Digital Forensic Model for Digital Forensic Investigation

Question: Discuss about a Report on A New Approach of Digital Forensic Model for Digital Forensic Investigation? Answer: Introduction: The ability to collect data or information for the purpose of the critical analysis is considered as an essential skill in the field of Criminal Justice (Caloyannides Caloyannides, 2004). Such skills are necessary for the purpose of problem solving. The advent of computer science and technology has given rise to a new domain of criminology: the digital or computer crimes. The list of the techniques used to conduct digital crimes is growing with each passing day: needless to say that file do of criminal justice is also adapting itself to the current situation by incorporating various technologies and com putting techniques to combat such crimes (Clarke, 2010). However, it should also be kept in mind the techniques using which such crimes are being conducted are getting more and more sophisticated with time, hence the criminal justice system should incorporate newly developed and innovative techniques so as to keep up with the evolving digital crime techniques. Computer forensics or d igital forensics is one such computer technology that is currently being used in various operational activities that are essential for the purpose of investigating any digital crime (Wiles, 2007). In this paper, various aspects of the field of digital or computer forensics have been discussed so as to evaluate the importance of this technology in the society and in the field of criminal justice. Computer forensics, along with the science of digital forensic, can be defined in a specific way as that field computer studies which helps in the process of collecting and analyzing various information and/ or document from any computer systems or devices and associated storage media units that can be treated as legal evidence in any court of law (Craiger Shenoi, 2007). These computer forensics involved experts involved in any case are accountable for those operational processes that are conducted for the examination of various files, folder and other digital media that are stored on any c omputing device or on additional storage media so as to recover files of information that might be contextual to any legal situation and/ or matter (Wiles Reyes, 2007). Needless to say, computer forensics refers to that domain of computer science which deals with the inspection and analysis of the personal and private digital files of any individual or any organization, given that specific person or organization has been involved in any legal matter (Gogolin, 2013). The domain of computer forensic science is concerned with the data collection and analysis process followed by investigating while probing any digital or computer crime. While considering the investigation procedure, it can be said that this particular discipline of computer science incorporates and implements the widely known technologies and techniques that are used in the process of data discovery and recovery. Along with this features, the discipline of computer forensics also includes various guidelines, practices and methodologies that are useful in creating legal audits (Jones, Bejtlich Rose, 2006). The evidence and information that are gathered by any computer forensics team in the course of the investigation are subjected those very same protocols, guidelines and practices that any other forensic data or report are subjected to. As in the case of other forensic evidence, the information collected from of digital forensic investigation processes cannot be edited or tampered with in any way, and various constitutional guidelines should be followed to preserve them, such that they can be used in any fair legal procedure or trial (Li, 2010). Importance of digital/ computer forensics: The advent of the internet has changed the process in which crime scenes were investigated in the past: the dynamic nature of the internet is reflected in the way criminals plan and conduct crimes, thus making the task of collecting information or evidence using the traditional procedures more and more difficult with each passing day (Volonino Anzaldua, 2008). As, for example, the various websites that are used planning or conducting any crime might be accessible on the internet on one day and might be pulled down on the very next day (Nikkel, 2014). On the other hand, as the access to internet is omnipresent in most developed countries these days, criminals can gain access to the internet from various computer devices at different points in time, each tome from a different location. While traditional investigating procedures would not be able to detect o investigate any crime conducted in this process, digital or computer forensics can be used investigate such incidents (Vacca, 200 5). The Internet Protocol (IP) addresses used to conduct any cyber crime can be easily detected using digital forensics, which in turn gives away the address of the particular computer used to gain access to the internet and the exact time at which the crime was conducted: once the time and place at