Executive Summary
The rapid evolution of electronic devices such as computers and mobile phones has led to increased criminal activity. Because of the growing complexity of these devices, it has become very difficult to secure them sufficiently and appropriately. The digital forensic investigation method evolved in response and provides a procedure for investigating computer crimes. The digital forensic investigation process involves the collection, preservation, analysis and presentation of digital evidence. Common Goal Health Insurance (CGHI), an international health insurance company, has, owing to insufficient security efforts, suffered a criminal attack in which personal health information was deleted and changes were made to the applications used by a manager and his team members. The Systematic Digital Forensic Investigation model sets out a series of stages for collecting, preserving, analyzing and presenting the digital evidence. The Live Data Forensic System (LDFS) is an effective tool for collecting the evidence, and with an appropriate acquisition and analysis approach the investigation can be carried out effectively.
Introduction
Need for Digital Forensic Methodology
Resources required to conduct Digital Forensic Investigation
Approach for Data/Evidence Identification and Acquisition
Steps in the Analysis Phase
Conclusion
References
Introduction
Today, data and information are stored in digital form, which enables an organization to store huge volumes of data that are easily accessible, can be modified and can be added to. But with the increasing use of networking technologies there is an increase in criminal activity, and attackers steal, manipulate or corrupt digital data to such an extent that it has a severe impact on the business. This report discusses a criminal activity that took place at Common Goal Health Insurance (CGHI), an international health insurance company. The attacker deleted customers' personal health information and made changes to some applications, raising serious security concerns in the company. The report discusses the application of digital forensics to investigating the criminal activity and also discusses the various functions within the investigation.
Need for Digital Forensic Methodology
With the increasing use of computers and the internet in organizations as well as in personal life, computer crimes have increased and severely impact organizational activities. Due to rapid advances in technology, criminals apply more and more sophisticated technology to avoid detection and carry out crimes with greater deception. Computer crimes involve different types of offences such as copyright infringement, hacking, fraud and spreading viruses (Richard III et al., 2007). According to Icove et al. (1995) the crimes can be classified as:
• Personnel security breaches
• Physical security breaches
• Operations security breaches
• Communication and data security breaches
Digital forensics is a branch of forensic science that refers to the recovery and investigation of digital devices and is related only to computer crimes (Beckett & Slay, 2011). The technical aspect of the investigation is subdivided into computer forensics, network forensics and mobile device forensics (Lim et al., 2012). Computer forensics refers to the investigation of incidents where there is electronic or computer-based evidence of a crime (Casey, 2011). The crime might be of any type that involves computers, or it can be a crime where data has been stolen. Such an act is investigated by a process which involves:
• Preservation
• Identification
• Extraction
• Documentation
• Interpretation
Network forensics involves the investigation and recovery of information from computer networks which are suspected to have been compromised or hacked by an unauthorized person. Network forensics uses event log analysis and timelining to detect when the event occurred, what has been accessed, from which IP address the attack was initiated and which tools were used (Turner, 2007). In such an investigation the network is used for gathering passive information. Data recovery is another part of digital forensics, which involves salvaging data from damaged or corrupted secondary storage media that cannot be easily accessed by an ordinary user (Casey, 2005).
Digital forensics takes a holistic approach compared with network forensics and data recovery, and carries out the investigation in three stages: acquisition or imaging of exhibits, analysis, and reporting (Sammons, 2012). Digital forensics focuses mainly on recovering all the objective evidence of a criminal activity, since it enables the collection of a range of information from the different digital devices, which might help to gather more details about the criminal activity (Lim et al., 2012). In network forensics the data and information are mostly collected from the devices in the network, while data recovery allows the organization to recover data from secondary storage, which provides little scope for finding the source of the criminal activity (Dezfoli et al., 2013).
The Systematic Digital Forensic Investigation model helps analysts take a holistic approach to investigating the source of the criminal activity, its timeline as per the country's digital forensic law, the analysis of its severity, the preservation of lost data and its protection from further damage (Casey, 2011). The use of digital forensic investigation at CGHI would help the auditors identify the source of the criminal activity and establish its time and severity. The following phases are followed in this investigation:
1. Preparation
This phase refers to preparation for the actual investigation and involves an initial understanding of the nature of the criminal activity and preparing to accumulate the data required to build the evidence of the criminal activity (Richard III et al., 2007). In this phase the auditors would arrange the access they need, identify the legal constraints and determine the areas in which they need to carry out the investigation.
2. Securing the scene
This stage involves securing the area where the criminal activity was carried out or has been identified and restricting it to the people involved in the investigation, which helps preserve the evidence from being tampered with (Lim et al., 2012). The auditors would allow only a few employees to access the areas: the manager who identified the changes in the system and the other employees whose computers have also been compromised.
3. Survey and Recognition
This phase involves an initial survey to evaluate the criminal activity and identify its potential sources, which would form the evidence for the entire investigation (Beckett & Slay, 2011). This phase considers all the accessories and devices used with the computer where the criminal activity occurred. It also involves interviewing the people who use the devices on which the criminal activity occurred (Sommer, 2012). The auditors would survey all the devices used with the computers where the changes in the system were spotted (Richard III et al., 2007). All the employees having access to and using those computers would also be interviewed, and the systems would be checked for any unauthorized access by employees or any manipulations done in recent sessions. This will enable the auditors to recognize any unusual activity and collect evidence from the existing data, which can be used for further investigation.
4. Documenting the Scene
In this stage the entire scene where the criminal activity was done or found is documented through photographs and by recording the devices connected, the layout of all the devices, etc. (Lim et al., 2012). A record of all visible data is made, and the users of the systems before the crime was detected are logged. The auditors will make a record of all the systems where changes have been detected; they will also document the activities which the users of the affected computers normally carry out and the devices they normally use.
5. Communication Shielding
This phase involves blocking all the communication options of the affected computer systems and devices and is done before collecting the evidence. All connections to external devices are removed and the system is not allowed to carry out any function or access any records from any other device (Beckett & Slay, 2011). The auditors would cut off access to the computers from which the data was deleted and on which the system changes were identified; these computers will be isolated from all the devices connected to them, which will enable the auditors to ensure there are no further manipulations done through remote access.
6. Evidence Collection
This phase involves the collection of evidence from the digital devices, which is crucial to the investigation of the criminal activity. The evidence can be volatile or non-volatile. Volatile evidence refers to data on ROM or from any application which is already running on the system, and it might be lost if the system battery runs out (Agarwal et al., 2011). Non-volatile evidence is that which is available on external storage devices such as USB memory sticks (Beckett & Slay, 2011). The auditors would collect evidence from all the storage devices used by the employees on the affected computers as well as from the computers themselves, which would enable them to identify which data has been manipulated, to what extent and when.
7. Preservation
This stage involves preserving the collected evidence by packing, storing and transporting it to the place where it will be investigated (Altheide & Carvey, 2011). In this stage it is ensured that the evidence is not tampered with, is taken safely to the place where it will be investigated, and is protected from electromagnetic radiation to avoid any damage to the data on the storage devices (Lim et al., 2012). The auditors will carry out part of the investigation on site and part of it in their office; the devices would be stored securely in a place where they are not affected by any external device or radiation, and a proper procedure for storing and handling them will be followed.
8. Examination
This stage involves examining the contents of all the collected evidence by extracting the required information from all the devices associated with the computer where the criminal activity occurred. It involves filtering, validating and matching all the possible data which supports the investigation of the incident, and recovering as much data as possible (Dezfoli et al., 2013). The auditors will carry out a thorough examination of all the data collected from the computers from which data was deleted as well as from the computers where changes had been made to the application (Beckett & Slay, 2011). The examination will provide the forensic investigators with evidence of the changes made to the application, and of the time and extent of the changes.
9. Analysis
This stage involves analyzing the collected data and identifying its significance or use. It also involves reconstructing the data collected from the incident and determining the chain of possible events and the time of occurrence of the criminal activity (Sammons, 2012). In this stage the auditors would be able to identify the important data and use it to trace the events which might have occurred during the entire activity.
10. Presentation
In this stage the analysis based on the various data collected is presented to the target audience, which includes the technical experts of the organization, officers from the legal department and the management of the organization (Dezfoli et al., 2013). It will include the methodology, data and techniques used by the forensic analysts to arrive at the stated conclusion. In this stage the auditors would be able to give the management and the legal experts the details of how the entire criminal activity occurred, which will enable them to take the necessary actions.
11. Result and Review
The last stage involves reviewing the entire investigation and analyzing whether any further improvements are required in the investigation and whether any further investigations need to be carried out (Sammons, 2012). The auditors would review whether all the concerned people and devices were analyzed to identify the source of the criminal activity, and if required further investigation will be carried out to avoid such incidents in future.
Resources required to conduct Digital Forensic Investigation
Evidence gathering is one of the most important functions of the digital forensic investigation, since the analysis and identification of the source of the criminal activity are obtained from the evidence gathered. The resource which would be used for evidence gathering is the Live Data Forensic System (LDFS), which includes the LDFS collection tool and the LDFS analysis tool (Lim et al., 2012). This tool will enable the auditors to collect most of the evidence from the site in a short period of time. The tool would enable the auditor to analyze and correlate the data gathered as evidence and to collect the data according to its order of volatility (Lim et al., 2012). The team which will conduct the investigation will include members holding the Certified Forensic Investigation Practitioner (CFIP) and Certified Information Systems Security Professional (CISSP) certifications and having knowledge of working on different operating systems (Sammons, 2012). These certified members would be capable of carrying out a proactive investigation of the incident and conducting a survey with the key stakeholders in the incident. The team will also be capable of collecting, analyzing and preserving data and of recovering the deleted data.
Approach for Data/Evidence Identification and Acquisition
Evidence identification and acquisition involves preserving all the possible data from the scene and the systems by using effective evidence gathering techniques. The acquisition should be carried out by photographing the scene where the criminal activity occurred and then making an inventory of the evidence to be gathered (Dezfoli et al., 2013). The first step in acquiring the evidence is to create a mirror copy of the hard disk in a safe location. The computer should then be switched off and disconnected from all external devices. A hash value or CRC of all the contents should be computed, which will enable the investigators to prove the authenticity and accuracy of the evidence acquired. The evidence acquisition tool which will be used is EnCase, a forensic product of Guidance Software Inc., since it enables the investigators to acquire data from a range of devices, provides comprehensive reports of the findings and maintains the integrity of the evidence (Sammons, 2012). It enables the acquisition of different types of evidence including audio, video, documents, etc.
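The hash-or-CRC step above, worked through as an added example (this is not code from the report, from LDFS or from EnCase): the script hashes an acquired image in chunks, records SHA-256, CRC32 and size in a manifest, and later re-verifies the image against that manifest so that a single altered byte is detected. The exhibit labels, examiner name and image contents are constructed for the example.

```python
"""Evidence integrity manifest for acquired disk images (added example).

After a mirror copy of a disk is taken, a hash value (and optionally a CRC) of the
contents is recorded so that the copy can later be shown to be identical to what was
acquired.  Hashing is done in fixed-size chunks so that multi-gigabyte images do not
have to fit in memory.  The images below are constructed bytes, not real acquisitions.
"""
import hashlib
import io
import json
import zlib
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # 1 MiB read size, chosen arbitrarily for this example


def hash_stream(stream, chunk_size=CHUNK_SIZE):
    """Return (sha256_hex, crc32_hex, byte_count) for a readable binary stream."""
    sha = hashlib.sha256()
    crc = 0
    size = 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        sha.update(chunk)
        crc = zlib.crc32(chunk, crc)  # running CRC across chunks
        size += len(chunk)
    return sha.hexdigest(), "%08x" % (crc & 0xFFFFFFFF), size


def hash_bytes(data):
    """Convenience wrapper: hash an in-memory image the same way as a file stream."""
    return hash_stream(io.BytesIO(data))


def build_manifest(evidence, examiner):
    """evidence: mapping of exhibit label -> image bytes.

    Returns a manifest recording, per exhibit, its size and hashes, plus who
    computed them and when (chain-of-custody metadata)."""
    entries = {}
    for label, content in evidence.items():
        sha256, crc32, size = hash_bytes(content)
        entries[label] = {"size": size, "sha256": sha256, "crc32": crc32}
    return {
        "examiner": examiner,
        "computed_at": datetime.now(timezone.utc).isoformat(),
        "exhibits": entries,
    }


def verify_manifest(manifest, evidence):
    """Re-hash each exhibit and return {label: problem} for anything that no longer
    matches (missing exhibit, size change, hash mismatch, or unlisted exhibit).
    An empty dict means every exhibit is intact."""
    problems = {}
    for label, expected in manifest["exhibits"].items():
        if label not in evidence:
            problems[label] = "exhibit missing"
            continue
        sha256, crc32, size = hash_bytes(evidence[label])
        if size != expected["size"]:
            problems[label] = "size changed (%d -> %d)" % (expected["size"], size)
        elif sha256 != expected["sha256"]:
            problems[label] = "sha256 mismatch"
        elif crc32 != expected["crc32"]:
            problems[label] = "crc32 mismatch"
    for label in evidence:
        if label not in manifest["exhibits"]:
            problems[label] = "not in manifest"
    return problems


# Constructed sample exhibits standing in for the mirror copy of an affected
# computer's hard disk and a USB memory stick image (hypothetical labels).
SAMPLE_EVIDENCE = {
    "CGHI-EX01-hdd.img": bytes(range(256)) * 4096,   # 1 MiB repeating pattern
    "CGHI-EX02-usb.img": b"customer-record-" * 2048,  # 32 KiB repeating pattern
}


def demo():
    """Build a manifest, verify the untouched images, then flip one byte in the
    hard-disk image and verify again.  Returns (clean_problems, tampered_problems)."""
    manifest = build_manifest(SAMPLE_EVIDENCE, examiner="examiner-placeholder")
    clean = verify_manifest(manifest, SAMPLE_EVIDENCE)

    tampered = dict(SAMPLE_EVIDENCE)
    img = bytearray(tampered["CGHI-EX01-hdd.img"])
    img[4096] ^= 0x01  # simulate a single modified byte after acquisition
    tampered["CGHI-EX01-hdd.img"] = bytes(img)
    return clean, verify_manifest(manifest, tampered)


if __name__ == "__main__":
    clean, tampered = demo()
    print(json.dumps(build_manifest(SAMPLE_EVIDENCE, "examiner-placeholder"), indent=2))
    print("untouched images:", clean or "all exhibits verified")
    print("after one flipped byte:", tampered)
```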
Steps in the Analysis Phase
Analysis of System Information
The first and foremost evidence would be gathered from the system affected by the criminal activity. Under this analysis all kinds of setting elements should be analyzed which need to be revised to avoid any malicious program running on the system (Agarwal et al., 2011). When the system is booted, a list of processes registered in the registry is run automatically; this list might have been blocked by the attacker so that any malicious program running in the background cannot be identified. This can be overcome by using the Autorun program, which highlights all the programs configured to run on the system (Sammons, 2012). It also makes it possible to gather the various types of data stored in the system.
Analysis of network information
The next step in the forensic analysis would involve analyzing the network connection information of the system. In this analysis the investigator can determine whether the attacker communicated with the system by opening a network port on it, and can also find out whether the computer has been compromised (Beckett & Slay, 2011). In this stage the investigators would be able to collect evidence of the attacker and of the techniques used to affect the computer. The analysis will also enable the investigator to determine which part of the data the attacker has been accessing and manipulating.
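The event log analysis and timelining that network forensics relies on (when an event occurred, what was accessed, from which IP address), applied to the network-information step above, as an added example that is not code from the report or from LDFS: two constructed log sources with different timestamp formats are merged into one UTC timeline, activity is summarized per address, and each modifying application event is matched to the inbound connection from the same address that preceded it. All addresses, user names, object names and the assumption that the application log is written in UTC are constructed for the example.

```python
"""Event-log timelining for the network-information analysis step (added example).

Two constructed sources are merged into one UTC timeline: a perimeter connection
log (ISO-8601 timestamps carrying a +05:30 offset) and an application audit log
(dd/mm/yyyy clock time, assumed here to be UTC because the line carries no offset).
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed connection log: timestamp, verdict, then key=value fields.
CONNECTION_LOG = """\
2024-03-04T09:58:12+05:30 ACCEPT src=203.0.113.45 dst=10.20.0.8 dport=3389
2024-03-04T10:01:40+05:30 ACCEPT src=10.20.0.15 dst=10.20.0.8 dport=445
2024-03-04T10:07:02+05:30 ACCEPT src=203.0.113.45 dst=10.20.0.8 dport=3389
"""

# Constructed application audit log (assumed UTC): date, time, key=value fields.
APP_LOG = """\
04/03/2024 04:33:10 user=mgr_jdoe action=DELETE object=policy_records rows=1200 client=203.0.113.45
04/03/2024 04:35:50 user=mgr_jdoe action=UPDATE object=claims_app_config client=203.0.113.45
04/03/2024 04:40:01 user=analyst2 action=READ object=policy_records rows=3 client=10.20.0.15
"""

MODIFYING_ACTIONS = {"DELETE", "UPDATE"}


@dataclass(order=True)
class Event:
    time: datetime                      # always timezone-aware UTC; the only sort key
    source: str = field(compare=False)  # "connection" or "app"
    ip: str = field(compare=False)      # remote address the event is attributed to
    action: str = field(compare=False)
    detail: dict = field(compare=False, default_factory=dict)


def _kv(tokens):
    """Turn ['a=1', 'b=2'] into {'a': '1', 'b': '2'}; tokens without '=' are ignored."""
    return dict(t.split("=", 1) for t in tokens if "=" in t)


def parse_connection_line(line):
    ts, verdict, *rest = line.split()
    fields = _kv(rest)
    when = datetime.fromisoformat(ts).astimezone(timezone.utc)  # normalize offset to UTC
    return Event(when, "connection", fields["src"], verdict, fields)


def parse_app_line(line):
    date, clock, *rest = line.split()
    fields = _kv(rest)
    when = datetime.strptime(date + " " + clock, "%d/%m/%Y %H:%M:%S")
    return Event(when.replace(tzinfo=timezone.utc), "app", fields["client"], fields["action"], fields)


def build_timeline(conn_text=CONNECTION_LOG, app_text=APP_LOG):
    """Parse both sources and return every event ordered by UTC time."""
    events = [parse_connection_line(l) for l in conn_text.splitlines() if l.strip()]
    events += [parse_app_line(l) for l in app_text.splitlines() if l.strip()]
    return sorted(events)


def activity_by_ip(timeline):
    """Per IP: first and last time seen plus the sequence of (source, action, target),
    answering 'from which address, and what was accessed'."""
    summary = {}
    for ev in timeline:
        entry = summary.setdefault(ev.ip, {"first": ev.time, "last": ev.time, "actions": []})
        entry["first"] = min(entry["first"], ev.time)
        entry["last"] = max(entry["last"], ev.time)
        target = ev.detail.get("object", ev.detail.get("dport", ""))
        entry["actions"].append((ev.source, ev.action, target))
    return summary


def correlate_changes(timeline, window=timedelta(minutes=15)):
    """For each modifying application event, find the latest inbound connection from
    the same IP within `window` before it.  Returns [(change_event, connection_or_None)]."""
    pairs = []
    for i, ev in enumerate(timeline):
        if ev.source != "app" or ev.action not in MODIFYING_ACTIONS:
            continue
        match = None
        for prior in reversed(timeline[:i]):
            if prior.source == "connection" and prior.ip == ev.ip and ev.time - prior.time <= window:
                match = prior
                break
        pairs.append((ev, match))
    return pairs


if __name__ == "__main__":
    tl = build_timeline()
    for ev in tl:
        print(ev.time.isoformat(), ev.source, ev.ip, ev.action, ev.detail.get("object", ""))
    for change, conn in correlate_changes(tl):
        print(change.action, change.detail.get("object"), "from", change.ip,
              "preceded by connection at", conn.time.isoformat() if conn else "none")
```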
Analysis of the external devices
The forensic analysis involves analyzing the external devices which contain data and might have been used to transfer to the system the malicious program that deleted the customers' data (Beckett & Slay, 2011). Evidence of the programs on the external devices can be collected through this analysis.
Conclusion
Digital forensic investigation provides a holistic approach to investigating a criminal activity carried out on digital devices. Using the systematic digital forensic investigation, auditors can effectively collect all the evidence in a secure manner, preserve it and use it to establish the reason behind the criminal activity, its source and its severity. The Live Data Forensic System (LDFS) is an effective tool for gathering evidence since it correlates the collected data. Evidence acquisition is one of the important functions and is carried out by first acquiring data from the system and then from all the external devices to which it is connected. The steps involved in forensic analysis are the analysis of the system, of the network and of the external devices, which would enable the investigators to collect the evidence sequentially and accurately. The collected evidence would help in analyzing and identifying the source of the criminal activity at CGHI.
References
Agarwal, A, Gupta, M, Gupta, S & Gupta, S (2011), Systematic Digital Forensic Investigation Model, International Journal of Computer Science and Security, Volume 5, Issue 1, pp. 118-131
Altheide, C & Carvey, H (2011), Digital Forensics with Open Source Tools, Syngress, 1st edition
Beckett, J & Slay, J (2011), Scientific underpinnings and background to standards and accreditation in digital forensics, Digital Investigation 8 (2012), pp. 114-121
Casey, E (2005), Handbook of Digital Forensics and Investigation, Academic Press, 1st edition
Casey, E (2011), Digital Evidence and Computer Crime, Academic Press, 3rd edition
Dezfoli, F, Dehghantanha, A, Mahmoud, R, Binti, N, Sani, M & Daryabar, F (2013), Digital Forensic Trends and Future, International Journal of Cyber-Security and Digital Forensics (IJCSDF) 2(2), pp. 48-76
Lim, K, Savoldi, A, Lee, C & Lee, S (2012), On-the-spot digital investigation by means of LDFS: Live Data Forensic System, Mathematical and Computer Modelling 55 (2012), pp. 223-240
Nelson, B, Phillips, A & Steuart, C (2009), Guide to Computer Forensics and Investigations, Cengage Learning, 4th edition
Richard III, G, Roussev, V & Marziale, L (2007), Forensic discovery auditing of digital evidence containers, Digital Investigation 4 (2007), pp. 88-97
Sammons, J (2012), The Basics of Digital Forensics: The Primer for Getting Started in Digital Forensics, Syngress, 1st edition
Sommer, P (2012), Digital Evidence, Digital Investigation and E-Disclosure: A Guide to Forensic Readiness, IAAC
Turner, P (2007), Applying a forensic approach to incident response, network investigation and system administration using Digital Evidence Bags, Digital Investigation 4 (2007), pp. 30-35
The rapid evolution of electronic devices such as computers and mobile phones has led to
increased criminal activities. It has become very difficult to provide sufficient and appropriate
security to the devices due to increased complexity. The digital forensic investigation method
evolved and provides a procedure to investigate computer crimes. Digital forensic investigation
process involves collection, preservation, analysis and presentation of digital evidence.
Common Goal Health Insurance (CGHI), an international health insurance company and due to
insufficient security efforts has faced a criminal attack wherein the personal health information
has been deleted and there are change in the applications used by the manager and his team
members. The systematic digital forensic investigating model carries out various stages for
collecting, preserving analyzing and presenting the digital evidence. Live Data Forensic System
(LDFS) is an effective tool to collect the evidence and using appropriate acquisition and analysis
approach to collect the evidence the investigation can be effectively carried out.
Introduction 2
Need for Digital Forensic Methodology 3
Resources required to conduct Digital Forensic Investigation 10
Approach for Data/Evidence Identification and Acquisition 11
Steps in the Analysis Phase 11
Conclusion 12
References 14
Introduction
Today, the data and information is stored in the digital format, which enables the organization
to store huge data, which is easily accessible, can be modified and data can be added to it.
But with increase use of networking technologies there is increase in criminal activity and
the attackers steal, manipulate or corrupt the digital data to such an extent that it has a severe
impact on the business. The report discusses about a criminal activity taken place in Common
Goal Health Insurance (CGHI), an international health insurance company. The attacker has
deleted customer’s personal health information as well as made changes in some applications
raising serious security issues in the company. The report discusses the application of digital
forensic in investigating the criminal activity and also discusses the various functions within the
investigation.
Need for Digital Forensic Methodology
With increasing use of computers and internet in the organizations as well as in the personal
life there are increased computer crimes severely impacting the organizational activities. Due to
rapid advancement in technology the criminals apply more sand more sophisticated technology
to avoid detection and carry out the crime with greater deception. Computer crimes involve
different types of offences such as copyright, hacking, fraud and spreading viruses (Richard III et
al., 2007). According to Icove et al. (1995) the crimes can be classified as:
• Personnel security breaches
• Physical security breaches
• Operations security breaches
• Communication and data security breaches
Digital forensic is one of the branch of forensic science, which refers to recovery and
investigation of digital devices and is related only to the computer crimes (Beckett & Slay,
2011). The technical aspect of investigation is subdivided in to computer forensic, network
forensics and mobile device forensics (Lim et al., 2012). The computer forensic refers to the
investigations of the incidents where there is electronic or computer-based evidence of a crime
(Casey, 2011). The crime might be of any type and involve computers or it can be a crime where
data has been stolen. This act is investigated by a process, which involves
• Preservation
• Identification
• Extraction
• Documentation
• Interpretation
Network forensics involves investigation and recovery of information from computer networks,
which is suspected to have been compromised or hacked by an unauthorized person. The
network forensic uses event log analysis and timelining to detect when the event occurred, what
has been accessed, from which IP address the attack has been initiated an which tools were used
(Turner, 2007). In such investigation the network is used for gathering passive information
during the investigation. Data recovery is another part of digital forensic, which involves
salvaging data from damaged or corrupted secondary storage media, which cannot be easily
accessed by a common person (Casey, 2005).
Digital forensics has a holistic approach as compared to network forensic and data recovery and
carries out investigation in three stages, which are acquisition or imaging of exhibits, analysis
and reporting (Sammons, 2012). Digital forensics focuses mainly on recovering all the objective
evidence of a criminal activity since it enables the collection of range of information from the
different digital devices, which might help to gather more details about the criminal activity (Lim
et al., 2012). In network forensics the data and information is mostly collected from the devices,
which are in the network and the data recovery allows the organization to recover data from the
secondary storage, which provides little scope for finding the source of criminal activity (Dezfoli
et al., 2013).
Systematic Digital Forensic Investigation model helps the analysts to have a holistic approach in
investigating the source of the criminal activity, its timeline as per the Country Digital forensic
law, analysis of its severity, preservation of lost data and protecting it from further damage
(Casey, 2011). The use of digital forensic investigation in CGHI would help the auditors to
identify the source of the criminal activity and to identify time and severity of the criminal
activity. Following are the phases followed in this investigation
1. Preparation
This phase refers to preparation for the actual investigation and involves initial understanding of
the nature of the criminal activity and prepare for accumulating the data required for preparing
the evidence for the criminal activity (Richard III et al., 2007). In this phase auditors would
prepare for the access they need, legal constraints and the areas, which they need to carry out the
investigation in.
2. Securing the scene
This stage involves securing the area where the criminal activity was carried out or has been
identified and is restricted to people besides the ones involved in the investigation, which
would help them preserve the evidence from being tampered (Lim et al., 2012). The auditors
would allow only few of the employees to access the areas, which include the manager who
identified the changes in the system and the other employees whose computers have also been
compromised.
3. Survey and Recognition
This phase involves initial survey for evaluating the criminal activity and identifying
the potential sources of the criminal activity, which would be the evidence for the entire
investigation (Beckett & Slay, 2011). This phase considers all the accessories and devices used
by the computer where the criminal activity has occurred. The phase also involves interviewing
the people who use the devices on which criminal activity has occurred (Sommer, 2012). The
auditors would survey all the devices used in the computers where the changes in the system has
been spotted (Richard III et al., 2007). Also, all the employees having an access and using those
computers would be interviewed and the systems would be checked for any unauthorized access
by any employees or any manipulations one in the recent sessions. This will enable the auditors
to recognize any unusual activity and collect various evidences for the exiting data, which can be
used for further investigation.
4. Documenting the Scene
In this stage the entire scene where the criminal activity was done or found is documented
through photographs and by documenting the devices connected the layout of all the devices
etc (Lim et al., 2012). A record of all visible data is carried out and the log of the users of the
systems before the crime was detected is done. The auditors will make a record of all the systems
where the changes in the system has been detected also the auditors will document the activities,
which the users of the computers, which has been affected carry out the devices they normally
use.
5. Communication Shielding
This phase involves blocking all the communication options of the affected computer systems
and devices and is done before collecting the evidences. All the connections to external devices
are removed and the system is not allowed to carry out any function or access any records from
any other device (Beckett & Slay, 2011). The auditors would cease the access of computers from
where the data has been deleted and the system changes have been identified and will be isolated
from all the devices connected to it, which will enable the auditors to ensure there are no further
manipulations done through remote access.
6. Evidence Collection
This phase involves collection of evidence from the digital devices, which are crucial for the
investigation of the criminal activity. The evidences can be volatile and non volatile. Volatile
evidence refers to data on ROM or from any application, which is already running on the system
and it might be lost if the system battery runs out (Agarwal et al., 2011). The non volatile
evidence is the one, which is available on external storage devices such as USB memory sticks
etc (Beckett & Slay, 2011). The auditors would collect the evidence from all the storage devices
used by the employees on the affected computers as well as from their computers, which would
enable them to identify which data has been manipulated and to what extent and when it has
been manipulated.
7. Preservation
This stage involves preserving the evidence collected by packing, storing and transporting them
to the place where it will be investigated (Altheide & Carvey, 2011). In this stage it is ensured
that the evidence is not tampered and is effectively taken to the place where it will investigated
and will be protected from the electromagnetic radiation to avoid any damage to the data in the
storage devices (Lim et al., 2012). The auditors will carry out part of the investigation onsite and
part of it in their office and the devices would be stored effectively in a place, wherein it is not
affected by any external device or radiation and a proper procedure for storing and using it will
be followed.
8. Examination
This stage involves examining of the contents of all the collected evidence by extracting and
the required information from all the devices associated with the computer where the criminal
activity had occurred. This stage involves filtering, validating and matching all the possible data,
which supports in investigating the incident and recovering as much data as possible (Dezfoli
et al., 2013). The auditors will carry out a thorough examination of all the data collected from
the computers from where data was deleted as well as from the computers where changes had
been made to the application (Beckett & Slay, 2011). The examination will provide the forensic
investigators with evidence of the changes made to the application, the time and the extent of
changes.
9. Analysis
This stage involves analyzing the collected data and identifying the significance or use of the
data. It also involves restructuring the data collected from the incident and determining the chain
of possible events and time of occurrence of the criminal activity (Sammons, 2012). The auditors
in this stage would be able to identify the important data and using it to trace the events, which
might have occurred in the entire activity.
10. Presentation
In this stage the analysis done based on the various data collected is presented to the target
audience, which include technical experts of the organization, officers from the legal department
and the management of the organization (Dezfoli et al., 2013). It will include the methodology,
data and techniques used by the forensic analysts to arrive at the stated conclusion. The auditors
in this stage would be able to provide the details on how the entire criminal activity occurred to
the management and the legal experts, which will enable them to take necessary actions.
11. Result and Review
The last stage involves a review of the entire investigation to analyze whether any further
improvements are required in the investigation and whether any further investigations need to be
carried out (Sammons, 2012). The auditors would review whether all the concerned people and devices
were analyzed to identify the source of the criminal activity and, if required, further investigation
will be carried out to avoid such incidents in future.
Resources required to conduct Digital Forensic Investigation
Evidence gathering is one of the most important functions of the digital forensic investigation,
since the analysis and identification of the source of the criminal activity can be obtained from the
evidence gathered. The resource that would be used for evidence gathering is the Live
Data Forensic System (LDFS), which includes the LDFS collection tool and the LDFS analysis tool
(Lim et al., 2012). This tool will enable the auditors to collect most of the evidence from the
site in a short period of time. The tool would enable the auditor to analyze and correlate the
data gathered as evidence and to collect the data according to its order of volatility, that is,
the most short-lived data first (Lim et al., 2012). The team that will conduct the investigation
will include members holding the Certified Forensic Investigation Practitioner (CFIP) and Certified
Information Systems Security Professional (CISSP) certifications, with knowledge of working on
different operating systems (Sammons, 2012). These certified members would be capable of carrying
out a proactive investigation of the incident and of conducting a survey with the key stakeholders
in the incident. The team will also be capable of collecting, analyzing and preserving data, as
well as recovering deleted data.
Approach for Data/Evidence Identification and Acquisition
Evidence identification and acquisition involves preserving all the possible data from the scene
and the systems by using effective evidence gathering techniques. The acquisition should
be carried out by taking photographs of the scene where the criminal activity occurred and
then making an inventory of the evidence to be gathered (Dezfoli et al., 2013). The first step
in acquiring the evidence is creating a mirror copy of the hard disk in a safe location. The
computer should then be switched off and disconnected from all the external devices. A hash value
or CRC of all the contents should be computed, which will enable the investigators to prove the
authenticity and accuracy of the evidence acquired. The evidence acquisition tool that will be
used is EnCase, a forensic product of Guidance Software Inc., since it enables the investigators
to acquire data from a range of devices, provides comprehensive reports of the findings and
maintains the integrity of the evidence (Sammons, 2012). It enables the acquisition of different
types of evidence, including audio, video, documents etc.
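The mirror copy and the hash/CRC check described above can be illustrated with the following added example. It is not the report's procedure as code and it is not EnCase; a file stands in for the disk device, the paths and the sample disk contents are constructed, and the manifest format is an assumption. What it shows is the part of the procedure that matters for proving authenticity: the source is hashed while it is read, the finished image is read back and hashed separately, and the manifest can be re-checked at any later point so that even a single altered byte in the copy is detected.

```python
"""Chunked raw imaging of a disk (a file stands in for the device here) with
CRC32 and SHA-256 integrity verification of the source and the copy, writing a
small acquisition manifest that can be re-checked before every later analysis.
Added example: this is not the report's procedure as code and not EnCase; the
paths and the sample disk contents are constructed for the demonstration."""
import hashlib
import json
import os
import tempfile
import zlib
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB reads, so a multi-terabyte device never has to fit in RAM


def hash_stream(path):
    """Return (sha256 hex, crc32 hex, byte count) of a file read in chunks."""
    sha, crc, size = hashlib.sha256(), 0, 0
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            sha.update(block)
            crc = zlib.crc32(block, crc)
            size += len(block)
    return sha.hexdigest(), f"{crc & 0xFFFFFFFF:08x}", size


def acquire_image(source, image):
    """Copy `source` bit-for-bit into `image` and return an acquisition manifest.

    The source is hashed while it is copied (a single read pass over the
    original), then the finished image is read back and hashed independently,
    so the two digests come from two separate byte streams.
    """
    sha, crc = hashlib.sha256(), 0
    started = datetime.now(timezone.utc).isoformat()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            sha.update(block)
            crc = zlib.crc32(block, crc)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())  # the image must be on stable storage before we trust it
    image_sha, image_crc, image_size = hash_stream(image)
    manifest = {
        "source": source,
        "image": image,
        "bytes": image_size,
        "acquired_at_utc": started,
        "source_sha256": sha.hexdigest(),
        "image_sha256": image_sha,
        "source_crc32": f"{crc & 0xFFFFFFFF:08x}",
        "image_crc32": image_crc,
    }
    manifest["verified"] = (manifest["source_sha256"] == image_sha
                            and manifest["source_crc32"] == image_crc)
    return manifest


def verify_image(image, manifest):
    """Re-hash an image (e.g. before analysis) and compare it with the manifest."""
    sha, crc, size = hash_stream(image)
    return (sha == manifest["image_sha256"] and crc == manifest["image_crc32"]
            and size == manifest["bytes"])


def demo(workdir=None):
    """Image a constructed 3 MiB + 17 byte 'disk', then show that one flipped byte
    in the copy is caught. Returns (verified at acquisition, intact, after tampering)."""
    workdir = workdir or tempfile.mkdtemp(prefix="cghi-acq-")
    source = os.path.join(workdir, "sdb.raw")   # stands in for a device such as /dev/sdb
    image = os.path.join(workdir, "sdb.dd")
    with open(source, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 17))      # deliberately not a multiple of CHUNK
    manifest = acquire_image(source, image)
    with open(os.path.join(workdir, "sdb.manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)        # goes into the chain-of-custody record
    intact = verify_image(image, manifest)
    with open(image, "r+b") as f:                # simulate corruption of the copy
        f.seek(1234)
        original = f.read(1)
        f.seek(1234)
        f.write(bytes([original[0] ^ 0x01]))
    return manifest["verified"], intact, verify_image(image, manifest)


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The manifest is kept with the evidence and re-verified each time the image is opened, so any discrepancy is caught before analysis results are built on a damaged copy. In a real acquisition the source device is also attached through a write blocker so that the read pass cannot alter it.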
Steps in the Analysis Phase
Analysis of System Information
The first and foremost evidence would be gathered from the system that is affected by the
criminal activity. Under this analysis, all configuration settings that would need to be revised to
prevent a malicious program from running on the system should be analyzed (Agarwal et
al., 2011). When the system is booted, a list of programs registered in the registry is run
automatically; the attacker might have blocked this list so that a malicious program running in
the background cannot be identified. This can be overcome by using the Autoruns program, which
highlights all the programs configured to run automatically on the system (Sammons, 2012). It also
enables the investigator to gather the various types of data stored on the system.
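A practitioner would want to see what "reviewing the autostart entries" looks like once Autoruns has produced its export. The following added example is not Autoruns itself and not the report's code; the column layout is assumed to follow an `autorunsc -c` CSV export, the "File not found:" marker for dangling entries is an assumption, and every row is constructed. It triages the export for the signs an examiner checks first: images whose signature is not verified, images placed in user-writable directories, entries whose image no longer exists on disk, and system-binary names running from outside the Windows directories.

```python
"""Triage of an autostart-entry export for entries that warrant examination:
images whose signature is not verified, images in user-writable locations,
images that no longer exist on disk, and system-binary names running from
outside the Windows directories. Added example: this is not Autoruns itself
and not the report's code. The column layout follows an `autorunsc -c` CSV
export as assumed here; every row is constructed for the demonstration."""
import csv
import io
import ntpath

SAMPLE_EXPORT = r"""Entry Location,Entry,Enabled,Category,Description,Signer,Image Path
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,Windows Security notification icon,(Verified) Microsoft Windows,C:\Windows\System32\SecurityHealthSystray.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneDrive,enabled,Logon,Microsoft OneDrive,(Verified) Microsoft Corporation,C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,svchost,enabled,Logon,,(Not verified),C:\Users\jdoe\AppData\Local\Temp\svchost.exe
Task Scheduler,\CGHI\ClaimsNightlySync,enabled,Tasks,Claims application sync,(Not verified) CGHI IT,C:\Program Files\CGHI\ClaimsSync.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,disabled,Logon,,(Not verified),File not found: C:\ProgramData\upd\updater.exe
"""

# Locations an ordinary user can write to; a startup item here deserves a closer look.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\temp\\", "\\programdata\\",
                 "\\users\\public\\", "\\downloads\\")
# Names that belong in a Windows system directory; the same name elsewhere is a disguise.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows")


def triage_entry(row):
    """Return the reasons an entry deserves examination (empty list = nothing notable)."""
    reasons = []
    signer = row.get("Signer", "").strip()
    image = row.get("Image Path", "").strip().lower()
    if not signer.startswith("(Verified)"):
        reasons.append("image signature not verified")
    if image.startswith("file not found:"):   # how a dangling entry is marked (assumed)
        reasons.append("image path does not exist on disk (dangling or removed payload)")
        image = image[len("file not found:"):].strip()
    if any(marker in image for marker in USER_WRITABLE):
        reasons.append("image is in a user-writable location")
    name = ntpath.basename(image)
    if name in SYSTEM_NAMES and not ntpath.dirname(image).startswith(SYSTEM_DIRS):
        reasons.append(f"{name} runs from outside a Windows system directory")
    return reasons


def triage_export(text):
    """Parse the export and return the entries with at least one reason, in file order."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        reasons = triage_entry(row)
        if reasons:
            findings.append({
                "location": row["Entry Location"],
                "entry": row["Entry"],
                "enabled": row["Enabled"],
                "image": row["Image Path"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in triage_export(SAMPLE_EXPORT):
        print(f"{f['enabled']:<9}{f['entry']:<26}{f['image']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Disabled entries are reported as well as enabled ones: an entry that was disabled or whose image was removed still records that something was once configured to start, and its timestamps feed the timeline built in the analysis stage.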
Analysis of network information
The next step in the forensic analysis would involve analyzing the network connection information
of the system. In this analysis the investigator can determine whether the attacker communicated
with the system by opening a network port on it, and can also find out whether the
computer has been compromised (Beckett & Slay, 2011). In this stage the investigators would
be able to collect evidence of the attacker and of the techniques used by the attacker to affect
the computer. The analysis will also enable the investigator to determine which part of the data the
attacker has been accessing and manipulating.
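The network check above, in its most basic form, is a comparison of the host's connection table against what the host is expected to be doing. The following added example is not the report's code; the `netstat -ano` style lines, the PID-to-image map (as `tasklist` would give it) and the listener baseline are constructed, and the internal address ranges are an assumption about the CGHI network. It ties every listening port and established connection to the owning process and reports the listeners the baseline does not account for and the connections that leave the internal ranges.

```python
"""Triage of a host's network connection table: unexpected listening ports and
established connections to addresses outside the internal ranges, each tied to
the owning process. Added example, not the report's code; the `netstat -ano`
style lines, the PID-to-process map, the listener baseline and the internal
ranges are constructed and would come from the live collection in practice."""
import ipaddress

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1232
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       5120
  TCP    10.20.5.17:49822       10.20.5.10:445         ESTABLISHED     4
  TCP    10.20.5.17:50123       203.0.113.45:8443      ESTABLISHED     5120
  TCP    127.0.0.1:49700        127.0.0.1:49701        ESTABLISHED     2216
  TCP    [::]:135               [::]:0                 LISTENING       912
  UDP    0.0.0.0:5353           *:*                                    2216
"""
# PID -> image name, as a `tasklist` run at the same moment would give (constructed).
PROCESSES = {4: "System", 912: "svchost.exe", 1232: "svchost.exe",
             2216: "svchost.exe", 5120: "updater.exe"}
# Listeners this workstation build is expected to have (constructed baseline).
EXPECTED_LISTENERS = {("TCP", 135), ("TCP", 139), ("TCP", 445), ("TCP", 3389), ("UDP", 5353)}
# Address space the organisation owns or routes internally (assumed for CGHI).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fe80::/10", "fc00::/7")]


def split_endpoint(endpoint):
    """'10.20.5.17:445' -> ('10.20.5.17', 445); '[::]:0' -> ('::', 0); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn `netstat -ano` output into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], split_endpoint(parts[1]), split_endpoint(parts[2])
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:                        # UDP rows have no state column
            state, pid = "", int(parts[3])
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": pid})
    return rows


def is_external(host):
    """True for an address outside the internal ranges; '*' and hostnames are not classified."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    if ip.is_unspecified:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def triage_connections(rows, processes, expected_listeners):
    """Return (pid, process name, reason) for each row worth examining, in table order."""
    findings = []
    for r in rows:
        name = processes.get(r["pid"], "<unknown>")
        _, local_port = r["local"]
        foreign_host, foreign_port = r["foreign"]
        listening = r["state"] == "LISTENING" or (r["proto"] == "UDP" and foreign_host == "*")
        if listening and (r["proto"], local_port) not in expected_listeners:
            findings.append((r["pid"], name, f"unexpected {r['proto']} listener on port {local_port}"))
        elif r["state"] == "ESTABLISHED" and is_external(foreign_host):
            findings.append((r["pid"], name,
                             f"established connection to external host {foreign_host}:{foreign_port}"))
    return findings


def triage_sample():
    return triage_connections(parse_netstat(NETSTAT_SAMPLE), PROCESSES, EXPECTED_LISTENERS)


if __name__ == "__main__":
    for pid, name, reason in triage_sample():
        print(f"PID {pid:<6}{name:<14}{reason}")
```

The connection table is among the most volatile data on the host, so it is captured in the live collection before the machine is powered down; the PID-to-image map must be taken in the same collection, since the PIDs mean nothing once the system has rebooted.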
Analysis of the external devices
The forensic analysis involves analyzing the external devices that contain data and might have
been used to transfer onto the system the malicious program that deleted the customers' data
(Beckett & Slay, 2011). Evidence of the programs on the external devices can be collected
through this analysis.
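Both the analysis stage (reconstructing the chain of events and the time of occurrence) and the external-device analysis just described come down to the same working step: putting records from different sources on one clock and reading them in order. The following added example is not the report's or LDFS's code; the site time zone (UTC+10), the device serial and all log records are constructed. It merges a USB connection log kept in local wall-clock time, a file system journal export in 12-hour local time and an application change log in ISO 8601 with an explicit offset, normalises all three to UTC, and picks out the deletions and application changes that occurred while a removable device was attached.

```python
"""Unified timeline for the analysis stage: events from three sources that
record time differently (a USB connection log in local wall-clock time, a file
system journal export in 12-hour local time, an application change log in ISO
8601 with an explicit offset) are normalised to UTC, merged and sorted, and the
deletions and application changes that happened while a removable device was
attached are picked out. Added example, not the report's or LDFS's code; the
site time zone (UTC+10) and all log records are constructed."""
from datetime import datetime, timedelta, timezone

SITE_TZ = timezone(timedelta(hours=10))   # assumed local time zone of the CGHI office

# (local time, device serial, action) from the system event log (constructed)
USB_EVENTS = [
    ("2013-06-12 09:02:11", "4C530001230425110352", "connected"),
    ("2013-06-12 09:41:57", "4C530001230425110352", "removed"),
]
# (local 12-hour time, path, action) from a file system journal parser (constructed)
FS_EVENTS = [
    ("06/12/2013 09:15:02 AM", r"C:\CGHI\Claims\customers\PHI_2013Q2.db", "deleted"),
    ("06/12/2013 09:16:30 AM", r"C:\CGHI\Claims\customers\PHI_2013Q1.db", "deleted"),
    ("06/12/2013 02:05:10 PM", r"C:\Users\jdoe\AppData\Local\Temp\~tmp1.dat", "deleted"),
]
# (ISO 8601 with offset, path, action) from the application server's change log (constructed)
APP_EVENTS = [
    ("2013-06-11T22:10:00+00:00", r"C:\CGHI\Claims\config.xml", "modified"),
    ("2013-06-11T23:30:40+00:00", r"C:\CGHI\Claims\ClaimsEntry.exe", "modified"),
]


def local_to_utc(text, fmt):
    """Parse a naive local timestamp in the site time zone and return it as aware UTC."""
    return datetime.strptime(text, fmt).replace(tzinfo=SITE_TZ).astimezone(timezone.utc)


def build_timeline():
    """Merge all sources into one list of event dicts sorted by UTC time."""
    events = []
    for ts, serial, action in USB_EVENTS:
        events.append({"utc": local_to_utc(ts, "%Y-%m-%d %H:%M:%S"), "source": "usb",
                       "detail": f"device {serial} {action}", "serial": serial, "action": action})
    for ts, path, action in FS_EVENTS:
        events.append({"utc": local_to_utc(ts, "%m/%d/%Y %I:%M:%S %p"), "source": "filesystem",
                       "detail": f"{path} {action}"})
    for ts, path, action in APP_EVENTS:
        events.append({"utc": datetime.fromisoformat(ts).astimezone(timezone.utc),
                       "source": "application", "detail": f"{path} {action}"})
    return sorted(events, key=lambda e: e["utc"])


def events_during_removable_media(timeline):
    """Return the non-USB events that fall between a device's 'connected' and its 'removed'.

    A device never recorded as removed stays open to the end, so everything after
    its connection counts; that is the right default when the machine was imaged
    with the device still attached.
    """
    attached = {}    # serial -> time connected
    hits = []
    for ev in timeline:
        if ev["source"] == "usb":
            if ev["action"] == "connected":
                attached[ev["serial"]] = ev["utc"]
            else:
                attached.pop(ev["serial"], None)
            continue
        if attached:
            hits.append(ev)
    return hits


def render(timeline, hits):
    """Human-readable lines; '*' marks events that coincide with an attached device."""
    flagged = {id(h) for h in hits}
    return [f"{ev['utc'].strftime('%Y-%m-%d %H:%M:%S')}Z  {ev['source']:<11} "
            f"{'*' if id(ev) in flagged else ' '} {ev['detail']}" for ev in timeline]


if __name__ == "__main__":
    tl = build_timeline()
    print("\n".join(render(tl, events_during_removable_media(tl))))
```

The conversion to UTC is the step most often skipped and most often wrong: two of the three sources here carry no offset at all, so the examiner has to establish the site time zone from the system itself and record that assumption with the evidence, otherwise an application change logged on a server in UTC appears to follow a deletion it actually preceded.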
Conclusion
Digital forensic investigation provides a holistic approach to the investigation of a criminal activity
carried out on digital devices. Using the systematic digital forensic investigation model, auditors
can effectively collect all the evidence in a secure manner, preserve it and use it to establish the
reason behind the criminal activity, its source and its severity. The Live Data Forensic System (LDFS)
is an effective tool for gathering evidence since it correlates the collected data. Evidence
acquisition is one of the important functions and is carried out by first acquiring data from the
system and then from all the external devices to which it is connected. The steps involved in the
forensic analysis are the analysis of the system, of the network and of the external devices, which
would enable the investigators to collect the evidence sequentially and accurately. The collected
evidence would help in analyzing and identifying the source of the criminal activity at CGHI.
References
Agarwal, A, Gupta, M, Gupta, S & Gupta, S (2011), Systematic Digital Forensic Investigation
Model, International Journal of Computer Science and Security, Volume 5, Issue 1, pp. 118-131
Altheide, C & Carvey, H (2011), Digital Forensics with Open Source Tools, Syngress, 1st edition
Beckett, J & Slay, J (2011), Scientific underpinnings and background to standards and
accreditation in digital forensics, Digital Investigation 8 (2012), pp. 114-121
Casey, E (2005), Handbook of Digital Forensics and Investigation, Academic Press, 1st edition
Casey, E (2011), Digital Evidence and Computer Crime, Academic Press, 3rd edition
Dezfoli, F, Dehghantanha, A, Mahmoud, R, Binti, N, Sani, M & Daryabar, F (2013), Digital
Forensic Trends and Future, International Journal of Cyber-Security and Digital Forensics
(IJCSDF) 2(2), pp. 48-76
Lim, K, Savoldi, A, Lee, C & Lee, S (2012), On-the-spot digital investigation by means of
LDFS: Live Data Forensic System, Mathematical and Computer Modelling 55 (2012), pp. 223-240
Nelson, B, Phillips, A & Steuart, C (2009), Guide to Computer Forensics and Investigations,
Cengage Learning, 4th edition
Richard III, G, Roussev, V & Marziale, L (2007), Forensic discovery auditing of digital evidence
containers, Digital Investigation 4 (2007), pp. 88-97
Sammons, J (2012), The Basics of Digital Forensics: The Primer for Getting Started in Digital
Forensics, Syngress, 1st edition
Sommer, P (2012), Digital Evidence, Digital Investigation and E-Disclosure: A Guide to
Forensic Readiness, IAAC
Turner, P (2007), Applying a forensic approach to incident response, network investigation and
system administration using Digital Evidence Bags, Digital Investigation 4 (2007), pp. 30-35