Computer Forensics: Sources of Data That Could Be Used in a Digital Investigation
Digital forensic investigations handle a massive number of data sources that aid in capturing and preserving evidence, which in turn becomes useful in legal proceedings. The different crimes or events that investigators encounter drive the prioritisation of the various forms of data analysed, the information required, and the value of the data with respect to the event. The data sources used in digital forensic investigations vary markedly from case to case. This paper prioritises such data in terms of potential usefulness in three different scenarios: network intrusion, malware installation, and insider file deletion.
Network intrusion
A network intrusion occurs when an unauthorised party gains access to a computer network. Casey (2005) opines that network intrusions can have considerable impacts on the victim's computer network, such as stolen, deleted, or altered files and the damage or destruction of software or hardware.
Prioritised data sources
Account auditing
Account auditing is the first data source that forensic investigators would be interested in, in terms of examining the data, tracking the intruder, preserving evidence, and reconstructing the crime. NIST (the National Institute of Standards and Technology) (2002) advocates controlling access to any asset through a combination of administrative and technical controls, so that only approved users have access to the information systems and are in turn held accountable for that access. To monitor access, it is necessary to positively identify and verify users. It is also important to realise that a weakness in the policy of one node in the network places the other nodes at risk. For this reason, NIST (2002) recommends that all agencies ensure that their access control policy is uniform. Role and account maintenance requires that user authentication be backed by a strong password, and users are also advised to change their passwords regularly. Administrators have an important role to play in ensuring that the user names in the system belong to currently identified users, and user updating and deletion should also happen on a regular basis. User accounts need to be audited so that administrators can delete inactive accounts. There is also a need to limit incorrect logon attempts: accounts should be locked following several erroneous password entries (NIST, 2002).
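As an added illustration that is not part of the original paper, the following Python script applies two of the NIST controls described above, a failed-logon threshold and an inactive-account check, to constructed logon records; the log format, thresholds, and account names are assumptions.

```python
"""Account-audit checks over constructed logon records (added example, not from the paper).
Two NIST (2002) controls from the text: flag accounts that exceed a failed-logon threshold (lockout
candidates) and list accounts with no recent successful logon (deletion candidates). Format is assumed."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines in an assumed format: "<ISO timestamp> <RESULT> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-03-01T08:01:10 FAILED user=jdoe src=10.0.0.5
2024-03-01T08:01:14 FAILED user=jdoe src=10.0.0.5
2024-03-01T08:01:19 FAILED user=jdoe src=10.0.0.5
2024-03-01T08:01:25 FAILED user=jdoe src=10.0.0.5
2024-03-01T08:02:00 SUCCESS user=jdoe src=10.0.0.5
2024-03-01T09:30:00 SUCCESS user=asmith src=10.0.0.9
2023-11-12T17:45:00 SUCCESS user=oldtemp src=10.0.0.7
"""
LINE_RE = re.compile(r"^(\S+) (FAILED|SUCCESS) user=(\S+) src=(\S+)$")

def parse_log(text):
    """Return (timestamp, result, user, src) tuples; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, result, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), result, user, src))
    return events

def failed_logon_offenders(events, threshold=3, window=timedelta(minutes=5)):
    """Accounts with at least `threshold` failures inside any sliding `window`, with the count seen."""
    failures = defaultdict(list)
    for ts, result, user, _ in events:
        if result == "FAILED":
            failures[user].append(ts)
    offenders = {}
    for user, times in failures.items():
        times.sort()
        for i, start in enumerate(times):
            run = [t for t in times[i:] if t - start <= window]
            if len(run) >= threshold:
                offenders[user] = len(run)
                break
    return offenders

def inactive_accounts(known_accounts, events, now, max_idle=timedelta(days=90)):
    """Accounts that never logged on successfully, or whose last success is older than `max_idle`."""
    last_ok = {}
    for ts, result, user, _ in events:
        if result == "SUCCESS":
            last_ok[user] = max(last_ok.get(user, ts), ts)
    return sorted(u for u in known_accounts if u not in last_ok or now - last_ok[u] > max_idle)

def run_audit(log_text, known_accounts, now_iso):
    """Convenience wrapper: (lockout candidates, deletion candidates) for one log and account list."""
    events = parse_log(log_text)
    now = datetime.fromisoformat(now_iso)
    return failed_logon_offenders(events), inactive_accounts(known_accounts, events, now)
```

The account list passed to `run_audit` stands in for the administrator's record of currently identified users, so an account that exists but never appears in the log (here `ghost`) is reported as well.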
Live system data
Forensic investigators may also capture live data from systems using software such as EnCase and thereafter maintain an audit log via the script command. This mode of capturing data could enable forensic investigators to establish how intruders have managed to access the network, for example through the installation of a sniffer. Intruders may also replace the original Telnet with a more vulnerable version, thereby facilitating remote access (Casey, 2005). The main reason an incident handler could be compelled to use a tool like EnCase to capture live data is to establish whether the event or incident has actually taken place and whether a complete investigation ought to be carried out on the system. Live forensics enables forensic investigators to capture volatile data, that is, system information that usually disappears once the device has been switched off. However, McDougal (2006) notes that forensic investigators usually face various challenges in “live forensics”, the capture of data from live systems. One key challenge is preserving the state of the system while ensuring that the captured data remains forensically sound. This can, however, be accomplished with forensic toolkits such as EnCase, which automate the process. Live system data is ranked the second most useful source of data after account auditing because it offers by far the most promising evidence for identifying the systems and files that might have been compromised, in addition to providing real-time evidence that reveals how the intruder has managed to access the system (Casey, 2005).
Intrusion detection systems (IDS)
IDS have proven indispensable as far as detecting network intrusions is concerned, largely because network administrators can program an IDS to alert them automatically in the event of unusual network traffic. In this sense an IDS could be compared to a burglar alarm: while one can still observe cyberspace as well as physical space directly, both give alerts in the event that the unforeseen does occur (Hill & O’Boyle, 2000). The key difference is that in cyberspace it is much harder to identify unauthorised access than in a physical space. An IDS operator could then be faced with the considerable challenge of differentiating anomalous activities from harmless ones (Hill & O’Boyle, 2000), in addition to programming the IDS so that it is able to capture future anomalies. Automated IDS, along with the associated forensic actions, employ “signature matching”, which examines network activity and connections and alerts on definite patterns of incidents and means of attack. Unfortunately, automatic signature matching is not yet recognised as a precise process and relies on various factors. Signatures often elicit false alarms on account of their broad generalisation, as in the case of alarms for port scanning.
It is also important to note that attack profiles differ markedly, so that besides the recognised malware insertion challenges there are now customised programs developed and directed at specific systems. Unfortunately, the public is privy to most of these customised programs. An IDS cannot capture such customised programs, since there are no signatures for them; moreover, signatures only become available after an attack has taken place. The drawback of using an IDS in such a situation is that, in the absence of the most current updates, it tends to be quite ineffective. Nonetheless, forensic investigators could begin by classifying the automatically generated IDS alarms, and then use cues from those alarms to assess the less processed information and system logs further. The investigator, in trying to isolate evidence of an intrusion, requires vast knowledge of the different hacking techniques and operating systems, and must be able to fully understand the logs of diagnostic systems and tools.
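To make the signature-matching and false-alarm points concrete, here is an added example (not from the paper or from any cited product) of a toy IDS in Python that runs payload signatures and a port-scan heuristic over constructed connection records and then performs the first classification pass over the resulting alarms; the record format, signatures, thresholds and addresses are all assumptions.

```python
"""Toy signature-matching IDS over constructed connection records (added example, not from the paper).

Shows the two mechanisms described above: payload signatures, and a port-scan heuristic
(many distinct ports from one source in a short window) that is broad enough to fire on an
authorised internal scanner as well, i.e. a false alarm the analyst must classify away.
Record format, signatures, thresholds and addresses are all assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

def _rec(t, src, dport, payload=""):
    return (datetime.fromisoformat(t), src, "10.0.0.20", dport, payload)

# Constructed records: a web probe plus port sweep from an external host, an authorised
# internal vulnerability scanner sweeping the same server, and one benign request.
RECORDS = [_rec("2024-03-01T10:00:00", "203.0.113.7", 80, "GET /../../etc/passwd HTTP/1.1")]
RECORDS += [_rec(f"2024-03-01T10:00:{i + 1:02d}", "203.0.113.7", p)
            for i, p in enumerate([21, 22, 23, 25, 443, 445, 3389])]
RECORDS += [_rec(f"2024-03-01T11:00:{i:02d}", "10.0.0.5", p)
            for i, p in enumerate([21, 22, 25, 80, 443, 8080])]
RECORDS.append(_rec("2024-03-01T12:00:00", "198.51.100.3", 80, "GET /index.html HTTP/1.1"))

SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-injection": re.compile(r"(?i)\bunion\s+select\b"),
}

def match_signatures(records):
    """(src, signature name) for every record whose payload matches a signature."""
    hits = []
    for _, src, _, _, payload in records:
        for name, pattern in SIGNATURES.items():
            if pattern.search(payload):
                hits.append((src, name))
    return hits

def detect_port_scans(records, min_ports=5, window=timedelta(seconds=60)):
    """src -> most distinct destination ports seen from it inside any `window`, if >= min_ports."""
    by_src = defaultdict(list)
    for ts, src, _, dport, _ in records:
        by_src[src].append((ts, dport))
    hits = {}
    for src, conns in by_src.items():
        conns.sort()
        for i, (start, _) in enumerate(conns):
            ports = {p for t, p in conns[i:] if t - start <= window}
            if len(ports) >= min_ports:
                hits[src] = max(hits.get(src, 0), len(ports))
    return hits

def triage(records, authorised_scanners=frozenset({"10.0.0.5"})):
    """First classification pass: port-scan alarms from an authorised scanner are a known false alarm."""
    alerts = [(src, sig, "investigate") for src, sig in match_signatures(records)]
    for src, n in detect_port_scans(records).items():
        status = "known-scanner" if src in authorised_scanners else "investigate"
        alerts.append((src, f"port-scan:{n}", status))
    return sorted(alerts)
```

The port-scan rule fires on both hosts because it only counts distinct ports; the allow-list in `triage` is the kind of local knowledge an investigator applies before digging into the underlying logs.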
ISP (Internet Service Provider) Records
In the event of a network intrusion, investigators may have to contact the ISP and ask for records and logons associated with the case being investigated (Casey, 2005). Daniel (2012) observes that, where a subpoena is obtained, it is possible to glean certain basic information from ISP records, depending on the ISP account holders and what the ISP collects. Examples of information available from the ISP include e-mail addresses, the names and mailing addresses of account holders, and payment information such as bank account or credit card details, which could help uncover other evidence (Daniel, 2012). However, a subpoena may be necessary to obtain information from an ISP. Moreover, such information might not always be trustworthy, not to mention that different ISPs hold different information on their customers.
Malware installation
Malware is defined as malicious software that might emanate from code or scripts hidden in content or websites, embedded in various forms of software, or buried in web advertisements. Malware may infect a system when a user opens an email, visits a webpage, or even clicks on a given hyperlink. There are different forms of malware, but the most common are rootkits, viruses, worms, and spyware, and each infects a network system differently (Goodrich, 2012). Malware is quite dangerous considering that it exists in various forms, is quite hard to investigate, but very easy to develop. While numerous anti-spyware, anti-malware and anti-virus applications have been developed with the aim of detecting and eradicating malware from a system, the effectiveness of such programs is only as good as the updates provided to identify the attack.
Prioritised data sources
Live system data
It is important to collect live system data in a malware installation scenario. For example, Overton (2008) recommends that as soon as a suspect system has been identified, all traffic leaving and arriving at the system in question be captured, together with a search for hidden files that might have been inserted by the malware. One can make use of vulnerability assessment tools such as Nessus and Nmap on not just the suspect workstation but the entire network as a key step towards analysing the anomalies (Overton, 2008). One can also rely on programs such as Windows Forensics and Helix3 to assess volatile system data for helpful evidence such as system applications and drivers, network routing tables, and running services and processes, without the attacker knowing that an investigation is under way (Aquilina, Malin & Casey, 2010). A key challenge in establishing whether malware has been installed on a live system is the unavailability of tools to undertake an in-depth assessment. Moreover, the anti-malware tools being used could yield a lot of false positives. Alternatively, the malware could be so quiet that it does not get noticed until after the system has suffered irreparable damage.
Intrusion detection system (IDS)
Malware installation also calls for IDS. Once the initial investigation is complete and the analyst has established the possibility of an infection that the anti-malware program did not capture, it is important to remove the workstation from the network so that the malware does not spread to other systems. Moreover, the protocols and ports collected should undergo further analysis using network analysis tools such as an IDS, Snort, or Wireshark (Overton, 2008). IDS find use in malware detection through the development of signatures created on the basis of information collected in past inspections. Such signatures can then be deployed to help block future attacks until the anti-virus programs have been updated. IDS have proven essential in detecting and preventing malware entering the system via the network boundary, and can be combined with anti-malware scanning tools to provide enhanced system protection. Moreover, an IDS used for malware detection makes use of the source IP address, so such data could quickly get rid of threats within the network (Overton, 2005). A key drawback of IDS, however, is the difficulty of developing and maintaining signatures, as analysts need training to understand and use them in detecting malware. Moreover, an investigator could be overwhelmed by the sheer amount of information that he or she has to sift through in detecting intrusions.
Virtual Machine (VM)
A VM is another useful tool in the malware installation scenario. Overton (2008) recommends that a lab environment or private/closed network be used to analyse malware where possible. This can be achieved with virtual machines, which allow multiple systems to run on a single piece of hardware and so facilitate “behavioural malware analysis” (Zeltser, 2007). Virtual machine programs such as VMware enable system administrators to take snapshots of system performance, settings, and volatile data during the observation process. This ensures that, should further study of the system be deemed necessary, one can easily revert to a previous snapshot. VMware also facilitates the creation of a simulated network, making it unnecessary to connect infected systems to a live network.
Consequently, it becomes easier to undertake system analysis in a well-protected environment and still analyse network traffic (Zeltser, 2007). A virtual environment also facilitates the detection of threats, not to mention the testing and verification of mitigations. However, virtual machines are not without their fair share of challenges. For example, a virtual environment might sometimes fail to mimic the attributes of an OS (operating system) on a physical platform, and this could enable attackers to recognise the virtual machine. Under certain circumstances a virtual environment could fail to meet the requirements owing to the malware's response or the nature of the systems being impersonated (Brand, Valli & Woodward, 2010).
Insider File Deletion
An organisation could face insider threats from diverse sources, including employees, vendors, visitors, contractors, and virtually anybody else who has reasonable access to its assets. Insiders are an especially potent threat given their familiarity with the organisation's databases, processes, and systems, not to mention their authorised positions inside its security barriers (Cappelli et al., 2005). Files crucial to an organisation could be intentionally or accidentally deleted, and for this reason information security personnel need the tools and skills required to recover such lost data.
Prioritised data sources
A key goal in inside file deletion is to obtain a forensic copy of the hard drive with the aim of retrieving overwritten data from it. The non-volatile data found in the master file table is of key concern here. Such data may be recovered with the help of various third-party applications. For instance, once a file has been deleted from the Recycle Bin in Windows, the only file information erased is the sector, the path, and extra identifying information such as the modification and creation dates. The file system notifies Windows that the space previously occupied by the erased file is available for use, so any new files written there overwrite information erased earlier. If a newly saved file does not take up all the space previously occupied by the deleted file, meaning that the old information was not fully overwritten, the deleted file can be recovered with various forensic software. If the file was deleted recently, it could be recovered using a tool like WinUndelete (Landry & Nabity, n.d.). However, if the entire file has been overwritten, its recovery could prove a challenge. The use of freeware such as “Eraser” by a smart criminal to overwrite the erased data immediately means that it cannot be recovered even with the help of forensic toolkits (Capshaw, 2011). It is also quite challenging to recover files that have been deleted from a network storage device. Once a file has been deleted from a network share or folder, the easiest means of recovering it is via its earlier versions. However, such recovery could be thwarted by a large or difficult-to-analyse file system disk. Insiders who also happen to have administrative access to the system could also be privy to techniques for permanently destroying network storage volumes or deleting files.
Storage area networks and local area networks could be easy targets for inside file deletion. Organisations with remote collaborative working systems or Windows file servers facilitate remote access to the network, but files on them can also be easily identified and deleted. While numerous software tools exist for undeleting files deleted from a system, these are limited to a few days and instances following deletion. There is a need to fully comprehend the kind of deletion, since certain events could result in the total destruction or deletion of storage devices.
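The deletion, partial-overwrite and wiping behaviour described above, as an added example that is not part of the original paper: a toy in-memory disk with a cluster allocation table, written in Python. The cluster size, the file contents and the simplified layout (not FAT or NTFS) are assumptions.

```python
"""Toy cluster-level model of file deletion, partial overwrite and recovery (added example, not from the paper).
Deleting only releases clusters; a later file that does not reuse all of that space leaves a recoverable
fragment (in free clusters and in the new file's slack); a wiping tool that overwrites first leaves nothing.
Layout is a simplification, not FAT or NTFS; sizes and contents are constructed."""
CLUSTER = 16        # bytes per cluster on the toy disk (assumed)
N_CLUSTERS = 8

class ToyDisk:
    def __init__(self):
        self.data = bytearray(CLUSTER * N_CLUSTERS)
        self.alloc = [None] * N_CLUSTERS   # owning file name per cluster, None = free
        self.directory = {}                # name -> (cluster list, byte length) for live files

    def write_file(self, name, content):
        needed = -(-len(content) // CLUSTER)          # ceiling division
        free = [c for c, owner in enumerate(self.alloc) if owner is None][:needed]
        if len(free) < needed:
            raise OSError("disk full")
        for k, c in enumerate(free):
            chunk = content[k * CLUSTER:(k + 1) * CLUSTER]
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk   # rest of the cluster is untouched
            self.alloc[c] = name
        self.directory[name] = (free, len(content))

    def delete_file(self, name):
        clusters, _ = self.directory.pop(name)   # ordinary deletion: metadata goes, bytes stay
        for c in clusters:
            self.alloc[c] = None

    def wipe_file(self, name):
        for c in self.directory[name][0]:        # what a wiping tool does: overwrite, then release
            self.data[c * CLUSTER:(c + 1) * CLUSTER] = bytes(CLUSTER)
        self.delete_file(name)

    def carve_unallocated(self):
        """Non-zero content of every free cluster, in disk order: what a recovery tool can still read."""
        return b"".join(bytes(self.data[c * CLUSTER:(c + 1) * CLUSTER]).rstrip(b"\x00")
                        for c in range(N_CLUSTERS) if self.alloc[c] is None)

    def file_slack(self, name):
        """Bytes between the end of a live file and the end of its last cluster."""
        clusters, length = self.directory[name]
        start = clusters[-1] * CLUSTER + length - CLUSTER * (len(clusters) - 1)
        return bytes(self.data[start:(clusters[-1] + 1) * CLUSTER])

SECRET = b"A" * 16 + b"B" * 16 + b"C" * 8   # constructed: 40 bytes spanning three clusters
NEW = b"N" * 20                             # constructed: 20 bytes, reuses one cluster and a quarter

def scenario_partial_overwrite():   # delete SECRET, write NEW over part of its space
    d = ToyDisk()
    d.write_file("secret.txt", SECRET)
    d.delete_file("secret.txt")
    d.write_file("new.txt", NEW)
    return d.carve_unallocated(), d.file_slack("new.txt")

def scenario_wiped():               # same file wiped instead of deleted
    d = ToyDisk()
    d.write_file("secret.txt", SECRET)
    d.wipe_file("secret.txt")
    return d.carve_unallocated()
```

In the partial-overwrite scenario the third cluster of the old file is still free and intact, and the unused tail of the new file's second cluster still holds old bytes; after the wipe the carve returns nothing, which is the situation the text describes for “Eraser”.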
Conclusion
Digital forensic investigations handle massive amounts of data from many sources. This paper has examined three key events in digital forensic investigations that determine the prioritisation of the nature of the data analysed, the kind of information required, and the value of the data with respect to the event. Important data sources for network intrusions are live system data, account audits, IDS, and Internet Service Provider records. Malware installation calls for an assessment of live system data, IDS, and virtual machines. Recovering deleted files depends mainly on non-volatile data and hard drives. Each of these data sources has its own benefits and challenges, which an investigator can take into account in assessing the situation confronting them.
References
Aquilina, J. M., Malin, C. H., & Casey, E. (2010). Malware forensics field guide for Windows systems (Digital forensics field guides). New York: Syngress. Retrieved from
Brand, M., Valli, C., & Woodward, A. (2010, November). Malware forensics: Discovery of the intent of deception. In Proceedings of the 8th Australian Digital Forensics Conference, Perth, Australia. Retrieved from
Cappelli, D., Keeney, M., Kowalski, E., Moore, A., & Randazzo, M. (2005). Insider threat study: Illicit cyber activity in the banking and finance sector (Technical report). Carnegie Mellon Software Engineering Institute. Retrieved from
Capshaw, J. (2011, April 1). Computer forensics: Why your erased data is at risk. Retrieved from
Casey, E. (2005). Case study: Network intrusion investigation - lessons in forensic preparation. Retrieved from
Daniel, L. (2012). Digital forensics for legal professionals. Waltham, MA: Elsevier.
Goodrich, R. (2012). What is malware? How malicious software can affect your computer. Retrieved from http://www.technewsdaily.com/15612-what-is-malware.html
Hill, B., & O’Boyle, T. (2000, August). Cyber detectives employ intrusion detection systems and forensics. Retrieved from
Landry, B., & Nabity, P. (n.d.). Recovering deleted and wiped files: A digital forensic comparison of FAT32 and NTFS file systems using Evidence Eliminator.
McDougal, M. (2006). Live forensics on a Windows system: Using Windows Forensic Toolchest. Retrieved from
National Institute of Standards and Technology. (2002). Agency IT security handbook: Technical controls. In Federal agency security practices (2nd ed.). Retrieved from
Overton, M. (2005, May). Anti-malware tools: Intrusion detection systems. Paper presented at the 2005 EICAR Conference, Malta. Retrieved from
Overton, M. (2008, October). Malware forensics: Detecting the unknown. Paper presented at the 2008 Virus Bulletin Conference, Ottawa, Canada. Retrieved from
Zeltser, L. (2007, May 1). Using VMware for malware analysis. Retrieved from