The Theory of Digital Forensics — Beginners Level

A friendly approach to Digital Forensics that focuses on its theory

Digital Forensics is an important aspect of Forensics that has grown popular with the increase in number of digital devices (equipment that receive, store or send digital signals).

Digital Forensics is simply preserving, identifying, extracting and documenting digital evidence with the aim of exonerating or convicting criminals using digital evidence.

Classes of Digital Forensics include:

1. Mobile Digital Forensics : In Mobile Forensics, digital evidence or data is recovered from mobile devices under forensically sound conditions(conditions that are favorable for forensics). Mobile forensics enable Text Messages, Call History, Emails, Notes, Contacts, Calender events, Images and Videos e. t. c to be copied and imaged.
2. Computer Digital Forensics : Somewhat referred to as Cyber forensics refers to analysis of information in the computer systems in order to guarantee a well structured investigation and follow-up of processes. Computer Forensic Experts help organizations to prevent incident occurrences, identify and respond to cyber crimes, provide detailed investigations of Computer systems and assist law Enforcement Agencies.
3. Cloud Digital Forensics : Cloud Forensics is simply the application of Digital Forensics in Cloud Computing. Here, identifying, recording and acquiring Forensic data from possible sources of data in the Cloud. Usually, Incident Handlers are the ones who respond to specific security incidences in the Cloud like accidental data leakage, data loss, unauthorized data access e. t. c which is very important for troubleshooting, investigating, recovery of data or systems in the Cloud
4. Network Digital Forensics : This is the monitoring and analysis of computer network traffic in order to gather information, legal evidence and so on. In network forensics, Security is key therefore, a network has to be monitored incase of anomalous traffic or attackers who want to erase all log files on a compromised network. Network based evidence might be the best Digital Forensic approach to save the day.

Digital Forensics is possible if and only if the digital devices have a memory (Sequential devices). If the digital devices do not have memories in them, then they are combinatorial and Digital Forensics will not be possible. This is simply because the memory is what makes it possible for information to be stored or retrieved.

Locard’s Exchange Principle

Says that in the physical world, when perpetrators enter or leave a crime scene, they will leave something behind and take something with them. He was referring to DNA, Latent prints, hairs and fibers and so on which can be used to trace perpetrators or culprit.

This is to say that traces of criminals at crimes scenes can easily be captured and taken to the laboratory for imaging and further analysis.

fingerprint image from unsplash.com

Steps in Digital Forensics

• Seizure
• Acquisition
• Processing
• Analysis
• Reporting

Seizure

Seizure is usually done by Law Enforcement Agencies like the Police, FBI, NDLEA(National Drug Law Enforcement Agency), etc. Here, the Law Enforcement Agents seize digital devices from the criminals at the crime scene and take them to the Digital Forensic Experts in Digital Forensic Laboratories (DFL) in order to extract information from them. The digital device(s) is not the evidence but the information gotten from the device. This information is also known as the image in Digital Forensics.

NB: It is really important to label the devices brought to the Laboratory. The type of device, the brand, color, IMEI, number of SIMS, type of SIMS and so on.

Acquisition

The Digital Forensic Experts gather the evidence by imaging. Imaging is an act of copying the data from the digital device eg hard drives, flash drives, mobile phones, e. t. c into the computer. Opensource tools like The Access Data FTK Imager, ENCASE Imager is used for imaging.

Processing

After data is acquired, it should be protected, processed and prepared for analysis because the destruction of the digital device due to natural disasters like fire, flood or careless handling becomes a minus to the Digital Forensic expert.

Analysis

This is a method of critically examining electronically stored evidence. The analysis begins with identifying who the key players are and where the electronically stored evidence is. It is usually advised that the copy of the image should be used for the analysis whereas the main image is preserved in case the copy is altered. The main aim of digital analysis is to identify patterns of fraudulent activity within the evidence and create hypothesis using methods of Explorative Data Analysis. Every piece of data is analyzed and if no evidence is found the hypothesis is scrapped and a new one is created. Analysis can be time consuming and expensive if left to inexperienced Investigators.

Reporting

The last stage of any investigation is creating reports. The final findings or substantive evidence gotten from the examination are reported in summary. It usually demands that the technical data is presented in a readable format. The parties involved should be identified which includes the names, genders, specific dates, alleged offenses and so on are accurately described.

The CIA Triad

• C : Confidentiality
• I : Integrity
• A : Availability

Some Open Source Tools used in Digital Forensics include:

• Autopsy
• Sift
• Magnet Acquire
• RAM Captural
• Volatility
• Caine
• Deft 0
• P-aladin
• FTK Imager
• Exif Tool
• Plain Sight
• Fire Eye
• USB Historian
• Windhex
• Rufus

The term tools in Digital Forensics refers to both hardware and software. Also, the usage of these tools depend on the kind of investigation to be carried out. However, Autopsy is a really powerful software for Digital Forensics. FTK Imager used for imaging of digital devices is also important. In fact, all these tools are important.

Commercial tools used in digital forensics include:

1. Cellebrite (UFED)

• UFED touch tool
• UFED Ultimate
• UFED Analytics(Desktop Analytics)
• UFED Chinex
• UFED Kiosk

2. Oxygen Forensics

3. Paraben

4. Tarantula

Note:

All hard drives, flashes or memory digital devices brought in with evidence must not be scanned so evidence is not lost. Instead, Computers or systems used for investigations must be properly scanned before or after investigations to avoid malwares (viruses, worms, e.t. c) which may have infected the Computers.

Hashing

Hashing has to do with verifying the image integrity of the evidence. Every image’s integrity must be maintained so the image is still usable even after a long period of time. The essence of Hashing is to ensure security and privacy of data.

Two common Hashing Algorithms:

• SHA(Secured Hash Algorithm) : SHA128, SHA256 — Secured Hash Algorithm are cryptographic functions that keep data secured. Hash Algorithms are used to detect data that has been tampered with by attackers. Any data that has not been tampered with retains its hash value but the one that has been tampered with will display a changed hash value.
• MD(Message Digest): MD5 — The Message Digest was designed to be used as secure cryptographic hash algorithm for authenticating digital signatures(mathematical technique that validates the integrity of an image).The MD Hash Algorithm is as important as the SHA Algorithm just that it has a little limitation which you can read more about.

Digital Forensic Standards:

• NIST : National Institute of Standard and Technology (U.S.A).
• SWGDE : Scientific Working Group for Digital Evidence.
• IOCE : International Organization on Criminal Evidence.

Benefits Of Digital Forensics:

• Efficient tracking down of Cyber Criminals.
• The knowledge can help track complicated cases.
• Capturing of important information incase Computer Systems are compromised.

Thank you for reading — image from unsplash

REFERENCES

The Basics of Digital Forensics by John Sammons

Wikipedia.com

drivesaversdata.com

link.springer.com

Researchgate.net

Searchsecurity.techtarget.com