09 June 2010

Digital Forensics – art of eJames Bonds

Most of us have come across USB failures and hard disks failures that leave us in a frustrated state. May be it is our precious office data or memorable pictures and videos that are physically still there but unable to be accessed for unknown reasons.

We hope that our precious data held as 0 and 1s can just be recovered somehow. Another similar situation is that systems recovered from cyber criminal may be damaged badly but even little data recovered from them can be helpful in pinning down the criminal with the act of crime.

Accidental or intentional file deletions also create the need for tools and systems to recover the deleted data. It may be necessary to audit employee’s activities with systems by capturing some deeper sets of data from logs and analyse them for traces of activities, time stamps and user identities.

In research scenarios reverse engineering of systems and their outputs help computer engineers understand how these systems works and what could or what did go wrong in the processing. Security experts often require technical peek-ins and tweaks to make decisions about the level of penetrations and the possibility of criminals having access to critical data.

In all the above situations, a specialised field termed ‘Digital Forensics’ rules the game. Technically digital forensic is a newly sprouted branch of ‘forensics’ aiming to demystify and produce legally valid evidential data.

Law enforcement official use several tools and techniques to produce enough evidences from electronic sources such as computer systems or digital storage media. They can also generate audit trails of electronic activities involved in cases like telephone call made within criminal networks, internet surfing or chat data concerning terror attacks, or online surveillance of suspected individuals.

The basic process of digital processes begins with getting hold of the computer system or digital media under concern. Then the original is preserved while mirror-replicate is created to examine the data it holds. This is mostly called imaging – an important process which retains the original artefact intact while its copy is examined. After initial examination comes thorough analysis of details all the while creating an investigation trail. Based on this examination and the results a thorough report is prepared.

Due to the sophisticated nature of digital forensics several tools are available to enable the investigations. For example: Forensic Tool Kit by Access data, EnCase by Guidance Software, ProDiscover, Scalpel, Sleuth Kit to name a few. But the highlight of this article is the Open Source SANS Investigative Forensic Toolkit (SIFT) which can be freely downloaded at http://computer-forensics2.sans.org/community/siftkit/

Some companies specialised in this field offer ‘Forensics in a Box’ solutions. Such solutions include setting up of an entire facility including the following:
  • Set-Up of hardware, software and other accessories
  • Implementation of hardware assembly, software installation and configuration
  • Development of policies and procedures and related knowledge transfer
  • Training in the use of hardware and software
  • Technical support and development of tools

Considering the proliferations cyber crimes and the importance of digital lifestyle prevailing, it is very important for law enforcement agencies to gain expertise in digital forensics. At commercial level, such setups could offer sophisticated data-recovery services.

2 comments:

Sangeetha Sridhar said...

Very well said...Tks for dropping a line Jose.

John said...

really nice blog and unique content.
- Offshore Software Development India