Evolution of Digital Forensics

Introduction

Digital forensics is an aspect of forensic science put in place to help with investigations revolving around data recovery specifically from digital systems. The recovery follows a series of investigations into digital devices. This research delves into among others the evolution of the digital forensics principle and as such, it would be important to note some important observations. Previously, the terms digital forensics was used exclusively to refer to crimes committed while using computers. However, with time, the scope was widened to cover all investigations done on any kind of electronic device that can store or operate with digital data. Also, the study will address a number of common practical practices that have found their way into being a measure of standard practice. Note that digital forensics is the response to cybercrime which is could be generally described as offences committed with the use of or with intention of attacking computers (Horsman, G. (2019).

CRITIQUE

Cybercrime

Commission of cybercrime involves a series of computers which are connected together in a network and work together in co-ordination to attack targets. The harm to the victim may be physical, mental or may harm reputation of an individual directly or indirectly. The internet is a very powerful tool and so is the threat of a cyberattack. Possible victim of cybercrime is any person using the telecommunications channels such as email, group chats and all mobile phone users. The high number of mobile phone users in the world which is at least 2.7 billion people shows just how much the targets are very many. In spite of the means of acquisition of confidential data, exposure of such content to unauthorized parties could have a devastating effect to the victim in any number of ways. Some examples of cybercrime are debunked (Hill, R. et al, 2019).

Hacking

Hackers are motivated with a number of reasons to locate weaknesses in computer networks and thereafter design methods of breaching the defenses put in place. Some are out to get monetary compensation through blackmail or solidarity in protest or satisfy spirit of adventure. Some hackers just gather information. There are some hackers who are out to find out security integrity of systems and propose methods of improving the weaknesses. This research will focus on black-hat hacking aspect. Therein, we have a number of hackers who come together under umbrellas with common purpose to form communities founded on a set of ideals. The New Hacker’s Dictionary’s author, S. Raymond, holds that crackers is the best name for those hackers that operate in computer underground world. Interestingly, they too feel that the term cracker is quite harsh and the malice of their operation does not befit the ruthlessness of crackers. They too emphasize an array of hacking categories (Page et al, 2019). White hat hackers are more disciplined and earn by performing penetration tests on systems for clients and are as such ethical hackers. Black hat hacking is portrayed as the epitome of cybercrime and their decision to violate security defense is beyond malice or gain. Criminal masterminds in this category are a force to be reckoned with.

Sextortion

This crime is a form of extortion used by a perpetrator to exert his or her will on the target victim with the threat of leaking sexual images. Coercion is therefore key in this crime. This is a classic case of a flagrant abuse of power. The perpetrators always acquire the images from chats which may be accompanied by screenshots capturing the details of the victim. The ultimate threat is risk of sharing pornographic literature with friends, relatives and colleagues. Images shared while sexting may be traded in blackmail to force victims to give into sexual demands or further taking part in hardcore pornography production ( Ekstedt, M et al,. 2019). Sexual coercion is common among people of queer sexual orientation who are highly sensitive about their sexuality. The risk of sexual humiliation may cause a victim depression and eventual suicide. The relevant authority in the UK, National Crime Agency (NCA), produced a video highlighting danger of sextortion. Alternative methods of acquisition of blackmail content is from webcam manipulation where the victims are lured into undressing in front of the webcam and take part in sexual activity. Victims who are mostly men (95%) often masturbate in front of the webcam which is recorded and used to extort money from them (Paige, R. et al, 2018).

Espionage

Governments too can commit cybercrimes and one special case is espionage which is the act of being in possession of classified information and or sharing them with another party without approval of the rightful owner of the information. It is one way of gathering intelligence is and the illegal nature of the trade mostly dictates that the source of the data is not shared. This activity is always involving the military and when it veers into companies and businesses, it is called industrial espionage. The process involves tact and patience whereby the target establishments are infiltrated by enemy spies. The modus operandi of the spies is to convert dissidents through blackmail, harvest technology and sabotage the corporations. Note that despite the penalty of successful espionage convictions being harsh, the rewards are quite great. This motivate the perpetrators to continue with their attacks. Attacks are guided by asset recruitment, techniques of tradecraft and operational techniques (Forster et al 2019).

