Digital forensics

DIGITAL FORENSICS: A BRANCH OF FORENSIC SCIENCE. BY C.N. OKONTA, CrFA.

Digital forensics is a branch of forensic science that recovers and investigates the information found in digital devices, often in relation to computer crime.

 

What Is Digital Forensics?

Digital forensics is the practice of supporting an investigation by gathering evidence from digital artifacts. These artifacts include computers, networks, cloud services, hard drives, servers, phones, or any endpoint system connected to the infrastructure. The activity also includes collecting information from emails, SMS messages, images, deleted files, and much more. In short, the responsibility of a digital forensic investigator is a threefold process:

  • Preserving or recording the state of a digital device
  • Analyzing the state of the digital device
  • Reporting the retrieved information

In the case of a cybercrime, a digital forensic examiner analyzes digital devices and digital data to gather enough evidence to help track the attacker. As data are abundant because of our dependence on digital systems, the role of the digital forensic investigator is gaining prominence everywhere.

THE GOALS OF DIGITAL FORENSICS

The goals of digital forensics are to examine digital media and to identify, analyze, preserve, recover, and present facts and opinions about digital information.

FORENSIC INVESTIGATION PROCESS

The following are the known phases of the forensic investigation process:

  • Identification
  • Preservation
  • Collection
  • Examination
  • Analysis
  • Presentation
  • Decision

The goal of the digital forensic investigator is to preserve any evidence in its original form while performing a structured investigation: collecting, identifying and validating forensic evidence via structured best practices, with the purpose of reconstructing past events.

STRUCTURED BEST PRACTICES

  • The original image is captured, i.e. deleted files, slack space and unallocated clusters are captured through the original image.
  • The original evidence is the primary image, which is kept in the library.
  • The investigator should work with a secondary (working) image, never the primary.
  • There should be a timestamp showing when the evidence was collected.
  • Before copying evidence to new media, make sure the destination is sanitized.

INVESTIGATION PROCESS TYPES

  • Network analysis: investigate the network through traffic analysis, log analysis and path analysis to uncover the required information (traffic, paths, logs, etc.).
  • Media analysis: examine disk images and perform timeline analysis.
  • Software analysis: reverse engineering and malicious code review.
  • Hardware/embedded device review: analyze the firmware, destination appliances, dedicated memory, etc.

DIGITAL EVIDENCE

Digital evidence is information and data of value to an investigation that is stored on, recovered from, or transmitted by an electronic device. This evidence can be acquired electronically, by seizing the device and securing it for examination.

  • Digital evidence is stored and transmitted in binary form and may be relied upon in court.
  • Common forms of digital devices and data are as follows: CDs, PDAs, digital cameras, flash drives, hard drives, phones, computer documents, texts, emails, etc.
  • Digital evidence is associated with electronic crime (e-crime), e.g. credit card crime.
  • Digital evidence is now used to prosecute all types of crime, not just e-crime.

DIGITAL EVIDENCE ADMISSIBLE IN COURT

For digital evidence to be admissible in court, the evidence must be:

  • Relevant → reasonable and sensible with respect to the findings.
  • Complete → the evidence must tell the whole truth of the issue.
  • Sufficient → persuasive and supported by facts.
  • Reliable → consistent and factual, not circumstantial to the case at hand.

EVIDENCE LIFE CYCLE

The life cycle of evidence starts with:

Collection and identification of evidence

                             ↓

Storage, preservation and transportation (this is the critical chain of custody of the main evidence)

                             ↓

Presentation of evidence in court

                             ↓

Finally, return of evidence to the owner

CHAIN OF CUSTODY OF EVIDENCE

This is when information gathered from the crime scene is used to create a chain of custody showing, for instance, what the scene location and condition were; it is important because it can be used during a criminal court trial. (It is a chronological documentation developed from the information gathered at the scene.)

  • It is a history that shows how the evidence was collected, analyzed, transported and preserved in order to be presented in court.
  • It should follow the evidence through its entire life cycle.
  • The copies created should be independently verified and must be tamper-proof.
  • The chain of evidence must be labelled with information indicating who secured and validated it.
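As an added example (not part of the original notes), the Python script below turns the structured best practices and the chain-of-custody rules above into checks: the destination media must be sanitized (all zeros) before the working copy is written, the working copy is verified against the hash of the primary image, every custody entry carries a UTC timestamp, the handler and the item's hash, and a copy altered in transit is detected when the chain is verified. The image bytes and the handler names are constructed sample values.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample "primary image" standing in for a captured disk image:
# a boot marker, zeroed unallocated space, and a deleted-file remnant.
PRIMARY_IMAGE = b"BOOT" + b"\x00" * 64 + b"deleted-file-remnant" + b"\x00" * 32


def sha256_hex(data: bytes) -> str:
    """Fingerprint of the primary image and of every copy made from it."""
    return hashlib.sha256(data).hexdigest()


def is_sanitized(destination: bytes) -> bool:
    """Destination media must be all zeros before evidence is written to it."""
    return len(destination) > 0 and not any(destination)


def make_working_copy(primary: bytes, destination: bytes) -> bytes:
    """Produce the secondary image the investigator works on; the primary stays untouched."""
    if not is_sanitized(destination):
        raise ValueError("destination media is not sanitized")
    copy = bytes(primary)  # byte-for-byte duplicate written onto the clean media
    if sha256_hex(copy) != sha256_hex(primary):
        raise ValueError("working copy does not match the primary image")
    return copy


def custody_entry(action: str, handler: str, item: bytes, note: str = "") -> dict:
    """One chain-of-custody record: who did what, when, and the hash of the item."""
    return {"time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "action": action, "handler": handler, "sha256": sha256_hex(item), "note": note}


def verify_chain(log: list, reference_hash: str) -> bool:
    """Custody holds only if every entry carries the hash of the original evidence."""
    return bool(log) and all(entry["sha256"] == reference_hash for entry in log)


def run_example() -> tuple:
    """Capture, copy and hand over the sample evidence; returns (log, intact, after_tamper)."""
    primary_hash = sha256_hex(PRIMARY_IMAGE)
    log = [custody_entry("captured", "examiner A", PRIMARY_IMAGE, "primary image to library")]
    working = make_working_copy(PRIMARY_IMAGE, bytes(len(PRIMARY_IMAGE)))  # zeroed destination
    log.append(custody_entry("copied", "examiner A", working, "secondary image for analysis"))
    tampered = working[:-1] + b"X"  # one altered byte in transit must break the chain
    log.append(custody_entry("transported", "courier B", tampered))
    return log, verify_chain(log[:2], primary_hash), verify_chain(log, primary_hash)
```

Calling `run_example()` returns the three custody entries together with `True` for the chain up to the verified working copy and `False` once the altered copy is included.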

Some digital forensic cases

Digital Forensics Is More Important Now Than Ever

With 95% of Americans owning mobile phones today, the amount of data in existence is staggering. But it is not just mobile phones that form part of an investigation; other devices like laptops, desktops, tablets, juke boxes, PlayStations, smart watches, and everything in the Internet of Things family are responsible for exchanging data. The advancement of technology adds to the volume of data, and therefore digital forensics must expand to meet the needs of its users. The emergence of more sophisticated devices has also stressed the importance of digital forensics.

Eminent Cases Solved with Digital Forensics

A digital footprint is the record of how data were used or accessed on various digital devices. By following the digital footprints, the investigator is able to retrieve the data that are critical for solving the case.

1. Matt Baker—2010

Matt Baker, a Baptist preacher, was convicted of the murder of his wife and sentenced to 65 years in prison. In 2006, his wife had apparently committed suicide by overdosing on sleeping pills; the suicide was confirmed on the basis of the note she left. Later, analysis of Baker's computer found that he had searched for "overdosing on sleeping pills" and had visited several pharmaceutical websites prior to his wife's death.

2. Krenar Lusha—2009

Krenar Lusha of the United Kingdom was arrested based on his internet search pattern. On investigating his laptop, it was found that he had downloaded a manual of 4300 GM to make explosives and search belts. When the police searched his apartment for further investigation, they also recovered 71.8 l of petrol, potassium nitrate, and a live shotgun cartridge. He had also used his laptop to chat with people via MSN, describing himself as a terrorist or a sniper, and presented himself as a person who wanted to see Jewish and American people killed. These conversations were retrieved from his computer and used as digital evidence in court.

3. Larry Jo Thomas—2016

More than 250 Facebook posts are cited as a source of digital information gathered during forensic investigation in the Indiana appellate court. One of the recorded cases concerns Larry Jo Thomas, who was representing himself under the name 'Slaughtaboi Larro' on Facebook. He posted a photo on his Facebook wall with an AR-15-style assault rifle. During the investigation of the murder of Rito Llamas-Jaurez, Thomas was found guilty, as Llamas-Jaurez had been shot dead with AR-15-style ammunition. Investigators also found a bracelet near the crime scene that matched the one Thomas was wearing in one of his Facebook photos.

4. Mikayla Munn—2016

Mikayla Munn, a Manchester University student, gave birth to a baby in her dorm room bathtub. She immediately drowned her newborn in the bathtub but covered it up, stating that she had not been aware of her pregnancy and had felt labor pains while taking a bath, followed by the baby's arrival. On examining her digital assets, investigators found that she had searched Google for "at home abortions" and "ways to cut the umbilical cord of a baby." Munn pleaded guilty to neglect and was imprisoned for 9 years.

5. Ross Compton—2017

Ross Compton from Middletown, Ohio, was convicted of aggravated arson and insurance fraud in connection with his Court Donegal house. The incident caused $4 million in damage. When Compton submitted fake medical certificates describing his heart illness, the data from his pacemaker served as evidence before the court. The data collected from the pacemaker included his heart rate, pacer demand, and heart rhythms, which helped prove the arson and insurance fraud.