Some TV shows will make you believe that digital forensics is easy but in reality, it’s quite challenging.
Think about it:
A computer stores lots of different types of data that can be altered. Also, the data has to be analyzed.
Traditional forensic investigators were ready to analyse any type of fragment and smear, regardless of the source. Today, digital forensic investigators must go through the data on different devices and this is challenging.
Since it began to make headway, digital forensics serves two different resolves with each one having its own hitches. For example, in most scenarios, information that a crime occurred is found in the computer but to get this information, the data has to be analyzed.
The Bernard Madoff is a good case to analyze. The investigators had a tough case when analyzing the data because it was stored in an older computer and there were no tools to retrieve it.
Today, almost every case from murder to corporate litigation involves examining of digital data in computers and mobile phones.
In other cases, like the ones involving hacking, digital forensics is hampered by the sophistication of the systems and the huge amounts of data to go through.
Digital forensics is extremely powerful and with the right skills and tools, investigators can unearth huge amounts of data that have been collected over time including old emails, Google search terms, chat logs etc. This information can show the state of mind of the individual or the resolve at the time the crime took place.
Handling evidence is also a problem in digital forensics. Evidence such as written letters and photographs can be easily reproduced and used in a court of law since computer evidence demands special handling and analysis. Electronic data can be easily erased, changed or damaged due to improper handling. Critical evidence can be deleted remotely.
On the other hand, computers hold even deleted evidence. For example, by using special tools, digital investigators can show deleted files because when you delete a file on an electronic device, the memory where the data was is still available and will remain until a new file is written over it.
Other than uncovering hidden data in criminal investigations, digital forensics tools can check for network intrusions to find how an attack occurred to prevent it from happening again. The same approach is used to recover data from reformatted and damaged drives. The same tools can be used to detect whether data has been completely wiped from drives to avoid personal information leakages.
Digital evidence can also be employed to show that a situation did not take place. This was proved in May of 2006 when forensic investigators checked the files on a stolen laptop that was used to store personal information of 26.5 million veterans and military staff to show that the sensitive files were not viewed.
Of course, the files could have been viewed by a skilled individual who has the skills to view them unconventionally without changing the timestamps. The only thing that the investigators proved was that the files were not accessed by conventional means.
With these two examples, it is clear that the possibilities of digital forensics are not only bound by the technology but by the cost-effectiveness of each case. Convictions are not the only measure of success, there is a huge gap between what is possible and what is necessary. Investigators might have the want to analyse every last piece of data, but there is hardly ever a reason to do so.
For digital forensics to work properly, techniques and tools must be equally applied to suspects, bystanders and victims. For example, a mobile device on an unidentified dead body would be subject to analysis as a device dropped in a house break-in. How the analysis is done, is down to legal than technological issues.
This has led stakeholders to come up with a constant but flexible approach when carrying out investigations regardless of the policy disparities. All the digital forensic models that have been proposed have some common elements.
Before the commencement of data analysis, it has to be collected from the crime scene, stabilized and preserved to create a record. Knowing how computers store data is vital to accurate data preservation and mining. Computers are based on binary digits 0 and 1, also known as bits. The computers that are available today, do most of their work in bytes or 8 bits. A byte is a representation of sequences 00000000, 00000001, 00000010, through 11111111, and they correspond to the decimal numbers 0 through 255. The text is represented by a specific binary code. The common representation is UTF-8 that makes use of the binary sequence 00100001 for the letter A, 00100010 for letter B and so on.
When the information is stored in a drive, these bytes are kept as blocks also called sectors. They form the smallest data block and each sector has a unique identification number, also known as logical block address. A simple email message uses up 10 or 20 sectors while a video file takes hundreds of thousands of sectors.
When preserving this data on a digital device, each sector has to be copied and stored in another computer as a file called a physical or disk image. This file has all the bytes from the primary device, meaning that all the files are present. The disk image, however, includes even the hidden files and portions of deleted but not overwritten files.
The approach is the same when scanning networks because the data sent through the network is conserved.
It is also important to note that the RAM on your computer also holds data. Extracting this data is tricky because the information stored by the RAM is temporary and the data is lost when the device is turned off. The only way to recover RAM data is by using a special program called a Memory Imager, this data is then stored in a file known as a Memory Dump.
Once the investigators obtain the data, data examinations are performed.
Testing the results hasn’t been easy over the years but thanks to Hash Functions, the process has been simplified. This technique ensures that all the data is intact and then recognised each file.
Hashing was invented by Hans Peter Luhn and has been used for processing computer text since the 60s. Since every sentence in a document can be treated as a string, hashing checks whether there is a repeated paragraph in the document. The hash value for each paragraph is calculated, the hashes are then put into a list, the list is then sorted to see whether the number appears two or more times. A repeated number suggests a repeated paragraph.
