Digital Fornesics

Digital Forensics

Introduction Breaches of data, attacks through hacking, viruses, as well as insider threats, are some of the main security concerns that a majority of organizations has to face regularly. Though most of these organizations have implemented many of the standard security measures, such as firewalls and software to detect any unauthorized intrusion, the use of computer forensics has been growing in popularity, especially in regards to the internal audit industry. Yet, despite the growing popularity that exists, a significant amount of internal auditors are not aware of the benefits that the use of computer forensics can bring in terms of audit investigations. In order to understand its benefits, one has to adhere to certain evidence-gathering standards, as well as to deal with many of the issues that define most Fraud Investigation cases. Computer forensics itself is based upon applying various analytical techniques on digital media, usually when a computer security incident has been detected. The goal of computer forensics is to determine the scope of the security breach, and who the perpetrator was through an investigation, just as in a real, physical crime scene. The actual forensic investigation encompasses a multitude of areas of computer security, including internet abuse, pornographic websites, hacking, and fraud schemes. In addition, it also includes data alterations, both intentional and accidental. There are many ways in which evidence during the forensic investigation can be gathered. These include through search warrants, affidavits, expert testimony, and depositions. The important aspect though is that the computer device is examined thoroughly without accidentally destroying any evidence. Just as during a crime scene, forensic investigators are careful not to destroy any physical evidence, so too must the same mentality exist in computer forensics. This is necessary in order to preserve the credibility of the evidence and the data alterations that were discovered. If fraud is suspected by the internal auditor, then the first step is to make sure that an "incident detection" form is filled out in which the suspected fraud is stated. This document has to be very detailed. As it must include the date and time of the incident, the person reporting it, the actual nature of it, and what hardware and software was compromised. After filling out and submitting the proper form, the security consultant/IT auditor needs to make sure that the appropriate department heads, including the director of IT and human resources, are fully briefed about the situation. However, one aspect to note is that this process is often determined by the company's laid-out process for this situation. In order to ensure efficiency, a company must make sure that their policies and procedures are both clear and detailed. This preparation will allow for the reporting of the breach of security to be done both efficiently and rapidly, with a clear chain of command.

Gathering the Evidence There are three main parts in a forensic analysis, which are gathering the evidence, analyzing it, and reporting of the results of the investigation. The first part, gathering the evidence, is defined as being the process through which evidence is secured or obtained through previewing the data contained in the computer's hard drive. In order to make sure that all of the data is properly obtained, the actual hard drive must be exactly copied. All of the information contained in it, no matter how mundane it may seem, must be copied. What determines how long this process takes is the size of hard drive and the speed of the network which the organization utilizes. Oftentimes, a second hard drive is used when the first one isn't completely secured. This allows for the forensic investigator to make sure that the data isn't still being altered. After assurances that the data isn't still being comprised and that a necessary backup file is in place, a simple preview analysis of the gathered data is performed. It involves examining the current state of the compromised data through a simple software check. This will help to provide essential information about the origins of the data and who it belongs to, which will help out as the investigation process continues. Usually, the security consultant / IT auditor will simply perform a simple preview check of the data and will not require too many details. The next step in gathering the evidence is to make sure that an exact copy of the original data is complete. This process is known as "imaging." It creates an exact duplicate of the hard drive of the computer and includes "slack space." Slack space is information that is left over from an old file that has been rewritten. An example of slack space that is particularly relevant in businesses is the creation of e-mail files. E-mail files, when created, uses tiny sections in the memory. More sections are used the longer the particular e-mail is. If the e-mail is deleted, the space is available for use again. However, if the new e-mail is shorter than the e-mail that was just deleted, the hard drive will still contain bits of information about the old e-mail that can be retrieved through various extraction processes. This duplicate is in addition to the backup file of the data that was completed in the first step. The duplicated information is the one that is investigated, rather than the original or its backup, in order to avoid any altering of the data by mistake. If any of the data of the original file is altered, it becomes inadmissible in the court system. This process of "imaging" is regarded as being essential in a digital forensic investigation. The next step in the evidence-gathering process is to process and categorize the data. Every aspect of the data has to be processed, including any deleted data, overwritten data, data in the virtual memory (slack space), and data that are hidden outside of the normal parameters of storage spaces. A write-blocking software is the popular method used by forensic examiners to do this, as it provides an extra security check to make sure that there isn't any alteration of data. Computers running on Windows operating systems are particularly vulnerable to data alteration in comparison to Macs. However, Windows 7 partially addressed this problem, and Windows 8 is supposedly to going to improve it even more. The way that this process is done is by physically removing the hard drive from the affected computer and attaching it to a separate "write-blocking" machine. After this is done, the investigator than creates a "bit-stream" image of the hard drive, making sure to include the deleted space, logical files, and file slack. An alternative process instead of using a "write-blocking" machine is to use either a boot disk or a Linux live CD. This also allows the forensic investigator to be able to view the files on an external hard drive. One of the most crucial parts of the data is often in the hidden data. That is where many of the viruses are contained. In some complex cases, it's necessary to use file extraction software to be able to access them fully. Data indexes often have to be created. Once the hard drive has been completely duplicated, mirrored, and organized, the actual collection of the evidence begins. There's a plethora of digital forensic software that includes pre-programmed scripts for multiple operating systems. These scripts are able to perform crucial tasks, including encrypted registry parser, file finder, and file mounter. It's up to the IT department of the particular company to make sure that they are using the correct forensic software. The software has to be relevant to the particular computers and operating systems used by the company.

