Forensic Data Analysis - Essay Example

Forensic Data Analysis Table of Contents Introduction ……………………………………………………………………………..3 Network Forensics ……………………………………………………………………….4 Database Forensics ……………………………………………………………………….6 Cloud computing forensics ………………………………………………………………7 Cyber forensics user behavior profiling…………………………………………………9 Communication Forensic Analysis ……………………………………………………..11 Conclusion…………………………………………………………………………………13 References…………………………………………………………………………………15 Bibliography……………………………………………………………………………….16 Introduction One major drawback to technological innovations is computer crime. For instance, cybercrime is very common on the internet and at the same time growing at such an exponential rate. This particular trend can be attributed to the increasing internet usage from both individuals and enterprises, whereby this particular crime is being aided with opportunities for anonymity and non-accountability when using the internet, and also the ability to easily acquire technological products that can be used to perpetrate online crime. As a result of this, online criminal rings have emerged and they are therefore broadening their exploitations on technological systems vulnerabilities by targeting both individuals and enterprises that rely on technology for their day to day business transactions. These computer related crime pose a lot of threat to the global society because they are conducted in a very sophisticated, effective, and malicious matter. For instance, spamming has transformed itself from just a resource wasting nuisance to a medium that is constantly being used to distribute malicious software programs that could be used in criminal activities such as; identity theft, and distribution of pornographic contents to under age kids. Also spamming towards computer programs, instant messaging systems, weblogs, and mobile devices, make these technological products very vulnerable to worms, viruses, and fraud. In the context of mobile device, criminals in possession of mobile phones can easily conceal their identity hence enabling impersonated messages which can facilitate; spam, fraud, and viruses or even enable these same criminals to access the mobile devices features together with its contents remotely without the user’s knowledge. These criminals may remotely log into a users systems such as a personal computer and use it to commit crime that would otherwise look as if it was perpetrated by the owner of the computer. Such kind of crime presents new challenges to forensic investigators because they are very difficult to investigate as to who actually did what. Even though currently there is ongoing work which is targeted towards cyber crime prevention, there is also need to focus on developing tools that will aid law enforcement agencies or corporate security experts to investigate the crimes that have actually been committed. Criminals across the world are therefore taking advantage of these particular loopholes from technological products and using technological system vulnerabilities to actually perpetrate crime. These crimes are either new crimes committed with and born out of new technology, or other traditional crimes committed in aid with modern technology (CISC, 2010). It is due to this background that the field of forensic data analysis has emerged whereby this particular discipline is laying significant emphasis on; Network forensics, database forensics, cloud computing forensics, cyber forensics, and communication forensics among others. This is so because these are the areas that have been cited to be grossly affected with cyber crime. Network Forensics It may be defined as the process of collecting and analyzing raw network data and tracking network traffic simultaneously so that the investigators may ascertain how a certain type of attack occurred on the network. Network forensics basically tries to reveal the crimes that were committed using certain computer networks. With network forensics, it is possible to reveal information on which ports that were used in accessing the network. When system intruders illegally access a computerized network, they usually leave behind some trail. By the forensic personnel having the ability of spotting variations in network traffic, then this becomes very crucial towards network forensic initiatives. Network forensic techniques In network forensics, evidence does not only reside on a single drive but rather on a number of drives found within the network. One of the key sources of logs is usually the Internet Service Provider (ISP). They ISPs are very useful in the sense that their dial up customers have to be authenticated before the clients call is dynamically assigned any IP address by the Dynamic Host Configuration Protocol (DHCP). This particular IP address will be associated with a DNS hence enabling reverse lookup. The authentification process is performed by the Remote Authentification Dial-In User Service (RADIUS) whereby RADIUS does not only authenticate the calls but also maintain copy of records that can be used in tracking down suspects. Some of the RADIUS information may include; login name, the telephone number used, connection time, and the assigned IP address. When a forensic investigator gets hold of this information, he may use it to track down the suspect (Joseph, 2008, p.319). Network forensics investigators may also use e-mail and new postings in conducting their investigations. This is possible because e-mail servers maintain logging information. Outgoing mails use the Simple Mail Transfer Protocol (SMTP) which does not require any sort of identification. The SMTP at the client will send email messages to SMPT server or the ISP which will also send the same email to its destination without any