which the crime was initiated becomes available to the investigators, a little more probing would surely reveal the person of group of persons who had conducted the evil (Marshall, 2008). However, digital forensics can be used to collect data or evidence in a wide range of cases other than that of cyber crimes. It has been noticed that many offenders who are involved in crimes like sexual assault, drug dealing, espionage, extortion, auto theft, murder, kidnapping, economic crimes, criminal hacking and even in terrorism, tend to have stored some such incriminating data on their computing machines that are more than enough to prove their association with such crimes (Solomon, Barrett Broom, 2005). In such cases, the data or evidence collected from their computing devices, as revealed by digital forensic experts, are used as legal evidence in all courts of law (Mohay, 2003). Effect of the digital/ computer forensics on society: Let us consider one of the very first cases that were solved by investigating processes that utilized the help of digital or computer forensics. In 1998, a small town in Vermont, known as the Fair Haven, witnessed a murder in which a piece of pipe bomb was used as a weapon. In this particular case, Chris Marquis, who was a 17 year old teenager at that time, had reportedly announced on a forum on the internet that he would be selling some CB radios on the Internet (Nelson, Phillips Steuart, 2010). However, in reality he was aimed at scamming the buyers since he had no such radio device to sell. A 35years old person named Chris Dean became one of his victims. This person was from Pierceton in Indiana, and Marquis had conned him for some hundred dollars. When Dean realized that he had been scammed, he made several futile attempts to communicate with Marquis and had reportedly sent some threatening emails to him. However, on the 19th of March 1998, a pipe bomb was delivered by the UPS t o Marquis' house: Marquis was killed as the bomb exploded, leaving his mother severely injured (Kessler, 2005). The shipping label used by UPS led the local authorities to Dean, and the FBI found the threatening emails found on his computer. These two pieces of evidence were used as the key evidence using which Deans involvement in Marquis' death was proved and Dean was convicted in a court of law. At present, Chris Dean is serving a life sentence in one of the federal prisons of the country. The impact of digital or computer forensics on the society can also be demonstrated using the case that has been discussed in the following section. In March 2005, a serial killer, widely known as the BTK killer was arrested from Wichita in Kansas, based on the information provided by a single digital document (Kessler, 2005). The killer had been involved in a series of murders for the past 30 years: however, a small mistake conducted was finally utilized by the authorities to end his killing spree. The killer had a habit of sending letters to the local television centre at Wichita so as to inform the general mass about the killing he had made: in one such case the killer had used the information about his exploits to the local television station. The local police got a hold of this email, from which the first name of the author was easily found out. The metadata properties of the mail also revealed the name of the organization to which the devices belonged using which these emails w ere being sent. The emails revealed that the killer was using one of the computing devices of a church, and checking the database of the church provided the investigating team with the information that the killer whom they were looking for was the president of this particular church. A search at the church premises provided many such pieces of evidence to the police: the investigators found out a floppy disk that contained a document in which an agenda for a next council meeting was discussed, along with the letter that was sent to the local television channel via the electronic mail. Until this stage, Dennis Rade was never being considered as a suspect for the murders; however a single of electronic mail was enough to reveal the true characteristics of Pastor Dennis Rade, the president of the church. Thus, it can be said that the importance of digital or computer forensics is the same as that of other procedures that are used to maintain peace and a level of security in the society (Solomon, 2011). Importance of digital/ computer forensics to the field of Information Technology: The advent of technology is being helpful in the process of developing new and innovative technologies that can be used in detecting various cyber crimes, besides collecting information against such crimes and analysing this information so as to find out such evidences which can be accepted as legal evidences in any court of law (Olivier Shenoi, 2006). Extensive researches are being conducted all over the world that aims at developing innovative methods and techniques that can be used to gather and analyze digital evidence in the case of any cyber crime. A wide range of readily existing literary articles has been reviewed while writing