Analyzing the Results The second part of a forensic analysis is known as analyzing the results. This step only takes place after the appropriate gathering of evidence is completed. Due to the variety of digital forensic cases that are present, security consultants/IT auditors need to make sure that they are well-trained in all aspects of data analysis. If they are not particularly knowledgable about a certain case, it is professional protocol to recommend someone that is. As mentioned, IT auditors need to use a copy of the electronic data. A chain of custody when handling the information is essential. The reason is that it allows them to ensure the legitimacy of the evidence that is used in court. It also creates an audit trail to showcase when the information was accessed and who accessed it. All images are hashed, which creates a digital fingerprint of the data, in order to preserve the chain of custody. In this stage, software is used that is able to shift through the main raw data and create a readable report of it. This software though is reliant on instructions from the auditor, who must inform the computer of what to search for. Text string search words are used to locate and categorize the data that are related to the actual incident that is being investigated. This requires that a word or phrase is used for each item that needs to be examined. These text strings can contain as much as five hundred words. Though often a tedious part of the process, the more words that are used to corresponds to better data. Another reason why it can be tedious isn't only because more words have to be created, but also because more false positives and useless data will show up in the results. The bigger the storage the device, the longer this process will take. IT auditors then put all of information into specific folders based upon their preferences. Usually the software will suggest folder names. Once this is done, the evidence is then recorded again and stored based upon a level of classification, such as its importance. Reporting the Results Next is the final part of the process which is reporting the results. This final part ends in the creation of a detailed report of the findings. These final reports should contain a detailed list of all of the information that was gathered, as well as a copy of any information usually placed in the appendices. An executive summary is also needed. Some cases require the creation of interim reports due to the need for search warrants or inconclusive evidence. These interim reports are then updated as the investigative process continues. These reports need to be ready to be used in courts. Thus, it is crucial that these reports are able to state the findings in a language that isn't too dependent on IT industry terms. It needs to be accessible to a wide population. Examples of language that must be clear are ones pertaining to what originally made the organization become alerted to their hard drive, how the hard drive was copied, what data was used for analysis, where the data evidence was found, and what all of this information actually translates to. Additionally, the IT auditors should be prepared to testify as an expert witness during the trial, as well as to work with the prosecution in going through all of the evidence. Lawyers, due to the fact that they aren't experts in digital technology, often need briefings on the evidence, as well as step-by-step explanations.

Additional Steps There are additional steps that must be taken both during the digital forensic investigation and in the pre-planning phase. These steps that can be taken by the IT auditors are to make sure that everything is ready to be presented in court. Before the actual forensic examination is done in terms of the raw data, the IT auditor must make sure that the system is completely secure, including taking pictures of the room that contains the computer, the computer's immediate area, and the computer itself.
Once all of the appropriate data is collected, the system then should be imaged. The computer also needs to be placed in a secure laboratory or be secured on-site with limited access in order to make sure that the chain of custody is fully followed. Details of the system must be extensive, including providing information about the actual network cables and internet connections.

