CLIFFORD UNIVERSITY

COURSE TERM PAPER


ON

DIGITAL FORENSICS IN THE FUTURE

COURSE CODE: CSC 426
COURSE TITLE: SPECIAL TOPICS IN COMPUTER SCIENCE
CHAPTER 1

1.0. INTRODUCTION
Digital Forensics (DF) has grown from a relatively obscure tradecraft to an important part of many investigations. DF tools are now used on a daily basis by examiners and analysts within local, state and Federal law enforcement; within the military and other US government organizations; and within the private “e-Discovery” industry. Developments in forensic research, tools, and process over the past decade have been very successful, and many in leadership positions now rely on these tools on a regular basis, frequently without realizing it. Moreover, there seems to be a widespread belief, buttressed by portrayals in the popular media, that advanced tools and skillful practitioners can extract actionable information from practically any device that a government, private agency or even a skillful individual might encounter. This paper argues that we have been in a “Golden Age of Digital Forensics,” and that the Golden Age is quickly coming to an end. Increasingly, organizations encounter data that cannot be analyzed with today’s tools because of format incompatibilities, encryption, or simply a lack of training. Even data that can be analyzed can wait weeks or months before review because of data management issues. Without a clear research agenda aimed at dramatically improving the efficiency of both our tools and our very research process, hard-won capabilities will be degraded and eventually lost in the coming years. This paper proposes a plan for achieving that dramatic improvement in research and operational efficiency through the adoption of systematic approaches for representing forensic data and performing forensic computation. It draws on more than 15 years’ personal experience in computer forensics, an extensive review of the DF research literature, and dozens of discussions with practitioners in government, industry, and the international forensics community.
1.1 DEFINITION OF TERMS


Digital: describes electronic technology that generates, stores, and processes data in terms of two states: positive and non-positive. Positive is expressed or represented by the number 1 and non-positive by the number 0. Broadcast and phone transmission has conventionally used analog technology.

1.0 Forensic: relating to or denoting the application of scientific methods and techniques to the investigation of crime.

2.0 Digital Forensic

Digital forensics (sometimes known as digital forensic science) is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. The term digital forensics was originally used as a synonym for computer forensics but has expanded to cover investigation of all devices capable of storing digital data. With roots in the personal computing revolution of the late 1970s and early 1980s, the discipline evolved in a haphazard manner during the 1990s, and it was not until the early 21st century that national policies emerged.

1.2 Brief History of Digital Forensics

Prior to the 1970s crimes involving computers were dealt with using existing laws. The first computer crimes were recognized in the 1978 Florida Computer Crimes Act, which included legislation against the unauthorized modification or deletion of data on a computer system. Over the next few years the range of computer crimes being committed increased, and laws were passed to deal with issues of copyright, privacy/harassment (e.g., cyber bullying, happy slapping, cyber stalking, and online predators) and child pornography. It was not until the 1980s that federal laws began to incorporate computer offenses. Canada was the first country to pass legislation in 1983. This was followed by the US Federal Computer Fraud and Abuse Act in 1986, Australian amendments to their crimes acts in 1989 and the British Computer Misuse Act in 1990.

1980s–1990s: Growth of the field


The growth in computer crime during the 1980s and 1990s caused law
enforcement agencies to begin establishing specialized groups,
usually at the national level, to handle the technical aspects of
investigations. For example, in 1984 the FBI launched a Computer
Analysis and Response Team and the following year a computer
crime department was set up within the British Metropolitan Police
fraud squad. As well as being law enforcement professionals, many of
the early members of these groups were also computer hobbyists and
became responsible for the field's initial research and direction.

One of the first practical (or at least publicized) examples of digital forensics was Cliff Stoll's pursuit of hacker Markus Hess in 1986. Stoll, whose investigation made use of computer and network forensic techniques, was not a specialized examiner. Many of the earliest forensic examinations followed the same profile.

Throughout the 1990s there was high demand for these new, and basic, investigative resources. The strain on central units led to the creation of regional, and even local, level groups to help handle the load. For example, the British National Hi-Tech Crime Unit was set up in 2001 to provide a national infrastructure for computer crime, with personnel located both centrally in London and with the various regional police forces (the unit was folded into the Serious Organized Crime Agency (SOCA) in 2006).

During this period the science of digital forensics grew from the ad hoc tools and techniques developed by these hobbyist practitioners. This is in contrast to other forensic disciplines, which developed from work by the scientific community. It was not until 1992 that the term "computer forensics" was used in academic literature (although prior to this it had been in informal use); a paper by Collier and Spaul attempted to justify this new discipline to the forensic science world. This swift development resulted in a lack of standardization and training. In his 1995 book, "High-Technology Crime: Investigating Cases Involving Computers", K. Rosenblatt wrote:

Seizing, preserving, and analyzing evidence stored on a computer is the greatest forensic challenge facing law enforcement in the 1990s. Although most forensic tests, such as fingerprinting and DNA testing, are performed by specially trained experts, the task of collecting and analyzing computer evidence is often assigned to patrol officers and detectives.

2000s: Developing standards


Since 2000, in response to the need for standardization, various bodies and agencies have published guidelines for digital forensics. The Scientific Working Group on Digital Evidence (SWGDE) produced a 2002 paper, "Best practices for Computer Forensics"; this was followed, in 2005, by the publication of an ISO standard (ISO 17025, General requirements for the competence of testing and calibration laboratories). A European-led international treaty, the Convention on Cybercrime, came into force in 2004 with the aim of reconciling national computer crime laws, investigative techniques and international co-operation. The treaty has been signed by 43 nations (including the US, Canada, Japan, South Africa, UK and other European nations) and ratified by 16.

The issue of training also received attention. Commercial companies (often forensic software developers) began to offer certification programs, and digital forensic analysis was included as a topic at the UK specialist investigator training facility, Centrex.

Since the late 1990s mobile devices have become more widely available, advancing beyond simple communication devices, and have been found to be rich sources of information, even for crime not traditionally associated with digital forensics. Despite this, digital analysis of phones has lagged behind traditional computer media, largely due to problems over the proprietary nature of devices. Focus has also shifted onto internet crime, particularly the risk of cyber warfare and cyberterrorism. A February 2010 report by the United States Joint Forces Command concluded:

Through cyberspace, enemies will target industry, academia, government, as well as the military in the air, land, maritime, and space domains. In much the same way that airpower transformed the battlefield of World War II, cyberspace has fractured the physical barriers that shield a nation from attacks on its commerce and communication.

1.3 Challenges in Digital Forensics in the Future

According to Fahdi, Clarke & Furnell (2013), the challenges of digital forensics can be categorized into three parts.

• Technical challenges – e.g. differing media formats, encryption, steganography, anti-forensics, live acquisition and analysis.
• Legal challenges – e.g. jurisdictional issues, privacy issues and a lack of standardized international legislation.
• Resource challenges – e.g. volume of data, time taken to acquire and analyze forensic media.

Technical Challenges

With the vast development of computer technologies within the last decade, usage of technology has been defined as both good and bad. While some people use technology to invent things to benefit mankind, criminals also use technology to achieve their own targets. One of the main problems is that as soon as a technology is developed to identify and investigate criminals, there is another technique that helps the criminals to hide themselves. This is a massive challenge forensics officers face today.
Unlike many other sources of physical evidence, digital evidence is easy to modify, remove or hide, possibly without leaving tracks that might identify the criminal. So anti-forensics has become a major challenge for digital forensics.

According to Rekhis & Boudriga (2010), anti-forensic techniques can be classified into the categories listed below.

• Encryption
• Steganography
• Covert Channel
• Data hiding in storage space
• Residual Data Wiping
• Tail Obfuscation
• Attacking the tools
• Attacking the investigators

Encryption

According to TechTerms (2014), encryption is the process of scrambling information so that it can only be decoded and read by someone who has the correct decoding key. Encryption is used to hide the evidence or make it unreadable on the compromised system.

Balogh & Pondelic (2011) stated that:

In 2007, an incident happened when the US Customs found child pornography on Canadian citizen and legal US resident Sebastian Boucher’s laptop. The laptop was seized as evidence and he was charged with transporting the pornography across borders. The problem appeared when examiners tried to open the incriminating drive Z and found out that it was a Pretty Good Privacy encrypted container. Although a forensic duplicate of the hard drive was created after shutdown of the notebook, the examiner could not open the encrypted container.

Attackers use many different encryption methods, and in order to make the data usable, investigators have to decrypt the encrypted data. It is time consuming, and sometimes the encrypted data cannot be decrypted.

Steganography

“Steganography is an encryption technique that can be used along with cryptography as an extra-secure method in which to protect data.” (Janssen, 2014). Steganography is a technique that is used to hide information inside a carrier file without modifying its outward appearance. Attackers use steganography to hide their hidden data (payloads) inside the compromised system. When investigating computer crimes, the investigator has to identify this hidden data in order to reveal the information for further reference.

Covert Channel

“Covert channel in communication protocols allows attackers to hide data over the network and possibly bypass intrusion detection techniques. Typically, a network protocol is chosen and its header is modified to leak messages between attackers, exploiting the fact that few fields of the header are modified during transmission.” (Rekhis & Boudriga, 2010).

Attackers use these covert channels in order to maintain a hidden connection between the attacker and the compromised system. It is less identifiable.

Data hiding in storage space

Attackers hide some data inside storage areas and make it invisible to the usual system commands and programs. This makes the investigation more complex and more time consuming, and sometimes data can be corrupted too. Rootkits are one of the most popular techniques used to hide data in storage space.
According to Microsoft (2014), malware designers use rootkits to hide malware inside victims’ PCs. It is very hard to identify rootkits, and most computer users do not know how to remove them. As mentioned by Kassner (2008), user mode rootkits are capable of hiding “processes, files, system drivers, network ports, and even system services”.

Residual Data Wiping

When the attacker uses a computer for his goal, a few hidden
processes (e.g. temporary files, history of commands) are running
without the knowledge of the attacker. But an intelligent attacker can
avoid this risk by wiping out the tracks that were made by his process
and making the system work as if it has not been used for such a
purpose. Lee’s 2013 article indicates that 20-year-old Jake Davis
“was convicted of computer hacking for his role in the notorious
group LulzSec”. Furthermore, Lee (2013) says that he was “forbidden
from creating encrypted files, securely wiping any data or deleting his
internet history”.

Tail Obfuscation – attacking the tools

According to Rekhis & Boudriga (2010), the most common technique is the obfuscation of the source of the attack. Here, the attacker uses some false information in order to mislead the investigator (e.g. false email headers, changing file extensions). Therefore, sometimes the investigator might miss some data that has forensic value.
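The tail-obfuscation passage above (changing file extensions to mislead the examiner) and the earlier encryption passage both come down to one triage question: does a file's content agree with what its name claims, and does unreadable content look encrypted? The Python below is an added example written for this paper, not code from Rekhis & Boudriga or any other cited author; the abbreviated signature table, the 7.5 bits-per-byte threshold, the flag labels and the sample files are all constructed assumptions. It checks the leading magic bytes of a file against its extension, and computes Shannon entropy so that unrecognised, near-random content is reported as a possible encrypted container or compressed blob rather than silently skipped.

```python
import math
from collections import Counter

# Abbreviated magic-byte table, constructed for this example (a real
# signature database is far larger).  Keys are leading bytes, values are
# the extensions that legitimately carry that signature.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": {"png"},
    b"\xff\xd8\xff": {"jpg", "jpeg"},
    b"%PDF-": {"pdf"},
    b"PK\x03\x04": {"zip", "docx", "xlsx", "pptx", "jar"},
    b"\x7fELF": {"elf", "so", "bin"},
    b"MZ": {"exe", "dll"},
}


def identify(data: bytes):
    """Return the extension set whose signature matches the leading bytes, or None."""
    for magic, exts in SIGNATURES.items():
        if data.startswith(magic):
            return exts
    return None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in [0, 8]; uniformly distributed bytes score exactly 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(name: str, data: bytes, entropy_threshold: float = 7.5, min_size: int = 256) -> dict:
    """Flag files whose content disagrees with their name or looks encrypted.

    Flag labels are assumed for this example:
      extension-mismatch    known signature, but the extension does not belong to it
      high-entropy-unknown  no known signature and near-random content (possible
                            encrypted container or compressed blob: examine, do not skip)
      unknown-signature     no known signature, ordinary entropy
    """
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    exts = identify(data)
    entropy = shannon_entropy(data)
    flags = []
    if exts is None:
        # Tiny files give noisy entropy values, so the size floor avoids false alarms.
        if len(data) >= min_size and entropy >= entropy_threshold:
            flags.append("high-entropy-unknown")
        else:
            flags.append("unknown-signature")
    elif ext not in exts:
        flags.append("extension-mismatch")
    return {"name": name, "entropy": round(entropy, 2), "flags": flags}


if __name__ == "__main__":
    # Constructed sample files, not real evidence.
    samples = [
        ("notes.txt", b"\x89PNG\r\n\x1a\n" + b"\x00" * 100),  # PNG renamed to hide it
        ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 100),     # consistent JPEG
        ("backup.bin", bytes(range(256)) * 4),                 # uniform bytes: looks encrypted
        ("readme", b"plain text " * 20),                       # unknown but low entropy
    ]
    for name, data in samples:
        print(triage(name, data))
```

The entropy check is deliberately a triage signal and not a verdict: compressed archives and media also score close to 8 bits per byte, so a high-entropy hit means "examine this by hand or with a dedicated tool", which is exactly the step the Boucher case shows an examiner cannot skip.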

Resource Challenges

Depending on the scenario, the volume of data involved in the case might be large. In that case the investigator has to go through all the collected data in order to gather evidence, which may take more time for the investigation. Since time is a limiting factor, it becomes another major challenge in the field of digital forensics.
In volatile memory forensics, since the data stored in volatile memory is ephemeral, user activities are overwritten in the volatile memory. Therefore, investigators can analyze only recent information that is stored in volatile memory. This reduces the forensic value of the data for the investigation.

When collecting data from the source, an investigator must make sure
that none of the data is modified or missed during the investigation,
and the data must be well secured.
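The integrity requirement stated above is usually met in practice by hashing the acquired image at acquisition time, recording that hash in the chain-of-custody documentation, and re-hashing before every analysis session. The Python below is an added illustration of that workflow and is not part of the original paper; the record field names, the examiner placeholder and the sample "image" bytes are constructed for the example. The demo writes a small constructed file, records it, verifies it, then flips a single byte to show that the hash check fails while the size still matches, which is exactly the case a size check alone would miss.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path: str, algorithm: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Hash an image in fixed-size chunks so multi-gigabyte files never load into memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def record_acquisition(path: str, examiner: str, note: str = "") -> dict:
    """Chain-of-custody entry made at acquisition time (field names are assumed)."""
    return {
        "image": os.path.basename(path),
        "size": os.path.getsize(path),
        "sha256": hash_file(path),
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "note": note,
    }


def verify_image(path: str, record: dict) -> dict:
    """Re-hash before analysis: any mismatch means the copy is no longer the evidence."""
    current = hash_file(path)
    return {
        "hash_match": current == record["sha256"],
        "size_match": os.path.getsize(path) == record["size"],
        "current_sha256": current,
    }


def demo() -> tuple:
    """Write a constructed 'image', record it, verify it, then flip one byte.

    Returns (hash matched before the change, hash matched after the change,
             size matched after the change).
    """
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "evidence.dd")
        with open(image, "wb") as f:
            f.write(b"BOOTSECTOR" + bytes(range(256)) * 16)  # constructed, not a real image
        record = record_acquisition(image, examiner="EXAMINER_PLACEHOLDER", note="constructed sample")
        before = verify_image(image, record)
        with open(image, "r+b") as f:  # simulate tampering or media corruption of one byte
            f.seek(5)
            f.write(b"X")
        after = verify_image(image, record)
    return before["hash_match"], after["hash_match"], after["size_match"]


if __name__ == "__main__":
    print(demo())  # expected: (True, False, True)
```

Hashing the image rather than the original media is the point: the hash taken at acquisition is what later ties the working copy back to what was seized, and a failed re-verification tells the examiner to stop and go back to the original or to a known-good duplicate instead of analysing data that can no longer be defended.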

Data sources which are damaged cannot be easily used in investigations. So it is a major issue when an investigator finds a valuable source that is not usable.

Legal Challenges

Privacy is also important to any organization or victim. In many cases it may be required that the computer forensics expert share the data or compromise privacy to get to the truth. A private company or an individual user might generate lots of private information in their day to day usage. So asking an investigator to examine their data might risk their privacy being revealed.

Casey (2011) stated that:

In 2000, during an investigation into the notorious online Wonderland Club, Grant argued that all evidence found in his home should be suppressed because investigators had failed to prove that he was the person associated with the illegal online activities in question. However, the prosecution presented enough corroborating evidence to prove their case.

It becomes a challenge when the investigator ‘accidentally’ figures out or stumbles across some facts related to the crime, but is not allowed to use these against the attacker due to privacy issues. This affects the whole investigation process and limits the investigator to a point.
As stated by Bui, Enyeart & Luong (2003), ethical considerations should be examined because of the wealth of information that is collected from forensic investigations. In order to ensure the integrity of the data, it should be collected and stored carefully and legally. As mentioned by Bui, Enyeart & Luong (2003), it is important to be aware of the privacy of suspects and victims. Furthermore, Bui, Enyeart & Luong (2003) stated that investigators need to have good knowledge of several laws and “statutes that govern electronic evidence collection including the fourth amendment of the constitution.”

CHAPTER 2

2.1 Literature review

Although there has been some work in the DF community to create common file formats, schemas and ontologies, there has been little actual standardization. DFRWS started the Common Digital Evidence Storage Format (CDESF) Working Group in 2006. The group created a survey of disk image storage formats in September 2006, but then disbanded in August 2007 “because DFRWS did not have the resources required to achieve the goals of the group” (CDESF workgroup, 2009). Hoss and Carver discuss ontologies to support digital forensics (Carver and Hoss, 2009), but did not propose concrete ontologies that can be used. Garfinkel introduced an XML representation for file system metadata (Garfinkel, 2009), but it has not been widely adopted.

Richard and Roussev reviewed requirements for “next-generation digital forensics.” Their work stressed system requirements, and argued that inefficient system design, wasted CPU cycles, and the failure to deploy distributed computing techniques are introducing significant and unnecessary delays (Richard and Roussev, 2006). Elements of a modular computer forensics system exist in both Corey et al.’s design of a network forensics analysis tool (Corey et al., 2002) and in Cohen’s PyFlag (Cohen, 2008), although the rest of the DF research community has generally failed to appreciate how these architectures can satisfy Richard and Roussev’s requirement for parallelism. Ayers ignored all of the previous work on this topic in his “second generation computer forensic analysis system,” presented at DFRWS 2009 (Ayers, 2005). In general, it seems that few DF systems designers build upon previous work; instead, each new project starts afresh.

Following the first DFRWS, Mocas proposed a framework to help build “theoretical underpinnings for digital forensic research” (Mocas, 2004). The purpose of the framework was to “define a set of properties and terms that can be used as organizing principles for the development and evaluation of research in digital forensics.” Mocas suggested that research should consider the context in which evidence is encountered, data integrity, authentication, reproducibility, non-interference and the ability of proposed techniques to comply with federal minimization requirements. Pollitt reviewed 14 different models for digital forensics investigation but did not attempt to evaluate or catalog them given time constraints (Pollitt, 2007). Most of these investigation models rely on the ability to make the best use of digital evidence that is found. An alternative approach is proactive digital forensics; for example, Ray et al.’s design for a system that predicts attacks and changes its collection behavior before an attack takes place (Allen Ray, 2007). Bradford et al. likewise argue that it is unwise to depend upon “audit trails and internal logs” and that digital forensics will only be possible on future systems if those systems make proactive efforts at data collection and preservation; they present a mathematical model for deciding the content and frequency of proactive forensic event recorders (Bradford et al., 2004). Pollitt et al. discussed how virtualization software and techniques can be productively applied to both digital forensics research and education (Pollitt et al., 2008). Any discussion of virtualization with respect to digital forensics faces an unwelcome tautology. In practice, the impact of virtualization in forensic examination can usually be ignored, except when it can’t. That’s because sometimes the virtualization is the subject of the forensic examination, and sometimes the virtualization is a tool used by the forensic examiner. In June 2008 a brainstorming session at CISSE 2008 explored research categories, topics and problems in digital forensics. One of the results of this project was an article by Nance, Hay and Bishop that attempted to define a Digital Forensics Research Agenda (Nance et al., 2009). The authors identified six categories for digital forensics research: Evidence Modeling, Network Forensics, Data Volume, Live Acquisition, Media Types, and Control Systems. This taxonomy is useful, but we believe that tactical analysis must be accompanied by strategic thinking.

In January 2009 Beebe presented an invited talk at the Fifth IFIP WG 11.9 International Conference on Digital Forensics entitled “Digital Forensics: The Good, The Bad, and the Unaddressed” (Beebe, 2009). Beebe argued convincingly that digital forensics was no longer a niche discipline: “It is now mainstream knowledge that the digital footprints that remain from interactions with computers and networks are significant and probative. Digital forensics was once a niche science that was leveraged primarily in support of criminal investigations, and digital forensic services were utilized only during the late stages of investigations after much of the digital evidence was already spoiled. Now digital forensic services are sought right at the beginning of all types of investigations; even popular crime shows and novels regularly incorporate digital evidence in their story lines.” As for “The Bad” and “The Unaddressed,” Beebe said that digital forensics largely lacks standardization and process, and what little widespread knowledge we have is “heavily biased towards Windows, and to a lesser extent, standard Linux distributions.” Unaddressed, Beebe says, is the problem of scalability, the lack of intelligent analytics beyond full-text search, non-standard computing devices (especially small services), ease-of-use, and a laundry list of unmet technical challenges. Finally, Turnbull et al. performed a detailed analysis of the specific digital media formats being collected by the South Australian Police Electronic Crime Section; theirs appears to be the first quantitative analysis of its kind (Turnbull et al., 2009), although the FBI’s Regional Computer Forensic Laboratory program publishes an annual report with the amount of media and cases that it processes (Regional Computer Forensics Laboratory, 2008). More case studies such as these are needed so that researchers can use actual evidence, rather than their own personal experiences, to direct their problem solving efforts.

CHAPTER 3

3.1 Future Paradigms of Digital Forensics

Many of the digital forensics tools tailored to discovering evidence are expected to reside on the suspect’s device, but offer limited features for investigating unknown and complex environments, including big data–like sources [2, 3, 8]. Consequently, the majority of forensic software is unsuitable for identifying anomalies in an automatic or unattended way. One of the major challenges to be addressed in the near future, therefore, is the creation of tools and techniques to analyze the bulk of data and report possible digital clues to the examiner for further investigation. Alas, the engineering of such tools and techniques, including proper visualization features to help the forensic examiner, is a complex task, particularly because of the lack of unified standards and the nontrivial computational requirements. Fortunately, digital investigation can leverage the features of cloud computing, for instance, to offload the most demanding operations of digital forensics procedures, such as log analysis, data indexing, and multimedia processing. From this perspective, one of the most interesting aspects of the cloud is the opportunity to exploit a new paradigm in which forensics is provided as a utility, à la forensics as a service (FaaS). For example, Giuseppe Totaro and his colleagues developed a tool for indexing forensic disk images that can be easily used by investigators through a web interface [12]. An additional benefit of pursuing an FaaS paradigm is the possibility of concentrating the software in a single point, which makes updates and improvements easier. This can also hide complexity from end users, allowing professionals to concentrate on the investigation. Similarly, digital investigations can leverage the proliferation of software-defined networking techniques, which offer additional layers of abstraction useful for analyzing attacks or infections without the need for resource-consuming traffic analysis campaigns. Lastly, digital forensics could quickly become essential even in new and unforeseen scenarios. IoT usage creates a point of interaction between the cyber and physical worlds, making digital IoT forensics an effective way to collect information about the nondigital environment as well. For example, IoT nodes can provide evidence of when a person was present in a room by investigating indoor presence sensor values [13, 14]. Obviously, such investigations are linked to further privacy issues [14, 15], especially as sensors might be influenced not only by a single user but by an undefined set of influencers: several individuals could trigger a presence sensor in a room each day, not just the potential criminal. Because personal devices, appliances, and IoT nodes are starting to “reverse the fate” of several court trials, in the following section we focus on how IoT and CPS can impact digital forensics, in terms of both challenges and opportunities.

Conclusion

This paper predicts an impending crisis in digital forensics given a continuation of current trends that have been identified by many observers. But whereas other papers looking at the future of forensics have focused on specific tactical capabilities that need to be developed, this paper discusses the need to make digital forensics research more efficient through the creation of new abstractions for data representation and forensic processing. Given the diversity of the research and vendor communities, the development of these abstractions will not be sufficient to assure their success. Funding agencies will need to adopt standards and procedures that use these abstractions for the testing and validation of research products, and customers will need to demand that these abstractions be implemented in tomorrow’s tools. With careful attention to cooperation, standardization, and shared development, the digital forensics research community can simultaneously lower development costs and improve the quality of our research efforts. This is probably one of the few techniques at our disposal for surviving the coming crisis in digital forensics.
References

Fahdi, M.L., Clarke, N.L. & Furnell, S.M. (2013). Challenges to Digital Forensics: A Survey of Researchers & Practitioners Attitudes and Opinions. [Online]. P 1. Available from: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6641058 [Accessed 06/22/2017].
Rekhis, S. & Boudriga, N. (2010). Formal Digital Investigation of Anti-Forensic Attacks. [Online]. P 34. Available from: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5491959 [Accessed 06/22/2017].
TechTerms (2014). Encryption. [Online]. Available at: http://www.techterms.com/definition/encryption [Accessed 06/22/2017].
Balogh, S. & Mydlo, M. (2013). New Possibilities for Memory Acquisition by Enabling DMA Using Network Card.
Janssen, C. (2014). Steganography. [Online]. Available at: http://www.techopedia.com/definition/4131/steganography [Accessed 06/22/2017].
Microsoft Corporation (2014). Rootkits. [Online]. Available at: http://www.microsoft.com/security/portal/mmpc/threat/rootkits.aspx [Accessed 06/22/2017].
Kassner, M. (2008). 10+ things you should know about rootkits. [Online]. Available at: http://www.techrepublic.com/blog/10things/10-plus-things-you-should-know-about-rootkits/ [Accessed 06/22/2017].
Lee, D. (2013). Jake Davis: Freed hacker faces strict tech rules. BBC News. [Online]. 24th June. Available from: http://www.bbc.com/news/technology-23029464 [Accessed 06/22/2017].
Casey, E. (2011). Digital Evidence and Computer Crime. 3rd ed. USA: Elsevier.
Bui, S., Enyeart, M. & Luong, J. (2003). Issues in Computer Forensics. [Online]. P 7. Available from: http://www.cse.scu.edu/~jholliday/COEN150sp03/projects/Forensic%20Investigation.pdf [Accessed 06/22/2017].