What is Cyber Forensics?
Gone are the days when crimes happened only in the physical world. With the advance of technology, digital crime has grown tremendously and is now one of the fastest growing categories of crime. The upsurge in such crimes, coupled with the rising sophistication of the attacks behind them, calls for a relatively new field within forensic investigation. This urgent need has brought about the development of what is known as cyber forensics.
Types of Cyber crimes
Cyber crime can be defined as any illegal or criminal activity involving computer systems or networks. Although there is no single agreed definition, cyber crime can largely be grouped into two types: crimes in which a computer is the target, and crimes in which a computer system serves as the tool or means to commit a conventional crime.
Hacking, spamming, computer theft, website defacement, malware, and Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are common examples of cyber crimes in which the computer is the main target. Cyber crimes in which a computer system is used as a tool include financial fraud and scams, child pornography, phishing/vishing, cyber bullying and cyber espionage.
What is cyber forensics?
Cyber forensics has been defined as “the scientific processes of identification, seizure, acquisition, authentication, analysis, documentation and preservation of digital evidence.” Its main role is to collect, analyse, preserve and present digital evidence in a forensically sound and legally accepted manner.
Digital evidence is comparatively fragile and easy to alter or tamper with. Proper standard operating procedures are therefore needed to document, collect, preserve and analyse it.
Principles of Digital Evidence
The ACPO (Association of Chief Police Officers) has published a good practice guide that is widely used as a standard reference for handling digital evidence. Its four principles are:
Principle 1: No action taken by law enforcement agencies, persons employed within those agencies or their agents should change data which may subsequently be relied upon in court.
Principle 2: In circumstances where a person finds it necessary to access original data, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
Principle 3: An audit trail or other record of all processes applied to evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
Principle 4: The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.
Classification of Cyber Forensics
The field of cyber forensics can be further sub-categorised as follows:
Disk Forensics: deals with extracting data from storage media such as hard drives, USB devices, flash drives, etc., to retrieve not only active files and deleted data but also data from unallocated space and slack space for the purpose of investigation.
Live Forensics: deals with the acquisition and analysis of volatile data, i.e., data that is lost when the system shuts down, collected in order of volatility; examples include the contents of RAM (Random Access Memory), caches and the registry.
Network Forensics: deals with the monitoring and analysis of incoming and outgoing network traffic for the purposes of information gathering, evidence collection or intrusion detection.
Mobile Phone Forensics: deals with recovering and analysing digital evidence from a mobile phone, such as call logs, text messages, multimedia, browsing history, etc., under forensically sound conditions.
Email Forensics: deals with the recovery and analysis of emails for the purpose of investigation.
Social Media Forensics: deals with the collection and analysis of data from online sources such as social media platforms.
Malware Forensics: deals with the investigation and identification of malicious code such as viruses, worms, trojans, etc.
Processes of Cyber Forensics
Cyber forensic investigations generally involve the following processes:
- Evaluation and Identification: The evaluation process involves gaining proper knowledge of the background of the case before working on it, obtaining any legal permits required to enter the premises and investigate, securing and assessing the crime scene for digital evidence, and preparing the tools and techniques required to handle the case.
- Documentation: All evidence present at the crime scene should be photographed and/or videographed before any processing, to record its original condition. Every step or procedure taken and every tool used during the investigation must also be thoroughly documented along the way, to preserve the integrity of the evidence and maintain the chain of custody.
- Seizure and Acquisition: Once identified, the evidence should be isolated from the network, then properly labelled and packaged in anti-static bags. Volatile data may be collected from the live system using appropriate software. For non-volatile data, the hard drive and other storage media should be imaged and/or cloned through a write-blocker for later analysis. At every step, a cryptographic hash of the data should be generated and recorded so that the integrity of the evidence can be verified.
- Preservation: The integrity of digital evidence must be preserved for it to be admissible in a court of law. This includes preventing unauthorised persons from accessing the evidence, as well as keeping it away from high temperature, humidity and magnetic devices of any kind.
- Analysis: Various tools and software are used to extract, process and interpret the data in order to answer the investigative questions raised by the Investigating Officer. In this step all case-related files and programs, including deleted and recently used data, are examined.
- Presentation: Every tool and methodology used must be summarised, together with the findings, in simple terms that the court can readily understand.
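The following is an added example and not part of the original article. It illustrates two of the points above in working code: the hashing required at every step of Seizure and Acquisition, and the audit trail demanded by ACPO Principle 3. The "device" is a constructed byte string written to a temporary file; the examiner name, tool names and file names are placeholders; and the copy loop stands in for a real imaging tool reading through a hardware write-blocker. The log it produces is a plain list of dictionaries that an independent examiner could replay to reproduce each hash.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample "evidence": stands in for a seized drive. A real
# acquisition would read the device through a hardware write-blocker.
SAMPLE_EVIDENCE = (b"EVIDENCE-DRIVE-001 " * 64) + b"\x00" * 512 + b"deleted-file-fragment"

CHUNK_SIZE = 1024 * 1024  # hash in 1 MiB chunks so large images are never fully loaded


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for a file, read in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def record_step(log, action, examiner, tool, hashes, note=""):
    """Append one audit-trail entry (ACPO Principle 3) and return it."""
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "action": action,
        "examiner": examiner,
        "tool": tool,
        "hashes": dict(hashes),
        "note": note,
    }
    log.append(entry)
    return entry


def acquire_image(source_path, image_path, log, examiner="EXAMINER-PLACEHOLDER"):
    """Hash the source, copy it to image_path, hash the image, record both.

    Returns True only if the image digests equal the source digests."""
    source_hashes = hash_file(source_path)
    record_step(log, "hash-source", examiner, "hashlib", source_hashes)
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK_SIZE), b""):
            dst.write(chunk)
    image_hashes = hash_file(image_path)
    verified = image_hashes == source_hashes
    record_step(log, "acquire-image", examiner, "chunked-copy (placeholder tool)",
                image_hashes, note="verified" if verified else "HASH MISMATCH")
    return verified


def verify_integrity(image_path, log):
    """Re-hash the image and compare with the most recently recorded digests.

    Returns True if every digest still matches, False if anything changed."""
    expected = log[-1]["hashes"]
    current = hash_file(image_path)
    intact = current == expected
    record_step(log, "verify-integrity", log[-1]["examiner"], "hashlib", current,
                note="intact" if intact else "TAMPERED")
    return intact


def demo(tamper=False):
    """Acquire and verify in a temp dir; optionally alter one byte of the image first.

    Returns (acquired_ok, still_intact, audit_log)."""
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "device.raw")   # placeholder for the seized device
        image = os.path.join(d, "image.dd")      # placeholder for the forensic image
        with open(source, "wb") as f:
            f.write(SAMPLE_EVIDENCE)
        log = []
        acquired = acquire_image(source, image, log)
        if tamper:
            with open(image, "r+b") as f:   # simulate a single-byte modification
                f.seek(10)
                f.write(b"X")
        intact = verify_integrity(image, log)
        return acquired, intact, log


if __name__ == "__main__":
    for tampered in (False, True):
        acquired, intact, log = demo(tamper=tampered)
        print(f"tamper={tampered}: acquired={acquired} intact={intact}")
        for entry in log:
            print(f"  {entry['action']:17} {entry['hashes']['sha256'][:16]}... {entry['note']}")
```

Two digests are recorded per step because older case files and many tools still report MD5 alongside SHA-256; verifying both costs one extra pass over the chunks and lets the image be checked against either. The verification step compares against the last entry in the log rather than against the source, which mirrors the real situation where the original device is sealed after imaging and only the image is re-hashed before and after each analysis session.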