form of authentification whatsoever. However, for such emails to have some degree of trust, certain authentification protocols such as the Secure Multipurpose Internet Mail Extension (S/MIME) have to be used on top of STMP whereby SMTP servers are known to maintain logging information which could be very crucial to the network forensic investigators (Joseph,2008 ,p.320). Also today’s internet browser saves the web browsing activity of users account on different machines. For example, Microsoft Internet Explorer stores users browsing information in a file known as index.dat and Firefox/Mozilla/Netscape store this same information in a file known as history.dat. These two files are normally hidden from ordinary computer users and in order to view them, the internet browsers have to be set up in such a way that both hidden and system files can be easily viewed. With computer forensics, this critical information can be gathered from users internet browsers by exploring on the suspects browsing history, the number of hits in a particular website, files uploaded and downloaded from a website, cookies set up, and other crucial information that may assist in the investigation process. Forensic investigators may apply the index.dat analyzer to view, examine, and delete contents of index.dat files, and also the tool can be used to automatically open files uploaded or downloaded from a website. Other forensic tool in this category may include Total Recall among others (Natarajan, Sumanth, & Loretta, 2009, p.16). Forensic investigators may also use packet sniffers to monitor and collect information about the different communications techniques that are happening across a certain network. Sniffers are also widely applied in Intrusion Detection Systems (IDS) mechanisms to match packets against some specific set of rules which are designed to notify the administrators on anything malicious or strange. Some of the widely used packet sniffing software’s include; ethereal, WinPcap, AirPcap (Natarajan, Sumanth, & Loretta, 2009, p.17). There is also the Dynamic Host Control Protocol (DHCP) database that provides a way of determining the MAC address that is associated with the computer in custody. DHCP server has the capability of maintaining list of queries along with the MAC address whereby the database can be easily queried by giving the time duration which the particular IP address accessed the server (EC-Council, 2009). Database Forensics The compromising of computer data bases has already gone mainstream because criminals have already realized that huge and valuable amount of information are usually stored within the data base systems. This has made computerized databases to be under severe attacks with increasing regularity and tenacity whereby exploits for data base vulnerabilities are becoming increasingly commonly posted every where on the information superhighway. Large enterprises which store very vital information such as client’s personal details and trade secrets are more concerned on the privacy of their databases. This forces investigators to periodically perform forensic analysis on the enterprise data base system. One of the key areas that is likely to contain potential evidence is the audit trail because it contains key information that is related to the database whereby these information may include; updates, inserts, and deletes. Other information that may form potential evidence is; Meta data from transaction logs, web logs, and deleted data. Forensic examination of databases may also relate to the time stamps which apply to the period that certain rows were updated. This will then be tested and inspected so that the actions may be verified. Transactions within the database system may also be identified on the basis of retrieving evidence for wrongdoing. Tools such as ACL, Idea and Arbutus may be used to manipulate and analyze data because these same tools provide documented proof on all the tasks and analysis that the forensic examiner performed on the data base. Cloud computing forensics Businesses across the world are rapidly adopting cloud computing whereby government agencies are also not left behind. This particular technology is being perceived as one of the most transformative piece of technology in the history of computers. With a shift towards this technology by enterprises today, criminal gangs have started exploiting loopholes and vulnerabilities associated with the new technology. This has therefore forced cloud organizations providers together with their clients to establish well defined forensic procedures in order to ensure that robustness and suitability of their services support investigations which are related to criminal activities. With cloud computing it is very difficult to obtain digital evidence because the amount of information that is available to the investigators strongly diverges between the various cloud service providers and deployment models. According to Dominik (2011) there are three components that can assist in providing potential evidence which are: Virtual cloud Instance: This is where processes are handled and data are stored. It is usually the main place that incidents happened and may act as a good starting point for any forensic investigation. Network Layer: The various ISO/OSI network layers will provide a number of information and protocols and communication between instances within the cloud as well as instances outside the cloud. Client system: The internet browser on the client system is usually the only application that communicates with the cloud hence the evidence gathered from the browsers history files should not be discarded. Also in the context of cloud computing, three models are mainly used, these are; Infrastructure as a service (Iaas), Platform as a service (PaaS), and Software as a Service (SaaS). Forensics in SaaS Environment Here the client is under no control whatsoever with the underlying infrastructure such as ; operating systems, servers, and networks. This implies that no deeper view of the system is provided to the customer which will force the investigator to rely on high level logs that can only be provided by the Cloud Service Provider (CSP). Going by the fact that CSP do not run login application, the client cannot establish evidence personally which also cannot allow valid forensic investigations. In addition, the evidence derived has to be properly interpreted by the investigator in a sound manner which is very difficult due to the inability to access circumstantial information. Forensics in PaaS Environment Its key advantage is that the core application is under the clients control because the customer can indicate how the application interacts with dependencies such as storage and databases. The login mechanism can also be easily implemented which will sign in the information automatically and transfer it to third party storage. Because the customer can interact with the platform over an Application Protocol Interface (API) then specific application logs can be retrieved which could therefore be used in retrieving evidence for forensic investigations (Dominik, 2011, p.3). Forensics in IaaS Environment The IaaS instance provides more information that is crucial in a forensic investigation. Previously forensic experts depended on computers to be switched off so that they could retrieve forensic evidence, but with new technology such as snapshot supported by popular hypervisors such as the Xen, VMware, and Hyper V, virtual machines can be clocked by just the click of a mouse. It is very advantageous in the sense that systems which hold sensitive information do not have to be switched off to retrieve evidence from them which might be related to logged users, open ports, running processes, and system & registry information among others. This log data can then be transferred to an external system because improperly shutting down of the system, might destroy the already gathered evidence (Dominik, 2011, p.4). Other techniques that could be applied in cloud forensics may include; Sniffers may be deployed within virtual machines so that they may capture traffic flowing between virtual systems which are communicating across the hardware backplane. The cloud provider forensic work station can be used in gaining quick access to both the static and live systems, the cloud administrators may also be relied upon to provide backing and imaging tasks (Jennifer, 2010,p.25). Cyber forensics user behavior profiling Criminal profiling in a traditional investigation scenario is being estimated in some studies to be as high as 77% and there is no empirical reason that this will force cyber forensic investigators into believing that this particular technique cannot be equally effective in computer related investigations. This is so because cyber forensics incorporates a number of stages identical to a regular criminal investigation (Tommie & Aaron, 2010, p.186). With digital evidence being volatile and easy to contaminate, then reliable, accurate, and a true representation of the logs and audit trails have to be properly established and validated. This is so because at the end of the day the forensic investigators would like the trail of the evidence to identify the offender, and with computer systems being used as evidence, or tools to gather evidence, it becomes somehow tricky to place a suspect behind the keyboard of the system in question (Panagiotis, 2006, p.139). Computer forensic investigations may be separated into two, one whereby there is some incident and the identity of the offender is unknown, and secondly, where both the offender and incident are known. By having a profile, an investigation strategy may be developed and used to narrow list of potential suspect. The forensic investigator during the profiling process will be forced to focus on specific evidence and any indication of suspicious activity such as the key word searches and internet browsing history and also during this process all the information which are related to the offenders signature behaviors and motivation should act as piece of evidence. It has also been found that criminals tend to have their own unique style of operation which is usually developed over a period of time and these may include; running attack scripts, and writing and compiling codes among others. The criminal is also likely to leave artifacts that are relevant and can assist the investigator to understand their signature behaviors which are more personalized and they involve singing files or codes with personalized nicknames. The forensic investigator being armed with a better understanding of the criminal, he/she can therefore derive some specific search criterion to be used in their criminal analysis whereby this may include; history files, possible location of residue, and the key words to be used in the search. There should also be a search of the allocated, unallocated, and ambient data areas such as the deleted files, slack space, and swap space which provides to the forensic investigator a much clearer picture on the areas where to focus the search on, together with the chronology of events (e.g. modification of files, time of accessing files, and the files that were accessed) (Marc, 2003). With offender profiling the forensic investigator can now focus on certain suspects (e.g. cyber terrorist, hackers, and virus writers) whereby at the most basic level the suspects profile should identify them as either skilled or unskilled, and even the motivation behind