The Evolution of Digital Forensics
By Dr. Christine Izuakor - March 03, 2020
Like a trail of evidence criminals may leave behind after committing a crime; almost every digital activity leaves virtual fingerprints. Even when culprits attempt to delete evidence and cover their tracks, with the right methods, evidence, can be recovered. Over the last few decades, these types of digital investigations and forensics methods have become critical to solving not only some of the most complex criminal cases but also everyday workplace investigation cases involving employee data theft and other insider threats.
What is Digital Forensics?
Digital forensics is the practice of leveraging computer science to investigate, gather, analyze, and ultimately present evidence to courts intact and uncorrupted. The base word "forensics" is a Latin term meaning "to bring to court," which highlights the typical intent of the entire process. Though not all investigations lead to formal court, especially in workplace investigations, the evidence gathered is used to make judgments and conclusions regarding user activities and events. The United States Computer Emergency Readiness Team (US-CERT) formally defines computer forensics as: "the discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law." Tom Loper from Bay Path University, says, "information assurance is like the police, and digital forensics is like the detectives." To sum it up, digital forensics is a methodology for collecting computer-related evidence for use in both internal and external investigations, including court presentation.
What Digital Forensics is not
Digital forensics investigators and analysts are not smoking guns allowed to look wherever or collect evidence freely from a target. Like physical investigators leveraging a warrant to collect evidence on a particular case, digital forensics professionals may only investigate assets that they've been warranted to assess. The warranted investigation will have a scope limited to finding the piece of evidence required for court or as specified by the company. Therefore, if a digital forensics investigator shows up to a scene with a warrant to look for evidence of an employee illegally gambling using company resources, they may do so. If that same investigator comes across evidence of theft or money laundering, they must go back and request another warrant or permission; one for laundering and one for proof of theft. Failure to procure proper rights either from a company stakeholder or law enforcement can render digital evidence invalid or inadmissible in court.
The Standard Digital Forensics Process
There are four basic steps in the digital forensics process:
- Identifying – This is the practice of finding and collecting the suspected original source or asset believed to contain evidence. (Example: The investigator has pinpointed a suspicious IP address belonging to the laptop in Ohio. The digital forensics investigator may have a co-worker send them the suspected laptop for analysis.)
- Preserving – This is the practice of ensuring the integrity of the collected evidence and preserving a "digital trail" of the data or media. (Example: It's essential to monitor how the computer and any copies of data have been handled since being taken from the employee, along with who had access.)
- Analyzing – This is the investigative portion of the process where a forensics practitioner begins looking into the acquired asset or medias data to find evidence of the suspected crime. (Example: The investigator may look through documents, email and chat conversations, browser website history, hard drives, and other user activities.)
- Reporting – This is the process of creating a report of findings from the investigation for presentation to stakeholders and, in some cases, an attorney or jury in court. Reporting must also be tailored to the audience. In a court case where the jury is not technically savvy, findings must be explained in ways that are easy to understand for everyone. Failure to do so might render even the most irrefutable evidence ineffective. (Example: A digital forensics investigator may debrief a company's technical leaders in detail and then give a high-level summary to the general manager.)
The Importance of Digital Forensics Evidence
How you collect, handle, and preserve evidence during a workplace investigation is very important, as it can make or break a case. Digital forensics is equivalent to assessing a crime scene or performing an autopsy. When, for example, an employee is suspected of theft or other offenses, oftentimes, the crimes may warrant legal action.
Here are some common types of evidence and how they will be perceived in court. One of the best reasons to employ certified forensic professionals and leverage state of the art technology is that navigating various types of evidence and steps needed to ensure admissibility can be complicated. A robust digital forensics program requires the ability to investigate and capture evidence, as well as navigate all of the legal, political, and technological guidelines associated. Preservation of evidence is also a meticulous process, and failure to leverage best practices may render findings useless in court.
Types of evidence:
- Real Evidence: Tangible and physical objects such as disk drives, tablets, and phones. Note that this usually does not include the data on the devices.
- Direct Evidence: Testimony from a first-hand witness who states what they experienced with their five senses.
- Circumstantial Evidence: Evidence to support circumstances for a point or other evidence.
- Collaborative Evidence: Evidence to support collective elements or facts of the case.
- Hearsay: Information that is not first-hand knowledge, normally inadmissible in a case.
Rules of Evidence:
- Best Evidence Rule – The courts prefer the best evidence possible. Evidence should be accurate, complete, relevant, authentic, and convincing.
- Secondary Evidence – This is common in cases involving Information Technology. Logs and documents from the systems are considered secondary evidence.
- Evidence Integrity – It is vital that the evidence's integrity cannot be questioned. This is often done by creating hashes on copied evidence. Note that forensic analysis is done on copies, and never the originals. Investigators can then compare hashes on both original and copy before and after the forensics to ensure nothing has changed.
- Chain of Custody – This process ensures the integrity of the evidence by tracking how it's been managed. Common elements of concern when it comes to evidence are:
- Who handled it?
- When did they handle it?
- What did they do with it?
- Where did they handle it?
