Introduction to Digital Forensics
Digital forensics is a branch of forensic science that deals with the investigation of cybercrime and the collection of evidence from digital devices. The procedure must be legally defensible, so it follows a defined set of rules and regulations, and it is carried out with a set of software and hardware known as digital forensics (DF) tools.
A digital forensic investigation follows four phases. One common classification of the DF process is:
- Planning
- Detection and Analysis
- Containment, Eradication and Recovery
- Post-Incident Action
Planning
In this phase the investigator plans the methodology that will be followed: what the case requires and what resources are available for it. Identifying the problem and constructing a methodology for solving it is a very important step.
Detection and Analysis
This is the second stage of the DF investigation. The investigator identifies the digital evidence available in the case and preserves it. The phase also includes analysis: the preserved evidence is analysed with proper tools and techniques.
Containment, Eradication and Recovery
The third phase is crucial because it depends on the investigator selecting the proper tools. Here data is analysed and recovered from the available evidence. The recovered data must be stored in a readable format, and the investigator writes a report of the results for reference.
Digital forensics and incident response in an organization
Every organization can use digital forensics to learn about, prepare for and prevent cyber threats. Organizations use incident response (IR) planning together with DF to become security conscious, and IR and DF apply to organizations of any type or size. DF and IR have five key steps:
- Gather intelligence: clarify the time and data boundaries, find out who is involved, identify how many machines are affected, and record what actions the discovery process has already taken.
- Plan the approach: take care with the target, stay within the law, allocate the required resources and skills, and weigh the value of the investigation against its cost.
- Obtain evidence: sign for the evidence and document it, capture all the required data, and use cryptographic hashes so that what is analysed can be verified against what was captured.
- Analyse the evidence: build a timeline of every event; once the timeline is complete the data can be analysed systematically.
- Report the findings: the report presents defensible findings in a form that non-technical people can understand.
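The timeline step above is where most analysis errors are made, because each source records time differently: file-system timestamps are epoch seconds in UTC, syslog lines carry neither year nor time zone, and Windows exports may already be in UTC. The following example, added here and not part of the original report, merges three such sources into one UTC-ordered timeline. All records are constructed samples in the formats the real tools produce (a Sleuth Kit body file as written by fls -m, syslog text from a host whose clock runs at UTC+05:30, and a CSV export of Windows event records); the host names, paths and addresses are illustrative.

```python
"""Added example: building a UTC-normalized timeline from several evidence sources.

Illustrative code written for this report, not a tool used in the original work.
All input records are constructed samples in the formats real tools produce.
"""
import csv
import io
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

Event = Tuple[datetime, str, str]  # (time in UTC, source, description)

# Constructed: Sleuth Kit body-file records, fields are
# MD5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime  (epoch seconds, UTC)
BODYFILE = """\
0|/home/alice/.bash_history|131074|r/rrw-------|1000|1000|512|1525603201|1525603200|1525603200|1525500000
0|/tmp/.x/beacon.sh|262145|r/rrwxr-xr-x|1000|1000|1337|1525603260|1525603140|1525603140|1525603140
"""

# Constructed: syslog lines (no year, no zone); the host clock ran at UTC+05:30
SYSLOG = """\
May  6 16:28:50 webhost sshd[2210]: Accepted password for alice from 203.0.113.7 port 51822 ssh2
May  6 16:29:10 webhost sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; COMMAND=/bin/bash /tmp/.x/beacon.sh
"""
SYSLOG_YEAR = 2018                                   # taken from the case notes
SYSLOG_TZ = timezone(timedelta(hours=5, minutes=30))  # host time zone, also from the case notes

# Constructed: Windows event export, timestamps already in UTC
WINLOG = """\
TimeCreated,EventID,Task,Computer,Detail
2018-05-06T10:58:40Z,4624,Logon,ALICE-PC,alice
2018-05-06T11:00:05Z,4688,ProcessCreate,ALICE-PC,powershell.exe -nop -w hidden
"""


def parse_bodyfile(text: str) -> List[Event]:
    """One event per distinct timestamp of each file, flagged mactime-style (m a c b)."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        name = fields[1]
        by_ts: Dict[int, set] = {}
        for flag, ts in zip("amcb", (int(x) for x in fields[7:11])):  # body order is a m c b
            by_ts.setdefault(ts, set()).add(flag)
        for ts, flags in by_ts.items():
            macb = "".join(fl if fl in flags else "." for fl in "macb")
            when = datetime.fromtimestamp(ts, tz=timezone.utc)
            events.append((when, "fs", f"{macb} {name}"))
    return events


def parse_syslog(text: str, year: int, host_tz: timezone) -> List[Event]:
    """Syslog lines carry no year or zone, so both are supplied from the case notes."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, rest = line[:15], line[16:]          # "May  6 16:28:50" is always 15 chars
        local = datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=year, tzinfo=host_tz)
        events.append((local.astimezone(timezone.utc), "syslog", rest))
    return events


def parse_winlog(text: str) -> List[Event]:
    """CSV export whose TimeCreated column is ISO-8601 with a trailing Z (UTC)."""
    events: List[Event] = []
    for row in csv.DictReader(io.StringIO(text)):
        when = datetime.strptime(row["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, "win", f"{row['EventID']} {row['Task']} {row['Computer']} {row['Detail']}"))
    return events


def build_timeline(bodyfile: str = BODYFILE, syslog: str = SYSLOG, winlog: str = WINLOG) -> List[Event]:
    """Merge all sources and sort; ties are broken by source and text so output is stable."""
    events = parse_bodyfile(bodyfile) + parse_syslog(syslog, SYSLOG_YEAR, SYSLOG_TZ) + parse_winlog(winlog)
    return sorted(events, key=lambda e: (e[0], e[1], e[2]))


def render(timeline: List[Event]) -> List[str]:
    """Text lines in the order an examiner reads them."""
    return [f"{t.strftime('%Y-%m-%d %H:%M:%S')}Z  {src:<6} {desc}" for t, src, desc in timeline]


if __name__ == "__main__":
    print("\n".join(render(build_timeline())))
```

Once normalized, the ordering itself tells the story: the script is created at 10:39 UTC, the interactive logon and SSH login arrive around 10:58, and the sudo execution of the same script follows at 10:59. Without the zone correction the syslog entries would appear five and a half hours later and the sequence would be lost.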
Scientifically proven techniques for the protection, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources form the basis of both DF and IR (Trček et al., 2010; Digital-forensics.sans.org, 2018). They examine past data to collect proof of a crime (Forensic Focus – Articles, 2018).
Scientifically proven approaches to gathering and examining evidence, together with legal and digital-evidence policies, are considered when studying a DF incident. The steps involved in digital forensics are covered next. The investigation of computers and of the drives attached to them is growing along with the growth in cybercrime. Five stages are involved in a digital forensic investigation:
- Policy development
- Evaluation of the evidence
- Acquisition of the evidence
- Investigation of the evidence
- Report preparation
Phases of Digital Forensics Investigation
Policy development
This is the initial stage, where the guidelines for the various digital forensic tasks are formed. The guidelines are governed by the law and by law-enforcement agencies; they give the working procedure for digital forensic investigations and state rules such as the access rights of the investigator during the investigation.
Cyber-security experts are assigned to identify the proper tools and practices for the investigation. The policy grants the investigators their rights during the investigation of the case.
Evaluation of the evidence
The second step is recognising the facts of the case being worked on. The investigator identifies the key area of the crime and ensures that all the data (evidence) needed for the investigation is collected. In a digital forensic investigation the investigator concentrates on hard disks, network details, e-mail account details and external storage devices.
Report preparation
This is the most important of all the stages. The investigator converts all the technical data that was collected and examined into non-technical form that a non-technical audience can easily understand: images, charts or a plain text document.
In a DF case, sets of software and hardware are used to retrieve and analyse the data. The whole process is built on and practised according to Locard's Exchange Principle: "Any action of an individual, and obviously, the violent action constituting a crime, cannot occur without leaving a mark. What is admirable is the variety of these marks. Sometimes they will be prints, sometimes simple traces, and sometimes stains [….]".
A huge amount of data is available for investigating a digital forensic case. Among all the sources, the five below are the most common (Forensicsciencesimplified.org, 2018).
- Phones
- Storage devices
- Consumer electronics
- Internet of Things (IoT) devices
- Network equipment
These five are the main sources of digital forensic evidence and provide the proof in most cases. Besides them, further resources are available to the investigator:
- Custom / bespoke *nix distributions
  - Kali, Helix, REMnux etc.
  - Live or installed
  - Pre-included tools
- Forensic-specific tools:
  - EnCase, Autopsy, FTK
- Standard OS tools:
  - netstat
  - WMI
  - Process monitors
Name | Platform | License | Description
Autopsy | Windows, macOS, Linux | open source | Digital forensics platform and GUI front end to The Sleuth Kit
EnCase | Windows | proprietary | Digital forensic suite developed by Guidance Software (now OpenText)
FTK | Windows | proprietary | Multipurpose, court-cited digital investigation platform from AccessData
WMI | Windows (Win32 and COM layer over the kernel) | part of Windows; reachable remotely through WinRM, the WS-Management implementation | Standard mechanism for describing and querying Windows system configuration
Process Monitor | Windows | freeware (Sysinternals; successor to FileMon and RegMon) | Captures Windows activity such as process creation and termination, file I/O and registry activity
netstat | Windows, macOS, Linux, Unix | part of the operating system | Shows TCP/IP connections, listening ports and per-protocol statistics
- Windows
Windows is not open source, so its source code cannot be inspected or modified; evidence has to come from the artefacts the system leaves behind. Windows keeps a variety of logs for a variety of purposes. The chief categorised data store is the Registry, a hierarchical database that holds the configuration needed to run the system for multiple users, applications and devices; Microsoft has followed the same structure since Windows 95. The Registry replaced the configuration files used in MS-DOS, such as config.sys and autoexec.bat, and the text-based initialisation (.ini) files of the DOS-based Windows versions. It is used by the kernel, the user interface, device drivers, services and other applications, which is why digital forensics matters to incident response: incident response activities on Windows-based systems start from these artefacts.
- Linux
Linux is open source. Its forensic examination uses a few additional tools, and the process is easy to script.
As Linux-kernel-based operating systems proliferate, there will be an unavoidable rise in the number of Linux systems that law-enforcement agencies must process in criminal inquiries. The expertise required to recover evidence from Windows systems does not necessarily translate to Linux; for example, the recovery of deleted files depends on the file system:
- ext2 simply returns the inode to the free inode list and leaves its block pointers intact, so a deleted file is easily recovered.
- ext3 clears the inode's contents (the pointers to the disk blocks) before returning it to the free inode list, so recovery needs file carving or the journal.
Retrieving deleted data from ext3 is therefore more challenging. Linux exposes most activity through commands run in the terminal and through plain-text logs, so security-related material can be located simply by searching the logs for its name.
On Linux-based systems the DF process is carried out in the five steps below:
- Identification
- Information acquisition
- Information retrieval
- Examination
- Report writing
- Further considerations in digital forensics
The challenges of DF increase day by day with the advance of technology. Today we have PCs, laptops, distributed client-server networks, palmtops, supercomputers and PDAs, all of which can, and do, provide digital evidence at times (Casey, 2004).
We have links that use coaxial cable, twisted pairs, fibre-optic cable, infrared and radio to transfer information between computers, so digital evidence is rarely confined to a single terminal (computer or mobile), and the same connectivity makes that data reachable by attackers (InfoSec Resources, 2018).
Computerised control systems are used in factories, banks, air-traffic control, trade inventories, organisations, clinics, government bodies and universities, as well as in our cars, appliances, cable systems, equipment and even our bodies. All of them can store digital data. Recovering data from such sources must follow specific methods and rules set by government, which makes retrieval from these sources difficult.
Task 1
Incident Response Methodologies and Standards
- IR methodology research
Incident response (IR) is how a company handles a cyber-attack when it suffers one. The main goal is to manage the incident effectively so that the damage caused by the attack is as small as possible. Security incident response covers the monitoring and detection of security events; computer security incident response is a form of incident management.
IR is carried out in the following six stages:
- Preparation
The preparation phase identifies the members of the incident response team and produces the response plan, policies, call trees and other documents.
- Identification
This phase determines whether you are dealing with an event or an incident, which tells you whether the state of your environment is critical or not.
- Containment
Containment comes in two forms, short term and long term. It limits the damage to the systems and prevents further damage.
- Eradication
In this stage the affected system is completely re-imaged or restored from a known-good backup.
- Recovery
This stage describes when the system is brought back into service and for how long it is monitored afterwards.
- Lessons Learned
The business returns to normal operations. The additional activities identified by the lessons learned are incorporated into the plan, which produces better outcomes in future and serves as a reference.
- Methodology
This methodology has six steps:
- Defining the plan
- Mapping service change
- Defining the required workforce
- Understanding workforce availability
- Planning to deliver the required workforce
- Implementing, monitoring and refreshing
Tools used in incident response and digital forensic investigation
- System backup and recovery tools
- Incident response tools
- Data capture tools
- Asset inventory
- Web proxies
- NetFlow analysers
- Digital forensic methodology
Research into digital forensic methodology shows several methods related to forensics. An investigation may be internal, civil or criminal.
The methodology has stages, and the stages describe the process of digital forensics:
Evidence collection
Gathering the data and recording the details that relate to the evidence.
Evidence acquisition
Obtaining the data, for example by making a forensic duplicate (image) of the evidence, and evaluating its details.
Evidence analysis
Analysing the collected data and recovering what relates to the evidence, using digital forensic tools.
Reporting
Translating the findings into a simple format that people without forensic knowledge can understand.
Steps for the stages
Each stage has steps that execute the digital forensic process:
- Collection
- Examination
- Analysis
- Reporting
In the first step the data is collected, in the second it is examined, from that the analysis is made, and finally a report of the results is produced.
Digital forensics needs tools; some of them are listed below.
- Autopsy
- SANS tools (e.g. the SIFT Workstation)
- Wireshark
- DF and IR relation
Digital forensics is related to incident response through its methodology, which varies with the organisation and the incident. In both, data is gathered and stored in a forensically sound manner. On the investigation side the data concerns an event such as a crime, and both methods provide a collection of data about the organisation.
The collection stage, and how strictly forensic soundness is required there, is where the two methods differ.
- Lab Setup
A digital forensic lab is a place that holds all the tools (hardware as well as software) under one roof, giving the investigator a good environment in which to examine forensic evidence.
Why use VirtualBox
Compared to VMware Workstation, VirtualBox performs well and is open source. The five reasons below explain why VirtualBox works best for this project:
- Price: VMware Workstation costs money, while VirtualBox is free and still releases new features and updated versions. The open-source build is VirtualBox OSE (Open Source Edition).
- Features: almost all Workstation features are present in VirtualBox. Workstation runs only on Windows and Linux hosts, whereas VirtualBox supports Windows, Linux, macOS and Solaris hosts.
- "Teleportation" (migration): VirtualBox 3.1 introduced teleportation, which moves a running virtual machine between hosts, for example from a Windows host to a macOS host.
- Command-line operation: VirtualBox has extensive command-line functionality (VBoxManage): building virtual machines, launching teleportation, attaching USB devices to a virtual machine, managing snapshots and starting or stopping machines.
- Virtual disk format support: VirtualBox supports many virtual disk formats (VDI, VMDK, VHD and others), while VMware works mainly with VMDK. VirtualBox also makes physical-to-virtual and virtual-to-physical conversion possible.
2.1.1 Trusted binaries
The analysis here uses a toolkit of trusted binaries on Windows and on Linux: the tools are run from the examiner's own media rather than from the suspect host, because the host's copies may have been replaced by the attacker. On Windows the built-in CertUtil was used to hash the binaries (certutil -hashfile <file> SHA256) so that they can be checked against known-good values.
The screenshot shows the certutil command and its output, which ends with the message that the command completed successfully.
2.1.2 Local vs. remote collection
Volatile memory contents may be collected from the machine either locally or remotely. Local collection writes the data to removable media attached to the machine; remote collection transfers it over the network to another device. The netcat command was used for this on both Windows and Linux. The version used here is Ncat, the Nmap project's reimplementation of netcat; Nmap itself is a port scanner.
The screenshot shows the netcat transfer started through the Ncat command, together with the options specified.
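Remote collection as described above is only defensible if the collector can prove that what it stored is what the target sent. The following example, added here and not part of the original report or of netcat, reproduces the two netcat commands (collector: nc -l -p PORT > memory.raw; target: dumper | nc COLLECTOR PORT) with plain Python sockets on the loopback interface, and adds the check a practitioner wants: the target hashes what it sends, the collector hashes what it writes, and the two SHA-256 digests and byte counts must agree. The "memory image" is a constructed byte pattern, not a real dump, and the temporary output file stands in for the collector's evidence drive.

```python
"""Added example: remote collection of a volatile-memory stream with end-to-end hashing.

Illustrative code written for this report; not the netcat session from the screenshot.
The image data and the output location are constructed for the example.
"""
import hashlib
import os
import socket
import tempfile
import threading
from typing import Dict

CHUNK = 64 * 1024

# Constructed stand-in for the output stream of a memory dumper (1 MiB).
SAMPLE_IMAGE = bytes(range(256)) * 4096


def collector(listener: socket.socket, out_path: str, result: Dict[str, str]) -> None:
    """Collector side: accept one connection, store the stream, hash while writing."""
    digest = hashlib.sha256()
    conn, _peer = listener.accept()
    with conn, open(out_path, "wb") as out:
        while True:
            chunk = conn.recv(CHUNK)
            if not chunk:              # peer shut down its sending side: stream complete
                break
            out.write(chunk)
            digest.update(chunk)
    result["sha256"] = digest.hexdigest()


def target(host: str, port: int, stream: bytes) -> str:
    """Target side: push the stream to the collector and return the hash of what was sent."""
    digest = hashlib.sha256()
    with socket.create_connection((host, port)) as conn:
        for offset in range(0, len(stream), CHUNK):
            chunk = stream[offset:offset + CHUNK]
            conn.sendall(chunk)
            digest.update(chunk)
        conn.shutdown(socket.SHUT_WR)  # signal EOF to the collector, like nc closing its input
    return digest.hexdigest()


def collect_remote(stream: bytes, keep_file: bool = False) -> Dict[str, object]:
    """Run both sides on loopback and compare the digests; returns the custody record."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))    # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]

    fd, out_path = tempfile.mkstemp(suffix=".raw")
    os.close(fd)
    result: Dict[str, str] = {}
    worker = threading.Thread(target=collector, args=(listener, out_path, result))
    worker.start()
    sent_digest = target("127.0.0.1", port, stream)
    worker.join()
    listener.close()

    stored_size = os.path.getsize(out_path)
    if not keep_file:
        os.remove(out_path)
    record: Dict[str, object] = {
        "port": port,
        "bytes_sent": len(stream),
        "bytes_stored": stored_size,
        "sha256_target": sent_digest,
        "sha256_collector": result["sha256"],
        "path": out_path if keep_file else None,
    }
    # Both digests and both sizes must agree before the image is accepted as evidence.
    record["verified"] = (sent_digest == result["sha256"] and stored_size == len(stream))
    return record


if __name__ == "__main__":
    for key, value in collect_remote(SAMPLE_IMAGE).items():
        print(f"{key:>16}: {value}")
```

The record returned by collect_remote is the information that goes into the chain-of-custody note for the image: the port used, the byte count and the two independently computed digests. Netcat itself provides no integrity check, so in a real collection the hash on the target side has to be computed with a separate trusted binary (sha256sum or certutil -hashfile) and compared with the collector's hash by hand.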
2.1.3 Physical memory acquisition
This kind of tool captures the contents of RAM on the various Windows platforms, including systems with more than 4 GB of RAM, and writes the capture to a dump file.
Belkasoft Live RAM Capturer
The tool works in the various Windows environments, supports both 32-bit and 64-bit systems, needs no installation and can be started within seconds.
Non-volatile memory acquisition
The tools and techniques for non-volatile (disk) acquisition are described below.
- EnCase Forensic Imager
- dd
- dc3dd
dd runs on Linux and, through ports, on Windows. It reads the source as a raw device and writes a bit-for-bit raw image; dc3dd is a patched dd for forensic use that adds on-the-fly hashing, error logging and progress output.
The screenshot lists the dd invocation and shows the installed version (dd --version).
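What dd and dc3dd do with an unreadable sector decides whether the image is usable: plain dd stops at the first read error, dd with conv=noerror,sync (and dc3dd by default) skips the bad block, writes zeros in its place so later offsets stay correct, and logs the error. The following example, added here and not part of the original report or of dd/dc3dd, implements that behaviour: block-by-block copy, hashing of the bytes written, zero padding of a bad block, an acquisition log, and an independent re-read of the finished image to verify the hash. The source "device" is a constructed in-memory object with one deliberately unreadable block; the same acquire function would accept a real device opened for binary reading (for example /dev/sdb on Linux). The trusted-binary hashing from 2.1.1 is the same primitive used here to verify the image.

```python
"""Added example: dd/dc3dd-style imaging with on-the-fly hashing, bad-block padding
and post-copy verification.

Illustrative code written for this report, not dd or dc3dd themselves.
The source device and its content are constructed for the example.
"""
import hashlib
import io
from typing import BinaryIO, Dict, List

BLOCK = 4096

# Constructed drive content: 10000 bytes = two full blocks plus one partial block.
DRIVE = bytes((i * 7 + 3) % 256 for i in range(10000))


class FlakyDevice:
    """Constructed stand-in for a block device on which one block returns EIO."""

    def __init__(self, data: bytes, bad_block: int, block_size: int = BLOCK) -> None:
        self.data, self.bad_block, self.bs, self.pos = data, bad_block, block_size, 0

    def read(self, n: int) -> bytes:
        if self.pos // self.bs == self.bad_block and self.pos < len(self.data):
            raise OSError(5, "Input/output error")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk

    def seek(self, pos: int) -> int:
        self.pos = pos
        return pos


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(source, dest: BinaryIO, log: List[str], block_size: int = BLOCK) -> Dict[str, object]:
    """Copy source to dest block by block. An unreadable block is stepped over on the
    source and written as zeros so the image keeps its offsets (dd conv=noerror,sync)."""
    digest = hashlib.sha256()
    pos = written = errors = 0
    while True:
        try:
            block = source.read(block_size)
        except OSError as exc:
            errors += 1
            log.append(f"read error at block {pos // block_size} (offset {pos}): {exc}; zero-filled")
            block = b"\x00" * block_size
            pos += block_size
            source.seek(pos)                # step over the bad block
        else:
            if not block:
                break
            pos += len(block)
        dest.write(block)
        digest.update(block)                # hash what is written, which is what the image contains
        written += len(block)
    log.append(f"{written} bytes written, {errors} read error(s), sha256 {digest.hexdigest()}")
    return {"bytes": written, "errors": errors, "sha256": digest.hexdigest()}


def image_and_verify(source, block_size: int = BLOCK) -> Dict[str, object]:
    """Image into a buffer, then hash the buffer independently, as dc3dd's verify step
    does by re-reading the output file after the copy."""
    log: List[str] = []
    image = io.BytesIO()                    # stands in for the output file on the evidence drive
    result = acquire(source, image, log, block_size)
    image.seek(0)
    result["verify_sha256"] = sha256_bytes(image.read())
    result["verified"] = result["verify_sha256"] == result["sha256"]
    result["log"] = log
    return result


def demo() -> Dict[str, Dict[str, object]]:
    """Clean device (bad_block=-1 never matches) beside a device with block 1 unreadable."""
    return {"clean": image_and_verify(FlakyDevice(DRIVE, bad_block=-1)),
            "flaky": image_and_verify(FlakyDevice(DRIVE, bad_block=1))}


if __name__ == "__main__":
    for name, res in demo().items():
        print(f"{name}: {res['bytes']} bytes, {res['errors']} error(s), verified={res['verified']}")
        print("\n".join("  " + line for line in res["log"]))
```

Note what "verified" means in the second case: the image hash matches the image, so the copy is faithful, but it does not match the hash of the original drive, and the log is what tells the examiner which 4096-byte range was zero-filled. Keeping that log with the image is why dc3dd is preferred to plain dd for evidence.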
- Volatile data collection
Live response is the collection of data by executing commands on the running system. It records the date and time for the forensic analysis and lists the running processes.
Cloud-hosted forensic processing
Advantages
- It offers petabytes of storage and highly available, compute-intensive resources.
- It supports the compute-intensive jobs carried out by forensic investigators.
- It includes built-in hash verification, disk images and so on.
Disadvantages
- Data acquisition requires knowing exactly where the data is held, and cloud data centres make that difficult.
- It does not satisfy the ACPO principles.
- Additional tools such as EnCase, Helix and FTK are still required.
- Live operating system
- A live operating system lets forensic examiners retrieve volatile information.
- It requires only a limited amount of data.
- The volatile information is protected from the cyber criminals.
- The installation process is somewhat complicated.
- Any data modification depends entirely on how the forensic acquisition is performed.
Volatile artefacts
- Collected with different OS tools such as date, net start, arp etc.
- Also supported by Sysinternals, a third-party toolset.
- Forensic-specific tools for volatile artefacts include ddrescue, memory dumpers and promiscuous-mode detectors (PromiscDetect).
Local and remote volatile memory collection
Remote collection requirements
- An access method such as RDP or SSH.
- Administrative access, so that all the required data can be collected.
- It also helps to identify running processes with elevated privileges.
Review Windows forensic tools for memory analysis
As already stated, acquisition is the process of making a perfect replica of the forensic evidence.
For acquisition, the DumpIt tool was used to capture the memory of the live system; the screenshot shows the destination file and the result.
The scanning tool shown is used to extract data from the image and runs its scanners in parallel.
Volatility
Volatility is a powerful framework for forensic analysis of memory images. It extracts processes, network connections and other data, and supports many memory dump formats.
Reflection
Different types of Windows memory dump are available:
- Complete memory dump
- Kernel memory dump
- Small memory dump
Complete memory dump: collects the entire contents of system memory, including data from all processors. It is supported on Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2.
Kernel memory dump: contains only kernel memory. On a 32-bit system kernel memory is usually between about 150 MB and 2 GB, so this dump is much smaller than a complete memory dump.
Small memory dump: provides the smallest set of useful information for identifying the cause of a crash. The files are kept in the %SystemRoot%\Minidump folder and include the list of loaded drivers, the processor context, the kernel context and the kernel-mode call stack.
Memory dumps can be analysed in three different ways:
- BlueScreenView
- WhoCrashed
- Manually analysing minidumps
BlueScreenView: developed by NirSoft; a very small, portable tool that automatically analyses minidump files and can generate an HTML report for logging purposes.
WhoCrashed: user friendly; to analyse the minidump files you click the Analyze button, and it shows the details of the bug check.
Manual analysis of minidumps: lets you debug the program and locate the bug yourself. Minidump files are opened with WinDbg, a free debugging tool provided by Microsoft.
Windows File system Analysis
Image types and acquisition
A logical drive is a volume (virtual space) allocated within a physical drive. A physical drive is a device connected to the PC (personal computer), such as a hard disk or a USB stick.
The data extracted from an image file comes from various types of disk and various types of file system, so analysing the different drive and file-system types is an important step in a digital forensic investigation. The file systems are analysed with the software Autopsy.
- Loading external tools
For incident response on a Linux system, the external tools are loaded from a USB device, which has to be mounted and later unmounted.
The screenshot shows the mount and unmount process; SSH is used for remote access, with the appropriate command given for it.
- System artefact retrieval
The screenshots show the kernel version, date, time and the running processes; the open ports are shown with the netstat command.
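The netstat and process listings above are only useful once they are joined: a port is interesting because of the process behind it. The following example, added here and not part of the original report, parses the text of netstat -ano and tasklist /fo csv (the Windows counterparts of the Linux commands in the screenshots), joins them on PID and applies three first-pass checks an examiner makes on volatile artefacts: a socket owned by no visible process, an established connection to an address outside the organisation, and a service binary such as svchost.exe running in an interactive session. Both command outputs are constructed samples; the addresses use documentation ranges, which this example deliberately treats as external, and the list of service-only binaries is an assumption for a workstation.

```python
"""Added example: triage of volatile network artefacts on Windows by joining
netstat -ano with tasklist /fo csv on PID.

Illustrative code written for this report; the command outputs are constructed.
"""
import csv
import io
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample of `netstat -ano` output
NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       5120
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       7777
  TCP    10.0.0.5:49712         203.0.113.7:443        ESTABLISHED     5120
  TCP    10.0.0.5:49801         10.0.0.20:445          ESTABLISHED     4
  TCP    [::]:135               [::]:0                 LISTENING       876
  UDP    0.0.0.0:500            *:*                                    1204
"""

# Constructed sample of `tasklist /fo csv` output (PID 7777 deliberately absent)
TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","1,432 K"
"svchost.exe","876","Services","0","9,880 K"
"svchost.exe","1204","Services","0","5,120 K"
"svchost.exe","5120","Console","1","23,456 K"
"""

# Assumption: on a workstation these binaries run only as services (session 0).
SERVICE_ONLY = {"svchost.exe", "services.exe", "lsass.exe", "csrss.exe", "wininit.exe"}

# Assumption: only these ranges are "inside"; RFC 5737 test addresses count as external here.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fe80::/10", "fc00::/7")]


class Socket(NamedTuple):
    proto: str
    local: str
    remote: str
    state: str
    pid: int


def split_addr(addr: str) -> Tuple[str, Optional[int]]:
    """'10.0.0.5:49712' -> ('10.0.0.5', 49712); '[::]:135' -> ('::', 135); '*:*' -> ('*', None)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Socket]:
    sockets: List[Socket] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue                                  # header, blank and title lines
        if parts[0] == "UDP":                         # UDP rows have no State column
            sockets.append(Socket(parts[0], parts[1], parts[2], "", int(parts[3])))
        else:
            proto, local, remote, state, pid = parts[:5]
            sockets.append(Socket(proto, local, remote, state, int(pid)))
    return sockets


def parse_tasklist(text: str) -> Dict[int, Dict[str, str]]:
    return {int(row["PID"]): row for row in csv.DictReader(io.StringIO(text))}


def is_internal(host: str) -> bool:
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:                                # '*' or a host name
        return True
    return any(ip in net for net in INTERNAL)


def triage(netstat_text: str, tasklist_text: str) -> List[Dict[str, object]]:
    procs = parse_tasklist(tasklist_text)
    findings: List[Dict[str, object]] = []
    for s in parse_netstat(netstat_text):
        proc = procs.get(s.pid)
        if proc is None:
            findings.append({"pid": s.pid, "rule": "socket owned by no visible process (hidden or exited)",
                             "socket": f"{s.proto} {s.local} {s.state}".strip()})
            continue
        name = proc["Image Name"]
        rhost, _ = split_addr(s.remote)
        if s.state == "ESTABLISHED" and not is_internal(rhost):
            findings.append({"pid": s.pid, "rule": "established connection to external address",
                             "socket": f"{s.proto} {s.local} -> {s.remote}", "process": name})
        if name.lower() in SERVICE_ONLY and proc["Session#"] != "0":
            findings.append({"pid": s.pid, "rule": "service binary running in interactive session",
                             "socket": f"{s.proto} {s.local} {s.state}".strip(), "process": name})
    return findings


if __name__ == "__main__":
    for finding in triage(NETSTAT, TASKLIST):
        print(finding)
```

In the sample, PID 5120 is flagged twice over: a process named svchost.exe that listens on 4444 from session 1 and holds a connection to 203.0.113.7:443, which is the pattern of a renamed beacon rather than a Windows service. PID 7777 owns a listening socket but has no tasklist entry, which is either a process that exited between the two commands or one hidden from the process list; either way it is the next thing to check in a memory image.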
Task 7
- Research traffic tunnelling
Domain Name System
DNS (Domain Name System) acts as a distributed database of host names and addresses, organised into domains.
UDP
UDP (User Datagram Protocol) is a connectionless protocol used to transfer messages quickly, without delivery guarantees.
TCP
TCP (Transmission Control Protocol) is a connection-oriented protocol used by applications that need reliable delivery.
SSH tunnelling
SSH tunnelling carries other protocols inside an encrypted SSH connection; such a tunnel is used to transfer files and other traffic securely.
OpenVPN
OpenVPN is an application and protocol for building virtual private networks. It authenticates the peers (with certificates or pre-shared keys) and encrypts the traffic that passes through the tunnel.
Challenging issues in forensic analysis using cloud computing
Cloud computing means computing through online resources: the data is held on online servers, so people with access permission can use it from anywhere in the world. The technology offers an economical and expandable way of computing, which is why it is so widely used.
Cloud computing is a great advantage for business owners, and also for cyber criminals, because data stored in the cloud can leak. Much research is under way to overcome this problem. Digital forensic investigations in the cloud focus on collecting evidence against criminals as well as on preventing data theft.
With the growth of new technologies and methodologies in cloud computing, digital forensic investigation faces a variety of new issues when examining a case. The major problem in investigating a cloud data-theft case is that the information (data) is stored in various places, so the investigator has only limited access when collecting evidence.
Recommended solutions include using a TPM in the hypervisor to implement multi-factor authentication, and having the cloud service provider publish its policy and provide protected storage. Applying all the proposed solutions makes cloud computing compatible with existing digital forensic investigation techniques, makes the environment investigable, and gives the client trust in it.
Cloud investigators face many challenges that differ from those of traditional digital forensics (also known as computer forensics). The digital forensic process consists of identification, collection, analysis and presentation; applying it to cloud computing is known as cloud forensics. In cloud forensics the identification phase defines the investigation and faces challenges such as access to evidence in logs, volatile data, lack of control and lack of customer awareness. The next phase, evidence collection, gathers the evidence identified in the first phase and faces its own challenges: data integrity, isolation of the cloud instance, digital provenance and chain of custody. The third phase is examination and analysis, in which two major commercial forensic tools, FTK and EnCase, are used for filtering and pattern matching. This phase faces the lack of cloud-specific forensic tools, the need to correlate evidence across multiple sources, and the difficulty of crime-scene reconstruction.
Conclusion
DF is a developing area with a great variety of tools in which skilled people can work. Digital forensics has been an enormous success in identifying criminals in the digital world, at a time when the abuse of systems for criminal purposes keeps growing. In DF, lawbreakers are traced by authenticating their storage devices, and their recent history is the key that leads back to them. This demands more awareness of how crimes are committed with computers, and of how forensic tools can be tuned to collect proof more professionally and combat crime against technology. From the above study we gained knowledge of the various tools and methods used in a digital forensic investigation, learned the procedures of the various DF tools, and learned how to carry out a digital forensic investigation and retrieve evidence from digital media such as computer hard disks, USB sticks, CDs and cloud storage.
In this assessment we carried out critical research to evaluate malware beaconing outbound to a command-and-control channel through forensic, command and registry analysis, and applied that knowledge to solve a digital forensic problem. The assessment gives a practical understanding of the technologies used for tracking the client's and the attacker's real-time activity through in-depth analysis. From the conceptual understanding of digital forensics and incident response (DFIR), the remedial action for future problems can be identified.
References
Årnes, A. (n.d.). Digital forensics.
Casey, E. (2004). Digital evidence and computer crime. London: Academic Press.
Digital-forensics.sans.org. (2018). SANS Digital Forensics and Incident Response Blog | Best Practices In Digital Evidence Collection | SANS Institute. [online] Available at: https://digital-forensics.sans.org/blog/2009/09/12/best-practices-in-digital-evidence-collection [Accessed 6 May 2018].
Forensic Focus – Articles. (2018). Focused Digital Forensic Methodology. [online] Available at: https://articles.forensicfocus.com/2017/10/13/focused-digital-forensic-methodology [Accessed 6 May 2018].
Forensicsciencesimplified.org. (2018). Digital Evidence: How It’s Done. [online] Available at: https://www.forensicsciencesimplified.org/digital/how.html [Accessed 6 May 2018].
InfoSec Resources. (2018). 22 Popular Computer Forensics Tools [Updated for 2018]. [online] Available at: https://resources.infosecinstitute.com/computer-forensics-tools/#gref [Accessed 6 May 2018].
Ovie L. Carroll, T. (2018). Computer Forensics: Digital Forensic Analysis Methodology. [online] Crime-scene-investigator.net. Available at: https://www.crime-scene-investigator.net/computer-forensics-digital-forensic-analysis-methodology.html [Accessed 6 May 2018].
Packtpub.com. (2018). Challenges of acquiring digital evidence from Windows systems. [online] Available at: https://www.packtpub.com/mapt/book/networking_and_servers/9781784390495/1/ch01lvl1sec13/challenges-of-acquiring-digital-evidence-from-windows-systems [Accessed 6 May 2018].
Roussev, V. (n.d.). Digital forensic science.
Trček, D., Abie, H., Skomedal, Å. and Starc, I. (2010). Advanced Framework for Digital Forensic Technologies and Procedures. Journal of Forensic Sciences, 55(6), pp. 1471-1480.