The growing sophistication of digital-crimes coupled with our fast changing digital landscape, presents a perplexing and ever-changing environment for the law-enforcers. Account hacking, insider trading, information security breaches, cyber-attacks, industrial espionage, financial fraud, and cyber-terrorism might sound like the stuffs from a Hollywood thriller, but they are real life examples of the types of digital-crime the world now faces. This new type of crimes call for a new type of crime fighting – Digital Forensics – the detection and investigation of evidence located on all things electronic with digital storage, including computers, cell phones, and networks. Digital Forensics researchers and practitioners stand at the forefront of some of the most challenging problems in computer science, including Big Data analysis, natural language processing, data visualizations, and cyber security.
Computers have had increasing roles in all aspects of human life since the personal computers became popular in the ‘80s. Consequently criminal activities also became common using computers. This has led to the rise of Digital Forensics. Digital-crimes leave behind digital ‘fingerprints’ in the form of electronic data (from computers, networks, the cloud, GPS systems, and smart-phones). Similar to DNA forensic scientists in the physical world, Digital Forensic analysts understand how to follow these ‘fingerprints’ to investigate incidents and track activities in the electronic domain.
Unlike traditional DNA forensic science, Digital Forensics poses substantial challenges. Data on a computer system can be altered without a trace. Additionally, the scale of data that must be examined is vast, and the diversity of data types is huge. Just as a traditional forensic investigator must be prepared to scan and analyze any kind of smear or fragment, a Digital Forensic investigator must be able to make sense of any data that might be found on any device anywhere, which is a very demanding proposition.
It is no longer a question if someone will be a victim of cyber-enabled crime, rather the question is when. Digital Forensics come into play after something bad inevitably happens – helping to determine the – who, what, where, when and why. Cyber incidents are serious business with huge economic consequences, and organizations rely on Digital Forensics to detect such incidents.
In many cases, computers contain evidence of a crime that took place in the physical world. Computerization has made the evidence harder for investigators to analyze than paper records. For example, financial fraudster of the Ponzi Scheme Bernard Madoff kept track of his victims’ accounts using an old IBM AS/400 from the 1980s. As only a few people on Wall Street had experience with a 25-year-old technology, it helped Madoff prolong his crime. It also created additional snags after he was arrested, because investigators did not have enough tools and skills to make sense of his data.
Nowadays computers are so pervasive that the collection and use of digital evidence has become a usual part of any criminal and civil investigation. Law enforcers routinely examine the suspects’ laptops, cell phones, tablets examined for verifying evidence. Corporate lawsuits are also dominated by electronic discovery of implicating materials.
Then there are Digital Forensics cases in which the crime was essentially involving computer systems, such as cyber-terrorism or hacking. In these instances, investigations are often hindered by the technical intricacies of the systems and the colossal amount of evidence to examine.
All digital evidence is subject to the same rules and laws that apply to documentary evidence. The principle of digital evidence may be explained thus: the onus is on the prosecution to show to the court that the evidence produced is no more and no less now than when it was first taken into the possession of law enforcement.
Electronic data are easily changed, damaged, or erased if handled improperly. Operating Systems and other programs frequently alter, add and delete the contents of electronic storage. This may happen routinely without user intervention or the user being aware that the data has been modified. Simply turning on a consumer GPS may cause the device to delete critical evidence.
Digital Forensics is powerful because computers are openings into the past. Many retain enormous quantities of information—either deliberately, in the form of log files and archives, or unintentionally, as a result of software that does not cleanly erase memory and files. Consequently, investigators can often recover old emails, chat logs, searched items, and other kinds of data that were created weeks, months or even years before. Such concomitant records can disclose an individual’s state of mind or intent at the time the crime was committed.
Asit can look into the past and unearth concealed information, Digital Forensics tools are more and more used in crime investigations. Security professionals regularly use such tools to analyze network interventions—not necessarily to convict the culprit, but to comprehend how the offender gained access and to plug the hole. Data Recovery firms trust on similar tools to restore files from storage devices that have been accidentally formatted or spoiled. Several commercial and open source tools for Digital Forensics are available. Some of the tools are EnCase, FTK, Helix, DFF, LiveView, The Sleuth Kit, etc.