Evolution of evidence
Initially, computer-generated records such as log files were considered hearsay, therefore, inadmissible in court. Case law and updates to the Federal Rules of Evidence have changed that. Rule 803 provides for the admissibility of a record or report that was "made at or near the time by, or from information transmitted by, a person with knowledge, if kept in the course of a regularly conducted business activity, and if it was the regular practice of that business activity to make the memorandum, report, record or data compilation." This changed the game regarding the critical role that digital evidence can play in investigations and convictions. It essentially means that activity logs recorded as a part of standard business operations are now admissible. This bolstered the need for employers to have forensic investigation software to monitor user activity, collect activity logs, and securely manage them in case there is ever a need to leverage the data in a legal capacity.
Why digital forensics?
Security breaches have increased by 11% since 2018, and 67% since 2014, according to Accenture. (stand out)
Digital forensics programs enable entities to investigate these breaches, which involve a variety of issues such as intellectual property theft, phishing attacks, data destruction, financial fraud, and more.
Some advanced and specialized programs can also support the recovery of encrypted data, which can be beneficial following a ransomware attack. Ransomware attacks, a significant threat to companies today, hold data hostage in exchange for a demanded payment or "ransom."
Security breaches have increased by 11% since 2018, and 67% since 2014, according to Accenture. (format to stand out)
What are the current challenges in Digital Forensics?
Evidence can be hard to collect and preserve: Digital evidence by default can be fragile, volatile, large in volume, and contain very sensitive content. Data can be quickly destroyed by power surges, natural disasters, human error, intentional tampering, extreme hot or cold temperature conditions, or electromagnetic fields. Protecting evidence from all of these variables can pose a challenge. Furthermore, privacy preservation is another aspect that can confound an investigation. For example, trying to re-enact location and address to prove accountability may not be possible if certain privacy protections are in place in the geographic location.
Cloud environments make evidence collection harder: The cloud poses another risk and challenge both in accuracy and complexity. As data travels throughout the world and is stored in other time zones or virtual environments instead of on physical machines, getting times correct is a challenge. A synced timeline can be another critical element that makes or breaks evidence collection. Lastly, due to the dynamic nature of cloud environments retrieving evidence may be impossible when, for example, an entire Amazon Web Services virtual server can be deleted almost instantly with the push of a button.
Expertise is limited: Hiring cybersecurity talent and can be a challenge. The niche world of digital forensics proves to be an even greater issue. It's important to have qualified investigators on board; however, staffing a digital forensics team is not always an option for smaller businesses.
Criminals use forensics countermeasures: Forensic countermeasures, or anti-forensics, are tactics that criminals and cyber attackers use to escape detection and cover their tracks. This is often common in insider threat situations where employees have greater insight into internal processes and security controls. In a workplace setting, this may take the form of an employee shattering a hard drive, removing digital evidence from the premises, or using anonymity software to mask browser activity. Unlike physical evidence, digital evidence is easy to hide, destroy, modify, sell, and transport without leaving clues as to who the attacker was in the first place. Anti-forensics, therefore, poses a significant challenge to workplace investigations. This is another reason why having certified forensics experts and proper digital forensics software is vital.
According to experts, common anti-forensic methods can include encryption, steganography, covert channels, hiding data in storage space, residual data wiping, tail obfuscation, attacking monitoring or investigation technology, or even resorting to attacking the investigator.
Approaches to digital forensics for businesses and the "on-demand" trend
Outsourced:There are a variety of external vendors offering digital forensics services on-demand. Instead of hiring an in-house team, you'd rely on expert forensic teams when you need them. These providers often have varying levels of expertise and should be thoroughly vetted. In addition, there are typically two pricing models to choose from when securing digital forensic services: "time & materials" or "flat fee pricing." While time and materials usually offer lower initial pricing, flat-fee pricing allows a predictable cost without the by-the-hour rush of work.
In-house: If the entities' cybersecurity posture is mature enough, investing in a small team or even just one certified digital forensics expert can go a long way. There are various benefits to bringing forensics in-house, including agility, ease of contact, familiarity with business infrastructure, predictable cost, ability to get "court ready" without having to sign a new contract or non-disclosure agreement for each investigation, and so on. You can also utilize your forensics team to aid your other information security groups on investigations and help consult proactively by providing best practices against common cyber-attacks.;
There is a wide range of physical and digital technology that can support workplace investigations. The appropriate method depends on the case. One concern has been that without robust training and experience, some digital forensics tools cannot be utilized appropriately by non-experts. It is becoming increasingly popular to find tailored solutions that monitor internal suspicious activity and provide user-friendly "on-demand" digital forensics services such as automated data collection, data preservation, analysis, and reporting. Next-generation forensic investigation software, for example, can comb through user activity information, discover relevant information, create secure logs evidence, and deliver reports to support workplace investigations. The most valuable solutions can enable key insights such as video playback of activities, website activity, email recording, chat and IM, file and document tracking, application and network activity, or keystroke logging. Whether it's leveraged to investigate a workplace policy violation such as gambling or intellectual property theft, or it's used to monitor time stolen through lost productivity, insider threat detection, and other monitoring tools are helping make setting up workplace investigation programs easier for businesses.
Digital forensics methods and investigation software are critical elements of cybersecurity programs. Most incidents, whether they are designated as breaches or not, require some level of investigation. In many cases, these investigations may warrant the need to present valid evidence in court. Doing so requires that entities can securely collect, preserve, analyze, and report on findings. Through outsourced or in-house cybersecurity expertise and critical technical capabilities such as insider threat detection technology, businesses can proactively prepare to take on seemingly unavoidable investigations. Learn more about how Veriato Investigator can help with your digital forensics needs here.