Fri May 12

Digital Forensics 101: Understanding the Basics of Investigating Cyber Crimes

As more and more devices connect to the internet, system breaches have become one of the most common problems faced not only by large organizations but also by small and home businesses. Security is therefore a primary concern, and protecting your data against adversaries is essential. At a much larger scale, such as a country, the situation is no different. To respond to such incidents, both corporations and countries take action through a discipline known as digital forensics.

Digital Forensics: The Evidence Collection

Digital forensics is the branch of forensic science concerned with the collection and preservation of digital evidence related to a security event. It involves recovering and analyzing data from computers, servers, smartphones and any other digital devices.

The collected digital evidence relates to some form of criminal activity, such as hacking or fraud. The collected material can include archival media such as email, social media posts, photos, videos, or any other type of digital file. It can also consist of volatile data such as temporary files, registers, and cache.

Evidence collection should begin with the most volatile data and progress to the less volatile. Volatile data is likely to change or disappear far more quickly than less volatile data, so preserving it first is critical.

If done the other way around, the collection process itself may disturb or destroy the more volatile evidence, compromising the integrity of the investigation. The order from most to least volatile is shown in the table below.

Order from most to least volatile:

1. CPU registers, CPU cache
2. Routing table, ARP cache, process table, kernel statistics, memory
3. Disk
4. Remote logging and monitoring data
5. Physical configuration, network topology
6. Archival media

It is important to be as thorough as possible during evidence collection. We therefore want to collect everything, following the sequence discussed above, which is known as the order of volatility.

CPU (Central Processing Unit)

CPU registers are small, high-speed storage locations within the processor. The CPU cache, also part of the CPU, is a small amount of high-speed memory used to temporarily hold instructions and data that the CPU is likely to reuse. Both are volatile, meaning their contents are erased once the computer is switched off.

RAM (Random Access Memory)

The routing table, ARP cache, process table, kernel statistics and memory contents are all types of volatile data stored in the system's memory. The operating system uses them to manage network connections, processes, and other system resources. Although memory is volatile, its contents can be preserved for a short time by powering the system from an uninterruptible power supply (UPS). Once the power is off, everything in RAM is gone.

Hard Disk

Data stored on a disk is non-volatile, meaning it is not lost when the system is shut down or rebooted. However, it can still be lost or altered through physical damage, data corruption, or intentional deletion. A hard disk also holds swap space, an area used as a temporary location for information when RAM is fully utilized. This is also called virtual memory because it behaves like RAM. During an investigation it is critical to prioritize swap even though it resides on a non-volatile medium.

Other data, such as logs, physical configuration, and network topology, is more likely to be non-volatile depending on the configuration. Files and archival media are non-volatile and can therefore be given the lowest priority.

Tools needed

To ensure proper evidence collection and forensics, it is recommended to keep the necessary programs on read-only media, such as a CD. This toolkit should be prepared in advance for each operating system you manage, so that an incident does not cause delay or inconvenience.

The toolkit should include programs such as ps for examining processes; showrev, ifconfig, netstat and arp for examining system state; dd and SafeBack for making bit-for-bit copies; and sha1sum, dd (with checksumming enabled), SafeBack and pgp for generating checksums and signatures. Additionally, gcore and gdb can be used for generating and examining core images.

It is crucial that all programs in the toolkit are statically linked and do not require any libraries other than those on the read-only media. Keep in mind, however, that modern rootkits can be installed as loadable kernel modules, which the toolkit may not be able to identify.

Finally, you must be able to testify to the authenticity and reliability of the tools used during evidence collection and forensics.
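Putting the order of volatility and the toolkit together: the script below is an added example, not part of the original post, that captures memory-resident state (process table, network state, kernel statistics) before disk-related information and appends a sha1sum of every artifact to a manifest so that the collection can be re-verified later. It assumes a POSIX shell and that ps, netstat, arp, free, df and sha1sum are available (ideally the statically linked copies from the read-only toolkit media); the artifact names and case-directory layout are my own choices.

```shell
#!/bin/sh
# Added example: collect volatile evidence in order of volatility and
# record a SHA-1 manifest. Assumes POSIX sh and the tools named below
# (preferably the statically linked copies from the read-only media).

# Run one command, save its output under the case directory and append the
# artifact's sha1sum to the manifest.  $1 = case dir, $2 = artifact name,
# remaining arguments = the command to run.
capture() {
    casedir=$1; name=$2; shift 2
    out="$casedir/$name.txt"
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$out" 2>&1 || true     # a failing tool must not stop collection
    else
        printf 'tool not available: %s\n' "$1" > "$out"
    fi
    # Manifest entries use paths relative to the case dir so it verifies anywhere.
    ( cd "$casedir" && sha1sum "$name.txt" ) >> "$casedir/MANIFEST.sha1"
}

# Memory-resident state first (process table, network state, kernel
# statistics), disk-related information last, per the order of volatility.
collect_volatile() {
    casedir=$1
    mkdir -p "$casedir"
    date -u '+%Y-%m-%dT%H:%M:%SZ' > "$casedir/00_collection_start.txt"
    ( cd "$casedir" && sha1sum 00_collection_start.txt ) >> "$casedir/MANIFEST.sha1"
    capture "$casedir" 01_process_table        ps -ef
    capture "$casedir" 02_network_connections  netstat -an
    capture "$casedir" 03_arp_cache            arp -an
    capture "$casedir" 04_routing_table        netstat -rn
    capture "$casedir" 05_memory_statistics    free -b
    capture "$casedir" 06_disk_usage           df -k
}

# Re-check every artifact against the manifest (e.g. back in the lab);
# returns non-zero if any file was altered after collection.
verify_manifest() {
    ( cd "$1" && sha1sum -c MANIFEST.sha1 >/dev/null 2>&1 )
}
```

Run `collect_volatile /media/case001` from the toolkit media at the scene, then `verify_manifest /media/case001` whenever the artifacts change hands.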

Actions to avoid

When collecting evidence of a security incident, always avoid actions that could destroy the evidence.

Avoid shutting down the system

Some evidence is volatile and will be lost once the system is shut down; for example, the contents of RAM are erased when the computer powers off. In addition, attackers commonly manipulate shutdown scripts and services so that shutting down destroys evidence.

Avoid trusting particular programs on the system

If you trust programs on the compromised system or let them run with high privilege, there is a chance that the attacker can use those programs to erase evidence.

Avoid running programs that modify the access time of all files

Commands such as ‘tar’ or ‘xcopy’ can do this and can hinder the evidence collection process.

Summary

Digital forensics is performed to investigate and uncover evidence related to crimes involving digital devices, such as computers and mobile phones. These crimes include cyber-attacks, intellectual property theft, online fraud, and other computer-based offenses.

Digital forensics helps to collect, preserve, analyze, and present digital evidence in a legally acceptable form, which can then be used to identify and prosecute offenders in a court of law. It also helps organizations and individuals take the measures needed to prevent similar incidents in the future.