung et al, 2001). According to Jung et al. (2001) Threats are classified into interruption, modification, fabrication as well as interception classes. Interruption threat takes place where the system’s asset become unavailable or it is completely destroyed. In data this takes place where file management system is disabled, data file or programs are erased, as well as OS manager failure. Interception happens when unauthorized entity gets access to the system (Nicholson et al., 2012). This entity could either be a computer, a program or a person. A good example of this is wiretapping were illegal programs or file copying, as well as traffic analysis takes place. Modification takes place when data transmission content is altered, an aspect that yield into unauthorized result or action. a good example involve altering items values, changing a program so as it can execute incorrectly, as well as incoming message modification (Narvaez et al., 2010). In fabrication, an attacker introduces counterfeit things in the system. A good example of this is spurious message insertion or file records addition. Threats on network security may be characterized by watching computer system function that is giving information (Choo, 2011). Crime Scene Location According to Carrier and Spafford (2004), a digital machine being examined can be treated as a digital scene of crime, and thus it should be examined as physical crime site subset where it is positioned. Physical evidence can be found in server area in which the employee was the attacker. Additionally, evidence of usage may be found around a personal computer which consists of contraband. Moreover, majority of digital investigation end goal is to establish an individual who is accountable and thus the digital investigation ought to be treated as physical investigation (Katos & Bednar, 2008). After the crime scene is identified, digital investigation starts and it applies five chief phases. The first phase is preservation which lowers number of data that is replaced on the system. The common process applied in the phase involves system data duplication which is followed by an investigation in particular surroundings where copies are not altered (Arasteh et al., 2007). Survey which is the second phase investigates evidence obvious location and come up with a plan on how look for extra evidence in the system. Documentation of the system is carried out and a complete search is performed (Shaw, 2006). Reconstruction phase evaluate the evidence to establish the events that took place during the crime. The phase evaluates the digital and physical evidence which was gathered and seek to establish the events which happened at the scene of crime and apply them in crime hypotheses testing. This phase is based on crime theories and hypotheses refining as well as formulation a process which is highly conceptual than a real process (Brueckner et al., 2008). Forensics Investigation Techniques by Use of digital Forensic Tools Open Source Cyber Forensic Tool This technique applies three chief phases in solving a digital crime. The initial phase is acquisition phase. This phase stores the digital system state for later analysis (Lim et al., 2011). This is equivalent to taking tire patterns, blood samples, fingerprints and photographs from the scene of crime. Since in all crimes no one knows which information will be relevant for the evidence, all possible digital evidences are considered in this phase. At least, the unallocated and allocated hard disks sections are copied. The tools used in this phase should not modify the collected data (Arsteh & Debbabi, 2007). In analysis phase, acquired data are examined to spot evidence pieces. In this investigation three evidence categories are targeted. These evidences include inculpatory evidence, an evidence that support a known theory, the next one is exculpatory evidence an evidence that contradict a known theory and finally, tampering evidence an evidence that cannot be associated with any known theory but indicates that the scheme was interfered with to shun identification (Carrier, 2003). Additionally, the phase examines contents directories and files getting back deleted content. Evidence conclusion is drawn in this phase by use of scientific method (Lim et al., 2011). This phase contains tools which are applied in analyzing a system of files to catalog deleted files names and contents of directories. Additionally, the tools aids in recovering the deleted files as well as in presenting data in a very useful format (Navaez et al., 2010). The phase must apply an exact original copy that can be established by manipulating a checksum of MD5. It is essential that the tools indicate every data existing in an image (Kent et al., 2006). There is no specific procedure sets for presentation as there is in the other two phases. Presentation phase is entirely based on law and policy that differ in every setting. Additionally, the phase presents investigation conclusion as well as the matching evidence (Serra & Venter, 2011). In a