Sources of data for digital forensics include storage media, file systems, and network equipment, among others. The data sources differ according to cases. Investigators can focus on account audits, live data systems, and intrusion detection systems to understand usage and trace intruders, until identification occurs.
Internet service provider (ISP) records, virtual machines, and network drives are also sources of data for digital forensics. This paper discusses the primary sources of digital forensic data for handling network intrusions and malware installations, as well as instances of insider file deletion.
It discusses the merits and demerits of each source, and then decides the best way for investigators to conduct investigations and deliver court-admissible evidence.
Digital forensics deals with the identification, extraction, analysis, and presentation of digital evidence present in digital devices. Appropriate tools and techniques must be used to succeed in digital forensics operations. Forensic investigations begin with data collection.
They then examine the collected data, analyze it, and report it to the relevant offices. In the first step, the investigator deals with the media that hosts the data. In the second step, examination happens to the data itself, which yields information that becomes usable for the analysis part.
Finally, the investigators come up with a report that serves as evidence. The above template on digital forensics is used in this paper to evaluate four primary sources of data that would be useful for digital forensics in network intrusion, malware installation, and insider file deletion.
The paper discusses the basic elements of each type of compromise, before considering its four primary sources of data that an investigator would find appropriate for presenting evidence.
Network intrusion happens when unauthorized persons can communicate over a network and receive feedback in the form of data that is usable. The unwanted communication can lead to loss of sensitive information from organizations or individuals. Intruders can steal, delete, or alter formation to affect its integrity.
They can issue instructions for hardware or software to operate abnormally. At the same time, network intruders may only view information and then use it as part of their strategy to attack an individual or an organization in other ways, such as blackmail.
Sources of data for network intrusion, according to priority
The primary sources of data for network intrusion forensics investigation are the intrusion detection system, account auditing, live system data, and ISP records.
Intrusion detection systems
In the first case, network administrators reconfigure intrusion detection systems specifically to monitor network vulnerabilities. The area of focus depends on prior exposures of the network to intruders.
With the dedicated monitoring, it is possible to collect adequate information about an intrusion without crippling other functionalities of the network. Thus, the attacker will be unaware of the tracking system and will intrude into the primary system to carry out a given digital crime.
The intrusion detection system can be automatic. Here, it will respond to any abnormality in network traffic by alerting administrators and increasing surveillance of a potential attack. Such a system relies on signature matching.
It actively searches the network connection and activities of users or devices on the network to identify abnormalities and provide an alert whenever an incident matches the rules of an attack.
Skilled attackers can fool the system with fake signatures to cause a false alarm and distract the network surveillance officers. The only way to cope with intruders using the method is by ensuring that it has the latest software and hardware updates.
Account auditing comes in handy when administrators want to detect an intrusion after it has happened. The post-detection capabilities make the method preferable for presentation of network intrusion evidence.
It works through the delivery of information that allows investigators to preserve evidence, reconstruct the crime, and trail an intruder. At the same time, account auditing ensures that there is a match between intruders’ profiles and then register unauthorized usage attempts on the network.
All networks should have asset control mechanisms that combine technical and administrative controls. They ensure that access is monitored through identification and authentication of users.
Given that the security of the network depends on different nodes, focus on auditing should also be on all the nodes to maintain integrity. Network resources must require users to use strong authentication to deter opportunistic intruders and to make evidence of an actual intrusion to stand out.
Live system data
Live system data provides logs that investigators use to create a map of an intruder’s activities on their network. They may then use the time-stamped map to corroborate other evidence about an intrusion.
For example, a sniffer log can offer records of backdoor intrusions and attempts to force passwords to access administrator privileges in a number of computers connected to the network.
With live system data, the aim of the investigator is to capture information concerning volatile data that may disappear when a device powers off or it is disconnected from the network. Investigators use specialized tools that automate the process to achieve their objective.
However, when logging of access and monitoring of users on computers does not accompany accurate identification of sources of the logs, then evidence captured as live system’s data may end up being invalid in court because it cannot attribute a given action to a person purported to have intruded on the network with accuracy.
Records from ISP
When investigators exhaust the data sources within the organization, such as the three identified above, they can move on to seek assistance from service providers. Many ISPs monitor network usage to enforce fair usage policies and to increase compliance with security protocols.
Therefore, ISPs can avail names, emails, mailing addresses, and specific usage records, such as the identification of devices that connect to their networks. An important challenge that investigators may face when seeking to collect data from ISPs is the need for a subpoena.
At the same time, the information captured by ISPs may be in a format that is only used by the organization. This would introduce new interpretation barriers when the information is presented as evidence in court. Moreover, some details may be lost during interpretation.
