Forensics Report And Science: Understanding Digital Forensics

What is Digital Forensics?

Discuss the forensics report and science.


Forensics is the application of science and technology to an investigation in order to establish facts that can be presented in a civil or criminal court. Digital forensics is the branch of forensic science that comprises the recovery and investigation of material found in digital devices. The recovered data is usually sourced from devices such as computers, storage media and mobile phones, or from cloud services. The term originally referred to forensic operations performed on computers, but it has been expanded to cover every device that stores data. The results of a digital forensic examination are commonly used as evidence in civil or criminal cases, and the private sector also uses the discipline for intrusion investigations and internal corporate investigations. The technical side of an investigation is usually divided into several branches: network forensics, computer forensics, mobile device forensics and forensic data analysis (Reith, Carr & Gunsch, 2002). A typical forensic process has three stages: seizure of the device; forensic imaging, which takes a copy of the data for analysis so that the original device is not tampered with; and analysis of the data, ending in a report of the findings. A digital forensics examiner is a professional trained in this subject matter.

We shall look at how a hard disk drive is examined by a digital forensics examiner. The best evidence is the original evidence, which must not have been tampered with by any party so that it yields accurate results about the status of the drive and the data it contains. Analysis, however, should be performed on a verified copy rather than on the original hardware. Working on a copy protects the original from accidents during analysis, such as liquid spilled on the drive or an accidental write to it, and it ensures that if the original is damaged or destroyed a verified copy remains that can be admitted in an investigation or court case. The examiner is supplied with a hard disk drive seized from a suspect or from the suspect's premises. Seizure must be carried out with great care so that the drive is not damaged or altered in a way that would leave its data corrupted or inadmissible, and the chain of custody, the record of who held the evidence and when, should be documented from the moment of seizure onwards.

The Forensics Process of a Hard Drive Examination

After seizure the drive is handed to the digital forensics examiner, who makes an exact duplicate of the media. This sector-level duplicate is created with the drive attached through a write-blocking device, which prevents the examination workstation from writing anything to the original. Duplicating the drive is known as acquisition or imaging, and it can be done with a software imaging tool or a hardware hard drive duplicator (Adams, 2012). Imaging tools include IXimager, FTK Imager and TrueBack. The acquired image is verified with a cryptographic hash function, traditionally MD5 or SHA-1: the examiner computes a digest of the original media and a digest of the image, and matching digests show that the image is a bit-for-bit copy of the evidence. The same digests, recorded in the examiner's notes, let anyone later prove that the image has not changed since acquisition. Because MD5 and SHA-1 are no longer collision resistant, current practice is to record SHA-256 alongside them, which costs little and avoids any argument in court about the strength of the hash. Data validation, in the broader sense, is the process of ensuring that a computer program operates on correct, useful and clean data. It uses check routines, validation rules or validation constraints to establish the correctness, meaningfulness and security of data fed to a system; these rules can be implemented in an explicit application program containing validation logic or in a data dictionary.
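To make the acquisition and verification steps concrete, here is an added example; it is not code from this article or from any of the imaging tools named above. It copies a binary source to a destination while hashing every byte it reads, then re-reads the image and compares all digests and the length. It assumes only that the source is a file-like object opened in binary mode: on a real acquisition that would be the block device opened read-only behind a hardware write blocker (the `/dev/sdX` path in the docstring is a placeholder), and the sample drive used here is constructed random bytes, not evidence.

```python
"""Sector-level acquisition with hash verification.

Added example; it is not code from the original article or from any of
the imaging tools named there. Everything is a plain binary file-like
object: on a real acquisition `src` would be open("/dev/sdX", "rb")
behind a hardware write blocker and `dst` the image file; here the drive
is a constructed in-memory byte string so the example runs offline.
"""
import hashlib
import io
import random

SECTOR = 512                         # size of one sector on a conventional drive
READ_SIZE = SECTOR * 128             # read 64 KiB at a time; any multiple of SECTOR works
HASHES = ("md5", "sha1", "sha256")   # the two legacy digests plus a modern one


def hash_stream(src, sink=None, read_size=READ_SIZE):
    """Read src to the end, hashing every byte; optionally copy it to sink.

    Returns {"bytes": total_length, "md5": hex, "sha1": hex, "sha256": hex}.
    With a sink this is the acquisition; without one it is a verification pass.
    """
    hashers = {name: hashlib.new(name) for name in HASHES}
    total = 0
    while True:
        block = src.read(read_size)
        if not block:
            break
        if sink is not None:
            sink.write(block)
        for h in hashers.values():
            h.update(block)
        total += len(block)
    if sink is not None:
        sink.flush()
    digests = {name: h.hexdigest() for name, h in hashers.items()}
    digests["bytes"] = total
    return digests


def hash_bytes(data):
    """Convenience wrapper: digests of an in-memory byte string."""
    return hash_stream(io.BytesIO(data))


def acquire(src, dst):
    """Image src into dst sector by sector and return the acquisition digests."""
    return hash_stream(src, sink=dst)


def verify(image, acquisition):
    """Re-read the image from the start and compare every digest and the length.

    All digests must match; a mismatch in any one of them means the image is
    not a faithful copy, or has been altered since it was taken.
    """
    image.seek(0)
    actual = hash_stream(image)
    return all(actual[key] == acquisition[key] for key in HASHES + ("bytes",))


def make_sample_drive(n_sectors=64, seed=7):
    """Constructed sample 'drive' (not real evidence): deterministic random bytes."""
    rng = random.Random(seed)
    return io.BytesIO(bytes(rng.getrandbits(8) for _ in range(n_sectors * SECTOR)))


def demo():
    """Acquire the sample drive, verify the image, then show a 1-bit change is caught."""
    drive = make_sample_drive()
    image = io.BytesIO()
    acquisition = acquire(drive, image)
    clean_ok = verify(image, acquisition)

    # Flip one bit in the middle of a copy of the image: every digest changes.
    tampered = bytearray(image.getvalue())
    tampered[len(tampered) // 2] ^= 0x01
    tampered_ok = verify(io.BytesIO(bytes(tampered)), acquisition)
    return acquisition, clean_ok, tampered_ok


if __name__ == "__main__":
    acq, clean_ok, tampered_ok = demo()
    for name in HASHES:
        print(f"{name:6s} {acq[name]}")
    print(f"bytes  {acq['bytes']}")
    print("image verifies:", clean_ok, " tampered copy verifies:", tampered_ok)
```

The digests returned by `acquire` are what goes into the acquisition notes; `verify` is the pass run on the image before analysis begins and again whenever the image's integrity is questioned. Reading the original a second time to hash it independently is equally valid and is what hardware duplicators do, but it doubles the time spent with the evidence drive powered on.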

Once the drive has been acquired, the image file is examined for evidence that supports or contradicts the investigator's hypothesis. The analysis also looks for signs of tampering that could have caused data to be lost or hidden. The examiner can recover material in a number of ways, starting with tools that recover data from the imaged device; FTK and EnCase are commonly used to recover and view the data on a hard disk drive (Carrier, 2001). The data recovered varies with the type of investigation and can include emails, images, documents and internet history. Specialized tools let the examiner go deeper than the normally saved files: into operating system caches, file system and document metadata, slack space and unallocated space, which is where deleted files usually survive. Deleting a file normally removes only its directory entry, while its contents stay on disk until the sectors are reused, so a deleted file can frequently be recovered and used in an investigation as long as it has not been overwritten.


The Techniques Used in Recovery of Evidence

Digital forensic examiners recover evidence with methods such as keyword searching across the image file to pinpoint data types or relevant information matching what they are looking for. A file such as a graphic image contains a set of bytes specific to its format: a header that marks the beginning of the file and, for many formats, a footer that marks its end. Using these signatures, a deleted file whose directory entry is gone can be reconstructed from unallocated space so that the data can be viewed by the examiner and used as evidence; this technique is known as file carving. Forensic tools also use file signatures to identify specific types of data regardless of the file extension, and hash sets of known files to flag or exclude files whose digests are already recorded. Both make the search easier when the examiner knows what they are looking for.

The Use of Steganography in Digital Forensics

Steganography is the practice of hiding a message, file, image or video inside another message, file, image or video. It is used when an individual does not want some information to be noticed by others unless he or she chooses to reveal it. The hidden information is disguised or placed so that it looks like part of the carrier (Fridrich, Goljan & Soukal, 2004). Compared with cryptography, steganography attracts less attention because the information sits in plain sight as part of a whole; a classic example is invisible ink written between the lines of an ordinary visible letter. Steganography is mainly concerned with concealing the message and its contents. On a hard disk drive it can be used to conceal information inside computer files, and media files are the most common carriers because their large size leaves room for hidden data without any noticeable change. After the recovered data is analyzed, conclusions are drawn from it and recorded in the forensics report. The reports and conclusions presented by digital forensics examiners need to be based on the data they acquired and on their expert knowledge in the field of digital forensics.
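The recovery techniques described above (signature-based carving of deleted files from unallocated space, and keyword searching of the image) as an added example; this is not code from the article, nor from FTK or EnCase. The raw image is a constructed byte string standing in for the unallocated space of a dd image, laid out with a complete JPEG, a UTF-16 document fragment, a PNG and a truncated JPEG so that every branch of the carver runs; the signatures are the real header and footer bytes of those formats, and the keyword search also tries UTF-16LE because Windows stores many strings that way.

```python
"""Signature-based file carving and keyword search over a raw image.

Added example; not code from the original article or from FTK/EnCase.
The 'image' is a constructed byte string standing in for the unallocated
space of a dd image, with a complete JPEG, a UTF-16 document fragment, a
PNG and a truncated JPEG placed in it so every branch runs.
"""
import re

# Header and footer signatures (magic bytes) for a few common formats.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
MAX_CARVE = 16 * 1024 * 1024   # upper bound when no footer is found


def carve(image, signatures=SIGNATURES, max_size=MAX_CARVE):
    """Return [(kind, offset, data), ...] for every header found, sorted by offset.

    Each hit runs from the header to the next footer of the same type (footer
    included) or, if no footer follows, up to max_size bytes: a truncated or
    partially overwritten file is still reported so the examiner can see it.
    """
    hits = []
    for kind, (header, footer) in signatures.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header))
            stop = pos + max_size if end == -1 else end + len(footer)
            hits.append((kind, pos, image[pos:min(stop, len(image))]))
            pos = image.find(header, pos + 1)
    return sorted(hits, key=lambda hit: hit[1])


def keyword_search(image, keywords):
    """Case-insensitive search for each keyword as ASCII and as UTF-16LE.

    Windows stores many strings (registry values, Office metadata, NTFS
    names) in UTF-16LE, which an ASCII-only search silently misses.
    Returns [(keyword, offset, encoding), ...] sorted by offset.
    """
    found = []
    for word in keywords:
        for encoding in ("ascii", "utf-16-le"):
            pattern = re.compile(re.escape(word.encode(encoding)), re.IGNORECASE)
            for match in pattern.finditer(image):
                found.append((word, match.start(), encoding))
    return sorted(found, key=lambda hit: hit[1])


def build_sample_image():
    """Constructed raw image (not real evidence) with a known layout; offsets noted."""
    filler = b"\x00" * 64
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"Falcon-photo" + b"\xff\xd9"   # 25 bytes at 64
    document = "invoice for Project Falcon".encode("utf-16-le")                   # 52 bytes at 153
    png = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"IEND\xaeB`\x82"        # 24 bytes at 269
    truncated = b"partial: " + b"\xff\xd8\xff" + b"no footer here"                # header at 302
    return filler + jpeg + filler + document + filler + png + truncated


if __name__ == "__main__":
    image = build_sample_image()
    for kind, offset, data in carve(image):
        complete = data.endswith(SIGNATURES[kind][1])
        print(f"{kind} at {offset:5d}, {len(data):3d} bytes, {'complete' if complete else 'TRUNCATED'}")
    for word, offset, encoding in keyword_search(image, ["falcon", "invoice"]):
        print(f"'{word}' at {offset:5d} ({encoding})")
```

Carvers built this way report every header they see, so a file embedded in another (a JPEG thumbnail inside a document, for example) produces overlapping hits and a fragmented file comes out wrong; that is why carved results are treated as leads to be validated, by opening the file and by checking its hash against known-file sets, rather than as final evidence.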
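The steganography described above, shown as the simplest technique used on media files, least-significant-bit replacement, in an added example that is not code from the article or from Fridrich, Goljan & Soukal. It assumes the cover is a buffer of 8-bit samples, such as the pixel data of a decoded bitmap; to keep it free of image libraries the cover is a constructed pseudo-random buffer. The length prefix, the bit order and the `capacity` helper are this example's own conventions, not a standard.

```python
"""Least-significant-bit steganography in a raw pixel buffer: hide and reveal.

Added example, not code from the original article or from Fridrich et al.
It treats the cover as a bytes object of 8-bit samples (the pixel data of
a decoded bitmap would do); here the cover is a constructed pseudo-random
buffer so no image library is needed.
"""
import random


def capacity(cover):
    """Message bytes that fit: one bit per sample, minus the 4-byte length prefix."""
    return len(cover) // 8 - 4


def embed(cover, message):
    """Return a copy of cover whose LSBs spell a 4-byte big-endian length, then message."""
    if len(message) > capacity(cover):
        raise ValueError(f"message of {len(message)} bytes exceeds capacity {capacity(cover)}")
    payload = len(message).to_bytes(4, "big") + message
    stego = bytearray(cover)
    i = 0
    for byte in payload:
        for shift in range(7, -1, -1):          # MSB first within each byte
            bit = (byte >> shift) & 1
            stego[i] = (stego[i] & 0xFE) | bit  # replace the LSB: change of at most 1
            i += 1
    return bytes(stego)


def _read(stego, first_bit, n_bytes):
    """Reassemble n_bytes from the LSBs starting at sample index first_bit."""
    out = bytearray()
    for b in range(n_bytes):
        value = 0
        for k in range(8):
            value = (value << 1) | (stego[first_bit + b * 8 + k] & 1)
        out.append(value)
    return bytes(out)


def extract(stego):
    """Read the length prefix, then that many bytes, from the LSB plane."""
    length = int.from_bytes(_read(stego, 0, 4), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("length prefix does not fit the buffer: no valid payload")
    return _read(stego, 32, length)


def max_sample_change(cover, stego):
    """Largest per-sample difference; LSB replacement never exceeds 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def make_cover(n_samples=4096, seed=1):
    """Constructed cover buffer (stands in for decoded pixel bytes)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n_samples))


if __name__ == "__main__":
    cover = make_cover()
    secret = b"meet at the usual place, 22:00"
    stego = embed(cover, secret)
    print("capacity (bytes):", capacity(cover))
    print("recovered:", extract(stego))
    print("max change to any sample:", max_sample_change(cover, stego))
```

The point for an examiner is the last number: no sample moves by more than one level, so the carrier looks and sounds identical, and only statistical analysis of the LSB plane, or knowledge of the embedding tool and key, reveals that anything is there. Real tools scatter the bits with a key-derived permutation rather than writing them in order, which is what makes recovering the key the central problem in the cited paper.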

Electronic Discovery and Metadata

Electronic discovery, also known as e-discovery, is the process of locating information for legal proceedings, including litigation, government investigations and Freedom of Information Act requests, where the information is searched for and produced in electronic form. Electronic information differs from paper or hard-copy information in its volume, its persistence, its intangible form and its transience. It also carries metadata, an attribute that paper does not have. Metadata can be a key factor in digital forensics because it records when a document was created, modified and accessed and often by which account. That kind of information is very hard to get from paper unless it was deliberately written down, and a date written on paper may have been put there to mislead. Metadata is generally more reliable because it is recorded automatically from the system clock, although the examiner should still confirm that the clock was correct and remember that timestamps can be altered. Preserving the metadata in electronic documents is what prevents spoliation, and doing so creates special challenges, since simply opening or copying a file can change its timestamps. Electronic discovery plays a key role in cases that rely on digital forensics for crucial evidence: once data is discovered it can be presented as valid evidence that may decide the outcome of the proceedings. E-discovery should therefore be treated as a crucial element of digital forensics, as it ensures that the information needed from the investigation is obtained.

Reporting and Presentation

Reporting and presentation is usually the last step in any digital forensics process. In it the examiner presents his or her findings and explains, in plain terms, what was found to the people who need to know. Digital forensics can be a complex procedure and the terms used by technical professionals are easily confused or misunderstood, so the report must be clear and concise enough that its readers understand exactly what the examiner discovered; it needs to be written in a form that non-technical persons can follow. Reports from digital forensics investigations may also include meta-documentation and audit information (Horenbeeck, 2006). The report details every step and procedure the examiner took during the analysis of the hard disk drive, including the tools used, the hashes recorded at acquisition and at verification, and when each step was performed. Those procedures need to be appropriate and evaluated so that the whole process can be shown to have been done professionally and to have yielded credible results that can be used in court. The report is usually delivered to the people in charge of the case or to whoever commissioned the examination; recipients such as lawyers will examine it and decide whether it is critical and viable evidence for use in court. The evidence can be presented in court through the written report and accompanying digital media that give the court more detail on the examiner's findings. Because the report carries the information that will be relied upon in court or in an investigation, it should reflect the examiner's findings accurately and be written in a professional format.

From the analysis above of how a digital forensics investigation of a hard disk drive is carried out, we can see that the process requires a skilled practitioner to be effective and to produce viable results that can be used in court. The examiner needs to be experienced and unbiased so that the report he or she produces is sound and can be relied upon as concrete evidence. With technology used in ever more fields, including the commission of crimes, it is fitting to have digital forensics experts who can derive information from digital media for presentation as evidence in a case (Casey, 2004). The tools and equipment used vary with the case and the hardware in question, so the examiner should always have the equipment that puts them in a position to perform their task accurately and retrieve the required data. It is therefore very important that the whole digital forensics process is carried out by a professional and that the report prepared is accurate, based on the investigation, and easily understood by non-technical individuals.

References

Adams, R. (2012). The Advanced Data Acquisition Model (ADAM): A process model for digital forensic practice.

Carrier, B. (2001). Defining digital forensic examination and analysis tools. Digital Forensic Research Workshop (DFRWS) II.

Casey, E. (2004). Digital Evidence and Computer Crime, 2nd edition. Elsevier.

Fridrich, J., Goljan, M. & Soukal, D. (2004). Searching for the stego key. Proceedings of SPIE, Electronic Imaging, Security, Steganography and Watermarking of Multimedia Contents VI, 5306, 70–82.

Horenbeeck, M. (2006). Technology Crime Investigation.

Reith, M., Carr, C. & Gunsch, G. (2002). An examination of digital forensic models. International Journal of Digital Evidence.