Unwarranted Mass Surveillance

This exercise is always done by both the government and some institutions for the purposes of monitoring activities of the citizens. Mass surveillance should be noted to be different form targeted surveillance. Unlike targeted surveillance in which the government policing bodies already know what they are looking for, mass surveillance is a stake out and as such unwarranted. The government stresses the importance of surveillance in curbing terrorism and protect national security. Concerns have been raised that the continuing trend could lead to illegal surveillance country and violation of privacy rights. Undertaking mass surveillance on citizens was first flagged by global surveillance disclosure authored by Edward Snowden in 2013. This scourge is faced by all countries in the world, just like the UK (Lowry et al, 2019).

The threat from cybercrime

Cybercrime rates have increased in criminality based on the larger sums of ransom sought and the scale of destruction incurred. For instance, a campaign by WannaCry ransomware affected NHS among many other target corporations. It is encouraging that with time, fewer people are falling for online pranks and criminals have shifted their attacks onto businesses. Businesses in the UK face more risk due to the double attack faced from both homegrown cyber criminals and Russian hackers (Shi et al, 2019).

Areas of weakness appealing to attackers stem from human weaknesses to security defense integrity which are marked for exploitation to obtain data and passwords. Security personnel must always be right on track to address the complexity of cyberattacks. Even hacking novices referred to as ‘Off the shelf’ can deliver lethal attacks using guidelines from the more proficient experts. The promise of huge profits has made the game to evolve in the art and science of attacks.

Cyberattacks are expensive to police and cut into the turnover of businesses. The official number of cases reported is not consistent with the increased level of attacks coordinated. It is clear that there is underreporting of these crimes. There is a promise of better results considering the new General Data Protection Regulation. Also to be considered is the inconsistency in penalty and the gravity of attacks (Haywood, D. (2018).

Digital forensics

Development of Digital forensics

Cybercrime is perpetrated in all parts of the world. The level of coordination involves usage of computer servers hosting operations in other countries which the affected countries have no jurisdiction. This necessitates a timely and effective level of intergovernmental collaboration between victim states. Such corporations involve UK police, partners in international policing such as the Europol and regional organized cybercrime centers. The need and method employed to capture criminals forms the backbone of this research (GENG et al 2019).

Digital forensics has its origin from the computer evolution which occurred between the late 1970s into the early 1980s. During the 1990s, the principle evolved in no organized manner and it was not until the next century that national policing was instituted (McCartney, C., & Amoako, E. N. 2019).

For any given field of study to be regarded as a science, it has to conclusively show study, description and investigation into the said field. Knowledge obtained must be repeatable. Finally, review by peers must follow thereafter. One main problem encountered in digital forensics is the fact that the evidenced composed by a digital forensics investigator may not be reviewed hence may be expunged on the basis of not being verified. The full flair of science is therefore not always there for digital forensics in such cases. The lag in development of this field could be attributed in part to the fast rate of development of digital technology leaving little time for forensics to catch up (Fenton, N. (2018).

Scope and Science of Digital forensics

Digital forensics is not confined to the practice of criminal investigation. It could be used in business corporations to data recovery, reconstruction of data from compromised devices among others. Some forensic processes are used to find out baseline condition of a computer. Also, some searches done on the computer, botnet and Malware, are done to establish impact.

This field of profession is littered with a series of puzzles and those who like this challenge are already one step closer to the solution. Some instances are tasking as the expert is provided with very little information on the actual nature of attacks rendered. Sometimes, it is an open quest and sometimes within strict timeframe. The investigator is always supposed to improvised because some attacks fall outside the consistency of the guidelines of operation which are put in place to counter them (Conway, A., & Hemphill, T. (2019).