the attack. With the profile information, the investigator can also know which other areas they should focus on when searching for further evidence. The suspects systems can further on be examined to see if there is anything that makes it more attractive whereby indicators such as the type of data that is stored in it, operating system being used, applications deployed on the system, network interconnections, and internet sites that were frequently visited, all these needs to be taken into consideration in order to have a successful criminal prosecution. If the offense in question is related to personal attack such as pornography or defamation, then individual habits of the system owner should be analyzed in order to come up with a more reliable profile (Marc, 2003). Intelligent agents can also be used in criminal profiling whereby they can be used in making independent choices based on certain rules. Tasks can therefore be automated such as sorting out e-mails according to certain preferences, assembling customized news reports which are instrumental in investigating criminal activities. These predictive agents may carry on tasks such as monitoring and surveillance on information systems and may be useful in tracking the company inventory, and also following patterns pertaining to behaviors of stock manipulation by insider trading and rumors (Panagiotis, 2006, p.275). Communication Forensic Analysis Mobile phones and other hand held devices are becoming increasingly popular whereby it is being estimated that there are approximately 5 billion mobile phone subscribers across the world (CNET reviews, 2010). With technology transforming very rapidly, these devices processing speed are rivaling laptop computers and their storage capacity is also becoming increasingly high. This has in return led into these devices replacing traditional PC and Laptop computers because these devices encompass various features that enable their users to perform a number of functions such as; storing personal data, browsing the internet, sending Text messages, checking e-mails, making audio or video calls, and taking pictures among others. These devices include; cell phones, I-Pods, I-Pads, and Blackberries among others. It is with this increasing popularity of these devices that forensic investigators have been presented with new sets of challenges in conducting their day to day activities. This is so because data recovered from these devices is crucial in solving incidents which are related to criminal activities. There are quite a number of information that are present in mobile digital devices that may be used as evidence, these include Devices memory A lot of forensic related information can be obtained from the memory and these may include; voice mail, videos, telecommunication settings, T9 dictionaries, system firmware information, text messages, pictures stored, multimedia messages, memos, Instant Messaging chat, internet history, e-mail, contacts, call history, calendar entries, and audio files among others (Jansen & Ayers, 2007, P.57). Potential evidence may also be obtained from these devices internal/embedded memory such as the NAND memory. There are certain devices such as HP IPaq and Palm Pilots that are known to lose data whenever the devices battery becomes exhausted, in such scenario, prudent measures should be taken to ensure that potential forensic information is obtained before the devices power is exhausted. These devices also come with compact hard drives less than 1 inch that have a very high storage capacity which may go up to 40 GB. The forensic investigator may therefore use some traditional forensic investigation tools and techniques to analyze such type of memory in these devices (Shafik & Richard, 2008, p.3). Cellular SIM Cards The SIM is usually Electronic Erasable Programmable Read Only Memory which is assigned a unique cell phone number from the network and tied to the devices IMEI number of the handset. The suspect may use his SIM to store information such as text messages and contact details. If forensic investigators discover cell phone in any scene of crime, he may use the phones IMEI number in collaboration with the Telkom operators to find out which SIM cards have so far been used with the phone. After having information on SIM cards, he may be able to retrieve owner information and possibly his identification details which could later on be used to trace suspects (Michael & Debra, 2008, p.366). Memory Cards These are widely used with handheld digital gadgets such as cell phones, I-Pads, and video game consoles among others. Some of the potential evidence that may be found on memory cards may include; pictures, movies, audio files, and documents among others. Most of the memory cards use windows based FAT file systems which makes the recovery of deleted files very viable by using some common forensic tools such as the FTK or Encase (Shafik & Richard, 2008, p.4). Network Service Provider There is quite a number of potential forensic evidence that can be derived from Telkom operators provided that the forensic investigator has consent from relevant authority. These may include; Subscriber location: This is basically the geographic location of the physical device which in return could assist to trace where the owner is currently located. Call data records: These are the calls made together with the text messages sent. Subscriber information: These include Identity such as driver’s license and occupation. Conclusion Digital forensics is aggressively increasing in scope and size due to the prevalence and proliferation of technological products. With increasing popularity on these products, substantial potential evidence and information which are important to investigations