Computer Forensic Fundamentals
What is Cybercrime?
Cybercrime is any criminal activity that involves a computer, networked device, or network: the illegal use of any communication device to commit, or to facilitate committing, an illegal act.
Brief history of Digital Forensics
➢ The middle of the 1980s - Law enforcement first started to pay attention to the role that computers play in criminal activity. The Federal Bureau of Investigation (FBI) decided to incorporate a dedicated digital and forensic investigations capability. This led to the creation of the FBI Computer Analysis and Response Team (CART).
➢ 1995 - The International Organization on Computer Evidence (IOCE) is formed. Its goal is to develop guidelines and standards around the various phases of the digital
➢ 1998 - The Scientific Working Group on Digital Evidence (SWGDE) is created. Its main task is to standardize digital forensic practices.
➢ 2000 - The FBI establishes the first Regional Computer Forensic Laboratory (RCFL). These laboratories were established to serve law enforcement at various levels in a number of cyber-criminal investigations.
Understand the Fundamentals of Computer Forensics
Computer forensics plays a key role in tracking, investigating, and prosecuting cybercriminals. Various enterprises may need to conduct a computer forensic investigation.
Understanding Computer Forensics
Computer forensics is a part of digital forensics that deals with crimes committed across computing devices such as networks, computers, and digital storage media. It refers to a set of methodological procedures and techniques to identify, gather, preserve, extract, interpret, document, and present evidence from computing equipment such that the discovered evidence is acceptable during a legal and/or administrative proceeding in a court of law.
In summary, computer forensics deals with the process of finding admissible evidence related to a digital crime to find the perpetrators and initiate legal action against them.
Objectives of Computer Forensics
It is essential to use computer forensics for the following:
• Identify, gather, and preserve the evidence of a cybercrime
• Identify and gather evidence of cybercrimes in a forensically sound manner
• Track and prosecute the perpetrators in a court of law
• Interpret, document, and present the evidence such that it is admissible during prosecution
• Estimate the potential impact of malicious activity on the victim and assess the intent of the perpetrator
• Find vulnerabilities and security loopholes that help attackers
• Understand the techniques and methods used by attackers to avert prosecution and overcome them
• Recover deleted files, hidden files, and temporary data that can be used as evidence
• Perform incident response (IR) to prevent further loss of intellectual property, finances, and reputation during an attack
• Know the laws of various regions and areas, as digital crimes are widespread and remote
• Know the process of handling multiple platforms, data types, and operating systems
• Learn to identify and use the appropriate tools for forensic investigations
• Prepare for incidents in advance to ensure the integrity and continuity of network infrastructure
• Offer ample protection to data resources and ensure regulatory compliance
• Protect the organization from similar incidents in the future
• Help counteract online crimes such as abuse, bullying, and reputation damage
• Minimize the tangible and intangible losses to an organization or an individual
• Support the prosecution of the perpetrator of a cybercrime
Need for Computer Forensics
An exponential increase in the number of cybercrimes and civil litigations involving large organizations has emphasized the need for computer forensics. It has become a necessity for organizations to employ the service of a computer forensics agency or to hire a computer forensics expert to solve cases involving the use of computers and related technologies. The staggering financial losses caused by cybercrimes have also contributed to renewed interest in computer forensics.
Computer forensics plays an important role in tracking cybercriminals. The main role of computer forensics is as follows:
Ensure the overall integrity and the continued existence of an organization’s computer system and network infrastructure
Extract, process, and interpret the actual evidence so that it proves the attacker’s actions and their guilt or innocence in court
Efficiently track down perpetrators/terrorists from different parts of the world. Terrorists who use the Internet as a communication medium can be tracked down, and their plans can be discovered. IP addresses are vital to finding the geographical location of the terrorists.
Save the organization’s money and valuable time.
When Do You Use Computer Forensics?
Computer forensics is required when a computer-based crime occurs, and as mentioned earlier, such crimes are increasing worldwide. Organizations need to employ the services of a computer forensics agency or hire a computer forensics expert to solve crimes that involve computers and related technologies. The staggering financial losses caused by cybercrimes have also contributed to a renewed interest in computer forensics.
Computer forensics can be helpful against all types of security and criminal incidents that involve computer systems and related technologies. Most organizations seek the help of computer forensics for the following:
Prepare for incidents by securing and strengthening the defense mechanism as well as closing the loopholes in security
Identify the actions needed for incident response
Act against copyright and intellectual property theft/misuse
Estimate and minimize the damage to resources in a corporate setup
Set a security parameter and formulate security norms for ensuring forensic readiness
Types of Cybercrimes
==Cybercrime refers to “any illegal act that involves a computer, its systems, or its applications.”==
Based on the line of attack, cybercrimes can be classified as internal/insider attacks and external attacks.
Internal/Insider attacks
These attacks originate from people within the organization such as disgruntled employees, current or terminated employees, business associates, contractors, and/or undertrained staff. These insiders have legitimate access to computer systems and the organization’s data and use such access negatively to harm the organization. As they occur within the organizational network and utilize authorized access, insider attacks can be quite difficult to detect. Examples of internal attacks include espionage, theft of intellectual property, manipulation of records, and Trojan horse attack.
External attacks
External attacks refer to attacks that originate from outside sources. Such attacks occur when the information security policies and procedures are inadequate. Attackers from outside the organization attempt to gain unauthorized access to the organization's computing systems, network, or informational assets. External attacks are often performed by cybercriminals and hackers who target protected corporate information by either exploiting security vulnerabilities or using other social engineering techniques.
Examples of external attacks include SQL attack, brute-force cracking, identity theft, phishing/spoofing, denial of service attack, cyber defamation etc. Cybercriminals can launch external attacks on any corporate network with various goals and objectives. They might manipulate or destroy confidential information, sabotage systems, steal credentials of trusted users, or demand ransoms. This can severely disrupt business continuity, tarnish the market reputation of the organization, and cause loss of data and financial resources.
Examples of Cyberattacks
Espionage: Corporate espionage is a central threat to organizations because competitors often attempt to secure sensitive data through open-source intelligence gathering. Through this approach, competitors can launch similar products in the market, alter prices, and generally undermine the market position of a target organization
Intellectual property theft: It is the process of stealing trade secrets, copyrights, or patent rights of an asset or a material belonging to individuals or entities. The stolen property is generally handed over to rivals or other competitors, resulting in huge losses to the organization that developed or owned it.
Data manipulation: It is a malicious activity in which attackers modify, change, or alter valuable digital content or sensitive data during transmission, instead of directly stealing the data from the company. Data-manipulation attacks can lead to the loss of trust and integrity.
Trojan horse attack: A computer Trojan is an apparently harmless program that can later gain control and cause damage, such as damage to the file allocation table on the hard disk. Attackers use computer Trojans to trick the victim into performing a predefined action. Trojans are activated upon users' specific predefined actions, such as the unintentional installation of malicious software or clicking on a malicious link. Upon activation, Trojans can grant attackers unrestricted access to all the data stored on the compromised information system, potentially causing severe damage.
Structured query language (SQL) attack: SQL injection/attack is a technique used to take advantage of unsanitized input vulnerabilities to pass SQL commands through a web application for execution by a backend database. In this technique, the attacker injects malicious SQL queries into a user input form either to gain unauthorized access to a database or to retrieve information directly from the database.
Brute-force attack: It is the process of using a software tool or script to guess the login credentials
Phishing/spoofing: Phishing is a technique in which an attacker sends an email or provides a link falsely claiming to be from a legitimate site to acquire a user’s personal or account information.
Privilege escalation attacks: Privileges are security roles assigned to users of specific programs, features, OSes, functions, files, codes, etc. to limit access based on the user type. If a user is assigned higher privileges, they can modify or interact with more restricted parts of the system or application than less privileged users. Attackers initially gain system access with low privilege and then attempt to gain higher privileges to perform activities restricted from less privileged users.
Denial-of-service (DoS) attack: A DoS attack is an attack on a computer or network that reduces, restricts, or prevents access to system resources for legitimate users.
Cyber defamation: It is an offensive activity wherein a computer or device connected to the web is employed as a tool or source point to damage the reputation of an organization or individual.
Cyberterrorism: It involves the use of the Internet or web resources for threatening, intimidating, or performing violent activities to gain ideological or political advantages over individuals or groups. It can be performed using computer worms, viruses, malicious scripts...
Cyberwarfare: Libicki defines cyber warfare as the use of information systems against the virtual personas of individuals or groups. It is the broadest of all types of information warfare. It includes information terrorism, semantic attacks (similar to hacker warfare, but instead of harming a system, it takes over the system while maintaining the perception that it is operating correctly), and simula-warfare (war simulated by, for example, acquiring weapons for mere demonstration rather than actual use).
Impact of Cybercrimes at the Organizational Level
Most businesses are reliant on the Internet and digital economy today, which has also led to their phenomenal growth on a global scale. However, such complete digitalization of business processes also poses new cybersecurity risks and threats. New methods of cyberattacks and inadequate cybersecurity protocols have resulted in massive data breaches in organizations in recent times. The major consequences of cybercrimes in organizations include theft of sensitive information, disruption of normal business operations, and substantial reputational damage. These breaches further lead to the loss of confidentiality, integrity, and availability of information stored in organizational systems as well as the loss of customer and stakeholder trust.
Understand Digital Evidence
Digital evidence refers to probative information stored on or transmitted through an electronic device. Digital evidence should be acquired and examined in a forensically sound manner while investigating cybercrimes.
Introduction to Digital Evidence
Digital devices used in cyberattacks and other security breaches may store some data about the session, such as login user, time, type of connection, and IP addresses, which can offer evidence for prosecuting the attacker. Digital evidence includes all such information that is either stored or transmitted in digital form and has probative value, thus helping investigators find the perpetrator.
Digital evidence can be found across computing devices, servers, routers, etc. It is revealed during a forensic investigation while examining digital storage media, monitoring the network traffic, or making duplicate copies of digital data.
According to Locard's Exchange Principle, “anyone or anything entering a crime scene takes something of the scene with them and leaves something of themselves behind when they leave.”
Types of Digital Evidence
Cybercriminals directly depend on technology and digital devices to engage with the targeted system or network. Therefore, most of the evidence is present on the devices used by an attacker to connect to a network or the computing devices of the victim. Digital evidence can be any type of file stored on a device including a text file, image, document, executable file, and application data. Most such evidence is located in the storage media of the devices.
Based on the storage style and lifespan, digital evidence is categorized into two types: volatile data and non-volatile data.
Volatile Data
This refers to the temporary information on a digital device that requires a constant power supply and is lost if the power supply is interrupted. For example, random-access memory (RAM) holds the most volatile data and discards it when the device is switched off.
Non-Volatile Data
This refers to the permanent data stored on secondary storage devices, such as hard disks and memory cards. Non-volatile data do not depend on the power supply and remain intact even when the device is switched off. Examples include hidden files, slack space, swap file, index.dat files, unallocated clusters, unused partitions, hidden partitions, registry settings, and event logs.
Roles of Digital Evidence
Examples of cases where digital evidence may assist the forensic investigator in the prosecution or defense of a suspect:
Identity theft
Malicious attacks on the computer systems themselves
Information leakage
Unauthorized transmission of information
Theft of commercial secrets
Use/abuse of the Internet
Production of false documents and accounts
Unauthorized encryption/ password protection of documents
Abuse of systems
Email communication between suspects/conspirators
Sources of Potential Evidence
Investigators can collect digital evidence from multiple sources. Apart from standalone computing systems, digital evidence can be acquired from storage, peripheral, network, and handheld devices found at the crime scene.
Investigators should use valid and reliable forensic tools and techniques while acquiring digital evidence to prevent data alterations. Listed below are some sources of potential evidence that record user activities and can provide useful information during a forensic investigation:
Rules of Digital Evidence
The evidence to be presented in court must comply with five basic rules of evidence.
Understandable: Not everyone is an IT person, so the evidence must be clear and understandable to the judges
Admissible: Evidence must be related to the fact being proved
Authentic: Evidence must be real
Reliable: There must be no doubt about its authenticity
Complete: The evidence must prove the attacker's actions or the defendant's innocence
Best Evidence Rule
The best evidence rule states that the court only allows the original evidence. However, the duplicate may be accepted as evidence, if the court finds the party’s reasons for submitting the duplicate to be genuine.
Scientific Working Group on Digital Evidence (SWGDE)
Principle 1 “In order to ensure that digital evidence is collected, preserved, examined, or transferred in a manner that safeguards the accuracy and reliability of the evidence, law enforcement and forensic organizations must establish and maintain an effective quality system.”
Standard Operating Procedures (SOPs) "Standard Operating Procedures (SOPs) are documented quality-control guidelines that must be supported by proper case records and broadly accepted procedures, equipment, and materials." Implementing SOPs allows the organization to operate under compliant policies and plans.
Standards and Criteria 1.1 All agencies that seize and/or examine digital evidence must maintain an appropriate SOP document. All elements of an agency’s policies and procedures concerning digital evidence must be clearly set forth in this SOP document, which must be issued under the agency’s management authority.
Standards and Criteria 1.2 Agency management must review the SOPs on an annual basis to ensure their continued suitability and effectiveness.
Standards and Criteria 1.3 Procedures used must be generally accepted in the field or supported by data gathered and recorded scientifically.
Standards and Criteria 1.4 The agency must maintain written copies of appropriate technical procedures.
Standards and Criteria 1.5 The agency must use hardware and software that are appropriate and effective for the seizure or examination procedure.
Standards and Criteria 1.6 All activity related to the seizure, storage, examination, or transfer of digital evidence must be recorded in writing and be available for review and testimony.
Standards and Criteria 1.7 Any action that has the potential to alter, damage, or destroy any aspect of original evidence must be performed by qualified persons in a forensically sound manner.
The Association of Chief Police Officers (ACPO) Principles of Digital Evidence
Principle 1 “No action taken by law enforcement agencies, persons employed within those agencies or their agents should change data, which may subsequently be relied upon in court.
Principle 2 In circumstances where a person finds it necessary to access original data held on a computer, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
Principle 3 An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
Principle 4 The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.”
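The written audit trail required by SWGDE Standard 1.6 and ACPO Principle 3, together with the "no change to relied-upon data" rule of ACPO Principle 1, can be modelled as a hash-stamped record of each action taken on an acquired image. The script below is an added illustration, not code from the page or from SWGDE/ACPO; the image bytes, examiner names and actions are constructed, and a real acquisition would read the device through a write blocker.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for the contents of an acquired disk image.
SAMPLE_IMAGE = b"\x55\xaa" + b"constructed sample image contents" * 8


def sha256_hex(data: bytes) -> str:
    """Fingerprint of the evidence as it exists at a given step."""
    return hashlib.sha256(data).hexdigest()


def log_step(trail: list, examiner: str, action: str, evidence: bytes) -> dict:
    """Record one action in writing (SWGDE 1.6 / ACPO 3): who, what, when,
    and the hash of the evidence after the action."""
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "action": action,
        "sha256": sha256_hex(evidence),
    }
    trail.append(entry)
    return entry


def acquire(source: bytes, examiner: str) -> tuple:
    """Take a bit-for-bit working copy and open the audit trail with the
    reference hash that every later party must be able to reproduce."""
    image = bytes(source)  # the original device is never written to
    trail = []
    log_step(trail, examiner, "acquired image", image)
    return image, trail


def verify(image: bytes, trail: list) -> bool:
    """Independent re-check (ACPO 3): recomputing the hash must give the
    same result the acquisition step recorded."""
    return sha256_hex(image) == trail[0]["sha256"]


def altered_steps(trail: list) -> list:
    """Names of actions after which the evidence no longer matched the
    acquisition hash, i.e. where ACPO Principle 1 was breached."""
    reference = trail[0]["sha256"]
    return [e["action"] for e in trail[1:] if e["sha256"] != reference]


def export_trail(trail: list) -> str:
    """Serialize the trail for the case file and for testimony."""
    return json.dumps(trail, indent=2)


if __name__ == "__main__":
    image, trail = acquire(SAMPLE_IMAGE, "examiner A")
    log_step(trail, "examiner A", "keyword search (read-only)", image)
    print("independent verification:", verify(image, trail))
    # Constructed mistake: a second examiner edits the working copy.
    tampered = bytearray(image)
    tampered[10] ^= 0xFF
    log_step(trail, "examiner B", "opened file in editor", bytes(tampered))
    print("steps that changed the evidence:", altered_steps(trail))
    print(export_trail(trail))
```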
Understand Forensic Readiness
Concepts such as forensic readiness and incident response play a very important part in an organization’s ability to handle a security incident when it occurs.
Forensic readiness refers to an organization’s ability to optimally use digital evidence in a limited time and with minimal investigation costs.
Incidents can impact and damage web servers, applications, systems, accounts, and networks critical for providing services to clients and customers, thus disrupting business. Forensic readiness helps maintain business continuity by enabling the quick and easy identification of the impacted components and making it possible to replace them such that services and business can continue uninterrupted.
Forensic Readiness Planning
Forensic readiness planning refers to a set of processes to be followed for achieving forensic readiness.
Identify the potential evidence required for an incident
Determine the sources of evidence
Define a policy that determines the pathway to legally extract electronic evidence with minimal disruption
Establish a policy for securely handling and storing the collected evidence
Identify if the incident requires full or formal investigation
Create a process for documenting the procedure
Establish a legal advisory board to guide the investigation process
Keep an incident response team ready to review the incident and preserve the evidence
Identify the Roles and Responsibilities of a Forensic Investigator
By using their skills and experience, a computer forensic investigator helps organizations and law enforcement agencies identify, investigate, and prosecute the perpetrators of cybercrimes. Upon arrival on the scene, the investigator inspects the suspect's systems/devices, extracts and acquires data of evidentiary value, and analyzes it with the right forensic tools to determine the root cause of the security incident.
Understand Legal Compliance in Computer Forensics
Computer forensic investigations must be conducted according to organizational policies and as per the applicable laws and regulations of the local jurisdiction. Legal compliance in computer forensics ensures that any digital evidence collected and analyzed is admissible in a court of law.