this report, some of which have been mentioned in the following section (Pollitt Shenoi, 2006). In the article titled as 1 A New Approach to Digital Forensic Model for Digital Forensic Investigation , the authors have made a detailed discussion on the various digital or computer forensic models that are currently being used in the process of forensic investigations of cyber crimes (Barske, Stander Jordaan, 2010). The proceedings of The Digital Forensic Research Workshops or the DFRWS, that was held in 2001 in Utica in New York b has been provided in this article: in this workshop a newly formed community of people, who belonged to fields of Information Technology and academics, shared the findings of their researchers in the field of digital forensics with a target audience in which civilians were present along with military experts and law enforcement officials (Prosise Mandia, 2003). The article also provides detailed description of some of the widely used digital forensic methodologies, namely The Forensic Process Model which was introduced by the U.S National Institute of Justice, the Abstract Digital Forensic Model which was introduced in 2002, the Integrated Digital Investigation Process Model or the IDIP, the Enhanced Digital Investigation Process, the Extended model of cyber crime investigation and many more (Ray Shenoi, 2008). The application of data mining tools as a prospective approach towards the collection and analysis of data as to find evidence in the case of cyber crimes has been discussed in the second article that has been referenced (Nirkh Dharaskar, 2012). The third article that has been reviewed provides an insight into the various processes that are used in digital or computer forensics (Dawar, Gupta Kishore, 2014). The authors have classified digital forensics into the following types: Device Forensics: This particular domain of digital forensics is associated with the recovery of evidence or information from various devices, like that of computers, digital cameras, mobile phones, etc (Sammons, 2012). Disk Forensics: This particular domain of digital forensics is associated with the recovery of evidence or information from various primary and secondary storage devices like that of Hard Disc, Flash Drive, CD, Floppy drives and so on and so forth. Network Forensics: As the digital world demands the interconnectivity of computer machines for the purpose of sharing of digital contents, most of the evidence or information regarding cyber crimes are present or embedded within the very same network that connects these devices. This particular domain of digital forensics aims at collecting information from networks, to analyze them and to use them as evidence in courts of laws. Such a type of digital forensics is generally used to track or find information about defamation cases, data theft, software piracy, espionage, etc. This particular paper also provides detailed information on such digital forensic model using which the investigating team at first decides on using one or more than one of the computer forensic domains in order to perform an investigation. The fourth paper that has been reviewed provides an insight into the frame using that digital forensic experts collect evidence of various incidents. The definition of forensic investigation has been provided; along with the classification of digital analysis types have been discussed. The authors are of the opinion that digital forensic evidence is of the following kinds (Reith, Carr Gunsch, 2002): 1. Media Analysis: It refers to the collection and analysis of evidence or information stored on any device. This kind of analysis can only be used to collect evidence from media sectors of a fixed size. 2. Management Analysis: The collection of data or evidence using management systems that are used to organize data. It includes data collection from RAID system and might also include the process of volume management. 3. File System Analysis: This method is used to collect information or evidence from file systems that reside inside a disk or partition. The process of extracting the contents of a file and/ or recovering any deleted file includes these particular types of digital forensic analysis. 4. Application Analysis: through this process, the data content of any file can be accessed, collected and analyzed. 5. Network Analysis: The process using which data, information or evidence can be collected from any communication network. Effects of digital/ computer forensics on individuals or organizations: The next literary article that has been reviewed discusses about the digital forensics readiness framework that should be implemented in the small and medium sized enterprises of South Africa. The author at first provide a detailed description of those situations in which an organization can be asked to provide details of the Information technology and communications systems that have been incorporated in its organizational activities. In order to provide the information or data about such systems, it is essential to include certain framework, using which the data from all organizational activities can