Jump to content

Digital forensics

This is a good article. Click here for more information.
From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by ErrantX (talk | contribs) at 22:53, 4 February 2011 (Forms and uses: wording). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Part of a series on
Forensic science
Physiological
Social
Criminalistics
Digital forensics
Related disciplines
Related articles

Digital forensics (sometimes Digital forensic science) is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime.[1][2] The term digital forensics was originally used as a synonym for computer forensics but has expanded to cover all devices capable of storing digital data and is now used to describe the entire field.[1] The discipline evolved in a haphazard manner during the 1990s and it was not until the early 2000s that national policies were created.

Investigations can fall into three categories, forensic analysis, where evidence is recovered to support or oppose a hypothesis before a criminal court, eDiscovery, a form of discovery related to civil litigation, or intrusion investigation, a specialist investigation into the nature and extent of an unauthorized network intrusion. The technical side of investigations is divided into several sub-branches; computer forensics, network forensics, database forensics and mobile device forensics. Any number of the fields may be utilised in an investigation.

As well as identifying direct evidence of a crime, digital forensics can be used to attribute evidence to specific suspects, confirm alibis or statements, determine intent, identify sources (for example, in copyright cases) or authenticate documents.[3] Investigations are much broader in scope than other areas of forensic analysis (where the usual aim is to provide answers to a series of simpler questions) often involving complex time-lines or hypothesis.[4]

History

Aerial photo of FLETC, where US digital forensics standards were developed in the 80s and 90s

Prior to the 1980s crimes involving computers were dealt with using existing laws. The first computer crimes were recognized in the 1978 Florida Computer Crimes Act, which included legislation against the unauthorized modification or deletion of data on a computer system.[5][6] Over the next few years the range of computer crimes being committed increased, and laws were passed to deal with issues of copyright, privacy/harassment (e.g., cyber bullying, cyber stalking, and online predators) and child pornography.[7][8] It was not until the 1980s that federal laws began to incorporate computer offences. Canada was the first country to pass legislation in 1983.[6] This was followed by the US Federal Computer Fraud and Abuse Act in 1986, Australian amendments to their crimes acts in 1989 and the British Computer Abuse Act in 1990.[6][8] More recently, concern over cyber warfare and cyberterrorism has become an important issue. A February 2010 report by the U.S. Joint Forces Command concluded:

Through cyberspace, enemies will target industry, academia, government, as well as the military in the air, land, maritime, and space domains. In much the same way that airpower transformed the battlefield of World War II, cyberspace has fractured the physical barriers that shield a nation from attacks on its commerce and communication.[9]

1980s-1990s: Growth of the field

In response to the growth in computer crime during the 1980s and 1990s law enforcement agencies began to establish specialized investigative groups, usually at the national level. In 1984 the FBI launched a Computer Analysis and Response Team, the following year a computer crime department was set up within the British Metropolitan Police fraud squad. Many of the early members of these groups were computer hobbyists as well as law enforcement.[10][11] Throughout the 1990s there was high demand for the these basic resources, eventually leading to the creation of regional and even local level units. For example, the British National Hi-Tech Crime Unit was set up in 2001 to provide a national structure; with personnel centrally in London and the various regional police forces (the unit was folded into the Serious Organised Crime Agency (SOCA) in 2006).[11]

During this period the science of digital forensics grew out of ad-hoc tools and techniques developed by practitioners. This is in contrast to other forensics disciplines which grew out of work by the scientific community.[1][12] The first use of the term "computer forensics" in academic literature was in a 1992 paper by Collier and Spaul, aimed at justifying the new discipline to the forensic science world. Prior to this it had been used informally, both in and out of court.[13][14]

The rapid development of the discipline resulted in a lack of standardization and training. In his 1995 book, "High-Technology Crime: Investigating Cases Involving Computers", K Rosenblatt writes:[6]

Seizing, preserving, and analyzing evidence stored on a computer is the greatest forensic challenge facing law enforcement in the 1990s. Although most forensic tests, such as fingerprinting and DNA testing, are performed by specially trained experts the task of collecting and analyzing computer evidence is often assigned to patrol officers and detectives[15]

2000s: Developing standards

In 2002, in response to this need, the Scientific Working Group on Digital Evidence (SWGDE) published its "Best practices for Computer Forensics".[16] A subsequent 2005 ISO standard (ISO 17025 General requirements for the competence of testing and calibration laboratories) was created and commercial companies began to offer certification and training programs.[6][17] A European lead international treaty, the Convention on Cybercrime, came into force in 2004 with the aim of reconciling national computer crime laws and investigative techniques and to improve international co-operation. The treaty has been signed by 43 nations (including the US, Canada, Japan, South Africa, UK and other European nations) and ratified by 16. In response to the training issue digital analysis was included in the UK specialist investigator training facility, Centrex.[11]

