Introduction to Cyber Forensics


Tags: Cybersecurity, Cyber Security, Cyber Forensic

Cyber crime has increased manifold in recent years. People are losing their hard-earned money and reputation because criminals are ready to profit from their negligence.

1. Definition of Cyber Forensics

Cyber forensics is a branch of forensic science that deals with the tools and techniques for investigating digital data in order to find evidence of a crime that can be produced in a court of law.

It is the practice of preserving, extracting, analyzing, and documenting evidence from digital devices such as computers, smartphones, and digital storage media, so that it can be used to form expert opinions in legal or administrative matters.

2. Importance of Cyber Forensics

Computer forensics plays a vital role in an organization, as our dependency on computing devices and the internet increases day by day. According to one survey, 93% of all information generated during 1999 was created in digital format on computers, and only the remaining 7% was produced on paper or other media.

It is not always easy to collect evidence, as the data may have been tampered with, deleted, hidden, or encrypted. Digital forensic investigation is a highly skilled task that requires exposure to various tools, techniques, and guidelines for finding and recovering digital evidence from the crime scene or from the digital equipment used in a crime.

With digital equipment such as smartphones, tablets, palmtops, and smart TVs gaining processing capability and computation speed, the possibility that these devices are used in cybercrime cannot be ruled out. A forensic investigator must not only have a deep understanding of how these devices work but also hands-on exposure to the tools for accurate data retrieval, so that the value and integrity of the data are preserved.

3. Intentional & Unintentional Use

A computer can be used intentionally or unintentionally for cybercrime. Intentional use is, for example, using your computer to send hate mail or installing a cracked version of otherwise licensed software on it.

Unintentional use is when the computer you are using contains a virus that spreads within and beyond the network, causing major financial loss to someone else.

Similarly, a computer can be used directly to commit a digital crime. For example, your computer is used to access sensitive and classified data, and that data is sent to someone inside or outside the network who can use it for his or her own benefit.

Indirect use of a computer is when, while downloading a software crack, a trojan horse is stored on the computer and creates a backdoor into the network to facilitate the attacker. The attacker then logs into your computer and uses it to commit cyber crime. An experienced computer forensic investigator plays a crucial role in distinguishing direct from indirect use. Computer forensic experts are also useful for recovering accidentally lost data, for detecting industrial espionage, counterfeiting, and so on.

4. How is cybercrime handled in organizations?

In large organizations, as soon as a cyber crime is detected by the incident handling team, which is responsible for monitoring and detecting security events on computers and the network, the initial incident management process is followed. This is an in-house process and typically consists of the following steps:

4.1 Preparation

The organization prepares guidelines for incident response and assigns roles and responsibilities to each member of the incident response team. Most large organizations have a reputation to protect, and any negative sentiment can unsettle shareholders, so effective communication is required when an incident is declared. Assigning roles based on each member's skill set is therefore important.

4.2 Identification

Based on the indicators observed, the incident response team verifies whether an incident has actually occurred. One of the most common ways to verify this is to examine the logs. Once the occurrence of the incident is confirmed, the impact of the attack is assessed.

4.3 Containment

Based on the assessment, affected systems are isolated so that the attack cannot spread further or destroy more evidence, and the course of action for the rest of the response is planned in this step.

4.4 Eradication

In this step, the strategy for removing the cause of the threat (for example, the malware, the backdoor, or the compromised account) or mitigating it is planned and executed.

4.5 Recovery

This is the process of returning to the normal operational state after the cause of the problem has been eradicated.

4.6 Lessons Learned

The incident and how it was handled are documented, particularly when a new type of incident is encountered, so that this knowledge can be used to handle similar situations in the future.

5. How Cyber Crime Evidence is Searched?

The second step in the process is the forensic investigation to collect evidence of the cybercrime, which is often performed by specialist third-party firms or external investigators. A computer forensic investigation involves the following steps:

5.1 Identify Incident and Evidence

This is the first step, usually performed by the system administrator, who tries to gather as much information as possible about the incident. Based on this information, the scope and severity of the attack are assessed. Once evidence of the attack is discovered, a forensic image (a bit-for-bit copy) of the affected media is taken for investigation purposes. The forensic investigation is never performed on the original machine but on a verified copy of that image.

5.2 Collect and Preserve Evidence

Various tools such as Helix, WinHex, and FTK Imager are used to capture the data. Once the image has been acquired, custody of both the original evidence and the image is formally recorded. An MD5 (message digest) hash of the image is calculated and compared with the hash of the original to confirm the integrity of the data; because MD5 collisions are practical today, a second hash such as SHA-256 is normally recorded as well, and the acquisition is done through a write blocker so that the source media is not modified. Other important sources of information, such as system logs, network information, logs generated by Intrusion Detection Systems (IDS), and port and process information, are also captured.
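The hashing and verification step described above, as an added example that is not part of the original article: the script computes MD5 and SHA-256 of an acquired image, records a chain-of-custody entry, and later confirms that a working copy still matches before any analysis is done on it. The image contents, case identifier and examiner name are constructed for illustration.

```python
"""Hash an acquired evidence image and verify working copies against it.

Added example, not taken from the original article. The image contents,
case identifiers and file names below are constructed for illustration.
"""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # stream in 1 MiB chunks so multi-GB images fit in memory


def _digests():
    # MD5 is what many tools and older reports still record; it is collision-prone,
    # so a second, stronger digest is always computed alongside it.
    return {"md5": hashlib.md5(), "sha256": hashlib.sha256()}


def hash_bytes(data):
    """Hex digests of an in-memory buffer (handy for known test vectors)."""
    digests = _digests()
    for h in digests.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in digests.items()}


def hash_file(path):
    """Hex digests of a file on disk, read in chunks."""
    digests = _digests()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for h in digests.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in digests.items()}


def record_acquisition(image_path, case_id, examiner):
    """Chain-of-custody entry written at acquisition time."""
    return {
        "case_id": case_id,
        "examiner": examiner,
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "hashes": hash_file(image_path),
    }


def verify_copy(copy_path, record):
    """True only if the size and every recorded digest match the working copy."""
    if os.path.getsize(copy_path) != record["size_bytes"]:
        return False
    actual = hash_file(copy_path)
    return all(actual[name] == digest for name, digest in record["hashes"].items())


def demo():
    """Acquire a constructed image, then check an intact copy and a tampered copy.

    Returns (intact_verified, tampered_verified).
    """
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "suspect_disk.dd")
        with open(original, "wb") as fh:  # constructed stand-in for a disk image
            fh.write(b"\x00" * 512 + b"constructed sector data " * 200)
        record = record_acquisition(original, "CASE-0001", "examiner-1")

        intact = os.path.join(workdir, "working_copy.dd")
        shutil.copyfile(original, intact)

        tampered = os.path.join(workdir, "tampered_copy.dd")
        shutil.copyfile(original, tampered)
        with open(tampered, "r+b") as fh:
            fh.seek(600)
            fh.write(b"X")  # one altered byte is enough to break every digest

        return verify_copy(intact, record), verify_copy(tampered, record)


if __name__ == "__main__":
    print(demo())
```

Both digests are updated from the same read so the image is only streamed once; the size check is a cheap pre-filter, and the verification fails closed if any recorded digest differs.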

5.3 Investigate

The disk image is restored from the acquired copy, and the investigation is performed by reviewing the logs, system files, deleted and modified files, CPU usage and process logs, temporary files, password-protected and encrypted files, and images, videos, and data files for possible steganographic messages.

5.4 Summarize and Present

The summary of the incident is presented in chronological order. Based on the investigation, conclusions are drawn and the probable cause is explained.
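Building the chronological summary from the log sources mentioned in the investigation step, as an added example that is not part of the original article: the script normalizes timestamps from three differently formatted sources (a syslog authentication log, a web server access log, and an IDS export) to UTC and merges them into one ordered timeline. All log lines are constructed, the hostnames and addresses are made up, and the syslog year is assumed because syslog lines do not carry one.

```python
"""Merge log lines from several sources into one chronological timeline.

Added example, not from the original article. The log lines below are
constructed; the formats are plain syslog, the Apache combined access-log
style, and a simple 'YYYY-MM-DD HH:MM:SS' export as an IDS might produce.
"""
import re
from datetime import datetime, timezone

# Constructed sample evidence. The syslog host is assumed to run in UTC, the
# web server records its own offset, and the IDS export is assumed UTC.
AUTH_LOG = """\
Mar 12 02:14:07 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51522 ssh2
Mar 12 02:14:11 web01 sshd[2211]: Accepted password for deploy from 203.0.113.7 port 51522 ssh2
Mar 12 02:16:40 web01 sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/tar czf /tmp/db.tgz /var/lib/mysql
"""
ACCESS_LOG = """\
203.0.113.7 - - [12/Mar/2024:02:13:58 +0000] "GET /wp-login.php HTTP/1.1" 200 1874
203.0.113.7 - - [12/Mar/2024:02:17:05 +0000] "GET /tmp/db.tgz HTTP/1.1" 404 209
"""
IDS_EXPORT = """\
2024-03-12 02:14:05 ET SCAN SSH brute force attempt src=203.0.113.7 dst=10.0.0.5
"""
SYSLOG_YEAR = 2024  # assumed from the case context; syslog lines carry no year

SYSLOG_RE = re.compile(r"^(\w{3}) +(\d+) (\d\d:\d\d:\d\d) (\S+) (.*)$")
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')
EXPORT_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$")


def parse_syslog(line):
    """Return (aware UTC datetime, source, message) or None for unmatched lines."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    mon, day, clock, host, msg = m.groups()
    ts = datetime.strptime(f"{SYSLOG_YEAR} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
    return ts.replace(tzinfo=timezone.utc), f"syslog/{host}", msg


def parse_apache(line):
    m = APACHE_RE.match(line)
    if not m:
        return None
    ip, stamp, request, status, _size = m.groups()
    ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")  # offset comes from the log
    return ts, "apache/web01", f'{ip} "{request}" -> {status}'


def parse_export(line):
    m = EXPORT_RE.match(line)
    if not m:
        return None
    stamp, msg = m.groups()
    ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return ts, "ids", msg


def build_timeline(sources):
    """sources: iterable of (parser, text). Returns (utc_time, source, message)
    tuples sorted by time; lines a parser does not recognise are skipped."""
    events = []
    for parser, text in sources:
        for line in text.splitlines():
            ev = parser(line)
            if ev:
                ts, src, msg = ev
                events.append((ts.astimezone(timezone.utc), src, msg))
    events.sort(key=lambda e: e[0])
    return events


def case_timeline():
    return build_timeline([
        (parse_syslog, AUTH_LOG),
        (parse_apache, ACCESS_LOG),
        (parse_export, IDS_EXPORT),
    ])


def render(events):
    """Plain-text table for the report: one line per event."""
    return "\n".join(f"{ts:%Y-%m-%d %H:%M:%S}Z  {src:<14} {msg}" for ts, src, msg in events)


if __name__ == "__main__":
    print(render(case_timeline()))
```

Converting every timestamp to an aware UTC value before sorting is the important step: mixing a server's local time with a log that carries its own offset is a classic way to get the order of events wrong in a report.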

6. Final Thoughts

While carrying out a digital forensic investigation, established rules and procedures must be followed. Especially while capturing evidence, it must be ensured that the actions taken to capture the data do not alter the evidence; for example, imaging should be done through a write blocker and the image verified by hash afterwards. The integrity of the data must be maintained, and the media used to store the image must be clean and free from contamination by data from other cases.

Moreover, all activities related to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review. Prevention is always better than cure: keep your firewall and intrusion detection system properly tuned and occasionally perform penetration tests on your network to keep attackers out. Last but not least, report the crime.

Author: Mikhail
Comment by Neha (registered user):
Thanks for sharing this article. It is really helpful. I also wanted to add that cyber forensics is one of the fields that make you feel like a detective or real-life hacker.