Steps to Avoid There are some aspects though that need to be avoided during the pre-data collection phase. The first is that an IT auditor should not modify either the time or the date stamps of the hard drive that contains the tampered data before the the duplication process is completed. The second is that no executable files that are on the computer should be run, especially non-verified binaries. For example, .exe files could be programs installed by the hacker in order to wipe out all of the evidence. The third thing that must to avoid is in regards to terminating the rogue process. This specifically refers to pressing Ctrl + Alt + Delete. Pressing this command can wipe parts of the drive, log file, as well as possibly let the hacking perpetrator know that it has been discovered. Fourth, there must be no updating of the operating system until the forensic investigation is complete. Once again, this is a problem that often pertains to Windows, as their updates are sometimes automatic. The fifth thing to avoid is not recoding executed commands. Every step of the process must be well-documented. The sixth and final thing to avoid is installing software on the computer.
Live Analysis During the evidence collection, one option that the IT auditor has is to perform either a live or an offline analysis. A live analysis is done when the forensic investigation is performed on a system that hasn't been shut down. There must not even be any security patch software or any other fixes performed at this stage so that all of the steps aren't compromised. If there are any windows open, there should be pictures captured of it for evidence purposes. A live analysis isn't without its potential risks though. The first risk is that there can be alterations and possible deletion of the digital evidence by the IT auditor. Computer files are only overwritten when new data needs to replace it on the hard drive, either as a space-saving measure or due to insufficient current space. This means that simply clicking on a file can cause old data to be written over. This is virtually impossible to avoid during a live analysis, which is one of the reasons a duplicate files of the whole hard drive is made. The IT auditor must make sure that every action is written down, no matter how trivial it may seem. The second risk is in regards to logic bombs and slag code. The definition of these terms is based upon a program or line of code that reacts based on a reaction. An example would be wiping software, which will erase the whole hard drive either during the startup or shutdown of the computer, as a measure of protection to destroy the evidence by the hacker. One way to prevent such a program from operating is to disconnect the computer from its power outlet. With a laptop, it can be manually shutdown by holding onto the power button. The third risk is the risk of encountering trojan binaries and root kits. These are both put in place by the hacker. When they are active, they send data to the hacker about particular actions that are taking place on the operating system. Torjans is so sophisticated that they can even allow the attacker to see the computer screen that the forensic investigator is viewing in real time. One of the alternatives to shutting the computer down is to disable the internet connection on it, including company networking connections. The fourth risk is not having access to slack space, transaction logs, and hibernation files, amongst others. Though these files may same insignificant, they can often contain the sufficient amount of evidence needed to solve a case. An example would be locating what files were printed in order to solve a forgery case. Not accessing these files early on in the investigation means that these potentially-crucial files can be written over.

