WIXLIB

Overview of Digital ForensicsRELEVANT LAWS In any investigation, it is important to consult with a legalcounsel on the applicability of local, regional, nationaland international laws. In the United States, the ComputerFraud and Abuse Act of 1986, 18 U.S.C. 1030, criminalizesconduct that abuses computer systems. The statuteprotects computers that have a federal interest, i.e., federal computers, financial systems and computers thatare used in interstate and foreign commerce. The statuteprotects computer systems from trespass, threats, damage,espionage and being used as tools of fraud.Other statutes that may apply follow:12CAN-SPAM Act: 18 U.S.C. § 1037. The CAN-SPAMAct of 2003, Pub. L. No. 108-187, 117 Stat. 2699 (2003),which became effective on January 1, 2004, providesa means for prosecuting those responsible for sendinglarge amounts of unsolicited commercial email (a.k.a.“spam”).Wire Fraud: 18 U.S.C. § 1343 provides: Whoever,having devised or intending to devise any schemeor artifice to defraud, or for obtaining money orproperty by means of false or fraudulent pretenses,representations, or promises, transmits, or causes tobe transmitted by means of wire, radio, or televisioncommunication in interstate or foreign commerce, anywritings, signs, signals, pictures, or sounds for thepurpose of executing such scheme or artifice, shallbe fined under this title or imprisoned not more than20 years, or both. If the violation affects a financial 110Prosecuting Computer Crimes institution, such personshall be fined not more than 1,000,000 or imprisonednot more than 30 years, or both. The Interception of Communications:18 U.S.C. § 2511(1)(a) & (b); the disclosure of interceptedcommunications, 18 U.S.C. §2511(1)(c) & (e); and the useof intercepted communications, 18 U.S.C. § 2511(1)(d).These prohibitions are subject to a number of exceptions,most of them detailed in section 18 U.S.C. § 2511(2). Unlawful Access to Stored Communications:18 U.S.C. § 2701; Section 2701 focuses on protectingemail and voice mail from unauthorized access. Aggravated Identity Theft: 18 U.S.C. § 1028A, TheIdentity Theft Penalty Enhancement Act, which tookeffect July 15, 2004, established a new offense ofaggravated identity theft. Section 1028A applies whena defendant “knowingly transfers, possesses, or uses,without lawful authority, a means of identification ofanother person.”Communication Interference: 18 U.S.C. § 136.Where a compromised computer is owned or usedby the United States for communications purposes,18 U.S.C. § 1362 may provide an alternative oradditional charge. Title 18: United States Code, Section 1362 provides:Whoever willfully or maliciously injures or destroysany of the works, property, or material of any radio,telegraph, telephone or cable, line, station, or system,or other means of communication, operated orcontrolled by the United States, or used or intendedto be used for military or civil defense functions of theUnited States, whether constructed or in process ofconstruction, or willfully or maliciously interferes inany way with the working or use of any such line, orsystem, or willfully or maliciously obstructs, hinders, ordelays the transmission of any communication over anysuch line, or system, or attempts or conspires to dosuch an act, shall be fined under this title or imprisonednot more than ten years, or both. 12Access Device Fraud: 18 U.S.C. § 1029. Ten separateactivities relating to access devices are criminalized in18 U.S.C. § 1029. The term “access device” is definedas any card, plate, code, account number, electronicserial number, mobile identification number, personalidentification number, or other telecommunicationsservice, equipment, or instrument identifier, or othermeans of account access that can be used, alone orin conjunction with another access device, to obtainmoney, goods, services, or any other thing of value, orthat can be used to initiate a transfer of funds (otherthan a transfer originated solely by paper instrument).Office of Legal Education Executive Office for US Attorneys, Prosecuting Computer Crimes, pdf 2015 ISACA. All Rights Reserved.5