Malware can emerge from a number of sources and cause damage to computer systems. Detection relies on the identification of the point of installation to the computer system before the malware makes changes (Aquilina & Malin, 2010).
With different types of malware, investigators need to be aware of the installation options that hackers and other intruders can use to fix malware and prevent detection by the computer system or its user. The use of anti-virus programs can help to detect potential intrusion and remove malware from an infected system.
The anti-malware program will vary according to the capabilities of taking out rootkits, spyware, worms, and viruses, which are all categories of malware. For malware installation, evidence can come from live system data, intrusion detection systems, virtual machines, and infected, corrupt files (Aquilina & Malin, 2010).
Sources of data for malware installation according to priority
Live system data
The live system data is helpful when an investigator wants to tell when malware was installed on a computer.
The investigator will look at all the traffic that is coming into and leaving the computer and then deduce whether it is normal or abnormal, according to previous user statistics under the same circumstances (Brand, Valli, & Woodward, 2010). Investigators may use the various vulnerability access tools to detect abnormal network traffic.
Standard tools include Nmap, which is a network mapping tool that helps one discover connections that a computer is making to a network (Aquilina & Malin, 2010).
For detailed reviews, commercial software comes handy because it is specially made to provide reports on the status of network routing tables, system drivers, and running processes on a computer.
One challenge facing live system data usage is the fact that malware evolves in its design and installation methods. Therefore, investigators must be keen on following clues presented by the data, even if they do not make sense at the initial look.
Intrusion detection system
A second source of data is an intrusion detection system installed on computers. A good example is an anti-malware program or a firewall that monitors computer activities of users and programs. It keeps logs and shares them with databases filled with information about possible intrusion pathways.
When an action or request violates the system’s policy, the user or the system administrator flags it for further review. At the same time, the administrator could make explicit instructions for the intrusion detection system to follow when dealing with actual malware installation incidences.
The data captured by the system, which can include the identity of malware and origin, is then presented as evidence. It can help to exonerate computer users from accusations of malice (Maras, 2014).
Virtual machines serve as forensic data sources when there is a need to show that a computer has been compromised, or to trap a malware and study its behavior.
Virtual machines operate like ordinary computers, but they have limitations on file access and can be installed or uninstalled with ease, without affecting current computer usage capabilities.
When investigators are interested in behavioral malware analysis, they opt for virtual machine setups that may utilize different platforms and offer customized environments without requiring the investigator to acquire actual computers (Nelson, Phillips, & Steuart, 2010).
During the observation process, investigators can use ordinary forms of collecting evidence on computers such as logging and taking screenshots that will aid in further interpretation of outcomes and help to explain malware actions when presenting evidence.
Although virtual machines are handy at collecting data, they may show signs to malware programs such that the malware stops behaving as it would in an actual computer environment. This limitation prevents investigators from finding out the real extent of exploits that malware installations pose.
Compromised or infected files
Another source of data for reporting malware installation is the compromised files that exist on the computer. Infected files do not behave like normal files, and they may consist of data that is corrupted. Investigators will use the patterns of data corruption to identify a given malware type.
However, the method is not very reliable because most data collected this way is volatile and can change when transferred to other systems.
Presenting evidence in such cases may require investigators to provide the entire computer system to maintain the integrity of proof, rather than copying data and move it to other systems using portable drives (Nelson, Phillips, & Steuart, 2010).
Insider File Deletion
Some network or database intrusions are due to insiders and detection is usually hard because insiders are already aware of the various security measures implemented by an organization to fight unauthorized access (Schwartz, 2011).
Sources of data for insider file deletion according to priority
Live system data
The first and most appropriate way to get evidence for insider file deletion is by using live system data. There is evidence left behind when there is an intrusion into a computer system, in what experts equate to broken windows in physical break-ins.
The broken window principle applies to file systems, where investigators evaluate file-access patterns on the victim’s computers. It is a fact that computer users will use a given set of files frequently and leave others untouched. Therefore, detectors can just analyze usage patterns and check for anomalies.
For example, when insiders are deleting files, they are likely to remove a whole set of files to ensure that their target data is destroyed. Meanwhile, user authorized deletion will mostly only cover a particular range of files or a single file at a time.
Investigators use probability and statistics to reconstruct timelines of computer usage to understand people’s actual behavior. Thus, an examiner will look at the directories and the subdirectories and note their time-date stamps of access to form a continuous outlook of a user authorized and unauthorized access.
The evidence presented by the timeline analysis can then serve to identify unwanted deletion, because it only relies on logs, such MAC timestamps that record recent file modification and not particular device identities (Grier, 2011).
