StudentShare
Contact Us
Sign In / Sign Up for FREE
Search
Go to advanced search...
Free

Digital Forensic Investigation - Case Study Example

Cite this document
Summary
This paper "Digital Forensic Investigation" discusses sources of data used during the investigation of digital forensics in an effective and legal way, and prioritize discussed data sources according to three different events of network intrusion, malware installation, and insider file detection…
Download full paper File format: .doc, available for editing
GRAB THE BEST PAPER91.7% of users find it useful
Digital Forensic Investigation
Read Text Preview

Extract of sample "Digital Forensic Investigation"

?Running Head: Digital Forensic Investigation Digital Forensic Investigation [Institute’s DIGITAL FORENSIC INVESTIGATION Table of Contents Table of Contents 2 INTRODUCTION 3 SOURCES OF DATA 4 General Logs 5 Time Packages 6 System Files 8 POTENTIAL USEFULNESS 9 CONCLUSION 9 REFERENCES 10 INTRODUCTION Primarily, this paper will discuss different sources of data that are used during investigation of digital forensics in an effective and legal way, will look at basic technical issues, and will endeavor to indicate references for further reading. In addition, the paper will also prioritize discussed data sources according to three different events of network intrusion, malware installation, and insider file detection. Discussion will be very beneficial for managers and individuals in their better understanding of digital forensics and processes that involve its investigation. In addition, discussion will also be helpful for network administrators in understanding different aspects of computer forensics, which will help them in ensuring greater security of their organizations strategically. Before assessing the topic, it is very essential to understand the definition of digital forensics that has been under the process of acquiring recognition due to dearth of research in the area and due to lack of awareness about importance of digital forensics in today’s competitive world. Briefly, forensics is the process in which experts utilize scientific means and skills to collect and analyze evidence that then can be submitted in the court for legal purpose (Kent, Chevaller, Grance, & Dang, 2006). In this regard, digital forensics is a newly-born discipline that is gradually acquiring its importance as a formal area of study that deals with scientific knowledge in collection of evidence from different sources of data related to computers that involve desktops, laptops, routers, CCTV, network hubs, logs, software, time packages, emails, etc (ENFSI, 2003). It is very imperative to understand that since digital forensics is a new area of study that is still under the process of standardization, therefore, discussion in this paper related to different sources of data might not be the final word. Thus, it will take further study and investigation to reach to a conclusion in terms of prioritizing these sources in terms of their utilization in different events/incidents. In addition, from a technical perspective, it is also essential to understand that besides assessing different sources of data, it is equally important to ensure fulfillment of primary goal of digital forensics that is about preservation of the identified data source. It has been an observation that investigators usually are able to identify important data sources; however, they overlook preservation of the sources that results in unacceptable of evidence in the court. SOURCES OF DATA As mentioned earlier, digital forensic investigation has been divided into different stages of preservation, collection, examination, and analysis (ENFSI, 2003). Collection stage is relevant in this paper as it involves identification and collection of information pertinent to the case under investigation. In case of usual forensics, everything is a source since investigators are able to gather information from people and acquire fingerprints from clothes, furniture, floors, etc. However, when it comes to digital forensics, information is usually available in computers of computerized equipments, such as phone logs, web traffic, packet sniffers, network records, etc (ENFSI, 2003), and therefore, it is usually not possible to take away the whole equipment, and investigators have to collect the information while ensuring complete preservation. In digital forensics, besides four stages, one can categorize the stage of collection in two parts. Firstly, investigators collect background evidence that refers to the data that is usually available and stored for usual organizational purposes (Sheldon, 2002). On the other hand, investigators also come across foreground evidence that refers to the data gathered to detect a crime. It is a belief that awareness about these categories will be helpful in better understanding of different sources of data that are discussed below: General Logs General logs are an extremely important source of data used in digital forensic investigation that allows investigators to acquire access to valuable information in the form of web traffic, transactions, user logs, access logs, and network logs. Due to non-standardization of digital forensic investigation, some experts consider general