Overview of Digital ForensicsFor a more comprehensive reading of applicable USfederal laws, Prosecuting Computer Crimes is availablefor download from the Department of Justice.13 Statestatutes should also be considered, and consultingwith a legal counsel is advised. Additional US laws14include the following: Health Insurance Portability andAccountability Act (HIPAA) Gramm-Leach-Bliley Act (GLBA) Sarbanes-Oxley Act (SOX) Consumer Credit Protection Act Telephone Records and Privacy Protection ActInternationally, the European Union (EU) developed aworking document that pertains to the identificationand handling of electronic evidence. The EU/Council ofEurope (COE) Joint Project on Regional Cooperationagainst Cybercrime: Electronic Evidence Guide is abasic guide for law enforcement and judges.15US law enforcement personnel who search and seizecomputers during an investigation should be awareof the requirements in the Searching and SeizingComputers and Obtaining Electronic Evidence inCriminal Investigations manual, from the Departmentof Justice Computer Crime and Intellectual PropertySection.16DIGITAL FORENSICS POLICIES AND SETOF CONTROLSThe enterprise cybersecurity program should havepolicies that address all forensics considerations, such ascontacting law enforcement, monitoring, and conductingregular reviews of forensics policies, guidelines andprocedures. Good practice requires that policies are part ofan overall governance and management framework, suchas COBIT 5, from ISACA, which provides a hierarchicalstructure into which all policies should fit and link clearlyto the underlying principles.17 Policies should be alignedwith the enterprise risk appetite, which is determined in therisk governance activities, and are a key component of theenterprise system of internal control.18 Policies should allowauthorized personnel to monitor systems and networks andperform investigations for legitimate reasons in appropriatecircumstances. The policies should clearly define the rolesand responsibilities of all people who perform or assist withthe enterprise forensic activities.19 Policies, guidelines andprocedures should clearly identify the tools that may beused in a forensic review and provide reasonable guidanceon the use of those tools under various circumstances.Note: Information security and cybersecurity require acomprehensive set of controls. The set of controls, auditcategory and reviews for cybersecurity investigations andforensics are explained in detail in the ISACA publicationTransforming Cybersecurity.20 This publication applies theCOBIT 5 framework and its component publications totransforming cybersecurity into a business process in asystemic way.Ibid.Bosworthy, Seymour; M.E. Kabay, M.E.; Computer Security Handbook Fourth Edition, John Wiley & Sons, Inc., October 2002Council of Europe, Electronic Evidence Guide, 2013, de/default en.asp16Cybercrime.gov, Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, Office of Legal Education Executive Office for United States Attorneys, nual2009.pdf17ISACA, COBIT 5 for Assurance, USA, 2013, d.19Kent, Karen; Suzanne Chevalier; Tim Grance; Hung Dang; NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response, Recommendations of the National Institute of Standardsand Technology, National Institute of Standards and Technology (NIST), August 2006, 00-86.pdf20ISACA, Transforming Cybersecurity, USA, 2013, -Using-COBIT-5.aspx131415 2015 ISACA. All Rights Reserved.6

Overview of Digital ForensicsMany cyberincidents can be handled more efficiently andeffectively if forensics considerations are incorporatedinto the information system life cycle. Examples of suchconsiderations follow: Perform regular backups of systems and maintainprevious backups for a specific period of time. Enable auditing on workstations, servers andnetwork devices. Forward audit records to secure centralized logservers. Configure mission-critical applications to performauditing and include the recording of all authenticationattempts. Maintain a database of file hashes for the filesof common operating system and applicationdeployments, and use file integrity checking softwareon particularly important assets. Maintain records (e.g., baselines) of network andsystem configurations. Establish data retention policies that support theperformance of historical reviews of system andnetwork activity, comply with requests or requirementsto preserve data that are related to ongoing litigationand investigations, and destroy data that are no longerneeded.21DIGITAL FORENSICS SCIENTIFIC PROCESSKen Zatyko, the former director of the Defense ComputerForensics Laboratory, defined the following eight-stepdigital forensics scientific process:221.Obtain search authority—In a legal investigation,legal authority is required to conduct a search orseizure of data.2.Document chain of custody—In legal contexts,chronological documentation of evidence handling isrequired to avoid allegations of evidence tampering ormisconduct.2122233.Image and hash—When digital evidence is found,it should be carefully duplicated and then hashed tovalidate the integrity of the copy.4.Validate tools—When possible, tools that are used forforensics should be validated to ensure reliability andcorrectness.5.Analyze—Forensic analysis is the execution ofinvestigative and analytical techniques to examine theevidence.6.Repeat and reproduce (quality assurance)—Theprocedures and conclusions of forensic analysisshould be repeatable and reproducible by the same orother forensic analysts.7.Report—The forensic analyst must document his/her analytical procedure and conclusions for use byothers.8.Possibly present expert testimony—In some cases,the forensic analyst will present his/her findings andconclusions to a court or another audience.The process involves more than intrusion-related securityincidents. Zatyko defines scientific digital forensics as:“The application of computer science and investigativeprocedures for a legal purpose involving the analysis ofdigital evidence after proper search authority, chain ofcustody, validation with mathematics, use of validated tools,repeatability, reporting, and possible expert presentation.”23As the process steps indicate, the digital forensic analystmeticulously handles, analyzes and reports on the evidenceobtained, to present an objective opinion on the facts of acase without prejudice.Ibid.Zatyko, Ken; “Commentary: Defining Digital Forensics,” Forensic Magazine, 2 January 2007, fining-digital-forensicsIbid. 2015 ISACA. All Rights Reserved.7

