Chapter 1
Cyber Forensics:
Its Importance, Cyber Forensics Techniques, and Tools
- Sonali Yadav
Integral University, India
ABSTRACT
Today one of the major difficulties facing all organizations is cybercrime. Cybercrime is any crime related to computers or the internet. Cybercrimes cover a vast range, from sending fake emails to downloading and distributing copyrighted material. Cyber forensics is one of the important branches of computer science; it deals with cybercrime investigation. In this chapter, the author provides an overview of cyber forensics. The chapter focuses on its importance and on some of the techniques and tools used by cyber forensic investigators.
INTRODUCTION
Day by day the number of internet users is increasing, and so is cybercrime. No one realised that the internet could be used to harm mankind. Whenever an organization has found loopholes in its security system, those loopholes have led to a compromise in protecting its vital data. Then the questions arise: how did this happen, and how early can it be prevented from happening again? This is where the role of forensics comes into play. The goal of cyber forensics is to perform crime investigations by using evidence from digital data to find who was responsible for a particular crime (prabhu490730, 2015). The cyber forensic investigator collects and examines all the bits and pieces of information and evidence left behind at the crime scene. The forensic investigator is then responsible for answering the questions of who and what.
It is important to keep in mind that the area of forensics, as it relates to IT, is very broad in nature and involves many sub-specialties. Here we will focus on cyber forensics. Cyber forensics, computer forensics and digital forensics mean more or less the same thing. In this article, we will use the terms cyber forensics and computer forensics interchangeably.
CYBER FORENSICS
Cyber is a prefix used to describe a person, a thing or any idea related to computers and the internet. Forensics means using a scientific process for the collection, analysis, and presentation of the evidence that has been collected. Forensics deals primarily with the recovery and examination of latent evidence. Latent evidence can take many forms, from fingerprints left on a window to DNA evidence recovered from blood stains to the files on a hard drive (An Introduction to Computer Forensics, Infosec Resources). Thus, a formal definition of cyber forensics is:
Cyber forensics is the science of examining, analysing and reporting electronic evidence collected from computers, networks, wireless communications and storage devices. In other words, we define cyber forensics as the discipline that combines elements of law and computer science to collect and analyse data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law by .
Most of the data collected during a cyber-forensic investigation is not easily available to, or seen by, a common computer user. It may comprise items like fragments of data found in the space allocated to existing files, and deleted files on the computer system, which can only be recognised by a cyber-forensics expert. Special skill, practice, and tools are essential for obtaining this type of evidence. At a crime scene, cyber forensics is mainly concerned with three types of data, as follows (New York Computer Forensics).
- 1. Active Data: Active data is the data available on the computer system. This type of data is easily noticeable and can be obtained without any restoration process. The data readily accessible to users includes word-processing files, spreadsheets, images, databases, email messages, program files, and system files used by the operating system. This is the easiest type of data to obtain.
- 2. Archival Data: Archival data is a collection of data that has been moved to a storage medium (like the cloud) for backup and storage. This type of data includes chats, a simple list of files, files organized under a directory or catalogue structure, backup tapes, and entire hard drives.
- 3. Latent Data: Latent data, also known as ambient data, is not easily seen or accessible, even to an expert, at first glance at the scene of a cybercrime. It takes a much deeper level of investigation by cyber forensic experts to unearth it, and specialized software is needed to access it. Obtaining latent data is time-consuming and costly compared to the other two types of data. Some examples of latent data include:
- a) Deleted files or partially overwritten files.
- b) Information which is in computer storage but is not readily referenced in the file allocation tables;
- c) Information which cannot be viewed readily through the operating system or commonly used software applications;
- d) Data which has been purposely deleted and is now located in unallocated space on the hard drive, swap files, print spooler files, or memory dumps;
- e) The slack space between existing files and the temporary cache.
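To make the distinction between active data and the latent data of items (a), (b), (d) and (e) concrete, here is an added example that is not part of the chapter: a constructed 96-byte disk image with 16-byte clusters and a toy allocation table (the file names, contents and cluster layout are all assumptions) from which the same three kinds of data are pulled out.

```python
CLUSTER = 16      # bytes per cluster in the constructed image (an assumption)
N_CLUSTERS = 6

# Constructed allocation table: file name -> (clusters owned, logical size in bytes).
# "report.txt" was deleted: its entry is gone, but clusters 1 and 4 were never wiped.
ALLOC_TABLE = {
    "notes.txt": ([0], 11),
    "log.txt": ([2, 3], 20),
}

def build_image() -> bytes:
    """Assemble the 96-byte constructed image, cluster by cluster."""
    c = [bytearray(CLUSTER) for _ in range(N_CLUSTERS)]
    c[0][:] = b"hello world" + b"KEY=1"        # 11 live bytes + 5 bytes of slack left by an older file
    c[1][:] = b"CONFIDENTIAL Q3 "              # first half of the deleted report.txt
    c[2][:] = b"2024-01-01 login"              # log.txt, cluster 1 of 2
    c[3][:] = b" ok ".ljust(CLUSTER, b"\x00")  # log.txt, cluster 2 of 2: 4 live bytes, 12 zeroed slack
    c[4][:] = b"merger on 5 May "              # second half of the deleted report.txt
    return b"".join(c)                         # cluster 5 stays zero: unallocated and empty

def cluster(image: bytes, i: int) -> bytes:
    """Return the raw bytes of cluster i."""
    return image[i * CLUSTER:(i + 1) * CLUSTER]

def active_data(image: bytes) -> dict:
    """Active data: what the file system shows a normal user, cut at each file's logical size."""
    return {name: b"".join(cluster(image, i) for i in cl)[:size]
            for name, (cl, size) in ALLOC_TABLE.items()}

def slack_space(image: bytes) -> dict:
    """Latent data (e): bytes between a file's logical end and the end of its last cluster."""
    out = {}
    for name, (cl, size) in ALLOC_TABLE.items():
        used_in_last = size - CLUSTER * (len(cl) - 1)  # bytes of the last cluster the file really uses
        out[name] = cluster(image, cl[-1])[used_in_last:]
    return out

def unallocated_clusters(image: bytes) -> list:
    """Latent data (b)/(d): clusters no table entry references; deleted files stay here until overwritten."""
    owned = {i for cl, _ in ALLOC_TABLE.values() for i in cl}
    return [i for i in range(len(image) // CLUSTER) if i not in owned]

def carve_unallocated(image: bytes) -> bytes:
    """Naive carve of a deleted file (a): join non-empty unallocated clusters in disk order."""
    return b"".join(cluster(image, i) for i in unallocated_clusters(image)
                    if cluster(image, i).strip(b"\x00"))
```

Reading only `active_data` shows what a normal user sees; `slack_space` and `carve_unallocated` recover the leftover credential fragment and the deleted report that a user-level view would never show.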
Cyber forensics is all about collecting data and analysing it to prove a crime or a breach of policy. It focuses on obtaining evidence of illegal misuse of computers in a way that could lead to the trial of the guilty. A cyber forensics investigation could involve looking at all three types of data mentioned above, depending on the circumstances; however, investigators are particularly interested in latent data. Software developers often build applications to combat and capture online criminals, and these applications are the heart of cyber forensics.
IMPORTANCE OF CYBER FORENSICS
The digital era in which we live today is prone to cyber threats, and it would be very difficult to extract the kind of evidence required to solve many of the cases brought before the court. Cyber forensic science is an enormously trustworthy and helpful resource needed to try such cases in court. To be able to examine cybercrime carefully, cyber forensics is needed to access the kind of encrypted and buried information that is stored on the hard drive of a computer system and on other storage media. In a world of professional hackers and hacking techniques, it would be impossible to uncover the evidence needed for cyber or non-cyber crimes without this branch of forensic science. Evidence revealed through cyber forensics is subject to the same legal guidelines as all other criminal evidence: it must be legally obtained to be admissible in court. Each country has its own set of guidelines for the use of cyber forensic evidence, and this science has been utilized in some major criminal court cases since the mid-1980s (Emiliogarcia, 2014).
Cyber forensics can be helpful to all types of organizations (for example corporations as well as law firms). If a company has reason to believe that an employee is distributing business secrets or storing illegal content, it might employ a forensic investigator to help build a case against that employee. Sometimes an employee might erase their local data or have unauthorized access to the office servers. If one suspects that a computer device contains evidence that may be important to one's case, it is best to obtain that evidence through a licensed and experienced investigator who is highly qualified in cyber forensics. Hiring a skilled investigator means that the information collected is legally defensible and uncorrupted. All investigators must have strong qualifications and extensive experience on the stand. This is important because the investigator will be called to testify about what they did, their justification for doing it, and the methods they used. A good forensic investigator not only delivers the evidence but knows how to manage their vocal inflection and how to present themselves in front of a judge and jury. Small details like this can profoundly impact a case, making it crucial to partner with investigators who know how to testify (News Team, 2017).