Basics of Cyber Forensics.

Pranav Banerjee
5 min read · Jun 4, 2021

Introduction

In today’s world, almost everything we do is related to or supported by technology in some way. We don’t pay postage in order to send birthday cards and wish someone we love. We simply wish them by sending them a text on messaging apps or sometimes even send them an email. In a similar way, we shop online, we read online, we communicate online, we do our banking and transactions online. All the aspects of our lives are somehow connected to the internet.

Sure, technology has given us great luxury and easy-going lives for the most part. But, where it is good, there is always an evil shadow lurking in the back. In our case, it is cyber crime. Earlier, criminals used knives, guns, and all sorts of tools to perform their thefts and robberies. Now, in the digital age, the mouse and keyboard they own are their greatest weapons, with immense potential to cause damage to life and property. Thus arises the need for a system to catch the hands behind these crimes. This system, in the cyber world, is known as Cyber Forensics. And in this blog, it’s all about forensics. Keeping in mind that this post will be read by readers of all knowledge levels, I will keep this post short, concise, and basic.

What is Cyber Forensics?

Computer forensics is the use of scientifically derived and proven methods towards the preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence derived from digital sources for the purpose of facilitating the reconstruction of events found to be criminal or helping to anticipate unauthorized actions shown to be disruptive to planned operations.

It involves the application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation in a court of law.

Importance of Cyber Forensics

Over 90% of the world’s data is in digital form. Over 56% of cybercrime cases are not reported, due to lack of awareness. Obtaining electronic evidence can be difficult, and there can be issues of authenticity: digital evidence has to be provided in such a way that it is admissible in a court of law.

Computer forensics’ main advantage is its ability to search and analyze a vast amount of information quickly and efficiently and to identify the crucial pieces of data that can be used to assist in the formation of a legal case. A recognized forensics expert is able to produce the data in court by way of a report, something that was previously impossible. A forensics examiner can carry out searches on a hard drive in different languages, which is beneficial because cybercrime can easily cross borders through the internet.

Cyber Forensics Investigative Process

  1. Securing the crime scene: Secure the area containing the equipment, i.e. the crime scene. Secure the entrances and exits to the digital scene. Move people away from the computer and its power supply, since evidence may be contaminated if anyone touches anything. The goal of this phase is to prevent changes to potential digital evidence, which includes network isolation, collecting volatile data, and copying the entire digital environment.
  2. Identifying the evidence sources: Generating a plan of action to conduct an effective digital investigation, and obtaining supporting resources and materials, is part of this phase. It also covers recognizing an incident from its indicators and determining its type, which entails the preparation of tools, techniques, search warrants, monitoring authorizations, and management support. Sources can be anything from a hard disk to a monitor, power supply units, modems, etc.
  3. Documenting the crime scene: Photographs and videos are taken of each piece of digital evidence individually as well as of the crime scene as a whole, and an individual description of each piece of digital evidence is to be made. Each piece of digital evidence that is found during the analysis of the image must be clearly documented. A proper chain of custody has to be maintained. A chain of custody is a form that documents the movement of the evidence from its source to the point when it is presented in court.
  4. Acquisition of the evidence: Analysis should never be done on the original evidence. A copy or image of the seized data is used rather than the original data itself. The storage device is first connected to a “write blocker”, which prevents any bits on it from being altered or modified during the process. The clone of the drive is created on a separate storage device to be examined later. A hash is generated that allows the analyst to later confirm that the image and its contents are accurate and unaltered.
  5. Preservation and transportation: The evidence must be stored at normal room temperature, without being subjected to any extremes of humidity, and free from magnetic influence. During transportation, if done in a car, place the device upright where it will not receive physical shocks. Devices are placed in anti-static bags or in tough paper bags.
  6. Examination and analysis of evidence: Data of significance is not easily available. Evidence is left behind in unallocated space freed by deleted files, in hidden partitions, in slack space, and even in registry entries, all of which are capable of hiding large quantities of data. Steganography can hide documents inside an image or music file. It is up to the investigator to determine what constitutes evidence and what constitutes clutter. A variety of tools exist that assist in identifying and locating specific types of files. The technique is as critical as the selection of the tool. For example, when searching an email archive for messages related to a specific case, string searches can bring up all those that contain specific keywords. A lot of data is created unintentionally, and it has to be analyzed as it may provide significant information.
  7. Report generation: Finally, at the end of a successful forensic investigation, a report is generated that describes the case in detail, contains the list of the pieces of evidence that led to the report, the chain of custody, and all other details that might be of importance to the particular case. This report is admissible in a court of law.
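As an added example (not code from the original post), the following Python sketch walks through steps 4 and 6 above on a constructed sample image: a working copy is taken, its SHA-256 is recorded in a custody record, the copy is re-verified before any analysis, and a keyword search is run over every sector so that hits in unallocated space are found as well. The sample image, the examiner name and all function names are assumptions made for this illustration.

```python
from __future__ import annotations
import hashlib
from datetime import datetime, timezone

SECTOR = 512

# Constructed sample "disk image" (not a real image): sector 0 holds a boot
# marker, sector 1 an allocated file, sector 2 is unallocated space that
# still contains the text of a deleted file.
SAMPLE_IMAGE = (
    b"BOOTSECTOR".ljust(SECTOR, b"\x00")
    + b"invoice.txt: transfer approved".ljust(SECTOR, b"\x00")
    + (b"\x00" * 64 + b"deleted draft: invoice sent to vendor").ljust(SECTOR, b"\x00")
)


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(source: bytes, examiner: str = "EXAMINER-PLACEHOLDER") -> tuple[bytes, dict]:
    """Take a forensic copy and record acquisition hashes in a custody record.
    All later analysis happens on the returned copy, never on `source`."""
    image = bytes(source)
    record = {
        "examiner": examiner,  # placeholder, not a real person
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "size_bytes": len(image),
        "source_sha256": sha256_of(source),
        "image_sha256": sha256_of(image),
    }
    return image, record


def verify_image(image: bytes, record: dict) -> bool:
    """Re-hash the copy before analysis; a mismatch means it cannot be trusted."""
    return sha256_of(image) == record["image_sha256"]


def keyword_search(image: bytes, keywords: list[bytes]) -> list[dict]:
    """Report every occurrence of each keyword with its byte offset and sector,
    scanning the raw image so unallocated and slack space are covered too."""
    hits = []
    for kw in keywords:
        start = 0
        while (pos := image.find(kw, start)) != -1:
            hits.append({"keyword": kw.decode(), "offset": pos, "sector": pos // SECTOR})
            start = pos + 1
    return hits
```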

Final Words…

Please keep in mind that the information provided in this blog is 100% authentic and is used in real-life forensics investigations. That was all for this basic post on cyber forensics. I will be coming up with another blog that will contain all the nitty-gritty details of the investigatory process that I have mentioned here. Till then, I wish you a very safe and secure journey on the Internet!
