Computer forensic methodologies
Computer forensic methodologies are a crucial part of digital forensic systems, in which digital evidence is collected and presented using advanced forensic technologies. According to the case study, the employee Zhang downloaded all of the organization's sensitive data from the company network. To identify this mass data movement and track the suspect's user activity, the Live Forensic Analysis methodology can be used.
In this methodology, information is gathered and analysed using real-time data analysis techniques. The compromised system therefore remains functional, and the tools used to capture running processes are powerful enough to track live data. This data includes memory dumps, open network connections and the unencrypted form of otherwise encrypted files (Mohlala et al. 2017). For the case study, the network logs and suspicious activities need to be investigated through live analysis to assess the live data status and recover the company data without modification.
To perform this, the live forensic analysis methodology uses a hash value algorithm.
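The network-log review described above, as an added example that is not part of the original report: a small Python script that parses constructed file-server access log lines and flags any user whose downloads inside a sliding time window exceed a file-count or byte threshold. The log format, the user names (zhang, patel, lee) and the thresholds are assumptions made for illustration.

```python
"""Detect a burst of downloads by one user in constructed file-server access logs.

Added example, not from the original report. The log format, the user names
and the thresholds below are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (the key=value format is an assumption).
SAMPLE_LOG = """\
2024-03-04T09:00:05Z user=patel action=view path=/hr/handbook.pdf bytes=0
2024-03-04T09:01:10Z user=zhang action=download path=/rd/design_v1.pdf bytes=820000
2024-03-04T09:01:12Z user=zhang action=download path=/rd/design_v2.pdf bytes=910000
2024-03-04T09:01:15Z user=zhang action=download path=/finance/q3.xlsx bytes=450000
2024-03-04T09:01:20Z user=zhang action=download path=/legal/contracts.zip bytes=5400000
2024-03-04T09:01:31Z user=zhang action=download path=/rd/roadmap.pptx bytes=3100000
2024-03-04T09:02:02Z user=zhang action=download path=/hr/salaries.xlsx bytes=260000
2024-03-04T09:15:44Z user=lee action=download path=/hr/handbook.pdf bytes=120000
2024-03-04T10:40:00Z user=patel action=download path=/finance/q2.xlsx bytes=430000
2024-03-04T16:05:00Z user=lee action=download path=/rd/design_v1.pdf bytes=820000
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict; timestamp becomes a datetime."""
    ts, *fields = line.split()
    event = {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    event["bytes"] = int(event.get("bytes", 0))
    return event


def parse_log(text):
    """Parse every non-empty line of the log text."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_mass_downloads(events, window=timedelta(minutes=10), min_files=5, min_bytes=5_000_000):
    """Return {user: (max_files, max_bytes)} for users whose downloads within any
    sliding window of `window` length reach min_files or min_bytes."""
    per_user = defaultdict(list)
    for event in events:
        if event.get("action") == "download":
            per_user[event["user"]].append(event)

    flagged = {}
    for user, downloads in per_user.items():
        downloads.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(downloads)):
            # Slide the window start forward until it fits inside `window`.
            while downloads[end]["time"] - downloads[start]["time"] > window:
                start += 1
            count = end - start + 1
            total = sum(e["bytes"] for e in downloads[start:end + 1])
            if count >= min_files or total >= min_bytes:
                prev = flagged.get(user, (0, 0))
                flagged[user] = (max(prev[0], count), max(prev[1], total))
    return flagged


if __name__ == "__main__":
    for user, (files, total) in find_mass_downloads(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {files} files, {total} bytes inside one window")
```

On the constructed log only zhang is flagged: six downloads totalling 10,940,000 bytes inside one minute, while patel and lee stay below both thresholds. In practice the thresholds would be tuned to the organization's normal traffic, and the flagged user's activity would then be examined in the live analysis described above.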
Step 1:
Once the forensic investigators have created images of the evidence for analysis, the hash value is used to verify the authenticity and check the integrity of each image. This algorithm uses the MD5 process to fingerprint the stored data. If any modification is made to an existing file, a new hash value is generated for that file, so the change becomes detectable. Thus, the live forensic method establishes the credibility of the evidence according to the memory model analysis and triggers the validation step.
Step 2:
The live forensic approach establishes both user authenticity and the integrity of the digital images collected. The MD5 hash value is used over the file metadata and to store the password in encrypted format. It establishes the digital evidence and the authenticity of the file, so this proposed network analysis approach speeds up the investigation process. In that case, the live forensic model collects live data from the system, and a standard user interface can be used for virtual machine analysis (Kebande and Venter, 2018). Internet browsing history can also be captured using these digital forensic methods.
In this way, the live digital forensic methodology improves the investigation process by supporting electronic and digital evidence.
In this context, computer forensic tools are used to investigate compromised systems and recover lost data. Computer forensic investigation deals with data; in this case study, the forensic data belong to the organization and were downloaded illegally by one of its employees. Computer forensics collects security evidence from digital assets, and the method is applied to disk drives to analyse the information involved in criminal investigations.
On the other hand, network forensics and database recovery are dynamic ways of capturing network traffic, covering unpredictable network data and the database platform respectively (Prayudi and Riadi, 2018). These methods cover a vast area that includes password-protected files, email communication programs, registry entries, and data modifications in databases.
The approaches used in the systematic computer forensic method are stated below.
Live Forensic Analysis methodology
Collection: Data acquisition is performed after searching for and seizing the digital evidence.
Examination: Forensic investigation techniques are applied to recognize and extract the data.
Analysis: The required data and resources are used to prove the case.
Report: The information is gathered effectively and an analysis report is prepared based on the systematic approach.
The resources required for the forensic investigation involve the software tools, the analysis of the digital evidence and the human skills necessary to run the entire session.
The digital forensic software tool Autopsy is used to investigate the intruder's computer system. Autopsy is designed to provide effective results while running in the background (Montasari, 2017), and its forensic data analysis is fast. The tool provides essential features for registry analysis and web artefact analysis. Here, the evidence type is selected as video files to capture the real-time image and video data.
To build the forensic workstation, suitable hardware and software in the latest version must be chosen; if the version is outdated, the accuracy of the output may be reduced. A lightweight workstation should be selected for this purpose (Du et al. 2017), and different peripherals are attached to form a portable device for investigating the forensic data. The following components are needed to build the forensic workstation.
- A computerized system with the latest Operating System (Windows 7/8/10).
- A forensic acquisition tool and a forensic analysis tool.
- The network interface cards (NIC).
- Spare SATA ports and USB ports.
- A large disk space that can receive the suspect disk data.
The skills required for forensic auditing team:
The following skills are required to run the forensic tools, and the forensic accountants should have them.
These skills are required to generate the forensic report by assessing the statistics it contains. The auditors should have data analysis skills as well as critical thinking capabilities. Both problem-solving and adaptability to new systems are essential skills for forensic auditors (Zulkipli et al. 2017). The auditor has to explore numerous possibilities with strong social skills and investigate the forensic data accordingly, and should be aware of the ISO 27037:2012 data protection framework to run this investigation.
Adaptability and problem-solving skills are essential for forensic accountants, because new information may suddenly raise many issues. A forensic accountant explores numerous possibilities and checks that the data is consistent with the original.
The data acquisition technique is useful for gathering evidence, but it takes time. Logical acquisition, in contrast, uses data copy methods that gather only the required files within a limited time frame (Sudyana et al. 2019). In the live forensic investigation of this case study, the modified and hacked data must be recovered through a real-time investigation process, so the logical acquisition technique is useful for collecting the data through virtualization technology.
In this case study, it performs verification on web data and collects fragments from unallocated data. This method is also useful for gathering information from large cloud servers and improving disk reliability. Thus lost data can be retrieved, and the presence of suspicious activity can be detected across multiple devices simultaneously. The logical acquisition process gathers different kinds of digital evidence in binary format. Digital evidence is associated with electronic crime and can be investigated on computer hard drives and laptop devices, so audio, video and image files are used to capture digital evidence and mitigate upcoming cyber threats.
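The hash-value integrity check from Step 1 and the logical acquisition described above, combined in one added example that is not part of the original report: a Python script that copies only files of the wanted types out of a source tree, records the MD5 hash of each original (the report names MD5; computing SHA-256 alongside it is my own addition), verifies each copy against the original hash at acquisition time, and later re-verifies the evidence set so that any tampered copy is reported. The source and evidence directories and the sample files are constructed in a temporary directory for the demonstration.

```python
"""Logical acquisition with an MD5/SHA-256 hash manifest and later re-verification.

Added example, not the report's own code. It assumes a source directory to
acquire from and an evidence directory to copy into; the sample files in demo()
are constructed for illustration.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=1 << 20):
    """Return (md5, sha256) hex digests of a file, reading it in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def logical_acquire(source_dir, evidence_dir, extensions):
    """Copy only files whose extension is wanted and record their hashes.

    The manifest stores the hash of the ORIGINAL file; each copy is compared
    against it immediately, so a corrupted copy is caught during acquisition.
    Returns the manifest dict {relative_path: {"md5", "sha256", "size"}}.
    """
    source_dir, evidence_dir = Path(source_dir), Path(evidence_dir)
    manifest = {}
    for src in sorted(source_dir.rglob("*")):
        if not src.is_file() or src.suffix.lower() not in extensions:
            continue
        rel = src.relative_to(source_dir).as_posix()
        dst = evidence_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        md5, sha256 = hash_file(src)
        shutil.copy2(src, dst)  # copy2 also preserves the file timestamps
        if hash_file(dst) != (md5, sha256):
            raise RuntimeError(f"copy of {rel} does not match the source hash")
        manifest[rel] = {"md5": md5, "sha256": sha256, "size": src.stat().st_size}
    evidence_dir.mkdir(parents=True, exist_ok=True)
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_evidence(evidence_dir, manifest):
    """Re-hash every acquired file; return the relative paths that no longer match."""
    evidence_dir = Path(evidence_dir)
    mismatched = []
    for rel, entry in manifest.items():
        path = evidence_dir / rel
        if not path.exists() or hash_file(path) != (entry["md5"], entry["sha256"]):
            mismatched.append(rel)
    return mismatched


def demo():
    """Build a constructed source tree, acquire it, then tamper with one copy.

    Returns (acquired_paths, mismatches_before_tampering, mismatches_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        src, evd = Path(tmp, "suspect"), Path(tmp, "evidence")
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "design.pdf").write_bytes(b"%PDF-1.4 constructed design document")
        (src / "docs" / "notes.txt").write_bytes(b"constructed notes, not acquired")
        (src / "photo.jpg").write_bytes(b"\xff\xd8\xff constructed jpeg bytes")
        manifest = logical_acquire(src, evd, {".pdf", ".jpg"})
        clean = verify_evidence(evd, manifest)
        # Simulate later tampering with one acquired file: append a single byte.
        with open(evd / "docs" / "design.pdf", "ab") as f:
            f.write(b"X")
        tampered = verify_evidence(evd, manifest)
        return sorted(manifest), clean, tampered


if __name__ == "__main__":
    print(demo())
```

Only the .pdf and .jpg files are acquired, the first verification reports no mismatches, and after one byte is appended to the acquired design.pdf the second verification names exactly that file.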
Hash value algorithm
Types of data acquisition tools | Rationale | Scope of Investigation | Data validation and Verification procedures
Bit stream disk-to-disk file | This method creates disk-to-disk bit-stream copies. | The entire disk drive is investigated. | Memory forensic analysis through live acquisition is used to track the hard drives.
Bit stream disk-to-image file | This flexible method reads copies from suspect drives and captures them in image format. | Specific disk drives are investigated. | Memory forensics is used to track the attack immediately.
Logical Acquisition | This acquisition technique is used to run email investigations. | Specific records are presented through a thorough investigation of the targeted RAID and cloud server. | Email forensic analysis and verification track the sender and receiver identities, metadata, sources and timestamps in order to validate them.
Sparse Acquisition | The investigator collects the filtered data that was removed by suspicious activities. | This is useful for restoring data from the fragmented memory segments at the exact drive locations. | The database and memory forensic analysis tool investigates any access to the databases and verifies the commercial contracts.
This section covers the various forensic analysis methods that can be used to identify the data theft described in the given case study.
Among them, computer forensic investigation is suitable for performing forensic analysis according to the evidence collection and validation approach (Kebande et al. 2018). Moreover, this technique covers all of the digital forensic investigation areas, such as countering data hiding, email analysis and recovering removed files, using email forensics and memory forensic methods respectively.
This technique should follow the steps below to run the entire investigation process effectively. These standard procedures help to perform digital forensics on the given case study.
Step 1: Data Collection Method
In this step, electronically stored data that has been recorded together with its hash values is placed under investigation. This involves physically isolating the devices and making sure the data cannot be tampered with by intruders. Digital forensic images are collected, and the device's storage media is locked to maintain a safe environment. Social media data and posts are also taken into account when collecting the forensic copies.
Step 2: Analysis
In the data analysis stage, digital copies of the storage media are used to gather forensic information for the case. The Autopsy tool is used to check the suspicious hard drive and the data logs, while the Wireshark network protocol analyzer is used to run the network side of the investigation smoothly. Email forensic analysis is used to recover and analyse email data on email platforms (Xiao et al. 2019). The company data may include employee data and related information that could be compromised through an email phishing attack, so forensic investigators can detect it through computer-based email forensic investigation.
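The email forensic analysis mentioned above (and the sender, receiver, metadata, source and timestamp checks listed for logical acquisition in the table), as an added example that is not part of the original report: a Python script that parses a constructed raw message with the standard library, extracts the From and Return-Path addresses, reconstructs the Received chain in transit order to find the originating host, and records findings such as a sender domain that does not match the Return-Path or Message-ID domain, or hop timestamps that run backwards. Every host name, address and IP in the sample message is invented for illustration.

```python
"""Extract sender, receiver, timestamps and the Received chain from a raw email.

Added example, not from the report. The message below is constructed; the
host names, addresses and IPs in it are assumptions made for illustration.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr, parsedate_to_datetime

# Constructed raw message (headers only); every host/address is an assumption.
RAW_MESSAGE = b"""\
Return-Path: <bounce@promo-mailer.example.net>
Received: from mx1.corp.example (mx1.corp.example [192.0.2.10])
	by mail.corp.example with ESMTP id 7F3A; Mon, 4 Mar 2024 09:05:12 +0000
Received: from relay.promo-mailer.example.net (relay.promo-mailer.example.net [198.51.100.7])
	by mx1.corp.example with ESMTP id 1B2C; Mon, 4 Mar 2024 09:05:10 +0000
Received: from [203.0.113.55] (unknown [203.0.113.55])
	by relay.promo-mailer.example.net with ESMTPA id 9Z8Y; Mon, 4 Mar 2024 09:04:58 +0000
From: "IT Helpdesk" <helpdesk@corp.example>
To: zhang@corp.example
Date: Mon, 4 Mar 2024 09:04:55 +0000
Message-ID: <constructed-0001@promo-mailer.example.net>
Subject: Password expiry notice

Body omitted.
"""


def _domain(addr):
    """Return the lower-cased part after '@' of an address or message id."""
    return addr.rstrip(">").rpartition("@")[2].lower()


def analyse_headers(raw):
    """Return sender/receiver data, the origin hop and a list of findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_name, from_addr = parseaddr(str(msg["From"]))
    _, return_path = parseaddr(str(msg["Return-Path"] or ""))
    sent = parsedate_to_datetime(str(msg["Date"]))

    hops = []
    for received in msg.get_all("Received", []):
        text = " ".join(str(received).split())  # unfold the header onto one line
        hop, _, date_part = text.rpartition(";")
        hops.append({"hop": hop, "time": parsedate_to_datetime(date_part.strip())})
    # Each relay prepends its Received header, so the LAST one is the origin.
    hops.reverse()

    findings = []
    from_domain, rp_domain = _domain(from_addr), _domain(return_path)
    if from_domain != rp_domain:
        findings.append(f"From domain {from_domain} differs from Return-Path domain {rp_domain}")
    msgid_domain = _domain(str(msg["Message-ID"] or ""))
    if msgid_domain != from_domain:
        findings.append(f"Message-ID domain {msgid_domain} differs from From domain {from_domain}")
    for earlier, later in zip(hops, hops[1:]):
        if later["time"] < earlier["time"]:
            findings.append("Received timestamps are not monotonic along the hop chain")

    return {
        "from": from_addr,
        "from_display": from_name,
        "to": str(msg["To"]),
        "return_path": return_path,
        "sent": sent,
        "origin_hop": hops[0]["hop"] if hops else "",
        "hop_count": len(hops),
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in analyse_headers(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

For the constructed message the script reports that the displayed sender claims the corporate domain while both the Return-Path and the Message-ID belong to an outside mailer, and that the message entered the chain from 203.0.113.55 through that outside relay; these are exactly the sender identity, source and timestamp details the investigator would compare against the mail server's own logs.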
Step 3: Presentation
The forensic investigators present their findings through legal processes. The forensic team can use the computerized memory and database investigation tools to determine the outcome of the lawsuit. This stage includes the data recovery system used to retrieve lost data from the compromised system in this case study, where it has been established that Zhang downloaded company data along with trade secrets. By using data hiding techniques such as hash values or data encryption, all the sensitive data can be stored safely on the organization's devices, and even on public devices.
Confidentiality, Integrity and Availability (the CIA triad) are the basic principles of an organizational security system. This framework guides the design of security policies for organizations of all sizes (Soltani and Seno, 2019). For the case study, the organizational assets must be protected, and the triad plays a crucial role in securing them from cyber-attacks. The concept applies to interconnected systems, including hardware and network systems.
Confidentiality prevents unauthorized access to sensitive information and keeps confidential data secure even if it falls into intruders' hands. The confidential data can therefore be stored effectively without any glitches.
Data integrity means the trustworthiness of data throughout its lifecycle. Whenever data is modified, the user has to verify himself through biometric information, so data theft and illegal data modification can be controlled easily.
Availability means that data is readily accessible to authorized parties. It involves data encryption techniques to maintain the technical architecture of the organization, and to prevent data loss a backup system can be introduced in geographically isolated locations.
Conclusion and Recommendations:
In this report, a forensic design has been proposed to protect the computerized systems of the organization. The organization should take the following precautions to avoid cyber security hazards in future.
- Enable password protection and keep the passcode in encrypted format.
- Install a hardware firewall so that outside attacks can be prevented easily.
- Maintain the hardware units regularly to improve security and keep the company system secure.
References:
Du, X., Le-Khac, N.A. and Scanlon, M., 2017. Evaluation of digital forensic process models with respect to digital forensics as a service. arXiv preprint arXiv:1708.01730.
Kebande, V.R. and Venter, H.S., 2018. Novel digital forensic readiness technique in the cloud environment. Australian Journal of Forensic Sciences, 50(5), pp.552-591.
Kebande, V.R., Karie, N.M., Michael, A., Malapane, S., Kigwana, I., Venter, H.S. and Wario, R.D., 2018, August. Towards an integrated digital forensic investigation framework for an IoT-based ecosystem. In 2018 IEEE International Conference on Smart Internet of Things (SmartIoT) (pp. 93-98). IEEE.
Mohlala, M., Ikuesan, A.R. and Venter, H.S., 2017, November. User attribution based on keystroke dynamics in digital forensic readiness process. In 2017 IEEE Conference on Application, Information and Network Security (AINS) (pp. 124-129). IEEE.
Montasari, R., 2017. A standardised data acquisition process model for digital forensic investigations. International Journal of Information and Computer Security, 9(3), pp.229-249.
Prayudi, Y. and Riadi, I., 2018. Digital Forensics Workflow as A Mapping Model for People, Evidence, and Process in Digital Investigation. International Journal of Cyber-Security and Digital Forensics, 7(3), pp.294-305.
Soltani, S. and Seno, S.A.H., 2019. A formal model for event reconstruction in digital forensic investigation. Digital Investigation, 30, pp.148-160.
Sudyana, D., Prayudi, Y. and Sugiantoro, B., 2019. Analysis and Evaluation Digital Forensic Investigation Framework Using ISO 27037:2012. International Journal of Cyber-Security and Digital Forensics, 8(1), pp.1-14.
Xiao, J., Li, S. and Xu, Q., 2019. Video-based evidence analysis and extraction in digital forensic investigation. IEEE Access, 7, pp.55432-55442.
Zulkipli, N.H.N., Alenezi, A. and Wills, G.B., 2017, April. IoT forensic: bridging the challenges in digital forensic and the internet of things. In International Conference on Internet of Things, Big Data and Security (Vol. 2, pp. 315-324). SCITEPRESS.