CLIFFORD UNIVERSITY
DIGITAL FORENSIC IN
THE FUTURE
COURSE CODE: CSC 426
COURSE TITLE: SPECIAL TOPICS IN COMPUTER SCIENCE
CHAPTER 1
1.0. INTRODUCTION
Digital Forensics (DF) has grown from a relatively obscure tradecraft
to an important part of many investigations. DF tools are now used on
a daily basis by examiners and analysts within local, state and Federal
law enforcement; within the military and other US government
organizations; and within the private “e-Discovery” industry.
Developments in forensic research, tools, and process over the past
decade have been very successful, and many in leadership positions
now rely on these tools on a regular basis, frequently without realizing
it. Moreover, there seems to be a widespread belief, buttressed by
portrayals in the popular media, that advanced tools and skillful
practitioners can extract actionable information from practically any
device that a government, private agency or even a skillful individual
might encounter. This paper argues that we have been in a “Golden
Age of Digital Forensics,” and that the Golden Age is quickly coming
to an end. Increasingly, organizations encounter data that cannot be
analyzed with today’s tools because of format incompatibilities,
encryption, or simply a lack of training. Even data that can be
analyzed can wait weeks or months before review because of data
management issues. Without a clear research agenda aimed at
dramatically improving the efficiency of both our tools and our very
research process, hard-won capabilities will be degraded and
eventually lost in the coming years. This paper proposes a plan for
achieving that dramatic improvement in research and operational
efficiency through the adoption of systematic approaches for
representing forensic data and performing forensic computation. It
draws on more than 15 years’ personal experience in computer
forensics, an extensive review of the DF research literature, and
dozens of discussions with practitioners in government, industry, and
the international forensics community.
Prior to the 1970s, crimes involving computers were dealt with using
existing laws. The first computer crimes were recognized in the 1978
Florida Computer Crimes Act, which included legislation against the
unauthorized modification or deletion of data on a computer
system. Over the next few years the range of computer crimes being
committed increased, and laws were passed to deal with issues of
copyright, privacy/harassment (e.g., cyber bullying, happy slapping,
cyber stalking, and online predators) and child pornography. It was
not until the 1980s that federal laws began to incorporate computer
offences. Canada was the first country to pass legislation in 1983. This
was followed by the US Federal Computer Fraud and Abuse Act in
1986, Australian amendments to their crimes acts in 1989 and the
British Computer Misuse Act in 1990.
Throughout the 1990s there was high demand for these new, and
basic, investigative resources. The strain on central units led to the
creation of regional, and even local, level groups to help handle the
load. For example, the British National Hi-Tech Crime Unit was set
up in 2001 to provide a national infrastructure for computer crime;
with personnel located both centrally in London and with the various
regional police forces (the unit was folded into the Serious Organized
Crime Agency (SOCA) in 2006).
During this period the science of digital forensics grew from the
ad-hoc tools and techniques developed by these hobbyist practitioners.
This is in contrast to other forensics disciplines which developed from
work by the scientific community. It was not until 1992 that the term
"computer forensics" was used in academic literature (although prior
Since the late 1990s mobile devices have become more widely
available, advancing beyond simple communication devices, and have
been found to be rich forms of information, even for crime not
• Encryption
• Steganography
• Covert Channel
• Data hiding in storage space
• Residual Data Wiping
• Trail Obfuscation
• Attacking the tools
• Attacking the investigators
Encryption
Steganography
Covert Channel
Attackers hide some data inside storage areas and make it invisible
to the usual system commands and programs. This makes the
investigation more complex and more time consuming, and sometimes
data can be corrupted too. Rootkits are one of the most popular
techniques used to hide data in storage space.
When the attacker uses a computer for his goal, a few background
processes leave traces (e.g. temporary files, history of commands)
without the knowledge of the attacker. But an intelligent attacker can
avoid this risk by wiping out the tracks that were made by his process
and making the system work as if it has not been used for such a
purpose. Lee’s 2013 article indicates that 20-year-old Jake Davis
“was convicted of computer hacking for his role in the notorious
group LulzSec”. Furthermore, Lee (2013) says that he was “forbidden
from creating encrypted files, securely wiping any data or deleting his
internet history”.
Resource Challenges
When collecting data from the source, an investigator must make sure
that none of the data is modified or missed during the investigation,
and the data must be well secured.
Legal Challenges
CHAPTER 2
was already spoiled. Now digital forensic services are sought right at
the beginning of all types of investigations. Even popular crime shows
and novels regularly incorporate digital evidence in their story lines.
As far as “The Bad” and “The Unaddressed,” Beebe said that digital
forensics largely lacks standardization and process, and what little
widespread knowledge that we have is “heavily biased towards
Windows, and to a lesser extent, standard Linux distributions.”
Unaddressed, Beebe says, is the problem of scalability, the lack of
intelligent analytics beyond full-text search, non-standard computing
devices (especially small services), ease-of-use, and a laundry list of
unmet technical challenges. Finally, Turnbull et al. performed a
detailed analysis of the specific digital media formats being collected
by the South Australian Police Electronic Crime Section; theirs
appears to be the first quantitative analysis of its kind (Turnbull et
al., 2009), although the FBI’s Regional Computer Forensic Laboratory
program publishes an annual report with the amount of media and
cases that it processes (Regional Computer Forensics Laboratory,
2008). More case studies such as these are needed so that researchers
can use actual evidence, rather than their own personal experiences, to
direct their problem-solving efforts.
CHAPTER 3
Conclusion
References