Digital evidence can even be inspected and analyzed to determine that something did not happen at all. Such as, a hacker might have gotten into the computer network, but could not read sensitive information. One way to make such a deduction is by inspecting the access and alteration times associated with each file on the storage. But, someone taking advantage of the same forensic techniques could have viewed the files without altering those timestamps; so the investigators actually determined only that the files had not been opened by conventional means.
Before data can be examined, they are gathered from the crime scene, stabilized, and conserved to create a permanent record. Understanding the inner workings of how computers store data is key to precise extraction and retention. A Digital Forensic analyst has to explore for information that might be pertinent to the investigation. Most analyses are performed with tools that can excerpt data files from the storage disk image, search for files that contain a specific word or phrase, and even detect the existence of encoded data. Related data are then extracted from the preserved system so they are easier to examine.
A hash function is used to map a sequence of characters to sna binary number of fixed size. The values returned by a hash function are called hash values, hash codes, hash sums, or simply hashes. In 1979, Ralph Merkle invented a way to use hashing for computer security. Merkle’s idea was to use a hash function that produced more than 100 bits of output and additionally had the property of being one-way. That is, it was somewhat easy to compute the hash of a string, but it was nearly impossible to find a corresponding string. Today digital signatures applied to hashes are the basis of many cyber security systems. They protect credit card numbers sent over the Internet, certify the authenticity and integrity of code run on the systems, and validate keys used to play digital music.
Digital Forensics uses hashing techniques extensively. Hashing is used to establish chain of custody for forensic data. Instead of hashing a file, the hash function is applied to the entire disk image. Investigators create two images of a storage device and then compute the hash values of each image. If they match, then the copies are assumed to be a true copy of the data that were on the device. Any investigator with a later copy of the data can compute the hash sums and check if it matches the original reported value.
Hashing is also used to identify specific files. This method takes advantage of the fact that it is extremely improbable for two files to have the same hash sum, so they can tag files in much the same way a people can be identified by their fingerprints.
A major technical innovation for Digital Forensics is the technique for recovering a file after it is deleted. These files are not simply in a computer’s ‘Recycle Bin’, but have been ‘permanently’ removed by emptying it. The filename can be hidden and the storage associated with the file is deallocated, but a file’s contents sometimes can remain on the storage device even though the metadata that could be used to locate it are lost. Recovering these kinds of data requires a method called file carving that scans the disk image for file headers and footers (characteristic sequences of bytes). Once they are found, the two sequences of bytes and all of the data between them are saved in a new file. Carving tools can authenticate the data and can reassemble files that are broken into multiple pieces.
A process called Memory Parsing is used for obtaining and examining the contents of a running computer system. Parsing tools can be used to report when a memory dump was captured, display the running processes, and can even show the contents of the computer’s clipboard and screen. Such tools are widely used for reverse-engineering malware, such as computer viruses and worms, as well as understanding an attacker’s actions in computer intrusion cases. Memory parsing can be combined with file carving to recover digital photographs and videos.
As software and hardware developers usually do not provide with details of how their systems work because of confidentiality of their intellectual property, Reverse Engineering is used as an important method in Digital Forensics. Substantial effort is required to backtrack through systems code and understand how data are handled and stored in the particular system. Techniques to extract allocated files from disk images are largely developed through this method.
At the forefront of Digital Forensics are systems that attempt to assist an analyst’s rationale—to find evidence that is unusual, peculiar, or erratic. Such details can point out that there is a deeper, concealed story. Discrepancies and inconsistencies can also show that evidence has been meddled with, forged or fabricated. Eventually such reasoning systems are likely the only way that today’s Digital Forensics analysts will be able to keep up with the massive quantities and growing range of data in the coming years.
Syed Almas Kabir
CEO, MetroNet Bangladesh Limited
President, Bangladesh Association of Software & Information Services (BASIS)