be collected. The authors have also provided with an outline using which such small and medium sized enterprises could implement such a framework in their organizational systems (Barske, Stander Jordaan, 2010). Legislation: When scenarios occur that can cause the destruction of valuable digital assets, intellectual capital on an organizational system and networks, organization have to deal with the unfavourable situation and embarrassment even some time market value also drops due to the negative image of weak security mechanism. When an organization build a new intrusion detection system and a particular application loaded on a system as an interface to detect the audit log to trace the intrusions. Next to this law enforcement is notified and the intruder is charged for the feloniously altering computer data, illegal use of computer data and causing the computer to malfunction (Balon, Stovall Scaria, 2015). The lawyers for the suspected hackers mount their attack based on the evidence on application generated activity log. It is obvious that each of the evidence need to be correct and admissible to the court. On the other hand the digital evidence must survive the Daubert challenge to by overcoming several hurdles to collect, store and to process and to present the evidence. Computers today provide an enormous amount of data storage to process a large volume of data. There are several disk drives are in use to store and process the data though seizing and freezing them do not take place only by burning single CD-ROM. Sometimes being unable or forget to freeze the files prior to access them may lead the evidences to the invalidate state. In addition to this in todays modern distributed system architecture digital evidences reside in several server and clients deployed in an organization (L. Garfinkel, 2015). Even the problem gets more critical when an IT infrastructure gets connected to the internet and all the digital evidences get spread over the several geographic regions. To secure the digital evidence, it is required- To implement such mechanism upon seizing evidence; action should not change the evidence. On the other hand a person who forensically competent can only be the competent one to handle those digital evidence. An individual is responsible for the entire actions taken with respect digital evidence, if the evidence is in the possession of that particular person. An agency is responsible or can be charged for the seizing, accessing the digital evidences can be charged for compliance with these principles. Seizure of data traffic is considered as spying and it is a smart way to collect information on the other hand the privacy become obsolete. On the other hand the wiretapping helps to gather evidence when social concerns are there or maybe there are numbers problems in the legal system. Collection of electronic evidence with the help of telephone wiretap can be carefully controlled by the legal system following the wiretap Act. The U.S. district court of New Hampshire in Basil had a rule that having access of email stored on a hard drive was not inception as per the wiretap act, at the recipient end (J.Ryan Shpantzer, 2015). On the other hand there are numbers of administrative considerations are there, namely proper training, resource commitment, software licensing. Recommendations: Computer crime is arising due to the misuse of resources by allowing the anomalous behaviour. Although, there is a continuous improvement in the computer operating system, the future of computer system security is not good enough for the further detection and of anomalous behaviour pattern generated from the system user. Detection of intrusion take place using standard logs, audit trails, information gathered from the switches, routers to detect the intrusion into a computer system (Ashcroft, J. Daniels V. Hart, 2015). There are numbers of class based approaches are there, namely, anomaly based IDS that uses a statistical profile of activity to understand whether the occurrence of a particular incident is normal or anomalous. The normal activities are considered as the legitimate and harmless. On the other hand the unauthorized or harmful incidents fall under the anomalous incident type (J.Ryan Shpantzer, 2015). Signature-based IDS tries to match a sequence of observed events with a known or previously learned pattern of events, which can predict attacks of unusual events that can take place. If there is no signature is matching then with the suspicious activities are known as legitimate or harmless. Signature based IDS are not able to identify the previously unknown or new type of attack and beside this, anomaly based ISD cannot separately identify a sequence of attacks or unwanted events. The basic intrusion detection system have been discussed above which is a beginning that is in use by the computer forensics investigator. In addition to this phase of basic intrusion detection, the computer forensics can be considered to conduct further analysis into investigation. There are three main steps are there involved in computer forensics data preservation, recovery, and examination. For