In 1979, Ralph Merkle, a doctoral student at Stanford University, came up with a way to use hashing for computer security. His idea was to make use of a hash function that formed 100 plus bits of output and includes the property of being one way. Today, Merkle’s research is being used as the basis of many cybersecurity systems for protecting credit card numbers sent over the internet, certify the reliability and legitimacy of codes that run on iPhones and also authenticate the keys used to play digital music.
Hashing is now widely used in forensics especially to establish a chain of custody for forensic data. In forensics, the entire disk image is subjected to hashing. For example, hashing is run on two disk images and the hash of each is calculated. If the values are a match, they are the true copy of the data on the drive.
Hashing is also used to recognize files by reading through the file properties of each file because they have diverse hash values.
Today’s databases have hashes for identifying known goods such as the programs dispersed as part of operating systems or stolen documents, computer viruses, stolen documents etc.
Sector and file identification with hashing makes it easy for a hard drive holding millions of files to be searched against a database with the hashes of the millions of files in a matter of hours. This process can be carried out without human intervention.
Finding Lost Files
When carrying out investigations on a computer, the investigator checks the files that belong to the person under investigation.
The files that are normally accessible are known as allocated files or files that haven’t been overwritten by the OS. Allocated means to the disk sectors in which the file(s) is stored, or space that cannot be allocated to other files. There are digital forensic tools that an examiner can use to go through the contents of the file in a disk image without using the operating system (OS). By using the tools, the examiner does not tamper with the evidence.
Digital forensics allow a file to be recovered even after permanent deletion i.e. removed from the “trash can” or “recycle bin”. In most cases, a deleted file remains in the storage space as memory, even if the file’s metadata are lost. Recovering these files uses a method known as file carving, developed by Dan Farmer, an independent security researcher in 1999.
This method makes use of a file’s headers and footers, these are byte sequences at the beginning and end of every file. The application searches for the headers and footers and once they are located, the headers and footers and the data in between is saved as a new file. The newer carvers can identify the file type.
Recovering a damaged compressed file or one that is partially missing has been a stumbling block over the years but thanks to technological advances, progress has been made in this area. In 2009, Husrev Senca and Nasir Memon came up with a recovery technique that can show a part of a JPEG image even when the beginning and end of the file are missing. Later in 2011, Ralf Brown also came up with an approach for getting back data from file fragments compressed with DEFLATE or ZIP algorithms, even when crucial information is missing.
Recovering files from the temporary computer memory have been an issue over the years but techniques such as memory parsing can get and scrutinize the contents of a running computer system. Today, open source programs that can record the system time when a memory dump was captured, show the running processes and show the information on the computer’s screen and clipboard. These tools are widely used to reverse the damages caused by malware i.e. worms and viruses and get a better understanding of the actions of a hacker. Memory parsing is a recovery process that easily recovers video and digital photographs.
After the recovery of files, the investigator can do a system analysis.
Images and video can be recovered but the main question is whether they are real or not. Photographs have been doctored since the days of Soviet Russia and with Photoshop and computer animation, g image manipulation has been taken to a whole new level.
In comes image processing, this method can check images and prove tampering or wholesale synthesis by factoring in light reflections, shadows and highlights.
Digital forensic tools help investigators to find evidence automatically. Such details show the need for deeper investigations.
Even with the advances made in the field of digital forensics, challenges are still present and will keep growing. Today’s computers have more storage space and run faster than those of the 90s, this means that there is less computing power for every memory byte.
Many cases that require the intervention of digital forensics are on the rise and there are not that many forensic investigators to do the work. The police have also joined in after realizing that digital evidence can be employed to solve crimes. In the past, digital evidence was used as a way of helping to make convictions.
What about the self-destructing phone apps that clearly all data after receiving a specific text? When gathering evidence, phones should be kept in a Faraday Cage or radio wave blocking cages. It’s important to note that mobile phones can lose the memory if kept for a long time. A Faraday Cage must, therefore, have power strips and charge the phones.
Cloud computing also means that a cell phone might not have any data at all as it could be held in the “cloud”. Investigators may not have the authority to look into remotely stored data and in worst cases, the data might be easily accessed and deleted by the suspect’s collaborators.
The biggest stumbling block of all is the lack of qualified practitioners and researchers. People who understand today's and past computer systems, data formats and applications are needed. This field requires more generalists that specialization.
How do we address this training issue?
One way is to look for chances to break down the problem in digital forensics into modular pieces so that experts can make significant contributions.
Another way is to clearly show how the basic principles and tools of digital forensics can be used in the society.
Digital forensics can be extensively used for privacy auditing. Instead of unearthing personal information to close a case, the tools can be used to unearth any personal info left by bugs or oversight.
More generally, everything around us is being computerized and digital forensics will be the only way to understand the systems when they malfunction.
With this increase in system complexity and the expanding data size, forensic experts have a daunting task to handle these computer systems and deal with the criminals.
There are many major convictions that have been facilitated by digital forensics.