Computer Forensics: Hybrid and Emerging Technologies
In this article, we will look at emerging and hybrid technologies and how they impact forensic work. Each presents its own challenges and demands its own approach. We will look at how forensics can be applied, from conventional applications to the relatively new cloud and social network platforms.
What are some hybrid and emerging technologies?
Hybrid technology is an approach to enterprise computing where organizations provide and manage some information resources in-house while using cloud-based services for others. Organizations are able to maintain a centralized approach to Information Technology governance while also experimenting with cloud computing. This has led to the term “hybrid IT,” which is often used interchangeably with “hybrid cloud.”
Emerging technologies can be defined as radically novel and fast-growing technologies that persist over time and have the potential to exert a considerable impact on the socio-economic domain. They span industries from agriculture, aviation and entertainment to electronics, displays and information technology. Some examples of emerging technology in the IT industry include:
- Blockchain or distributed ledger technology: Applications here include cryptocurrency and the prospects of future electronic voting.
- Artificial general intelligence: Applications may include automated recruiting functions within organizations and human-like composition of music within the arts industry.
- 5G cellular communications: The next generation of cellular communication, promising faster internet speeds and more stable signals.
- Li-Fi: Devices that allow high-speed transmission and communication through the visible light spectrum.
- Machine vision: The ability of computers to perform facial recognition promises a future where law enforcement agencies can track suspects by analysing their facial detail. Devices that implement computer vision to perform on-the-fly language translation between dialects will also become available.
Cloud computing is a shared pool of configurable networked resources (such as networks, servers, applications, storage and services) that can be provisioned rapidly with minimal effort. A good example of how cloud computing works is where we have virtual private servers set up and running operating system versions of choice, such as Ubuntu 16.04, so that whenever we need to achieve a certain functionality, we do not have to perform a fresh install or own physical servers; instead, we SSH into the VPS and accomplish our objective.
Cloud Forensics
Cloud forensics follows the main phases of network forensics, with techniques tailored for cloud computing environments. It attempts to uncover malicious activity either within the cloud servers (by assessing logs) or on the network (by capturing packets of network activity). In the event of a breach, we primarily focus on traffic captured while transiting the network, sifting through the captured packets to identify unusual traffic.
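To illustrate the sifting step, the sketch below groups hypothetical flow records by source/destination pair and flags unusually large transfers. The addresses, byte counts, threshold and the `flag_unusual` helper are all invented for the example; real analysis would work from packet captures or provider flow logs.

```python
from collections import defaultdict

# Hypothetical flow records captured from cloud network traffic:
# (source IP, destination IP, bytes transferred).
flows = [
    ("10.0.0.5", "10.0.0.9", 1_200),
    ("10.0.0.5", "10.0.0.9", 900),
    ("10.0.0.7", "203.0.113.44", 48_000_000),  # unusually large transfer
    ("10.0.0.6", "10.0.0.9", 1_500),
]

def flag_unusual(flows, threshold_bytes=10_000_000):
    """Group traffic by (src, dst) pair and flag pairs whose total volume
    exceeds a simple threshold -- a stand-in for the manual sifting an
    analyst performs over captured packets."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        totals[(src, dst)] += nbytes
    return {pair: total for pair, total in totals.items() if total > threshold_bytes}

for (src, dst), total in flag_unusual(flows).items():
    print(f"unusual volume: {src} -> {dst} ({total} bytes)")
```

In practice the threshold would come from a baseline of normal traffic for the environment rather than a fixed constant.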
Cloud forensics is a multi-dimensional issue; to perform a comprehensive analysis, we need to discuss its three main dimensions: the technical dimension, the organizational dimension and the legal dimension.
a) Technical Dimension
This deals with the tools and procedures that are needed to perform the forensic process in a cloud computing environment. Methods such as data collection, live forensics, evidence segregation, virtualized environments, and proactive measures are emphasized. For example, with data collection, forensic experts focus on identifying, labelling, recording and acquiring forensic data. This data may include client-side artefacts which reside on client premises and provider-side artefacts which are located within the provider’s infrastructure. The collection process must ensure data integrity, with clearly defined segregation of duties between the client and provider.
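A minimal sketch of integrity-preserving acquisition, assuming Python and an in-memory artefact. The `acquire_with_hash` and `verify` helpers are hypothetical names, not part of any standard tool; the point is that hashing at collection time makes later alteration detectable.

```python
import hashlib

def acquire_with_hash(data: bytes):
    """Record an artefact together with its SHA-256 digest at collection
    time. `data` stands in for a client- or provider-side artefact."""
    return {"artefact": data, "sha256": hashlib.sha256(data).hexdigest()}

def verify(record) -> bool:
    """Re-hash the stored artefact and compare against the recorded digest."""
    return hashlib.sha256(record["artefact"]).hexdigest() == record["sha256"]

# hypothetical log line collected from a client-side system
record = acquire_with_hash(b"syslog: Jan 10 02:13:44 sshd[411]: Failed password")
print(verify(record))  # True while the artefact is unaltered
```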
b) Organizational Dimension
Cloud computing forensics involves at least two entities: the cloud service provider (CSP) and the cloud customer. The scope may widen if the CSP outsources services to other parties, which may require the forensic investigation to examine every link in the chain; lack of cooperation between the different providers can therefore lead to serious problems. Service level agreements (SLAs) facilitate communication and collaboration in forensic exercises. To build a cloud forensic capability, cloud entities must provide internal staffing, provider-customer collaboration and external assistance so that the following roles are filled:
- Investigators to ensure allegations of misconduct are examined during the forensic exercise
- IT professionals, including ethical hackers, system and network administrators to help forensic teams in collecting data and securing crime scenes
- Incident handlers to help respond to security incidents such as data leakage, breach of tenant confidentiality, etc.
- Legal advisors to help ensure that the forensic activities do not breach laws and regulations
c) Legal Dimension
Performing forensics in the cloud exacerbates the challenges of multi-jurisdictional deployments and multi-tenancy. Care has to be taken to ensure that forensic activities do not breach laws and regulations in the jurisdictions where the data resides. The confidentiality of other tenants who share the infrastructure also has to be preserved. The terms between a CSP and its customers are usually defined within SLAs, which should clearly define:
- The services provided, techniques supported and access granted by CSPs during the forensic investigations
- Trust boundaries, roles and responsibilities between the CSPs and customers regarding forensic investigations
- The process of conducting investigations in multi-jurisdictional environments without violating applicable laws
Social Network Forensics
Social network forensics involves forensic activities performed on social networking platforms such as Facebook, LinkedIn, WhatsApp, Telegram, etc. Forensics on these platforms is difficult because the set of available data sources is limited. Obtaining server hard drives is not feasible, and leveraging service operators' data requires tremendous cooperation; even then, it may be difficult to obtain relevant data. This poses a challenge, because the evidence obtained during forensics needs to be authentic, complete and reliable. Acquiring data in transit is also hard, since most platforms use encryption that renders passive logging insufficient. Metadata is stripped by these platforms as well: for example, it is usually impossible or impractical to obtain geographical locations from uploaded pictures, or accurate date and time stamps.
To combat these challenges, we must find new ways to identify data sources. These include:
- The social footprint: Here we analyse the social graph of the target. We analyse the target’s friends and their communication patterns.
- Pictures and videos: What pictures and videos has the target uploaded, who is tagged in them, and in what locations were they taken?
- Periods of activity: We look at when the target appears online, when posts are published, and when activities of interest took place.
- Applications: We assess the applications used for social networking. What information can be inferred in a social context by the particular applications used?
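The data sources above can be mined with very simple aggregations. The sketch below, using invented message records and hypothetical helper names, counts communication partners (a minimal social graph) and active hours (periods of activity):

```python
from collections import Counter

# Hypothetical message log for a target account:
# (sender, recipient, hour of day the message was sent).
messages = [
    ("target", "alice", 23), ("target", "alice", 22),
    ("target", "bob", 23), ("alice", "target", 0),
    ("target", "carol", 9),
]

def contact_frequency(messages, account="target"):
    """Count how often the account communicates with each contact --
    a minimal view of the target's social footprint."""
    contacts = Counter()
    for sender, recipient, _ in messages:
        if sender == account:
            contacts[recipient] += 1
        elif recipient == account:
            contacts[sender] += 1
    return contacts

def active_hours(messages, account="target"):
    """Histogram of the hours the account is active, exposing periods of activity."""
    return Counter(h for s, r, h in messages if account in (s, r))

print(contact_frequency(messages).most_common(1))  # closest contact first
```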
Most of this information can be obtained through the cooperation of the target and without the need to involve the social network operator. Due to the large amount of data involved, automated tools are normally used to build a more comprehensive picture.
Big Data Forensics
The largest problems with big data forensics are volume, complex interdependence across content, and heterogeneity. In addition, when multiple tools are implemented in the examination, it becomes difficult to cross-correlate findings, which often leads to inefficiencies in processing and identifying evidence. However, there are some methods that are in use that simplify the process of big data forensics.
Map-Reduce is a framework that can be used for massive parallel tasks. This can be extremely effective in situations where the data sets do not involve a lot of internal correlation. Although this might not always be the case for digital evidence in general, a task like fragment classification can be modelled through the Map-Reduce framework.
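The fragment-classification task can be sketched in the Map-Reduce shape: a map step labels each fragment independently (so it parallelizes trivially), and a reduce step merges the per-fragment results. The signatures and sample fragments below are illustrative, not a complete file-carving ruleset:

```python
from collections import Counter
from functools import reduce

def classify_fragment(fragment: bytes) -> str:
    """Map step: label a disk fragment by a crude content heuristic."""
    if fragment.startswith(b"\x89PNG"):
        return "png"
    if all(32 <= b < 127 or b in (9, 10, 13) for b in fragment):
        return "text"
    return "binary"

def merge_counts(a: Counter, b: Counter) -> Counter:
    """Reduce step: combine per-fragment labels into overall counts."""
    return a + b

fragments = [b"\x89PNG\r\n...", b"hello world", b"\x00\xff\x10"]

# Map phase (in a real framework this runs in parallel across workers),
# then reduce phase to aggregate the labels.
mapped = (Counter([classify_fragment(f)]) for f in fragments)
totals = reduce(merge_counts, mapped, Counter())
print(totals)
```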
Decision trees and random forests find their applications in fraud detection software, where the objective is to find in a large data set the statistical outliers (for example, anomalous transactions, or anomalous browsing behavior).
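To make the objective concrete, the sketch below surfaces statistical outliers in a set of invented transaction amounts. Note this uses a plain z-score baseline, not an actual decision tree or random forest; it only illustrates what "finding the statistical outliers" means:

```python
import statistics

# Hypothetical transaction amounts; one is clearly anomalous.
amounts = [42.0, 39.5, 41.2, 40.8, 38.9, 990.0, 41.5]

def z_score_outliers(values, threshold=2.0):
    """Return values lying more than `threshold` standard deviations
    from the mean -- a crude stand-in for a trained fraud model."""
    mean = statistics.fmean(values)
    stdev = statistics.stdev(values)
    return [v for v in values if abs(v - mean) / stdev > threshold]

print(z_score_outliers(amounts))
```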
Neural networks are also applicable to big data forensics and are best suited for complex pattern recognition. Snapshots of the file system are used to train a network to understand the normal behavior of an application. Neural networks have also been used to analyze network traffic; however, the results do not yet show a high level of accuracy.
ICS Forensics
In the ICT world, the main concern has always been security; this differs from the industrial control system (ICS) world, in which safety is the biggest concern. In ICT, security and safety mean antivirus solutions to prevent malware from infecting systems and firewalls to prevent hackers from gaining unauthorised access to systems and organizations. In ICS, security and safety mean protecting the system against dangerous conditions, such as wrong values in PLCs or faulty voltage and flow control in machinery.
Our goal in ICS forensics is the safeguarding of ICS data and information. We therefore split the sources of this data into two categories:
- Network data/information
- Device data/information
Network data acquisition
Network investigation requires that we define the level at which we need to perform the data collection. A typical distributed ICS system has at least three different levels of network types:
i) Device level such as sensors, programmable logic controllers (PLCs), actuators, etc.
ii) Cell level, responsible for controlling the device controllers
iii) Plant level, responsible for controlling the cell controllers
Network data can also provide historical information, for example backup files, logging databases, etc.
Sources of network data can therefore be listed as:
i) Live network data (raw network data, arp tables, flow records, etc.)
ii) Historical network data (host-based logs, database queries, firewall logs, etc.)
iii) Other log files (backup archives, access point logs, historians, etc.)
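Historical sources such as firewall logs can often be mined with simple text processing. The sketch below parses invented log lines (the format and the `denied_sources` helper are assumptions for illustration) to extract hosts whose connections were repeatedly blocked:

```python
import re

# Hypothetical firewall log lines, one historical network-data source
# in an ICS investigation. The line format is illustrative.
log_lines = [
    "2023-01-10 02:13:01 ALLOW tcp 10.1.0.5:502 10.1.0.9:49152",
    "2023-01-10 02:13:04 DENY  tcp 198.51.100.7:502 10.1.0.9:49153",
    "2023-01-10 02:13:09 DENY  tcp 198.51.100.7:502 10.1.0.9:49154",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<action>ALLOW|DENY)\s+\S+\s+(?P<src>\S+)\s+\S+$"
)

def denied_sources(lines):
    """Extract source addresses of denied connections from historical logs."""
    sources = set()
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group("action") == "DENY":
            sources.add(m.group("src").split(":")[0])
    return sources

print(denied_sources(log_lines))  # the repeatedly blocked external host
```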
It should be noted that not all tools are safe to use within ICS environments. For example, scanning for open ports should generally be avoided, since active probing can disrupt or crash fragile devices.
Device data acquisition
Dedicated forensic tools do not exist for most ICS devices; at best, investigators can repurpose product-specific service tools intended for programming PLCs, saving the program, and retrieving log files from a PLC to a service computer.
What are the steps in electronic data discovery?
The Electronic Discovery Reference Model (EDRM) features nine distinct stages that are involved in electronic discovery. In this section we discuss each of the nine stages in brief.
Information Governance (IG)
IG refers to the multidisciplinary structures, policies, procedures, processes, and controls implemented to manage a company's information. It is somewhat misleading that information governance is included as an individual stage in the e-discovery process, since it is an ongoing practice rather than a discrete step in any one case.
Identification
Here, e-discovery teams use a variety of methods to identify sources of potentially relevant electronically stored information (ESI), including reviewing case facts, interviewing key players, and assessing the data environment.
Preservation
After relevant ESI is identified, it needs to be protected from "spoliation" – the legal term for any destruction or alteration of evidence. While there are different ways to preserve ESI, the most common is through a legal hold process.
Collection
Relevant ESI ultimately must be gathered and centralized. We won't get into the host of collection methods and technologies here, but the important thing to know is that whatever approach is taken must be legally defensible, meaning it must ensure that the contents and metadata (key attributes of the data such as date created and file size) weren't altered as a result of the collection process.
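One way to demonstrate that collection did not alter a file is to snapshot its key metadata and content hash at collection time, then compare later. The sketch below does this for a temporary file standing in for collected ESI; the `collect` and `unchanged` helpers are hypothetical names, not a real e-discovery tool:

```python
import hashlib
import os
import tempfile

def collect(path):
    """Record a file's size, modification time and SHA-256 digest at
    collection time, so later comparison can show nothing was altered."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"path": path, "size": st.st_size, "mtime": st.st_mtime, "sha256": digest}

def unchanged(record) -> bool:
    """Re-collect and compare: True if size, mtime and hash all still match."""
    return collect(record["path"]) == record

# Demo on a temporary file standing in for a collected document.
with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
    f.write("Subject: quarterly numbers")
    path = f.name

record = collect(path)
print(unchanged(record))  # True: nothing altered since collection
```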
Processing
The processing phase involves preparing collected ESI for attorney analysis and review.
Review
By far the most expensive of the e-discovery stages, review involves evaluating ESI for relevance and attorney-client privilege. Organizations typically outsource review to law firms.
Analysis
At the highest level, analysis deals with evaluating ESI for content and context, including key patterns, topics, people, and discussions.
Production
ESI determined to be relevant must be produced for use as potential evidence. E-discovery rules address how documents must be produced.
Presentation
This involves how electronic evidence is ultimately displayed as evidence. The presentation process has changed dramatically since the shift from paper to predominantly electronic evidence.
In this article, we have looked at how forensics can be performed at different levels on certain infrastructure. We have also taken a look at the steps of electronic discovery.