Cyber forensic is a branch of science which deals with tools and techniques for investigation of digital data to find evidences against a crime which can be produced in the court of law. It is a practice of preserving, extracting, analyzing and documenting evidance from digital devices such as computers, digital storage media, smartphones, etc. so that they can be used to make expert opinion in legal/administrative matters.
The computer forensic plays a vital role in an organization as the our dependency on computing devices and internet is increasing day-by-day. According to a survey conducted by University of California7, 93% of all the informaiton generated during 1999 was generated in digital form, on computers, only 7% of the remaining information was generated using other sources like paper etc. It not always easy to collect evidences as the data may be temperd, deleted, hidden or encrypted. Digital foransic investigation is a highly skilled task which needs the expose of various tools, techniques and guidelines for fininding and recovering the digital evidances from the crime scene or the digital equipments used in the crime. With digital equipments like smartphone, tablets, palmtops, smart tv, etc having increasing processing capabilities and computation speed, the possibility of use of these devices in cyber crime cannot be ruled out. A forancis investigator must not only have deep understanding of the working of these devices and also hands-on exposure to the tools for accurate data retrival so that the value and intrigity of the data is preserved.
7 http://www.isfs.org.hk/publications/ComputerForensics_part1.pdf
A computer can be used intentionally or unintentionally to cyber crime. The intentional use is to use your computer to send hate mails or installing cracked version of an otherwise licenced software into your computer. Unintentional use is the computer you are using contains virus and it is spread into the network and outside the network causing major loss to someone in financial terms. Simillerly a computer can be directly used to commit a digital crime. For example, your computer is used to access the sensitive and classified data and the data is sent someone inside/outside the network who can use this data for him own benefit. The indirect use of computer is when while downloading a crack of a software, a trozan horse is stored in the computer, while creates a backdoor in the network to facilitate hacker. Now the hacker logs into your computer and use it for committing cyber crime. An experienced computer forensic investigator plays a crucial role in distinguishing direct and indirect attack. Computer forensic experts are also useful for recovery of accidental data loss, to detect industrial espionage, counterfeiting, etc.
In large organization, as soon as a cyber crime is detected by the incident handling team, which is responsible for monitoring and detection of security event on a computer or computer network, initial incident management processes are followed8. This is an in-house process. It follows following steps:
Preparation: The organization prepares guidelines for incident response and assigns roles and the responsibilities of each member of the incident response team. Most of the large organizations earn a reputation in the market and any negative sentiment may negatively affect the emotions of the shareholders. Therefore, an effective communication is required to declare the incident. Hence, assigning the roles based on the skill-set of a member is important.
Identification: based on the traits the incident response team verifies whether an event had actually occurred. One of the most common procedures to verify the event is examining the logs. Once the occurrence of the event is verified, the impact of the attack is to be assessed.
Containment: based on the feedback from the assessment team, the future course of action to respond to the incident is planned in this step.
8 http://countuponsecurity.com/2012/12/21/computer-security-incident-handling-6-steps/
Eradication:In this step, the strategy for the eradication or mitigate of the cause of the threat is planned and executed.
Recovery:it is the process of returning to the normal operational state after eradication of the problem.
Lesson Learned: if a new type of incident is encounter, it is documented so that this knowledge can be used to handle such situations in future.
The second step in the process is forensic investigation is carried out to find the evidence of the crime, which is mostly performed by 3rd party companies. The computer forensic investigation involves following steps:
Identify incident and evidence: this is the first step performed by the system administrator where he tries to gather as much information as possible about the incident. Based on this information the scope and severity of the attack is assessed. Once the evidence of the attack is discovered, the backup of the same is taken for the investigation purpose. The forensic investigation is never performed on the original machine but on the data that is restored from the backup.
Collect and preserve evidence: Various tools like Helix, WinHex, FKT Imager, etc. are used to capture the data. Once the backup of the data is obtained, the custody of the evidence and the backup is taken. MD5(message digest) hash of the backup is calculated and matched with the original one to check the integrity of the data. Other important sources of information like system log, network information, logs generated by Intrusion Detection Systems(IDS), port and process information are also captured.
Investigate: The image of the disk is restored from the backup and the investigation is performed by reviewing the logs, system files, deleted and updates files, CPU uses and process logs, temporary files, password protected and encrypted files, images, videos and data files for possible stegnographic message, etc.
Summarize and Presentation: The summery of the incident is presented in chronological order. Based on the investigation, conclusions are drawn and possible cause is explained.
While carrying out the digital forensic investigation, rules and procedure must be applied. Specially while capturing the evidence. It should be ensured that the actions that are taken for capturing the data do not change the evidence. The integrity of the data should be maintained. It must be ensured that the devices used for capturing the backup are free from contamination.
Moreover, all the activities related to seizure, access, storage or transfer of digital evidence must be fully documented, preserved and available for review9. Prevention is always better than cure. It is always recommended to fine tune your intrusion detection system like firewall occasionally perform penetration tests on your network to avoid pray to hacker. Last but not the least, report the crime.