business examination, the audience characteristically includes executives, human resources, and general counsel. In this case what to be presented is dictated by corporate policies as well as privacy laws. In a legal environment, audience are normally jury and a judge, however evidence must first be evaluated by lawyers before it is handled over to them (Arasteh et al., 2007). Digital evidence in United States must pass Daubert test before they are considered in a court of law. The test recognizes four general sections that era applied as principles when a procedure is being assessed. The four sections include testing where it is evaluated if a process has been tested or not. This is followed by error rate section where it is established if the process contains any error and if yes to what rate (Katos & Bedar, 2008). Then publication is done where it is evaluated if the processes have been published as well as if it has been focus to peer appraisal. The last step is acceptance evaluation where it is established whether the process is accepted in the scientific community that is relevant (Katos & Bednar, 2008). Importance of Cyber Crime Reconstruction Hypotheses In digital forensic crime five reconstruction phases discussed by Carrier et al. hypotheses are created in the third phase, tested in the fourth and reconstruction takes place in the last phase. Hypotheses are constructed after the survey analysis of protected crime scene (Katos & Bednar, 2008). Hypotheses are important in reconstructing the crime since they give the investigator possible route toward the solution. Since they are constructed after the survey, it means they are well evaluated depending on the crime that has taken place. Hypotheses testing also ensure that the set hypotheses lean more toward the subject of investigation thus the created hypotheses act as a base of reconstructing a crime (Carrier & Spaffford, 2004). While testing the hypotheses in regard to a certain incident, in the reconstruction procedure, we will contain chains of event as well as a unit or more hypotheses concerning the proceedings without any found evidence. Hypotheses are mostly set for the missing proceeding. Each set hypotheses contains a level of confidence attached to it (Carrier, 2003). Testing phase examines all hypotheses to evaluate the one that is mostly likely as well as the hypothesis that can be contested by the available evidence. Therefore, hypotheses assist in reformulating the events that do not have any supporting evidence as long as they cannot be contested by the evidence (Katos & Bednar, 2008). In the phase of role classification which is found in crime reconstruction process, each identities and objects are examined on the kind of information they contain. Using the information of the object, hypotheses are generated based on events caused by the object as well as events that affected the object. These created hypotheses make it easier to investigate and to analyze object’s event, especially where there is no tangible evidence to support the event (Nikkel, 2007). Challenges Faced by Forensics One of the major challenges faced in internet and cyber criminal crime involves the means of getting digital evidence. Digital evidence plays a supplementary role in cyber crime investigation. In most cases digital evidence has been employed in strengthening facts of evidence for a committed crime (Geers, 2010). The major difference of physical and digital evidence is that every examining act would be handled as access in digital evidence collection because the digital evidence content can be changed easily and therefore disqualifying the facts of criminal. The only solution to this problem would involve freezing the contented related to devices based on computer at the original scene of crime (Bednar et al., 2008). Conclusion Digital evidence is defined as every digital data, which can give an important connection between the victim and the perpetrator. Digital evidence can be modified and copied easily, however it is hard to maintain its original condition. Digital forensics deals with digital evidence investigation, evaluation, preservation as well as presentation. It is employed as a requirement reminder of performing analysis and investigation. The main investigation objective is to reveal crimes and gather proof with a hope of determining the truth. Cyber or digital forensic investigation is used to gather credible evidence by evaluating collections of data to prosecute cyber criminals in the law court Once the evidence is collected, analysis of the evidence should be carried out so as to establish a clear picture of the clime. Common sounds, pictures, documents of a computer can be examined using various number of software programs. After evidence analyses and examination, the connection between the suspect and forensic results must be analyses forensics results can be linked to behavior of a suspect through examination, individualization, comparison and classification of the evidence. The most essential thing immediately after