CHALLENGES FACED BY CYBER FORENSIC INVESTIGATOR – CONCEPTS AND TECHNIQUES
FADI ABU ZUHRI
This paper looks at the techniques and tools used by Cyber Forensic Investigators in various scenarios that prove to be quite challenging. Cyber Forensic Investigators are tasked with presenting digital evidence to the courts. The courts would only accept evidence that is based on reliable principles and methods. One therefore needs to have a way to distinguish reliable techniques from unreliable ones. For example, certain groups consider evidence from astronomy reliable while evidence from astrology is not considered reliable even though they both use the same tools – star charts, planetary positions, telescopes, etc. Cyber Forensic techniques and tools need to be evaluated for reliability before presenting to the courts.
Live forensic is mostly applied when the item under investigation is rather too large to be represented practically by imaging (Karie & Venter, 2015). Also, there are situations where the system that is to be investigated is too big to be broken down for postmortem. There also occurs a situation where the computer that is to be investigated is very far away from the Cyber Forensic Investigator. This entire situation will have required the technique of live forensics to be applied. However, the whole case does not mean that one would have to download all these details from a remote location since this will require a more sophisticated network to perform this operation (Christopher, 2006). Additionally, there are cases where the aspect of capture cannot be used for the purpose of postmortem analysis for example memory contents, open ports and other operating aspects of a running computer. In this case, it is advisable that one should use court tested methods to avoid a situation where you will be required to prove the viability of the method in question. According to Peter (2005), the most used situation where the assistance of live forensics is required is in the cases of digital forensic incidence response where it is used if one has an understanding of what is in the memory, what is being communicated out by the computer and what processes and ports are running.
There has been the migration of organization’s data to storage in the cloud at a high rate by various corporations. Many decision makers of technology have invested their businesses in the cloud services. Based on the experience of the organizations, there are three main challenges that one ought to overcome to perform sound data collection in the cloud. Firstly, it is easy to get in, but hard to get back the organization’s data out once it has been drawn to the cloud. Secondly, data protection laws are different in various countries. Thirdly, Office 365, which is seeing a growing adoption among organizations, are inadequate for large-scale collection creating a great challenge for data collection (Barocchini & Maccherola, 2017).
Reliable methods of data recovery are critical for any Forensic Investigator as the situation of losing data is sometimes inevitable during criminal investigations (Rogers & Seigfried, 2014). For any Cyber Forensic Investigator, information is key and therefore it is highly recommended that measures are put in place to ensure that information can be recovered once lost. In case the information is lost, effective methods of data recovery should be put forward. For example, when one loses a file that he or she has no extra copy of; it would really be easy for them to recover the file if the file were recent and not overwritten. The methods to be deployed in the process of data recovery depend on whether one wants to get the data in in-depth or just a copy of the file. For the case of the whole file, it is possible to recover the file by bookmarking the file as you analyze them bit by bit as you go just like in document forensics (Karie & Venter, 2015). For the case of a copy of the file, computer forensics allows one to get the file from the Image as a stand-alone file.
RECOVERING POTENTIALLY OVERWRITTEN FILES
Digital storage is designed in such a way that when one deletes a file, it stays saved in the digital memory to allow natural restoration of the file. But there is a situation, mainly as a result of disk fragmentation, which could result in this particular data being lost. Fragmentation results in the overwriting of this particular files and it would be possible to recover these files using the file table (Samy et al., 2017). The file table is what determines the way files are stored physically within that particular storage. If the data has been partially overwritten, it will be possible to recover the data by reconstruction of the file header. If the file header has been overwritten, file carving is used (Rogers & Seigfried, 2014).
Passwords are put in place to ensure data security, and there comes a time when the password itself becomes a threat to data security. For this reason, it is important that measures for password recovery should be in place. The process may be easy or hard depending on the type of password that is being recovered (Bennet, 2012). The easiest way to password recovery is the dictionary. This tool assumes that the passwords are a dictionary and through trial and error the appropriate password is found. After the dictionary attack, hash or password replacement is the next step of password recovery. This case does not apply to all situations given that other systems are complex. If the dictionary attack is not successful in password recovery, then another process called brute force can be used. This process is a widely known password recovery process but is time consuming. The time factor here is determined by the number of possible combination in order to receive the actual password that is required.
FORENSIC IMAGE ANALYSIS
Forensic Image Analysis uses search indexing and file filtering techniques. Index search technique is used in where the data has been grouped into various categories using the index. Digital devices store data using the index for the purpose of aiding people to retrieve data. The file filtering tool, on the other hand, uses hashes to gain access to the necessary files (Karie & Venter, 2015).
The general idea about forensic image analysis lies in the various tools that are used for this challenge. The most used tool is the search tool which includes two types of search. Index search is the easiest form of search that involves the search of the database. When an application is processing the disk for image analysis, it creates then indexes table in the back-end database. Searching of the image will be done through the aid of this particular index. The second technique that is applied is the file filtering. The file filtering tool uses hashes to gain access to the necessary files. This method works by eliminating the undesirable item and select those that the forensic investigator prefers (Simon & Choo, 2014).
CRYPTANALYSIS AND STEGANALYSIS
Steganalysis is the process of finding hidden data within digital objects. This is similar to cryptanalysis applied to cryptography. Information can be hidden in messages, images, or file within another message (Otair, 2015).
