Digital forensics
INTRODUCTION.
Digital forensics is the branch of forensic science concerned with the identification, recovery and investigation of material found on digital devices, typically in connection with computer crime (Årnes, 2018). Such devices hold sensitive information that needs to be protected, and attackers target exactly this information to accomplish their goals: personal details, PINs, account information, mobile banking details and other critical data.
History of digital forensics
Digital forensics is a relatively young discipline, and a complex one within the wider field of computer crime. Until the 1990s it was generally called computer forensics, and its first practitioners were law enforcement officers rather than scientists. The work began in the USA with the FBI Computer Analysis and Response Team (CART) in 1984. In the following year, in the UK, John Austen set up a computer crime unit within the Metropolitan Police Fraud Squad (Bodden, 2018).
The discipline began to change in the early 1990s. Technical support staff and investigators within UK law enforcement agencies recognised that digital forensics needed formal procedures, standard techniques and protocols, none of which existed at the time. In 1994 and 1995 a series of conferences organised by the Inland Revenue and the Serious Fraud Office was held at the Police Staff College at Bramshill, and a British digital forensics methodology emerged from these meetings.
The first version of the Good Practice Guide for digital evidence appeared in the UK in 1998, produced by the Association of Chief Police Officers (ACPO). It set out in detail the fundamental principles governing all digital forensic work by UK law enforcement (William Saulsbury, 1994).
Since then the science of digital forensics has developed those guidelines and practices into standards, under the oversight of the Forensic Science Regulator in the UK, who ensures that the procedures are adhered to.
The methodology used in computer forensics investigation
Computer forensics investigations use a methodology divided into phases in order to produce evidence (Maras, 2014). The methodology also includes reviewing every step taken during an investigation to identify areas that need improvement. It provides for procedurally sound data acquisition, which is essential in computer crime cases. The phases are:
Development of policy and procedures
Digital evidence from a cyber attack can be fragile: it is easily compromised if not handled carefully. Clear guidelines are therefore needed for acquiring, storing and finally presenting the digital evidence.
Evidence assessment
Assessing the cybercrime activity is the starting point for evidence collection. It involves a thorough analysis of the crime and identification of the evidence that matters. Investigators draw on email accounts, digital archives, hard drives and various websites. The source and integrity of each item must be established before it is stored as evidence.
Evidence acquisition
The investigator's task is to produce a detailed plan for gathering evidence. Every process is documented, recorded and preserved, and the organisation's policies are followed throughout so that the investigation is transparent. Evidence must be acquired lawfully and deliberately. When the case is pursued, the chain of custody for the evidence must be authenticated.
Evidence examination
The evidence is examined using various approaches and analysis methods, including procedures for recovering deleted files and the use of analysis software to locate data by file type.
Documenting and reporting
The hardware and software specifications used must be documented. Computer forensic investigators have to keep accurate records of every procedure used to retrieve, copy and store data. This demonstrates that the relevant policies were followed to the letter.
PROCESS AND PROCEDURES
The forensic process follows a systematic sequence of steps (L Sejean, 2009):
Acquisition
A write-blocking device is used to prevent any alteration of the data and to isolate the evidence. The investigator then creates a forensic image, a bit-for-bit copy of the digital storage medium, and works on the copy rather than the original.
Identification
This stage identifies the components of the digitally acquired evidence. The evidence is then converted into an understandable format for analysis.
Evaluation
This stage determines whether the evidence collected is useful. Evidence should be relevant to the case under investigation and legitimately obtained.
Admission
Evidence acquired and extracted in this way from cyber crimes is then presented in court.
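As an added example (not code from the source document or any of the cited works), the following Python script carries out the Acquisition step above on a constructed sample: it opens the source strictly read-only (the software counterpart of a write blocker), produces a bit-for-bit image, hashes both source and image, writes a custody record beside the image, and shows that a single flipped bit in the image is caught when the image is re-verified. The file names, case identifier and examiner name are assumptions made for the example.

```python
"""Forensic acquisition with hash verification and a custody record.

Added example (not from the source document): the "device" is an ordinary
file built in a temporary directory; in real use the source would be a raw
block device (e.g. /dev/sdb) attached behind a hardware write blocker.
"""
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1 << 20  # 1 MiB reads: efficient on a real device, never the whole image in RAM


def sha256_of(path: str) -> str:
    """Stream the file so that multi-gigabyte images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source: str, image: str, examiner: str, case_id: str) -> dict:
    """Bit-for-bit copy of `source` into a new file `image`; returns the custody record."""
    started = time.time()
    # Software side of write blocking: the source is opened strictly read-only.
    # A hardware blocker additionally refuses writes at the bus level, which is
    # what protects the original if the examiner's OS tries to mount it.
    fd = os.open(source, os.O_RDONLY)
    with os.fdopen(fd, "rb") as src, open(image, "xb") as dst:  # "x": never overwrite
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    # Hash source and image independently; both go into the record so that a
    # later re-hash of the image can be compared with the value taken at acquisition.
    src_hash = sha256_of(source)
    img_hash = sha256_of(image)
    return {
        "case": case_id,
        "examiner": examiner,
        "source": source,
        "image": image,
        "started_epoch": started,
        "finished_epoch": time.time(),
        "source_sha256": src_hash,
        "image_sha256": img_hash,
        "verified": src_hash == img_hash,
    }


def verify_image(record: dict) -> bool:
    """What a reviewer or opposing expert re-runs later: re-hash and compare."""
    return sha256_of(record["image"]) == record["image_sha256"]


def demo() -> dict:
    """Constructed sample: a fake 1 MiB 'device' in a temp directory (assumed names)."""
    work = tempfile.mkdtemp(prefix="acq-")
    device = os.path.join(work, "sdb.raw")
    with open(device, "wb") as f:
        f.write(bytes(range(256)) * 4096)  # 1 MiB of constructed, deterministic data
    record = acquire_image(device, os.path.join(work, "CASE-0001.dd"),
                           examiner="examiner-1", case_id="CASE-0001")
    with open(os.path.join(work, "custody.json"), "w") as f:
        json.dump(record, f, indent=2)  # the record travels with the image
    return record


def tamper_check(record: dict) -> bool:
    """Flip one bit of the image after acquisition; verification must now fail."""
    with open(record["image"], "r+b") as f:
        f.seek(17)
        original = f.read(1)
        f.seek(17)
        f.write(bytes([original[0] ^ 0x01]))
    return verify_image(record)


if __name__ == "__main__":
    rec = demo()
    print(json.dumps(rec, indent=2))
    print("still verifies after tampering:", tamper_check(rec))
```

The record stores the hash of the source as well as of the image: if the original device is later re-hashed and the value differs, that points to the original having been altered after acquisition, which is exactly the situation a write blocker and the custody record are meant to rule out.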
Importance of these processes of acquiring data for investigation
The evidence collected is authentic. Its genuineness follows from the systematic acquisition process, in which the investigator ensures that the right information is collected.
The process is useful for determining the nature of the computer crime. The investigator collects evidence from each digital source, and that evidence narrows the investigation down to the specific cause of the attack.
The process is reliable. It is capable of proving every aspect related to the evidence, provided the relevant guidelines are followed and the evidence presented is authentic (Schweitzer, 2007).
The digital evidence collected is relevant to the court. The procedures follow legal rules in line with the jurisdiction and its policies, which makes the digital evidence admissible.
Challenges of forensic investigations
One difficulty is that the process is time-consuming. It consists of sequential steps, each of which must be completed before the next, so producing the final result takes a long time.
The process involves a great deal of documentation and reporting. Every process and procedure must be documented, which means considerable paperwork for each digital device and each step.
The process requires qualified personnel. The forensic investigator needs to be well equipped with knowledge of evidence collection, and organisations may need to outsource the work to specialist companies (Matthew Pepe, 2014).
ASSOCIATION OF CHIEF POLICE OFFICERS(ACPO)
ACPO was a private company limited by guarantee that led the development of policing practice in England, Wales and Northern Ireland. It provided a forum for chief police officers to coordinate strategy and operations and to share ideas, including on terrorism-related matters, and it advised the government on such matters (Anon., 2012). In 2015 it was replaced by the National Police Chiefs' Council.
Chiefly, ACPO coordinated major investigations, joint law enforcement and police operations, and cross-border policing.
Association of chief police officers (ACPO) Guidelines for conducting digital Forensic Investigations
The following are the principles (Anon., 2012)
Principle 1
No action taken by law enforcement agencies, persons employed within those agencies or their agents should change data which may subsequently be relied upon in court.
Principle 2
Where a person finds it necessary to access original data, that person must be competent to do so and must be able to give evidence explaining the relevance and the implications of their actions.
Principle 3
An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
Principle 4
The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.
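The following Python script is an added example (not from the ACPO guide or the source document) of how Principle 3 can be met in practice: each processing step applied to the evidence is recorded in a hash-chained audit trail, and an independent party checks the chain, re-runs a recorded step on the same image and compares its result with the recorded one. The evidence bytes, the examiner name and the string-carving step are constructed for the illustration.

```python
"""Tamper-evident audit trail for the steps applied to digital evidence.

Added example (not from the source document or the ACPO guide). The evidence
bytes and the examiner's steps are constructed for illustration; the
"third party" check re-runs a recorded processing step on the same image and
compares its output hash with the one in the trail.
"""
import hashlib
import json
import re
from typing import List, Optional

GENESIS = "0" * 64  # prev_hash of the first entry

# Constructed evidence image: a few junk bytes around some interesting strings.
EVIDENCE = (b"\x00\x00MZ\x90\x00" + b"login: alice@example.org\x00"
            + b"\xff" * 8 + b"pin=4321;" + b"\x00" * 4 + b"ignore")


def _digest(entry: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so that anyone recomputing
    # the digest from the stored fields gets exactly the same value.
    blob = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def append_step(trail: List[dict], examiner: str, action: str,
                tool: str, result_sha256: str) -> dict:
    """Record one processing step, chained to the previous entry's hash."""
    entry = {
        "seq": len(trail),
        "examiner": examiner,
        "action": action,
        "tool": tool,
        "result_sha256": result_sha256,
        "prev_hash": trail[-1]["entry_hash"] if trail else GENESIS,
    }
    entry["entry_hash"] = _digest(entry)
    trail.append(entry)
    return entry


def verify_trail(trail: List[dict]) -> Optional[int]:
    """Return None if every link holds, else the index of the first bad entry."""
    prev = GENESIS
    for i, e in enumerate(trail):
        fields = {k: v for k, v in e.items() if k != "entry_hash"}
        if (e.get("seq") != i or e.get("prev_hash") != prev
                or _digest(fields) != e.get("entry_hash")):
            return i
        prev = e["entry_hash"]
    return None


def carve_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Simple 'strings'-style carving of printable ASCII runs."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def result_hash(items: List[str]) -> str:
    return hashlib.sha256("\n".join(items).encode()).hexdigest()


def examiner_session() -> List[dict]:
    """The original examiner's work, as it would be recorded."""
    trail: List[dict] = []
    append_step(trail, "examiner-1", "acquire image", "dd",
                hashlib.sha256(EVIDENCE).hexdigest())
    append_step(trail, "examiner-1", "string carving, min_len=6",
                "carve_strings", result_hash(carve_strings(EVIDENCE, 6)))
    return trail


def third_party_reproduces(trail: List[dict]) -> bool:
    """Principle 3: an independent party checks the chain, then repeats the
    recorded step on the same image and must reach the same result."""
    if verify_trail(trail) is not None:
        return False
    acquired, carved = trail[0], trail[1]
    if hashlib.sha256(EVIDENCE).hexdigest() != acquired["result_sha256"]:
        return False
    return result_hash(carve_strings(EVIDENCE, 6)) == carved["result_sha256"]


def tampered_trail_index(trail: List[dict]) -> Optional[int]:
    """Someone edits a recorded result after the fact; the chain exposes it."""
    altered = json.loads(json.dumps(trail))  # deep copy
    altered[1]["result_sha256"] = "0" * 64
    return verify_trail(altered)
```

The trail records the tool and parameters of each step (here the carving threshold), because a third party can only achieve the same result if the step is specified precisely enough to be repeated.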
Guidelines set up by Scotland Yard
Scotland Yard issued instructions to give its officers direction; among other things they require an officer to ensure that they act within the scope of the search warrant (Anon., 2000).
The Regulation of Investigatory Powers (Scotland) Act 2000 (RIP(S)A) came into force to regulate the covert gathering of information about a person, including from third parties, when the subject is unaware that the information is being collected.
RIP(S)A also regulates covert surveillance, that is, the monitoring of a person who is unaware that they are under surveillance.
FBI guidelines for conducting a digital forensic investigation
The United States Federal Bureau of Investigation treats forensic analysis as one of its core capabilities and requires its personnel to adhere to the highest ethical standards. To carry out this work the FBI established the Computer Analysis and Response Team (Aric W Dutelle, 2019).
Law enforcement forensic work draws on whatever resources exist within the organisation: examinations may take place in a forensic laboratory, a detective squad room or a data processing department. Which unit performs the forensic work depends on the available expertise and is guided by departmental policy, and a valid and reliable outcome is expected regardless of where the analysis takes place.
Finally, the basic requirements of the process apply regardless of jurisdictional, political, technological or bureaucratic boundaries.
LEGAL AND ETHICAL REQUIREMENTS IN DIGITAL FORENSICS INVESTIGATIONS
Legal requirements
Forensic investigations cut across national and international legislation. The law may bar an analyst from examining material in a civil investigation, restrict the monitoring of a person's network conversations, and limit the seizure of information. In the UK the Police and Criminal Evidence Act 1984 (PACE) governs the powers under which law enforcement may seize evidence (Imam, 2018).
The UK Computer Misuse Act 1990 legislates against unauthorised access to computer material. The courts have not yet fully settled the extent of the right to privacy during a digital investigation.
The Electronic Communications Privacy Act (ECPA) in the US restricts the ability of law enforcement to access and intercept evidence. The Act draws a clear distinction between communications in transit and stored communications; because interception is treated as an invasion of privacy, obtaining a warrant is demanding. The ECPA also restricts how companies and organisations in the US may investigate the communications and computers of their employees.
In Europe, Article 8 of the European Convention on Human Rights protects private life and correspondence, limiting how personal data may be gathered and shared within the EU and with external countries; in effect it resembles the due-process requirements of the ECPA. In the UK the Regulation of Investigatory Powers Act 2000 governs the surveillance and interception powers under which law enforcement conducts digital investigations.
Ethical requirement
Ethics is the set of moral principles that regulate a person's behaviour. There are ethical requirements to follow when handling digital evidence; they help in achieving the outcome in a well-organised manner, and it is essential for the forensic investigator to maintain the highest level of ethical behaviour.
Before starting to gather evidence, the forensic investigator must have legal authority. Legal authority allows the investigator to request the items to be investigated without fear of being treated as an impostor.
The forensic investigator must maintain strict objectivity, so as to present precise and accurate findings to the court. The findings must be truthful before the law; an investigator must never fabricate information, which could result in a wrongful conviction.
Forensic examiners must also equip themselves with validated principles, so that they follow the applicable standards and regulations when conducting investigations. An investigator must not misrepresent professional memberships or affiliations; such misrepresentation damages the credibility of the firms they work with (Imam, 2018).
The ethical requirements above are only some of those in place. Following them keeps the work sound.
SOFTWARE THAT COULD BE USED TO COMPLETE A DIGITAL FORENSIC INVESTIGATION
The rate at which cybercrime is growing raises fears about the safety of documents. Vendors have responded by producing many tools that are useful in forensic investigations (Bodden, 2018)
ProDiscover
ProDiscover is a forensic tool that enables investigators to locate data on a computer's storage disk while protecting the collected evidence, and to create reports suitable for presenting that evidence in court.
Quick Stego
Quick Stego is a steganography tool rather than an encryption tool: it hides a text message inside an image file, concealing the existence of the message rather than scrambling its contents. An examiner needs to be aware of such tools, because data hidden this way is not revealed by an ordinary file listing or by searching for readable text.
HARDWARE THAT COULD BE USED TO COMPLETE A DIGITAL FORENSIC INVESTIGATION
Write blocker
A write blocker is a piece of equipment that allows data to be acquired from a drive without any possibility of accidentally modifying the drive's contents. It passes read commands through to the drive but blocks write commands.
File Systems of Windows
Windows uses file systems whose structures are useful in forensic investigation (L Sejean, 2009).
FAT (File allocation table).
FAT is a file system used by the operating system to locate files on a disk. The disk is divided into clusters, and the file allocation table holds one entry per cluster recording the next cluster of the file (or an end-of-chain marker), while each directory entry records a file's name, size and starting cluster. Following the chain through the table gives easy access to a file's data.
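The following Python code is an added example, not from the source document or the cited works; it covers both the FAT description above and the recovery of deleted files mentioned under Evidence examination. It builds a small FAT12 volume in memory (layout and contents chosen for the example), parses the BIOS Parameter Block, follows a fragmented cluster chain through the table to read a file, and carves a deleted file whose directory entry still exists but whose FAT chain the OS has cleared. Contiguous allocation of the deleted file is an assumption, noted in the code.

```python
"""Parse a FAT12 volume, follow a cluster chain, and recover a deleted file.

Added example (not from the source document). The volume is constructed in
memory: one boot sector, one FAT, a 16-entry root directory and 13 data
clusters of 512 bytes. It holds SECRET.TXT (fragmented across clusters
2 -> 4 -> 5) and a deleted NOTES.TXT whose chain the OS has already cleared.
"""
import struct


def get_fat12(fat: bytes, n: int) -> int:
    """Entry n: low 12 bits of the 16-bit word at n*3//2 for even n, high 12 for odd n."""
    off = n * 3 // 2
    word = int.from_bytes(fat[off:off + 2], "little")
    return (word >> 4) if n & 1 else (word & 0x0FFF)


def set_fat12(fat: bytearray, n: int, value: int) -> None:
    off = n * 3 // 2
    word = int.from_bytes(fat[off:off + 2], "little")
    word = (word & 0x000F) | (value << 4) if n & 1 else (word & 0xF000) | (value & 0x0FFF)
    fat[off:off + 2] = word.to_bytes(2, "little")


def dir_entry(name: str, ext: str, first_cluster: int, size: int, deleted: bool = False) -> bytes:
    e = bytearray(32)
    e[0:8], e[8:11], e[11] = name.ljust(8).encode(), ext.ljust(3).encode(), 0x20
    e[26:28] = first_cluster.to_bytes(2, "little")  # low word of the first cluster
    e[28:32] = size.to_bytes(4, "little")
    if deleted:
        e[0] = 0xE5  # deletion only overwrites the first name byte
    return bytes(e)


def build_image() -> bytes:
    """Constructed sample volume; every value here is chosen for the example."""
    boot = bytearray(512)
    boot[0:3], boot[3:11], boot[510:512] = b"\xEB\x3C\x90", b"MSWIN4.1", b"\x55\xAA"
    # BPB: bytes/sector, sectors/cluster, reserved, FATs, root entries, total sectors, media, sectors/FAT
    struct.pack_into("<HBHBHHBH", boot, 11, 512, 1, 1, 1, 16, 16, 0xF8, 1)
    fat = bytearray(512)
    for n, v in {0: 0xFF8, 1: 0xFFF, 2: 0x004, 3: 0x000, 4: 0x005, 5: 0xFFF}.items():
        set_fat12(fat, n, v)  # entry 3 is 0: freed when NOTES.TXT was deleted
    root = bytearray(512)
    root[0:32] = dir_entry("SECRET", "TXT", 2, 1100)
    root[32:64] = dir_entry("NOTES", "TXT", 3, 20, deleted=True)
    data = bytearray(512 * 13)                 # clusters 2..14
    data[0:512] = b"A" * 512                   # cluster 2
    data[512:532] = b"deleted note content"    # cluster 3: content still on disk
    data[1024:1536] = b"B" * 512               # cluster 4
    data[1536:1612] = b"C" * 76                # cluster 5 (slack space after byte 76)
    return bytes(boot + fat + root + data)


class Fat12Volume:
    def __init__(self, img: bytes):
        if img[510:512] != b"\x55\xAA":
            raise ValueError("missing boot signature")
        (self.bps, self.spc, reserved, nfats, root_entries,
         self.total_sectors, _media, spf) = struct.unpack_from("<HBHBHHBH", img, 11)
        self.img = img
        self.fat = img[reserved * self.bps:(reserved + spf) * self.bps]  # first FAT copy
        root_sector = reserved + nfats * spf
        root_bytes = root_entries * 32
        self.root = img[root_sector * self.bps:root_sector * self.bps + root_bytes]
        self.data_sector = root_sector + -(-root_bytes // self.bps)  # ceil division
        self.cluster_size = self.spc * self.bps

    def cluster(self, n: int) -> bytes:
        off = (self.data_sector + (n - 2) * self.spc) * self.bps  # numbering starts at 2
        return self.img[off:off + self.cluster_size]

    def chain(self, first: int) -> list:
        out, n = [], first
        while 2 <= n < 0xFF8 and n not in out:  # 0xFF8..0xFFF ends a chain; also stop on loops
            out.append(n)
            n = get_fat12(self.fat, n)
        return out

    def list_root(self) -> list:
        entries = []
        for i in range(0, len(self.root), 32):
            e = self.root[i:i + 32]
            if e[0] == 0:
                break  # no further entries
            deleted = e[0] == 0xE5
            raw = (b"?" + e[1:8]) if deleted else e[0:8]
            name = raw.decode("ascii").rstrip() + "." + e[8:11].decode("ascii").rstrip()
            entries.append({"name": name, "deleted": deleted,
                            "first_cluster": int.from_bytes(e[26:28], "little"),
                            "size": int.from_bytes(e[28:32], "little")})
        return entries

    def read_file(self, entry: dict) -> bytes:
        data = b"".join(self.cluster(c) for c in self.chain(entry["first_cluster"]))
        return data[:entry["size"]]

    def carve_deleted(self, entry: dict) -> bytes:
        """The chain was zeroed on delete, so assume contiguous allocation from the
        recorded first cluster (an assumption; fragmented files need more work)."""
        n = -(-entry["size"] // self.cluster_size)
        data = b"".join(self.cluster(entry["first_cluster"] + k) for k in range(n))
        return data[:entry["size"]]
```

The deleted file is recoverable only because deletion on FAT rewrites one byte of the directory entry and clears the chain; the data clusters themselves are untouched until reused, which is why acquisition behind a write blocker matters: any write to the volume could allocate over them.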
New technology file system (NTFS)
NTFS is a file system that provides security for files and folders. Security is enforced through permissions on folders and files: each file and folder carries an Access Control List whose entries grant or deny access to specific users and groups.
FILE STRUCTURE OF LINUX BASED OPERATING SYSTEM
Linux distributions typically use the ext family of file systems (ext2, ext3 and ext4), mounted into a single directory tree rooted at /. Mac OS, which like Linux is a Unix-like operating system, has its own file system and its own imaging approach, discussed below (Årnes, 2018)
Mac OS File system
Mac OS X is a UNIX-based operating system built on the XNU kernel, which combines a Mach 3 microkernel with a FreeBSD-derived subsystem; its native file system was HFS+ and is now APFS. Mac OS X provides a technique for creating forensic duplicates: the affected computer is booted into "Target Disk Mode", in which it behaves like an external drive. Using this mode, the investigator creates a forensic copy of the affected computer's disk over a FireWire (or, on newer machines, Thunderbolt) cable connecting it to the examiner's Mac. Target Disk Mode itself does not block writes, so the examiner's machine must not auto-mount the volume read-write; a write blocker or a read-only mount is still required.
CONCLUSION
Cybercrime is reported frequently, with institutions suffering losses and vast amounts of sensitive information reported missing. Vendors have produced advanced forensic tools for retrieving lost data, and these tools have been of great help to investigators in extracting, analysing and recovering affected data.
REFERENCES
Anon., 2000. Regulation of Investigatory Powers (Scotland) Act 2000. [Online]
Available at: https://www.legislation.gov.uk/asp/2000/11/pdfs/asp_20000011_en.pdf
[Accessed 18 June, 2019].
Anon., 2012. ACPO Good Practice Guide for Digital Evidence. [Online]
Available at: https://www.digital-detective.net/digital-forensics-documents/ACPO_Good_Practice_Guide_for_Digital_Evidence_v5.pdf
[Accessed 18 June, 2019].
Aric W Dutelle, R. F. B., 2019. Criminal investigation. 5th ed. Burlington: Jones & Bartlett Learning.
Årnes, A., 2018. Digital forensics. 2nd ed. Hoboken: John Wiley & Sons.
Bodden, V., 2018. Digital forensics. 2nd ed. Mankato: Creative Education Creative Paperbacks.
Imam, F., 2018. COMPUTER FORENSICS: LEGAL AND ETHICAL PRINCIPLES. [Online]
Available at: https://resources.infosecinstitute.com/category/computerforensics/introduction/areas-of-study/legal-and-ethical-principles/#gref
[Accessed 19 June, 2019].
L Sejean, M. W., 2009. Computer forensics. 2nd ed. Geelong: Deakin University, School of Information Technology.
Maras, M.-H., 2014. Computer Forensics. 2nd ed. Sudbury: Jones & Bartlett Learning, LLC.
Matthew Pepe, J. T. L. R. K. K. M., 2014. Incident response & computer forensics. 3rd ed. New York: McGraw-Hill Education.
Schweitzer, D., 2007. Incident response: computer forensics toolkit. 2nd ed. Indianapolis: Wiley.
William Saulsbury, M. H. B. I., 1994. Using physical evidence: an examination of police decision making: a report of the Forensic Science Service and the Association of Chief Police Officers joint research project. 1st ed. Chippenham: Police Foundation.