What Is Digital Forensics
In computer science, computer forensics or digital forensics is the term used to describe the process of obtaining legally admissible evidence from digital media or computer storage. Through a digital forensic investigation, the investigator can determine what happened to the digital media, such as emails, logs, hard disks, computer systems and even the network. In many instances, a forensic investigation can determine how the crime happened and how we can protect ourselves from the same thing happening the next time.
Let us look at some reasons for conducting a forensic investigation:
1. In certain legal cases, evidence needs to be gathered so that it can be presented in court to help solve the case.
2. To analyze the strength of the network being used and, in case of a security breach, to close the hole using patches and fixes.
3. In the event of any hardware or software failure, it can be used to recover deleted or other lost files.
When conducting an investigation in computer forensics, the most important things that have to be kept in mind are:
- No alteration should be made to the original evidence; to ensure this, the forensic investigator should make a bit-stream image. A bit-stream image is a bit-by-bit copy of the original storage medium, that is, an exact copy of the original media. The bit-stream image differs from an ordinary copy of the original storage in that it also captures the slack space of the storage medium. No slack space information will be found on an ordinary copy.
- All forensic processes must follow the laws of the country in which the crime took place. Each country has different laws applicable to the IT field. In certain countries, such as the United Kingdom and Australia, the rules in the IT field are taken very seriously.
- The investigator has to obtain a search warrant before they can proceed with conducting the forensic processes.
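To make the slack space point concrete, here is an added toy model (not code from the original article) of a cluster-based storage medium: a logical file copy returns only the bytes each directory entry claims, while a bit-stream image carries every byte, including the remains of a deleted file left in the slack of a reused cluster. The 16-byte cluster size and file contents are constructed for the demonstration.

```python
CLUSTER = 16  # constructed toy cluster size; real file systems use 4 KiB or more

def make_disk(n_clusters):
    """A blank toy 'storage medium' made of n_clusters clusters."""
    return bytearray(CLUSTER * n_clusters)

def write_file(disk, directory, name, cluster, data):
    """Write data at the start of a cluster and record only its real length.
    Bytes of that cluster past len(data) are left untouched: that is slack space."""
    disk[cluster * CLUSTER : cluster * CLUSTER + len(data)] = data
    directory[name] = (cluster, len(data))

def logical_copy(disk, directory):
    """What an ordinary file copy sees: just the bytes each directory entry claims."""
    return {name: bytes(disk[c * CLUSTER : c * CLUSTER + n])
            for name, (c, n) in directory.items()}

def bit_stream_image(disk):
    """A bit-for-bit copy of every cluster, slack included."""
    return bytes(disk)

def slack_of(disk, directory, name):
    """Bytes of the file's cluster that lie past its end-of-file."""
    c, n = directory[name]
    return bytes(disk[c * CLUSTER + n : (c + 1) * CLUSTER])

def demo():
    disk, directory = make_disk(4), {}
    write_file(disk, directory, "old.txt", 0, b"SECRET-ACCOUNT-1")  # 16 bytes fill cluster 0
    del directory["old.txt"]                      # 'delete': only the directory entry goes
    write_file(disk, directory, "new.txt", 0, b"hello")  # 5 bytes reuse cluster 0
    copied = logical_copy(disk, directory)
    image = bit_stream_image(disk)
    return {
        "copy_has_old_data": b"ACCOUNT" in b"".join(copied.values()),
        "image_has_old_data": b"ACCOUNT" in image,
        "slack": slack_of(disk, directory, "new.txt"),
    }

if __name__ == "__main__":
    print(demo())
```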
Normally, forensic investigators look to establish the timeline of how the crime happened. With that knowledge, they can recreate the crime scene: what happened, how it happened, when it happened and why. In a multinational or any other large company, it is suggested that a Digital Forensic Team or First Responder Team be created, so that the company can preserve the evidence until the forensic investigator arrives at the crime scene.
The rules pertaining to First Response are:
1. Under no circumstances should any person other than the Forensic Analyst be allowed to attempt to retrieve information from any computer system or device that has been used to store electronic information.
2. Any such attempt by a person other than the Forensic Analyst must be avoided at all costs, as the integrity of the evidence could be compromised, in which case the evidence would become inadmissible in a court of law.
These rules explain the importance of having a First Responder Team. The only thing a person not qualified for this job can do is secure the perimeter so that the crime scene remains untouched by anyone until the Forensic Analyst arrives. They can also take photos of the crime scene and make notes about the scene and the people who were present at the time.
When digital crimes are investigated in a professional manner, certain steps need to be taken.
- The crime scene has to be secured until the arrival of the Forensic Analyst.
- A search warrant has to be requested from the local authorities or the management of the company by the Forensic Analyst.
- In case of no photos being taken earlier, the Forensic Analyst must take pictures of the crime scene.
- The Forensic Analyst has to take care not to turn off the computer if the system is still powered on. Instead, they can use forensic tools such as Helix to obtain information that is available only while the system is powered on, such as the data present in RAM and the registry. Such tools are specially designed not to write anything back to the system, so that the integrity of the system stays intact.
- Once the Forensic Analyst collects all live evidence, the system can be shut down and the hard disk taken back to the forensic lab.
- All the evidence, including the chain of custody, must be properly documented. The chain of custody records who last used the computer.
- As a formality, all the evidence must be secured in the presence of a legal officer, for example, a police officer.
- Once the evidence reaches the lab, the Forensic Analyst has to create a bit-stream image, as the original evidence should not be used. Normally the Forensic Analyst creates 2-5 bit-stream images, in case one or two of them get corrupted. Even at this point, the chain of custody is updated to maintain records of the evidence.
- Next, hashes of the original evidence and of its bit-stream image are computed and compared. Matching hashes are proof that the bit-stream image is an exact copy of the original evidence. Any alteration to the bit-stream image will result in a different hash, which in turn will render the evidence inadmissible in court.
- The Forensic Analyst then starts to find evidence by looking carefully at the bit-stream image. Where the evidence is located depends on the type of crime committed, for example deleted files, temporary Internet files, slack space, steganography files, etc.
- A hash of each piece of evidence found is created so as to maintain the integrity of the evidence.
- A report, normally in the PDF format, is created by the Forensic Analyst.
- The report is then sent back to the company along with the fee due for the job done.
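The hashing step of the procedure above, as an added example that is not part of the original article: each working image is hashed in chunks (as real disk images are too large to hold in memory), compared against the digests of the original medium, and a single flipped bit in one image is enough for it to fail verification. Two digests are recorded because forensic tools typically report more than one; the evidence bytes are constructed for the demonstration.

```python
import hashlib
import io

CHUNK = 1 << 20  # 1 MiB reads: real images are far larger than memory

def hash_stream(stream, algorithms=("md5", "sha256")):
    """Hash a stream in fixed-size chunks and return one hex digest per algorithm.
    Recording two digests means a collision in one cannot hide a change."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify_images(original, images):
    """Compare every working image against the original medium's digests.
    Returns the reference digests and, per image, whether all digests matched."""
    reference = hash_stream(original)
    return reference, [hash_stream(img) == reference for img in images]

def demo():
    # Constructed 'evidence drive' contents; stands in for a raw disk device.
    evidence = b"boot sector\x00" * 1000 + b"deleted-invoice.pdf fragments" + b"\x00" * 3000
    good_image = bytes(evidence)            # a faithful bit-stream copy
    tampered = bytearray(evidence)
    tampered[5000] ^= 0x01                  # a single flipped bit in the third image
    _, ok = verify_images(
        io.BytesIO(evidence),
        [io.BytesIO(good_image), io.BytesIO(good_image), io.BytesIO(bytes(tampered))],
    )
    return ok

if __name__ == "__main__":
    print(demo())  # [True, True, False]
```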