Overview of Digital ForensicsAPPLYING VARIATIONS OF THE SCIENTIFIC METHODScientists often use variations of the scientific methodto solve problems. Deductive reasoning applies broadprinciples to predict specific answers (see figure 2).Conversely, inductive reasoning uses a series of specificpieces of information to extrapolate a broad conclusion.For example, forensic analysts might use inductivereasoning to determine where a cyberincident started.FIGURE2Because physical evidence may never depict all theevents that happened, inductive reasoning has a greaterlevel of uncertainty. The conclusions are based on limitedinformation rather than on a more solid scientific principle,but inductive reasoning can be useful when no broadprinciple can be applied. The forensic analyst identifiesthe best tools and approach for each case.24Variations of the Scientific Method of Forensic tion ySource: Forensics: Examining the Evidence, “Understanding the Scientific ethodDigital forensics follows a rigorous scientific process to present findings of fact to prove or disprove a hypothesis in a courtof law, civil proceeding or another action. Zatyko’s eight-step process can be grouped into three basic steps: acquisition,analysis and reporting, which are discussed in the following paragraphs and shown in figure 3.24Forensics: Examining the Evidence, “Understanding the Scientific Method,” s-science/understanding-the-scientific-method/ 2015 ISACA. All Rights Reserved.8

Overview of Digital ForensicsFIGURE3Digital Forensics Process Obtain search authority. Document chain of custody.DataCollection Duplicate digital evidence and validate using hash function. Validate forensic tools. Analyze evidence using investigative and analytical techniques.Examination Repeat and reproduce forensic analysis procedures and conclusions.and Analysis Report analytical procedures and conclusions.Reporting Present experts testimony about findings and conclusions.Data from: Zatyko, Ken, “Commentary: Defining Digital Forensics,” Forensic Magazine, 2 January ry-defining-digital-forensicsDATA COLLECTIONThe acquisition of data begins with seizure, imaging orcollection of digital evidence to capture suspect mediaor network traffic and logs, post breach. Enterprisestypically assume that they have the right to monitor theirinternal networks and investigate their own equipment aslong as they observe the privacy right of the employee.Employee privacy rights and the enterprise rightsshould be in written policies that are communicated toemployees. In the United States, the Fourth Amendmentcovers seizures. Federal warrants are issued underTitle 18 of the US Code for probable cause of a crime.However, exceptions allow data collection without awarrant for reasons such as consent, hot pursuit orplain view. In the United Kingdom, a magistrate issueswarrants to a constable under Section 18 of the Policeand Criminal Evidence Act. In the US, no one shouldever go on site until after they read the search warrantto review the seizure authority and the affidavit for the 2015 ISACA. All Rights Reserved.reasoning and the items to be seized. Regardless of thecountry, enterprises should understand and follow localand country jurisdiction laws before seizing materials.After digital media are acquired, an exact duplicate image(the forensic image) of the original media evidence iscreated and validated with hash values that have beencalculated for the original digital media and the duplicateimage. A hashing function, e.g., MD5, SHA-1 and SHA256, applies a mathematical algorithm to the digital dataand returns a fixed-size bit string hash value. Any changeto the data will change the hash value. Data with the samehash value are identical. The hash value validates that theevidence is still in the original state. The original mediaevidence is write blocked and stored to prevent anyfurther possible alteration. Hashing may not always bepossible. Mobile devices and memory, in particular, mayhave to be treated differently to maintain evidence.9

