Digital Forensics Investigations Data Sources

Digital forensics investigation is a process if identifying, extracting, and preserving multiple legal data sources, such as files, meta-data, passwords, etc. in order to deal with digital crimes made with the use of IT infrastructure. Nowadays, the IT system has become more complex than ever before. Thereby, forensics investigations of digital crimes involve various primary and secondary data sources, whose prioritization depends on the type of the digital event. Hence, the current paper assesses four different sources of data that could be used in a digital forensics investigation serving as the data sources for the following events: insider file deletions, malware installations, network intrusions. This data sources include the following: Internet service provider records, network-attached storage, virtual machines, and HDD. With the purpose of gaining evidence, these data sources can be used in the process of digital forensics investigation. However, depending on the type of occurring event these data sources may have different prioritization levels, which will be further discussed.

Digital Events Description

Before assessing various data sources for digital forensics investigation, it is necessary to provide a description of events. At the same time, the way the data are prioritized depends on the type of the event that occurred. As it was mentioned before, the main events are: network intrusions, insider file deletions, and malware installations.

Network intrusion

Intrusion to a network is a process of receiving an unauthorized access to a computer network. Such illegal access usually has significant negative influence on the organization that was hacked. During such attacks, the organization’s hardware, as well as software, can be negatively affected (for example, damaged). For instance, necessary files can be deleted or altered, while hardware can be destroyed or damaged. Hence, network intrusion types can be divided into the following three groups: Denial of Service (DoS) Attack, Penetration Attack, and Scanning Attack (Bijone, 2016). DoS attack is focused on denying the legitimate access to computer network and involves a shutdown of a system operational flow. These attacks mainly affect the company’s software. Next, penetration attacks are based on gaining the unauthorized control of a system by an attacker, who further modifies or alters the current state of the system, downloads secret information, etc. In general, penetration attacks involve the installation of viruses or malware in the system. Unlike the previous two types of attacks, the scanning attack is typically considered a legal activity, which involves the identification procedures by network, vulnerability and port scanners. However, in most cases criminals use a scanning attack in order to identify the following information about the potential victim: firewall, network topology, type of the system, software, hosts, operating system and server applications that are currently running.

Malware Installations

Malware and related attack tools are referred to as a network intrusion. However, their role in many of today’s digital investigations is significant; thereby, they should be discussed separately. Malware is usually used for cybercrimes, such as financial fraud, industrial espionage, etc. It takes a form of viruses, worms, spywares, and Trojans, which are installed on the computer via the Internet or by means of a physical information carrier. For instance, malware can infect the IT system when being downloaded from an e-mail or web site. The criminals using it can capture critical information, i.e. usernames, passwords, keystrokes, etc.

Insider File Deletions

Insider file deletions can be carried out by insiders, who have an access to organization’s assets. For instance, it could be employees, visitors, vendors, or contractors. Due to their familiarity with the company’s processes and systems, these individuals can delete important files or copy secret information for their personal use.

Internet Service Provider Records

Data Source Description

Internet Service Provider records are the first type of analyzed data sources. These records can provide much information about the criminal. For instance, logs and records are preserved by the Internet service provider and could be further used for the purposes of investigating the digital crime. Some other kind of valuable information that could be used in the court includes e-mail addresses, names, paid account holders, credit card numbers, other information about banking accounts, etc. (Brown, 2015). Besides, IP addresses associated with the investigating activity can help to define the computer, which was used to make a connection.

Challenges of Collecting Data

Consequently, network intrusions, malware installations, and insider file deletions are illegal activities, and digital forensics investigators should pay attention to choosing the proper sources of data in order to ensure the highest level of evidence. There are multiple primary and secondary sources that can be analyzed in the course of digital crime investigation. However, there are several challenges associated with collecting information for this purpose. Appropriate information can be unavailable for investigators. For instance, internet service providers carry different amounts of information about their customers, and some of them may have no capacity to record network activities. As a result, some useful data may not be discovered.

Moreover, legal issues constitute common challenges for all data sources discussed in this paper. It is evident that in order to avoid civil liability and carry out successful prosecution, investigators should implement appropriate procedures of data collection and obtaining evidence from the collected information. Hence, various legal requirements may be applied to the forensics investigation process, i.e. industry-specific acts, statutory provisions, policies and procedures concerning investigations, as well as constitutional standards. For instance, there is a conflict between balancing the issues of privacy and law enforcement. Hence, in order to remain legal and ensure the appropriate information presentation in the court, forensics investigators should pay more attention to the way information is collected. Thereby, forensics investigation must be carried out in a proper manner in order to recover evidence and should not include any illegal activity related to the data collection. For this purpose, investigators are recommended to use Internet service providers before actually serving legal process. This will help to obtain the information about data and develop proper documentation, which in turn, will allow considering special circumstances and requirements.