these above mentioned steps it is required to have the access of hard drives, system logs, memory, and network traffic seizing, intrusion detection system (Ashcroft, J. Daniels V. Hart, 2015). The major and current problem with the anomaly detection, it is quite complicated to define the normal user behaviour. In this case, rule-based detection, it only detects highly accurate known attack patterns. In a dynamic environment, it is not possible to understand the normal behaviour. Hence, as a recommendation, it is required to introduce such intrusion detection system that is able to observe the behaviour of the processes rather than the user. In future, it will consider as beneficial if the intrusion detection tools are able to deal with encrypted network traffic and detection of evasion technique. On the other hand, the detection system to detect anomalous behaviour can help to alleviate some of the extra work from the Security administration (Balon, Stovall Scaria, 2015). An organization adopts a new intrusion detection system loaded with particular application on system as an interface to detect the audit log to trace the intrusions. Next to this law enforcement is notif ied and the intruder is charged for the feloniously altering computer data, illegal use of computer data and causing the computer to malfunction (Ashcroft, J. Daniels V. Hart, 2015). References: Ademu, Imafidon, Preston,. (2011). A New Approach of Digital Forensic Model for Digital Forensic Investigation. (IJACSA) International Journal Of Advanced Computer Science And Applications,, 2(12). Ashcroft, J., J. Daniels, D., V. Hart, S. (2015). Forensic Examination of Digital Evidence: A Guide for Law Enforcement (1st ed.). Retrieved from https://www.ncjrs.gov/pdffiles1/nij/199408.pdf Balon, N., Stovall, R., Scaria, T. (2015). Computer Intrusion Forensics Research Paper (1st ed.). Retrieved from https://nathanbalon.com/projects/cis544/ForensicsResearchPaper.pdf Barske, Stander, Jordaan,. (2010). A Digital Forensic Readiness Framework for South African SMEs. CONFERENCE PAPER SEPTEMBER 2010. Retrieved from https://www.researchgate.net/publication/224178601 Caloyannides, M., Caloyannides, M. (2004). Privacy protection and computer forensics. Boston: Artech House. Clarke, N. (2010). Computer forensics. Ely: IT Governance Pub. Craiger, P., Shenoi, S. (2007). Advances in digital forensics III. New York, NY: Springer. Dawar, Gupta, Kishore,. (2014). An Insight View of Digital Forensics. International Journal On Computational Sciences Applications (IJCSA), 4(6). Fbijobs.gov,. (2015). FBI - Cyber Team. Retrieved 1 August 2015, from https://www.fbijobs.gov/cybercareers/index.html Gogolin, G. (2013). Digital forensics explained. Boca Raton, FL: CRC Press. J. Ryan, D., Shpantzer, G. (2015). Legal Aspects of Digital Forensics (1st ed.). Retrieved from https://euro.ecom.cmu.edu/program/law/08-732/Evidence/RyanShpantzer.pdf Jones, K., Bejtlich, R., Rose, C. (2006). Real digital forensics. Upper Saddle River, NJ: Addison-Wesley. Kessler,. (2005). The Role of Computer Forensics in Law Enforcement. Journal Of Digital Forensic Practice. L. Garfinkel, S. (2015). Digital forensics research: The next 10 years (1st ed.). Retrieved from https://dfrws.org/2010/proceedings/2010-308.pdf Li, C. (2010). Handbook of research on computational forensics, digital crime, and investigation. Hershey, PA: Information Science Reference. Marshall, A. (2008). Digital forensics. Chichester, UK: Wiley-Blackwell. Mohay, G. (2003). Computer and intrusion forensics. Boston: Artech House. Nelson, B., Phillips, A., Steuart, C. (2010). Guide to computer forensics and investigations. Boston, MA: Course Technology Cengage Learning. Nikkel,. (2014). Fostering Incident Response and Digital Forensics Research. International Journal Of Digital Evidence. Nirkh, Dharaskar,. (2012). DATA MINING : A PROSPECTIVE APPROACH FOR DIGITAL FORENSICS. International Journal Of Data Mining Knowledge Management Process (IJDKP), 2(6). Olivier, M., Shenoi, S. (2006). Advances in digital forensics II. New York: Springer. Pollitt, M., Shenoi, S. (2006). Advances in digital forensics. New York: Springer. Prosise, C., Mandia, K. (2003). Incident response computer forensics. New York: McGraw-Hill/Osborne. Ray, I., Shenoi, S. (2008). Advances in Digital Forensics IV. [S.l.]: International Federation for Information Processing. Reith, Carr, Gunsch,. (2002). An Examination of Digital Forensic Models. International Journal Of Digital Evidence, 1(3). Sammons, J. (2012). The basics of digital forensics. Waltham, MA: Syngress. Solomon, M. (2011). Computer forensics jumpstart. Indianopolis, Ind.: Wiley Pub. Solomon, M., Barrett, D., Broom, N. (2005). Computer forensics jumpstart. San Francisco, Calif.: SYBEX. Vacca, J. (2005). Computer forensics. Hingham, Mass.: Charles River Media. Volonino, L., Anzaldua, R. (2008). Computer forensics for dummies. Hoboken, N.J.: Wiley. Wiles, J. (2007). Techno security's guide to e-discovery and digital forensics. Burlington, MA: Syngress Pub. Wiles, J., Reyes, A. (2007). The best damn cybercrime and digital forensics book period. Rockland, Mass.: Syngress.