Mobile and cell phone user’s numbers stood at 5 billion by the year 2010 and by then, it was already enhanced by incorporation of cameras in the design. As such, the need for forensic investigators has spiked to take care of the variety of problems accompanied by owning a cellphone. The expertise of forensic investigators is a preserve for the few because analysis of graphics and other details requires deep understanding which is not easily available. There is shift towards cloud computing and this has had a great impact on digital forensics. Cloud computing contracts pooled resources from cloud providers for storage and operations. The pooled resources are open to other organizations for hosting services (Gillespie, A. A. (2019). The discipline has been forced to make adjustments when handling such happenings where a business contracts third party for pooled resources in case of high demand and revert back to their smaller resources during low seasons. The change in usage of the said resources from one party to another causes conflict of convenience for forensics. The investigators are always forced to highlight instances of interest where; if the contract by the business is expired and they have deleted their storage compartments but failed to wipe them making their data vulnerable to falling in the wrong hands after being repurposed. Alternatively, when data has been deleted and consequently wiped out, then any effort to repurpose it will be unsuccessful more so when the resources have been contracted to other users (Sunde, N., & Dror, I. E. 2019).

A digital investigator understands that in their operations, once cloud computing has been used, the data of relevance will be stored in a number of devices and therefore establishing their origin is complex. Also, it means that data can exist in one instance then not be available in the next. The need to improve skills of digital investigation has been enhanced by the possibility of completely masking the trail of perpetrators by improving cloud computing services.

Some organizations available for the investigators are discussed. Formal forensics training is a prerequisite for an investigator despite his expertise. His or her understanding must be properly sanctioned by the relevant authority which is recognized by the legal apparatus for the evidence presented in court to hold. Competency evaluation of a report by the expert is always done before the evidence is admitted. Vendors always provide penetration testing training on their tools and accompany them with certification (Paige, R. et al, 2018).

Composing digital forensic protocols

Computer systems handle hundreds of millions of data structures and handling such astronomical content requires one to have a well-documented method of sorting and dealing with it coupled with a manageable plan of handling it. As relates to digital forensics, a court order referred to as examination protocol helps with guidelines and supervising experts charged with the responsibility of testing the origin of digital evidence. The name could also be used to refer to a formal understanding between parties that dictate inspection. These guidelines see to it that integrity of data is not compromised, privileged data is protected and standard practice is upheld in acquiring, analyzing and reporting of electronically stored information (ESI). Other advantages of laid down protocol ensures little or no delay and envisages stalling tactics and provides for ways to deal with it. Effective protocols are conclusive (Montasari F.et al,2019).

Insight into formulation and working of protocols is provided by an expert who has been in the field for more than 25 years. He states that he has been contracted by litigants to inspect digital devices and in his experience, he explains that there is no general guidelines standard for all instances of digital inspection. The procedures at one point in time which could be regarded as standard practice at that time alone are subject to changes in the technological advancement of digital evidence. In spite of this logical hindrance in consistency, investigators are bound to have some protocols failure to which they would spend a considerable amount of time trying to establish a working framework. The choice to stick to protocols which have been rendered obsolete by technological advancement points the investigator towards the wrong tasks and as a result miss out on important evidence (Choo, K. K. et al, 2018, August)

For one to come up with executable protocols, the investigator must comprehend the working of the tools and forensic techniques. They deal in patterns, artefacts and configurations. The data structures they deal in would not make much sense to a typical computer user. Obvious data such as date, time, relevant machine pre-settings, variation in time zones and other operating system status are always captured (Zamroni, et al,2018).

When considering the act of trying to collect data from a digital device a deposition, then the bit involving designing the questions to be asked is perfectly substituted by composition of forensic investigation protocol. In the same spirit, a competent and ethical interrogator is likened to an investigator who is guided by the trails of evidence but is always disciplined enough to draw boundaries. A further comparison with a litigant is the fact the former lets the evidence tell its own story whereas the latter will always coerce the evidence to align with the report of their clients. Despite digital investigation protocols varying from one device to another and from time to time, s set of elements hold true for all of them. They always ensure that they state the identity of examiner and clearly state the device under review. They ensure that depth of the investigation is set to be covered topically and time allocated for each topic. The integrity of evidence handled must always be upheld at all times and outline procedures to be followed to completion. The exercise requires high level of cooperation and this is followed in suit deadlines and reporting duties. Finally, payment responsibilities are set (Ferra, F. et al, 2018).

Identify the investigator

Provided involved parties have come to a mutual agreement on a suitable digital investigator, the protocol must therefore capture the expert’s academic and professional qualification. Also, for the process to be transparent, there must be a mention of the process of selection. Other important guidelines involving how to deal with neutral investigators or how to handle the scenario where there is mistrust between parties necessitating use of their own investigators. The court reserves the right to assess the curriculum vitae of the proposed experts to establish credibility of the professional certifications. Parties have until a given date set by the court to agree upon a neutral expert or seek the courts help in recruiting their trusted investigation. After successful selection, the experts must submit to the authority of the court and serve as an officer of the court (Materko et la,2019).