In the twenty first century mobile devices have become more widely available and have advanced beyond simple communication devices. These devices can be rich forms of information, even for crime not traditionally associated with digital forensics.[18] Despite this digital analysis of phones has lagged behind traditional computer media, largely due to problems over the proprietary nature of devices.[19]

The field still faces issues. In their 2009 paper, "Digital Forensic Research: The Good, the Bad and the Unaddressed", Peterson and Shenoi identified a bias towards Windows operating systems in digital forensics research.[20] In 2010 Simson Garfinkel identified issues facing digital investigations in the future. Including the increasing size of digital media, the wide availability of encryption to consumers, a growing variety of operating systems and file formats, individuals owning multiple devices and legal limitations on investigators. The paper also identified continued training issues, as well as the prohibitively high cost of entering the field.[21]

Investigative tools

Main article: List of digital forensics tools

During the 1980s very few specialised digital forensic tools existed and investigators often performed live analysis on media, examining computers from within the operating system using existing sysadmin tools to extract evidence. This risked modifying data on the disk (inadvertently or otherwise) leading to claims of evidence tampering. In the early 1990s a number of tools were created to allow investigations to take place without the risk of altering data.

The need for such software was first recognised in 1989 at the Federal Law Enforcement Training Center, resulting in the creation of IMDUMP (by Michael White) and in 1990, SafeBack (developed by Sydex). Similar pieces of software were produced in other countries; DIBS (a hardware and software solution) was released commercially in the UK in 1991 and Rob McKemmish released Fixed Disk Image free to Australian law enforcement.[10] These tools allowed examiners to create an exact copy of a piece of digital media to work on; leaving the original disk intact for verification. By the end of the 90s, as demand for digital evidence grew more advanced, commercial tools (EnCase, FTK, etc.) were developed that allowed analysts to examine copies of media without using any live forensics.[6]

More recently the same progression of tool development has occurred for mobile devices; initially investigators accessed data directly on the device, these were soon replaced with specialist tools (such as XRY or Radio Tactics Aceso).[6]

Notable investigations

One of the first practical (or at least publicised) examples of digital forensics was Cliff Stoll's pursuit of hacker Markus Hess in 1986. Stoll was not a specialised examiner, and his investigation made use of both computer and network forensic techniques.[21] Many of the earliest forensic examinations followed the same profile.[22]

Forms and uses

An example of an image's EXIF metadata that might be used to prove its origin

Investigations can take one of three forms. Firstly as a forensic examination, traditionally associated with criminal law, where evidence is collected to support or oppose a hypothesis. Like other areas of forensics this is often part of a wider investigation spanning a number of disciplines. In civil litigation or corporate matters the process is referred to as electronic discovery (or eDiscovery). The forensic procedure is similar to that used in criminal investigations but with different legal requirements and limitations. Finally, intrusion investigation is a specialist examination into the nature and extent of an unauthorized network intrusion. Intrusion analysis is usually performed as a damage limitation exercise after an attack, both to establish the extent of any intrusion and to try and identify the attacker.[4][3] Such attacks were commonly conducted over phone lines during the 1980s, but in the modern era are usually propagated over the internet.[23]

The main use of digital forensics is to recover objective evidence of a criminal activity (termed actus reus in legal parlance). However the diverse range of data held in digital devices can help with other areas of investigation.[3]

Attribution
Meta data and other logs can be used to attribute actions to an individual. For example, personal documents on a computer drive might identify its owner.
Alibis and statements
Information provided by those involved can be cross checked with digital evidence. For example, during the investigation into the Soham murders, the offenders alibi was disproven when mobile phone records of the person he claimed to be with showed she was out of town at the time.
Intent
As well as finding objective evidence of a crime being committed, investigations can also be used to prove the intent (known by the legal term mens rea). For example, the Internet history of convicted killer Neil Entwistle included references to a site discussing How to kill people.
Evaluation of source
File artifacts and meta-data can be used to identify the origin of a particular piece of data; for example, older versions of Microsoft Word embedded a Global Unique Identifer into files which identified the computer it had been created on. Proving whether a file was produced on the digital device being examined or obtained from elsewhere (e.g., the Internet) can be very important.[3]
Document authentication
Related to "Evaluation of Source", meta data associated with digital documents can be easily modified (for example, by changing the computer clock you can affect the created date of a file). Document authentication relates to detecting and identifying falsification of such details.