Sources Prioritization

Regarding the collection and examination of different sources, Internet service provider records can be used as a primary data source for investigating the network intrusion and malware attacks. Due to the fact that these records include information about the person’s IP address the day and time of activity, and address used to make the connection, they are of great value for the forensics investigation. In case of the outside attack, these records allow defining the origin of the attacker. Moreover, records related to the firewall logs and network traffic can help investigators to get a clear idea of the attack origin and define the source of network intrusion.

Virtual Machines

Data Source Description

The next data source includes Virtual Machines, which have been in use in the last few decades. The virtual machine is based on the concept of allocating an outside software app that acts as physical computer. The application of the Virtual Machine (“guest”) should be installed on the host computer, which is an actual machine. To put it simple, it can be described as a virtual computer, which is running inside a physical machine. Virtual Machine is stored in a set of files, such as virtual machine configuration (.vmx), snapshot of the virtual machines’ memory (.vmem), etc. (Hirwani, Pan, Stackpole, & Johnson, 2012), can be easily restored if it is destroyed. For instance, nowadays EnCase is the most popular software for computer investigation. It allows not only recovering deleted files, but also identifying the known files, making timelines of file activity, and providing graphic images. This tool allows analyzing multiple system formats, such as CD-ROMs, DVDs, FAT, NTFS, HFS+, UFS, Ext2/3, Reiser, and JFS.

Challenges of Collecting Data

Because of relocating systems and services to cloud environments the users of Virtual Machines lose direct control over their computer equipment and, thereby, become highly dependent on the outside services. The main challenge of using the virtual machines for data collection lies in their nature. As an example, the resuming process can result in changes in files that are located on the hard disk, which may become a reason of destroyed evidence. As Hirwani et al. (2012) stated there are two ways of using Virtual Machines in forensics analysis. First, it is necessary to resume the work of suspended Virtual Machines. It can be done by implementing normal procedure, which will help analyze the machine. The second way is based on the analyses of the Virtual Machines files without its resuming. However, after resuming the suspended Virtual Machine, there remains a risk of losing unsaved information, if the snapshot of the system was not created. In fact, the application programming interface of the Cloud Service Provider is not transparent, which interferes with the forensic investigations (Naaz & Siddiqui, 2016). Hence, one of the greatest challenges of investigating Cloud data is the fact that Virtual Machines are hard to identify. For instance, they may include numerous data stores situated in different parts of the world. Due to the fact that data can be dynamically stored and routed between these locations, investigator could face certain difficulties while identifying its precise location.

Next, due to the distributed nature of the Cloud computing environment, it could be impossible to analyze data on Virtual Machines that belongs to an association of criminal organizations involved in the accident. Moreover, it might also be hard to get a lawful access to Cloud-based data, since modern law does not provide a clear process for doing so. As a result, there are still no standardized criminological procedures and models that could provide the best practices for forensics investigation in the Cloud computing environments.

Sources Prioritization

In order to prevent the information loss in the case of a crime or any other incident, the administrator of the Virtual Machine should usually make a snapshot of the system to preserve data. This data can be further used for the purposes of the forensics analysis. Hence, Virtual Machines serve as a primary data source for investigating insider file deletions, network intrusions, and malware installations. Hence, in the case of insider file deletions, the success of data recovery from the Virtual Machines will depend on the severity of the fragmentation and method of deletion.

Hard Disk Drive

Data Source Description

The hard disk drive (HDD) is the third data source in digital forensics investigation. It is a non-volatile data storage device. HDD can be either external or internal for a computer. Nowadays their maximum sizes currently vary in the range of 1TB. After deleting file information about its date of creation and modification, sector, path and other elements are also erased. In its turn, Windows system is informed about the fact that there is an additional space available for recording where the previous file was kept. Hence, new files can be recorded to the available space. However, even if these files are not as large as the deleted file and thereby, do not take all the available space in the sector, this file can still be recovered with the use of forensic software. Nowadays, there are multiple types of forensic software that can be used for the detection of deleted or lost hard disk partition, recovery of data on the hard disk, etc. Among the most popular software, the following platforms should be highlighted: X-Ways Forensics, SANS Investigative Forensics Toolkit – SIFT, EnCase, CAINE, Registry Recon, and some others (Infosec Institute, 2017). There are two types of providing data acquisition from the HDD: dead acquisition and live acquisition. When using the first acquisition type, investigator just makes copies of data. In this case, the suspect operating system does not provide any assistance. On the other hand, a live acquisition uses the suspect operating system to copy data.

