In this digital era, you may well have come across the term digital forensics before, but what exactly does it mean? It is a rapidly growing field, and one that helps maintain the notion of justice for all.
Until the late 1990s, what became known as digital forensics was commonly termed ‘computer forensics’. The first practitioners were law enforcement officers who were also computer hobbyists. In the USA, the FBI's Computer Analysis and Response Team (CART) began work in 1984. One year later, in the UK, the Metropolitan Police set up a computer crime unit under John Austen within what was then called the Fraud Squad.
“Every contact leaves a trace” (Edmond Locard's exchange principle). So the question arises: what kind of contact is made, and how is the trace left? The answer lies in the term ‘e-crime’, without which there would be no need for digital forensics. E-crime is any crime that is electronic in nature or that uses electronics in some form at some point in its commission. So we have a discipline devoted to addressing electronic crime.
Once a crime has been committed, digital forensic science comes into play, dealing specifically with electronic crime.
Digital forensics is the collection and examination of digital evidence residing on electronic devices, and the subsequent response to threats and attacks. Put simply, it is the process of uncovering and interpreting electronic data. The goal of the forensic process is to preserve any evidence in its most original form while performing a structured investigation: collecting, identifying and validating the digital information in order to reconstruct past events.
This discipline dissects digital information and establishes facts from data in digital form in a way that no other discipline can. In essence, digital investigators are a sort of digital police.
The context is most often the use of data in a court of law, though digital forensics is used in other settings too. The evidentiary nature of digital forensics requires rigorous standards, so that findings stand up to cross-examination in court.
Before proceeding, we must understand what exactly digital evidence means.
Digital evidence or electronic evidence is “any probative information stored or transmitted in digital form that a party to a court case may use at trial”. In other words, digital evidence is information stored or transmitted in binary form that may be relied on in court. It can be found on a computer hard drive, a mobile phone, a personal digital assistant (PDA), a CD/DVD, or a flash card in a digital camera, among other places. Digital evidence is commonly associated with electronic crime, such as child pornography or credit card fraud. However, digital evidence is now used to prosecute all types of crime, not just e-crime. For example, a suspect's email or mobile phone files might contain critical evidence regarding their intent, their whereabouts at the time of a crime and their relationship with other suspects.
Section 79A of the Information Technology Act (inserted by the IT (Amendment) Act, 2008) defines electronic form evidence as “any information of probative value that is either stored or transmitted in electronic form and includes computer evidence, digital audio, digital video, cell phones, digital fax machines”.
The main characteristics of digital evidence are that it is:
- latent, like fingerprints and DNA: it cannot be seen or interpreted without tools;
- able to cross national borders with ease and speed;
- highly fragile, and easily altered, damaged or destroyed; and
- time sensitive.
For these reasons, special precautions should be taken to document, collect, preserve and examine this type of evidence. When dealing with digital evidence, the following principles should be applied:
- action taken to secure and collect digital evidence should not change the evidence;
- persons conducting the examination of digital evidence should be trained for this purpose; and
- all activity relating to the seizure, examination, storage or transfer of digital evidence should be fully documented, preserved and available for review.
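The first and third principles are usually enforced with cryptographic hashes and a chain-of-custody log. The following is an added example written for this article, not code from the original page or any named tool. It hashes a source device before and after imaging, checks the image against the source, and records each handling step in an append-only log. The case number, examiner name and the small “USB stick” contents are constructed, and `shutil.copyfile` stands in for an imaging tool such as dd or ewfacquire run behind a hardware write blocker.

```python
"""Evidence integrity and chain of custody: added example, not code from the
original article. Shows two of the principles above in practice: acquisition must
not change the evidence (checked by hashing the source before and after, and the
image against the source) and every handling step must be documented (an
append-only custody log). Case id, examiner and the 'USB image' are constructed;
shutil.copyfile stands in for dd/ewfacquire run behind a write blocker.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so a multi-TB image never has to fit in memory


def hash_chunks(chunks, algorithms=("md5", "sha256")):
    """Feed an iterable of byte chunks to several hashers in one pass; return {name: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path, algorithms=("md5", "sha256")):
    """Hash a file once. Two digests are kept so the record stays usable even if
    one algorithm is later considered too weak on its own."""
    with open(path, "rb") as fh:
        return hash_chunks(iter(lambda: fh.read(CHUNK), b""), algorithms)


class ChainOfCustody:
    """Append-only log of who did what to an item, and when (always UTC)."""

    def __init__(self, case_id, item_id):
        self.case_id, self.item_id = case_id, item_id
        self.entries = []

    def record(self, examiner, action, **details):
        entry = {
            "case_id": self.case_id,
            "item_id": self.item_id,
            "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "examiner": examiner,
            "action": action,
            **details,
        }
        self.entries.append(entry)
        return entry

    def to_json(self):
        return json.dumps(self.entries, indent=2)


def acquire_image(source_path, image_path, examiner, log):
    """Image the source, then prove the copy is bit-for-bit identical and the
    source untouched. Returns the image hashes; raises if either check fails."""
    before = hash_file(source_path)
    log.record(examiner, "hash source before acquisition", **before)
    shutil.copyfile(source_path, image_path)  # stand-in for dd/ewfacquire behind a write blocker
    after = hash_file(source_path)
    if after != before:
        raise RuntimeError("source changed during acquisition; evidence is compromised")
    image = hash_file(image_path)
    if image != before:
        raise RuntimeError("image does not match source; re-acquire")
    log.record(examiner, "acquired image", image=os.path.basename(image_path), **image)
    return image


def verify_image(image_path, expected, examiner, log):
    """Re-hash an image (before analysis, after transfer, ...) and log the outcome."""
    current = hash_file(image_path)
    ok = current == expected
    log.record(examiner, "verify image", result="match" if ok else "MISMATCH", **current)
    return ok


def demo():
    """Acquire a constructed 4 KiB 'USB stick', verify it, then flip one byte of
    the image to show that verification detects the change."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "suspect_usb.raw")
    img = os.path.join(workdir, "ITEM-01.dd")
    with open(src, "wb") as fh:
        fh.write(b"constructed sample: " + bytes(range(256)) * 16)
    log = ChainOfCustody("CASE-2024-0001", "ITEM-01")  # constructed identifiers
    hashes = acquire_image(src, img, "J. Doe", log)
    intact = verify_image(img, hashes, "J. Doe", log)
    with open(img, "r+b") as fh:  # simulate tampering: one byte flipped
        fh.seek(100)
        original = fh.read(1)[0]
        fh.seek(100)
        fh.write(bytes([original ^ 0xFF]))
    after_tamper = verify_image(img, hashes, "J. Doe", log)
    shutil.rmtree(workdir)
    return {"intact": intact, "after_tamper": after_tamper, "log": log}


if __name__ == "__main__":
    result = demo()
    print("verified after acquisition:", result["intact"])   # True
    print("verified after tampering:", result["after_tamper"])  # False
    print(result["log"].to_json())
```

The log records the hashes alongside every action, so a later reader of the case file can re-run `verify_image` against the archived image and confirm nothing has changed since acquisition; a single flipped byte, as the demo shows, is enough to produce a mismatch.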
Today, digital forensics practices have made their way into the corporate world for cybersecurity, corporate investigations and e-discovery. Just as law enforcement agencies use digital evidence to convict lawbreakers, IT managers, security and legal teams can use digital forensics to collect and preserve evidence in order to analyze and defend against a cyber attack, stop an insider threat, or complete an internal investigation.
Digital forensics solutions typically include the following capabilities:
- the ability to acquire data from a wide variety of devices, including traditional computers and systems as well as mobile devices;
- deep visibility into processes and actions that occurred on devices and operating systems;
- the ability to complete a comprehensive, forensically sound investigation; and
- comprehensive reporting features.
Law Enforcement Agencies
The law enforcement community uses forensic software and hardware to collect, triage, investigate and report on evidence from devices and networks. Digital forensics helps investigators find evidence related directly to a criminal investigation. It also helps confirm statements, authenticate documents, create timelines, and so on.
As the number of digital devices and services explodes, so do the digital footprints we all leave behind. Forensic tools allow investigators to examine and understand these footprints as they try to prove the facts of a case. Many famous criminal prosecutions have relied on digital forensics.
Every organization will face the need to conduct a digital investigation. Litigation, data breaches, fraud, insider threats, HR issues and other cybersecurity matters are unavoidable. Litigation concerns focus more on e-discovery.
DFIR teams use digital forensics to identify suspicious activity on their networks, determine who is responsible, contain the incident, and take steps to safeguard their infrastructure against similar attacks in the future.
When an incident is suspected, experienced security professionals will usually have a process workflow already outlined to guide them through the steps needed to manage the problem. Typically, this begins with a careful collection of all possible sources: physical hard drives, web browser and email history, file system and registry logs, and even off-network endpoints. Traditional corporate endpoints, such as desktop computers and laptops, are not the only devices that can be subject to forensic analysis. As smartphones and tablets see increasing daily use at work, strong demand for mobile forensic capabilities has come along with it.
Nearly every action taken on a device leaves an “artifact” on the machine, which can be examined through digital forensics. It is important to preserve all data and prevent any possible tampering so that the eventual outcome of the investigation can be deemed credible.
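Turning artifacts from several sources into one timeline is where much of the interpretation happens, and the usual trap is that each source records time differently. The following is an added example written for this article, not code from the original page or from any named tool. It normalises four constructed artifact lines (a Chrome/WebKit history timestamp in microseconds since 1601, a Windows event with a local time and UTC offset, a classic syslog line that carries neither year nor zone, and an appliance log in Unix epoch seconds) to UTC and sorts them. The export formats, the sample lines, the assumed device timezone (UTC-5) and the assumed year for the syslog lines are all constructed for the example.

```python
"""Artifact timeline: added example, not code from the original article.
Each source stores time differently, so a credible timeline first converts
every timestamp to UTC. Sample lines, export formats, the device timezone and
the syslog year are constructed assumptions for this example.
"""
import re
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Chrome/WebKit history timestamps

# Examiner-supplied assumptions for this exhibit (constructed for the example).
DEVICE_TZ = timezone(timedelta(hours=-5))  # the laptop's configured zone in January
SYSLOG_YEAR = 2024                         # classic syslog lines carry no year


def webkit_to_utc(micros):
    """Chrome 'visit_time' style value: microseconds since 1601-01-01 UTC."""
    return WEBKIT_EPOCH + timedelta(microseconds=int(micros))


def epoch_to_utc(seconds):
    return datetime.fromtimestamp(int(seconds), tz=timezone.utc)


def iso_z(dt):
    """Render any aware datetime as an ISO-8601 UTC string ending in Z."""
    return dt.astimezone(timezone.utc).isoformat().replace("+00:00", "Z")


def parse_chrome_history(line):
    # constructed export format: "<visit_time_webkit>|<url>|<title>"
    micros, url, title = line.split("|", 2)
    return webkit_to_utc(micros), "chrome_history", f"visit {url} ({title})"


def parse_windows_event(line):
    # constructed export format: "YYYY-MM-DD HH:MM:SS +HH:MM <channel> <event_id> <message>"
    m = re.match(r"(\S+ \S+ [+-]\d{2}:\d{2}) (\S+) (\d+) (.*)$", line)
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S %z")  # offset makes it aware
    return ts, "windows_event", f"{m.group(2)} event {m.group(3)}: {m.group(4)}"


def parse_syslog(line):
    # classic BSD syslog: "Mon DD HH:MM:SS host process[pid]: message" (no year, no zone)
    m = re.match(r"(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$", line)
    naive = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=SYSLOG_YEAR)
    return naive.replace(tzinfo=DEVICE_TZ), "syslog", f"{m.group(2)} {m.group(3)}"


def parse_epoch_line(line):
    # constructed appliance format: "<epoch_seconds> <message>"
    secs, msg = line.split(" ", 1)
    return epoch_to_utc(secs), "appliance_log", msg


PARSERS = {
    "chrome_history": parse_chrome_history,
    "windows_event": parse_windows_event,
    "syslog": parse_syslog,
    "appliance_log": parse_epoch_line,
}


def build_timeline(artifacts):
    """artifacts: iterable of (source_name, raw_line). Returns rows sorted by UTC time,
    each keeping the raw line so the entry can be traced back to its source."""
    parsed = []
    for source, line in artifacts:
        ts, kind, desc = PARSERS[source](line)
        parsed.append((ts, kind, desc, line))
    parsed.sort(key=lambda t: t[0])  # sort on datetimes, not strings
    return [{"time_utc": iso_z(ts), "source": kind, "event": desc, "raw": line}
            for ts, kind, desc, line in parsed]


# Constructed sample artifacts, deliberately out of chronological order.
SAMPLE_ARTIFACTS = [
    ("appliance_log", "1705526700 fw: outbound TCP 10.0.0.23 -> 198.51.100.7:443 allowed"),
    ("chrome_history", "13350000000000000|https://example.net/drop.zip|Download"),
    ("windows_event", "2024-01-18 02:45:10 +05:30 Security 4624 Logon user=jdoe"),
    ("syslog", "Jan 17 16:10:05 laptop sshd[1234]: Accepted publickey for jdoe from 203.0.113.5"),
]


def demo():
    return build_timeline(SAMPLE_ARTIFACTS)


if __name__ == "__main__":
    for row in demo():
        print(row["time_utc"], row["source"], row["event"])
```

Run as written, the four lines come out in the order syslog, Windows event, Chrome visit, firewall log, spanning 21:10 to 21:25 UTC on 17 January, even though the Windows event is stamped 18 January in its local zone. The assumptions for the zone-less sources (device timezone, syslog year) should themselves be recorded in the case notes, since a wrong assumption shifts those entries by hours or a whole year.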
Digital forensics is becoming an important consideration for many embedded devices. Modern vehicles contain computer systems that provide navigation, communication and entertainment. Most of the in-car systems are connected to the CAN (controller area network) bus, a dedicated vehicle network over which the various ECUs (electronic control units) communicate. These systems have the potential to generate and retain data of digital forensic value, which can be useful in criminal or civil investigations such as crash investigation, insurance claims and crime investigation.
Many systems record events such as when and where a vehicle's lights are turned on, which doors are opened and closed at specific locations, and even where the vehicle is when Bluetooth devices connect. Depending on the make and model of the vehicle, there could be any number of places that store evidence. Vehicle infotainment and telematics systems store a vast amount of data, such as recent destinations, favorite locations, call logs, contact lists, SMS messages, emails, pictures, videos, social media feeds, and the navigation history of everywhere the vehicle has been. Preserving this evidence can be difficult: there is usually no dedicated logging hardware (it would add cost or weight), and stored data such as recent locations can be volatile or overwritten as the vehicle continues to be used.
Once the information sources are gathered, technical investigators use a validated digital forensics tool to analyze the evidence, piecing together the initial cause of the problem, who is responsible, what actions were taken, and what the impact is. It is crucial that security responders use current digital forensics technology to assess the incident accurately. Since information security professionals deal with a high volume of possible threats, efficiency is also a valuable characteristic of a quality DFIR tool.
Justice is an important element to any civilized people, and as our world goes more and more digital, justice must find a way to occupy this realm as well. Digital forensic science provides that crucial way in.