Limitations

One major limitation to a forensic investigation is the use of encryption; this disrupts initial examination where pertinent evidence might be located using keywords. In addition laws to compel individuals to disclose encryption keys] are still relatively new and controversial.[21]

The examination of digital media is covered by a number of national and international laws. For civil investigations in particular laws may restrict the abilities of analysts to undertake examinations. Restrictions against network monitoring, or reading of personal communications often exist.[24] For criminal investigation, national laws restrict how much information can be seized.[24]

The "International Organization on Computer Evidence" (IOCE) is one agency that works to establish compatible international standards for the seizure of evidence.[25]

Legality of investigation

In the UK the same laws covering computer crime can also affect forensic investigators. The 1990 computer misuse act legislates against unauthorised access to computer material; this is a particular concern for civil investigators.

Digital evidence

Digital evidence can come in a number of forms
Main article: Digital evidence

Where it will be used in a court of law, digital evidence falls under the same legal guidelines as other forms of evidence, courts do not usually require more stringent guidelines.[6][26] In the United States the Federal Rules of Evidence are used to evaluate the admissibility of digital evidence, the United Kingdom PACE and Civil Evidence acts have similar guidelines and many other countries have their own laws. US federal laws restrict seizures to items with only obvious evidential value. This is acknowledged as not always being possible to establish with digital media prior to an examination.[24]

Laws dealing with digital evidence refer to two considerations; integrity and authenticity. Integrity is ensuring that the act of seizing and acquiring digital media does not modify the evidence (either the original or the copy). Authenticity refers to the ability to confirm the integrity of information; for example that the imaged media matches the original evidence.[24] The ease with which digital media can be modified means that documenting the chain of custody from the crime scene, through analysis and, ultimately, to the court, (a form of audit trail) is important to establish the authenticity of evidence.[6]

Attorneys have argued that because digital evidence can theoretically be altered it undermines the reliability of the evidence. US judges are beginning to reject this theory, in the case US v. Bonallo the court ruled that "the fact that it is possible to alter data contained in a computer is plainly insufficient to establish untrustworthiness".[6][27] In the United Kingdom guidelines such as those issued by ACPO are followed to help document the authenticity and integrity of evidence.

Digital investigators, particularly in criminal investigations, have to ensure that conclusions are based upon factual evidence and their own expert knowledge.[6] In the US, for example, Federal Rules of Evidence state that a qualified expert may testify “in the form of an opinion or otherwise” so long as:

(1) the testimony is based upon sufficient facts or data, (2) the testimony is the product of reliable principles and methods, and (3) the witness has applied the principles and methods reliably to the facts of the case.[28]

Many of the sub-branches of digital forensics have their own specific guidelines for handling and investigating evidence. For example, mobile phones are often acquired inside a Faraday shield to stop radio traffic to the device. Or, in the UK forensic examination of computers in criminal matters is subject to ACPO guidelines.[6]

Forensic Process

A portable Tableau write-blocker attached to a Hard Drive
Main article: Digital forensic process

A digital forensic investigation commonly consists of 3 stages; acquisition or imaging of exhibits, analysis and reporting.[6][29]

The first stage, acquisition, involves creating an exact sector level duplicate (or "forensic duplicate") of the media, often using a write blocking device to prevent modification. Both acquired image and original media are hashed (using SHA-1 or MD5) and the values compared to verify the image is accurate.[30]

During the analysis phase an investigator usually recovers evidence material using a number of different methodologies (and tools). In 2002 the International Journal of Digital Evidence referred to this stage as "an in-depth systematic search of evidence related to the suspected crime".[1] In 2006, forensics researcher Brian Carrie described a more "intuitive procedure" in which obvious evidence is first identified after which "exhaustive searches are conducted to start filling in the holes"[4]

Once evidence is recovered the information is analysed to reconstruct events or actions and to reach conclusions, work that can often be performed by less specialist staff.[1] When an investigation is complete the investigator presents his data, usually in the form of a written report, in lay persons terms.[1]

Branches

Digital forensics includes several sub-branches relating to the investigation of various types of devices, media or artefacts.

Computer forensics

Main article: Computer forensics

The goal of computer forensics is to explain the current state of a digital artifact; such as a computer system, storage medium or electronic document.[31] The discipline usually covers computers, embedded systems (digital devices with rudimentary computing power and onboard memory) and static memory (such as USB pen drives).

