In this article we will look at cyberforensics and digital evidence. We will look at the differences between physical evidence and digital evidence. Then we will look at the guidelines for collecting digital evidence.
Cyberforensics can be divided into two domains:
- Computer forensics
- Network forensics
Computer forensics concerns evidence recovered from the storage media and memory of individual computers. Network forensics is the study of network traffic to search for truth in civil, criminal, and administrative matters, in order to protect users and resources from exploitation, invasion of privacy, and other crime.
Digital evidence is different from physical evidence because of the following characteristics:
- Digital evidence is much easier to change/manipulate
- Perfect copies can be made without harming the original
- Different information is available at different levels of abstraction
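The second characteristic, that a perfect copy can be made without harming the original, is what makes imaging plus hashing the standard way to prove that evidence has not changed. The following is an added example, not code from the original article: it makes a bit-level copy of a constructed stand-in for a piece of media (`SAMPLE_MEDIA`, a deterministic byte string), hashes source and copy, makes a further working copy for analysis, and shows that flipping a single bit in the working copy is detected. File names, the `image_media` and `verify_copy` helpers and the byte offset used for the modification are all assumptions for the illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 16  # copy in 64 KiB blocks so arbitrarily large media fits in memory

# Constructed stand-in for a piece of media: 256 KiB of deterministic bytes (not real evidence).
SAMPLE_MEDIA = bytes(range(256)) * 1024


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk=CHUNK):
    """Hash a file block by block (used as a separate read-back pass over a copy)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def image_media(src_path, dst_path, chunk=CHUNK):
    """Bit-level copy of src to dst (hypothetical helper).

    The source is hashed as it is read, in the spirit of dd piped through
    sha256sum; the copy is then hashed in a second pass that reads it back
    from storage, so a faulty write shows up as a mismatch.
    Returns (source_hash, copy_hash).
    """
    h_src = hashlib.sha256()
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            h_src.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the bytes reached storage before the read-back
    return h_src.hexdigest(), sha256_file(dst_path)


def verify_copy(expected_hash, path):
    """Re-hash a copy later (before analysis, or when testifying) against the recorded hash."""
    return sha256_file(path) == expected_hash


def demo():
    """Image the constructed media, verify, then show that a one-bit change
    to a working copy is detected. Returns the results as a dict."""
    with tempfile.TemporaryDirectory() as d:
        media = os.path.join(d, "media.raw")        # the "original"
        evidence = os.path.join(d, "evidence.dd")   # the evidence copy: never analysed directly
        working = os.path.join(d, "working.dd")     # the copy analysis is done on
        with open(media, "wb") as f:
            f.write(SAMPLE_MEDIA)

        src_hash, copy_hash = image_media(media, evidence)
        _, working_hash = image_media(evidence, working)

        # Simulate an accidental (or deliberate) modification of the working copy: flip one bit.
        with open(working, "r+b") as f:
            f.seek(12345)
            original_byte = f.read(1)[0]
            f.seek(12345)
            f.write(bytes([original_byte ^ 0x01]))

        return {
            "src_hash": src_hash,
            "copy_hash": copy_hash,
            "evidence_ok": verify_copy(src_hash, evidence),
            "working_ok_before": working_hash == src_hash,
            "working_ok_after": verify_copy(src_hash, working),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real acquisition the source is a block device opened read-only behind a hardware write blocker, because even mounting the original changes it (access times, journal replay); the hash pair recorded at imaging time is what the chain-of-custody notes carry forward.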
Computer forensics experts know the techniques to retrieve data from files listed in a standard directory search, hidden files, deleted files, deleted e-mail, passwords, login IDs, encrypted files, hidden partitions, etc. The places on a computer system where such data is found include:
- Logical file system, which consists of:
  - File system
  - Random Access Memory (RAM)
  - Physical storage media
- Slack space: space allocated to a file but not actually used by it, because storage is handed out in whole clusters (internal fragmentation); it can retain fragments of whatever previously occupied those sectors
- Unallocated space: clusters not currently assigned to any file, which likewise retain the contents of deleted files until they are overwritten
- User-created files
- Computer-created files (backups, cookies, configuration files, history files, log files, swap files, system files, temporary files, etc.)
- Computer networks
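Slack space and unallocated space are easiest to understand on a concrete volume. The following is an added example, not code from the original article: it models a tiny raw volume with 512-byte sectors and 2048-byte clusters, writes and "deletes" a file, then writes a smaller file over the first cluster and reads back what is left in the new file's slack and in the unallocated clusters. The `ToyVolume` class, the file names and the file contents (`OLD_FILE`) are constructed for the illustration; the write behaviour it models (tail of the last sector zero-filled, remaining sectors of the last cluster untouched) is a simplification, and exact behaviour varies by file system and driver.

```python
SECTOR = 512
CLUSTER = 4 * SECTOR  # 2048-byte allocation unit, as on a small FAT/NTFS volume

# Constructed contents of a file that once filled clusters 0 and 1 and was later deleted.
OLD_FILE = (b"old-secret-record;" * 300)[: 2 * CLUSTER]


def slack_size(file_size, cluster_size=CLUSTER):
    """Bytes allocated to a file of this size but not holding its data."""
    return 0 if file_size == 0 else (-file_size) % cluster_size


class ToyVolume:
    """A raw volume plus an allocation table (hypothetical model).

    Two behaviours matter forensically: deleting a file only drops its table
    entry, and writes go out in whole sectors, so the tail of the last sector
    is zero-filled ("RAM slack") while later sectors of the last cluster keep
    whatever was there before ("drive slack")."""

    def __init__(self, n_clusters):
        self.raw = bytearray(n_clusters * CLUSTER)
        self.table = {}  # name -> (list of cluster ids, logical size)

    def write_file(self, name, data, clusters):
        padded = data + b"\x00" * ((-len(data)) % SECTOR)
        for i, cid in enumerate(clusters):
            chunk = padded[i * CLUSTER:(i + 1) * CLUSTER]
            if not chunk:
                break
            start = cid * CLUSTER
            self.raw[start:start + len(chunk)] = chunk
        self.table[name] = (list(clusters), len(data))

    def delete_file(self, name):
        del self.table[name]  # the data itself stays on the medium

    def file_slack(self, name):
        """Bytes in the file's last cluster beyond the end of its data."""
        clusters, size = self.table[name]
        used_in_last = size - (len(clusters) - 1) * CLUSTER
        last = clusters[-1] * CLUSTER
        return bytes(self.raw[last + used_in_last:last + CLUSTER])

    def unallocated(self):
        """Cluster id -> raw bytes for every cluster no file currently owns."""
        allocated = {c for clusters, _ in self.table.values() for c in clusters}
        return {cid: bytes(self.raw[cid * CLUSTER:(cid + 1) * CLUSTER])
                for cid in range(len(self.raw) // CLUSTER) if cid not in allocated}

    def find(self, pattern):
        """Offsets of pattern anywhere on the raw volume; this is what a carving
        tool does, ignoring the allocation table entirely."""
        hits, pos = [], self.raw.find(pattern)
        while pos != -1:
            hits.append(pos)
            pos = self.raw.find(pattern, pos + 1)
        return hits


def demo_volume():
    """Four-cluster volume: write and delete a 2-cluster file, then write a
    700-byte file into cluster 0 on top of it."""
    v = ToyVolume(n_clusters=4)
    v.write_file("secret.txt", OLD_FILE, clusters=[0, 1])
    v.delete_file("secret.txt")
    v.write_file("notes.txt", b"A" * 700, clusters=[0])
    return v


if __name__ == "__main__":
    v = demo_volume()
    slack = v.file_slack("notes.txt")
    print("slack bytes:", len(slack), "of which zero-filled:", len(slack) - len(slack.lstrip(b"\x00")))
    print("old data still in slack:", b"old-secret-record" in slack)
    print("unallocated clusters:", sorted(v.unallocated()))
    print("pattern hits on raw volume:", len(v.find(b"old-secret-record;")))
```

The 700-byte file owns all 2048 bytes of cluster 0, so 1348 bytes of slack exist: the first 324 are zeros written with the last sector, the remaining 1024 are the deleted file's second sector group, and cluster 1 is fully intact in unallocated space. Reading the volume through the file system shows none of this; reading the raw device does.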
Dr. Edmond Locard is regarded as the father of forensic science and is also known as the "Sherlock Holmes of France". His famous principle, "Every contact leaves a trace", is known as Locard's exchange principle.
The Rules of Evidence
According to the Indian Evidence Act, 1872, evidence means:
- All statements which the court permits or requires to be made before it by witnesses, in relation to matters of fact under inquiry, are called oral evidence.
- All documents that are produced for the inspection of the court are called documentary evidence.
Provisions newly added to the Indian Evidence Act, 1872 through the Information Technology Act, 2000 (ITA 2000) constitute the body of law applicable to electronic evidence. Digital evidence is by its very nature invisible to the eye: it must be rendered using tools other than human sight. Acquiring digital evidence is therefore both a legal and a technical problem. Difficulties associated with gathering digital evidence:
- Determining what piece of digital evidence is required
- Where the evidence is physically located
Different contexts are involved in actually identifying a piece of digital evidence:
- Physical context
  - It is definable by its physical form, that is, it resides on a specific piece of media
- Logical context
  - It is identifiable by its logical position, that is, where it resides relative to the file system
- Legal context
  - The evidence must be placed in the correct context for its meaning to be read
  - This may require looking at the evidence as machine language
Guidelines for the digital evidence collection phase (these follow RFC 3227, "Guidelines for Evidence Collection and Archiving"):
- Follow the site's security policy and engage the appropriate incident handling and law enforcement personnel
- Capture as accurate a picture of the system as possible
- Keep detailed notes with dates and times, and note the offset between the system clock and UTC, since timestamps will be compared across systems
- Be prepared to testify, outlining all actions you took and at what times
- Minimize changes to the data as you are collecting it (even reading a file updates its access time on a mounted file system)
- Remove external avenues for change
- When forced to choose between collection and analysis, collect first and analyse later
- Your procedures should be implementable and, where possible, automated for speed and accuracy
- Divide the work among the team members
- Proceed from the most volatile to the least volatile areas while collecting evidence:
  - Registers, cache
  - Routing table, ARP cache, process table, kernel statistics, RAM
  - Temporary file systems
  - Disk
  - Remote logging and monitoring data
  - Physical configuration and network topology
  - Archival media
- Make a bit-level copy of the media and treat it as the evidence copy; make a further copy from it for analysis, because analysis will almost certainly alter file access times (avoid conducting forensics directly on the evidence copy)
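The order-of-volatility rule and the requirement for dated notes can be enforced by the collection tooling itself. The following is an added example, not code from the original article: it sorts a set of collectors by RFC 3227 stage so nothing less volatile is touched before more volatile data is captured, records for each one who collected it, when (UTC), how many bytes and their SHA-256, and any failure, and never aborts on a missing tool. The stage names mirror the list above; the `run_cmd` and `collect_in_order` helpers, the examiner name and the Linux commands in `LINUX_SOURCES` are assumptions for the illustration.

```python
import hashlib
import subprocess
from datetime import datetime, timezone

# Order of volatility, most volatile first (RFC 3227 section 2.1); the list index is the stage rank.
VOLATILITY = [
    "registers, cache",
    "routing table, ARP cache, process table, kernel statistics, memory",
    "temporary file systems",
    "disk",
    "remote logging and monitoring data",
    "physical configuration and network topology",
    "archival media",
]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def run_cmd(argv, timeout=30):
    """Run a collection command; returns (stdout bytes, error or None).
    Never raises: a missing tool or a timeout is recorded in the log instead of
    stopping the collection."""
    try:
        p = subprocess.run(argv, capture_output=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return b"", f"{argv[0]}: {exc}"
    if p.returncode != 0:
        return p.stdout, f"{argv[0]}: exit {p.returncode}: {p.stderr.decode(errors='replace').strip()}"
    return p.stdout, None


def collect_in_order(sources, examiner):
    """sources: (stage_rank, label, collector) tuples, collector() -> (bytes, error).

    Sorted by stage (stable, so same-stage sources keep their given order) and
    returns the chain-of-custody log: one entry per source."""
    log = []
    for rank, label, collector in sorted(sources, key=lambda s: s[0]):
        when = datetime.now(timezone.utc).isoformat(timespec="seconds")
        data, err = collector()
        log.append({
            "stage": rank,
            "stage_name": VOLATILITY[rank],
            "label": label,
            "collected_at": when,
            "examiner": examiner,
            "bytes": len(data),
            "sha256": sha256_hex(data),
            "error": err,
        })
    return log


def stages_nondecreasing(log):
    """True if the log respects the order of volatility."""
    return all(a["stage"] <= b["stage"] for a, b in zip(log, log[1:]))


# Linux collectors for the first few stages, executed only when run as a script.
# Running any tool on the live system is itself a change (a new process, page
# cache activity), which is why both the tool and its output are recorded.
LINUX_SOURCES = [
    (1, "process table", lambda: run_cmd(["ps", "-ef"])),
    (1, "ARP/neighbour cache", lambda: run_cmd(["ip", "neigh"])),
    (1, "routing table", lambda: run_cmd(["ip", "route"])),
    (2, "tmpfs mounts", lambda: run_cmd(["findmnt", "-t", "tmpfs"])),
    (3, "block devices", lambda: run_cmd(["lsblk"])),
]

if __name__ == "__main__":
    import json
    print(json.dumps(collect_in_order(LINUX_SOURCES, examiner="examiner name"), indent=2))
```

Each log entry is one of the "detailed notes with dates and times" the guidelines ask for, and the hash lets the raw output be tied back to the entry later. Registers and CPU cache (stage 0) have no user-space collector and are only reachable through a memory image or a hardware debugger, so no source is listed for them.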
Suryateja Pericherla is at present a Research Scholar (full-time Ph.D.) in the Dept. of Computer Science & Systems Engineering at Andhra University, Visakhapatnam. He previously worked as an Associate Professor in the Dept. of CSE at Vishnu Institute of Technology, India.
He has 11+ years of teaching experience and is an independent researcher whose research interests are Cloud Computing, Internet of Things, Computer Security, Network Security and Blockchain.
He is a member of professional societies such as IEEE, ACM, CSI and ISCA. He has published several research papers indexed by SCIE, WoS, Scopus, Springer and others.