Identify devices and media

The investigation protocol must ensure that with the help of the now selected court officers, conclusively identify media under review. The identification may either be particular or generic in nature and must always documents the person whose care it is under. As the process of examination continues, the investigators may find out other missing devices which may be relevant to the investigation and as such prompt parties to develop mistrust and or charge on one another with obstruction of justice. It is thus important for the protocols to show the possibility of devices being discovered and advice on the necessary steps needed to address this unfolding (Soobhany, A. et al, 2018).

Set scope of investigation

Remember the analogy of device examination to deposition of a crime suspect. As such, there is no standard queries for all kinds of examinations (Hughes, J. (2019). Either way, a competent investigator follows the logic of presented evidence and makes the most out of it. The investigator is must always remember to be open to the possibility of new evidence coming into light and must never overreach himself to get quick results with weak case. The court while giving its orders must never in any way hinder the ability of the investigator to figure out mandate. The court order must never be structured with ultimatums but rather with achievable goals and remember to outline the possible drawbacks. Such structuring ensure that the overall cost of the investigation is manageable (Goldsmith, M. et al, 2019).

Set time framework

Parties always find a way of putting constraints in the research by digital investigators by limiting the time they have to relay the findings back to the court. The limitation on the scope of work of expert considering the time allocated for the study could be argued to be frustrate the efforts of the investigator. There is no forensic tools which can hinder clusters which have not been allocated and investigative artifacts to a date range. Generally, due to the unreliable nature of time data of a given digital document, there are limited guidelines for forensic artefacts as appertains to time. Even when considering active data, there won’t be auxiliary data to help understand verifiable time constraint. A perfect example would be the time stamps that always show date of computations but there is no data to capture the date of the logs themselves. As such, failing to include logs hinders the querying of log entries that are relevant to the investigation (Lopes, R. H et al, (2019). Parties that do not understand data structures cannot appreciate developments such as the fact that apart from coming earlier than any other authoring time thereafter, the creation time of a file has no particular verifiable relationship with subsequent authoring. As such, the investigator can only process date range for documents that have associated temporal history appended to them. Based on this development, one favorable protocol would be not to include data in the final report when the time in which it was authored or modified falls out of the scope of timeframe of the protocol (Hosseinian-Far et al, 2019)

Evaluate integrity of evidence produced

A client seeking digital investigation must always keep in mind that there is possibility that the evidenced taken in could be reimaged of corrupted to tamper with the result. Thus, a relevant step to ascertain that supplied evidence is what it ought to be and that its contents have not been compromised. The researcher could choose to ensure that time captured on important files are reliable when matched up against the date in the device under review; try to establish attempts by any party to compromise log data or be keen not to miss installation or uninstallation of anti-forensic tools to mask illicit activities (Ranadive et al 2016).

Ensure maximum cooperation

Advancement in cyber security has made it very hard for investigators to bypass such measures easily and necessitates full cooperation of both parties to ensure efficient usage of resources for the research. As it stands, it is an obligation on the part of parties to provide they login credentials for easy bypassing of the multi-layered levels of encryption. Guidelines always explicitly show that at no point in time would the investigating personnel use the credentials to access data other than the prescribed one (Sommer, P. (2018).

Plot the process

The drafters of the protocol must always detail undertakings to be done. They must be logically laid out in steps for them to figure out the best tools to use in the process to achieve best results. Composers of protocols must avoid ambiguities and avoid objectives that cannot be implemented. Better yet, the protocols could always be drafted with informed guidance of experts (Farrell, G., & Birks, D. (2018).

Establish the party which settles the bills

Digital forensic investigators charge high rates per hour, and rightly so due to the blood and sweat invested in training, and very long investigations whose protocols are poorly drafted are unmanageably expensive. It is therefore important that protocols are open to modification and close supervision to maintain low cost. Protocol must capture who pays for services rendered by a neutral expert (Casey, E. 2011).

