Computer Forensics in Today’s World
- February 27, 2021
The term forensic refers to the method of solving crimes with the help of scientific knowledge and tools. For this method, we seek the help of professionally trained personnel known as forensic investigators. They have specific skill sets, which include analysis, extraction, deduction, and recovery. But these only scratch the surface of what a forensic investigator is. Here are some of the duties a forensic investigator carries out during an investigation.
- Identify, gather and preserve the evidence of a cybercrime.
- Track and prosecute the perpetrators in a court of law.
- Interpret, document, and present the evidence to be admissible during prosecution.
- Find vulnerabilities and security loopholes that help attackers.
- Perform incident response to prevent further loss of intellectual property, finances, and reputation during an attack.
- Recover deleted files where possible.
Cybercrime falls mainly into two types, internal and external. If an employee steals and sells confidential data belonging to their own company, that is an internal cybercrime. These attacks are much harder to defend against. External attacks are those carried out remotely, for example when a hacker tries to break into your network. Common techniques used in both internal and external cybercrime include SQL injection attacks, denial of service, and brute force.
How to defend?
In the world of cybersecurity, there is no such thing as 100% security. There is no 99.9% like in disinfectant commercials. The only way to defend is to provide multiple layers of security and pray that we don’t get a target painted on our back.
Why is it difficult?
The main reason is that, as cybersecurity professionals, we have to consider and close every known and possible loophole an attacker could exploit, while the attacker only has to get one thing right in order to infiltrate. In cybersecurity there is a vast number of things to cover, and keeping everything up to date 24×7 is physically impossible. Even after we have provided the necessary security for a company, one vulnerability still remains: humans.
How do they infiltrate?
Every web page and remote network connection requires certain ports. These virtual ports are used to transfer a specific type of data. Hackers scan a network for open ports and push malicious programs through those ports whose listening software contains bugs.
Type of cyber-crime investigations
This describes the types of cases that we present to a court of justice. There are mainly three types.
Civil cases: These cases are between an individual and a company, a company and an individual, or two companies. In these cases, the final verdict will be a settlement that serves the interests of both parties rather than putting someone in prison.
Criminal cases: These cases concern violations of the laws and norms of society. Here one party will be proven guilty and has to accept and proceed through their charges, which vary from a fine or settlement to hanging.
Administrative: If a crime occurs inside a company or business firm, they try to solve it within their own circle by hiring a forensic investigator or by using their own forensic division. This is done in order to preserve their integrity and the confidentiality they owe their clients. These investigations are commonly known as administrative investigations.
What happens when things escalate?!
By the term “escalate” we mean the situation where the crime is not tied to just one person but to an entire organization behind the scenes. Sometimes investigators run across crimes where they cannot identify the culprit’s motive; in these cases they look at the bigger picture and consider whether criminal organizations or terrorist groups are involved. If something like that is found, the mode of investigation changes and the “Enterprise Theory of Investigation” is applied.
Enterprise Theory of Investigation.
This is what we call the A-game for an investigator. This method of investigation requires many approvals from government authorities because it is a time- and resource-consuming process, and special approvals are needed from the governing bodies of different countries in order to gain the full access and cooperation of their various sectors, so that investigators can perform thorough research and kill the cause at its root. The end result is taking down the organization itself and stopping its influence across the globe.
What is considered digital evidence?
Digital evidence should be a valid source that links the culprit to the crime. This evidence should be believable, reliable, and authentic in nature. Evidence that lacks complete scope (it should prove that the culprit is either guilty or not guilty) will be ruled out. The “Best Evidence Rule” describes what a piece of evidence should be, and evidence that does not meet it will not be taken into consideration.
Nature of Digital Evidence.
If we speak in terms of data as digital evidence, it comes in two types: volatile and non-volatile. Volatile or live data is data that is erased when the power is turned off. It lives in memory such as cache memory, RAM, and some registry keys. This data is crucial for an investigator because more evidence can be collected from live data than from static data.
Why live data takes priority as evidence.
The main reason is that it is fresh and contains the current system configuration and settings, which could tell us what the culprit intended to do.
Non-volatile or static data is data that does not change or alter when the power is cut off: things like BIOS settings, data stored on hard disks, date and time, etc. Nowadays people use virtual machines for malicious purposes, which covers their tracks for most static data, but there is always something a criminal has left behind or taken from a crime scene.
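As an added example (not part of the original post), here is a small Python helper that orders evidence sources by the volatility classification above, live data first, and records a SHA-256 hash of each acquired artifact so that its authenticity can be checked later. The source labels and the sample bytes are constructed for illustration.

```python
import hashlib
from datetime import datetime, timezone

# Volatility ranking, most volatile first: the live sources the article
# says to collect first, then static data that survives a power cut.
# (Labels are illustrative and chosen for this example.)
VOLATILITY_ORDER = {
    "cache memory": 0,
    "ram": 1,
    "registry keys": 2,
    "hard disk": 3,
    "bios settings": 4,
    "date and time": 5,
}


def plan_collection(sources):
    """Return the sources ordered most-volatile first.

    Unknown sources sort last; the stable sort keeps their input order.
    """
    last = len(VOLATILITY_ORDER)
    return sorted(sources, key=lambda s: VOLATILITY_ORDER.get(s.lower(), last))


def sha256_hex(data):
    """Hex SHA-256 of an acquired artifact; this is the fingerprint kept in the log."""
    return hashlib.sha256(data).hexdigest()


def record_acquisition(log, source, data, examiner):
    """Append a chain-of-custody entry: what was collected, when, by whom, its hash."""
    entry = {
        "source": source,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "size": len(data),
        "sha256": sha256_hex(data),
    }
    log.append(entry)
    return entry


def verify_integrity(entry, data):
    """True only if the bytes still match the hash recorded at acquisition.

    Any change to the artifact, even a single bit, makes this fail, which is
    what lets the evidence be presented as authentic.
    """
    return sha256_hex(data) == entry["sha256"]
```

Running `plan_collection(["Hard disk", "RAM", "BIOS settings", "Cache memory"])` yields cache memory, RAM, hard disk, BIOS settings, and `verify_integrity` returns False for any artifact whose bytes no longer match the recorded hash.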
As investigators we should be aware of modern technologies and crime patterns as well as rules and regulations. It is not an easy job to clean up the mess that someone else created, but it is our job to prevent it from happening again in the future. In most cases, the problem stems from a lack of knowledge. People nowadays use a lot of modern technology but don’t know how to secure their data and confidential assets. The solution is to grow a culture that provides information on the security of devices and how to handle them.