Toriality's Blog

COMPUTER FORENSICS - 11

created_at:

June 4, 2024 at 5:35 PM

last_updated:

July 15, 2024 at 8:11 PM

COMPUTER FORENSICS STUDY - 11 SOURCES: INFOSECINSTITUTE.COM

INCIDENT RESPONSE AND COMPUTER FORENSICS

INTRODUCTION

With the number of devices connected to the internet exploding in recent years, security breaches have likewise become a hot and rather disturbing topic. Within this scope, it is crucial for companies to know how to respond to an incident and deal with its consequences. Every organization should have an incident response plan that covers incident detection as well as the response itself. We live in a disruptive digital era, and an effective security strategy is what makes an effective response to unexpected but inevitable contingencies possible.
For instance, consider the Internet of Things (IoT) landscape, one of the major revolutions of recent years. Everyday appliances ranging from coffee machines and digital cameras to your smartphone or tablet all have an IP address and are connected to the internet. From a malicious perspective this represents a "tempting landscape", and it is a concern for everyone.
Through incident response combined with deep forensic analysis, security issues and computer attacks can be detected at an early stage and their number reduced. This should be a mandatory role in every digital ecosystem that can be audited: cloud infrastructures, mobile devices, operating systems, and so on.

RELEVANCE OF INCIDENT RESPONSE

Corporations must mandate and assemble a rapid response team to handle security incidents. It can consist of a single person or a group of properly trained people within the organization. That team is responsible for monitoring, incident handling and reporting whenever a security breach is identified or an attack is detected.
The immediate response typically consists of classifying the incident by impact (critical, normal or minor), labelling its priority (high, medium or low) and assigning it to the teams that will investigate further. A good or bad decision at this point directly affects how the problem is resolved.
During the forensic analysis a set of considerations must be kept in mind. For example, systems exposed to external influence should be isolated, both to avoid further damage and to preserve the evidence. This is not the forensic analyst's task but a measure the incident response team must take soon after the incident is detected. The forensic analyst should therefore always work with the incident response team so that containment decisions can be made together, such as disconnecting network cables, cutting the power supply of the device, increasing physical security measures or even shutting the device down. These decisions must be made on the basis of existing policies, since these teams know the real impact of the problem and are aware of the risk of repeating certain actions on the system. Note that pulling the power destroys volatile evidence such as the contents of RAM, so the order in which volatile and non-volatile data will be collected should be settled before any of these steps is taken.
For example, leaving a system offline for long hours makes it impossible for an organization to operate normally, and significant downtime can result in substantial monetary loss. Care must therefore be taken to minimize disruption to the organization's operations. Regardless of the situation, it is the responsibility of this team to protect the evidence.
These procedures should be clear and form part of the incident response emergency plan. Some of them can be listed as follows:
SHORT TERM:

    - Detect, isolate and contain the compromised device by restricting its network access (in real time)

    - Acquire the evidence without altering or damaging the original

    - Verify that the acquired copy is identical to the original seized data (for example by comparing cryptographic hashes of both)

    - Catalog the evidence, identifying its "family" (for instance the malware family) and how the attack was propagated

    - Document the evidence

    - Transport the evidence while ensuring its integrity

    - Deliver all the documentation produced during the process

    - Communicate the incident to the responsible entity

LONGER TERM:

  • Analyze the data without modifying it

  • Deepen visibility into the processes and actions that occurred on the devices and operating systems (or wherever the incident occurred)

  • Mitigate gaps and vulnerabilities

  • Follow a scientific approach

  • Produce extensive reports
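The "acquire without altering", "verify the copy matches the original" and "transport while ensuring integrity" items above are usually implemented with the same two ingredients: hashes taken at acquisition time and a chain-of-custody log that re-hashes the evidence at every hand-off. The following is an added example, not code from the source article or from any imaging product: it uses hashlib as a stand-in for an imager, the disk contents and the evidence identifier are constructed for the demonstration, and it shows what the log looks like when a copy is altered in transit and the hand-off is refused.

```python
"""Acquire, verify and track a piece of evidence (added example; hashlib stands in for an imager)."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

HASH_ALGOS = ("md5", "sha256")   # record two digests, as most imaging tools do


class IntegrityError(Exception):
    """Raised when a copy of the evidence no longer matches its acquisition hashes."""


def evidence_hashes(data: bytes) -> dict:
    """Digest the evidence with every configured algorithm."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in HASH_ALGOS}


def acquire(source: bytes) -> tuple:
    """Hash the original first, then take a bit-for-bit copy (stand-in for dd/imager output)."""
    expected = evidence_hashes(source)
    image = bytes(source)
    return image, expected


def verify(image: bytes, expected: dict) -> bool:
    """Short-term step: confirm the acquired copy is identical to the original seized data."""
    return evidence_hashes(image) == expected


@dataclass
class ChainOfCustody:
    """Each hand-off is logged with the digest observed at that moment, so any mismatch is attributable."""
    evidence_id: str
    expected: dict
    entries: list = field(default_factory=list)

    def record(self, actor: str, action: str, image: bytes, when: Optional[datetime] = None) -> dict:
        when = when or datetime.now(timezone.utc)
        observed = evidence_hashes(image)
        entry = {
            "evidence_id": self.evidence_id,
            "time": when.isoformat(),
            "actor": actor,
            "action": action,
            "sha256": observed["sha256"],
            "intact": observed == self.expected,
        }
        self.entries.append(entry)   # write the entry before raising so the failure itself is on record
        if not entry["intact"]:
            raise IntegrityError(f"{self.evidence_id}: hash mismatch during '{action}' by {actor}")
        return entry


# Constructed stand-in for a seized disk; a real source is a block device or an E01/raw image file.
SEIZED_DISK = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x00" * 500 + b"\x55\xaa"


def run_demo() -> dict:
    """Acquisition, two clean hand-offs, then a copy altered in transit that the log rejects."""
    image, expected = acquire(SEIZED_DISK)
    log = ChainOfCustody("EV-2024-0001", expected)   # constructed evidence identifier
    log.record("first responder", "acquired on site", image)
    log.record("courier", "transported to lab", image)
    tampered = image[:-2] + b"\x00\x00"   # constructed: boot signature zeroed somewhere in transit
    try:
        log.record("analyst", "received at lab", tampered)
        detected = False
    except IntegrityError:
        detected = True
    return {"expected": expected, "entries": log.entries, "tamper_detected": detected}


if __name__ == "__main__":
    for e in run_demo()["entries"]:
        print(e["time"], e["actor"], e["action"], "intact" if e["intact"] else "MISMATCH", e["sha256"][:16])
```

The point of hashing before copying is that the digest is tied to the original as it was seized; every later comparison is against that value, never against the previous copy, so a corruption introduced at hand-off two cannot be "laundered" by re-hashing at hand-off three.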


RESPONSE VS. FORENSIC ANALYSIS

Incident Response and Forensic Analysis are two related disciplines that use similar tools. However, they have differences that are important to highlight:
  • Goals;
  • Data requirements;
  • Team skills;
  • Benefits.

[Comparison table from the source article, not preserved here: goals, data requirements, team skills and benefits of incident response versus forensic analysis]

We can see that an Incident Response specialist holds a particularly refined set of forensic skills. Including forensics as part of the incident response plan is crucial to understanding the true extent of a data breach.

ADMINISTRATIVE INVESTIGATIONS

WHAT IS AN ADMINISTRATIVE INVESTIGATION IN COMPUTER FORENSICS?

Administrative investigations use digital forensics to examine workplace employees in the event of suspicious behaviour, corruption or illegal activity. This includes using a company network or computer system to perpetrate offences such as sexual harassment, stalking, extortion, bribery, terrorism, pornography viewing, data theft, moonlighting or some kind of discrimination. Considering that Americans spend about 30 percent of their lifetime at work, this is no small matter. Although most administrative investigations are non-criminal in nature, they can lead to disciplinary action, suspension or even termination of an employee if certain digital evidence is revealed. The reality of these consequences means the overall forensic process must be clear, methodical and conducted with the utmost integrity. Because employees use email, applications and computer storage while fulfilling their professional roles, all of these become possible areas for forensic analysis and information gathering. Typically this probing is done by administrators, analysts or even private detectives, and the police are only notified if the case takes on a more criminal nature.

PURPOSES AND LIMITATIONS OF ADMINISTRATIVE INVESTIGATIONS:

Employee misconduct in the digital age offers a whole new set of challenges because, unlike in the days of old, investigators may not even have a physical "place" to investigate: the scene of the offence could very well be a network or an application on a smartphone. This volatile, highly dynamic and somewhat unexplored digital environment poses many challenges for investigators, but it may also provide the only means of assessing possible misconduct. While this unstable landscape can make the process more unpredictable and difficult, it also makes it possible to retrieve maliciously deleted data, trace the employee identity behind certain online movements, and establish a foundation for any legal recourse.
A forensic investigation of this nature can take many forms and address many objectives. Depending on the severity of the misconduct, investigators might only need to examine an employee's phone to determine the misuse of work time. But even this kind of small forensic probe can raise privacy issues and the legal need for a court-issued warrant to search through sensitive data such as call records and information stored in the cloud. These limitations often make such investigations nearly impossible, especially in countries where privacy is strongly protected.
In more serious situations, investigators may look through a worker's internet browsing history and other trace data on their computer or personal device. A fundamental principle in this field of forensics is Locard's exchange principle, which simply states that every contact between two things (even digital ones) leaves a trace. A person leaves a footprint when she steps on the ground. She leaves a fingerprint after touching a glass. Fibers are left behind when her sweater brushes against a couch. Similarly, computer forensic experts may be able to uncover important evidence when someone makes unsanctioned contact with parts of a network. Typical traces include:

    
  • Establishing the days and times of remote connections

  • Locating cookies left behind by online activity

  • Following internet browser history to determine recent activity

  • Identifying recently attached storage media such as USB thumb drives

  • Recovering text messages, emails, call logs and other data stored on a personal device

EXAMPLE:

To see this process more clearly, consider a classic case of employee data theft. A disgruntled worker may choose to steal or delete sensitive company data as a way to take revenge for a perceived injustice, to sabotage overall productivity, or to make off with valuable trade secrets; the reasons are as varied as the individuals. Say an ex-employee steals data using a USB drive, which is small, portable, easy to hide and, more importantly, can hold over 100 gigabytes of data. The act takes almost no time and would appear entirely undetectable. However, according to Locard's principle, which asserts that the perpetrator of a crime will invariably leave behind something of themselves at the scene, every action leaves some kind of trace. On a Windows host, for instance, the USBSTOR registry key and the setupapi device-install log record the vendor, product and serial number of each USB storage device and when it was first connected, even after the files themselves are gone.

CIVIL INVESTIGATIONS

THE ROLE OF COMPUTER FORENSICS IN CIVIL INVESTIGATIONS

The use of computer forensics in civil investigations is a little different from its use in criminal cases. There are different standards for collecting data and presenting the evidence in a court of law.
Civil litigation covers everything from the violation of a contract to a lawsuit between two or more parties. The party that loses the case often has to give payment, services or property to the winning party, also known as the prevailing party.
Civil cases do not deal with penal sanctions, and the standards for evidence are not as high as in criminal cases. Divorce and custody cases are two of the most common civil proceedings in which computer forensics is used. As these cases often drag on for a long period, both parties frequently start gathering information on each other even before filing for divorce. How this information was gathered is usually of particular interest to the computer forensic investigator.

HOW DOES A CIVIL INVESTIGATION DIFFER FROM A CRIMINAL INVESTIGATION?

In civil investigations, law enforcement may have limited or no involvement in the proceedings. Secondly, there is a different standard for the burden of proof (in the United States, a preponderance of the evidence rather than proof beyond a reasonable doubt). Thirdly, the forensic investigation is carried out under an order of the court. Because of this, the forensic techniques and procedures used may differ from one case to another and from one jurisdiction to another.

THE COMPLEXITIES OF CIVIL INVESTIGATIONS:

In civil investigations there is a lot of negotiation over what data can be inspected, which devices can be checked, and where and when they can be looked at. Criminal investigations are easier in this respect: the investigator is granted a search warrant and can seize the defendant's computer by whatever means are deemed necessary.
This is not permissible in civil investigations. A request to inspect the computer has to be made first, and only then is the computer handed over, which can be a time-consuming process.
During this time frame the defendant may destroy or hide data before the plaintiff even gets the opportunity to inspect it. Usually in civil cases, preliminary electronic discovery is done to show the other party whether they are likely to win, or whether the case should even go to trial. This data is presented in an informal format because its purpose is to get the parties to agree on a possible settlement.
Since most civil cases have a financial aspect, the court orders authorizing a computer forensic investigation carry both data and time constraints. As a result, some artifacts and information may be excluded from the case by the court order.
Here are some of the means by which forensic information and data can be collected in civil investigations:
ON-SITE COLLECTION:
    Data is collected from computers, servers and cellphones. The data gathered is then organized in a court-approved manner.

REMOTE COLLECTION:

    Similar to on-site collection, but smaller in scope: the network is accessed remotely to gather the necessary information and data.

CLOUD COLLECTION:

    As the name suggests, data is gathered from cloud-based sources such as Google Drive, Dropbox, Gmail, Yahoo, etc.

SOCIAL MEDIA GATHERING:

    Information and data collected from social media platforms such as YouTube, Twitter, Instagram and Facebook.

MOBILE DEVICE DATA COLLECTION:

    Various tools are used to gather information and data from cell phones and tablets. This also involves recovering deleted text messages and call records.

    

CRIMINAL INVESTIGATIONS

COMPUTER FORENSICS: AN INSEPARABLE PART OF CRIMINAL INVESTIGATIONS

Computer forensics has become an increasingly important element of cyber inquiry. Its use is not limited to monitoring the computer activities of employees, tracking a hacker or setting up an organization's internet security: it is becoming part of criminal investigations too, and is used to solve murder, rape, fraud and kidnapping cases. Investigators dig through computers, cell phones, chats and networks to extract information that was lost or deleted. They can recover a computer's web history, deleted emails, images and even attachments, keywords searched for in the browser, online chats and even instant messenger conversations. Simply by analyzing a person's hard drive, all of their web browsing activity can be evaluated.

HOW IS COMPUTER FORENSICS USED IN CRIMINAL INVESTIGATIONS?

The forensic investigation is conducted in 5 basic steps.
  1. VERIFICATION

    The investigation is normally conducted as part of an incident response scenario, so the first step is to verify that an incident actually occurred. This preliminary step helps determine the characteristics of the incident and the right approach for identifying, preserving and collecting the evidence.

  2. SYSTEM DESCRIPTION

    This step defines where to start gathering data about the incident. The operating system is outlined along with its configuration: amount of RAM, disk format and the location of the evidence.

  3. EVIDENCE ACQUISITION

    This is the crucial part of the investigation. The analysts have to identify the sources of data and verify the integrity of the data. The first step is to gather all volatile data such as login sessions, the contents of RAM, the ARP cache and network connections, since these disappear as soon as the system is powered off. The second step is to collect non-volatile data such as hard drives. Once the data is acquired and verified (typically by hashing the original and the copy and comparing the digests), the chain of custody is established: it records how the evidence was found, how it was handled and everything that happened to it afterwards.

  4. EVIDENCE EXAMINATION

    Procedures need to be in place for retrieving, copying and storing the evidence before it is examined, and a variety of methods are used for this purpose. Analysis software is used to search data archives and to recover files that were deleted. The investigators look for suspicious programs and for encrypted information. They also analyze the timestamps of the data as well as the file names. They work closely with criminal investigators and lawyers to understand the nuances of the case, outline which investigative actions should be taken and what type of information should be preserved as evidence.

  5. DOCUMENTING AND REPORTING

    The computer forensic investigator has to keep an accurate record of all the activities related to the investigation: the methods used for examining the system and for retrieving, copying and storing the data. All this information is documented to ensure the integrity of the evidence. The documented data can then be presented to a court of law as evidence.
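The acquisition step above lists network connections among the volatile data to capture first. On Linux, copying /proc/net/tcp is one of the cheapest ways to snapshot them before containment, but the file stores addresses and ports as hex in host byte order, so the capture must be decoded before it means anything to an analyst. The following is an added example, not code from the source article: the snapshot text is constructed for the demonstration, the decoder assumes a little-endian host (x86/x86-64, which is how the kernel writes the file there), and the list of internal address ranges is an assumption that a real engagement would replace with the organization's own ranges. It flags established sessions to addresses outside those ranges, the kind of finding that drives the containment decisions discussed earlier.

```python
"""Decode a captured /proc/net/tcp snapshot (added example with constructed sample data)."""
import ipaddress
import struct

# Kernel TCP state codes as they appear in the 'st' column.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Assumed internal ranges (RFC 1918 plus loopback); replace with the organization's own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed snapshot, as if copied off a live host during volatile-data collection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18311 1 0000000000000000 100 0 0 10 0
   1: 1500A8C0:BF12 0E00A8C0:01BD 01 00000000:00000000 00:00000000 00000000  1000        0 22147 1 0000000000000000 20 4 30 10 -1
   2: 1500A8C0:C1A4 057100CB:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 22990 1 0000000000000000 20 4 30 10 -1
"""


def decode_endpoint(field: str) -> tuple:
    """'1500A8C0:BF12' -> ('192.168.0.21', 48914). The address is a host-order u32, so unpack little-endian."""
    ip_hex, port_hex = field.split(":")
    ip_int = struct.unpack("<I", bytes.fromhex(ip_hex))[0]
    return str(ipaddress.IPv4Address(ip_int)), int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> list:
    """Turn the raw table into connection records, skipping the header line."""
    records = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 10:
            continue
        records.append({
            "local": decode_endpoint(fields[1]),
            "remote": decode_endpoint(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
            "inode": int(fields[9]),   # join against /proc/<pid>/fd symlinks to find the owning process
        })
    return records


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_established(records: list) -> list:
    """Established sessions whose peer lies outside the internal ranges: candidates for containment."""
    return [r for r in records
            if r["state"] == "ESTABLISHED" and not is_internal(r["remote"][0])]


if __name__ == "__main__":
    conns = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    for c in external_established(conns):
        print(f"{c['local'][0]}:{c['local'][1]} -> {c['remote'][0]}:{c['remote'][1]} "
              f"uid={c['uid']} inode={c['inode']}")
```

The inode column is the useful pivot: during the same volatile pass, the symlinks under /proc/<pid>/fd name the socket inode, which is how the connection is tied back to a process before anything is shut down.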

THE FAMOUS BTK CASE

Computer forensics was used to solve the very famous case of the BTK serial killer. The American police spent millions of dollars and many years trying to find the identity of a man who killed 10 people in Wichita, Kansas between 1974 and 1991. Finally, in February 2005, computer forensics investigators accomplished what the police had failed to do over the course of thirty years: they identified the killer, Dennis Rader. It all started in January 1974, when Rader strangled four members of the Otero family to death. During his murder spree, Rader sent bizarre notes to the police. He even nicknamed himself BTK, short for Bind, Torture, Kill. His letters included pictures, puzzles and twisted poems. He mailed them to the media or directly to the police, and sometimes he hid them. He then went completely silent for more than 10 years. In 2004 he resumed communications with the police, this time sending them a Word document on a floppy disk. The forensic investigators were immediately able to follow his trail: using the EnCase Forensic software they pulled the metadata out of the document, which showed that it had last been modified by a user named Dennis at Christ Lutheran Church. When the investigators looked at the church's website, it revealed that Dennis Rader was the president of the congregation council. The police then checked his background and examined DNA evidence, and the murder mystery was solved: he was linked to the BTK murders. Rader initially pleaded not guilty but later confessed that he was responsible for all the murders.
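The metadata pivot that broke the case is easy to reproduce on Office files. The following is an added example, not code from the source article or from EnCase: it builds a constructed minimal .docx package in memory (names, dates and company are invented for the demonstration) and then reads the core properties (creator, last modified by, revision, timestamps) and extended properties (application, company) that an analyst would pivot on. The 2004 floppy carried a Word 97-2003 binary .doc, where the same fields live in the OLE SummaryInformation stream rather than in XML, so that format needs a different parser; the fields and the pivot are the same.

```python
"""Pull authorship metadata out of a Word OOXML (.docx) package (added example)."""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
CORE_FIELDS = ("dc:title", "dc:creator", "cp:lastModifiedBy", "cp:revision",
               "dcterms:created", "dcterms:modified")
APP_FIELDS = ("ep:Application", "ep:Company", "ep:TotalTime")


def _read_xml(zf: zipfile.ZipFile, name: str):
    """Parse one part of the package, or None if the part is absent (documents may omit app.xml)."""
    return ET.fromstring(zf.read(name)) if name in zf.namelist() else None


def document_metadata(docx_bytes: bytes) -> dict:
    """Return the core and extended property fields an analyst would pivot on."""
    meta = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        core = _read_xml(zf, "docProps/core.xml")
        app = _read_xml(zf, "docProps/app.xml")
    for root, fields in ((core, CORE_FIELDS), (app, APP_FIELDS)):
        if root is None:
            continue
        for tag in fields:
            el = root.find(tag, NS)   # prefixes resolve through NS, whatever prefix the file used
            if el is not None and el.text and el.text.strip():
                meta[tag] = el.text.strip()
    return meta


def build_sample_docx() -> bytes:
    """Constructed minimal package; every name, date and company here is invented."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        '<dc:title>Untitled</dc:title><dc:creator>A. Author</dc:creator>'
        '<cp:lastModifiedBy>B. Editor</cp:lastModifiedBy><cp:revision>7</cp:revision>'
        '<dcterms:created xsi:type="dcterms:W3CDTF">2024-02-11T14:05:00Z</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2024-03-09T09:30:00Z</dcterms:modified>'
        '</cp:coreProperties>'
    )
    app = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Properties xmlns="{NS["ep"]}"><Application>Microsoft Office Word</Application>'
        '<Company>Example Congregation</Company><TotalTime>35</TotalTime></Properties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
        zf.writestr("word/document.xml", "<document/>")   # body content is irrelevant here
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in document_metadata(build_sample_docx()).items():
        print(f"{key:22} {value}")
```

In the real case the decisive field was the equivalent of cp:lastModifiedBy together with the organization name; the example reads both, and returns an empty dictionary rather than failing when a package carries no property parts at all.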

E-DISCOVERY

INTRODUCTION

E-Discovery is the procedure by which the parties involved in a legal case collect, preserve, review and exchange information in electronic format to use as evidence in that case. The parties are required to exchange information and evidence in state or federal courts, whether it takes the form of recorded interrogatories, testimony or electronic files. Emails, spreadsheets, documents or any other electronic file of potential evidentiary value to investigators or attorneys can be identified by the court as admissible evidence.
E-Discovery also involves sifting through a large amount of data to reduce redundancy and useless information. The data is brought to a single location so that it can be reviewed by investigators and lawyers. This particular step in the process does not recover hidden or deleted data.
Typically, an E-Discovery process includes the following steps:

  1. The process begins by creating and retaining ESI (Electronically Stored Information) according to an ERM (Electronic Records Management) program and an enforceable electronic records retention policy.

  2. Relevant ESI is identified and then preserved so that the gathered data cannot be destroyed or altered.

  3. The ESI is processed and filtered so that useless information and duplicates are reduced. Reducing the volume of ESI also reduces the cost.

  4. The filtered ESI is reviewed and analyzed for privilege.

  5. The remaining ESI is produced after excluding irrelevant, duplicate and privileged data. The ESI is produced in a specific format.

  6. A clawback agreement for the ESI is drawn up and approved by the court. A clawback agreement is an integral part of any production that involves ESI, and incorporating it is part of the court order. It requires the parties to agree that the unintended production of privileged information will not automatically constitute a waiver of privilege.

  7. If the case has not been settled, the produced ESI is presented at trial.

COMPUTER FORENSICS VS. E-DISCOVERY

Since both involve electronically stored information, many people think they are one and the same. The primary purpose of E-discovery is to collect active data and metadata from hard drives and other storage media. That data, however, is limited. Computer forensics is then used to perform a deeper recovery: it autopsies the hard drive and looks in hidden folders or unallocated disk space to establish the who, what, where and why from a computer. If not enough basic evidence is accessible from a computer, computer forensics is performed. The techniques used in forensics to gather legal evidence require specialized training. It is a more specific discipline that involves the analysis of electronic devices and computers to produce legal evidence of a crime, and it involves technical procedures such as data carving. Computer forensics is used in fraud investigations, employment cases, civil litigation, criminal prosecutions, white-collar crime and even divorce cases.

WHAT TYPE OF DATA IS GATHERED BY COMPUTER FORENSICS?

    • Automatically stored data, for instance a file that was purged from the server while a copy still exists on the user's hard drive

    • Files that were deleted by the user but not destroyed: they stay on the hard drive until they are wiped or overwritten

    • Ghost data, which is not readily accessible but is recoverable

    • System data, which provides an electronic trail of all the activities performed on the computer or the network

    • Evidence that wiping software was used on the computer, which can be detected with computer forensic software
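Two of the bullets above (deleted files that stay on disk until overwritten) and the "data carving" mentioned in the previous section, as well as the "recover files that were deleted" part of the evidence examination step, all describe the same technique: once the file system no longer points at a file, its bytes are found by scanning unallocated space for known headers and trailers. The following is an added example, not code from the source article or from any carving tool such as scalpel or foremost: the "unallocated space" is constructed (dummy bodies with correct JPEG and PNG magic and trailers, not real pictures), and it shows the partial-overwrite case, where a file's trailer is gone and the carver must stop at the next header instead of running on into a later file.

```python
"""Carve deleted files out of unallocated space by header/trailer signature (added example)."""
from dataclasses import dataclass

# Magic bytes and trailers from the JPEG and PNG format specifications.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}
MAX_CARVE = 16 * 1024 * 1024   # cap on one carved file so a missing trailer cannot swallow the whole image


@dataclass
class CarvedFile:
    kind: str
    offset: int
    data: bytes
    complete: bool   # False when no usable trailer was found: the tail was overwritten by newer data


def carve(image: bytes, signatures: dict = SIGNATURES) -> list:
    """Scan for every known header and cut out the bytes up to its trailer."""
    found = []
    for kind, (header, trailer) in signatures.items():
        pos = 0
        while (start := image.find(header, pos)) >= 0:
            body = start + len(header)
            next_header = image.find(header, body)
            end = image.find(trailer, body, start + MAX_CARVE)
            if end >= 0 and (next_header < 0 or end < next_header):
                end += len(trailer)
                found.append(CarvedFile(kind, start, image[start:end], True))
                pos = end
            else:
                # Trailer missing, or it belongs to a later file of the same type:
                # keep what survives up to the next header (or the cap) and mark it partial.
                stop = next_header if next_header >= 0 else min(len(image), start + MAX_CARVE)
                found.append(CarvedFile(kind, start, image[start:stop], False))
                pos = body
    return sorted(found, key=lambda f: f.offset)


# Constructed "unallocated space": a deleted JPEG, a PNG whose tail was overwritten, and an intact PNG.
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 40 + b"\xff\xd9"
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x02" * 17 + b"IEND\xae\x42\x60\x82"
TRUNCATED_PNG = PNG[:24]           # header plus part of IHDR; the rest was overwritten
FILLER = b"\x00" * 64
UNALLOCATED = FILLER + JPEG + FILLER + TRUNCATED_PNG + FILLER + PNG + FILLER


if __name__ == "__main__":
    for f in carve(UNALLOCATED):
        print(f"{f.kind} at offset {f.offset}: {len(f.data)} bytes, "
              f"{'complete' if f.complete else 'PARTIAL'}")
```

A carver recovers content but not names, timestamps or ownership, which is why carved files are reported by image offset and why the partial ones are kept: a fragment of a deleted document is still evidence, and its offset is what lets the examiner relate it to the file system metadata recovered separately.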

HOW DID E-DISCOVERY HELP GOOGLE WIN OVER ORACLE

Remember when Oracle sued Google for infringing its copyrights by using its Java code in the Android OS? Google won this six-year battle through the E-discovery process. The company gathered multiple emails and presented them to the jury. Among the evidence was an email from a senior Google engineer suggesting that a Java license be negotiated. Another email revealed that Google executives had requested research into an alternative to Java.

COMMON CHALLENGES FACING E-DISCOVERY:

E-discovery is a remarkable way of gathering legal evidence, but there are some challenges associated with it too. The good news is that technological progress is helping to mitigate them. Some of the common ones are:

LARGE VOLUME OF DATA

It is not easy to filter data when there are too many files to go through. What to pick and what not to pick can affect the quality of the evidence.

IT'S EXPENSIVE

The E-discovery process can be complicated, expensive and time consuming. When dealing with complex transactions, fraud, or a long history of communications between the parties, the cost of e-discovery goes up. Processing ESI is expensive because of the degree of accuracy required and because a lot of work has to be done quickly. The tools and software used to extract data are costly in themselves, and specially trained experts are required to perform data recovery.

CLOUD E-DISCOVERY IS NOT EASY

A number of challenges arise with cloud e-discovery, from identifying the physical location of the server to determining who owns these servers, which in turn leads to third-party data discovery challenges. There is a widespread assumption that information stored in the cloud is easy for an organization to extract, but that is not always the case. There are a number of places in the cloud where ESI can live. Under the Federal Rules of Civil Procedure, a party to litigation has to preserve and produce ESI that is in its possession, custody or control. When it comes to the cloud, these duties are split: the ESI might not be in your possession or control. Depending on the relationship a company has with its cloud vendor, it may not know exactly where the data is stored, and even if it does, it can be extremely difficult to access the information in time and in the right format.