1 Introduction To Cyber Forensics

1. Introduction to cyber Forensics


One of the biggest threats facing businesses and corporations today is that of Cyber-
attacks and threats. If these are large enough in scale and magnitude, they could even be
considered an act of Cyber terrorism, in which a significant impact is felt both in
cost and in human emotion. Whenever something like this occurs, two of the
most common questions that get asked are:
1. How did it happen?
2. How can this be prevented from happening again in the future?
Obviously, there are no easy answers to this, and depending on the severity of the
Cyber-attack, it could take weeks and even months to determine the answers to these
two questions. The latter can be answered by conducting various in-depth
penetration testing exercises.
In this regard, once the lines of defence have been beefed up, these tests push
the defence mechanisms to their absolute breaking point to determine and uncover
any hidden weaknesses or holes.
The former is where the role of forensics comes into play. Any remnants of the
Cyber-attack and any evidence left behind at the scene need to be collected very
carefully and examined. It is from this point onwards that the questions of
"who, what, where, when and why" can be answered by the forensics examiners and
investigators.
It is important to keep in mind that the field of forensics, especially as it relates to
Information Technology, is very broad in nature and involves many sub-specialties.
These include digital forensics, mobile forensics, database forensics, logical access
forensics, etc., to name just a few.
In this article, we provide an overview of the field of computer forensics. We focus
primarily on what it is about, the importance of it, and the general steps that are
involved in conducting a computer forensics case.

A Definition of Computer Forensics and Its Importance


The term forensics literally means using an established scientific process
for the collection, analysis, and presentation of the evidence which has been collected.
All forms of evidence are important, especially when a Cyber-attack has
occurred. Thus, a formal definition of computer forensics can be presented as follows:
“It is the discipline that combines the elements of law and computer science to collect
and analyze data from computer systems, networks, wireless communications, and
storage devices in a way that is admissible as evidence in a court of law.”
Obviously, when a Cyber-attack has occurred, collecting all relevant evidence is of
utmost importance to answer the questions which were outlined above. However,
keep in mind that the forensics examiner/investigator is particularly interested in one
particular kind of evidence, which is known specifically as "latent data."
In the Cyber security world, this kind of data (also known as "ambient data") is not
easily seen or accessible at first glance at the scene of a Cyber-attack. In other
words, it takes a much deeper level of investigation by the computer forensics expert to
unearth it. This data has many uses, but it is stored in such a way that access to it is
extremely limited.
Examples of latent data include the following:
1. Information which is in computer storage but is not readily referenced in the file
allocation tables;
2. Information which cannot be viewed readily by the operating system or commonly
used software applications;
3. Data which has been purposely deleted and is now located in:
- Unallocated spaces in the hard drive;
- Swap files;
- Print spooler files;
- Memory dumps;
- The slack space between the existing files and the temporary cache.
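As an added illustration (not part of these notes) of the first and third kinds of latent data above, the following Python toy models a file allocation table so the difference between what the operating system shows and what still sits on the disk can be observed. The cluster geometry, file names and contents are all constructed for this example.

```python
"""Added toy disk image showing why deleted data is "latent": deleting a file only
clears its allocation-table entry, so its bytes linger in unallocated space, and a
smaller file later written over the same cluster leaves the old tail as file slack."""
import re

CLUSTER = 16     # constructed geometry: 16-byte clusters
N_CLUSTERS = 8   # constructed geometry: a 128-byte "disk"

class ToyDisk:
    def __init__(self):
        self.data = bytearray(CLUSTER * N_CLUSTERS)
        self.table = {}  # name -> (size, [clusters]): the "file allocation table"

    def free_clusters(self):
        used = {c for _, chain in self.table.values() for c in chain}
        return [c for c in range(N_CLUSTERS) if c not in used]

    def write(self, name, content):
        chunks = [content[i:i + CLUSTER] for i in range(0, len(content), CLUSTER)]
        chain = self.free_clusters()[:len(chunks)]
        if len(chain) < len(chunks):
            raise OSError("disk full")
        for c, chunk in zip(chain, chunks):
            # Only len(chunk) bytes are written; the rest of the cluster keeps
            # whatever was there before (that remainder is the file slack).
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.table[name] = (len(content), chain)

    def delete(self, name):
        del self.table[name]  # what an OS delete does: drop the entry, keep the bytes

    def os_view(self):
        """What the OS shows: bytes reachable through the table, up to file size."""
        return {n: self._chain_bytes(ch)[:size] for n, (size, ch) in self.table.items()}

    def slack(self, name):
        """Bytes between a file's end and the end of its last cluster."""
        size, chain = self.table[name]
        used_in_last = size - (len(chain) - 1) * CLUSTER
        return bytes(self.data[chain[-1] * CLUSTER + used_in_last:(chain[-1] + 1) * CLUSTER])

    def unallocated(self):
        """Bytes in clusters that no table entry references."""
        return self._chain_bytes(self.free_clusters())

    def _chain_bytes(self, chain):
        return b"".join(bytes(self.data[c * CLUSTER:(c + 1) * CLUSTER]) for c in chain)

def carve_strings(blob, min_len=4):
    """Minimal 'strings'-style carve: runs of printable ASCII in raw bytes."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)

def demo():
    disk = ToyDisk()
    disk.write("secret.txt", b"PASSWORD=hunter2 in the clear!!")  # 31 bytes -> 2 clusters
    disk.delete("secret.txt")                                    # vanishes from os_view()
    disk.write("note.txt", b"hello")                             # partly reuses cluster 0
    return {"os_view": disk.os_view(),                           # {'note.txt': b'hello'}
            "slack": disk.slack("note.txt"),                     # b'ORD=hunter2'
            "carved_unallocated": carve_strings(disk.unallocated())}  # [b' in the clear!!']
```

The OS view reports only `note.txt`, yet the deleted password survives partly in the slack of `note.txt` and partly in unallocated clusters, which is exactly the material a forensic examiner carves.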

AWT Page 1

Computer forensics is of paramount importance to a business or a corporation.
For instance, there is often the thinking that simply fortifying the lines of
defence with firewalls, routers, etc. will be enough to thwart any Cyber-attack. The
security professional knows that this is untrue, given the extremely
sophisticated nature of today's Cyber hacker.
This premise is also untrue from the standpoint of computer forensics. While these
specialized pieces of hardware do provide information to a certain degree as to
what generally transpired during a Cyber-attack, they very often do not possess that
deeper layer of data to provide the clues as to what exactly happened.
This underscores the need for the organization also to implement those security
mechanisms (along with the hardware above) which can provide these specific pieces of
data (examples include those security devices which make use of artificial intelligence,
machine learning, business analytics, etc.).
Deploying this kind of security model, in which the principles of computer
forensics are also adopted, is also referred to as "Defence in Depth."
By having these specific pieces of data, there is a much greater probability that the
evidence presented will be considered admissible in a court of law, thus bringing the
perpetrators who launched the Cyber-attack to justice.
Also, by incorporating the tenets of "Defence in Depth," the business or corporation
can readily come into compliance with federal legislation and mandates (such as
HIPAA and Sarbanes-Oxley). These require that all types and kinds of data (even
latent data) be archived and stored for audit purposes. If an entity fails any compliance
measures, it can face severe financial penalties.

1.1 Information Security Investigations


The Steps Involved in Conducting a Computer Forensics Case:
Equally important in this regard is maintaining a chain of custody, which details who
had custody of the evidence and the latent data over the course of the actual
investigation. It is important to note that the steps outlined below are only the general
steps which are utilized.
Obviously, the specific sequencing and the activities which encompass them will vary
greatly. In fact, it is important to implement a dynamic computer forensics investigation
methodology, as each Cyber-attack is very different from the next.
1. Readiness:
This first part ensures that the forensics investigator/examiner and his or her
respective team are always prepared to take on an investigation at literally a moment's
notice. This involves:
- Making sure that everybody has been trained in the latest computer forensic
research techniques;
- Being aware of any legal ramifications when it comes time to visit the scene of
the Cyber-attack;
- Planning ahead as best as possible for any unexpected technical/non-technical issues
at the victim's place of business;
- Ensuring that all collection and testing equipment are up to speed and ready to
go.

2. Evaluation:
At this stage, the computer forensics team receives their instructions about the
Cyber-attack they are going to investigate. This involves the following:
- The allocation/assignment of roles and resources which will be devoted
throughout the course of the entire investigation;
- Any known facts, details, or particulars about the Cyber-attack which has just
transpired;
- The identification of any known risks during the course of the investigation.

3. Collection:
This component is divided into two distinct sub-phases:
- Acquisition:
This involves the actual collection of the evidence and the latent data from the
computer systems and any other part of the business or corporation which may also have
been impacted by the Cyber-attack. Obviously, there are many tools and techniques
which can be used to collect this information, but at a very high level, this sub-phase
typically involves identifying and securing the infected devices, as well as
conducting any necessary face-to-face interviews with the IT staff of the targeted entity.
Typically, this sub-phase is conducted on site.
- Collection:
This is the part where the actual physical evidence and any storage devices which are
used to capture the latent data are labeled and sealed in tamper-resistant bags. These
are then transported to the forensics laboratory where they will be examined in much
greater detail. As described before, the chain of custody becomes a critical
component at this stage.

4. Analysis:
This part of the computer forensics investigation is just as important as the previous
step. It is here where all of the collected evidence and the latent data are researched in
excruciating detail to determine how and where the Cyber-attack originated, who
the perpetrators are, and how this type of incident can be prevented from entering the
defence perimeters of the business or corporation in the future. Once again, there are
many tools and techniques which can be used at this phase, but the analysis must meet
the following criteria:
- It must be accurate;
- Every step must be documented and recorded;
- It must be unbiased and impartial;
- As far as possible, it must be completed within the anticipated time frames and
the resources which have been allocated to accomplish the various analysis
functions and tasks;
- The tools and the techniques which were used to conduct the actual analyses must
be justifiable by the forensics team.

5. Presentation:
Once the analyses have been completed, a summary of the findings is then
presented to the IT staff of the entity which was impacted by the Cyber-attack. Probably
one of the most important components of this particular document is the
recommendations and strategies which should be undertaken to mitigate any future risks
from potential Cyber-attacks.
Also, a separate document is composed which presents these same findings to a
court of law in which the forensic evidence is being presented.

1.2 Corporate Cyber Forensics


Computer forensics is the application of investigation and analysis techniques to
gather and preserve evidence from a particular computing device in a way that is
suitable for presentation in a court of law. The goal of computer forensics is to perform a
structured investigation while maintaining a documented chain of evidence to find out
exactly what happened on a computing device and who was responsible for it.
Forensic investigators typically follow a standard set of procedures: After physically
isolating the device in question to make sure it cannot be accidentally contaminated,
investigators make a digital copy of the device's storage media. Once the original media
has been copied, it is locked in a safe or other secure facility to maintain its pristine
condition. All investigation is done on the digital copy. Investigators use a variety of
techniques and proprietary software forensic applications to examine the copy, searching
hidden folders and unallocated disk space for copies of deleted, encrypted, or damaged
files. Any evidence found on the digital copy is carefully documented in a "finding report"
and verified with the original in preparation for legal proceedings that involve discovery,
depositions, or actual litigation.
Computer forensics has become its own area of scientific expertise, with
accompanying coursework and certification. The key points of corporate cyber forensics
set out below are those required to explain the many challenges investigators face within
the corporate environment.
The information technology (IT) environment of a large corporation can be daunting
to characterize. Large corporations are often composed of a mixture of IT components
ranging from legacy production systems to bleeding-edge laboratory systems.
Additionally, business acquisitions, partnering, and nonstandard IT implementations
usually bring additional variety to the mix.
The most important aspect of successfully managing cyber forensics in a corporate
environment is cooperation. Upper management must support a designated corporate
forensics team working all such cases, and the corporation as a whole must be aware of
the proper policies and procedures relating to incident response and digital forensics.
Take, for example, intrusion cases, which have life cycles with the following phases:
preparation, identification, containment, eradication, recovery, and follow-up.
The complexity of the corporate IT environments means that many parties must work
together to handle cases such as these.
For example, legal departments, application owners, application developers, system
administrators, network engineers, firewall administrators, and many others must
cooperate.
Steps to keep in mind
Using all the information related to the incident, investigators must try to identify,
preserve, and acquire all possible sources of potential evidence. The following steps are
important:
1. Ensure that system administrators do not start their own investigation. Many times,
administrators have accidentally corrupted evidence themselves or, in looking for
evidence, were noticed by the hackers, who then deleted log files and their hacker
tools before logging off the system.
2. Ask the network architects for the network diagrams and descriptions of the affected
network.
3. Identify critical business components related to the affected network (for example,
financial, contractual, legal).
4. Determine if disaster recovery plans exist and can permit certain systems or even the
whole portal to be restored in a clean state without interfering with the ability for the
investigators to complete forensic analysis of the affected systems.
5. Ask the security organization for any recent security audit reports of the affected
network, systems, and applications.
6. Establish the initial goals of the investigation. Goals are not always the same;
however, they would generally include these:
- Identify and preserve evidence.
- Determine, as accurately as possible, the method, time frame, and the scope
of the compromise.
- Provide feedback about containment, remediation, and security enhancement.
- Perform the investigation with as little disruption to the corporation as
possible.
- Identify, immediately, the firewall logs, centralized syslogs, router logs,
IDS/IPS logs, sniffer data, application logs, and any other data that could help
in the investigation.
- Implement, immediately, a plan for the preservation of logs so that historical
evidence is not deleted.
- Identify, immediately, the available data storage to handle copies of all the
logs. Note that this is often a challenge because corporations do not always
have available and accessible storage handy. Sometimes, the easy answer is
to ship out large-capacity USB external hard drives.


1.3 Scientific method in Forensic Analysis


Forensic Data Analysis (FDA) is a branch of Digital forensics. It examines structured
data with regard to incidents of financial crime. The aim is to discover and analyse
patterns of fraudulent activities. Data from application systems or from their underlying
databases is referred to as structured data.
The procedure by which scientists, collectively and over time, attempt to
assemble a precise interpretation of the world is referred to as the scientific method.
Perceptions and interpretations of natural phenomena can be influenced by personal and
cultural beliefs; however, the application of criteria and standard procedures helps to
minimize these biases while developing a theory. The
scientific method attempts to reduce the presence of prejudice or bias in the assessor
when examining theories and hypotheses.
The scientific method comprises four steps:
a. Observation and description of a phenomenon or group of phenomena;
b. Formulation of a hypothesis (or hypotheses) to explain the phenomena;
c. Use of the hypothesis to predict the existence of other phenomena, or to predict
quantitatively the results of new observations; and
d. Performance of experimental tests of the predictions by several independent
experimenters.

a. Observation and Description of a Phenomenon or a Group of Phenomena


The first step involved in the scientific method is the observation and description of a
phenomenon or a group of phenomena. The forensic examiner must observe an incident
or situation. An example of how this step of the scientific method relates to forensic
science is a crime scene investigation involving ballistics.
The observation would be of a particular bullet impression in an environment.
Perhaps the defense in the case would argue that the defendant
could not possibly have murdered the victim given the point of entry and point of exit
wounds or the type of bullet involved.
The forensic examiner on the particular case may have the responsibility of disputing
this claim. Forensic ballistic examination in criminal cases is not limited solely to
ballistics; it also encompasses bloodstain pattern analysis involving the projectile.

b. Formulation of a Hypothesis (Or Hypotheses) to Explain the Phenomena


The second step involved in the scientific method is the formulation of a hypothesis or
hypotheses to explain the phenomena. Essentially, this is the framing of a question or
theory around the incident. Perhaps there is a particular firearm in question, or perhaps
the firearm is undetermined at this juncture. The forensic examiner would then
determine whether or not the bullet came from the particular gun in question.
Tool mark and firearm examinations, consisting of analysis of ammunition, tool mark
and firearm evidence, would be conducted to establish whether the weapon in question
was employed during the commission of the crime in question.
Trajectory paths would also be examined to reconstruct the bullet's route. The following
paragraph will discuss the usage of the hypothesis to predict the existence of other
phenomena or to quantitatively predict new observation results.

c. Use of the Hypothesis to Predict the Existence of other Phenomena, or to
Predict Quantitatively the Results of new Observations

The third step involved in the scientific method is the use of the hypothesis to predict
the existence of other phenomena, or to predict quantitatively the results of new
observations. The hypothesis is the "tentative answer to the question: a testable
explanation for what was observed." The forensic examiner or scientist attempts to
explain what has been observed. In this cause-and-effect relationship, the hypothesis is
the possible cause, while the observation is the effect. This is not to be confused with a
generalization, as a generalization is based on inductive reasoning. The hypothesis is
the potential account for the observation.

Science is a continually evolving discipline involving ongoing research. Oftentimes
experts have presented erroneous opinions, which must be challenged. The following
paragraph will discuss the importance of experimental tests conducted by several
independent experimenters.

d. Performance of Experimental Tests of the Predictions by Several
Independent Experimenters

The fourth and final step involved in the scientific method is the performance of
experimental tests of the predictions by several independent experimenters. This aspect
actually denotes whether or not the hypothesis is supported by the results.
Once the experimentation has been conducted and the predicted results achieved, the
hypothesis is considered plausible. The experiment must be a controlled experiment
performed by several independent experimenters.