can be derived from these products whereby ignoring these products would be negligent and may lead to incomplete investigations. Forensics toolkit manufacturers are also having a difficult time developing products that can seamlessly interface with each and every product in the market. It is therefore advantageous for the forensic investigators to have a number of selection tools at their disposal so that they may cover as many gadgets as possible during their investigation process. Forensic examiners have also to take prudent steps that will aid them in documenting their extraction techniques while cross validating results across multiple toolkits. These actions in the end will enable the forensic examiner in understanding the data types that need to be extracted by the toolkit in hand as well as validating and confirming the accuracy of the data extraction. Forensic investigators need to consult widely and in case there are any doubts with certain technology, they should not hesitate to seek consultation, this is so because most digital evidence are so fragile such that any slight distortion on them, may render the case inadmissible in a court of law hence making the entity that the case is being investigated on their behalf loose substantially. This is likely to dent the credibility of the investigative authority and the company being protected. With digital forensics being extremely wide, technology transforming rapidly, and criminals also learning new tricks by the day, forensics experts are forced into devising new investigative techniques. This requires the forensic investigators to have a thorough understanding of how electronic crimes are usually conducted, the investigators should constantly be involved in research work through reading internet materials, forensic & technological related books, and attending seminars & webinars among others. The investigators should also periodically place themselves in the shoes of these criminals assuming that they are the ones who are perpetrating the crimes. It is only by understanding the criminal mindset together with how the technology works that forensic investigators may be in a position of deriving sound and credible forensic evidence that they may later on be presented in a court of law. References CNET (2010). Cell Phone Subscriptions to hit 5 Billion Globally, retrieved 11th May 2011 from http://reviews.cnet.com/8301-13970_7-10454065-78.html Criminal Intelligence Service Canada (CISC) (2010). Technology and Crime, retrieved 5th May 2011 from http://www.cisc.gc.ca/annual_reports/annual_report_2005/technology_and_crime_2005_e.html Dominik Birk (2011). Technical Challenges of Forensic Investigation in Cloud Computing Environments, retrieved 9th May 2011 from http://www.zurich.ibm.com/~cca/csc2011/submissions/birk.pdf EC-Council (2009). Computer Forensics: Investigating Network Intrusions and Cybercrime. Cengage Learning. February 20, 2008, from HTTP://CSRC.NIST.GOV/PUBLICATIONS/NISTPUBS/800-101/SP800-101.PDF Jansen, W., Ayers, R. (2007). “Guidelines on Cell Phone Forensics.” Retrieved Jennifer Bayuk (2010). Cyber Forensics: Understanding Information Security Investigations, Springer Publishers. Joseph Migga Kizza (2008). A Guide to Computer Network Security: Computer Communications and Networks, 2nd Edition, Springer Publishers. Marc Rogers (2003). The role of criminal Profiling in the computer forensics process. Center for education and Research in Information Assurance and Security, Purdue University. Retrieved 10th May 2011 from http://www2.tech.purdue.edu/cit/Courses/cit556/readings/Profile-Rogers.pdf Michael Cross, Debra Littlejohn Shinder (2008). Scene of the Cybercrime. 2nd Edition, Syngress publishers. Natarajan Meghanathan, Sumanth Reddy Allam, & Loretta A. Moore (2009). Tools and Techniques for Network Forensics, Department of Computer Science Jackson State University. International Journal of Network Security & its applications, Vol. 1, No 1, April 2009, retrieved 9th May 2011 from http://airccse.org/journal/nsa/0409s2.pdf Panagiotis Kanellis (2006). Digital crime and forensic science in Cyberspace. Idea Group Inc. Panagiotis Kanellis (2006). Digital crime and forensic science in cyberspace. Idea group Inc. Shafik G. Punja & Richard P. Mislan (2008). Mobile Device Analysis. Small Scale Digital Device Forensics Journal, Vol, 2, No. 1. June 2008. Tommie W. Singleton, Aaron J. Singleton (2010). Fraud Auditing and Forensic Accounting. 4th Edition, John Wiley and Sons. Bibliography Angela Orebaugh, Jeremy Allnutt (2009). Classification of Instant Messaging Communications for Forensics Analysis. The International Journal of Forensic Computer Science. Cesar Cerrudo. SQL Server Anti_Forensics: Techniques and Countermeasures, retrieved 9th May 2011 from https://www.blackhat.com/presentations/bh-dc-09/Cerrudo/BlackHat-dc-09-Cerrudo-SQL-Anti-Forensics.pdf Ibrahim Baggili (2011). Digital Forensics and Cyber Crime: Second International ICST Conference, ICDF2C 2010, Abu Dhabi, United Arab Emirates, October 4-6, 2010, Volume 53 of Lecture Notes of the Institute for Computer Sciences, Social, Springer Publishers. Joel Weise & Brad Powell (2005). Using Computer Forensics When Investigating System Attacks, retrieved 9th May 2011 from http://www.sun.com/blueprints/0405/819-2262.pdf Miroslav Ponec, Paul Giura, Herve Bronimann, Joel Wein (2007). Highly techniques for Network Forensics. Department of Computer and Information Science, Polytechnic University, Brooklyn, New York. Retrieved 9th May 2011 from http://isis.poly.edu/~fornet/docs/pubs/ccs097-ponec.pdf Xinwen Fu, Zhen Ling, Wei Yu, Junzhou Luo. Cyber Crime Scene Investigation through cloud computing. Retrieved 9th May 2011 from http://www.cs.uml.edu/~xinwenfu/paper/SPCC10_Fu.pdf Read More