Computer forensics can deal with a broad range of information; from logs (such as internet history) through to the actual files on the drive. In 2007 prosecutors used a spreadsheet recovered from the computer of Joseph E. Duncan III to show premeditation and secure the death penalty.[3] Sharon Lopatka's killer was identified in 2006 after email messages from him detailing torture and death fantasies were found on her computer.[6]

Mobile phones in a UK Evidence bag

Mobile device forensics

Main article: Mobile device forensics

Mobile device forensics is a sub-branch of digital forensics relating to recovery of digital evidence or data from a mobile device. It differs from Computer forensics in that a mobile device will have an inbuilt communication system (e.g. GSM) and, usually, proprietary storage mechanisms. Investigations usually focus on simple data such as call data and communications (SMS/Email) rather than in-depth recovery of deleted data.[6][32] SMS data from a mobile device investigation helped to exonerate Patrick Lumumba in the murder of Meredith Kercher.[3]

Mobile devices are also useful for providing location information; either from inbuilt gps/location tracking or via cell site logs (which track the devices within their range). Such information was used to track down the kidnappers of Thomas Onofri in 2006.[3]

Network forensics

Main article: Network forensics

Network forensics relates to the monitoring and analysis of computer network (both local network and WAN/internet) traffic for the purposes of information gathering, legal evidence or intrusion detection.[33] Traffic is intercepted (usually at the packet level) and either stored for later analysis with specialist tools or filtered in real time for relevant information. Unlike other areas of digital forensics, network data is often volatile and seldom logged, making the discipline often reactionary.

In 2000, the FBI lured computer hackers Aleksey Ivanov and Gorshkov to the United States for a fake job interview. By monitoring network traffic from the pair's computers, the FBI identified passwords that let it collect evidence directly from Russia-based computers.[6][34]

Database forensics

Main article: Database forensics

Database forensics is a branch of digital forensics relating to the forensic study of databases and their metadata.[35] Investigations use database contents, log files and in-RAM data in order to build a time-line or recover relevant information.

