
Digital Forensics Tools and Techniques

Essay, 2015, 13 pages

Computer Science - Other


1.0- Introduction

Nowadays the use of computers keeps increasing, and this has enabled the growth of the Internet. In turn, the Internet has brought many benefits, but it has also contributed to the rise of cybercrime. With this rise in cybercrime, it has become critical to strengthen and develop computer systems security.

The techniques used by cybercriminals become more sophisticated all the time, making it harder to protect corporate networks. As a result, the computer security of these companies gets breached, and it is at this point that digital forensic analysis is needed to identify the cybercriminals.

So, with the rise of cybercrime, digital forensics is gaining importance in the area of information technology. When a crime is committed, information about it is stored digitally. Therefore, appropriate mechanisms must be used for the collection, preservation, protection, analysis and presentation of the digital evidence stored on electronic devices. It is here that the need for digital forensics arises.

In this report, I am going to explain what digital forensics is. I will also describe some forensic software and hardware and the importance of suitable forensic labs. So, let's start.

2.0- What is Digital Forensics?

Digital Forensics is an IT (Information Technology) specialization that takes on the duties related to finding exhibits (evidence) at the place where a crime has been committed (the crime scene). Digital forensic duties include: identifying, collecting, preserving, analysing, interpreting, documenting and presenting evidence. This implies that those involved in this new and necessary discipline must be professionals with high ethical standards and respect for institutions, since decisions on the events analysed rest on their work (National Institute of Justice, 2010).

Forensic investigators have professional tools and techniques that help them reconstruct what happened on a computer or other electronic device. Thanks to these techniques, investigators can discover how a computer was used to commit a crime. Two of these techniques are:

1- Determine who used the computer, how it was used, when and why:

- Recovery of deleted files
- Basic decryption
- Searching for different types of files
- Searching for a particular process

2- Determine whether someone else has accessed the computer as a remote user:

- Reading log files
- Reconstructing actions
- Tracing the origin
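The three steps above (read the logs, rebuild the actions, trace the origin) can be illustrated on a remote-access log. The following is an added example written for this page, not code from the essay or from any tool it describes: it parses a handful of constructed sshd lines in the syslog format of a Linux auth.log and rebuilds a timeline of remote sessions (user, source address, login method, start and end) plus a count of failed attempts per source. The hostnames, user names, addresses and the year passed to the parser are all invented, because syslog timestamps carry no year and the investigator has to supply it from the context of the image.

```python
"""Reconstruct remote SSH sessions from sshd log lines (constructed sample).

Added example, not from the essay. The log lines are constructed in the
/var/log/auth.log syslog style; hosts, users and addresses are invented.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample log; every host, user and address here is made up.
SAMPLE_AUTH_LOG = """\
Mar  3 09:14:02 ws01 sshd[2211]: Accepted password for alice from 10.0.0.5 port 51514 ssh2
Mar  3 09:14:02 ws01 sshd[2211]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar  3 09:20:45 ws01 sshd[2211]: pam_unix(sshd:session): session closed for user alice
Mar  3 23:41:10 ws01 sshd[3307]: Failed password for root from 198.51.100.23 port 40022 ssh2
Mar  3 23:41:12 ws01 sshd[3307]: Failed password for root from 198.51.100.23 port 40022 ssh2
Mar  3 23:41:15 ws01 sshd[3310]: Accepted publickey for bob from 198.51.100.23 port 40030 ssh2
Mar  3 23:55:02 ws01 sshd[3310]: pam_unix(sshd:session): session closed for user bob
"""

# syslog header: "<Mon> <day> <HH:MM:SS> <host> sshd[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
ACCEPTED_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+")
FAILED_RE = re.compile(r"^Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")
CLOSED_RE = re.compile(r"session closed for user (?P<user>\S+)")


@dataclass
class Session:
    pid: str
    user: str
    source: str
    method: str
    opened: datetime
    closed: Optional[datetime] = None


@dataclass
class Timeline:
    sessions: List[Session] = field(default_factory=list)
    failed_logins: Dict[str, int] = field(default_factory=dict)  # source address -> attempts


def parse_timestamp(ts: str, year: int) -> datetime:
    # syslog timestamps have no year; the examiner supplies it (assumed value in the demo)
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def reconstruct(log_text: str, year: int = 2015) -> Timeline:
    """Rebuild the actions: who logged in, from where, when, and when the session ended."""
    timeline = Timeline()
    open_by_pid: Dict[str, Session] = {}  # sshd child pid ties the open and close lines together
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an sshd line
        when = parse_timestamp(m["ts"], year)
        pid, msg = m["pid"], m["msg"]
        accepted = ACCEPTED_RE.match(msg)
        failed = FAILED_RE.match(msg)
        closed = CLOSED_RE.search(msg)
        if accepted:
            session = Session(pid, accepted["user"], accepted["src"], accepted["method"], when)
            open_by_pid[pid] = session
            timeline.sessions.append(session)
        elif failed:
            timeline.failed_logins[failed["src"]] = timeline.failed_logins.get(failed["src"], 0) + 1
        elif closed:
            session = open_by_pid.pop(pid, None)
            if session is not None and session.user == closed["user"]:
                session.closed = when
    return timeline


def sessions_from(timeline: Timeline, source: str) -> List[Session]:
    """Trace the origin: every session that was opened from the given address."""
    return [s for s in timeline.sessions if s.source == source]


def session_seconds(session: Session) -> Optional[float]:
    """Length of a closed session in seconds; None if the log never shows it closing."""
    if session.closed is None:
        return None
    return (session.closed - session.opened).total_seconds()


if __name__ == "__main__":
    tl = reconstruct(SAMPLE_AUTH_LOG)
    for s in tl.sessions:
        end = s.closed.strftime("%H:%M:%S") if s.closed else "still open"
        print(f"{s.opened:%Y-%m-%d %H:%M:%S}  {s.user:<6} from {s.source:<15} via {s.method:<9} until {end}")
    print("failed logins per source:", tl.failed_logins)
```

A session that is still open at the end of the log keeps `closed = None`; pairing open and close lines by the sshd child pid matters because a user can have several overlapping sessions from the same address.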

2.1- What is Digital Evidence?

Any document, file, record, data, etc. that is created or stored electronically, for example:

- Office documents (Word, Excel, PowerPoint)
- Digital Communication (E-mail)
- Digital images (photos and videos)
- Databases
- File activity logs

Digital evidence can be found in the following devices:

- Hard Drives
- Cell phones
- Personal digital assistants (PDAs)
- DVDs & CDs
- Memory cards and other storage devices (National Institute of Justice, 2010).

2.2- Phases of the digital forensics process

The phases of the digital forensic process are: securing the crime scene, collecting the evidence, establishing the chain of custody, and examining the evidence.

- Secure the crime scene:

Securing the crime scene (the place where a crime has been committed) involves protecting the evidence that can be found at the scene. If the scene is not properly secured, the evidence could be contaminated. To that end, basic techniques to secure the crime scene are:

- Keep unauthorized personnel out of the scene
- Look carefully at all the details in the scene
- Do not touch anything. If the suspect computer is on, do not turn it off. Do not click the mouse or press any key on the keyboard. If the suspect computer is off, do not turn it on. (If it is necessary to turn off the computer, the power cable must be pulled from the back of the computer.)
- Take photos of all the details relevant to the case
- Write down all the details in a notebook

- Collect the evidence:

This step includes collecting physical and digital evidence. For example, we can take photos of how a suspect computer is connected and which peripherals are attached. This information can be used as physical evidence. On the other hand, extracting the data stored on the hard disk drive or in the RAM of the computer is collecting digital evidence.

- Establish a chain of custody:

The chain of custody is the life cycle of the evidence. This life cycle starts at the time of evidence collection and ends with the final report and result of the case. The chain of custody ensures the integrity and protection of the specimen. Therefore, it is very important to keep a record of every operation performed on the evidence throughout the chain of custody.
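To make the record of operations concrete, here is an added example (written for this page, not taken from the essay or from any of the tools it covers) of a minimal chain-of-custody log for an acquired image. Every handling step is appended with a UTC timestamp, the handler, the action and the MD5, SHA1 and SHA256 digests of the image at that moment; `verify()` recomputes the digests and compares them with the ones recorded at acquisition, which is the same check ProDiscover Basic's "auto verify image checksum" feature performs. The evidence file is a constructed byte string written to a temporary file, and the case id and handler names are invented.

```python
"""Chain-of-custody record with hash verification for an evidence image.

Added example, not from the essay. The evidence file is a small constructed
byte string in a temporary file; the case id and handler names are invented.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from typing import Dict, List, Tuple

ALGORITHMS = ("md5", "sha1", "sha256")


def hash_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Compute all three digests in one streaming pass, so a multi-GB image fits in memory."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


class ChainOfCustody:
    """Append-only log of handling steps, each stamped with the image's digests at that time."""

    def __init__(self, case_id: str, evidence_path: str) -> None:
        self.case_id = case_id
        self.evidence_path = evidence_path
        self.entries: List[dict] = []

    def record(self, handler: str, action: str, note: str = "") -> dict:
        entry = {
            "seq": len(self.entries) + 1,
            "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "handler": handler,
            "action": action,
            "note": note,
            "hashes": hash_file(self.evidence_path),
        }
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, Dict[str, str]]:
        """Compare the image's digests now with those recorded at acquisition (entry 1)."""
        if not self.entries:
            raise ValueError("no acquisition entry recorded")
        current = hash_file(self.evidence_path)
        return current == self.entries[0]["hashes"], current

    def to_json(self) -> str:
        """Serialise the log for the case file; the report section of a tool would embed this."""
        return json.dumps(
            {"case_id": self.case_id, "evidence": os.path.basename(self.evidence_path),
             "entries": self.entries},
            indent=2,
        )


def write_constructed_evidence(data: bytes) -> str:
    """Write constructed bytes to a temporary file standing in for an acquired disk image."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def demo() -> Tuple[bool, bool]:
    """Return (verified before modification, verified after modification)."""
    path = write_constructed_evidence(b"abc")      # constructed stand-in for an image
    coc = ChainOfCustody("CASE-0001", path)        # invented case id
    coc.record("examiner-A", "acquired", "imaged through a write blocker")
    coc.record("examiner-B", "received", "transferred to the lab evidence safe")
    ok_before, _ = coc.verify()
    with open(path, "ab") as fh:                   # simulate an accidental change to the image
        fh.write(b"\x00")
    ok_after, _ = coc.verify()
    os.remove(path)
    return ok_before, ok_after


if __name__ == "__main__":
    print("verified before / after modification:", demo())
```

Recording three digests is not redundancy for its own sake: if a tool or a court only accepts one of them, the record still matches, and a mismatch in any one of them is enough to show that the image changed after acquisition.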

- Evidence examination:

Evidence examination involves the tasks oriented to locating and extracting digital evidence relevant to the investigation, by applying various techniques and forensic tools that attempt to answer the questions posed by the client. So, in the next chapters, I will show the forensic tools needed to examine digital evidence (Ciampa, 2012).

3.0- Digital Forensic Software Tools

As I mentioned before, digital forensic science has several steps required to complete an investigation. These stages are: securing the crime scene, acquisition, analysis and presentation of evidence. To perform them, professional techniques and suitable forensic tools are required that allow the acquisition of hard disk images for later analysis and presentation of the results. Therefore, I will describe some digital forensic tools that make it possible to achieve the objectives described above.

3.1- The Sleuth Kit and Autopsy:

This is a kit of command-line tools for system analysis. This valuable forensic software helps us navigate through the files of the suspect computer without altering anything on that computer. In addition, this forensic tool, like many others, is able to show us a detailed list of deleted files and hidden files. It also supports various types of partition tables such as Sun, Mac, BSD, DOS and others. This helps us identify particular partitions in which to look for digital evidence. However, a disadvantage of this forensic tool is that you must memorize all the commands, which is tedious, and it is here that Autopsy can help.
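The "detailed list of deleted files" comes from The Sleuth Kit's `fls` command, which marks unallocated entries with `*`. As an added example, written for this page and not part of the essay or of The Sleuth Kit itself, the following script parses a constructed listing in the format of `fls -r -p` output, separates deleted entries from live ones, and flags the caveat a practitioner needs: an entry marked `(realloc)` has had its metadata reused by another file, so extracting its content by address is likely to return the wrong data. The file names, metadata addresses and the image name and offset used for the `icat` command line are invented.

```python
"""Parse `fls` output from The Sleuth Kit and pick out deleted entries.

Added example, not part of the essay or of The Sleuth Kit. The listing below is
constructed in the format of `fls -r -p`; names and addresses are invented.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `fls -r -p -o <offset> image.dd` output (NTFS-style addresses).
SAMPLE_FLS_OUTPUT = """\
d/d 37-144-1:\tDocuments
r/r 40-128-1:\tDocuments/budget.xlsx
r/r * 41-128-1:\tDocuments/deleted_report.docx
r/r * 42-128-1(realloc):\tDocuments/draft.txt
-/r * 43:\tDocuments/orphan.bin
l/l 44-128-1:\tDocuments/shortcut.lnk
"""

FLS_RE = re.compile(
    r"^(?P<dir_type>[-a-z?])/(?P<meta_type>[-a-z?])\s+"  # type per directory entry / per metadata
    r"(?P<deleted>\*\s+)?"                                # '*' marks an unallocated (deleted) entry
    r"(?P<meta>\d+(?:-\d+-\d+)?)"                         # inode, or NTFS entry-attrtype-attrid
    r"(?P<realloc>\(realloc\))?:\s+"                      # metadata already reused by another file
    r"(?P<name>.*)$"
)


@dataclass
class FlsEntry:
    dir_type: str
    meta_type: str
    meta_addr: str
    name: str
    deleted: bool
    reallocated: bool

    @property
    def inode(self) -> int:
        """Bare inode / MFT entry number, without the NTFS attribute suffix."""
        return int(self.meta_addr.split("-")[0])


def parse_fls(text: str) -> List[FlsEntry]:
    entries: List[FlsEntry] = []
    for line in text.splitlines():
        m = FLS_RE.match(line)
        if not m:
            continue  # tolerate blank or unexpected lines
        entries.append(FlsEntry(
            dir_type=m["dir_type"], meta_type=m["meta_type"], meta_addr=m["meta"],
            name=m["name"], deleted=m["deleted"] is not None,
            reallocated=m["realloc"] is not None,
        ))
    return entries


def deleted_files(entries: List[FlsEntry]) -> List[FlsEntry]:
    """Deleted regular files: the candidates for recovery."""
    return [e for e in entries if e.deleted and e.meta_type == "r"]


def recoverable(entries: List[FlsEntry]) -> List[FlsEntry]:
    """Deleted files whose metadata was not reallocated, so the address still points
    at the original file's content rather than at data now belonging to another file."""
    return [e for e in deleted_files(entries) if not e.reallocated]


def icat_command(image: str, entry: FlsEntry, offset: Optional[int] = None) -> str:
    """The Sleuth Kit icat invocation that would extract this entry's content from the image."""
    off = f"-o {offset} " if offset is not None else ""
    return f"icat {off}{image} {entry.meta_addr} > recovered_{entry.inode}"


if __name__ == "__main__":
    entries = parse_fls(SAMPLE_FLS_OUTPUT)
    for e in deleted_files(entries):
        flag = "metadata reallocated, content unreliable" if e.reallocated else "recoverable"
        print(f"{e.meta_addr:<14} {e.name:<32} {flag}")
    for e in recoverable(entries):
        print(icat_command("image.dd", e, offset=2048))  # image name and offset are assumed
```

The `-o` offset passed to `fls` and `icat` is the partition's starting sector, which is what the partition-table support mentioned above (`mmls` in The Sleuth Kit) is used to find.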

Autopsy is a forensic tool with a graphical user interface and browser for analysing evidence. Autopsy can analyse different types of file systems such as FAT, Ext2/Ext3, NTFS, etc. Autopsy is open source and can run on UNIX platforms. We can also install and run Autopsy in Windows environments. Autopsy is HTML-based, so this feature permits connecting to the Autopsy server with a web browser. Also, deleted files and data are shown by an Autopsy interface called "File Manager". For these reasons, Autopsy is a very popular forensic tool for finding evidence (Autopsy, 2013-2015).

3.2- ProDiscover Basic:

ProDiscover Basic is a free digital forensic tool that, like Autopsy, has a graphical user interface. This forensic tool is designed to make copies of the hard disk without altering any data on it. ProDiscover Basic also permits creating images of USB flash memory, RAM, the BIOS and hard drives. Once the image is ready, we can analyse in detail the evidence found by this software. Some features of this digital forensic tool are:

- View deleted files
- Search the contents of a disk
- Retrieve a file that was accidentally deleted
- Registry view
- Event log view
- Internet history view
- View logs
- Hashing: MD5, SHA1 & SHA256
- Automatically verify the image checksum
- Signature analysis
- Forensic report

I can personally say that I really like the report generated by ProDiscover Basic. This report is very comprehensive and detailed. I strongly believe that this software produces better reports than the reports made by Autopsy. In my view, the reports from Autopsy are very poor (ProDiscover Basic, 2015).

3.3- EnCase Enterprise:

According to the provider's website, EnCase is an advanced forensic analysis tool for digital investigation. EnCase is an intuitive tool with a useful user interface and excellent performance. EnCase Forensic supplies everything necessary for extensive digital analysis in deep investigations with accuracy and safety. It is an award-winning software that ensures the full integrity of the information processed, allowing easy management of vast volumes of digital evidence, even deleted data, in slack space, paging areas and unallocated clusters. Some features of this forensic tool are:

- Support for images of multiple systems such as Linux, Windows, Mac OS, Solaris and HP-UX
- Full Unicode support
- The ability to analyse multiple systems
- Search tools
- Support for RAID 0, 1 & 5
- Support for compressed NTFS file systems
- Gets data from disk or RAM: documents, pictures, email, web mail, Internet appliances, cache and web history, reconstruction of HTML websites, chat sessions, archives, backup files and encrypted files.

The provider's website says that "due to its powerful and efficient functions, EnCase Enterprise has become the standard reliable solution for digital investigations. No other product offers the same level of functionality, acceptance and performance" (EnCase Forensic, 1997).

3.4- DEFT:

DEFT (Digital Evidence and Forensic Toolkit) is a Linux distribution based on Xubuntu 9.10 with kernel 2.6.31 and the LXDE desktop, along with a GUI for forensic applications. DEFT is designed for police, researchers, system administrators and forensic specialists. The first edition of DEFT was launched in 2005 at the University of Bologna, Italy, at a computer forensics competition conducted by the Faculty of Law. Since then DEFT has been gaining ground as a forensic toolkit. This Linux distribution is free, can be downloaded from the Internet, and can be used as a Live CD or from a USB stick.

DEFT is a useful forensic tool because it is able to provide accurate and reliable analysis to forensic investigators. This is because DEFT ensures the integrity of the data structures and metadata of the system being analysed without altering the data. When the system boots, the partition that must be analysed is not touched by DEFT, so no changes are made to it. This preserves the integrity of the system without alteration of the system files. DEFT includes many applications, which are described below (DEFT, 2015).

[Figure not included in this reading sample]

3.5- Internet Evidence Finder:

Internet Evidence Finder is a software tool that enables the recovery of data that has been deleted or that is currently stored on the hard drive as a result of communications over the Internet. This means that Internet Evidence Finder can recover all types of social network data, such as data from popular web mail applications, browsing history, chat and instant messaging histories, and other online communications.



Institution / University: UNITEC New Zealand