To combat cybercrime and collect digital evidence relevant to all crimes, law enforcement agencies are integrating digital evidence collection and analysis, also known as computer forensics, into their infrastructure. Law enforcement agencies need to train officers to collect digital evidence and to keep up with rapidly evolving technologies such as computer operating systems. Whenever law enforcement officers are involved, compliance with legal requirements is critical to the successful completion of an investigation. Following proper procedures for handling evidence is therefore a primary concern for digital forensics experts.
The CHFI presents a methodical approach to computer forensics that includes the search and seizure of digital evidence, as well as the collection, storage, analysis, and reporting of that evidence to serve as valid information in investigations. A CHFI may use various methods to obtain data from a computer system, cloud service, cell phone, or other digital device. Recovered data is often used as evidence in criminal trials, but is also sometimes recovered for businesses after a data breach. In addition, the criminals investigated by computer forensic experts are not always cyber criminals. Since almost everyone uses a computer, there is often valuable information on your personal device that can contribute to an investigation.
Finally, our services team can help you test your playbooks with exercises such as penetration testing, red and blue team exercises, and adversary emulation scenarios. Behavior analysis has been used very successfully to support traditional criminal investigations. This digital forensics chapter explores how behavior analysis can be adapted for use in cybercrime investigations. The weaknesses of the traditional digital forensics model are discussed, and then the behavioral analysis model is presented with its potential applications and limitations.
In the 1980s, there were very few digital forensic tools, forcing forensic investigators to perform live analysis and use existing system management tools to extract evidence. This risks altering data on disk, which can expose the investigator to accusations of evidence tampering. Digital forensics is concerned with the identification, preservation, examination, and analysis of digital evidence using scientifically accepted and validated methods, so that the results can be used in court and in public. Electronic evidence is a component of nearly all criminal activity, and digital forensic support is critical to police investigations.
Three case studies will be presented to illustrate how behavioral analysis helps in the investigation of cybercrime. Digital forensics experts are also being hired by the private sector as part of cybersecurity and information assurance teams to determine the root causes of data breaches, data leaks, cyberattacks, and other cyberthreats. Digital forensics can also be part of incident response to recover or identify sensitive data or personally identifiable information lost or stolen in a cybercrime. In the 1990s, digital investigations were conducted through live analysis, and using the device in question to investigate digital media was commonplace. Over time, live analysis became ineffective due to the increasing use of devices filled with vast amounts of information. Eventually, digital forensic tools were developed to examine the data on a device without damaging it.
Digital forensics is an extensive process, and a secure environment is required to recover and secure digital evidence. Each subset of digital forensics may have its own specific guidelines for conducting investigations and handling evidence. For example, cell phones may be required to be placed in a Faraday shield during seizure or capture to prevent the device from receiving further radio traffic.
SMS data from a mobile device investigation helped exonerate Patrick Lumumba in the murder of Meredith Kercher. Digital forensics is not limited to recovering data from computers, since crimes are now also committed using small digital devices (e.g., tablets, smartphones, flash drives) that are in widespread use. There are sufficient methods for retrieving data from volatile memory, but there is a lack of detailed methodology or framework for retrieving data from non-volatile memory sources. Depending on the type of device, media, or artifact, digital forensic investigation branches into several types.
However, in the 1970s and 1980s, the forensic team consisted primarily of federal agency representatives with computer skills. The first problem area for law enforcement was data storage, since most records were created digitally. It is undeniable that seizing, storing, and analyzing the records was a time-consuming task for the agencies. In response, the FBI launched the Magnetic Media program in 1984, the first official digital forensics program. Organizations that lose valuable digital information can also enlist the help of digital forensic experts to recover data deleted from a hard drive.
Unlike other areas of digital forensics, network data is often volatile and rarely recorded, so the discipline is often reactive. When used in court, digital evidence is subject to the same legal guidelines as other evidence; courts generally do not require stricter guidelines. In the United States, the Federal Rules of Evidence are used to assess the admissibility of digital evidence, the United Kingdom has similar guidelines in the PACE and Civil Evidence Acts, and many other countries have their own laws. It is acknowledged that it is not always possible to determine this for digital media prior to an examination. Digital forensics positions carry titles such as investigator, technician, or analyst, depending on specialization and seniority, and most positions are in the public sector, such as law enforcement, state or national agencies, or crime labs.