As more and more users go mobile and utilize interconnected devices, computers are often at the center of incidents and investigations. Evidence for discussion in a court of law is often gathered thanks to the skills of digital forensic experts who can extract crucial data from electronic devices belonging to the affected parties. Law officials sometimes depend on the testimony of computer forensic analysts specialized in e-discovery; these experts are called to work directly with police officers and detectives to aid in identifying, preserving, analyzing and presenting digital evidence to help solve crime cases.
The aim of the article is to provide an overview of computer forensics and the methods applied in the acquisition of digital evidence from computer systems and mobile devices for analysis of information involved in criminal investigations. It also touches on the latest forensics challenges: mobile forensics, cloud forensics, and anti-forensics.
Computer Forensic Experts
The job of the forensic experts is to “help identify criminals and analyze evidence against them,” says Hall Dillon in a career outlook post for the U.S. Bureau of Labor Statistics.
Trained and skilled individuals work for public law enforcement or in the private sector to carry out tasks related to the collection and analysis of digital evidence. They are also responsible for writing meaningful reports for use in investigative and legal settings. In addition to working in labs, forensic experts apply digital investigative techniques in the field, uncovering metadata that holds importance in a court of law.
Today’s computer forensic analysts are capable of recovering data that have been deleted, encrypted or hidden within mobile device technology; they can be called to testify in court and relate the evidence found during investigations. They can be involved in challenging cases, including the verification of offenders’ alibis, examination of Internet abuse, misuse of computing resources and network usage in making computer-related threats. Forensic experts can be called upon to support major cases involving data breaches, intrusions, or any other type of incident. By applying techniques and proprietary forensic software applications to examine system devices or platforms, they might be able to provide key discoveries that pinpoint who was responsible for an investigated crime.
The rapidly growing discipline of computer forensics has become its own area of scientific expertise, with accompanying training and certifications (CCFE, CHFI). According to Computer Forensics World, a community of professionals involved in the digital forensics industry, the certified individuals in this field are responsible for the identification, collection, acquisition, authentication, preservation, examination, analysis, and presentation of evidence for prosecution purposes.
The Computer Forensic Process
The purpose of a computer forensic examination is to recover data from computers seized as evidence in criminal investigations. Experts use a systematic approach to examine evidence that could be presented in court during proceedings. Forensic experts need to be involved early in an investigation, as they can help collect technical material properly, in a way that allows the content to be restored without any damage to its integrity.
Forensic investigation efforts can involve many (or all) of the following steps:
- Collection – searching for and seizing digital evidence, and acquiring data
- Examination – applying techniques to identify and extract data
- Analysis – using data and resources to prove a case
- Reporting – presenting the info gathered (e.g., written case report)
Bill Nelson, one of the contributing authors of the Guide to Computer Forensics and Investigations (third ed.) book, highlights the importance of the three A’s of computer forensics: Acquire, Authenticate and Analyze. He says the computer forensic process, in fact, involves taking a systematic approach, from an initial assessment, through obtaining and analyzing evidence, to completing a case report (2008, pp. 32-33).
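The Acquire and Authenticate steps of the three A’s, shown as an added example that is not code from the book or this article: the source is imaged block by block while its hash is computed, and the written image is then re-hashed so that any later change is detected. The "device" is a constructed sample file, and the names acquire, authenticate and demo are chosen here.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 1024 * 1024  # 1 MiB per read; tune to the device being imaged

def file_sha256(path, block_size=BLOCK):
    """Hash a file in streaming fashion so large images never sit in RAM."""
    sha = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            sha.update(chunk)
    return sha.hexdigest()

def acquire(source_path, image_path, block_size=BLOCK):
    """Acquire: copy the source block by block into an image file, hashing the
    bytes as they are read so the source hash is taken in the same pass."""
    sha = hashlib.sha256()
    copied = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(block_size), b""):
            sha.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
    return {
        "source": source_path, "image": image_path, "bytes": copied,
        "sha256_source": sha.hexdigest(),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
    }

def authenticate(record):
    """Authenticate: re-hash the image on disk and compare with the acquisition
    hash; any later change to the image (accidental or deliberate) fails here."""
    record["sha256_image"] = file_sha256(record["image"])
    record["verified"] = record["sha256_image"] == record["sha256_source"]
    return record

def demo():
    """Constructed scenario: a 3 MiB fake 'device' is imaged, verified, then
    the image is altered by one byte and verified again (hypothetical data)."""
    tmp = tempfile.mkdtemp()
    src, img = os.path.join(tmp, "device.bin"), os.path.join(tmp, "device.dd")
    with open(src, "wb") as f:
        f.write(bytes(range(256)) * (3 * 4096))  # 3 MiB of constructed sample data
    clean = authenticate(acquire(src, img))
    with open(img, "r+b") as f:  # simulate a single-byte change to the image
        f.seek(4096); f.write(b"\xff")
    tampered = authenticate(dict(clean))
    return clean, tampered
```

The acquisition record (hashes, byte count, UTC timestamp) is the kind of detail that later goes into the chain-of-custody paperwork and the case report.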
Forensic cases vary greatly; some deal with computer intruders stealing data; others involve hackers that break into web sites and launch DDoS attacks, or attempt to gain access to user names and passwords for identity theft with fraudulent intentions, says the FBI. Some cases involve cyber-stalking or wrongdoers that visit prohibited sites (e.g., child pornography websites). A forensic examiner can explore the cyber-trail left by the offender.
Whatever the reason for the investigation, the analyst follows step-by-step procedures to make sure findings are sound. Once a criminal case is opened, computers and other digital media equipment and software will be seized and/or investigated for evidence. During the retrieval process, all essential items are collected in order to give the forensic analyst what s/he needs to give testimony in court.
Then it is time to extract and analyze data. A computer forensic investigator takes into account the 5Ws (Who, What, When, Where, Why) and How a computer crime or incident occurred. Using standard evaluation criteria, the examiner can identify security-related lapses in a network environment by looking for suspicious traffic and any kind of intrusion, or they can gather messages, data, pictures, and other information to be uniquely attributed to a specific user involved in a case.
The forensics process also includes report writing. Computer forensic examiners are required to create such reports for the attorney to discuss available factual evidence. It is important to prepare forensic evidence for testimony, especially when cases go to trial and the examiner is called as a technical/scientific witness or expert witness.
Ways to Obtain Evidence Forensically
Traditionally, computer forensic investigations were performed on data at rest, for example, by exploring the content of hard drives. Whenever a forensic scientist required further analysis (such as performing imaging, the copying of hard drives, flash drives, disks, etc.), it was normally done in a controlled lab environment. Dead analysis (also known as dead forensic acquisition or just static acquisition) is data acquisition performed on computers that have been powered off. In other words, it involves examination of the system (and parts of it) at rest (dead). The live-analysis technique, instead, involves gathering data from a system before shutting it down. A dead analysis is also considered necessary to allow time to retrieve physical evidence like DNA and fingerprints on equipment; however, it is live acquisition in the field that is currently the focus of forensic experts’ attention.
Performing a “live analysis” in the field provides quick and up-front evidence; it can be performed thanks to analytical tools that are now portable and can be carried by the analysts at the crime scene to begin investigating immediately.
Even though a forensic examiner may need the crime lab for further analysis, or to perform a repeatable process (something that is not possible with live acquisitions), not all cases require it. Nonetheless, it is important for the forensic examiner to collect just enough information to determine the next appropriate step in the investigation. This approach avoids loss or damage of digital evidence, loss of volatile data, and the need for a warrant to seize the equipment.
Live investigations have already been performed for years. In today’s digital age and with the rise in computer crime, it is no surprise that there is a need to employ forensic analysts for the analysis and interpretation of digital evidence (e.g., computer systems, storage media and devices), explains Marcus K. Rogers, Computer and Information Technology Department at Purdue University. In an article about the Cyber Forensic Field Triage Process Model (CFFTPM) in 2006, he noted that “CFFTPM proposes an onsite or field approach for providing the identification, analysis and interpretation of digital evidence in a short time frame, without the requirement of having to take the system(s)/media back to the lab for an in-depth examination or acquiring a complete forensic image(s).”
A Few Computer Forensic Tools
Comprehensive forensic software tools (such as EnCase Forensic Edition, X-Ways Forensics, Paraben, Forensic Toolkit (FTK), the Linux dd utility, etc.) are used by crime scene investigators to collect, index and analyze evidence in detail.
A forensic investigation consists of gathering computer forensic information; the process can begin by analyzing network traffic with a packet analyzer or a sniffer tool like Wireshark that is capable of intercepting traffic and logging it for further analysis. NetworkMiner, another Network Forensic Analysis Tool (NFAT), is an alternative to Wireshark that can extract or recover files from captured traffic. Snort, instead, is a valuable tool for tracking down network intruders in real time.
NFAT software also provides forensic capabilities by performing analysis on stored network traffic, as its name suggests. As for incident response and identification, Forensic Toolkit (FTK) can be used to identify deleted files and recover them, whereas EnCase is suited to forensic, cyber-security and e-discovery use.
The Need for New Forensic Tools
The implementation and rapid growth of new technologies has created quite a few problems for forensic analysts, who now have to look for information not only on personal computers and laptops but also (and more often) on tablets and smartphones.
“Mobile device forensics is the science of recovering digital evidence from a mobile device under forensically sound conditions using accepted methods,” states NIST in its “Guidelines on Mobile Device Forensics.” The guide highlights how forensic analysts must have a firm understanding, today, of the uniqueness of the mobile world and understand most of the technology features behind any model and type of device that can be found at a crime scene.
The proliferation of proprietary operating systems, encryption technologies and protection tools developed by smartphone companies like Nokia, Samsung, LG, Huawei, Apple and more obliges analysts to keep up with the latest developments at a faster rate than ever before. Today’s new advanced devices are produced at higher rates, and extracting information from them, even after bypassing the obvious security features that protect them, offers unique challenges.
Working with stand-alone computers, an analyst knew where to look for data (RAM, BIOS, HDD…). In mobile device storage, it is not as clear-cut, and relevant information could be found in several locations, from NAND to NOR flash memory to the RAM of a SIM card, for example.
It is important to work in ways that preserve data, considering, for example, issues like the effects of power drainage on the volatile memory of the device, which could reveal important information on program executions on the device. In addition, “Closed operating systems make interpreting their associated file system and structure difficult. Many mobile devices with the same operating system may also vary widely in their implementation, resulting in a myriad of file system and structure permutations. These permutations create significant challenges for mobile forensic tool manufacturers and examiners.” (NIST Special Publication 800-101, Revision 1)
As the National Institute of Standards and Technology (NIST) explains, there are many techniques that analysts can employ in order to gather forensic data from mobile devices, from the least intrusive manual extraction to the invasive, sophisticated and expensive micro read. Manual extraction means obtaining information by simply using the device user interface and display. The second level is still basic and involves logical extraction. The third level involves Hex Dumping/JTAG extraction methods; it requires a more difficult data gathering approach, performed through the physical acquisition of the device memory. The fourth level is the chip-off method, which involves the actual removal of the memory, and the fifth, the most difficult and sophisticated method, is the Micro Read technique, in which analysts use a sophisticated microscope to view the physical state of all gates.
NIST is not only working on a common approach to mobile forensics, but also on providing a forum to gather ideas on cloud forensics. Cloud computing is a fast growing technology now used by most mobile device users and many companies. Its flexibility and scalability make it an appealing choice for most users, but they also pose unique forensic challenges.
In addition to technical challenges, cloud computing poses jurisdictional and legal problems. Data can be stored and accessed anywhere, and it might be problematic for investigators to access data in different countries or in ways that preserve the privacy rights of other cloud users.
In addition, it is hard sometimes to attribute data and actions to a particular user. The recovery of data could also be problematic because of the overwriting and reuse of space in a cloud environment.
Investigators also need to be aware of anti-forensic techniques, tools, and practices that can make forensic analysis inconclusive, especially in a cloud environment. Certain types of malware and obfuscation techniques can compromise the integrity of collected evidence and can make conclusions hard to present in court.
As InfoSec Institute explains on its website, “Computer Forensics Specialists are needed by today’s companies to determine the root cause of a hacker attack, collect evidence legally admissible in court, and protect corporate assets and reputation.”
With cybercrimes (i.e., any criminal act dealing with computers and networks) on the rise and threatening organizational data, as well as the increased use of digital devices by the general population, the analysis of digital evidence becomes a crucial element at many crime scenes.
Forensic computing is now an exciting profession that places emphasis on the human element but also poses challenges due to the need to uncover digital evidence in an ever-changing environment. Technology advances and the shift to networked and cloud environments, where anti-forensic methods can easily come into play, oblige professionals in the field to keep up to date and continuously revise standard operating procedures.
Rebecca T. Mercuri, founder of Notable Software, Inc., noted in a scholarly article on Challenges in Forensic Computing that “the continuing maturity of this field will invariably bring some stabilization in best practices, training, certification, and toolsets, but new challenges will always emerge because of the dynamic nature of the technology at its root.” Nonetheless, as the FBI states on its web site, “this emerging forensic discipline is to remain an effective and reliable tool in the criminal justice system.”
Ayers, R., Brothers S., & Jansen, W. (2014, May). Guidelines on Mobile Device Forensics. Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-101r1.pdf
Ashish. (2015, February 27). Carving out the Difference between Computer Forensics and E-Discovery. Retrieved from http://articles.forensicfocus.com/2015/02/27/difference-between-computer-forensics-and-e-discovery/
Barbara, J. (2015, February 17). Streamlining the Digital Forensic Workflow: Part 3. Retrieved from http://www.forensicmag.com/articles/2015/02/streamlining-digital-forensic-workflow-part-3
Jones, R. (2007). Safer Live Forensic Acquisition. Retrieved from http://www.cs.kent.ac.uk/pubs/ug/2007/co620-projects/forensic/report.pdf
Mercuri, R. (2005). Security Watch – Challenges in Forensic Computing. Retrieved from http://www.notablesoftware.com/Papers/ForensicComp.html
Nelson, B., Phillips, A., Enfinger, F., & Steuart, C. (2008). Guide to Computer Forensics and Investigations (3rd ed.). Boston, MA: Course Technology, Cengage Learning.
Rogers, M. (2006). Computer Forensics Field Triage Process Model. Retrieved from http://www.macforensicslab.com/ProductsAndServices/index.php?main_page=document_general_info&cPath=11&products_id=228
Zirnstein, R. (2009, September 4). Innovations Blog: The Push for Live Forensics. Retrieved from http://www.fid3.com/blog/2009/09/04/the-push-for-live-forensics/
Zoltanszabodfw. (2012, July 3). Digital Forensics is not just HOW but WHY. Retrieved from http://articles.forensicfocus.com/2012/07/03/digital-forensics-is-not-just-how-but-why/