Which of the following types of digital forensic investigations is most challenging due to the on demand nature of the analyzed assets?

Embedded Systems Analysis

Ronald van der Knijff, in Handbook of Digital Forensics and Investigation, 2010

The Future

Forensic investigation of embedded systems has grown out of its infancy and can now be classified as leading edge. Dedicated forensic tools are emerging, papers are being published, and an increasing number of people are getting involved in this area. There is still much work to be done. Low-level acquisition of embedded system memories can be performed by only a few highly specialized forensic laboratories, with the exception of a very limited set of devices that are currently supported by user-friendly tools. There are no standard procedures or test methods for low-level memory acquisition. The few tools for data analysis that currently exist are not good enough to rely on without case-by-case testing on reference devices. Most data analysis needs to be done with ad-hoc methods without much structural basis.

There is a high demand for cooperation with the industry because a lot of time is spent building knowledge about the working and behavior of systems that are designed and built by people who already have most of that knowledge but are not allowed to share it. Fast technological innovations and an increasing demand for more security to protect personal data stored in digital devices require an increase in the amount of resources for investigating these fascinating devices. Although research can improve forensic techniques for analyzing genetic materials like DNA, it is still possible to use existing methods on future traces because the fundamental makeup of the human race is not changing rapidly. Conversely, all current embedded systems will be replaced by different technology within a decade, and ongoing research is necessary to support forensic examination of current and future embedded systems.


URL: https://www.sciencedirect.com/science/article/pii/B9780123742674000082

Information Security Essentials for IT Managers

Albert Caballero, in Computer and Information Security Handbook (Second Edition), 2013

Incident Response and Forensic Investigations

Network forensic investigation is the investigation and analysis of all the packets and events generated on a given network in the hope of identifying the proverbial needle in a haystack. Tightly related is incident response, which entails acting in a timely manner on an identified anomaly or attack across the system. To be successful, both network investigations and incident response rely heavily on proper event and log management techniques. Before an incident can be responded to, there is the challenge of determining whether an event is a routine system event or an actual incident. This requires some framework for incident classification (the process of examining a possible incident and determining whether or not it requires a reaction). Initial reports from end users, intrusion detection systems, host- and network-based malware detection software, and systems administrators are all ways to track and detect incident candidates. [40]

As mentioned in earlier sections, the phases of an incident usually unfold in the following order: preparation, identification (detection), containment, eradication, recovery, and lessons learned. The preparation phase requires a detailed understanding of information systems and the threats they face, so to plan properly an organization must develop predefined responses that guide users through the steps needed to respond to an incident. Predefining incident responses enables rapid reaction without confusion or wasted time and effort, which can be crucial to the success of an incident response. Identification occurs once an actual incident has been confirmed and properly classified as an incident that requires action. At that point the IR team moves from identification to containment. In the containment phase, a number of action steps are taken by the IR team and others. These steps must occur quickly and may occur concurrently; they include notification of key personnel, the assignment of tasks, and documentation of the incident. Containment strategies focus on two tasks: first, stopping the incident from getting any worse, and second, recovering control of the system if it has been hijacked.

Once the incident has been contained and system control regained, eradication can begin, and the IR team must assess the full extent of damage to determine what must be done to restore the system. Immediate determination of the scope of the breach of confidentiality, integrity, and availability of information and information assets is called incident damage assessment. Those who document the damage must be trained to collect and preserve evidence in case the incident is part of a crime investigation or results in legal action.

Once the extent of the damage has been determined, the recovery process begins to identify and resolve the vulnerabilities that allowed the incident to occur in the first place. The IR team must address the issues found and determine whether they need to install, replace, or upgrade the safeguards that failed to stop or limit the incident or were missing from the system in the first place. Finally, a discussion of lessons learned should always be conducted to prevent similar incidents from recurring and to review what could have been done differently. [41]


URL: https://www.sciencedirect.com/science/article/pii/B9780123943972000210

Information Security Essentials for IT Managers

Albert Caballero, in Managing Information Security (Second Edition), 2014

Incident Response and Forensic Investigations


An Agenda for Action when Implementing a Critical Security Mechanism

Without a solid log management strategy, it becomes nearly impossible to have the data necessary to perform a forensic investigation, and without monitoring tools that identify threats and respond to attacks against confidentiality, integrity, or availability, it becomes much more difficult. For a network to be compliant and an incident response or forensic investigation to be successful, it is critical that a mechanism be in place to do the following (check all tasks completed):

_____ 1. Securely acquire and store raw log data for as long as possible from as many disparate devices as possible, while providing search and restore capabilities for these logs for analysis.

_____ 2. Monitor interesting events coming from all important devices, systems, and applications in as near real time as possible.

_____ 3. Run regular vulnerability scans on your hosts and devices, and correlate these vulnerabilities with intrusion detection alerts or other interesting events, identifying high-priority attacks as they happen and minimizing false positives. SIEM and log management solutions in general can assist in security information monitoring (see Figure 1.21), as well as in regulatory compliance and incident response.

Figure 1.21. Security monitoring.

_____ 4. Aggregate and normalize event data from unrelated network devices, security devices, and application servers into usable information.

_____ 5. Analyze and correlate information from various sources such as vulnerability scanners, IDS/IPS, firewalls, servers, and so on, to identify attacks as soon as possible and help respond to intrusions more quickly.

_____ 6. Conduct network forensic analysis on historical or real-time events through visualization and replay of events.

_____ 7. Create customized reports for better visualization of your organizational security posture.

_____ 8. Increase the value and performance of existing security devices by providing a consolidated event management and analysis platform.

_____ 9. Improve effectiveness and help focus IT risk management personnel on the events that are important.

_____ 10. Meet regulatory compliance and forensics requirements by securely storing all event data on a network for long-term retention and enabling instant accessibility to archived data.
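The incident classification problem described in the first excerpt and checklist items 3, 4, and 5 above come together in one piece of logic: normalize events from unrelated sources into a common schema, then correlate each IDS alert with the firewall's decision on the same flow and with the vulnerability scanner's findings for the target host, so that alerts against hosts that are actually exposed are handled first and blocked or unmatched attempts do not consume the IR team's time. The following script is an added example written for this page, not code from the chapter or from any SIEM product; every log line, address, signature id, and finding id in it is constructed, and both line formats are assumptions rather than any vendor's real format.

```python
"""Normalize events from two unrelated sources into one schema, then
correlate each IDS alert with firewall decisions and vulnerability scan
results to rank incident candidates (checklist items 3, 4 and 5).

Added example; not code from the chapter. Every log line, address,
signature id and finding id below is constructed for illustration, and
the two line formats are assumptions, not any vendor's real format.
"""
import re
from datetime import datetime, timezone

# Constructed sample input: firewall decisions in one layout ...
FIREWALL_LINES = [
    "2024-03-01T10:00:01Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dpt=445 proto=tcp",
    "2024-03-01T10:00:09Z fw01 ALLOW src=203.0.113.7 dst=10.0.0.8 dpt=80 proto=tcp",
]
# ... and IDS alerts in a different layout with a different timestamp style.
IDS_LINES = [
    "[1:3002] SMBv1 exploit attempt [Priority: 1] 03/01-10:00:02 203.0.113.7:51200 -> 10.0.0.5:445",
    "[1:2001] HTTP path traversal attempt [Priority: 2] 03/01-10:00:10 203.0.113.7:51234 -> 10.0.0.8:80",
]

# Constructed scanner output: host -> {(port, finding id)} of open findings.
VULN_INVENTORY = {
    "10.0.0.8": {(80, "WEB-TRAVERSAL-0001")},
    "10.0.0.5": set(),
}
# Constructed mapping from IDS signature id to the finding it would exploit.
SIGNATURE_TO_FINDING = {"1:2001": "WEB-TRAVERSAL-0001", "1:3002": "SMB-V1-0001"}

FW_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<action>ALLOW|DENY) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dpt=(?P<dpt>\d+)"
)
IDS_RE = re.compile(
    r"^\[(?P<sid>\d+:\d+)\] (?P<msg>.+?) \[Priority: \d+\] "
    r"(?P<mon>\d\d)/(?P<day>\d\d)-(?P<time>\d\d:\d\d:\d\d) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dpt>\d+)$"
)


def normalize_firewall(line):
    """Firewall line -> common event dict, or None if it does not parse."""
    m = FW_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "source": "firewall", "src_ip": m["src"], "dst_ip": m["dst"],
            "dst_port": int(m["dpt"]), "action": m["action"], "signature": None}


def normalize_ids(line, year=2024):
    """IDS line -> common event dict; this format carries no year, so it is supplied."""
    m = IDS_RE.match(line)
    if not m:
        return None
    hh, mm, ss = (int(x) for x in m["time"].split(":"))
    ts = datetime(year, int(m["mon"]), int(m["day"]), hh, mm, ss, tzinfo=timezone.utc)
    return {"ts": ts, "source": "ids", "src_ip": m["src"], "dst_ip": m["dst"],
            "dst_port": int(m["dpt"]), "action": m["msg"], "signature": m["sid"]}


def classify_alerts(events, inventory, sig_map, window_s=30):
    """Rank each IDS alert as an incident candidate.

    HIGH:   the targeted host has the very finding the signature exploits.
    MEDIUM: no matching finding, but the firewall allowed (or did not log) the flow.
    LOW:    the firewall denied the flow and no finding matches: a blocked attempt
            or a false positive, so it should not pull the IR team off HIGH items.
    """
    firewall = [e for e in events if e["source"] == "firewall"]
    ranked = []
    for alert in (e for e in events if e["source"] == "ids"):
        finding = sig_map.get(alert["signature"])
        vulnerable = finding is not None and \
            (alert["dst_port"], finding) in inventory.get(alert["dst_ip"], set())
        related = [f for f in firewall
                   if f["src_ip"] == alert["src_ip"] and f["dst_ip"] == alert["dst_ip"]
                   and f["dst_port"] == alert["dst_port"]
                   and abs((f["ts"] - alert["ts"]).total_seconds()) <= window_s]
        allowed = any(f["action"] == "ALLOW" for f in related)
        if vulnerable:
            level = "HIGH"
        elif allowed or not related:
            level = "MEDIUM"
        else:
            level = "LOW"
        ranked.append({"level": level, "signature": alert["signature"],
                       "target": f"{alert['dst_ip']}:{alert['dst_port']}",
                       "finding": finding if vulnerable else None,
                       "firewall": [f["action"] for f in related]})
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted(ranked, key=lambda r: order[r["level"]])


def run_example():
    """Normalize the constructed lines and rank the alerts; returns the ranked list."""
    events = [normalize_firewall(l) for l in FIREWALL_LINES] + [normalize_ids(l) for l in IDS_LINES]
    return classify_alerts([e for e in events if e is not None], VULN_INVENTORY, SIGNATURE_TO_FINDING)


if __name__ == "__main__":
    for row in run_example():
        print(row)
```

On the constructed input the path-traversal alert ranks HIGH because the scanner reported that exact finding on the target web server, while the SMB alert ranks LOW because the firewall denied the flow one second earlier and the target has no matching finding. The point of the two normalizers is that the correlation step never has to know which device a record came from; once timestamps are timezone-aware and field names agree, adding a third source is one more parser, not a change to the ranking logic.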



URL: https://www.sciencedirect.com/science/article/pii/B9780124166882000015

Forensics Team Requirements Members

Leighton R. Johnson III, in Computer Incident Response and Forensics Team Management, 2014

Certified Hacking Forensics Investigator

Computer hacking forensic investigation is the process of detecting hacking attacks and properly extracting evidence to report the crime and conduct audits to prevent future attacks. Computer crime in today’s cyber world is on the rise. Computer investigation techniques are being used by police, government, and corporate entities globally, and many of them turn to EC-Council for the Computer Hacking Forensic Investigator CHFI Certification Program. Computer security and computer investigations are changing terms. More tools are invented every day for conducting computer investigations, be it computer crime, digital forensics, computer investigations, or even standard computer data recovery. The tools and techniques covered in EC-Council’s CHFI program will prepare the student to conduct computer investigations using groundbreaking digital forensics technologies.

Computer forensics is simply the application of computer investigation and analysis techniques in the interests of determining potential legal evidence. Evidence might be sought in a wide range of computer crime or misuse, including but not limited to theft of trade secrets, theft of or destruction of intellectual property, and fraud. CHFI investigators can draw on an array of methods for discovering data that resides in a computer system, or recovering deleted, encrypted, or damaged file information known as computer data recovery. To learn more about the CHFI and the EC-Council, visit their web site at www.ec-council.org.


URL: https://www.sciencedirect.com/science/article/pii/B978159749996500011X

iPod, Cell Phone, PDA, and BlackBerry Forensics

Littlejohn Shinder, Michael Cross, in Scene of the Cybercrime (Second Edition), 2008

Frequently Asked Questions

Q: When conducting a forensic investigation of a PDA, what is the first step in the process?

A: As with any forensic examination, the first step is to have permission to seize the evidence that is required for your investigation.

Q: What sort of tools do I use to conduct a forensic examination of a PDA?

A: Most of the forensic tools that work with images will create an image of a PDA file system. The commercial software product EnCase has this capability, as do many others.

Q: If I am preparing to conduct an investigation of a PDA, why must I maintain the charge to the device?

A: Similar to a regular PC, the PDA device has both volatile and nonvolatile information, and if the power is not maintained, there is a possibility you could lose information.

Q: Aren't a PDA and a BlackBerry the same thing?

A: It is not uncommon to make this assumption, and there are similarities, but there are also many differences. The BlackBerry is an always-on device that can have information pushed to it at any time, and unlike the PDA, the BlackBerry does not require synchronization with a PC.

Q: How would I get access to log files on a BlackBerry?

A: Some of the best tools for conducting an investigation of a BlackBerry come from the BlackBerry itself. There is an SDK that can access and collect log files and other information.


URL: https://www.sciencedirect.com/science/article/pii/B978159749276800008X

Jason Sachowski, in Implementing Digital Forensic Readiness, 2016

Employees

The purpose of conducting a forensic investigation is not to find fault or blame in the actions of an employee. However, where an investigation reveals credible facts about the involvement of an employee, based on the nature of the employee’s actions a decision must be made on the most appropriate course of action to deal with the employee. Through consultation with the legal team, organizations can ensure that when it comes time to taking action and dealing with the employee, they do not go beyond the boundaries of their authority or violate any legal rights that could result in unwanted liabilities.


URL: https://www.sciencedirect.com/science/article/pii/B9780128044544000149

Forensic Analysis of Mobile Malware

In Mobile Malware Attacks and Defense, 2009

Step 3: Collection

During this part of the forensic investigation, it is imperative you collect data and potential evidence from the memory devices that are a part of, or suspected to be a part of, the mobile device being investigated. Over 1,500 types of mobile devices are available today and many types of memory devices work with them. The main types that are likely to be encountered include SD (SanDisk), MMC (Multi-Media Card) semiconductor cards, micro-drives, and universal serial bus (USB) tokens.

SD cards range in size from a few megabytes (MB) to several gigabytes (GB), and a USB token can range from a few MB to multiple GB. In addition to seizing and collecting the memory devices, you also have to collect the power leads, cables, and any cradles that exist for the device. Extending the investigation process further, you must collect all types of information, both volatile and dynamic, and give the volatile information priority while you collect evidence, because anything classified as volatile will not survive if the machine is powered off or reset. Once the information has been captured, the mobile device must be placed into an evidence bag and kept on stable power throughout. The evidence bag should be one that restricts radio emissions; otherwise, a radio blocker should be used.


URL: https://www.sciencedirect.com/science/article/pii/B9781597492980000094

Determine Collection Requirements

Jason Sachowski, in Implementing Digital Forensic Readiness, 2016

Correlation and Association

Digital evidence gathered during a forensic investigation, traditionally considered the primary record or indication of an event, is used to establish the details of what happened during an incident. It includes, but is not limited to, system, audit, and application logs, network traffic captures, and metadata.

For quite some time, the scope of a digital crime scene was somewhat limited to only the computer system(s) directly involved in the incident itself. However, today most organizations have environments that are made up of interconnected and distributed resources where events on one system are frequently related to events on other systems. This requires that the scope of an event be broadened outwards to include all systems that would be—in some form or another—involved in the incident.

With the expansion of the investigative scope, establishing a link between the primary evidence sources is needed so investigators can determine how, when, where, and by whom events occurred. To provide this additional layer of details, consideration needs to be given to other supporting data sources that can be used to establish the links between the content and context of digital evidence.

Under the chain-of-evidence model methodology, illustrated in Figure 7.1 below, each set of discrete actions performed by a subject [6] is placed into a separate group based on the level of authority required to execute them. It is important that each group of actions in the different sources of digital evidence is linked to the adjacent action group so that the entire chain of evidence is complete.

Figure 7.1. Chain-of-evidence model applied to the contextual awareness model.

The ability to create a link between the various data sources is crucial for organizations to establish a complete chain of evidence and enhance their analytical capabilities by getting a better overall understanding of the incident. Using a chain-of-evidence model allows organizations to better plan for a complete trail of evidence across their entire environment. Following this model requires thinking in terms of gathering digital evidence in support of the entire chain of evidence instead of as individual data sources that may or may not be useful during the processing phase of the forensic investigations.
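The linking step the model describes can be made concrete: each evidence source is assigned an authority level, records at adjacent levels are linked when the later action was performed by the identity the earlier action handed off to and falls within a time window, and a chain that reaches the top level answers how, when, where, and by whom in one trail. The script below is an added example for this page, not the book's own code. The three authority levels, the records, the user names and hosts are all constructed, and the "hand-off" linking rule is an assumption of this example rather than part of the model as the book states it.

```python
"""Link action groups from separate evidence sources into a chain of
evidence, following the chain-of-evidence model described above.

Added example; not the book's own code. The three authority levels, the
records, user names and hosts are all constructed for illustration, and the
"hand-off" rule used to link adjacent groups is an assumption of this example.
"""
from datetime import datetime, timedelta

# Authority levels in ascending order; each evidence source is assigned one.
LEVELS = ("user", "privileged", "system")

# Constructed records, already reduced from raw logs to a common shape.
# "subject" is who acted; "becomes" is the identity the action handed off to
# (e.g. sudo to a service account), defaulting to the subject itself.
EVIDENCE = [
    {"source": "vpn-gateway", "level": "user", "ts": "2024-03-01T07:00:00",
     "subject": "asmith", "where": "vpn-gw", "what": "login from 198.51.100.4"},
    {"source": "vpn-gateway", "level": "user", "ts": "2024-03-01T09:58:00",
     "subject": "jdoe", "where": "vpn-gw", "what": "login from 203.0.113.7"},
    {"source": "host-audit", "level": "privileged", "ts": "2024-03-01T10:02:30",
     "subject": "jdoe", "becomes": "postgres", "where": "db-01", "what": "sudo -u postgres -i"},
    {"source": "db-audit", "level": "system", "ts": "2024-03-01T10:03:10",
     "subject": "postgres", "where": "db-01", "what": "COPY customers TO '/tmp/out.csv'"},
    # Unrelated routine activity, far outside any window: must not be linked.
    {"source": "db-audit", "level": "system", "ts": "2024-03-01T18:00:00",
     "subject": "postgres", "where": "db-01", "what": "VACUUM"},
]


def ts(event):
    """Parse the record's ISO-8601 timestamp."""
    return datetime.fromisoformat(event["ts"])


def links(earlier, later, window):
    """Adjacent groups link when the later action is performed by the identity
    the earlier action handed off to, after it and within the time window."""
    handed_off = earlier.get("becomes", earlier["subject"])
    delta = ts(later) - ts(earlier)
    return later["subject"] == handed_off and timedelta(0) <= delta <= window


def build_chains(events, window=timedelta(minutes=10)):
    """Start one chain per lowest-level action and extend it upward one level
    at a time, taking the earliest linkable action at each level. A chain that
    stops short of the top level is incomplete: a supporting source is missing."""
    by_level = {lvl: sorted((e for e in events if e["level"] == lvl), key=ts)
                for lvl in LEVELS}
    chains = []
    for start in by_level[LEVELS[0]]:
        chain = [start]
        for lvl in LEVELS[1:]:
            nxt = next((e for e in by_level[lvl] if links(chain[-1], e, window)), None)
            if nxt is None:
                break
            chain.append(nxt)
        chains.append(chain)
    return chains


def describe(chain):
    """When / who / where / how, one line per link, for the investigator's notes."""
    return [f"{e['ts']} {e['subject']}@{e['where']} [{e['source']}]: {e['what']}"
            for e in chain]


if __name__ == "__main__":
    for chain in build_chains(EVIDENCE):
        status = "complete" if len(chain) == len(LEVELS) else "incomplete"
        print(status, *describe(chain), sep="\n  ")
```

On the constructed records the jdoe login links to the sudo on db-01 and from there, via the hand-off to the postgres account, to the database export, giving a complete three-link chain; the asmith login finds no privileged action it can hand off to and stays a one-link chain, which is exactly the gap the book warns about when a supporting data source has not been planned for.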


URL: https://www.sciencedirect.com/science/article/pii/B9780128044544000071

Dropbox Analysis

Darren Quick, ... Kim-Kwang Raymond Choo, in Cloud Storage Forensics, 2014

Collection

One of the basic tenets of a digital forensic investigation is the ability to conduct analysis on a forensic copy, rather than interacting with or altering the original source (ACPO, 2006; NIJ, 2004, 2008). For this research, a forensic copy was made of each virtual hard drive (vmdk file) using AccessData FTK Imager CLI 2.9.0 in the E01 container format. A forensic copy of each memory file (vmem) and network capture (pcap) file was made in the AccessData Logical Image (AD1) format, and an MD5 hash value for each original file was calculated and verified against each forensic copy.
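The hash verification in the paragraph above is the step that lets an examiner later prove that the copy analysed is bit-for-bit the original. The script below is an added example for this page, not the authors' code or FTK Imager's: it hashes original and copy in fixed-size chunks so that multi-gigabyte images never have to fit in memory, records MD5 as the paper does alongside SHA-256 (an assumption added here, since MD5 alone is no longer a strong integrity check), and shows a one-byte alteration failing verification. File names and contents are constructed.

```python
"""Verify a forensic copy against its original by hashing both in chunks.

Added example; not the authors' code. The chapter records an MD5 for each
original and checks it against the forensic copy; this helper does the same
and also computes SHA-256. File names and contents below are constructed.
"""
import hashlib
import os
import shutil
import tempfile


def hash_file(path, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Return {algorithm: hexdigest} for a file, reading it in chunks so that
    multi-gigabyte images never have to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_forensic_copy(original, copy):
    """Hash original and copy and report whether every digest matches."""
    orig = hash_file(original)
    dup = hash_file(copy)
    return {
        "original": original,
        "copy": copy,
        "original_hashes": orig,
        "copy_hashes": dup,
        "verified": orig == dup,
    }


def manifest_line(result):
    """One line for a verification log, suitable for the case notes."""
    status = "VERIFIED" if result["verified"] else "MISMATCH"
    return "{status} {copy} md5={md5} sha256={sha256}".format(
        status=status, copy=result["copy"], **result["copy_hashes"])


def demo():
    """Create a constructed 'memory image', a faithful copy and a copy with
    one byte altered; return the two verification verdicts (True, False)."""
    workdir = tempfile.mkdtemp()
    try:
        original = os.path.join(workdir, "vm.vmem")
        with open(original, "wb") as fh:
            fh.write(b"constructed memory image bytes\x00" * 4096)
        good = os.path.join(workdir, "vm.vmem.copy")
        shutil.copyfile(original, good)
        tampered = os.path.join(workdir, "vm.vmem.tampered")
        shutil.copyfile(original, tampered)
        with open(tampered, "r+b") as fh:
            fh.seek(0)
            fh.write(b"X")  # a single altered byte is enough to fail verification
        return (verify_forensic_copy(original, good)["verified"],
                verify_forensic_copy(original, tampered)["verified"])
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())
```

Computing several digests in one pass over the file costs little extra I/O, and writing the manifest line at verification time, rather than reconstructing it later, is what makes the record defensible.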


URL: https://www.sciencedirect.com/science/article/pii/B9780124199705000041

Evidence Management

Jason Sachowski, in Implementing Digital Forensic Readiness, 2016

Introduction

Evidence is a critical component of every digital forensic investigation. Whether it is physical or digital, the methodologies and techniques used to gather, process, and handle evidence ultimately affect its meaningfulness, relevance, and admissibility. Appropriate safeguards must be present during all investigative work to provide an acceptable level of assurance that the life cycle of evidence is forensically sound [1].

Following the high-level digital forensic process model outlined in chapter “Investigative Process Models,” each phase of the investigative workflow will be examined to determine and establish the requirements for managing evidence through its lifetime.

Similar to how the CIA triad (confidentiality, integrity, and availability) outlines the most critical components for implementing an information security program, the APT triad (administrative, physical, and technical) describes the most critical components for implementing information security controls in support of digital forensic investigations.


URL: https://www.sciencedirect.com/science/article/pii/B9780128044544000034