The idea of encryption has always been a major obstacle to most of the Cyber Forensic Investigators since they are very hard to break and also due to the fact that not all encryption is the same. The process of encryption is usually done by an application which most of the time leave trails of plaintext behind. These plain texts are hard to find, yet they provide all the necessary requirements to break encryption. The first step towards breaking encryption is to identify the type of application that has been used. Some applications are good in deleting all traces of plain text, but it would be still possible to break the encryption if the plaintext was saved elsewhere of even in another version. The next step is you identify the weakness of the application that has been used for encryption then you exploit the weakness then you can finally access the file if you know the file name (Quick & Choo, 2016).
FORENSIC NETWORK ANALYSIS
Sniffing is the process of analyzing all the data that passes through a given network. Sniffers are available as open-source, commercial and more sophisticated ones (Dykstra & Sherman, 2013). For sniffers to work in a particular network, it must be configured in promiscuous mode allowing them to receive network traffic even if not addressed to this particular Network Interface Cards (NICs) (Gordon, 2016).
The challenge of big data is to try to isolate the useful data from the vast amounts of data available. In forensics, big data is randomly distributed as compared to simple data, which is stratified, and its analysis requires just simple methods of data mining. After separation of the data, cluster analysis is the step that follows. Cluster analysis involves using a given criteria to try to group the data in an orderly manner depending on the attributes of the data (Rogers & Seigfried, 2014).
The criteria that will be used in the grouping will be up to the efforts of the Cyber Forensic Investigator. Another method that is very vital here is detection, which looks at the data in a perspective which is different from that of the Cyber Forensic Investigator. The last approach is independencies which use some rule to try to find the various relationships of the data that interest the Cyber Forensic Investigator (Gordon, 2016).
SAFE ANALYSIS OF MALWARE
Cyber Forensic Investigators need to identify and if possible, eliminate all imminent dangers posed by malware before analyzing digital evidence. The most common method used for this particular challenge is sandboxing. Sandboxing involves creating a virtual machine on the physical computer that can be operated in the computer as a separate entity (Rogers & Seigfried, 2014).
Which this approach, it will be possible for one to undertake high-risk activities using the virtual machine and deal will eliminate the malware that pose a threat to the work being done by the Cyber Forensic Investigator. According to Samy et al. (2017), the sandboxing tools also have the capability of encapsulating a computer in web-browsing thus providing security from drive-by malware.
A common tool for data visualization in Cyber Forensics is link analysis. This particular tool includes the use of graphs, pie charts, and crosstabs, among others to try to create a visual impression. This is a more practical approach in the field of forensic analysis where it is more interactive and literarily visual (Bennet, 2012).
Ruan et al. (2011) indicate that data visualization entirely depends on the visualization tools possess by Cyber Forensic Investigator meaning that there are many open-source and commercial visualization tools present in the market. The basic idea of data visualization is to aid people to understand the data by seeing the data. (Ruan, Carthy, Kechadi, & Crosbie, 2011).
A national workshop found that the most important challenges in Cyber Forensics were education, training and funding, the size of memory, data volume, and understanding of technology (Baggili & Breitinger, 2017). Cyber forensic investigators are very vital in various cases today given that there has been a rapid change in technology over the years. This knowledge is very crucial today especially in court cases where the use of this kind of technology has seen into it that there has been a change in the way various cases that proved hard to make a conclusion be easy.
- Baggili, I., & Breitinger, F. (2017, June 22). NSF National Workshop on Redefining Cyber Forensics. Retrieved 2017, from https://www.youtube.com/watch?v=RBHWVclGmmk&feature=youtu.be
- Barocchini, A., & Maccherola, S. (2017, May 31). 3 Challenges to Data Collection in the Cloud. Retrieved 2017, from http://accessdata.com/blog/3-challenges-to-data-collection-in-the-cloud
- Bennet, D. W. (2012). The Challenges Facing Computer Forensics Investigators in Obtaining Information from Mobile Devices for Use in Criminal Investigations. Information Security Journal: A Global Perspective , 21 (3), 159-168.
- Brown, C. L. (2006). Computer Evidence Collection & Preservation. Massachusetts: Charles River Media, Inc.
- Dykstra, J., & Sherman, A. T. (2013). Design and implementation of FROST: Digital forensic tools for the OpenStack cloud computing platform. Digital Investigation , 10, 87-95.
- Karie, N. M., & Venter, H. S. (2015). Taxonomy of challenges for digital forensics. Journal of forensic sciences , 60 (4), 885-893.
- Quick, D., & Choo, K. (2016). Big forensic data reduction: digital forensic images and electronic evidence. Cluster Computing , 19 (2), 723-740.
- Rogers, M. K., & Seigfried, K. (2014). The future of computer forensics: a needs analysis survey. Computers & Security , 23 (1), 12-16.
- Ruan, K., Carthy, J., Kechadi, T., & Crosbie, M. (2011). Cloud forensics. IFIP International Conference on Digital Forensics (pp. 35-46). Berlin: Springer.
- Samy, G. N., Shanmugam, B., Maarop, N., Magalingam, P., Perumal, S., & Albakri, S. H. (2017). Digital Forensic Challenges in the Cloud Computing Environment. International Conference of Reliable Information and Communication Technology , 669-676.
- Simon, M., & Choo, K. (2014). Digital forensics: challenges and future research directions. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2421339. In I.-S. Kim, & J. Liu, Contemporary Trends in Asian Criminal Justice: Paving the Way for the Future (pp. 105-146). Seoul, South Korea: Korean Institute of Criminology.
- Stephenson, P. (n.d.). (ISC)² Guide to the CCFP CBK.