See also

References

  1. ^ a b c d e f M Reith, C Carr, G Gunsch (2002). "An examination of digital forensic models". International Journal of Digital Evidence. Retrieved 2 August 2010.{{cite web}}: CS1 maint: multiple names: authors list (link)
  2. ^ Carrier, B (2001). "Defining digital forensic examination and analysis tools". Digital Research Workshop II. Retrieved 2 August 2010.
  3. ^ a b c d e f g Various (2009). Eoghan Casey (ed.). Handbook of Digital Forensics and Investigation. Academic Press. p. 567. ISBN 0123742676. Retrieved 27 August 2010.
  4. ^ a b c Carrier, Brian D (07). "Basic Digital Forensic Investigation Concepts". {{cite web}}: Check date values in: |date= and |year= / |date= mismatch (help); Unknown parameter |month= ignored (help)
  5. ^ "Florida Computer Crimes Act". Retrieved 31 August 2010.
  6. ^ a b c d e f g h i j k l m n o p Casey, Eoghan (2004). Digital Evidence and Computer Crime, Second Edition. Elsevier. ISBN 0-12-163104-4.
  7. ^ Aaron Phillip (2009). Hacking Exposed: Computer Forensics. McGraw Hill Professional. p. 544. ISBN 0071626778. Retrieved 27 August 2010. {{cite book}}: Unknown parameter |coauthors= ignored (|author= suggested) (help)
  8. ^ a b M, M. E. "A Brief History of Computer Crime: A" (PDF). Norwich University. Retrieved 30 August 2010.
  9. ^ "The Joint Operating Environment", Report released, Feb. 18, 2010, pp. 34–36
  10. ^ a b Mohay, George M. (2003). Computer and intrusion forensics. Artechhouse. p. 395. ISBN 1580533698.
  11. ^ a b c Peter Sommer (2004). "The future for the policing of cybercrime". Computer Fraud & Security. 2004 (1): 8–12. doi:10.1016/S1361-3723(04)00017-X. ISSN 1361-3723. {{cite journal}}: Unknown parameter |month= ignored (help)
  12. ^ GL Palmer, I Scientist, H View (2002). "Forensic analysis in the digital world". International Journal of Digital Evidence. Retrieved 2 August 2010.{{cite web}}: CS1 maint: multiple names: authors list (link)
  13. ^ Wilding, E. (1997). Computer Evidence: a Forensic Investigations Handbook. London: Sweet & Maxwell. p. 236. ISBN 0421579900.
  14. ^ Collier, P.A. and Spaul, B.J. (1992). "A forensic methodology for countering computer crime". Computers and Law. Intellect Books.{{cite journal}}: CS1 maint: multiple names: authors list (link)
  15. ^ K S Rosenblatt (1995). High-Technology Crime: Investigating Cases Involving Computers. KSK Publications. ISBN 0-9648171-0-1. Retrieved 4 August 2010.
  16. ^ "Best practices for Computer Forensics" (PDF). SWGDE. Archived from the original (PDF) on 3 October 2010. Retrieved 4 August 2010.
  17. ^ "ISO/IEC 17025:2005". ISO. Retrieved 20 August 2010.
  18. ^ SG Punja (2008). "Mobile device analysis" (PDF). Small Scale Digital Device Forensics Journal.
  19. ^ R Ahmed (2008). "Mobile forensics: an overview, tools, future trends and challenges from law enforcement perspective" (PDF). 6th International Conference on E-Governance.
  20. ^ Peterson, Gilbert & Shenoi, Sujeet (2009). "Digital Forensic Research: The Good, the Bad and the Unaddressed". Advances in Digital Forensics V. 306. Springer Boston: 17–36. doi:10.1007/978-3-642-04155-6_2.{{cite journal}}: CS1 maint: multiple names: authors list (link)
  21. ^ a b c Simson L. Garfinkel (2010). "Digital forensics research: The next 10 years". Digital Investigation. 7: S64-S73. doi:10.1016/j.diin.2010.05.009. ISSN 1742-2876. {{cite journal}}: Unknown parameter |month= ignored (help)
  22. ^ Linda Volonino, Reynaldo Anzaldua (2008). Computer forensics for dummies. For Dummies. p. 384. ISBN 0470371919.
  23. ^ Warren G. Kruse, Jay G. Heiser (2002). Computer forensics: incident response essentials. Addison-Wesley. p. 392. ISBN 0201707195. {{cite book}}: |access-date= requires |url= (help)
  24. ^ a b c d Sarah Mocas (2004). "Building theoretical underpinnings for digital forensics research". Digital Investigation. 1 (1): 61–68. doi:10.1016/j.diin.2003.12.004. ISSN 1742-2876. {{cite journal}}: Unknown parameter |month= ignored (help)
  25. ^ Kanellis, Panagiotis (2006). Digital crime and forensic science in cyberspace. Idea Group Inc (IGI). p. 357. ISBN 1591408733.
  26. ^ US v. Bonallo, 858 F. 2d 1427 (9th Cir. 1988).
  27. ^ "Federal Rules of Evidence #702". Retrieved 23 August 2010.
  28. ^ "'Electronic Crime Scene Investigation Guide: A Guide for First Responders" (PDF). National Institute of Justice. 2001.
  29. ^ Maarten Van Horenbeeck (24). "Technology Crime Investigation". Archived from the original on 17 May 2008. Retrieved 17 August 2010. {{cite web}}: Check date values in: |date= and |year= / |date= mismatch (help); Unknown parameter |month= ignored (help)
  30. ^ A Yasinsac (2003). "Computer forensics education" (PDF). IEEE Security & Privacy. Retrieved 26 July 2010. {{cite web}}: Unknown parameter |coauthors= ignored (|author= suggested) (help)
  31. ^ "Technology Crime Investigation :: Mobile forensics". Archived from the original on 17 May 2008. Retrieved 18 August 2010.
  32. ^ Gary Palmer, A Road Map for Digital Forensic Research, Report from DFRWS 2001, First Digital Forensic Research Workshop, Utica, New York, August 7 – 8, 2001, Page(s) 27–30
  33. ^ "2 Russians Face Hacking Charges". Moscow Times. 24. Retrieved 3 September 2010. {{cite web}}: Check date values in: |date= and |year= / |date= mismatch (help); Unknown parameter |month= ignored (help)
  34. ^ Olivier, Martin S. (2009). "On metadata context in Database Forensics". Science Direct. doi:10.1016/j.diin.2008.10.001. Retrieved 2 August 2010. {{cite web}}: Check |doi= value (help); Unknown parameter |month= ignored (help)

Further reading

Look up digital forensics in Wiktionary, the free dictionary.
Wikibooks has more on the topic of: Digital forensics

Retrieved from "https://en.wikipedia.org/w/index.php?title=Digital_forensics&oldid=412059128"