logs as primary source of data, whereas, few experts consider it as secondary source since it is found on systems that can be laptops, desktops, backup disks, storage media, etc (Arasteh, Debbabi, Sakha, & Saleh, 2007). Inclusion of logs in this paper indicates consideration as a primary source. Basically, every computer generates and maintains record of every event in a sequence that happens in its system, which is referred as a log file. Technically, timestamp is the basic element of the log file that enables the investigators to know about exact time of the entry, which is followed by identifier and brief description of the entry (Arasteh, Debbabi, Sakha, & Saleh, 2007). Since computers maintain record of every entry, therefore, one of the biggest challenges in collection and examination of this data source is huge number of log files that is usually present in one computer system (Arasteh, Debbabi, Sakha, & Saleh, 2007). In this regard, if investigators have to examine a single computer system then it is no issue; however, when it comes to cases involving whole organization, it becomes a hectic task for investigators to collect, preserve, and examine thousands of log files that take a long period of time for them to reach to a conclusion. As discussed earlier, logs are not of a single type and can be found in different types, such as simple system log file to encrypted internet traffic. Therefore, it becomes a challenge for investigators to get access to the files and preserve it while knowing its exact type, as every type is of a different complexity and requires different treatment. In addition, in many computers, systems do not keep record of every process but maintains record of only important or unusual happening events, which often becomes a challenge for the investigators in absence of non-recording of an event relevant and important in terms of a particular case. For instance, a TCP wrapper usually maintains log of beginning of a TCP connection, as well as generates a log file when it is ended but it does not maintain any log of in between the connection (Carrier & Spafford, 2003). If a user would have established and ended a connection hundred times, then there would be a hundred log file entries in the system. In this regard, an investigator should be aware of all the circumstances along with settings of the computer systems before collecting, preserving, and examining the data source, and/or before reaching to a conclusion in light of presence or absence of a log file entry. Although general logs are easy to access and simple for analysis, however, this simplicity of general logs is itself a biggest challenge for the investigators since timestamp is one of the basic elements of a log file and due to its simplicity, it is very to tamper the timestamp, which may affect forensic investigation adversely. Nowadays, there are tools available to check integrity of the data; however, easy tampering remains one of the drawbacks of depending on general logs in a digital forensic investigation (Carrier & Spafford, 2003). Apart from tampering, another challenge that investigators face is of system clocks that can also be running on a different clock. In that case, timestamp on a log file may contradict with system clocks on the system, which results in complications during examination and analysis stages. Time Packages As discussed earlier that general logs are easily accessible but they bring with them challenges such as possibility of easy forgery, therefore, the paper will now include discussion on another important source of data that is time packages. They are similar to timestamp in terms that they also allow investigators to know about time of an event or an entry; however, they are difficult to forge and thus, digital forensic experts have been putting efforts to determine time of event during an investigation with the help of time packages (Carrier & Spafford, 2003). In order to understand this data source, the paper will include description of two methods that are used to access the data source that will make it easier to understand challenges that investigators confront while collecting information from it. First method is known as the time bounding method. Usually, timestamps allow determining of temporal order of events. However, when it comes to time packages, time bounding method allows investigators to determine inverse of the temporal order of events; in other words, exact time of events that is usually not possible to determine with time stamps. For instance, assume that three events X, Y, Z happened in a system, and investigators are aware of the fact that all the three events occurred in a sequence that is Z happened after Y, and Y happened after X. As the result, this method allows the experts to determine bounded time of event Y. Although this seems complicated, however, digital forensic investigators have been using this method and this data source to complement or support or challenge conclusions made from the other sources of data (Carrier & Spafford, 2003). Another method used during digital forensic investigation to use the data source of time packages is dynamic time analysis (Carrier & Spafford, 2003). In a network or on the internet, web servers usually have the control