Overview of Digital ForensicsEXAMINATION AND ANALYSISAfter the duplicate image of the evidence is created,analysis can begin on the image. The digital forensicanalyst may use specialized tools to uncover deletedor hidden material. Depending on the forensic request,the analyst can report findings about numerous typesof information, e.g., email, chat logs, images, hackingsoftware, documents and Internet history. After evidenceis collected and analyzed, it is assembled to reconstructevents or actions and provide facts to the requestingparty. These facts may identify people, places, itemsand events and determine how they are related so thata conclusion can be reached. This effort can includecorrelating data among multiple sources.25 In someenvironments, early case assessment (ECA) providesimmediate review for the requesting parties, at which timethey can ask for more advanced analysis. ECA typicallyinvolves imaging, indexing, archiving and an internalreporting mechanism for the requesting party to quicklyaccess needed reconnaissance. ECA typically saves timeand is often preferred over analysis.REPORTINGAfter the analysis is complete, a report of the findings isdeveloped, which outlines findings and methodologies.The provided exhibits may include attribution of fileownership, chat logs, images and emails; detailed login/logoff times; entry into facility logs and anything thatplaces the suspect at the device at the same time andlocation of an event. The findings can be used to confirmor disprove alibis and provided statements. Digitalevidence can also be used to prove intent. The completedreport is given to the investigator, who is usually from lawenforcement in a criminal matter or a designated seniormanager in a civil action. Further actions are determinedafter the report is reviewed.25Digital forensic analysts provide facts and impart knowledgeto give expert opinion only when they are required to do soin court. They never seek to aid or blame. Instead, analystsprovide a scientific basis so that the court, company orother requesting party may use the unbiased evidenceand gain a better understanding of events.BRANCHES OF DIGITAL FORENSICSComputer forensics is the oldest and most stablediscipline of digital forensics. It concentrates ondeveloping evidence from a computer and associateddigital storage devices in a forensically sound mannerto preserve, develop, recover when necessary, analyzeand present facts in a clear and concise manner.In computer forensics, after the storage device isacquired, it is standard practice for an analyst to createa disk image from which to work. If the original device isconfiscated, it is safely stored as evidence. Sometimesa device is not confiscated so that additional evidencecan be gathered and future activities can be monitored.The forensic analyst creates a disk image of the device topreserve the original evidence. Today, virtual drives mayalso be used as way to emulate an entire machine.A number of techniques are used in computer forensicsinvestigations. Cross-drive analysis correlates informationthat is found on multiple hard drives, which are beingused to identify social networks. Live analysis extractsdates using existing system administration or developedforensic tools. Recovering deleted files is often inthe news, and it remains a mainstay of forensics forrecovering evidence. Because files are not erased, but areoverwritten eventually, over a period of time, an analysthas time to reconstruct deleted files.Op cit. Kent 2015 ISACA. All Rights Reserved.10

Overview of Digital ForensicsNetwork forensics is a relatively new field within digitalforensics. Generally, network forensics focuses on monitoringand analyzing computer network traffic to gather evidenceof exceeding authorization or detect an intrusion from aparty with no authorization to be on that system or network.Because network traffic is volatile and dynamic, analystsmust be proactive in their approach to capturing information.Network forensics takes two approaches to gatheringinformation: The more traditional approach catches and storesall data for analysis at a later time (e.g., logging theInternet usage of all users and only reviewing thedata after an alert). The second approach scans the data that pass throughthe network and is selective about the data that arecaptured (e.g., o

Cybersecurity Digital Forensics BRIEF HISTORY OF DIGITAL FORENSICS Digital forensics is nearly 40 years old, beginning in the late 1970s as a response to a demand for service from the law enforcement community (see figure 1). Most of the first criminal cases that involved computers were for financial fraud.2 In the 1980s, digital forensics .