Cyber forensics (also known as computer forensics) is a branch of science that deals with tools and techniques to investigate digital data to find evidence against a crime that can be produced in a court of law. It is a practice of preserving, extracting, analyzing, and documenting evidence from digital devices such as computers, digital storage media, smartphones, etc. so that they can be used to make expert opinions in legal/administrative matters.
The computer forensic plays a vital role in an organization as our dependency on computing devices and the internet increases day by day. It is not always easy to collect evidence as the data may be tempered, deleted, hidden, or encrypted.
Digital forensic investigation is a highly skilled task that requires exposure to various tools, techniques, and guidelines for finding and recovering the digital evidence from the crime scene or the digital equipment used in the crime. With the increasing processing capabilities and computation speed of digital equipment such as smartphones, tablets, palmtops, smart televisions, and other devices, the possibility of their use in cybercrime cannot be ruled out. A forensic investigator must have a deep understanding of the working of these devices and hands-on exposure to the tools for accurate data retrieval so that the value and integrity of the data are preserved.
A computer can be used to commit cybercrime either intentionally or unintentionally. The deliberate use is when you use your computer to send hate mails or install a cracked version of otherwise licensed software. Unintentional use occurs when the computer you’re using has a virus that spreads throughout the network and outside of it, causing a significant financial loss to someone.
A computer can also be used to commit a digital crime directly. For example, your computer may be used to gain access to sensitive or classified information, which is then sent to someone inside or outside the network who can exploit the information. The indirect use occurs when a trojan horse is installed in the computer while downloading a crack of software, thereby creating a backdoor in the network to aid hackers. Now the hacker has gained access to your computer and is using it to commit cybercrime. To distinguish between direct and indirect attacks, an experienced computer forensic investigator is required. Computer forensic experts can also help with recovering lost data, detecting industrial espionage, and counterfeiting, among other things.
In a large organization, as soon as cybercrime is detected by the incident handling team responsible for monitoring and detecting security events on a computer or computer network, initial incident management processes are followed. It is an in-house process. It follows the following steps:
- Preparation: The organization prepares guidelines for incident response and assigns roles and responsibilities of each incident response team member. Most large organizations earn a reputation in the market, and any negative sentiment may negatively affect the emotions of the shareholders. Therefore, effective communication is required to declare the incident. Hence, assigning the roles based on the skill-set of a member is important.
- Identification: based on the traits, the incident response team verifies whether an event had occurred. One of the most common procedures to verify the event is examining the logs. Once the occurrence of the event is verified, the impact of the attack is to be assessed.
- Containment: In this step, the future course of action to respond to the incident is planned based on the feedback from the assessment team.
- Eradication: This step consists of planning and executing a strategy to eradicate or mitigate the cause of the threat.
- Recovery: is the process of returning to the normal operational state after eradicating the problem.
- Lesson Learned: if a new type of incident is encountered, it is documented so that this knowledge can be used to handle such situations in the future.
The second step is a forensic investigation to find the evidence of the crime, which 3rd party companies mostly perform. The computer forensic investigation involves the following steps:
- Identify incident and evidence: In this first step, A system administrator gathers as much information as possible about the incident. Based on the information, the scope and severity of the attack are assessed. Once the evidence of the attack is discovered, the backup of the same is taken for investigation. The forensic investigation is never performed on the original machine but the restored data from the backup.
- Collect and preserve evidence: Various tools like Helix, WinHex, FKT Imager, etc., are used to capture the data. Once the data backup is obtained, the custody of the evidence and the backup is taken. Other important sources of information like system logs, network information, logs generated by Intrusion Detection Systems(IDS), port and process information are also captured.
- Investigate: The image of the disk is restored from the backup, and an investigation is conducted by reviewing the logs, system files, deleted and updated files, CPU uses and process logs, temporary files, password protected and encrypted files, images, videos and data files for a possible steganographic message, etc.
- Summarize and Presentation: The summary of the incident is presented in chronological order. Based on the investigation, conclusions are drawn, and the possible cause is explained.
While carrying out the digital forensic investigation, rules and procedures must be applied, especially while capturing the evidence. It should be ensured that the actions taken for capturing the data do not change the evidence. The data’s integrity should be preserved. It must be ensured that the devices used for capturing the backup are free from contamination.
Moreover, all the activities related to seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review. Prevention is always better than cure. It is always recommended to fine-tune your intrusion detection system like a firewall that occasionally performs penetration tests on your network to avoid praying to a hacker. Last but not least, report the crime.
Benefits of cyber forensics investigation
- The procedures used to investigate the computer do not damage, destroy, or compromise any possible evidence.
- During the analysis process, no possible computer virus is introduced to a subject computer.
- Evidence that has been extracted and may be relevant is properly handled and protected from future mechanical or electromagnetic damage.
- Establish and maintain a continuous chain of custody.
- Business operations are only disrupted for a short time, if at all.
- Any client-attorney information obtained inadvertently during a forensic investigation is treated with respect and kept confidential.