As the world moves technologically from analogue to digital formats, it presents potential threats to digital forensic investigation. The retrieval and transfer of unauthorized data through digitized technology have both altered and destroyed relevant digital evidence that is essential for prosecuting computer or cyberspace criminal cases. The emergence of new advanced digital technologies has made the ways in which criminals use such devices to access information, which they then use to extort money from victims, more sophisticated. This in turn has made it difficult for forensic investigators to accurately obtain relevant data from sources such as mobile devices, database systems, social networks, and computers. As a result, the authenticity, reliability, and relevance of collected and examined digital evidence are at stake. This write-up therefore assesses four different sources of data that can be used in digital forensic investigation. It compares the challenges of collecting and examining these different sources with respect to network intrusion, malware installation, and insider file deletion.
With the increasing advancement of digital technology, most organizations and individuals rely heavily on digital devices and the internet to improve their businesses. This is done by offering digital processes such as data storage and recovery. As Ademu, Chris & Preston noted, massive amounts of information are normally produced, accumulated, and dispensed through electronic means (Ademu, Chris & Preston, 2011). Recent studies have shown that almost 98 percent of organizational documents are produced electronically. Equally, the growing use of social networking in the current digitized world has encouraged new modes of communicating and sharing information (Zainudin, Merabti & Jones, 2008). This rapid growth of online social networking has contributed to the increased sophistication of both technology and criminal activities.
Criminals have advanced their activities as they increasingly use technology to evade detection while engaging in criminal acts (Zainudin, Merabti & Jones, 2008). The use of computers as a medium for communication has enabled online transactions, thereby giving fraudsters new and advanced methods of attacking various technological systems. This requires a systematic approach that digital forensic investigators can incorporate in resolving such cybercrime. The three scholars pointed out that such revolutionized approaches should ensure that any recovered digital evidence is processed, presented, and used in a court of law.
On the other hand, a digital forensic investigation is a special branch of digital investigation in which the procedures and events used can allow a specialized case to enter a court of law (Carrier, 2006). While a digital investigation answers basic questions about digital states and events, Carrier noted that digital forensic investigators concentrate on determining whether or not contraband digital images exist on a computer.
Similar to computer forensics, digital forensic investigation should be used as an investigative tool that allows the investigator to gather all required information and sufficient evidence in order to prosecute the associated criminals (Zainudin, Merabti & Jones, 2008). It should be able to determine what, when, and how the crime was committed while also trying to find out who is responsible for the act. However, the main challenge of engaging in digital forensic investigation is knowing whether the evidence analysis and reporting incorporated would ensure the consistency and reliability of digital evidence, allowing effective prosecution of criminals in a court of law.
There are a number of sources that can be useful in digital forensic investigation. However, the use of these sources poses a number of challenges arising from network intrusion, malware installation, and insider file deletion.
Chapter 2: Data Used for Digital Forensic Investigation
Data are basically distinct pieces of information that have been formatted in digital form (Kent, Chevalier & Dang, 2006). The increased use of computers for professional or personal purposes, coupled with the pervasiveness of networking, has created the need for tools that can record and analyze the massive amount of data from different sources. According to these three scholars, data in digitized format can be stored or transferred through standardized computer systems, networking equipment, computing peripherals, or personal digital assistants, which include removable hard disk drives and flash memory, among others.
The increased availability of such electronic devices to consumers, including cell phones, digital video recorders, and digital audio players, has helped in storing large volumes of data (Kent, Chevalier & Dang, 2006). The availability of a variety of data sources has called for the development of refined forensic tools and techniques that can secure and ensure the integrity of digital evidence presented in a court of law. It is by forming effective forensic tools and techniques that the basic phases of digital forensic investigation would be followed, thereby helping to resolve related computer or cyberspace crimes.
It is noted that there is a need to establish the authenticity and reliability of sources of data in digital forensic investigation (Kent, Chevalier & Dang, 2006). According to the three, the sources of data used for forensic investigation can only be regarded as valid and reliable if the basic phases of the investigation process are adhered to. Collecting data from a given source is the first phase of establishing the relevance of a source of data. The three scholars pointed out that collection, as a process in digital forensics, helps in identifying, labeling, and recording the acquired data as they are retrieved or obtained from the source. Therefore, by following the required and stipulated guidelines and procedures in obtaining digital evidence while also avoiding the loss of dynamic data, one would not only ensure that data is of high integrity but would also establish the relevance of the source of data.
The second way of determining the reliability of a source of data is through the examination of data collected in digital forensic investigation. Examination can be referred to as a basic forensic process that uses both automated and manual methods in processing the massive data collected (Kent, Chevalier & Dang, 2006). While examination helps in assessing and extracting relevant data of interest from a given source, it should be noted that any failure to observe the stipulated standards and procedures would not preserve the integrity of the digital evidence, nor of the source.
Analyzing the examined digital evidence and reporting on the analysis are also essential phases of validating the relevance of sources of data for the digital forensic investigation process. Analysis and reporting deal with the proper use of justifiable legal methods and techniques, including describing the procedures, tools, and guidelines that were used during the digital forensic process (Kent, Chevalier & Dang, 2006). These phases, taken together, form the basis on which sources of data for digital forensic investigation can be regarded as admissible, reliable, and valid in the prosecution of criminals.
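The collection and examination phases described above depend on recording an item's identity at acquisition and re-verifying it before it is processed. The following is an added illustration of that check, not code from Kent, Chevalier & Dang; the custody-log fields, the examiner id and the sample evidence file are all constructed for the example.

```python
"""Evidence integrity across the collection and examination phases.
Added illustration; log format, item ids and sample data are constructed."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large evidence images never load whole into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def collect(source: Path, examiner: str, custody_log: list) -> dict:
    """Collection phase: identify, label and record the item as it is acquired.

    The hash recorded here is the reference every later phase is checked against.
    """
    entry = {
        "item_id": f"ITEM-{len(custody_log) + 1:03d}",  # constructed labelling scheme
        "source": str(source),
        "sha256": sha256_file(source),
        "collected_by": examiner,
        "collected_at": datetime.now(timezone.utc).isoformat(),
    }
    custody_log.append(entry)
    return entry


def verify_before_examination(entry: dict) -> bool:
    """Examination phase: re-hash the item and compare with the acquisition hash.

    A mismatch means the item changed after collection and must not be examined
    as if it were the original.
    """
    return sha256_file(Path(entry["source"])) == entry["sha256"]


def demo(tamper: bool) -> bool:
    """Acquire a constructed evidence file, optionally alter it, then verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp) / "phone_export.bin"
        evidence.write_bytes(b"constructed sample evidence: sms export")  # constructed
        custody_log: list = []
        entry = collect(evidence, "examiner-01", custody_log)  # constructed examiner id
        if tamper:
            # Simulates the item being altered between collection and examination.
            evidence.write_bytes(b"constructed sample evidence: sms export (edited)")
        ok = verify_before_examination(entry)
        # Reporting phase: the custody log and the verification result travel together.
        print(json.dumps({"custody_log": custody_log, "integrity_ok": ok}, indent=2))
        return ok


if __name__ == "__main__":
    demo(tamper=False)
    demo(tamper=True)
```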
Mobile devices are essential sources of data for digital evidence that can be used in digital forensic investigation. Digital evidence is digital data that supports or refutes a hypothesis about a digitally conducted event or about the state of digital data (Ademu, Chris & Preston, 2011). These three scholars noted that any source of digital evidence that acknowledges its own fragility while providing a significant link between the cause of the committed crime and the associated victim is rendered admissible. Due to the investigative value of digital evidence, any source of data that offers hidden evidence in the same manner as fingerprint or Deoxyribonucleic Acid (DNA) evidence is substantial for digital forensic investigation.
Equally, mobile devices, which include cell phones and smartphones, have become an integral part of people’s daily activities and lives (Casey & Benjamin, 2011). Such devices have become personal computing devices on which people store personal information such as text messages, digital photographs, call history, and credit card numbers. However, the way in which mobile devices have enabled easy exchange and storage of data and information has given room to criminal activities by becoming the medium through which crime is committed.
Mobile devices have made communication, the exchange of digital photographs, connecting to social networks, and recording and consuming both video and audio media much easier (Casey & Benjamin, 2011). This higher data transmission rate, combined with comparable computing power, has created advanced opportunities for criminals and for digital forensic investigators alike. The information stored on and related to a given mobile device can be used to address pertinent questions in digital forensic investigation. That is, by analyzing call history, digital forensic investigators are able to reveal the individuals contacted, the content of their communication, and the places where the conversing individuals associated with the crime were.
For instance, sexual offenders who make initial contact with victims and exchange photographs or videos through social networking sites can leave a vivid cyber trail for any digital forensic investigation. Casey & Benjamin added that retrieving or monitoring data from mobile devices has been instrumental in solving homicide cases where terrorists use such devices for coordination and reconnaissance (Casey & Benjamin, 2011). Additionally, the rapid growth in the computational power of mobile devices has improved the ability to acquire data, whether through credit card scanning or even scientific measurements. In the process, mobile devices have been used to steal credit card details or even to trigger bombs, raising the question of whether mobile devices can serve as useful sources of digital evidence for digital forensic investigation.
Usefulness of Mobile Device as a Source of Data for Digital Forensic Investigation
Mobile devices present different types of digital evidence, which vary significantly depending on the criminal offense being investigated. The devices have a number of locations from which relevant data of interest can be obtained (Casey & Benjamin, 2011). These include “the embedded phone memory, attached removable memory, and Subscriber Identity Module (SIM) card,” (p.6). It is significant to point out that not all of these components may be available during mobile device forensics, and the phone information and capabilities present tend to vary from one device to another.
While phone applications vary significantly, each device is expected to contain a minimum set of applications such as an address book, call register, and short message service. Casey & Benjamin noted that text messages provide an accurate, full transcript as digital evidence, since their timestamps are inserted by the network service provider's systems rather than by the mobile device itself (Casey & Benjamin, 2011).
Additionally, mobile devices can hold photographs, audio, and video that may constitute compelling digital evidence in the prosecution of the associated criminals. This was evident in the case of a 15-year-old girl in the UK who was prosecuted and found guilty of aiding and abetting manslaughter based on her recording of the fatal beating of a man (Casey & Benjamin, 2011). The accidental voicemail recorded the sounds of the traumatized victim as he was being physically assaulted. This shows how effectively mobile devices can be used to present digital evidence, leading to the successful prosecution and conviction of offenders in court. However, there are many challenges in collecting and examining digital evidence from mobile devices.
Challenges Regarding Collecting and Examining Data from Mobile Devices
Casey & Benjamin admitted that the continual development of new models of mobile devices has presented many challenges to digital forensic investigators (Casey & Benjamin, 2011). This is because the growing variety of mobile devices has made it difficult to develop a single collection and examination process that can effectively address the associated eventualities. Most mobile devices are network based, allowing an individual to send or receive data through the telecommunication system, Bluetooth piconets, or Wi-Fi access points. As a result, digital evidence may be completely lost when the device is destroyed by a remote wipe command received over a wireless network.
Additionally, extracting data from a mobile device requires interaction with the device (Casey & Benjamin, 2011). This may alter the state of the system, which in turn can destroy or alter the content of existing evidence. While this presents a data recovery and analysis challenge, mobile devices are valuable because they may still contain deleted information that an individual believed had been rendered unrecoverable. The two scholars pointed out that mobile devices incorporate flash memory chips, which store data that can only be erased block by block. This assists digital forensic investigators in accessing and examining deleted data that is essential for case prosecution.
Even with such advancements, there are still enormous challenges associated with collecting and examining data obtained from mobile devices. For example, while text messages are essential for forensic investigation, there is no accurate record showing when they were first read, and the record may also be incomplete in case messages were erased on the device (Casey & Benjamin, 2011).
Additionally, the installation of malware on a device makes it difficult for the investigator to collect and examine the data obtained from mobile devices. According to Casey & Benjamin, “malware installation enables criminal to intercept SMS messages from online banking transaction thereby allowing them to steal money directly from victim’s bank account,” (Casey & Benjamin, 2011, p.12). But where monitoring programs such as Mobilespy have been installed on mobile devices, forensic investigators are able to examine the traces left by the spy program. Additionally, the porting of network security tools such as Metasploit, port scanners, and wireless network security analyzers to Apple iPhone and Android devices has made it possible to collect and examine data related to terrorist activities (Casey & Benjamin, 2011).
Moreover, Casey & Benjamin pointed out that the basic forensic principles should be applied to mobile devices as rigorously as to other computing devices in order to authenticate the digital evidence acquired (Casey & Benjamin, 2011). This should include all aspects of collecting, recording, and examining data in support of the transparency and credibility of the process. It is also true that some mobile devices receive data via wireless networks, which might overwrite existing data, thereby rendering the acquired digital evidence unreliable and insufficient.
It is noted that computer devices offer the current state of digital artifacts, which can identify direct digital evidence essential for digital forensic investigation (Alharbi, Jahnke & Traore, 2011). These may include the computer system, storage media, and electronic documents such as spreadsheets that can be used in the prosecution of the related offender. Additionally, the increased frequency of computer crime has led to the development of proactive forensic techniques and tools that digitally investigate an event as it occurs. This is to counter anti-forensic methods such as data overwriting and data hiding, which prevent forensic investigators from achieving their intended goals.
Agarwal, Gupta & Chandra pointed out that computer fraud and digital crime are on the rise day by day, calling for the development of a proper methodology that is able to search digital devices for significant digital evidence (Agarwal, Gupta & Chandra, 2011). Digital evidence requires an effective legal setting that renders the collected and examined evidence authentic, uncontaminated, and reliable enough to be presented in a court of law.
Computers as Sources of Data for Digital Forensic Investigation
As pointed out by Schwartz, newly developed digital forensic techniques have enabled investigators to collect and examine information from computers in order to resolve the problem of malicious insiders (Schwartz, 2011). These have been used by both private and corporate investigators to obtain admissible, precise, authentic, and accurate digital evidence. In most forensic investigative processes, it is difficult to collect and examine evidence of the crime committed if it is linked to individuals who are authorized to handle and use the computers in question.
Almost 90 percent of files on computers are not used annually due to insider file deletion practices (Schwartz, 2011). While he associated the majority of these insider attacks with young men, initiating and examining a suspected inside attacker’s behavior can serve as an effective forensic investigation in providing digital evidence. This can enable investigators to display the escalating pattern of rule-breaking behavior, thereby gaining enough evidence for prosecution.
Research has shown that watching the suspicious behavior of an insider attacker cannot prevent further insider file deletion or provide sufficient evidence for prosecution (Schwartz, 2011). He noted that deploying a stochastic forensic technique would make it possible to reconstruct unusual access patterns for the files under investigation. This technique reveals a notable pattern for files that had been copied en masse and thereafter deleted, allowing them to be reconstructed. Unlike with mobile devices, using stochastic techniques yields the subdirectories and the date-time stamps at which certain deleted files were accessed. As Schwartz (2011) noted, “it does not matter whether the data was loaded onto a USB key or copied from internet, what is needed is the source of data,” (p.1).
But similar to mobile device forensics, computers also pose potential challenges in collecting and examining the acquired data. Even though data recovered from logs such as internet history and from actual files on the hard disks of computers are important for digital forensic investigation, a problem occurs where the installed operating system does not log access times. Such logs would assist investigators in examining when a file was deleted and by whom; their absence undermines the authenticity of the digital evidence presented in a court of law. Therefore, as Schwartz noted, creating automated forensic tools that spot unfolding insider theft in time and monitoring unusual file-access patterns would result in precise digital evidence for prosecution (Schwartz, 2011).
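The copy-en-masse-then-delete pattern that the stochastic approach described above looks for can be spotted from file-system metadata alone: ordinary use touches a few files in a directory over a long period, while bulk copying touches many files within seconds. The following is an added illustration written for this page, not Schwartz's tool; the directories, paths and timestamps in RECORDS are constructed, and the thresholds (a 30-second window, at least five files) are assumptions chosen for the sample.

```python
"""Detecting bulk file access followed by deletion from (path, access time,
deletion time) metadata.  Added illustration; all records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Constructed metadata records: (path, last access time, deletion time or None).
RECORDS = [
    # Normal use: a few files touched over several days, none deleted.
    ("/home/alice/docs/notes.txt",          "2011-06-01T09:12:00", None),
    ("/home/alice/docs/budget.xlsx",        "2011-06-02T14:03:10", None),
    ("/home/alice/docs/letter.docx",        "2011-06-05T11:40:33", None),
    # Scheduled backup: many files read within seconds, but nothing deleted.
    ("/srv/finance/reports/r1.pdf",         "2011-06-03T01:00:01", None),
    ("/srv/finance/reports/r2.pdf",         "2011-06-03T01:00:02", None),
    ("/srv/finance/reports/r3.pdf",         "2011-06-03T01:00:02", None),
    ("/srv/finance/reports/r4.pdf",         "2011-06-03T01:00:03", None),
    ("/srv/finance/reports/r5.pdf",         "2011-06-03T01:00:04", None),
    # Suspicious: six contracts read within six seconds late at night, deleted soon after.
    ("/srv/finance/contracts/c1.docx",      "2011-06-03T22:14:01", "2011-06-03T22:20:00"),
    ("/srv/finance/contracts/c2.docx",      "2011-06-03T22:14:02", "2011-06-03T22:20:00"),
    ("/srv/finance/contracts/c3.docx",      "2011-06-03T22:14:03", "2011-06-03T22:20:01"),
    ("/srv/finance/contracts/c4.docx",      "2011-06-03T22:14:04", "2011-06-03T22:20:01"),
    ("/srv/finance/contracts/c5.docx",      "2011-06-03T22:14:05", "2011-06-03T22:20:02"),
    ("/srv/finance/contracts/c6.docx",      "2011-06-03T22:14:06", "2011-06-03T22:20:02"),
]


def parse(record):
    """Turn one constructed record into (PurePosixPath, datetime, datetime | None)."""
    path, atime, dtime = record
    return (PurePosixPath(path), datetime.fromisoformat(atime),
            datetime.fromisoformat(dtime) if dtime else None)


def access_bursts(records, window=timedelta(seconds=30), min_files=5):
    """Map directory -> files accessed inside a single `window`, for directories
    where that count reaches `min_files`.  Uses a sliding window over the sorted
    access times so the densest burst per directory is found."""
    by_dir = defaultdict(list)
    for path, atime, dtime in map(parse, records):
        by_dir[path.parent].append((path, atime, dtime))
    bursts = {}
    for directory, items in by_dir.items():
        items.sort(key=lambda item: item[1])
        best, start = [], 0
        for end in range(len(items)):
            while items[end][1] - items[start][1] > window:
                start += 1
            if end - start + 1 > len(best):
                best = items[start:end + 1]
        if len(best) >= min_files:
            bursts[str(directory)] = best
    return bursts


def copy_then_delete(records, window=timedelta(seconds=30), min_files=5):
    """Keep only bursts whose files were deleted after the bulk access, and return
    the subdirectory plus the timestamps an investigator needs for a timeline."""
    findings = []
    for directory, items in access_bursts(records, window, min_files).items():
        deleted = [item for item in items if item[2] is not None and item[2] > item[1]]
        if deleted:  # a backup job reads many files too, but does not delete them
            findings.append({
                "directory": directory,
                "files_accessed": len(items),
                "files_deleted": len(deleted),
                "burst_start": items[0][1].isoformat(),
                "burst_end": items[-1][1].isoformat(),
            })
    return findings


if __name__ == "__main__":
    for finding in copy_then_delete(RECORDS):
        print(finding)
```

The backup directory shows up as a burst but is filtered out because nothing was deleted afterwards, which is the distinction that separates routine bulk reads from the insider pattern.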
Social Network as Source of Data for Digital Forensic Investigation
According to Mulazzani, Huber & Weppl, the increased usage of social networks and sites such as Facebook, Twitter, and MySpace, while creating challenges for digital forensics, continues to be a primary source of data used in court for prosecution (Mulazzani, Huber & Weppl, 2011). Even though traditional forensics relies on physical acquisition of hardware to ensure the reliability of evidence, such approaches do not apply to the cloud services on which social networking is built.
Similar to mobile device forensics, obtaining data from a social network requires obtaining data directly from the service operator through a submitted request and the operator's cooperation. In the process of acquiring data, Mulazzani, Huber & Weppl pointed out that the investigators involved may not receive all the required data due to the restrictive guidelines published by service providers (Mulazzani, Huber & Weppl, 2011). This not only bars the collection of important digital evidence but further hinders the examination of the acquired data.
However, Mulazzani, Huber & Weppl noted that social networks have a social footprint that provides the social graph of the user, his or her communication patterns, and the uploaded and tagged pictures and videos, which are essential for forensic investigation (Mulazzani, Huber & Weppl, 2011). Unlike with computers, this significant information cannot be obtained from the hard drive of the suspected offender since it is stored solely with the social network operator.
While most of the data stored in a social network can be extracted directly through the collaboration of the social network operator, some criminals and investigators engage in network intrusion. This allows them to extract a limited amount of data, which they use for criminal activities and for the investigation process respectively. Unlike other sources of data, Mulazzani, Huber & Weppl noted that network data is usually volatile and rarely logged, which leaves room for network intrusion by internet hackers (Mulazzani, Huber & Weppl, 2011). It is only through monitoring network traffic from different network access points that investigators are able to identify the passwords that would allow them to collect relevant evidence.
On the other hand, geo-tagging is essential in forensic examination as it visualizes the location of a given suspect (Mulazzani, Huber & Weppl, 2011). However, the existing forensic tools are not able to extract geodata as it was originally tagged. These three scholars noted that smartphones automatically geotag pictures with the location at which they were taken. This metadata is usually transformed by most social networks when the picture is stored. Therefore, investigators who gain access to such a picture may not be able to effectively present in court the time, location, and content of the digital evidence they acquired.
Database as a Source of Data for Digital Forensic Investigation
Databases allow one to store numerous redundant copies of important data items through indexes, logs, and material review, which can be used as evidence in court for prosecution (Stahlberg, Miklau & Levine, 2007). Usually, the owner of the data has little control over some of the system operations that can allow future access to deleted or destroyed data in the database. This uncertainty about whether data has actually been destroyed after deletion, or how long it persists, makes databases a significant source of data for criminals as well as investigators.
As pointed out by a number of scholars, the existence of remnants of past data and activities is essential for forensic examination (Stahlberg, Miklau & Levine, 2007). Given the primary goal of conducting forensic analysis, they noted that accurately validating hypotheses about past activities against data collected and analyzed from the database results in a valuable presentation of digital evidence in a court of law. Database systems should support accountability by retaining historically recorded data or operations. Where privacy is to be observed, database systems should not retain unwanted historical data.
Additionally, using database contents, log files, and even in-RAM data to build a timeline and recover relevant information can prove difficult, especially where data is stored in storage layers that are not controlled by the database. It is also noted that any individual who can access the lower storage layers in the system is able to read data that was unintentionally retained (Stahlberg, Miklau & Levine, 2007). The ability of database systems to make numerous redundant copies of data available and persistent in the file system not only threatens privacy but also presents a false view of the stored data. This makes it impossible to use the recovered data as digital evidence in court proceedings for the effective prosecution of the associated criminal.
Conversely, the LogMiner utility provided with Oracle Database allows corrupted data to be recovered and past operations to be monitored. Wright (2006) noted that LogMiner allows the recorded transactions in a database to be redone in case the database is corrupted. However, it is this redoing of collected data that may alter the original content of the required evidence, thereby limiting the credibility and authenticity of the digital evidence in a court of law.
In conclusion, the identification of primary sources of data is essential in digital forensic investigation. This write-up has illustrated mobile devices, computers, social networks, and system databases as important sources of data in forensic investigation; that is, they can help ensure the effective prosecution of associated criminals. These sources of data have been noted as presenting varying challenges in collecting and examining data for forensic investigation. For instance, mobile devices and social networks have platform and operational restrictions that do not allow full disclosure and retrieval of data that can be used in court. On the other hand, computers and database systems have been highlighted as yielding recovered data items that are not helpful for forensic analysis. Therefore, it is imperative for forensic investigators to deploy effective forensic tools and techniques that can be applied to these sources without affecting the authenticity, credibility, and reliability of digital evidence.