getting into the crime scene is evidence preservation. This is especially more vital in case of internet crime digital evidence since digital evidence is fragile in nature During investigation, investigators are advised not shut down the computer immediately after arriving in the cyber crime scene. Finding of forensic investigation should be presented clearly System security and data threats encompass artificial and natural disasters, mistakes from internal workers as well as competitors and hacker’s overt act Modification takes place when data transmission content is altered, an aspect that yield into unauthorized result or action. A digital machine being examined can be treated as a digital scene of crime, and thus it should be examined as physical crime site subset where it is positioned. It has been established that one of the major challenges faced in internet and cyber criminal crime involves the means of getting digital evidence. Reference List Arasteh, A. R., & Debbabi, M. (2007). Forensic memory analysis: From stack and code to execution history. Digital Investigation, 4(1), 114–125. Beckett, J., & Slay, J. (2008). Digital forensics: Validation and verification in a dynamicwork environment. Proceeding from HICSS '07. The 40th Annual Hawaii International Conference on System Sciences. Waikoloa, HI: I EEE Computer Society. Bednar, P.M., Katos, V., & Hennell, C. (2008). Cyber-Crime Investigations: Complex Collaborative Decision Making. Proceeding from WDFIA '08. The Third International Annual Workshop on Digital Forensics and Incident Analysis. Malaga: Spain. Brinson, A., Robinson, A. & Rogers, M. (2006). A cyber forensics ontology: Creating a new approach to studying cyber forensics. Digital Investigation, 3(supplement), 37-43. Brueckner, S., Guaspari, D., Adelstein, F., & Weeks, J. (2008). Automated computer forensics training in a virtualized environment. Digital Investigation, 5(supplement), 105-111. Carrier, B. (2003). Defining digital forensics examination and analysis tools using abstraction layers. International Journal of Digital Evidence, 1(4), 1-11. Carrier, B. D., & Spafford, H. E. (2004). Defining event reconstruction of digital crime scenes. Journal of Forensic Sciences, 49(6), 1291-1298. Choo, K. R. (2011). The cyber threat landscape: Challenges and future research directions. Computers & Security, 30(8), 719-731. Geers, K. (2010). The challenge of cyber attack deterrence. Computer Law & Security Review, 26(3), 298-303. Hadjidj, R., Debbabi, M., Lounis, H., Iqbal, F., Szporer, A., & Benredjem, D. (2009). Towards an integrated e-mail forensic analysis framework. Digital Investigation, 5(3–4), 124-137. Jung, B., Han, I., & Lee, S. (2001). Security threats to internet: a Korean multi-industry investigation. Information & Management, 38(8), 487-498. Katos, V., & Bednar, P. M. (2008). A cyber-crime investigation framework. Computer Standards & Interfaces, 30(4), 223–228. Lim, K., Lee, G. D., & Han, W. J. (2011). A new proposal for a digital evidence container for security convergence. Proceedings from Computing and Engineering (ICCSCE). The 2011 IEEE International Conference on Control System. Penang, Malaysia: IEEE. Narvaez, J., Aval, C., Barbara, E., Christian, S., Ashish, M., & Doug, N. (2010). Assessment of Virtualization as a Sensor Technique. Proceedings from SADFE ’10. The Fifth IEEE International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE). Washington, DC, USA: IEEE Computer Society. Nicholson, A., Webber, S., Dyer, S., Patel, T., & Janicke, H. (2012). SCADA security in the light of Cyber-Warfare. Computers & Security, 31(4), 418-436. Nikkel, B. J. (2005). Generalizing sources of live network evidence. Digital investigation, 2(3), 193-200. Nykodym, N., Taylor, R., & Vilela, J. (2005). Criminal profiling and insider cybercrime. Digital Investigation, 2(4), 261-267. Serra, S.M., & Venter, H.S. (2011). Mobile cyber-bullying: A proposal for a pre-emptive approach to risk mitigation by employing digital forensic readiness. Proceedings from ISSA ’11. The 2011 Information Security South Africa (ISSA), Johannesburg: IEEE. Shaw, E. D. (2006). The role of behavioral research and profiling in malicious cyber insider investigations. Digital Investigation, 3(1), 20-31. Wang, S. (2007). Measures of retaining digital evidence to prosecute computer-based cyber-crimes. Computer Standards & Interfaces, 29(2), 216-223. Wang, S., & Kao, D. (2007). Internet forensics on the basis of evidence gathering with Peep attacks. Computer Standards & Interfaces, 29(4), 423-429. Yen, Y., Lin, I., & Wu, B. (2011). A study on the forensic mechanisms of VoIP attacks: Analysis and digital evidence. Digital investigation, 8(1), 56-67. Yim, d., Lim, J., Yun, S., Lim, S., Yi, O., & Lim, J. (2008). The Evidence Collection of DoS Attack in WLAN by Using WLAN Forensic Profiling System. Proceedings from ICISS ’08. International Conference on Information Science and Security. Seoul: IEEE. Appendix 1 Screen short 1: the collected forensic evidence Screen short 2: VM WARE Evidence Tracing Read More