to add timestamps into web pages that are then transferred to computers of web page’s users. In this regard, timestamp on the log file can be compared with timestamp acquired from dynamic time analysis from the web server, which allows better precision during the investigation (Casey, 2004). Although acquisition of this data source is more complicated in comparison to general logs, and there is a greater possibility of presence of this data source in an encrypted environment; however, time packages are not easy to forge. Thus, it is better when it comes to incidents, such as network intrusion, which usually cannot be analyzed with help of general logs only. System Files In digital forensic investigation, forensic scientists come across many sources of data and use them to reconstruct an event; however, the most common is the system files or files created and maintained by users of the system (Carrier, 2005). Experts have divided system files into two basic types. One type is the persistent data that is preserved automatically by the computer on a hard drive or a storage media when it was turned off. This type of data is easy to access; however, another type is volatile data that is usually stored in memory of the system; however, gets lost in the transition (Carrier, 2005). Trained digital investigators are able to access information from volatile data by accessing registries, cache, and RAM that usually have presence of volatile data in them. However, one of the major challenges in this data source is that volatile data is temporary, and thus, it really tests skills and capability of investigators since sometimes collection results in damage of the hard drive or storage media, and thus, in data source of system files, persistent data is easy but volatile data calls for a complicated investigation. Besides challenges, system files enjoy a very high priority when it comes to incidents, such as insider file deletion or insider theft, as well as give beneficial results in incidents such as malware installation (Carrier, 2005). In most of the operating systems, there are usually two groups: one for user files and other one for structural information of the system. In this regard, investigators can easily access information from this data source using different methods and tools according to different operating systems. POTENTIAL USEFULNESS General Logs System Files Time Packages Network Intrusion 2 3 1 Malware Installation 1 2 3 Insider File Deletion 3 1 2 * 1 = Highest priority, 2 = normal priority, 3 = lowest priority Based on the discussion, above table indicates priority given to different sources of data according to their potential usefulness in terms of three different events that usually come across in a digital forensic investigation. In network intrusion, time packages enjoys the highest priority as they are able to give closest estimation of the time of event that are very important during analysis of such an incident. In malware installation, general logs are an important source of data, whereas, in the incident of insider file deletion, system files can be the best source of data that can allow recovery of the deleted file while ensuring complete preservation. CONCLUSION Conclusively, the paper discussed some of the different sources of data that come under utilization during digital forensic investigation. It is anticipation that discussion of these sources will be beneficial in better understanding of the topic. REFERENCES Arasteh, A. R., Debbabi, M., Sakha A. and Saleh, M. (2007). Analyzing Multiple Logs for Forensic Evidence. Digital Investigation, 4S, pp. S82-S91. Carrier, B. (2005). File System Forensic Analysis. Addison Wesley Professional. Carrier, B. and Spafford, E. (2003). Getting Physical with the Digital Investigation Process. International Journal of Digital Evidence, 2(2). Casey, E. (2004). Network Traffic as a Source of Evidence: Tool Strengths, Weaknesses, and Future Needs. Journal of Digital Investigation, 1(1), pp. 28-43. ENFSI. (2003). Guidelines for Best Practice in the Forensic Examination of Digital Technology. European Network of Forensic Science Institutes. Kent, K., Chevaller, S., Grance, T., and Dang, H. (2006). Guide to Integrating Forensic Techniques into Incident Response. NIST SP. Sheldon, B. (2002). Forensic Analysis of Windows Systems. Handbook of Computer Crime Investigation: Forensic Tools and Technology. Academic Press. Read More
Cite this document
  • APA
  • MLA
  • CHICAGO
(“Assess at least four different sources of data that could be used in a Research Paper”, n.d.)
Assess at least four different sources of data that could be used in a Research Paper. Retrieved from https://studentshare.org/information-technology/1487965-assess-at-least-four-different-sources-of-data
(Assess at Least Four Different Sources of Data That Could Be Used in a Research Paper)
Assess at Least Four Different Sources of Data That Could Be Used in a Research Paper. https://studentshare.org/information-technology/1487965-assess-at-least-four-different-sources-of-data.
“Assess at Least Four Different Sources of Data That Could Be Used in a Research Paper”, n.d. https://studentshare.org/information-technology/1487965-assess-at-least-four-different-sources-of-data.
  • Cited: 0 times