Challenges of Collecting Data

In comparison with other data sources, hard drivers are the most stable storage devices in the computer system. The main challenge of using hard drivers for data recovery is that after a certain period of time required files can be entirely overwritten. Besides, malware attacks can also involve the installation of viruses on the hard disk, which will delete important information and, thereby, make the file recovery impossible. Further, they are also vulnerable to insider file deletion. For instance, criminals can also use special software, which can overwrite data immediately, and make it impossible for forensics experts to access the data storage. Consequently, there are two methods of gaining access to data available on the hard disk. The first method is based on accessing the HDD directly via the software of the operating system. The second method is based on  Basic Input/Output System (BIOS). Such system allows the operating system software accessing the hard disk. In this case, method involving BIOS seems to be more appropriate, even though it has some drawbacks. For instance, BIOS might bring back the incorrect information about the disk and as a result, provide access to a smaller data set than the HDD really has.

Sources Prioritization

Hard drivers can be used as a primary source for malware detection due to the features of malware infection process. For instance, in order to influence the computer system, a virus must write an executable file into it and alter other system files, which will allow it to persist and proliferate. As a result of these manipulation changes to the registry, file allocation tables and other data can be retrieved from the hard disk. Similarly, hard drivers are the primary source for insider file deletion, since the use of special software allows recovering the deleted files. However, in many cases a backup is the only available data, since investigators are not able to recover all data or gain access to all the temporal data. For instance, the last system backups can provide information about the last person who accessed the system and whether this person was an attacker. On the other hand, in case of the network intrusion, hard drivers can be physically damaged, which will not allow retrieving any appropriate information from them.

Network-Attached Storage

Data Source Description           

The network-attached storage (NAS) is the final data source described in this paper. It transfers data between computers and other storage components (Tate, Beck, Ibarra, Kumaravel, & Miklas, 2016) and includes two layers. The first layer is the communication infrastructure providing physical connections, and the second layer includes management, which is responsible for organizing the connections between computer systems and storage components. This ensures that the process of data transfer is secure and robust. NAS is mainly manufactured as a computer appliance, which stores and serves files for the network (CTI Reviews, 2016). Network can include different devices. Some of them are routers, laptops, PCs, access points, printers, etc. It is based on the use of special devices such as Network Attached Storage (NAS), Windows File Server, and Storage Area Network (SAN), which include communication infrastructure providing physical connections, computer systems, and other storage components responsible for connecting processes. These data-storage systems provide shared data to the computer network. Hence, because in many cases considerable part of information is shared among people, it could be further be retrieved for the forensics purposes from the network storage.  In turn, storage devices are also connected through a special storage area network, which provides an access to consolidated data storage (CTI Reviews, 2016). These storage devices are not accessible via local area networks, thus investigators need to gain additional level access.

Challenges of Collecting Data

Using NAS storage is also challenging as it is an insecure data source for data forensics. Since NAS storage systems run operating systems of their own, it is impossible to get a low-level outside access to the HDD used in a NAS unit. Hereby, forensics investigators should take these HDD out and perform low-level acquisition.

For instance, a file located on the network storage device may be too large and too difficult to analyze, making it impossible to recover appropriate data from the network storage. Moreover, insiders, who aim to interfere with the outside information flow, may even destroy network storage volumes or permanently delete files. Besides, despite the fact that deleted files can be recovered with the use of forensic software, there are instances when such procedures are limited. Thereby, storage area networks can become a major target for insider file deletions.

Network storage is a primary data source in the case of insider file deletions, since in this case, deleted files can be recovered from a network storage device. For example, after recognizing that a file was deleted from a folder in the network, it is necessary to select a snapshot of the previous version of the system. In this case, all files will be retrieved and available for further investigation. Additionally, in regard to the digital forensics investigation practice, it should be noted that investigators require receiving a permit from network storage owners in order to gain access to the data storage. On the other hand, if data access is not profitable for them, they could forbid it. In this case, forensics investigation should receive a court order that will require network storage owners to provide data access. However, this step is likely to take a lot of time, so that all important information might be deleted or altered before investigators gain access to it.

Conclusion

Consequently, digital forensics investigators can use multiple data sources in order to investigate cyber crimes. This document described such important processes as network intrusions, insider file deletion, and malware installations. All of them are responsible for providing both primary and secondary data sources necessary in the process of forensic investigations. Thus, network intrusions can be examined with the use of the data provided by Virtual Machines and Internet Service Provider records. Malware installation can be examined by hard drives, Internet service provider records and Virtual Machines. Finally, deleted files recovery belongs to the network storage and hard drivers. A common challenge for all data sources lies in legal requirements, since investigators should balance the private information and the need to investigate the crime.

Related Free Technology Essays

• Attitude, Involvement, and Entertainment: Layar Mobile Application
• Success Factors in Agile Project Management
• Areas of Need
• Technology