Overview of Digital Forensics
Cybersecurity
www.isaca.org/cyber
© 2015 ISACA. All Rights Reserved.

Cyberincidents are fast moving and increasing in number and severity. When a cyberincident occurs, the attacked enterprise responds with a set of predetermined actions. Applying digital forensics to aid in the recovery and investigation of material on digital media and networks is one of these actions. Digital forensics is the “process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable in any legal proceedings (i.e., a court of law).”1 The purpose of this white paper is to provide an overview of digital forensics as it applies to cybersecurity.

The methods that digital forensics uses to handle digital evidence are very much grounded in the field’s roots in the scientific method of forensic science. Every forensic science certification requires a code of conduct that demands an unbiased and ethical approach to examinations.

BRIEF HISTORY OF DIGITAL FORENSICS

Digital forensics is nearly 40 years old, beginning in the late 1970s as a response to a demand for service from the law enforcement community (see figure 1). Most of the first criminal cases that involved computers were for financial fraud.2 In the 1980s, digital forensics training courses were developed by organizations such as the Association of Certified Fraud Examiners, the National Consortium for Justice Information and Statistics, and the High Technology Crime Investigation Association (HTCIA); the first digital forensics company, Access Data, was formed; and the International Association of Computer Investigative Specialists (IACIS) was formed.3 Today, students can earn a Bachelor of Science degree in Computer Forensics and Digital Investigations.

[Figure 1: Digital Forensics Time Line, 1970 to 2010, in four phases: Ad Hoc, Structured Phase, Enterprise Phase and Golden Age. Milestones shown: financial fraud cases; Association of Certified Fraud Examiners; Team Search, HTCIA, FLETC and FBI CART; Access Data, the first forensics company; DOJ/FBI Technical Working Group; International Organization on Computer Evidence formed; 1st International Conference on Computer Evidence; Scientific Working Group on Digital Evidence (SWGDE); UK National Hi-Tech Crime Unit; SWGDE publishes Best Practices for Computer Forensics paper; Budapest Convention on Cybercrime; ISO publishes standard ISO 17025.]

1 Mohay, George M.; Alison Anderson; Byron Collie; Rodney D. McKemmish; Olivier de Vel; Computer and Intrusion Forensics, Artech House, USA, 2003
2 Ibid.
3 The International Society of Forensic Computer Examiners®, “Certified Computer Examiner,” www.isfce.com/history.htm

Early forensic tools, like MACE and Norton, provided basic recovery abilities, such as undelete and unformat. Most investigations were on a single workstation that was used by one individual. The open-source, community-driven model that is used today for digital forensic tool development makes tool evolution modular, extensible, robust and sustainable across various platforms. Software and standards baselines provide a foundation that focuses on extensions, plug-ins and the digital evidence bag (DEB) metaformat for development.

With the advent of cases admitting digital evidence in court, there was a need for standardization. Government involvement in standardization began in 1984, when the FBI established the Computer Analysis and Response Team (CART) to meet the growing demands of law enforcement for a more structured approach to examining evidence. By the early 1990s, the FBI was assisting the US Postal Service in creating its own computer forensics unit. A group of federal crime laboratory directors, which became the Scientific Working Group on Digital Evidence (SWGDE), began meeting twice a year to discuss areas of mutual interest. After Mark Pollitt, Unit Chief of CART, spoke to the directors about digital evidence and Scott Charney, CCIPS, discussed legal aspects of computer evidence and search warrant requirements for seizing digital evidence, another technical working group (TWG) was formed to address the forensic issues that are related to digital evidence.4 In the United Kingdom, the needs of law enforcement led to the creation of the National Hi-Tech Crime Unit in 2001, with resources centralized in London. The unit became the Serious Organised Crime Agency (SOCA) in 2006.

Following are further developments in digital forensics:

• 1993—The first International Conference on Computer Evidence was held in the United States.
• 1995—The International Organization on Computer Evidence (IOCE) was formed.
• 1998—The G8 appointed the IOCE to create international principles, guidelines and procedures for digital evidence, and the INTERPOL Forensic Science Symposium responded to issues in computer forensics.
• 2002—The SWGDE published “Best Practices for Computer Forensics.”5
• 2004—The Budapest Convention on Cybercrime, which was signed in 2001, became effective. The convention worked to reconcile national computer crime laws, investigative techniques and international cooperation. The Convention was the first international treaty on crimes committed via the Internet and other computer networks, focusing on infringements of copyright, computer-related fraud, child pornography, hate crimes and violations of network security.6 The United States was the sixteenth country to ratify the Convention in 2006.7
• 2005—The International Organization for Standardization (ISO) published ISO 17025, General requirements for the competence of testing and calibration laboratories.

4 Morgan Whitcomb, Carrie; “An Historical Perspective of Digital Evidence: A Forensic Scientist’s View,” International Journal of Digital Evidence, Spring 2002, Volume 1, Issue 1, www.utica.edu/academic/institutes/ecii/publications/articles/9C4E695B-0B78-1059-3432402909E27BB4.pdf
5 Scientific Working Group on Digital Evidence, “Best Practices for Computer Forensics v1.0,” 15 November 2004, https://www.swgde.org/documents/Archived%20Documents/2004-11-15%20SWGDE%20Best%20Practices%20for%20Computer%20Forensics%20v1.0
6 Council of Europe, “Convention on Cybercrime,” Budapest, 23 November 2001, www.conventions.coe.int/Treaty/en/Treaties/html/185.htm
7 Anderson, Nate; “World’s Worst Internet Law ratified by Senate,” arstechnica.com, 4 August 2006, www.arstechnica.com/uncategorized/2006/08/7421/

In 2013, US President Obama issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, which calls for a voluntary risk-based cybersecurity framework (the Cybersecurity Framework, or CSF) that is “prioritized, flexible, repeatable, performance-based, and cost-effective.” The National Institute of Standards and Technology (NIST) led the development of the CSF through an international partnership of organizations, including owners and operators of the nation’s critical infrastructure and ISACA. Key principles from the ISACA COBIT 5 business framework, which helps enterprises to govern and manage their information and technology, are embedded into the CSF. ISACA’s guide Implementing the NIST Cybersecurity Framework implements the CSF using ISACA’s COBIT 5 processes.

In the CSF, digital forensics is a subcategory in the Respond function and Analysis category of the Framework Core.8 The study guide for the ISACA Cybersecurity Fundamentals Certificate discusses digital forensics in the incident response topic.9

TYPES OF INVESTIGATIONS

The two types of computer crime investigations are computer-based crime and computer-facilitated crime. In a computer-based crime, a computer or computers are used as the vehicle to commit a crime. In computer-facilitated crime, a computer is the target of a crime (e.g., a hacking incident or theft of information).10 Computer-based crimes are activities such as child pornography, cyberbullying, cyberstalking, spamming or cyberterrorism. Typically, computers and/or hard drives are seized as evidence and provided to a forensic expert to analyze. When a computer has been the target of a crime, usually the information system is compromised, and information on the system or network is stolen, or fraudulent documents are created. Digital forensics is used to capture volatile information from random access memory (RAM) and other running processes, including networks.11 It is important for the forensics expert to consider the following four areas of analysis:

• Storage media
• Hardware and operating systems
• Networks
• Applications

Although cybercrime activity and security breaches continue to rise, business requirements often take precedence over security requirements. This precedence leaves applications, systems and networks vulnerable to intrusion. When a breach occurs, the forensic analyst must locate the point of compromise. The mission criticality of the compromised application,