Another source of information is hard drives, where investigators are interested in non-volatile system data. The first step is to come up with an exact copy of a hard drive picked from a computer or networks that had the insider file deletion.
Without making a copy of the hard disk, the investigator may end up interfering with the only source of evidence and make it invalid. At the same time, the collection of information from hard drives will only be possible when the information in question is non-volatile.
Third-party applications are capable of reconstructing master file tables on the hard disk to make it possible to recover deleted files. The option is only available when the old file is not overwritten entirely by a new file.
However, it is easy to infringe the technology; a smart computer user may use sophisticated software to delete files and its evidence by overwriting data immediately after the initial deletion.
In addition to the computer hard drives, investigators may use network drives as additional sources of evidence. Network drives allow users to access the same files simultaneously and share the same files. Some network drives may contain copies of files that are located on all the computers connected to a network.
In such situations, the investigator will verify the integrity of a folder on a user’s computer by checking whether it corresponds to the folder stored on the network drive. In other cases, network drives have unique information logs that are stored as non-volatile data for every computer connected to the network.
This can be another source of digital evidence. Most importantly, investigators can use file recovery tools to reconstruct the pathways and find deleted files. However, the same shortcomings highlighted when discussing hard drives will be present when analyzing network drives.
In many cases, the hardware is the same; it is only the deployment architecture that differs between the two. Additionally, the same principles applied to the network or computer hard drives would apply to any storage media installed in systems or used as a periphery device.
First, the media has to be cloned to avoid tampering with evidence, which would make it unusable (Al-Hajri & Williams, 2007).
Audit records offer a fourth source of data for insider file deletion. The records are created by operating systems installed in computers. An administrator with enough privileges sets up the audit component in the operating system and then safeguards it against manipulation by non-authorized users.
Together with audits, it is possible to monitor user physical activities on computers, such as keystroke and video surveillance. The collected information will show the identity of the user and the particular activity that was going on at the time of data deletion.
Unfortunately, the use of auditing and physical monitoring is only effective when the subjects are subordinate staffs. Managers in organizations may have privileges that allow them to shut down the audit and surveillance systems when they want to delete files.
However, even in such cases, the loss of evidence in this way will offer investigators new evidence to show that administrators were involved in data deletion. One of the shortcomings in physical monitoring is that it may be a violation of personal privacy, thereby causing the evidence collected to be useless in court (Capshaw, 2011).
The integrity of the data collected by investigators relies on the procedure used to extract data from the sources identified in this paper. Investigators should evaluate the likely value of data and then use the evaluation to determine the right procedure for collection.
Another important consideration is the volatility of the data, which relates to whether data would be lost when a live system powers down. In such cases, the priority would be to acquire the volatile data before it disappears and then move on to handle non-volatile data.
In many instances, digital forensics requires multiple evidence sources to incriminate a person. The use of multiple data sources and procedures helps the investigator to reach the goal of getting tangible evidence.
However, different sources, such as accounting audit, live system data, intrusion detection systems, and computer storage media pose varied hardships for the investigator when collecting data. Dealing with an ISP may involve a legal process that takes time and effort, yet getting logs from a computer or network router would be easier.
While collecting data from various sources, investigators must be aware of the ability of intruders or insider wrong doers to cover their tracks.
For example, intruders using malware installations may program the malware to interfere with logging parameters on an infected computer, thereby compromising data that investigators would collect from the infected computer. Therefore, it is important for forensic investigators to verify the integrity of the data they collect.
Al-Hajri, H., & Williams, P. (2007). The effectiveness of investigative tools for secure digital (SD) memory card forensics. 5th Australian Digital Forensics Conference. Perth: Edith Cowan University – Research Online.
Aquilina, J. M., & Malin, C. H. (2010). Malware forensic field guide for windows systems, digital forensics field guides. New York, NY: Syngress.
Brand, M., Valli, C., & Woodward, A. (2010). Malware forensics: Discovery of the intent of deception. Proceedings of 8th Australian digital forensics conference, (pp. 1-5). Perth.
Capshaw, J. (2011, April 1). Computer forensics: Why your erased data is at risk. Web.
Grier, J. (2011). Detecting data theft using stochastic forensics. Digital Investigation, 8, s71-s77.
Maras, M.-H. (2014). Computer forensics cyber criminals, laws and evidence. Burlington, MA: Jons & Barlett.
Nelson, B., Phillips, A., & Steuart, C. (2010). Computer forensics and investigations (3rd ed.). Boston, MA: Cengage Learning.
Schwartz, M. J. (2011, December 13). How digital forensics detects insider theft. Web.