Although digital forensics has traditionally been the domain of those in the IT/cybersecurity field, I find more individuals are taking matters into their own hands; this is much like how, in the not-too-distant past, photo editing was done mainly by professionals in that field. Now, any teenager with half of a working brain can Photoshop something passable in quality while simultaneously eating Pizza Rolls and chatting with their friends. In this post, I will show how relatively simple the process of computer forensics is, some tools of the trade, and how this all applies to the future of cybersecurity.
Computer forensics, also commonly referred to as digital forensics, is a branch of forensic science concerned with information held on computers and digital storage media that can be used as legal evidence. It is called upon when hardware or software fails and data needs to be recovered, during legal proceedings, or when terminating an employee. By collecting, analyzing, and reporting on digital data, digital crime can be prevented and detected, and the data can be used in any dispute where the evidence is stored digitally. Digital forensics applies to various areas of crime and conflict, including industrial espionage, employment disputes, fraud investigations, forgeries, bankruptcy investigations, regulatory compliance, and inappropriate internet/email use in the workplace.
Let’s begin with the basics of digital forensics separated into six stages.
In the first stage, readiness, those involved in the forensic process must gain and continuously maintain the proper training, testing, and verification. Ensuring the readiness of the forensic examiner means they have the current software and equipment necessary for the procedure, are familiar with the relevant legislation, and have their data extraction (on-site acquisition) kit complete and ready to go.
During the evaluation stage, instructions on the task at hand are received and clarified. The forensic examiner or law enforcement will carry out a risk assessment covering the possible risks, safety issues, and when and where the examination will take place. For example, if the digital property is stored off-site at the suspect's house, there will need to be proper planning for the resistance the examiner may encounter. Furthermore, if the material or situation is sensitive, there may be an increased risk to the accuser's or suspect's finances or reputation. I find that a carefully written report outlining all of the possible outcomes and potential issues is ideal in most situations. Expect the best but prepare for the worst.
In the collection stage, the materials, data, and evidence needed are acquired. Evidence can be acquired by making a copy of the data in question through a write blocker (software or hardware that allows data to be read from a drive without any possibility of altering the drive's contents). Additionally, a bit-by-bit/mirror-image backup can be performed, copying every area of a drive or storage device onto a separate device. Whichever of the many collection methods is used, the environment and security of the location are vital to the entire collection phase. If possible, all procedures should be completed in a computer forensic laboratory, with strict control over who does what and who enters the room, and with each separate item in the investigation clearly marked and bagged. Just like the crime scene detectives you see on TV, a single error during the investigation, such as an improperly marked piece of evidence, can be used to dismantle the credibility of the entire operation's results.
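The write-blocked, bit-by-bit copy described above is only trustworthy if the copy can be proven identical to the original, which is what hashing the source and the image gives you. The following is an added example, not code from the original post or from any of the tools it names: it images a source bit for bit, hashes both sides independently, and shows that a single flipped byte in the image is caught on re-verification. Assumptions: the source is a regular file standing in for a raw device, the "drive" contents are constructed in a temporary directory, and the helper names (hash_file, acquire_image, verify_image, demo) are hypothetical.

```python
"""Added example, not code from the original post: a bit-for-bit acquisition
of a source device or file with independent hash verification, the guarantee
a write-blocked, hash-verified image is supposed to give. Assumptions: the
source is a regular file standing in for a raw device, and the helper names
(hash_file, acquire_image, verify_image, demo) are hypothetical."""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB reads keep memory flat on large media


def hash_file(path, algorithm="sha256"):
    """Stream-hash a file; the same digest for source and image means the same bytes."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, destination):
    """Copy every byte of `source` to `destination` and hash both sides.

    The source is opened read-only ("rb"); a hardware write blocker enforces
    the same thing at the bus, so even a buggy tool cannot alter the original.
    The source hash is taken from the bytes as they are read, the image hash
    from a separate re-read of the written file, so a silent write failure
    shows up as a mismatch instead of being masked.
    """
    src_hash = hashlib.sha256()
    with open(source, "rb") as src, open(destination, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(chunk)
            dst.write(chunk)
    image_digest = hash_file(destination)
    return {
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": image_digest,
        "bytes": os.path.getsize(destination),
        "verified": src_hash.hexdigest() == image_digest,
    }


def verify_image(path, expected_sha256):
    """Re-verify an image against the acquisition record before analysis starts."""
    return hash_file(path) == expected_sha256


def demo():
    """Constructed 'drive' of random bytes: image it, verify it, then show that
    a single flipped byte in the image is caught on re-verification."""
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "evidence.raw")
        with open(source, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 123) + b"END-OF-DRIVE")
        image = os.path.join(d, "evidence.dd")
        record = acquire_image(source, image)
        first_check = verify_image(image, record["source_sha256"])
        with open(image, "r+b") as f:  # simulate post-acquisition tampering
            first = f.read(1)
            f.seek(0)
            f.write(bytes([first[0] ^ 0xFF]))  # flip one byte, guaranteed to differ
        second_check = verify_image(image, record["source_sha256"])
        return record["verified"], first_check, second_check


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The acquisition record (source hash, image hash, byte count) is what goes into the chain-of-custody notes; every later tool that opens the image should be pointed at the same hash so a mismatch is caught before any analysis result depends on it.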
Potential Technical Issues
The amount of data that storage devices can hold keeps increasing, making the digital forensics process more difficult. For example, if the storage device you are collecting data from has a massive capacity, you will need an equally large duplicate storage device, as well as enough processing power to copy and process it efficiently.
Encrypted data, that is, data rendered unviewable or inaccessible without the correct key or password, can certainly put a stop to many investigations. However, there are methods to get past encryption, including finding the key or code (keys tend to be saved on the device in question, on a separate digital device, or even written down on a piece of paper). You can also attempt to guess the key using an educated guess (the owner's birthdate, their passcodes to other devices or accounts) or use a brute-force attack, in which software automatically tries millions of passwords per second. Remember that with many encryption schemes you will be permanently locked out, or the data will be erased, if too many incorrect attempts are made. Finally, there are numerous flaws to be found in encryption schemes, and you can sometimes access the plaintext on the device if it is still in use by its owner.
Just like in comic books, the hero of the story tends to have their exact opposite in the form of a villain. With digital forensics, there is just as much (if not more) technology and advancement behind anti-forensics as there is behind digital forensics. Encryption, modifying file metadata, and file obfuscation (disguising files) are all methods that make our job more difficult.
After all of the data and evidence has been collected, the next stage is analysis: ensuring that the procedure is thorough, recorded, accurate, repeatable, and completed on time and within budget. There are several tools one can use to analyze the collected data. The SANS SIFT (SANS Investigative Forensic Toolkit) is an excellent free option because it has all the tools one could require for an in-depth forensic investigation. SIFT supports analysis of Expert Witness Format, RAW, and AFF evidence, and its UI is simple to view and use. SIFT features cross-compatibility between Linux and Windows and is filled with the latest forensic techniques and accountability methods. Whichever method you choose to analyze the data, it is always recommended to reproduce the results with a separate tool, which strengthens your case immensely.
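File obfuscation of the kind mentioned above is often nothing more than a renamed file, so one of the first checks in the analysis stage is to compare each file's extension with the magic bytes at the start of its content. The following is an added example, not code from the original post or from any forensic tool: it walks a directory and flags files whose content type disagrees with their extension. Assumptions: the signature table is deliberately small (real tools carry far more entries), the sample files are constructed in a temporary directory, and the function names (detect_type, extension_mismatches, demo) are hypothetical.

```python
"""Added example, not code from the original post: flag files whose extension
does not match their magic bytes, a basic check for the "file obfuscation"
anti-forensic technique. The signature table is a small assumption; real
tools carry far more entries. Sample files are constructed in a temp dir."""
import os
import tempfile

# (type name, magic-byte prefixes, extensions that legitimately carry it)
SIGNATURES = [
    ("jpeg", (b"\xff\xd8\xff",), {"jpg", "jpeg"}),
    ("png", (b"\x89PNG\r\n\x1a\n",), {"png"}),
    ("gif", (b"GIF87a", b"GIF89a"), {"gif"}),
    ("pdf", (b"%PDF-",), {"pdf"}),
    ("zip", (b"PK\x03\x04", b"PK\x05\x06"), {"zip", "docx", "xlsx", "pptx", "jar"}),
]
HEADER_LEN = 16  # longest signature above is 8 bytes; 16 leaves headroom


def detect_type(header):
    """Return (type, allowed extensions) for a file header, or None if unknown."""
    for name, magics, allowed in SIGNATURES:
        if any(header.startswith(m) for m in magics):
            return name, allowed
    return None


def extension_mismatches(root):
    """Walk `root` and return sorted (relative path, claimed ext, actual type)
    for every file whose content type is known and disagrees with its name."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                header = f.read(HEADER_LEN)
            detected = detect_type(header)
            if detected is None:
                continue  # unknown content: nothing to compare against
            actual, allowed = detected
            ext = os.path.splitext(name)[1].lstrip(".").lower()
            if ext not in allowed:
                findings.append((os.path.relpath(path, root), ext, actual))
    return sorted(findings)


def demo():
    """Constructed evidence set: two honest files, two disguised ones, and one
    unknown blob that must not be flagged."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 32
    pdf = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n" + b"\x00" * 32
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "photo.jpg": jpeg,
            "invoice.pdf": pdf,
            "notes.txt": jpeg,      # image hidden behind a text extension
            "archive.zip": pdf,     # document renamed to look like an archive
            "random.bin": b"\x00" * 40,
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        return extension_mismatches(root)


if __name__ == "__main__":
    for rel, ext, actual in demo():
        print(f"{rel}: extension '{ext}' but content is {actual}")
```

A mismatch is a lead, not a conclusion: the finding should be recorded with the file's path, hash, and both the claimed and detected types, and then confirmed with a second tool, as the analysis section recommends.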
Next, compile your findings on the case into a structured report to be delivered. Using information from each of the previous stages, such as your initial instructions, the risks, how you collected the digital evidence, and how you processed and analyzed it, you can develop a clear and precise report. Keep in mind your reader's technical skill level; as with any paper, you do not want to use unnecessarily complicated terms. Along with the report, be prepared to discuss and defend your findings in person and over the phone, as there will undoubtedly be material and events that need further clarification.
For our last step, the review stage is vital to strengthening the digital forensic process for your next case: learn from your mistakes, evolve your methods, and keep detailed notes. A simple overview of how the analysis went, what problems came up, what the total cost was, and what the results were will let you fine-tune your procedures for the next time your services are needed.
Tools of the Trade
Numerous computer forensic tools help in this process. Disk imaging software captures the data on a hard drive, and several different types are currently available; data capture can be done with FTK Imager or Microsoft's Disk2vhd. Hashing tools compare an original hard drive with its copy by computing a digest of each. File recovery programs are another helpful tool that allows lost data to be recovered; they search a PC for data that isn't actually gone yet, just marked as deleted. Software and hardware write tools enable a hard drive to be reconstructed bit by bit; this doesn't change the data, it just makes a copy. Finally, EnCase is one of my favorite tools, performing several tasks such as disk imaging, verification, and data analysis.
Many of these tools are free to download, while some can be quite costly; however, a free equivalent usually exists, even if it is made by a different company. I would personally use SANS SIFT (SANS Investigative Forensic Toolkit) because it has all the tools one could require for an in-depth forensic investigation, and the free SIFT toolkit can match any modern-day tool in functionality. SIFT supports analysis of Expert Witness Format, RAW, and AFF evidence, and its UI is easy to view and use. SIFT also features cross-compatibility between Linux and Windows. Computer forensics tools and training are essential: computers don't lie, and we all run into problems or conflicts every day that call for data identification and retrieval methods.
Digital forensic procedures are quickly evolving from their previously hidden status into mainstream common knowledge. What does this mean for the future of digital security? Well, for starters, having the general public informed and well-versed in digital forensic methods only strengthens their ability to cover their digital footprints effectively, properly delete otherwise harmful data, and make life that much harder for those of us who work in IT/cybersecurity by knowing how to prevent us from doing our jobs. I would imagine that if the general population continues its current trend of steadily coming to terms with the world of technology, we as security professionals will eventually have to change our best practices for retrieving deleted data, accessing protected files, and other forensic techniques. What do you think?
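The "marked as deleted but not yet overwritten" case is exactly what signature-based file carving recovers: the directory entry is gone, but the bytes are still in the image and can be found by their header and footer. The following is an added example, not code from the original post or from any of the tools it names: it scans a raw disk image for JPEG and PNG objects and writes each one out under an offset-plus-hash name. Assumptions: the header/footer table and the size cap are chosen for the demo, the disk image is constructed in memory, and the function names (carve, carve_to_files, build_demo_image) are hypothetical.

```python
"""Added example, not code from the original post: signature-based carving of
image files out of a raw disk image, the technique file recovery tools use
when a file's directory entry is gone but its bytes are not yet overwritten.
Assumptions: the header/footer table and size cap are chosen for the demo,
and the disk image is constructed in memory."""
import hashlib
import os

# type -> (header, footer): the JPEG SOI/EOI markers and the PNG signature
# plus its IEND chunk with the chunk's fixed CRC.
CARVERS = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_FILE = 16 * 1024 * 1024  # give up looking for a footer after 16 MiB


def carve(image):
    """Return sorted (offset, type, length) for every header whose footer is
    found within MAX_FILE bytes; headers with no footer are skipped."""
    found = []
    for kind, (head, tail) in CARVERS.items():
        pos = 0
        while True:
            start = image.find(head, pos)
            if start < 0:
                break
            end = image.find(tail, start + len(head), start + MAX_FILE)
            if end < 0:
                pos = start + 1  # orphaned or truncated header, keep scanning
                continue
            end += len(tail)
            found.append((start, kind, end - start))
            pos = end
    return sorted(found)


def carve_to_files(image, outdir):
    """Write each carved object to outdir, named by offset and content hash so
    the same object recovered twice is recognisable; returns the file names."""
    os.makedirs(outdir, exist_ok=True)
    names = []
    for offset, kind, length in carve(image):
        data = image[offset:offset + length]
        name = f"{offset:08x}_{hashlib.sha256(data).hexdigest()[:12]}.{kind}"
        with open(os.path.join(outdir, name), "wb") as f:
            f.write(data)
        names.append(name)
    return names


def build_demo_image():
    """Constructed image: zeroed slack, a minimal JPEG, an unlinked PNG, and a
    stray JPEG header with no footer (which must not be carved)."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 40 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 30 + b"IEND\xaeB`\x82"
    slack = b"\x00" * 512
    return (slack + jpeg + slack + b"deleted-but-not-overwritten " + png
            + slack + b"\xff\xd8\xff" + b"\x00" * 8)


if __name__ == "__main__":
    for offset, kind, length in carve(build_demo_image()):
        print(f"{kind} at offset {offset}, {length} bytes")
```

Carving is run against the verified image, never the original media, and the carved objects are hashed on output so that the report can tie each recovered file back to an exact offset in an image with a known hash.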