[IEEE 2013 5th International Conference on Computational Intelligence and Communication Networks (CICN) - Mathura, India (2013.09.27-2013.09.29)]

Digital Forensic Investigation Development Model

Ankur Kumar Shrivastava, Department of IT, MIET, Meerut, U.P., India
Nitisha Payal, Department of CSE, MIET, Meerut, U.P., India
Archit Rastogi, Department of CSE, MIT, Meerut, U.P., India
Amod Tiwari, Department of CSE, PSIT, Kanpur, U.P., India
E-mail: [email protected], [email protected], [email protected], [email protected]

Abstract: Computer forensic investigation is a relatively new field of study, and many of the methods used in digital forensics have not been formally outlined; digital forensics is regarded as part art and part science. This paper breaks a digital forensic investigation and its progression down into an investigation development model, so that an examiner can readily grasp the problems and challenges met while preparing and processing an investigation. Key issues drawn from various system and case analyses lead to documentation of the computer examiner's role: gathering evidence from a suspect computer terminal and determining whether the suspect committed a crime or violated organizational policies. As an outcome, the Digital Forensic Investigation Development Model (DFIDM) is introduced as a tailored approach for computer examiners or investigators to gather and preserve the necessary digital evidence from different computer terminals or resources.

Keywords: Data acquisition, Digital forensic, Network forensic, DFIDM (Digital forensic investigation development model).

I. INTRODUCTION

Digital forensics can be divided into two broad categories:

• Computer forensic
• Network forensic

A. Computer Forensic

Computer forensics has been a professional field for many years, but most well-established experts in the field have been self-taught. The growth of the internet and the worldwide proliferation of computers have increased the need for computer investigations. Computers can be used to commit crimes, and crimes can be recorded on computers, including company policy violations, embezzlement, e-mail harassment, murder, leaks of proprietary information and even terrorism. Law enforcement agents, network administrators and private investigators now rely on the skills of professional computer forensic examiners to explore criminal and civil cases. In general, a digital forensic expert investigates data that can be retrieved from a computer hard disk or other storage medium, much as an archaeologist excavates a site. The information the investigator retrieves might already be on the disk, but finding it and then deciphering it is not an easy task.

Whereas computer investigation looks at stored data, network forensics returns information on how a user, intruder or hacker gained access to a network. Forensic investigators use log files to gather information about when a user or attacker logged on and what actions they performed. In a network investigation the investigator also finds out which URLs were visited during the login session. Forensic investigation on a network also provides the login IDs used by users or attackers to access the network. Digital forensic investigators generally work as a team to make computers and networks secure within an organization. The computer forensic investigation function is one of the three edges of the triangle that builds up an organization's computing security. The triangle consists of the following three edges:

• Vulnerability assessment and risk management
• Network intrusion detection and incident response
• Computer investigation

Fig 1: Digital Forensic Investigation Triangle

Experts in the vulnerability assessment and risk management group also have skills in network monitoring, intrusion detection and incident response. In contrast, the computer investigators group carries out investigations and performs forensic analysis on a suspected system to gather the digital evidence related to the incident or crime.

B. Network Forensic

Network forensics is a sub-category of cyber forensics which focuses on recording and analyzing information captured over a computer network in order to collect digital evidence. Network forensics deals with dynamic and volatile information, in contrast to computer system forensics. Network forensics can be divided into two different streams. The first is related to security, where inconsistent network traffic is continuously monitored and intrusions are identified. The second is related to law enforcement, where the captured or recorded information is analyzed to produce digital evidence that can be used in legal proceedings. Network attacks can be classified into four main categories:

• Probing: surveillance and other probing
• DoS: denial of service
• U2Su: unauthorized access to local super user (root) privileges
• R2L: unauthorized access from a remote machine

2013 5th International Conference on Computational Intelligence and Communication Networks

978-0-7695-5069-5/13 $26.00 © 2013 IEEE

DOI 10.1109/CICN.2013.115

532


So in any network forensic analysis the investigation team prepares itself to record and capture information over the public or private network and tries to reconstruct the path in order to find the root of these attacks. With the help of the information collected over the network, the investigation team also reconstructs facts and digital evidence that it can put before law enforcement agencies during their proceedings.
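As an added illustration of the log-file reconstruction described above (example code written for this page, not part of the paper), the following script parses two constructed log sources, an authentication log and a web proxy log in a simplified key=value format assumed for the example, and builds a per-user timeline: when each login ID logged on and off, from which source address, how many failed attempts preceded the successful login, and which URLs were visited inside the login session. The log format, field names, sample entries and the "internal address" prefix used for triage are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample logs (not taken from the paper). The line format is a
# simplified key=value layout assumed for this example; real formats differ.
AUTH_LOG = """\
2013-09-27T09:01:12 login user=alice src=10.0.0.5 result=success
2013-09-27T09:03:40 login user=bob src=203.0.113.9 result=failure
2013-09-27T09:03:44 login user=bob src=203.0.113.9 result=failure
2013-09-27T09:03:49 login user=bob src=203.0.113.9 result=success
2013-09-27T09:45:00 logout user=alice src=10.0.0.5
2013-09-27T09:50:00 ??? corrupted entry that must not be guessed at
"""

PROXY_LOG = """\
2013-09-27T09:02:01 user=alice url=http://intranet.example/home
2013-09-27T09:05:10 user=bob url=http://files.example/payroll.xls
2013-09-27T09:06:30 user=bob url=http://paste.example/upload
2013-09-27T09:10:00 user=alice url=http://intranet.example/mail
2013-09-27T10:00:00 user=alice url=http://intranet.example/late
"""

AUTH_RE = re.compile(r"^(\S+) (login|logout) user=(\S+) src=(\S+)(?: result=(\S+))?$")
PROXY_RE = re.compile(r"^(\S+) user=(\S+) url=(\S+)$")


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def reconstruct_sessions(auth_log, proxy_log):
    """Per-user timeline: login/logout times, source addresses, failed attempts,
    and only those URLs that fall inside the reconstructed login window."""
    sessions = defaultdict(lambda: {"sources": set(), "failed_logins": 0,
                                    "login": None, "logout": None, "urls": []})
    for line in auth_log.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # unparseable lines stay out of the timeline, never guessed
        ts, event, user, src, result = m.groups()
        rec = sessions[user]
        rec["sources"].add(src)
        when = parse_time(ts)
        if event == "login" and result == "failure":
            rec["failed_logins"] += 1
        elif event == "login" and result == "success" and rec["login"] is None:
            rec["login"] = when
        elif event == "logout" and rec["login"] is not None:
            rec["logout"] = when
    for line in proxy_log.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        ts, user, url = m.groups()
        rec = sessions.get(user)  # .get() does not create an empty record
        if rec is None or rec["login"] is None:
            continue  # a URL with no matching login is not attributed to anyone
        when = parse_time(ts)
        if when >= rec["login"] and (rec["logout"] is None or when <= rec["logout"]):
            rec["urls"].append((when, url))
    return dict(sessions)


def flag_for_review(sessions, internal_prefixes=("10.",)):
    """Triage under an assumed policy: flag users with failed attempts or with
    a login from an address outside the assumed internal prefixes."""
    flags = {}
    for user, rec in sessions.items():
        reasons = []
        if rec["failed_logins"]:
            reasons.append(f"{rec['failed_logins']} failed login attempt(s)")
        if any(not s.startswith(internal_prefixes) for s in rec["sources"]):
            reasons.append("login from non-internal address")
        if reasons:
            flags[user] = reasons
    return flags


if __name__ == "__main__":
    sessions = reconstruct_sessions(AUTH_LOG, PROXY_LOG)
    for user, rec in sorted(sessions.items()):
        print(user, rec["login"], rec["logout"], sorted(rec["sources"]),
              rec["failed_logins"], [u for _, u in rec["urls"]])
    print(flag_for_review(sessions))
```

The session window is what makes the attribution defensible: the URL visited after alice's logout is kept out of her timeline, and a line that does not parse is skipped rather than reconstructed, so every fact in the output can be traced back to a specific log line.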

Fig 2: Graphical Representation of Digital Forensic Steps

II. DIGITAL FORENSICS METHODOLOGIES

There are a variety of steps that must be performed during a forensic investigation. The following steps are the basis for conducting any forensic investigation:

• Acquire the evidence
• Authenticate the evidence
• Analyze the evidence
• Present the evidence

Along with this basic methodology developed by Kruse II and Heiser, other, more formal methodologies have been developed. Some of the methodologies are abstract and can be used in any situation that concerns digital evidence; others are aimed at a particular implementation. In the first step the investigator tries to acquire the evidence from digital media or with the help of system log files. In the next step he performs checks to authenticate the acquired evidence, to assure himself that the evidence collected relates to the digital crime under investigation. Then he performs tests on the collected evidence to analyze the data and gather useful information that he can present in his report as evidence. In the last step he reports all the information collected by the analysis process in the proper sequence.

III. PREPARING FOR DIGITAL FORENSIC INVESTIGATION

In preparation for digital forensic cases we have to consider some issues thoroughly:

• Setting up a workstation for digital forensics
• Understanding the digital forensic software needs
• Understanding the digital forensic hardware needs
• Types of software and hardware digital forensic tools
• Understanding the concepts and terms used in warrants

There are two different natures of case; based on these, forensic experts start working on a digital crime and try to investigate the incident. The two natures of forensic and computer investigation are:

• Public investigation
• Private or corporate investigation

A. Public Investigation

In a public investigation, government agencies are involved and are responsible for the criminal investigation. During public investigations the investigator must understand the local city, state and country laws and follow all federal law related to cyber crime and computer investigation, including the standard legal processes and procedures, in order to build a criminal case. In a criminal case the suspect is tried for a criminal offence such as murder, burglary or molestation. To build the case the investigator asks questions such as: with the help of which tool was the crime committed? What is simple trespass? What is theft or vandalism? A public sector case follows the standard federal and legal process:

Fig 3: Public Sector Investigation Process

Step 1: After a complaint is launched, acquire and seize the digital evidence.
Step 2: Perform and manage the high-tech investigation.
Step 3: Present the digital evidence collected during the investigation in court for prosecution.

B. Private or Corporate Investigation

Private or corporate investigation involves private companies and lawyers who address company policy violations and legal disputes. During a private sector investigation the investigator must understand that the business must continue at its normal pace and that the investigation should cause minimal interruption. Private or corporate sector crimes are normally e-mail harassment, falsification of data, gender and age discrimination, sabotage and selling sensitive company information. Here the investigator cannot seize the evidence; instead they acquire a disk image and the pertinent information and allow the system to go back online as soon as possible so that business continues. In the private or corporate sector we generally follow this process:

Step 1: After being informed by top-level management, the forensic investigator starts the investigation.

Fig 4: Corporate Sector Investigation Process

Step 2: Acquire a disk image of the suspect's laptop or computer terminal for investigation without their knowledge.
Step 3: Perform and manage the high-tech investigation on the acquired disk image.
Step 4: Submit the investigation report to top-level management along with the digital evidence for further action.

IV. PROPOSED DIGITAL FORENSIC INVESTIGATION DEVELOPMENT MODEL (DFIDM)

Day by day, digital crime is increasing drastically all over the globe in the form of unauthorized access, footprinting, creation of back doors and DDoS attacks, so it becomes very important how organizations design and deploy their security policies to avoid such incidents. To make malicious users, intruders or attackers accountable, organizations must adopt the 3R model for security surveillance. Organizational security policies are then designed and deployed so that they cover all three aspects of the 3R (Resistance, Recognition, Recovery) strategy: the first R (resistance) is the preventive measure, meaning the organization's security systems have the ability to prevent intruders; the second R (recognition) identifies any unauthorized access attempt or incident through some kind of alarm-generating system; and the third R (recovery) reduces the overall impact and loss and tries to overcome any unexpected incident as soon as possible. Adoption of this 3R model provides the conceptual base for developing organizational security surveillance policies, which also cover digital forensics. It is clear from the model that the team responsible for security surveillance must understand the forensic investigation requirements. The authors here present a flowchart for forensic investigation so that it is easy to understand how to start an investigation and what requirements are associated with each step of its flow. The proposed DFIDM approach sets out how a digital forensic investigation prosecutes malicious computer intrusion and integrates best policies, practices, procedures, techniques and training alongside DFIDM, to assure the security of information and to help in taking measures for information security within a well-defined IT infrastructure. These decisions are based on the embedded conceptual flow of DFIDM:

Fig 5: Conceptual flow of DFIDM

Initiation: Additional steps beyond the preliminary risk assessment include determining which assets on the network warrant digital forensic protection.

Acquisition: The first need in a digital forensic investigation is to make a copy of the original digital evidence. This procedure preserves the original evidence and makes sure it does not become corrupted or damaged. To perform the acquisition task the following sub-functions are performed:

• Physical data copy
• Logical data copy
• Data acquisition format
• Command line acquisition
• GUI acquisition

Validation & Discrimination: When dealing with computer evidence there are two issues. The first is ensuring the integrity of the data being copied: the validation process. The second is the discrimination of the data, which involves sorting and searching through all the investigation data. Validating the data is what allows the data to be discriminated. The sub-functions of validation and discrimination perform the following tasks:

• Hashing
• Filtering
• Analyzing file headers

Extraction: The extraction function is the recovery task in a digital investigation and is the most demanding of all tasks for a computer investigator to master. Recovery of data is the first step in analyzing an investigation's data. The sub-functions of extraction perform the following tasks:

• Keyword searching
• Decompressing
• Decrypting
• Bookmarking

Fig 6: Investigation Flow of DFIDM

Reconstruction: The purpose of the reconstruction features in a digital forensic investigation is to recreate the suspect's storage drive image. The reason for creating a duplicate of the suspect disk is to provide an identical copy for other computer investigators who might need a fully functional copy of the suspect's disk drive so that they can perform their own tests and analysis. The sub-functions of the reconstruction phase are:

• Disk-to-disk copy
• Image-to-image copy
• Partition-to-partition copy
• Image-to-partition copy

Reporting: After completing the digital forensic analysis and examination, the investigator needs to create a report or log files on the findings of the investigation. The report or log files record all of the findings and are presented in the court room as evidence. The log files and reports are also used as a reference in other similar digital investigations of a crime.

Disposition: In this phase we try to ensure that there is no potentially useful information or evidence left on a retired system that could be used for any malicious activity. For proper disposition of a retired system we use the digital forensic concept of chain of custody to create accountability.

V. CONCLUSION

The conceptual flow of DFIDM provides the base for digital forensic investigation readiness. After going through this paper, an inexperienced digital forensic investigator will gain knowledge of the preparation, key issues and major flow of forensic investigations. Future work involves further revision of the DFIDM flow so that it is easier to understand, learn and investigate with. In future the authors intend to measure the efficiency and accuracy of DFIDM models.