Recover deleted data

The main objectives of different digital forensic expeditions are not similar for all instances of investigations. However, the one unifying expectation of most investigations is recovery of deleted data. In a bid to recover deleted file, a digital investigator could employ any one of some principle methods (Berger et al,2016).

Search by keyword- when the investigator wants to locate deleted documents, they could trace remnant data by searching keywords in the slack space. This is an inaccurate method but could be used when other methods fail (Faulks, M. et al, (2019, January).

File carving by remnant directory data- some filing systems have their residual file directory markers showing addresses where one can find deleted files. Scans to locate lost directories helps with the process of recovery (Nicholson, S. (2019).

File carving by binary signature- files have digital signatures specific to them and when investigators seek for matches in the clusters (unallocated), and successfully establish the contents of files, software used normally begins a process of successful reconstruction. Note however that the evidentiary integrity of data recovered through this means is highly compromised (Stephens, P. (2018).

Reporting and deadline

Final report will be result of answers from the protocol and both preliminary and final deadlines will be as prescribed in the protocols (Smith, J. (2018).

Conclusion

The rising cases in cybercrime and other computer related attacks have necessitated for improved policing to curb it. The possibility of conducting such attacks in several countries at the same time with the help of cloud computing has made execution of implemented guidelines harder thus calling for regional and international liaison between governments. Arising possibility of outsourcing the ever improving services of cloud computing contractors has made the perpetrators be able to hide their trail. When such perpetrators are incarcerated and tried, the services of qualified digital investigators are needed to make out the level of tampering with the devices using relevant tools (Gundur, R. V. et al, 2019). Due to the varied nature of cybercrimes, experts always have an array of tools to choose from. Their choices are always guided by a series of unambiguous protocols that guide them with their operation. For best services, it is advisable that the advocates always consult with the digital investigators while drafting protocols so that achievable objectives are set. Also, they must ensure that protocols are adjusted as investigations are continuing so that budget allocations are met. The study recommends that training of more investigators is facilitated by the government to cut down on the astronomical fees for their services.

References

Casey, E. (2011). Digital evidence and computer crime: Forensic science, computers, and the internet. Academic press.

Robertson, B., Vignaux, G. A., & Berger, C. E. (2016). Interpreting evidence: evaluating forensic science in the courtroom. John Wiley & Sons.

Neumann, C., Kaye, D., Jackson, G., Reyna, V., & Ranadive, A. (2016). Presenting quantitative and qualitative information on forensic science evidence in the courtroom. Chance, 29(1), 37-43.

Dror, I. E. (2018). Biases in forensic experts.

Cooper, G. S., & Meterko, V. (2019). Cognitive bias research in forensic science: A systematic review. Forensic science international.

Montasari, R., Hill, R., Carpenter, V., & Montaseri, F. (2019). Digital Forensic Investigation of Social Media, Acquisition and Analysis of Digital Evidence. International Journal of Strategic Engineering (IJoSE), 2(1), 52-60.

Schreuders, Z. C., Cockcroft, T. W., Butterfield, E. M., Elliott, J. R., & Soobhany, A. R. (2018). Needs Assessment of Cybercrime and Digital Evidence in a UK Police Force.

Marshall, A. M., & Paige, R. (2018). Requirements in digital forensics method definition: Observations from a UK study. Digital Investigation, 27, 23-29.

Page, H., Horsman, G., Sarna, A., & Foster, J. (2019). A review of quality procedures in the UK forensic sciences: What can the field of digital forensics learn?. Science & Justice, 59(1), 83-92.

McCartney, C., & Amoako, E. N. (2019). Accreditation of forensic science service providers. Journal of forensic and legal medicine, 65, 143-145.

MacDermott, A., Baker, T., & Shi, Q. (2018, February). Iot forensics: Challenges for the ioa era. In 2018 9th IFIP International Conference on New Technologies, Mobility and Security (NTMS) (pp. 1-5). IEEE.

Sunde, N., & Dror, I. E. (2019). Cognitive and human factors in digital forensics: Problems, challenges, and the way forward. Digital Investigation, 29, 101-108.

Horsman, G., Page, H., & Beveridge, P. (2018). A preliminary assessment of latent fingerprint evidence damage on mobile device screens caused by digital forensic extractions. Digital Investigation, 27, 47-56.

