Digital Forensic Investigation in Organisations

In today’s technical world there is an increasing need for evidence in organizations. Good digital evidence is becoming a business enabler. Very few organizations have the structures in area to enable them to conduct cost effective, low-impact and efficient digital investigations. When a digital incident occurs there are generally three courses of actions that are taken, generally dependant on the type of organisation within which the incident occurs, or which is responding the event. Digital Investigation is a medium to organizations which are use to provide good and trustworthy evidence and processes. Traditional investigative models follow the general process of: identify the incident, secure the evidence, analyse the evidence, generate a report on the findings and present the outcome. In the case of an organization infrastructure the primary goal becomes one of risk identification and elimination, followed by recovery and possible offensive measures.

The digital revolution has created the need of new laws, digital forensic investigators, forensic methods, forensic tools and techniques to enable the digital evidence presentable in court of law. Digital forensics and cyber crime investigation is bases on the current legal system and supporting laws available. The infrastructure to investigate cyber and electronic crimes is based on the prevailing cyber and electronic laws. So it is very difficult to adopt specific forensic models to carry out forensics and prepare court admissible reports. Many digital forensics practitioners simply follow technical procedures and forget about the actual purpose and core concept of digital forensic investigation.

Literature Review:

In IT Security field, there are a lot of technological aspects, as access control, biometrics, encryption, network security, security algorithm, etc. Each of them has its specific methodology and school of thoughts, but they all rely on one set of fundamental principles. That is, the core IT Security fundamentals – Confidentiality, Integrity and Availability. AS the growth of number of security incidents and the sophistication of intrusion techniques, it is highly important for business organisations to safeguard, detect and protect from various computer attacks. Among the various security measures employed by organisations, Digital Investigation is able to catch the attention of various organisations for preventing, detecting and responding to various computer security incidents. Every organisation which is making use of Digital Investigation need to have a framework and set of tools for carrying out investigations as well as protecting from security incidents. It is necessary for organisations to recover as early as possible so that they minimise the costs to the organisation which occur during the downtime. So, typically Digital Investigation is used as a way for responding and safeguarding security incidents. So, typically this research focuses on Digital Investigation and its practices in Business organisations.

Traditional investigative models are linear in nature and require the affected systems to be taken offline during the investigation; subsequently the organisation can potentially loose revenue. The system is typically taken offline until the investigation is complete. A digital investigation can take several months to complete, particularly in a law enforcement context. This research mainly focuses on how Digital investigation is practised across the business organisations. The research aims to find out the kind of framework that is required or employed for Digital Investigation across business organisations, which is achieved through studying one or two organisations and understanding how they practice digital investigation and what kind of framework is required. Further, the challenging aspects that business organisations face with respect to the Digital Investigation are studied. And finally, the open source tools that are available to carry out the digital investigation is further explored.

Computer forensics has appeared as a merger of the disciplines of computer science and the laws which is was as “the utilize of methodically imitative and verified methodology towards the protection, compilation, justification, recognition, investigation, explanation, certification, and production of the digital facts that are imitative from digital basis for the principle of facilitation or auxiliary renovation of the events established to be illegal, or ration to expect the unlawful performance exposed to be disruptive to intended operations”(1). This definition covers the broad aspects of digital forensics from data acquisition to legal actions, while the term digital sources in the definition refers to any resource that can be used in modern communication systems including computer systems, networks, communication streams (wireless) and storage media. An investigator should possess sufficient skills and have enough knowledge about the legal framework or the Internal security policies. Unless evidences are collected using procedures that will be court admissible, the term forensic is not used and the response process is simply denoted digital investigation instead of digital forensic investigation.

During investigation, an investigator is challenged to prove the malice of intruder actions, which can be described in terms of properties over system states that intruders want to masquerade or to make their computation more difficult to perform. Moreover, an investigator represents a third party regarding intruders and has only limited observation of their executed attacks. An IDS alerts file, for instance, only gives an idea on the set of remotely executed commands and does not show how the system behaved with the attack. Before we describe the investigation process, we need to define the basic and fundamental concepts. There are few agreed upon definitions in the area of digital forensic research, so we will clearly state the definitions we are using, even the most basic ones. Digital data are data represented in a numerical form. With modern computers, it is common for the data to be internally represented in a binary encoding, but this is not a requirement. A digital object is a discrete collection of digital data, such as a file, a hard disk sector, a network packet, a memory page, or a process.

In addition to its numerical representation, digital data has a physical representation. For example, the bits in a hard disk are magnetic impulses on platters that can be read with analog sensors. Network wires contain electric signals that represent network packets and keyboard cables contain electric signals that represent which keys were pressed. A computer converts the electric signals to a digital representation. Digital photography and video are a digital representation of the light associated with physical objects. Digital data can be stored on many mediums and each has different properties that determine how long the data will reside. For example, data will reside on a keyboard cable for a fraction of a second, but it may reside on a hard disk for a hard disk for years. After the occurrence of security incident, an investigator starts collecting the set of left evidence on the system. We classify the latter in three forms: history-based, actions-based, and predicate based evidences. We suppose within this work that all these collected evidence are trusted, meaning that the intruder has the ability to notice altered evidences before collecting them for analysis.

Some environments have developed policies and laws that forbid certain events from occurring. An incident is an event or sequence of events that violate a policy and more specifically, a crime is an event or sequence or events that violate a law. In particular, a digital incident is one or more digital events that violate a policy. In response to an incident or crime, an investigation may begin. An investigation is a process that develops and tests hypotheses to answer questions about events that occurred. Example questions include “what caused the incident to occur”, “when did the incident occur”, and “where did the incident occur”. For the framework, the following definitions of evidence, which are a little more general and do not focus on the cause and effect relationship, are used. Physical evidence of an incident is any physical object that contains reliable information that supports or refutes a hypothesis about the incident and digital evidence of an incident is any digital data that contain reliable information that supports or refutes a hypothesis about the incident. It is understood that an object has information about the incident because it was a cause or effect in an event related to the incident. Note that because digital data has a physical form, then physical evidence can contain digital evidence.

In framework, the collection of the hard disk is the collection of physical evidence and the collection of a digital object from the hard disk is the collection of digital evidence. Also note that the difference between physical and digital evidence is in their format and has nothing to do with the type of incident. Therefore, we can have digital evidence for a physical incident or crime. For example, a digital video camera will create a digital representation of a physical event and the resulting file will be digital evidence of the event. We can also have physical evidence for a digital crime.

The Digital Forensics Research Working Group (DFRW) developed a framework with the following steps: classification, conservation, compilation, inspection, analysis, production, and conclusion [2]. This framework puts in place an important foundation for future work and includes two crucial stages of the investigation. Components of an investigation stage as well as presentation stage are present. Reith proposed a framework which will include number of mechanisms which are not stated in the above frameworks. The full listed components are: identification, preparation, approach, strategy, preservation, collection, examination, analysis, presentation, and returning evidence [3]. This comprehensive process offers a number of advantages, as listed by the authors. For example, a number of the components can be included in other stages of an investigation, as will be shown later. The model proposed by Ciardhuáin is probably the most complete to date. The steps or phases are also called ‘activities’. The model includes the following activities: awareness, authorization, planning and notification, search for and identify evidence, collection transportation, storage, examination, hypothesis, presentation, proof/ defence, and dissemination [4].

Cite This Work

To export a reference to this article please select a referencing stye below:


Leave a Reply