Overview of Digital Forensics

Cyberincidents are fast moving and increasing in number and severity. When a cyberincident occurs, the attacked enterprise responds with a set of predetermined actions. Applying digital forensics to aid in the recovery and investigation of material on digital media and networks is one of these actions. Digital forensics is the “process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable in any legal proceedings (i.e., a court of law).”1 The purpose of this white paper is to provide an overview of digital forensics as it applies to cybersecurity.


Cybersecurity Digital Forensics

The methods that digital forensics uses to handle digital evidence are very much grounded in the field’s roots in the scientific method of forensic science. Every forensic science certification requires a code of conduct of an unbiased and ethical approach to examinations.

BRIEF HISTORY OF DIGITAL FORENSICS

Digital forensics is nearly 40 years old, beginning in the late 1970s as a response to a demand for service from the law enforcement community (see figure 1).1 Most of the first criminal cases that involved were for financial fraud.2 In the 1980s, digital forensics training courses were developed by organizations such as the Association of Certified Fraud Examiners, the National Consortium for Justice Information and Statistics, and the High Technology Crime Investigation Association (HTCIA); the first digital forensics company, Access Data, was formed; and the International Association of Investigative Specialists (IACIS) was formed.3 Today, students can earn a Bachelor of Science degree in Computer Forensics and Digital Investigations.

FIGURE 1 Digital Forensics Time Line

[Figure 1 is a time line from 1970 to 2010 divided into an Ad Hoc phase, a Structured phase, an Enterprise phase and a Golden Age. Milestones shown: financial fraud cases; Association of Certified Fraud Examiners; HTCIA, FBI CART, FLETC and Access Data as the 1st forensics company; 1st International Conference on Computer Evidence; International Organization on Computer Evidence formed; DOJ/FBI Technical Working Group; Scientific Working Group on Digital Evidence (SWGDE); UK National Hi-Tech Crime Unit; SWGDE publishes Best Practices paper; Budapest Convention on Cybercrime; ISO publishes standard ISO 17025.]

1 Mohay, George M.; Alison Anderson; Byron Collie; Rodney D. McKemmish; Olivier de Vel; Computer and Intrusion Forensics, Artech House, USA, 2003
2 Ibid.
3 The International Society of Forensic Computer Examiners®, “Certified Computer Examiner,” www.isfce.com/history.htm

© 2015 ISACA. All Rights Reserved.

Early forensic tools, like MACE and Norton, provided basic recovery abilities, such as undelete and unformat. Most investigations were on a single workstation that was used by one individual. The open-source, community-driven model that is used today for digital forensic tool development makes tool evolution modular, extensible, robust and sustainable, across various platforms. Software and standards baselines provide a foundation that focuses on extensions, plug-ins and digital evidence bag (DEB) metaformat for development.

With the advent of cases admitting digital evidence in court, there was a need for standardization. Government involvement in standardizations began in 1984, when the FBI established the Computer Analysis and Response Team (CART) to meet the growing demands of law enforcement for a more structured approach to examine evidence. By the early 1990s, the FBI was assisting the US Postal Service in creating its own computer forensics unit. A group of federal crime laboratory directors, which became the Scientific Working Group on Digital Evidence (SWGDE), began meeting twice a year to discuss areas of mutual interest. After Mark Pollitt, Unit Chief of CART, spoke to the directors about digital evidence and Scott Charney, CCIPS, discussed legal aspects of computer evidence and search warrant requirements for seizing digital evidence, another technical working group (TWG) was formed to address the forensic issues that are related to digital evidence.4 In the United Kingdom, the needs of law enforcement led to the creation of the National Hi-Tech Crime Unit in 2001, with resources that are centralized in London. The unit became the Serious Organised Crime Agency (SOCA) in 2006.

Following are further developments in digital forensics:
• 1993—The first International Conference on Computer Evidence was held in the United States.
• 1995—The International Organization on Computer Evidence (IOCE) was formed.
• 1998—G8 appointed IOCE to create international principles, guidelines and procedures for digital evidence and the INTERPOL Forensic Science Symposium, to respond to issues in computer forensics.
• 2002—The SWGDE published “Best practices for Computer Forensics.”5
• 2004—The Budapest Convention on Cybercrime, which was signed in 2001, became effective. The convention worked to reconcile national computer crime laws, investigative techniques and international cooperation. The Convention was the first international treaty on crimes committed via the Internet and other computer networks, focusing on infringements of copyright, computer-related fraud, child pornography, hate crimes and violations of network security.6 The United States was the sixteenth country to ratify the Convention in 2006.7
• 2005—The International Organization for Standardization (ISO) published ISO 17025, General requirements for the competence of testing and calibration laboratories.

4 Morgan Whitcomb, Carrie; “An Historical Perspective of Digital Evidence: A Forensic Scientist’s View,” International Journal of Digital Evidence, Spring 2002, Volume 1, Issue 1, www.utica.edu/academic/institutes/ecii/publications/articles/9C4E695B-0B78-1059-3432402909E27BB4.pdf
5 Scientific Working Group on Digital Evidence, “Best Practices for Computer Forensics v1.0,” 15 November 2004, https://www.swgde.org/documents/Archived%20Documents/2004-11-15%20SWGDE%20Best%20Practices%20for%20Computer%20Forensics%20v1.0
6 Council of Europe, “Convention on Cybercrime,” Budapest, 23 November 2001, www.conventions.coe.int/Treaty/en/Treaties/html/185.htm
7 Anderson, Nate; “World’s Worst Internet Law ratified by Senate,” arstechnica.com, 4 August 2006, www.arstechnica.com/uncategorized/2006/08/7421/


In 2013, US President Obama issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, which calls for a voluntary risk-based cybersecurity framework (the Cybersecurity Framework, or CSF) that is “prioritized, flexible, repeatable, performance-based, and cost-effective.” The National Institute of Standards and Technology (NIST) led the development of the CSF through an international partnership of organizations, including owners and operators of the nation’s critical infrastructure and ISACA. Key principles from the ISACA COBIT 5 business framework, which helps enterprises to govern and manage their information and technology, are embedded into the CSF. The Implementing the NIST Cybersecurity Framework guide implements the CSF using ISACA’s COBIT 5 processes. In the CSF, digital forensics is a subcategory in the Respond function and Analysis category of the Framework Core.8 The study guide for the ISACA Cybersecurity Fundamentals Certificate discusses digital forensics in the incident responses topic.9

TYPES OF INVESTIGATIONS

Although cybercrime activity and security breaches continue to rise, business requirements often take precedence over security requirements. This precedence leaves applications, systems and networks vulnerable to intrusion. When a breach occurs, the forensic analyst must locate the point of compromise. The mission criticality of the compromised application, system or network determines the level of investigation. A full forensic examination is less likely on a highly critical system because the system cannot be shut down or slowed down to do a full backup.

The two types of computer crime investigations are computer-based crime and computer-facilitated crime. In a computer-based crime, a computer or computers are used as the vehicle to commit a crime. In computer-facilitated crime, a computer is the target of a crime (e.g., a hacking incident or theft of information).10 Computer-based crimes are activities such as child pornography, cyberbullying, cyberstalking, spamming or cyberterrorism. Typically, computers and/or hard drives are seized as evidence and provided to a forensic expert to analyze. When a computer has been the target of a crime, usually the information system is compromised, and information on the system or network is stolen, or fraudulent documents are created. Digital forensics is used to capture volatile information from random access memory (RAM) and other running processes, including networks.11 It is important for the forensics expert to consider the following four areas of analyses:
• Storage media
• Hardware and operating systems
• Networks
• Applications

8 ISACA, Implementing the NIST Cybersecurity Framework, USA, 2014, www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Implementing-the-NIST-Cybersecurity-Framework.aspx
9 ISACA, Cybersecurity Fundamentals Study Guide, USA, 2014, http://www.isaca.org/cyber/Pages/Cybersecurity-Fundamentals-Certificate.aspx
10 Hailey, Steve; “What is Computer Forensics?,” Cybersecurity Institute™, 19 September 2003, www.csisite.net/forensics.htm
11 Ibid.


RELEVANT LAWS

In any investigation, it is important to consult with a legal counsel on the applicability of local, regional, national and international laws. In the United States, the Computer Fraud and Abuse Act of 1986, 18 U.S.C. 1030, criminalizes conduct that abuses computer systems. The statute protects computers that have a federal interest, i.e., federal computers, financial systems and computers that are used in interstate and foreign commerce. The statute protects computer systems from trespass, threats, damage, espionage and being used as tools of fraud.

Other statutes that may apply follow:12
• The Interception of Communications: 18 U.S.C. § 2511(1)(a) & (b); the disclosure of intercepted communications, 18 U.S.C. § 2511(1)(c) & (e); and the use of intercepted communications, 18 U.S.C. § 2511(1)(d). These prohibitions are subject to a number of exceptions, most of them detailed in section 18 U.S.C. § 2511(2).
• Unlawful Access to Stored Communications: 18 U.S.C. § 2701; Section 2701 focuses on protecting email and voice mail from unauthorized access.
• Aggravated Identity Theft: 18 U.S.C. § 1028A, The Identity Theft Penalty Enhancement Act, which took effect July 15, 2004, established a new offense of aggravated identity theft. Section 1028A applies when a defendant “knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person.”
• Access Device Fraud: 18 U.S.C. § 1029. Ten separate activities relating to access devices are criminalized in 18 U.S.C. § 1029. The term “access device” is defined as any card, plate, code, account number, electronic serial number, mobile identification number, personal identification number, or other telecommunications service, equipment, or instrument identifier, or other means of account access that can be used, alone or in conjunction with another access device, to obtain money, goods, services, or any other thing of value, or that can be used to initiate a transfer of funds (other than a transfer originated solely by paper instrument).
• CAN-SPAM Act: 18 U.S.C. § 1037. The CAN-SPAM Act of 2003, Pub. L. No. 108-187, 117 Stat. 2699 (2003), which became effective on January 1, 2004, provides a means for prosecuting those responsible for sending large amounts of unsolicited commercial email (a.k.a. “spam”).
• Wire Fraud: 18 U.S.C. § 1343 provides: Whoever, having devised or intending to devise any scheme or artifice to defraud, or for obtaining money or property by means of false or fraudulent pretenses, representations, or promises, transmits, or causes to be transmitted by means of wire, radio, or television communication in interstate or foreign commerce, any writings, signs, signals, pictures, or sounds for the purpose of executing such scheme or artifice, shall be fined under this title or imprisoned not more than 20 years, or both. If the violation affects a financial institution, such person shall be fined not more than $1,000,000 or imprisoned not more than 30 years, or both.
• Communication Interference: 18 U.S.C. § 136. Where a compromised computer is owned or used by the United States for communications purposes, 18 U.S.C. § 1362 may provide an alternative or additional charge.
• Title 18: United States Code, Section 1362 provides: Whoever willfully or maliciously injures or destroys any of the works, property, or material of any radio, telegraph, telephone or cable, line, station, or system, or other means of communication, operated or controlled by the United States, or used or intended to be used for military or civil defense functions of the United States, whether constructed or in process of construction, or willfully or maliciously interferes in any way with the working or use of any such line, or system, or willfully or maliciously obstructs, hinders, or delays the transmission of any communication over any such line, or system, or attempts or conspires to do such an act, shall be fined under this title or imprisoned not more than ten years, or both.

12 Office of Legal Education Executive Office for US Attorneys, Prosecuting Computer Crimes, www.justice.gov/criminal/cybercrime/docs/ccmanual.pdf


For a more comprehensive reading of applicable US federal laws, Prosecuting Computer Crimes is available for download from the Department of Justice.13 State statutes should also be considered, and consulting with a legal counsel is advised. Additional US laws14 include the following:
• Health Insurance Portability and Accountability Act (HIPAA)
• Gramm-Leach-Bliley Act (GLBA)
• Sarbanes-Oxley Act (SOX)
• Consumer Credit Protection Act
• Telephone Records and Privacy Protection Act

Internationally, the European Union (EU) developed a working document that pertains to the identification and handling of electronic evidence. The EU/Council of Europe (COE) Joint Project on Regional Cooperation against Cybercrime: Electronic Evidence Guide is a basic guide for law enforcement and judges.15

US law enforcement personnel who search and seize computers during an investigation should be aware of the requirements in the Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations manual, from the Department of Justice Computer Crime and Intellectual Property Section.16

DIGITAL FORENSICS POLICIES AND SET OF CONTROLS

The enterprise cybersecurity program should have policies that address all forensics considerations, such as contacting law enforcement, monitoring, and conducting regular reviews of forensics policies, guidelines and procedures. Good practice requires that policies are part of an overall governance and management framework, such as COBIT 5, from ISACA, which provides a hierarchical structure into which all policies should fit and link clearly to the underlying principles.17 Policies should be aligned with the enterprise risk appetite, which is determined in the risk governance activities, and are a key component of the enterprise system of internal control.18 Policies should allow authorized personnel to monitor systems and networks and perform investigations for legitimate reasons in appropriate circumstances. The policies should clearly define the roles and responsibilities of all people who perform or assist with the enterprise forensic activities.19 Policies, guidelines and procedures should clearly identify the tools that may be used in a forensic review and provide reasonable guidance on the use of those tools under various circumstances.

Note: Information security and cybersecurity require a comprehensive set of controls. The set of controls, audit category and reviews for cybersecurity investigations and forensics are explained in detail in the ISACA publication Transforming Cybersecurity.20 This publication applies the COBIT 5 framework and its component publications to transforming cybersecurity into a business process in a systemic way.

13 Ibid.
14 Bosworth, Seymour; M.E. Kabay; Computer Security Handbook Fourth Edition, John Wiley & Sons, Inc., October 2002
15 Council of Europe, Electronic Evidence Guide, 2013, http://www.coe.int/t/dghl/cooperation/economiccrime/cybercrime/Documents/Electronic%20Evidence%20Guide/default_en.asp
16 Cybercrime.gov, Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, Office of Legal Education Executive Office for United States Attorneys, 2009, www.justice.gov/criminal/cybercrime/docs/ssmanual2009.pdf
17 ISACA, COBIT® 5 for Assurance, USA, 2013, www.isaca.org/COBIT/Pages/Product-Family.aspx
18 Ibid.
19 Kent, Karen; Suzanne Chevalier; Tim Grance; Hung Dang; NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response, Recommendations of the National Institute of Standards and Technology, National Institute of Standards and Technology (NIST), August 2006, www.csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf
20 ISACA, Transforming Cybersecurity, USA, 2013, http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Transforming-Cybersecurity-Using-COBIT-5.aspx


Many cyberincidents can be handled more efficiently and effectively if forensics considerations are incorporated into the information system life cycle. Examples of such considerations follow:
• Perform regular backups of systems and maintain previous backups for a specific period of time.
• Enable auditing on workstations, servers and network devices.
• Forward audit records to secure centralized log servers.
• Configure mission-critical applications to perform auditing and include the recording of all authentication attempts.
• Maintain a database of file hashes for the files of common operating system and application deployments, and use file integrity checking software on particularly important assets.
• Maintain records (e.g., baselines) of network and system configurations.
• Establish data retention policies that support the performance of historical reviews of system and network activity, comply with requests or requirements to preserve data that are related to ongoing litigation and investigations, and destroy data that are no longer needed.21

DIGITAL FORENSICS SCIENTIFIC PROCESS

Ken Zatyko, the former director of the Defense Computer Forensics Laboratory, defined the following eight-step digital forensics scientific process:22
1. Obtain search authority—In a legal investigation, legal authority is required to conduct a search or seizure of data.
2. Document chain of custody—In legal contexts, chronological documentation of evidence handling is required to avoid allegations of evidence tampering or misconduct.
3. Image and hash—When digital evidence is found, it should be carefully duplicated and then hashed to validate the integrity of the copy.
4. Validate tools—When possible, tools that are used for forensics should be validated to ensure reliability and correctness.
5. Analyze—Forensic analysis is the execution of investigative and analytical techniques to examine the evidence.
6. Repeat and reproduce (quality assurance)—The procedures and conclusions of forensic analysis should be repeatable and reproducible by the same or other forensic analysts.
7. Report—The forensic analyst must document his/her analytical procedure and conclusions for use by others.
8. Possibly present expert testimony—In some cases, the forensic analyst will present his/her findings and conclusions to a court or another audience.

The process involves more than intrusion-related security incidents. Zatyko defines scientific digital forensics as: “The application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation.”23

As the process steps indicate, the digital forensic analyst meticulously handles, analyzes and reports on the evidence obtained, to present an objective opinion on the facts of a case without prejudice.

21 Ibid.
22 Zatyko, Ken; “Commentary: Defining Digital Forensics,” Forensic Magazine, 2 January 2007, www.forensicmag.com/articles/2007/01/commentary-defining-digital-forensics
23 Ibid.


APPLYING VARIATIONS OF THE SCIENTIFIC METHOD

Scientists often use variations of the scientific method to solve problems. Deductive reasoning applies broad principles to predict specific answers (see figure 2). Conversely, inductive reasoning uses a series of specific pieces of information to extrapolate a broad conclusion. For example, forensic analysts might use inductive reasoning to determine where a cyberincident started.

Because physical evidence may never depict all the events that happened, inductive reasoning has a greater level of uncertainty. The conclusions are based on limited information rather than on a more solid scientific principle, but inductive reasoning can be useful when no broad principle can be applied. The forensic analyst identifies the best tools and approach for each case.24

FIGURE 2 Variations of the Scientific Method of Forensic Science

[Figure 2 shows a cycle of Observation, Generalizations, Paradigm/Theory, Predictions and Experiment. Inductive reasoning runs from observation through generalizations to a paradigm or theory; deductive reasoning runs from the theory through predictions to experiment.]

Source: Forensics: Examining the Evidence, “Understanding the Scientific Method,” www.forensicbasics.org/science-law/what-constitutes-science/understanding-the-scientific-method

Digital forensics follows a rigorous scientific process to present findings of fact to prove or disprove a hypothesis in a court of law, civil proceeding or another action. Zatyko’s eight-step process can be grouped into three basic steps: acquisition, analysis and reporting, which are discussed in the following paragraphs and shown in figure 3.

24 Forensics: Examining the Evidence, “Understanding the Scientific Method,” www.forensicbasics.org/science-law/what-constitutes-science/understanding-the-scientific-method/


FIGURE 3 Digital Forensics Process

Data Collection
• Obtain search authority.
• Document chain of custody.
• Duplicate digital evidence and validate using hash function.

Examination and Analysis
• Validate forensic tools.
• Analyze evidence using investigative and analytical techniques.
• Repeat and reproduce forensic analysis procedures and conclusions.

Reporting
• Report analytical procedures and conclusions.
• Present expert testimony about findings and conclusions.

Data from: Zatyko, Ken, “Commentary: Defining Digital Forensics,” Forensic Magazine, 2 January 2007, www.forensicmag.com/articles/2007/01/commentary-defining-digital-forensics

DATA COLLECTION

The acquisition of data begins with seizure, imaging or collection of digital evidence to capture suspect media or network traffic and logs, post breach. Enterprises typically assume that they have the right to monitor their internal networks and investigate their own equipment as long as they observe the privacy right of the employee. Employee privacy rights and the enterprise rights should be in written policies that are communicated to employees. In the United States, the Fourth Amendment covers seizures. Federal warrants are issued under Title 18 of the US Code for probable cause of a crime. However, exceptions allow data collection without a warrant for reasons such as consent, hot pursuit or plain view. In the United Kingdom, a magistrate issues warrants to a constable under Section 18 of the Police and Criminal Evidence Act. In the US, no one should ever go on site until after they read the search warrant to review the seizure authority and the affidavit for the reasoning and the items to be seized. Regardless of the country, enterprises should understand and follow local and country jurisdiction laws before seizing materials.

After digital media are acquired, an exact duplicate image (the forensic image) of the original media evidence is created and validated with hash values that have been calculated for the original digital media and the duplicate image. A hashing function, e.g., MD5, SHA-1 and SHA-256, applies a mathematical algorithm to the digital data and returns a fixed-size bit string hash value. Any change to the data will change the hash value. Data with the same hash value are identical. The hash value validates that the evidence is still in the original state. The original media evidence is write blocked and stored to prevent any further possible alteration. Hashing may not always be possible. Mobile devices and memory, in particular, may have to be treated differently to maintain evidence.
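The duplicate-and-validate step described above, as an added example that is not part of the ISACA paper: the original media is hashed in a single pass while it is copied, the copy is re-hashed with MD5, SHA-1 and SHA-256, the image is accepted only when all three agree, a single altered byte is shown to fail validation, and each step is written into a chain-of-custody record. The sample media bytes, the case and item identifiers and the handler name are constructed for the example.

```python
"""Forensic image acquisition: duplicate, hash, validate, and log chain of custody."""
import hashlib
import io
import json
from datetime import datetime, timezone

# The three functions the paper names. MD5 and SHA-1 are collision-broken, so the
# SHA-256 value is the authoritative one; the others are kept only because many
# tools and older case records still report them.
ALGORITHMS = ("md5", "sha1", "sha256")


def _digest_all(stream, chunk_size, sink=None):
    """Read the stream once, feeding every chunk to all hashers (and to sink if given).

    Evidence media sits behind a write blocker and may be slow or failing, so it
    should be read as few times as possible; one pass yields all three digests.
    """
    hashers = {alg: hashlib.new(alg) for alg in ALGORITHMS}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
        if sink is not None:
            sink.write(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def hash_bytes(data, chunk_size=1 << 20):
    """Hashes of in-memory data under every algorithm."""
    return _digest_all(io.BytesIO(data), chunk_size)


def acquire_image(source_stream, chunk_size=1 << 20):
    """Copy the source bit for bit while hashing the original's bytes as they are read.

    Returns (image_bytes, source_hashes); the hashes describe the original media.
    """
    image = io.BytesIO()
    source_hashes = _digest_all(source_stream, chunk_size, sink=image)
    return image.getvalue(), source_hashes


def verify_image(source_hashes, image_bytes):
    """Re-hash the duplicate and compare it with the original, algorithm by algorithm."""
    image_hashes = hash_bytes(image_bytes)
    return {alg: source_hashes[alg] == image_hashes[alg] for alg in ALGORITHMS}


def image_is_valid(verification):
    """Accept the copy only when every algorithm agrees with the original."""
    return all(verification.values())


class ChainOfCustody:
    """Chronological record of who handled an item, when, and what its hashes were."""

    def __init__(self, case_id, item_id):
        self.case_id = case_id
        self.item_id = item_id
        self.entries = []

    def record(self, action, handler, hashes=None, note=""):
        entry = {
            "sequence": len(self.entries) + 1,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "handler": handler,
            "hashes": dict(hashes) if hashes else None,
            "note": note,
        }
        self.entries.append(entry)
        return entry

    def to_json(self):
        doc = {"case_id": self.case_id, "item_id": self.item_id, "entries": self.entries}
        return json.dumps(doc, indent=2)


def run_acquisition(media_bytes, handler, case_id="CASE-EXAMPLE", item_id="ITEM-001"):
    """Walk the Data Collection steps of figure 3: duplicate, hash, validate, document."""
    custody = ChainOfCustody(case_id, item_id)
    custody.record("seized", handler, note="original media placed behind a write blocker")
    image, source_hashes = acquire_image(io.BytesIO(media_bytes))
    custody.record("imaged", handler, hashes=source_hashes, note="hashes of original media")
    verification = verify_image(source_hashes, image)
    action = "verified" if image_is_valid(verification) else "verification failed"
    custody.record(action, handler, hashes=hash_bytes(image), note="hashes of forensic image")
    return image, source_hashes, verification, custody


# Constructed sample "media": a small byte string standing in for a device image.
SAMPLE_MEDIA = b"MBR\x00" + bytes(range(256)) * 4 + b"end-of-constructed-media"

if __name__ == "__main__":
    image, hashes, result, custody = run_acquisition(SAMPLE_MEDIA, "analyst A (constructed)")
    print("image valid:", image_is_valid(result))
    # Flip a single byte of the copy: every algorithm now disagrees with the original.
    tampered = bytearray(image)
    tampered[10] ^= 0x01
    print("tampered valid:", image_is_valid(verify_image(hashes, bytes(tampered))))
    print(custody.to_json())
```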


EXAMINATION AND ANALYSIS

After the duplicate image of the evidence is created, analysis can begin on the image. The digital forensic analyst may use specialized tools to uncover deleted or hidden material. Depending on the forensic request, the analyst can report findings about numerous types of information, e.g., email, chat logs, images, hacking software, documents and Internet history. After evidence is collected and analyzed, it is assembled to reconstruct events or actions and provide facts to the requesting party. These facts may identify people, places, items and events and determine how they are related so that a conclusion can be reached. This effort can include correlating data among multiple sources.25 In some environments, early case assessment (ECA) provides immediate review for the requesting parties, at which time they can ask for more advanced analysis. ECA typically involves imaging, indexing, archiving and an internal reporting mechanism for the requesting party to quickly access needed reconnaissance. ECA typically saves time and is often preferred over analysis.

REPORTING

After the analysis is complete, a report of the findings is developed, which outlines findings and methodologies. The provided exhibits may include attribution of file ownership, chat logs, images and emails; detailed login/logoff times; entry into facility logs and anything that places the suspect at the device at the same time and location of an event. The findings can be used to confirm or disprove alibis and provided statements. Digital evidence can also be used to prove intent. The completed report is given to the investigator, who is usually from law enforcement in a criminal matter or a designated senior manager in a civil action. Further actions are determined after the report is reviewed.

Digital forensic analysts provide facts and impart knowledge to give expert opinion only when they are required to do so in court. They never seek to aid or blame. Instead, analysts provide a scientific basis so that the court, company or other requesting party may use the unbiased evidence and gain a better understanding of events.

BRANCHES OF DIGITAL FORENSICS

Computer forensics is the oldest and most stable discipline of digital forensics. It concentrates on developing evidence from a computer and associated digital storage devices in a forensically sound manner to preserve, develop, recover when necessary, analyze and present facts in a clear and concise manner. In computer forensics, after the storage device is acquired, it is standard practice for an analyst to create a from which to work. If the original device is confiscated, it is safely stored as evidence. Sometimes a device is not confiscated so that additional evidence can be gathered and future activities can be monitored. The forensic analyst creates a disk image of the device to preserve the original evidence. Today, virtual drives may also be used as a way to emulate an entire machine.

A number of techniques are used in computer forensics investigations. Cross-drive analysis correlates information that is found on multiple hard drives, which are being used to identify social networks. Live analysis extracts data using existing system administration or developed forensic tools. Recovering deleted files is often in the news, and it remains a mainstay of forensics for recovering evidence. Because files are not erased, but are overwritten eventually, over a period of time, an analyst has time to reconstruct deleted files.

25 Op cit. Kent


Network forensics is a relatively new field within digital forensics. Generally, network forensics focuses on monitoring and analyzing computer network traffic to gather evidence that an authorized party exceeded its authorization, or to detect an intrusion by a party with no authorization to be on that system or network. Because network traffic is volatile and dynamic, analysts must be proactive in their approach to capturing information. Network forensics takes two approaches to gathering information:

• The more traditional approach captures and stores all data for analysis at a later time (e.g., logging the Internet usage of all users and only reviewing the data after an alert).
• The second approach inspects the data as they pass through the network and is selective about the data that are captured (e.g., only logging blocked sites and specific file formats from user activity).

The benefit of the first approach is that the analyst has all the information; the drawbacks are that a large amount of archival storage space is needed and that analysis happens after the fact. In the second approach, the analyst does not need to spend time filtering, but the approach requires enough processing speed to keep up with incoming network traffic. Because data gathering is minimized, the likelihood of private or sensitive information being captured is substantially reduced. Digital forensic analysts can review network communications from obscure sources such as BitTorrent clients, PlayStation® and Xbox® game consoles, and Raspberry Pi. Network forensics continues to grow, due to the popularity of wireless communication, obfuscated communication (e.g., Tor anonymity software), and mobile devices.

Mobile device forensics has its roots in the period when mobile devices started to become popular, around 2000. Forensics of mobile devices covers cell phones, but can also include Universal Serial Bus (USB) drives, personal digital assistants (PDAs), global positioning systems (GPSs), cameras and tablet devices. From a law enforcement perspective, these data sources may provide a wealth of personal information, such as contacts, emails, web browsing information, photos, videos, calendars, geolocation, and social network messages and contacts. Mobile devices present greater handling challenges because of memory volatility, so proper handling procedures must be followed to protect digital data.

Most mobile devices have a basic set of comparable features and capabilities. They house a microprocessor, read-only memory (ROM), random access memory (RAM), a radio module, a digital signal processor, a microphone and speaker, a variety of hardware keys and interfaces, and a liquid crystal display (LCD). The operating system of a mobile device may be stored in either NAND or NOR memory, while code execution typically occurs in RAM.[26] Generally, the information collected comes from internal memory (flash memory) or external memory (subscriber identity module [SIM], Secure Digital [SD], MultiMediaCard [MMC], CompactFlash [CF] cards or memory sticks). Call records and mobile backups can also be obtained through carriers, which provide other information that is useful in developing evidence, especially in cases of encryption. For a more complete understanding of techniques for handling mobile devices, NIST SP 800-101, Guidelines on Mobile Device Forensics,[27] and the SWGDE “Best Practices for Mobile Phone Forensics”[28] should be reviewed.

Encryption has become standard on Windows® 8.1 and Mac® OS X 10.9, and it will continue to be a challenge in the field. Circumventing encryption can involve several steps, including capturing memory to recover passwords or keys held in RAM, password cracking against a system image, interrogating the suspect, or obtaining a search warrant for a mobile backup of a phone from a service provider. The ways to defeat encryption keep changing, so forensic analysts must be willing to evolve with technology. This may include the biggest taboo in the field: modifying the user’s data in order to obtain the encryption keys. Memory forensics is too large a topic to be discussed here, but previewing applications and obtaining data from RAM leaves a footprint on the system. Having a standardized process and taking copious notes are just two ways to justify actions in the field, but this does not erase the blurred lines.
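To make the trade-off between the two network capture approaches concrete, here is an added example in Python (it is not code from the ISACA paper). It parses constructed IPv4/TCP packets and applies both policies: the full-capture path keeps every packet for later review, while the selective path inspects each packet in line and retains only those sent to a blocklisted destination or carrying a recognizable file signature. The blocklist address, the file signatures and the five sample packets are all constructed for this illustration and are not a real capture.

```python
"""Full capture versus selective capture over constructed IPv4/TCP packets."""
import struct

# Constructed policy for this example: one blocklisted destination (a TEST-NET-3
# address) and a few file signatures. A real deployment loads these from policy.
BLOCKED_DST = {"203.0.113.7"}
FILE_MAGIC = {b"MZ": "pe", b"PK\x03\x04": "zip", b"%PDF": "pdf"}


def build_packet(src, dst, dport, payload):
    """Build a minimal IPv4 + TCP packet (checksums left zero; enough to parse)."""
    ip_src = bytes(int(o) for o in src.split("."))
    ip_dst = bytes(int(o) for o in dst.split("."))
    # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    # version 4 / IHL 5, TOS, total length, id, flags+frag, TTL, proto 6 (TCP), csum
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0, ip_src, ip_dst)
    return ip + tcp + payload


def parse_packet(pkt):
    """Return (dst_ip, dst_port, payload) from a raw IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:
        raise ValueError("not a TCP packet")
    dst_ip = ".".join(str(b) for b in pkt[16:20])
    tcp = pkt[ihl:]
    dport = struct.unpack("!H", tcp[2:4])[0]
    data_off = (tcp[12] >> 4) * 4
    return dst_ip, dport, tcp[data_off:]


def classify(pkt):
    """Why a selective capture keeps this packet, or None if it is dropped."""
    dst_ip, _dport, payload = parse_packet(pkt)
    if dst_ip in BLOCKED_DST:
        return "blocked-destination"
    for magic, kind in FILE_MAGIC.items():
        if payload.startswith(magic):
            return "file:" + kind
    return None


def full_capture(packets):
    """Approach 1: store everything now, decide what matters later."""
    return list(packets)


def selective_capture(packets):
    """Approach 2: inspect in line, store only what the policy selects."""
    kept = []
    for pkt in packets:
        reason = classify(pkt)
        if reason is not None:
            kept.append((reason, pkt))
    return kept


def storage_bytes(packets):
    """Archival footprint of a set of raw packets."""
    return sum(len(p) for p in packets)


# Constructed traffic, not a real capture: an executable download, a PDF, a
# connection to the blocklisted host, and two ordinary packets that carry
# personal data the selective policy never retains.
SAMPLE_PACKETS = [
    build_packet("10.0.0.5", "198.51.100.20", 80, b"MZ\x90\x00" + b"\x00" * 60),
    build_packet("10.0.0.5", "198.51.100.21", 443, b"%PDF-1.7\n" + b"\x00" * 40),
    build_packet("10.0.0.6", "203.0.113.7", 80, b"GET / HTTP/1.1\r\n\r\n"),
    build_packet("10.0.0.7", "198.51.100.22", 80, b"POST /login user=alice&pw=hunter2"),
    build_packet("10.0.0.8", "198.51.100.23", 25, b"From: bob@example.test\r\nHi"),
]

if __name__ == "__main__":
    full = full_capture(SAMPLE_PACKETS)
    kept = selective_capture(SAMPLE_PACKETS)
    print(f"full capture: {len(full)} packets, {storage_bytes(full)} bytes")
    print(f"selective:    {len(kept)} packets, {storage_bytes(p for _, p in kept)} bytes")
    for reason, pkt in kept:
        print("  kept packet to", parse_packet(pkt)[0], "because", reason)
```

The two paths make the paper's point visible: the full capture retains the login credentials and the e-mail body as well as everything else, which is what an analyst wants after an alert but also what creates the storage and privacy burden; the selective path never stores those packets, at the cost of having to parse every packet at line rate before deciding.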
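One common target of the memory capture mentioned above, when full-disk encryption is in play, is the cipher's expanded key schedule rather than a typed password: an AES key schedule sits in RAM in a recognizable form because every round key is derived from the previous one. The following is an added Python example, not the paper's own code and not a reference to any specific tool. It builds a small constructed memory image, plants one AES-128 key schedule in it, and then finds the key by testing each 16-byte window against its own FIPS-197 expansion. The filler bytes, the planting offset and the key (the FIPS-197 Appendix A key) are assumptions for the illustration.

```python
"""Find an AES-128 key schedule in a (constructed) memory image."""
import random


def _xtime(a):
    """Multiply by x in GF(2^8) with the AES reduction polynomial."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a


def _build_sbox():
    """Compute the AES S-box: GF(2^8) inverse followed by the affine map."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p ^= _xtime(p)            # p = 3*p walks the whole multiplicative group
        q ^= q << 1               # q = q/3, so q stays the inverse of p
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)   # q and four rotations
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def expand_key_128(key):
    """FIPS-197 key expansion: a 16-byte key becomes a 176-byte schedule."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        temp = list(w[i - 1])
        if i % 4 == 0:
            temp = temp[1:] + temp[:1]          # RotWord
            temp = [SBOX[b] for b in temp]      # SubWord
            temp[0] ^= RCON[i // 4 - 1]         # Rcon
        w.append([a ^ b for a, b in zip(w[i - 4], temp)])
    return bytes(b for word in w for b in word)


def _first_round_word(key):
    """w[4] of the schedule, computed directly so the scanner can pre-filter."""
    t = [SBOX[key[13]], SBOX[key[14]], SBOX[key[15]], SBOX[key[12]]]
    t[0] ^= RCON[0]
    return bytes(a ^ b for a, b in zip(key[:4], t))


def find_aes128_keys(image, step=1):
    """Return [(offset, key)] for every in-place AES-128 schedule in image.

    A window is a hit only when the 160 bytes after the candidate key equal
    that key's own expansion. Real tools also tolerate a few bit errors from
    decaying or partially overwritten RAM; this strict version does not.
    """
    hits = []
    for off in range(0, len(image) - 175, step):
        cand = image[off:off + 16]
        if _first_round_word(cand) != image[off + 16:off + 20]:
            continue                            # cheap reject before full expansion
        if expand_key_128(cand) == image[off:off + 176]:
            hits.append((off, bytes(cand)))
    return hits


def build_sample_image(key, size=64 * 1024, offset=20000, seed=7):
    """Constructed stand-in for a RAM capture: seeded filler plus one schedule."""
    rnd = random.Random(seed)
    buf = bytearray(rnd.getrandbits(8) for _ in range(size))
    buf[offset:offset + 176] = expand_key_128(key)
    return bytes(buf)


SAMPLE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 Appendix A key

if __name__ == "__main__":
    image = build_sample_image(SAMPLE_KEY)
    for off, key in find_aes128_keys(image):
        print(f"AES-128 key schedule at offset {off:#x}, key {key.hex()}")
```

The check relies only on the structure of the key schedule, which is why it works without knowing the password, the volume format or the software that holds the key. It is also why the paper's caveat matters: the schedule is only present while the volume is mounted, so the capture has to be taken from the live system, and any tool run on that system to take it leaves its own footprint in the same memory.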

[26] Ayers, Rick; Sam Brothers; Wayne Jansen; NIST SP 800-101 Rev 1, Guidelines on Mobile Device Forensics, National Institute of Standards and Technology (NIST), May 2014, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-101r1.pdf
[27] Ibid.
[28] Scientific Working Group on Digital Evidence, “SWGDE Best Practices for Mobile Phone Forensics, Version: 2.0,” 11 February 2013, www.swgde.org/documents/Current%20Documents/2013-02-11%20SWGDE%20Best%20Practices%20for%20Mobile%20Phone%20Forensics%20V2-0

© 2015 ISACA. All Rights Reserved. 11 Overview of Digital Forensics

CONCLUSION

Digital forensics is a growing field with much diversity in the technologies in which a professional can specialize. From the early stages of digital forensics, when evidence was collected from a stand-alone machine, to the highly networked cloud and mobile environment of today, digital forensic analysts have always taken great care while handling and preserving electronic information. Developing a step-by-step approach to preserve information for each new type of technology has evolved along with the field. The National Academy of Sciences recently identified digital forensics as a subfield within cybersecurity. As Scott Charney, head of the Department of Justice, Computer Crimes and Intellectual Property Section (CCIPS), stated, “The Internet crime problem is going to get worse. How do I know? Simple. There is always a percentage of the population who are up to no good. As the entire population moves to the Internet, so will the criminals.”

Note: Because not all aspects of the digital forensics field could be covered in this paper, such as eDiscovery and anti-forensics techniques, the reader can explore the field further to gain a wider knowledge of digital forensics.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: [email protected]
Web site: www.isaca.org

Provide feedback: www.isaca.org/digital-forensics
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ

With more than 115,000 constituents in 180 countries, ISACA (www.isaca.org) helps business and IT leaders build trust in, and value from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge, standards, networking, and career development for information systems audit, assurance, security, risk, privacy and governance professionals. ISACA offers the Cybersecurity Nexus™, a comprehensive set of resources for cybersecurity professionals, and COBIT®, a business framework that helps enterprises govern and manage their information and technology. ISACA also advances and validates business-critical skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) credentials. The association has more than 200 chapters worldwide.

Disclaimer
ISACA has designed and created Overview of Digital Forensics white paper (the “Work”) primarily as an educational resource for security professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, security professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.


ACKNOWLEDGMENTS

Expert Reviewers
Jaime Buzzeo, USA
Joel Valverde, USA
Alexander Applegate, USA

ISACA Board of Directors
Robert E Stroud, CGEIT, CRISC, USA, International President
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Vice President
Garry J. Barnes, CISA, CISM, CGEIT, CRISC, BAE Systems Detica, Australia, Vice President
Robert A. Clyde, CISM, Clyde Consulting LLC, USA, Vice President
Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, Dell, Spain, Vice President
Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA, US House of Representatives, USA, Vice President
Vittal R. Raj, CISA, CISM, CGEIT, CRISC, CFE, CIA, CISSP, FCA, Kumar & Raj, India, Vice President
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Past International President
Gregory T. Grocholski, CISA, SABIC, Saudi Arabia, Past International President
Debbie A. Lew, CISA, CRISC, Ernst & Young LLP, USA, Director
Frank K.M. Yam, CISA, CIA, FHKCS, FHKIoD, Focus Strategic Group Inc., Hong Kong, Director
Alexander Zapata Lenis, CISA, CGEIT, CRISC, ITIL, PMP, Grupo Cynthus S.A. de C.V., Mexico, Director

Knowledge Board
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Chairman
Rosemary M. Amato, CISA, CMA, CPA, Deloitte Touche Tohmatsu Ltd., The Netherlands
Neil Patrick Barlow, CISA, CISM, CRISC, CISSP, Capital One, UK
Charlie Blanchard, CISA, CISM, CRISC, CIPP/US, CIPP/E, CISSP, FBCS, ACA, Amgen Inc., USA
Sushil Chatterji, CGEIT, Edutech Enterprises, Singapore
Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Anthony P. Noble, CISA, Viacom, USA
Jamie Pasfield, CGEIT, ITIL V3, MSP, PRINCE2, Pfizer, UK
Ivan Sanchez Lopez, CISA, CISM, ISO 27001 LA, CISSP, DHL Global Forwarding & Freight, Germany

Cybersecurity Task Force
Eddie Schwartz, CISA, CISM, CISSP, MCSE, PMP, USA, Chairman
Manuel Aceves, CISA, CISM, CGEIT, CRISC, CISSP, FCITSM, Cerberian Consulting, SA de CV, Mexico
Sanjay Bahl, CISM, CIPP, CA, India
Neil Patrick Barlow, CISA, CISM, CRISC, CISSP, Capital One, UK
Brent Conran, CISA, CISM, CISSP, USA
Derek Grocke, HAMBS, Australia
Samuel Linares, CISA, CISM, CGEIT, CRISC, CISSP, GICSP, Industrial Cybersecurity Center (CCI), Spain
Marc Sachs, Verizon, USA