Montasari, R., Hill, R., Carpenter, V., & Hosseinian-Far, A. (2019). The Standardised Digital Forensic Investigation Process Model (SDFIPM). In Blockchain and Clinical Trial (pp. 169-209). Springer, Cham.

Montasari, R., Carpenter, V., & Hill, R. (2019). A road map for digital forensics research: a novel approach for establishing the design science research process in digital forensics. International Journal of Electronic Security and Digital Forensics, 11(2), 194-224.

Ledbetter, W., Glisson, W., McDonald, T., Andel, T., Grispos, G., & Choo, K. K. (2018, August). Digital Blues: An Investigation Into the Use of Bluetooth Protocols. In 2018 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/12th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE) (pp. 498-503). IEEE.

Horsman, G. (2019). A forensic examination of online search facility URL record structures. Journal of forensic sciences, 64(1), 236-242.

Schreuders, Z. C., Cockcroft, T. W., Butterfield, E. M., Elliott, J. R., & Soobhany, A. R. (2018). Needs Assessment of Cybercrime and Digital Evidence in a UK Police Force.

Iqbal, A., Mahmood, F., & Ekstedt, M. (2019). Digital Forensic Analysis of Industrial Control Systems Using Sandboxing: A Case of WAMPAC Applications in the Power Systems. Energies, 12(13), 2598.

Franqueira, V. N., Inacio, P. R. M., Mileva, A., Conti, M., Leppänen, V., & Lopes, R. H. (2019). Guest Editorial Special Issue on Security and Forensics of Internet of Things: Problems and Solutions. IEEE Internet of Things Journal, 6(4), 6363-6367.

Nouh, M., Nurse, J. R., Webb, H., & Goldsmith, M. (2019). Cybercrime Investigators are Users Too! Understanding the Socio-Technical Challenges Faced by Law Enforcement. arXiv preprint arXiv:1902.06961.

Farrell, G., & Birks, D. (2018). Did cybercrime cause the crime drop?. Crime science, 7(1), 8.

Smith, J. (2018). Book review: Cybercrime and its Victims.

Hughes, J. (2019). An Analysis of Cybercrime Activity within an Underground Gaming Forum.

Williams, M. L., Levi, M., Burnap, P., & Gundur, R. V. (2019). Under the corporate radar: Examining insider business cybercrime victimization through an application of routine activities theory. Deviant Behavior, 40(9), 1119-1131.

Hadlington, L., Lumsden, K., Black, A., & Ferra, F. (2018). A qualitative exploration of police officers’ experiences, challenges, and perceptions of cybercrime. Policing: A Journal of Policy and Practice.

Marshall, A. M., & Paige, R. (2018). Requirements in digital forensics method definition: Observations from a UK study. Digital Investigation, 27, 23-29.

Umar, R., Riadi, I., & Zamroni, G. M. (2018). Mobile forensic tools evaluation for digital crime investigation. International Journal on Advanced Science, Engineering and Information Technology, 8(3), 949-955.

Conway, A., & Hemphill, T. (2019). Growth Hacking as an approach to producing growth amongst UK Technology Start-ups: An Evaluation. Journal of Research in Marketing and Entrepreneurship< onbehalfof@ manuscriptcentral. com>.

Fenton, N. (2018). Regulation is Freedom: phone hacking, press regulation and the Leveson Inquiry–the story so far. Communications Law, 23(3).

Nicholson, S. (2019). How ethical hacking can protect organisations from a greater threat. Computer Fraud & Security, 2019(5), 15-19.

Marchang, J., Beavers, J., & Faulks, M. (2019, January). Hacking NHS Pacemakers: A Feasibility Study. In 12th International Conference on Global Security, Safety & Sustainability. IEEE.

Haywood, D. (2018). The ethic of the code: values, networks and narrative among the civic hacking community (Doctoral dissertation, Goldsmiths, University of London).

Silic, M., & Lowry, P. B. (2019). Breaking Bad in Cyberspace: Understanding why and how Black Hat Hackers Manage their Nerves to Commit their Virtual Crimes. Information Systems Frontiers, 1-13.

GENG, R. B., & KIM, S. H. (2019). The chilling effect of enforcement of computer misuse: Evidences from online hacker forums.