Computer forensics, also called digital forensics, is the practice of collecting, analyzing, and reporting on digital data. Forensics can be used for the detection and prevention of crime and in any dispute where evidence is stored digitally. Computer forensics is part of CompTIA Security+ Certification and represents a vital procedure for IT incident handling teams since it allows to analyze security incidents through a scientific approach. This article focuses on the basic concepts in computer forensics.
Origin of Forensics
Forensics is the process of using scientific knowledge to collect, analyze, and present evidence to the courts. The origin of the word forensics means “to bring to court.” Forensics deals primarily with the recovery and analysis of evidence. Evidence can take many forms. Evidence can be fingerprints left on a window to DNA evidence recovered from blood stains to the files left on a hard drive.
According to the US-CERT, “Computer forensics is the discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law.”
In the digital world, organizations have used computer forensics to their benefit in several contexts, such as intellectual property theft, industrial espionage, fraud investigations, and forgeries.
Computer Forensics Process
In the last few years, several cyber incidents have increased in number and severity. When a cyber incident occurs, the incident response team responds with a set of predetermined actions. This team has responsibilities in monitoring, incident handling and reporting when a security breach is identified, or an attack has been detected — and the forensics process initiates here when the bells ring.
Applying computer forensics permits in-depth analyses of the evidence gathered by incident response team to aid in the recovery and investigation of material on digital media (such as malware) and networks. Typically, forensic analysis occurs in an advanced phase of the operation of incident response teams. It is part of long-term analysis called Post Incident Analysis.
Figure 1: Main steps of a security incident carried out by an Incident Response Team .
Computer forensics is focused on a full understanding and thorough resolution of a digital incident and represents the tip of the pyramid presented in Figure 1 which represents the life cycle of a security incident.
Within the Post Incident Analysis phase, there is a near-standard forensic process, which is described in Figure 2 below.
Figure 2: General workflow of a computer forensics process.
1. Data Collection
As with gathering of evidence in physical investigations, the technician must exercise care when collecting digital forensic data to ensure that the data being collected for analysis is as pure and undisturbed as possible. This is the process of gathering data before it can be analyzed forensically and usually begins with the taking of a “bit-level” image of the hard drive or storage media of the system.
Get search authority
Companies have the right to monitor their networks and infrastructures, as long as they respect the privacy rights of their employees. They are also free to analyze malware or other digital artifacts as long as this does not interfere with the privacy of the citizens or the victim. All these contracts must be legally defined and written. In a legal investigation, legal authority is required to conduct a search or seizure of data.
Start a chain-of-custody document
Chain-of-custody (CoC), in legal contexts, is the chronological documentation that records the sequence of custody, control, transfer, analysis, and disposition of physical or digital evidence.
Tracking the movement and handling of evidence to maintain integrity is essential for this process. It’s also essential to document other attributes of the evidence and the last person that handle it, as well as when was it collected, what state was it in, who collected it, who was the last to have possession, where was it collected and how it was handled.
Duplicate evidence and validate it using hash function
After digital evidence is found, it should be carefully duplicated and then hashed to validate the integrity of the clone.
Forensic tools such as MD5, SHA-1, and SHA256 should be used to ensure the reliability and correctness whenever possible. These functions apply a mathematical algorithm that returns a fixed-size string hash value. Any change to the data will change the hash value and invalidate the copy of the evidence.
In this field, another term should be mentioned: Anti-Computer Forensics. This is a set of techniques used by crooks to increasingly difficult the forensic analysis .
2. Examination and Analysis
After the forensics expert creates a duplicate image of the evidence and the integrity validated, analysis can start on the evidence copy. To start this process, the forensic analyst uses specific tools to uncover deleted or hidden malicious files, or modifications in the compromised device. Here, the forensics analyst also executes a set of techniques to examine the evidence that can have several origins and generate different findings, such as email, chat logs, images, hacking software, documents, and Internet history.
Select forensic tools
There are different types of tools and techniques for forensic analysis. Nmap, fiddler, Volatility, ExifTool, SAFT, Dumpzilla, Process Monitor, and Regshot are a group de tools that can be used in evidence analysis .
Analyze evidence using investigative and analytical techniques
Some of the techniques used are event correlation, cryptanalysis and steganalysis, sandboxing, network sniffing, data mining, evidence visualization, data and password recovery, string and keyword searching, and header analysis.
Repeat and reproduce forensic analysis procedures and conclusions
The procedures and conclusions of forensic analysis should be reproducible by the same or other forensic analysts to compare findings and final results.
In the end, after the analysis is complete, a report of the findings is developed with a detailed description of the steps conducted during the investigation.
Report analytical procedures and conclusions
The report can include information related to the acquisition phase — namely the person who did the examination, when it was done, what software/hardware tools were used, and what version numbers — the original data hash and the acquired data hash, photographs taken.
Present experts’ testimony about findings and conclusions
The forensic analyst will present the findings and conclusions to a court or another audience. In this way, another analyst can identify what was done and determine other actions after the report is reviewed.
Branches of Computer Forensics
Computer forensics investigation is not restricted to retrieve data from a computer. There are other devices involved in this context such as tablets, smartphones, flash drives that are extensively used by cyber attackers. Some of these devices have volatile memory while some have non-volatile memory.
Computer forensics is branched into subtypes, for instance:
- Mobile Devices Forensics
- Networks Forensics
- Forensic Data Analysis
- Data Base Forensics
Issues of Computer Forensics
The issues computer forensics analysts face can be grouped into three categories: (i) technical, (i) legal, and (iii), administrative.
Encryption: Encrypted data difficult the process of analyzing malicious activity.
Increasing storage space: Computers used need to have sufficient processing power and available storage capacity to deal with searching and analyzing large amounts of data efficiently.
New technologies: Computing field is evolving, with new hardware, software and operating systems emerging today. No single computer forensic analyst can be an expert in all areas.
Anti-forensics: Anti-forensics is the practice of difficult and block computer forensic analysis.
When a forensic analyst analyzes a Trojan keylogger, he can find sensitive and personal information about the victim. It is probably that sensitive information should be obtained. The analysts should be careful how it exposes the findings in the analysis report. This can distract the forensic analyst and divert it from the findings.
There is a group of standards and guidelines in computer forensics, which should be universally accepted.
References https://www.us-cert.gov/sites/default/files/publications/forensics.pdf  https://pt.slideshare.net/paceitonline/paceit-basic-forensic-concepts  http://resources.infosecinstitute.com/category/computerforensics/introduction/areas-of-studycomputer-forensics-investigations/incident-response-and-forensics  https://www.forensicmag.com/article/2007/01/commentary-defining-digital-forensics  https://en.wikipedia.org/wiki/Digital_forensics  https://blog.finjan.com/the-importance-of-digital-forensics  https://en.wikipedia.org/wiki/Anti-computer_forensics  http://resources.infosecinstitute.com/category/computerforensics/introduction/free-open-source-tools/more-free-open-source-computer-forensics-tools
The article was initially published by Pedro Tavares on https://resources.infosecinstitute.com/domain-risk-management/.
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker/Pentester, Malware Researcher and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the security computer blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also Freelance Writer (Infosec. Resources Institute and Cyber Defense Magazine) and developer of the 0xSI_f33d – a feed that compiles phishing and malware campaigns targeting Portuguese citizens.
Read more here.