CHECK THESE SAMPLES OF Digital Forensic Investigation

Digital investigation in the organization

The law enforcement perspective of the Digital Forensic Investigation tends to disregard what happens to the object or the device before the decision is made whether to be accepted as evidence or not.... In this context the evidence required is presented by the Digital Forensic Investigation or not presented and therefore the suspect can neither be charged nor prosecuted.... In the paper “Digital investigation in the organization” the author focuses on digital investigations as a continuous basis that ensures data and information to be always safe and secure and the processes that are employed to present this information....
5 Pages (1250 words) Essay

Digital Forensics Investigation of Child Pornography

Different elements justify the adequacy of digital forensics investigation. The United States v Lynn of… The case followed the search and arrest of Ryan Christopher Lynn who lived in California for the charges of receipt and possession of child pornography videos.... Federal agents seized Lynn's Toshiba Laptop This investigation discovered one hundred and eighty four video files and fifty-three still images of child pornography in Lynn's computer hard drive (Watson & Jones, 2013)....
4 Pages (1000 words) Research Paper

Skype Forensics

So, digital forensic has become very essential and in fact a part of the overall security perspective of any computer-based industry, in spite of various challenges associated with the Digital Forensic Investigation process.... This report will discuss the various available tools that will aid the Digital Forensic Investigation process, document the steps involved in the investigation process along with the challenges that have to be faced during the course of the investigation process....
6 Pages (1500 words) Case Study

Digital Forensic: Skype

This case study "Digital Forensic: Skype" discusses various available tools that will aid the Digital Forensic Investigation process, document the steps involved in the investigation process along with the challenges that have to be faced during the course of the investigation process.... So, digital forensic has become very essential and in fact a part of the overall security perspective of any computer-based industry, in spite of various challenges associated with the Digital Forensic Investigation process....
5 Pages (1250 words) Case Study

Interview Methodology for a Digital Forensic Examination

Developing the Forensic Interview Methodology Developing the interview methodology is very critical in a Digital Forensic Investigation.... The interview preparation will help in breaking the forensic investigation process in such a way that any problematic circumstances are alleviated or exacerbated.... To ensure an effective interview preparation, the forensic examiner needs to choose the forensic investigation setting.... This choice of forensic investigation setting will ensure that the examination is done within a feasible context....
6 Pages (1500 words) Research Proposal

Digital Forensic Incident Response for American Marketing Systems

Digital Forensic Investigation is important for the productive prosecution of criminals who engage in digital crimes.... l (2008), Digital Forensic Investigation is distinct from the digital investigation in that the techniques and procedures that the investigator will use allow the output to be applied in a court of law.... In this regard, the researcher ought to consider significant steps to carry out a successful forensic investigation.... The paper "digital forensic Incident Response for American Marketing Systems" gives reveal the existence of skimming culprits and the skimming procedure....
13 Pages (3250 words) Case Study

Virtual Machine Forensics and Network Forensics

etwork forensics involves: 1) Identifying and responding to attacks against computer systems 2) The utilisation of security devices in gathering evidence data 3) utilising the networks for passive information collection during an investigation VM examintion Typical Digital Forensic Investigation is divided into four main stages namely; access, acquire, analyze and report.... Then makes copies of all data from the running system and generate the forensic image of all storage media a process known as acquisition....
2 Pages (500 words) Article

Defining Digital Forensic Examination and Analysis Tools Using Abstraction Layers by Carrier

The paper "Defining digital forensic Examination and Analysis Tools Using Abstraction Layers" will seek to establish whether the research offered new understanding and reliable information regarding the field of digital forensic examination.... nbsp; Introduction Carrier's (2003) paper addresses a number of problems in the research; for instance, they utilize abstraction layers to identify where digital forensic tools can bring in errors and offer requirements that the tools have to follow....
8 Pages (2000 words) Literature review
sponsored ads
We use cookies to create the best experience for you. Keep on browsing if you are OK with that, or find out how to manage cookies.
Contact Us