Abstract
Digital forensics is a critical branch of the forensic discipline that deals with crimes and misconduct involving computer systems. The use of computers to investigate online crimes led to the development of this field. It provides new ideas for understanding and improving existing concepts and for directing future work in digital forensics. Over the last few years, with the advent of new electronic devices such as mobile phones, tablets and laptops, the field has gained popularity. This has resulted in a shift of theft from the physical to the online mode, where data and information now reside. This paper surveys existing digital forensics education programs and digital forensics practitioners regarding the tools they use, and reports whether the tools being taught are the same as those used in practice. The paper also examines three different tools used by forensic practitioners in real-world scenarios.
Keywords: Digital Forensics, curriculum, undergraduate program, graduate program, survey
Introduction
Digital forensics is not a new concept. It has existed for a long time, as computer systems have the capability to preserve valuable data for a variety of uses. In the past, digital forensics was primarily performed by the government to safeguard the interests of those who rely on the internet for most of their business transactions, but it quickly gained popularity in all other sectors (Boucher and Endicott-Popovsky, 2008). With computers and internet technology pervading our lives, digital devices have become irreplaceable in our professional and personal lives. For instance, electronic communication using instant messaging and email has become universal. Mobile phones, computer systems and laptops are increasingly being used for business communication, e-commerce and internal management. Society collectively has become so dependent on electronic media and internet technologies that internet infrastructure has become the basis of every organization, be it banking, finance, entertainment, health, transportation, warfare or communications (Boucher and Endicott-Popovsky, 2008). The downside is that, with so much of society online, the entire world wide web has become a target for hackers, criminals, fraudsters and terrorists. In recent years, online fraudulent activities have increased in frequency and large financial losses have been recorded by the cyber security community (Carlton, 2007). With fraudulent transactions amounting to billions of dollars each year, there is an urgent need to address these concerns by building a stronger and more vigilant workforce to detect and prosecute these crimes, attacks and fraudulent activities. Computers involve many technical concepts, and only educated, expert digital forensic practitioners with the right knowledge and skill set can conduct digital investigations (Brueckner et al., 2008). The digital forensic investigation process chiefly consists of five major steps.
These are listed below:
Conservancy: Conserving digital data in the form of evidence is vital for the successful investigation of an online fraud case.
Collection: Next comes the collection of devices containing digital information in the form of digital data.
Examination: The original evidence is then examined in a way that preserves its integrity.
Analysis: During the investigation, an examiner recovers the available evidence with the help of tools and other resources.
Reporting: The analysis is then reported, including a comprehensive review and audit information concerning the technical aspects of the case.
The digital forensics education program is offered as one of five courses under the subject of information security. Upon successfully completing the course, students will be adept in:
Understanding the basic concepts of digital forensics
Synthesizing the ethical aspects of dealing with cyber forensics
Differentiating data recovery methods across storage devices
Explaining the legal forces associated with evidence collection
Gathering new evidence
Comparing the implications of privacy laws in the context of digital forensics
Segregating methods of data recovery using varied storage devices
Applying data access, data hiding and storage techniques to real-world digital forensics (Carlton, 2007)
It is often observed that criminals hide or delete files in multiple ways. This is especially common in child pornography cases. Some criminals simply change the file type so that the investigator would not recognize the file, and even the operating system in use would identify it as a different file type (Boucher and Endicott-Popovsky, 2008). One of the most critical tasks of a computer forensic practitioner is to restore all files deleted from the system, as well as those that have been altered so that they appear unusable. In this regard, it is all the more important to learn to operate powerful tools such as File Hound (2013) and Evidence Eliminator (2013), which greatly amplify an investigating officer's work (Brueckner et al., 2008). When Evidence Eliminator is used to delete a file, no trace of the file is left behind. During laboratory teaching, students are given this exercise to perform, testing the case using both Evidence Eliminator and FTK. File Hound is free-to-use software that performs excellently in locating all the image files on a system or mobile storage device (Carlton, 2007).
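The following Python script is an added example, not part of the paper and not code from File Hound, Evidence Eliminator or FTK. It shows the signature check an examiner relies on to catch files whose extension has been changed: each file's leading bytes are compared against well-known type signatures, and a SHA-256 of the content is recorded so that later steps can demonstrate the evidence was not altered. The sample files are constructed byte strings, and the signature table and alias map are the example's own.

```python
import hashlib

# Well-known leading-byte signatures ("magic numbers") for common file types.
SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF89a": "gif",
    b"%PDF": "pdf",
}
# Extensions that legitimately share a signature with the canonical name.
ALIASES = {"jpeg": "jpg", "jpe": "jpg"}

def detect_type(data):
    """Type implied by the file's leading bytes, or None if no signature matches."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None

def claimed_type(name):
    """Type claimed by the file name extension (lower-cased, aliases folded)."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ALIASES.get(ext, ext)

def triage(name, data):
    """Compare claimed vs detected type and record a SHA-256 for the evidence log."""
    detected, claimed = detect_type(data), claimed_type(name)
    return {
        "name": name, "claimed": claimed, "detected": detected,
        # Unknown content is not flagged: a missing signature is not proof of innocence.
        "mismatch": detected is not None and detected != claimed,
        "sha256": hashlib.sha256(data).hexdigest(),
    }

def find_mismatches(files):
    """Names of files whose content signature contradicts their extension."""
    return [r["name"] for r in (triage(n, d) for n, d in files) if r["mismatch"]]

# Constructed sample evidence set (fabricated byte strings, not real files).
SAMPLE_FILES = [
    ("vacation.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 12),  # genuine JPEG header
    ("report.pdf", b"%PDF-1.4\n"),                         # genuine PDF header
    ("notes.txt", b"\xff\xd8\xff\xe1" + b"\x00" * 12),     # JPEG renamed to look like text
    ("holiday.gif", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),  # PNG carrying a .gif extension
    ("readme.txt", b"just plain text"),                    # no signature: left unflagged
]

if __name__ == "__main__":
    for r in (triage(n, d) for n, d in SAMPLE_FILES):
        print("MISMATCH" if r["mismatch"] else "ok      ", r["name"], r["claimed"], r["detected"])
```

A real run would read the leading bytes of every file on a mounted image instead of the constructed list; files with no known signature still need manual review.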
Digital Forensics Education Programs
Given that the level of online fraudulent activity is increasing considerably, several degree programs in computer and digital forensics training have been designed. A bachelor's degree in computer and digital forensics is framed to give students a strong foundation in advanced computer systems and advanced digital forensics. A master's degree, on the other hand, is designed to prepare graduates to become professional digital forensics examiners. Other graduate certificates also help students prepare for the prosecution of criminal activities that utilize computers and other electronic communication devices (Endicott-Popovsky et al., 2007).
A bachelor's degree program in digital forensics gives students a strong background in three different disciplines, namely criminal justice, computer science and accounting. Upon graduating, students are eligible to receive a professional certificate of program completion. Those who wish to obtain a fraud examiner certificate can also opt to undergo professional training through a master's degree program (Carlton, 2007). Additionally, many such programs can be accessed partially or completely online; these are mostly graduate level programs.
Another aspect of becoming a digital forensic practitioner is continuing education. As computer technologies are continuously evolving, it is critical for computer forensic professionals to stay updated and informed about the latest fraudulent techniques that criminals might be using, and to learn how to counter those practices (Brueckner et al., 2008). This can be achieved through free software available online, by joining relevant professional associations and by actively participating in university continuing education departments.
A digital records forensics program is designed with the following objectives:
As in other professions, it is the amount and level of training undertaken that determines the eligibility of professionals for various jobs. Some of the most common jobs available these days in the field of computer systems and digital forensics include the following:
Digital or system forensic examiner
Computer systems consultant
Installation technician
Applications specialist
Cybercrime specialist (Carlton, 2007)
Digital Forensics Investigative and Analysis tools used by experts
Cyber forensic investigation is a very complicated procedure which requires intense analysis and reporting. This calls for dependable and reliable tools that experts can use for better management and to ensure accuracy and flexibility. For example, when a digital investigator analyzes a fraud case, he encounters numerous pieces of evidence ranging from electronic devices to other modes of communication (Brueckner et al., 2008). This is where he needs handy tools to perform network and email, volatile memory and hard drive forensics. Some of the digital forensics tools most commonly used by practitioners are listed below:
SANS SIFT
The SANS Investigative Forensic Toolkit is built on an Ubuntu environment and comes as a single package distributed as a VMware virtual machine for computer forensics. The toolkit comes preconfigured with all the tools needed to carry out an investigation, such as memory forensics and network tools (Endicott-Popovsky et al., 2007). The main feature of the software is that it supports multiple operating systems including Windows, Mac and Solaris. Additionally, it is compatible with multiple forensic image formats such as AFF (Advanced Forensic Format), the Expert Witness format (E01) and raw dd (Carlton, 2007). Further, it has inbuilt tools such as The Sleuth Kit, Volatility and Autopsy that can be used by the practitioner at no additional charge.
EnCase Computer Forensics
This tool belongs to the range of digital forensics tools created by Guidance Software. It is used for imaging, analysis, forensic machine acquisition and evidence reporting. It also includes forensic solutions for smartphones, hard disks, removable media and tablets. The software provides a unique scripting facility known as EnScript and various APIs for interacting with the evidence (Carlton, 2007). A generic review process for sharing findings and evidence, a password recovery toolkit, FTK Imager and registry viewers are some of the other features of this software.
X-Ways
A product of a German manufacturer, the software is built on the foundations of WinHex. WinHex itself was used for data recovery, RAM editing, hex editing and computer forensics applications. With this software, forensic investigating officers can image or clone a suspect device and read file systems such as HFS, FAT, NTFS and ext. It also permits intense analysis and the capture of volatile memory dumps without altering the dump (Carlton, 2007). Unlike other investigation tools, it is fast, superior and more powerful, and its quick reporting mechanism and advanced filtering options make it the most reliable forensic investigation tool of all.
FTK Imager
FTK Imager is part of the AccessData Forensic Toolkit and is developed for mounting, digital forensic imaging and analysis. It does not need to be installed and can quickly create images in multiple formats such as SMART, raw (dd) and E01. Apart from the GUI, FTK Imager also provides a command line version of the tool (Brueckner et al., 2008). Further, it acts as a hex interpreter or viewer, giving the user the added capability to carry out an investigation without changing the original evidence.
The two categories of tools generally used by digital practitioners are extraction and presentation tools. Extraction tools are those that process data to extract a subset of it. For instance, an extraction tool would work on a file system image and produce a replica of the file system as it was when last accessed (Endicott-Popovsky et al., 2007). Presentation tools, on the other hand, are used to organize the data produced by the extraction tool into a usable format. A single presentation tool is capable of displaying data organized by file directories, which is generally how most people view a file system. With open source extraction tools, the examiner has access to the extraction output and can use it to validate the result of the presentation tool (Boucher and Endicott-Popovsky, 2008).
Usability of tools in Digital Forensic framework
Needless to say, usability is a critical aspect of any technical framework. Hence, usable security is gradually emerging as a prolific research domain. In the last few years, digital forensics has emerged as a more organized, robust and formal process in which the available tools are used appropriately (Endicott-Popovsky et al., 2007). Today, it is a more mature and operational field. The tools available today can be used to perform constructive analysis and produce clean evidence duplicates. Contemporary tools can help to recover files permanently deleted from the system, build event timelines and more (Carlton, 2007). Evidently, there has been a significant change in the way training and education are given to new practitioners to acquire in-depth expertise in the realm of digital forensics.
A Computer and Network Forensics (CNF) laboratory in an educational institution must be equipped with three categories of software needed for the discovery and recovery of evidence: a) CNF tools, b) dedicated operating systems and c) user applications (Carlton, 2007). While the CNF tools help students quickly analyze the available data and evidence, the operating system software is used to remotely pursue the criminal and his machines, and the user applications help to further analyze the data and evidence to reach the final conclusions. Much of this software is available free online, while software that is not free can be shared depending on the case in progress. Some online vendors might also offer educational discounts to students, but there is always a consistent demand for specialized software to conduct specific experiments (Boucher and Endicott-Popovsky, 2008). As there are numerous tracking and assisting tools available to a digital forensic investigator, depending on a student's specific career goals it is recommended to seek certifications for some of the most popular ones, such as X-Ways Forensics and AccessData (Brueckner et al., 2008). Moreover, as the field of computer forensics is changing at a rapid rate, the certifications, tools and licensing processes will certainly evolve in the years to come. Hence, it is critical for all professionals, practitioners and new graduates to stay abreast of the latest available and most desirable credentials for digital forensics (Endicott-Popovsky et al., 2007).
Conclusion
Digital information surrounds us everywhere these days: at home, at work and even at leisure. We hardly use any physical data now. Everything, including information, resources, tools, education, finances, groceries, garments, and the list is endless, is available in soft form online. We now use online banking and shopping, access social media, and network for jobs and business online using our desktops, laptops, tablets or mobile phones (Boucher and Endicott-Popovsky, 2008). Thus, all critical data and valuable information is now available and operational in the form of digital data, and thefts and robberies have shifted accordingly from the physical to the digital mode. Newer forms of online malware and viruses disrupt the world wide web in a number of ways. Technology is changing at a fast rate, and so are the phases of cybercrime and warfare. This is where the role of forensic experts comes into play (Endicott-Popovsky et al., 2007).
For those who intend to start a fresh career in digital forensics, a certificate in computer security and digital forensics from a reputed institute will provide an in-depth understanding of data safety and computer security (Endicott-Popovsky et al., 2007).
In the face of increasing losses owing to computer related crimes, there is increasing hype around the techniques used for investigation and evidence gathering. A critical element in improving forensic methods is the development of a detailed curriculum dedicated to forensics education. This paper has presented various resources, curriculum details and the necessary tools taught to students as part of the educational framework (Carlton, 2007). With the internet exploding with information every day, it is expected that cyber related crimes will increase with time. This makes efficient training and education indispensable to address the needs arising from increasing computer fraud in the years to come.
References
Carlton, G. H. (2007). A grounded theory approach to identifying and measuring forensic data acquisition tasks. Journal of Digital Forensics, Security and Law, 2(1), 35-56.
Brueckner, S., Guaspari, D., Adelstein, F., & Weeks, J. (2008). Automated computer forensics training in a virtualized environment. Journal of Digital Investigation, 5, S105-S111.
Boucher, K., & Endicott-Popovsky, B. (2008). Digital forensics and records management: What we can learn from the discipline of archiving. In Proceedings of the Information Systems Compliance and Risk Management Institute. Seattle, WA: University of Washington.
Endicott-Popovsky, B., Frincke, D., & Taylor, C. (2007). A theoretical framework for organizational network forensic readiness. The Journal of Computers, 2(3), 1-11.