Offline Analysis The offline analysis can also be done by the IT auditor, either in conjunction or as the only method of investigation. This takes place on the imaged files of the hard drive. In order to begin this process, the IT auditor must first make sure that the computer is shutdown properly. This is entirely dependent on the system, as some can be shutdown simply by unplugging it from the electrical outlet, while others need to be shutdown manually, such as laptops. The computer has to be unplugged from the back of the computer and not from the wall. Many outlets have power supplies that are uninterruptible. IT auditors need to make sure that their duplication procedures and software that they use is legal in the country that they reside in. Violating any of these digital laws can make the evidence inadmissible in court. In the United States, as an example, the NIST, which stands for the National Institute of Standards and Technology, makes it a requirement that all of the disk-imaging tools that are used adhere to a certain set of guidelines. These guidelines include not changing the original hard drive disk, as well as recording every input and output error. Forensic investigations can be performed on anything that stores electronic data. Though the computer's hard drive is the most common target of an investigation, in modern times, the hard drives of tablets and smartphones can also be examined. IT auditors play a major role in gathering and reporting about computer evidence that can solve a variety of cases that have wide implications. These cases include complicated embezzlement schemes, data theft of the company's consumers, and financial fraud cases. The most important thing to note when conducting a forensic investigation is that the evidence must be handled with absolute care. A forensic examination, despite being an often grueling process, can be worth it in the end, as it will allow companies to improve upon any IT weaknesses that they have and can bolster their image if the forensic investigation properly solves and prosecutes the hackers. Chain of Custody Chain of custody is an extremely challenging process to maintain in data collection, especially in regards to electronic data. From the moment of the discovery of the data until its actual presentation in a court case, its authenticity must be proved at every step. Ironically, sometimes as much evidence must be presented to show that there wasn't any tampering or alterations done as the amount of actual evidence that the IT auditors originally set out to show to prove that a crime had been committed. Before electronic data existed, chain of custody only involved filling out hand-written log forms in order to keep track of actual evidence. For example, in a criminal investigation, all physical items, such as clothing with blood on it and murder weapons, were collected, identified, bagged, tagged, and stored in an evidence room until they were needed for a trial. A handwritten log had to be continuously updated every single time the evidence changed hands. This was a straightforward process that became much more complex once electronic data became relevant. Though physical data collection in criminal cases still exists, the chain of custody in those cases doesn't usually cause issues anymore due to the build-up of experience that police departments have had in handling it. However, in modern law, electronic data can affect many different cases, both of the criminal and of the civil nature. In electronic form, chain of custody changes into a two-dimension situation in dealing with actual physically tangible objects and intangible objects. The tangible items are the laptops, computers, hard drives, digital cameras, thumb drives, flash drives, etc... These items are tracked much the same way that traditional police forensics are tracked in crime scenes. However, it gets a bit more complicated when dealing with intangible items, such as documents, files, folders, e-mails, and other various minute meta-data. In addition, there are often multiple versions of all of this data that exists in the hard drive of a computer. Oftentimes, the largest violation of electronic data chain of custody occurs right at the inception of the investigation, when the computer is turned on by the IT auditor or another employee. Simply turning the computer on can either delete or overwrite much of the data present. This simple action often leads the defense to claim that the data had been tampered with and is thus inadmissible in court.
The only way to get around this is to make mirror copies of the hard drive before it's turned on. When the computer is actually turned on, the IT auditor has to document every single step that he or she completes. All of the log files that electronic data require doesn't necessarily mean that it'll be admissible in court, but it will help the IT auditor in providing explanations for any questions that may be asked by the defense. Another mistake that is often made is in the actual copying of the electronic files. One misconception is that it is merely sufficient to just mirror the hard drive. These files though must be forensically sound, which means it has to be a bit-by-bit copy in order to create a digital footprint. Simple just copying the files doesn't copy all of the various metadata and deleted files. Some of the popular forensic software that is used is EnCase or Forensic Toolkit. Creating an algorithm that can be added to the digital copy and creating a custom hash value for every piece of data will make sure that the files and their copies are the same.
A third mistake that is common is letting the forensic investigation be completed by the company's IT group. Oftentimes, the internal IT of a company isn't always aware of the latest development in the chain of custody requirements and practices. The best solution to this problem is to bring in a third-party who specializes in this very practice. There are companies whose sole job is to assist clients in forensic investigations. Thus, they are able to devote more resources in keeping up-to-date on the subject, as well as have a great deal more experience, than the IT teams of companies. The viability of these third parties is entirely dependent on performing the chain of custody to perfection, which means that they are extra careful in the process. This whole process of chain of custody and data security can be particularly expensive and grueling, especially when one considers that this is still a relatively new field. As more and more work is done in this sector, the process will get easier. The Federal Government is continuing to work with various experts in order to make sure that e-discovery rules are efficient and modern. Various states, such as New Jersey and New York, have followed suit. Soon, all fifty states will have e-discovery laws that are clearly defined.

Bauchner, E. (2006). Computer Investigation. Philadelphia: Mason Crest Publishers. Casey, E. (2010). Handbook of Digital Forensics and Investigation. London: Academic. Gallegos, F. (2004). Information Technology Control and Audit (2nd ed.). Boca Raton, Fla.: Auerbach Publications. Lawrence, G. W. (2000). Risk Management of Digital Information: A File Format Investigation. Washington, D.C.: Council on Library and Information Resources. Marshall, A. M. (2008). Digital Forensics: Digital Evidence in Criminal Investigation. Chichester, UK: Wiley-Blackwell. Moeller, R. R. (2010). IT Audit, Control, and Security. Hoboken, N.J.: Wiley. Moore, R. (2005). Search and Seizure of Digital Evidence. New York: LFB Scholarly Pub..