Abstract
The digital space is becoming increasingly volatile and dangerous. Digital forensics experts need to improve their skills if they are to keep up with the changes taking place in this space. Data is one of the tools that allow the experts to tackle the challenges present in the digital space. Various sources provide investigators with information that can prove useful. There are a number of challenges that the investigators grapple with in their efforts to reveal the individuals responsible for various forms of cyber attacks. These challenges and the different sources of data are the subject of this paper.
Introduction
Information technology has revolutionized virtually all aspects of human life. From communication to entertainment, all human endeavors have been affected by it. While the benefits of information technology must be recognized, the challenges it presents also deserve mention. Individuals and organizations rely on information technology for such needs as communication. Despite the measures instituted to ensure data security, breaches still occur, and left unaddressed they could devastate any organization. For instance, Yahoo recently reported that a security breach had allowed hackers to obtain the personal details of millions of users (Moritz & Womack, 2016). Investor panic was the result. The Yahoo case underscores the need for organizations to dedicate their efforts to securing their systems. Digital forensics investigation is one of the tools available to individuals and organizations that wish to secure their systems. Basically, digital forensics investigation involves examining digital data and assessing the tools used to handle that data in order to determine whether any breach or unauthorized access has occurred (Mulazzani, Huber & Weippl, n.d.). This form of investigation helps law enforcement officials gain insight into cybercrime and collect evidence that can then be presented in court. Different types of data are used in this kind of investigation. Social media data, data contained in smartphones, data stored in servers, data contained in hard and network drives, and data held by network service providers are some of the sources that may prove useful. These data sources are the subject of this paper. The paper evaluates the usefulness of each source and explores the challenges that may be faced in its collection and examination. Network intrusion, malware installation and insider file deletion are the main benchmarks against which the data sources are evaluated.
Social media data
Challenges
The emergence of social media as an important tool for communication provides digital forensics investigators with opportunities for tackling crime. Social media platforms such as Facebook hold personal information about millions of individuals from across the globe. Despite this, there are still challenges in the collection and examination of this data. Some of these challenges are legal. Social media sites such as Facebook have developed privacy policies in which users are assured that personal information will not be shared with any third party (Wright, 2012). It is therefore difficult for an investigator to obtain this data. There have been reports that security agencies in the United States are compelling social media platforms to share personal information, and some of these cases have found their way to the courts. These cases highlight the legal challenges that investigators face as they try to obtain social media data. In an effort to safeguard user privacy, some social media platforms have introduced new security measures. For example, WhatsApp introduced a feature that encrypts messages so that only the individuals involved in a conversation can read them. Measures such as this make it very difficult for a digital forensics investigator to collect social media data.
The other challenge that investigators face in the collection and examination of social media data lies in the evolving nature of social media. Every day, social media undergoes some form of change, and it is quite difficult for investigators to keep up. Consider the case of Snapchat, a social media platform that allows users to share their pictures. One of the features that has made this platform very popular is the automatic deletion of posts made by users (French, 2015). Suppose an investigator wishes to obtain data from this platform. Unless the investigator intercepts the data at the moment it is posted, the data will be lost, and the investigator will be unable to collect or examine it. This challenge is worsened by the fact that investigators lack the expertise or the tools needed to keep up with the changes. The case of the FBI, which had to turn to a private organization to unlock the phone of a suspected terrorist, highlights the fact that investigators are not fully equipped to keep up with the evolution that social media and the larger technological landscape are undergoing.
Network intrusion
Network intrusion refers to a situation where an unauthorized party gains access to restricted or personal information. For example, an individual may obtain the login credentials of a social media user and use these credentials to gain access to the user’s account. It is the role of an investigator to examine how this intrusion occurred. Once challenges such as the legal hurdles have been overcome, social media data can be useful in investigating network intrusion. The fact that social networks enjoy a wide pool of users means that social media data can indeed be useful in investigations (Mulazzani, Huber & Weippl, n.d.). Most social media platforms are based on the premise that one user is connected to another user, who is in turn linked to other users, and so on. Investigators can leverage these connections to investigate intrusions. Social media data can provide investigators with clues that can be used to identify those responsible for network intrusions. For example, when a user brags on social media about an intrusion that they orchestrated, investigators can use this information as evidence and to initiate legal action.
Malware installation
Malware refers to programs that are deliberately installed on systems to cause harm. For example, an individual can infect a system with a program that steals private information. Malware installation is a threat that most social platforms continue to face. It usually takes the form of links that direct users to websites from which information can be stolen and other harmful actions taken. As with network intrusion, social media data can be helpful in investigating cases of malware installation. Suppose that a social media user is responsible for a malware installation. It has been shown that details such as usernames, passwords, pictures and location data can be obtained from social media platforms (Baggili & Breitinger, 2015). This is particularly true for platforms that are not strongly secured. Investigators can use these details to link the user to the malware installation. These details act as breadcrumbs that can lead investigators to the perpetrators. The same details can also be used when social media users are the victims of malware installation. Investigators need to look for clues in the social media data that point to the person behind the installation of the malware.
Insider file deletion
Insider file deletion refers to a process where individuals who have been trusted with classified information betray this trust by clearing records. Insider file deletion is a threat to cyber security since it is carried out by trusted people who understand the vulnerabilities of systems (Chan et al., 2012). The key to tackling this deletion is tracing it back to the perpetrator. It is advised that system administrators move quickly to identify those responsible for the deletion (Chan et al., 2012). Social media data could provide insights that can be used to identify the responsible party. Suppose that the perpetrator used credentials that can be linked to their social media account. An investigator can exploit this link to identify the perpetrator. Investigators can also rely on network logs to identify incidents of insider file deletion, since these logs serve as records of the activities carried out on a network.
Smartphone data
Challenges
Over the last few years, smartphones have risen in popularity and use. Every year, millions of smartphone units are shipped to markets across the globe. It is understood that smartphones have provided criminals with a new tool for committing crimes. The use of smartphones for criminal activities presents investigators with a new challenge, and it makes the difficulty of collecting and examining smartphone data even more severe. Privacy concerns are among the challenges that investigators face in their efforts to obtain information from smartphones. Fears have been raised that collecting personal information from smartphones amounts to a violation of privacy. Recently, Apple was involved in a legal tussle with the FBI, which needed to retrieve information from a terror suspect (Kharpal, 2016). The FBI’s request for access to the information was denied. Apart from the privacy concerns, the increasing sophistication of smartphone security makes it difficult for investigators to gain access to user information. For example, Apple introduced an update to its operating system which protects users from unauthorized access to information (Perlroth, 2016). Manufacturers of Android devices have also implemented an additional level of security. For instance, companies such as Sony have equipped their phones with a feature that secures the phones at the bootloader level. This means that even when someone factory resets the phone, they are still unable to use it, since the phone will prompt them to supply the details of the owner. Unless a user is compelled by a court to unlock their phone, smartphone data would be of little use to an investigator.
Network intrusion
It is true that the challenges discussed above hamper the efforts of an investigator to collect and examine smartphone data. However, insights can still be gleaned from this data to understand network intrusions. Data mining methods can be used by investigators to detect intrusions against smartphone systems (Addagada, 2010). Most intrusions that affect smartphones occur when the phones are connected to Wi-Fi networks. Attacks are most likely to occur when the networks do not employ strong security measures (Dobrotka & Kibirkstis, 2009). Smartphone data can be used to understand how attacks on Wi-Fi networks occur, so investigators can take part in making the networks more secure. Tools such as firewalls that can be installed on smartphones can also aid the investigation process (Li, Clarke & Papadaki, 2008). It is important to note that the fact that smartphones are a fairly new technological development makes data retrieval and investigation difficult. Therefore, it can be argued that smartphone data would not significantly improve investigation into network intrusions and other incidents.
Malware installation
Smartphones are especially vulnerable to malware attacks, because they do not enjoy the same level of protection as other systems. Despite this, a digital forensics investigator would find the data they contain to be helpful. Most malware is embedded in applications which users install on their phones (Batten, Moonsamy & Alazab, 2016). Basically, as an individual installs a compromised application, they inadvertently install the malware. The smartphone data that is most helpful to an investigator is that contained in the application suspected of being malware. Details such as the permissions an application has been granted, its content providers, the services it offers and the activities it has carried out can easily be obtained (Batten, Moonsamy & Alazab, 2016). An investigator can then use this information to confirm whether the suspected application is indeed malware. For example, suppose that an application has been granted permission to use the smartphone’s camera, the camera develops hitches, and it is suspected that malware is behind these hitches. An investigator can use the details on application permissions to isolate the culprit.
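The permission triage described above, as an added example that is not code from the paper or from Batten, Moonsamy and Alazab: the script parses an Android manifest, lists the declared permissions, activities, services, content providers and receivers, and flags the permissions that expose the data an investigator is asking about (a misbehaving camera, in the paper's scenario). The manifest is constructed for a fictitious "flashlight" app; the permission names are real Android permission names, but the package, component names and the risk grouping are assumptions.

```python
"""Triage of an Android app manifest during a malware investigation.

Added example, not from the paper or its sources. Parses a constructed
AndroidManifest.xml and reports what the app declares, flagging the
permissions that grant access to sensitive device data.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names, grouped by the data they expose
# (the grouping itself is an assumption made for this example).
SENSITIVE_PERMISSIONS = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_SMS": "messages",
    "android.permission.RECEIVE_SMS": "messages",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.READ_CALL_LOG": "call log",
}

# Constructed manifest for a fictitious app that asks for far more than a
# flashlight needs; package and component names are invented.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:label="Flashlight">
        <activity android:name=".MainActivity"/>
        <service android:name=".UploadService"/>
        <provider android:name=".MediaProvider"
            android:authorities="com.example.flashlight.media"/>
        <receiver android:name=".BootReceiver"/>
    </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Return the package name, permissions and components a manifest declares."""
    root = ET.fromstring(xml_text)
    name_attr = ANDROID_NS + "name"   # android:name, namespace-qualified
    permissions = sorted(el.get(name_attr) for el in root.iter("uses-permission"))
    components = {}
    for tag in ("activity", "service", "provider", "receiver"):
        components[tag] = sorted(el.get(name_attr) for el in root.iter(tag))
    return {"package": root.get("package"),
            "permissions": permissions,
            "components": components}


def flag_sensitive(permissions):
    """Map each declared sensitive permission to the data it grants access to."""
    return {p: SENSITIVE_PERMISSIONS[p] for p in permissions
            if p in SENSITIVE_PERMISSIONS}


def apps_touching(manifests, capability):
    """Packages (among several parsed manifests) holding a permission for the
    named capability, e.g. "camera": the question asked when a camera misbehaves."""
    return sorted(m["package"] for m in manifests
                  if capability in flag_sensitive(m["permissions"]).values())


if __name__ == "__main__":
    info = parse_manifest(SAMPLE_MANIFEST)
    print(info["package"], "requests", len(info["permissions"]), "permissions")
    for perm, data in flag_sensitive(info["permissions"]).items():
        print("  sensitive:", perm, "->", data)
    print("components:", info["components"])
    print("apps with camera access:", apps_touching([info], "camera"))
```

On a real device the manifest is extracted from the installed APK first; the parsing and flagging logic is the same. A flashlight app that declares a service, a boot receiver and camera, microphone and SMS permissions is exactly the kind of mismatch between stated purpose and requested access that the paragraph describes as a breadcrumb.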
Insider file deletion
Smartphone data can prove useful to an investigator who wishes to uncover insider file deletion. An insider may delete files on their smartphone and assume that these files are unrecoverable. Advances in mobile computing have made it possible to recover deleted files. To understand whether deleted files can be recovered, researchers carried out a study and observed that it was indeed possible to use memory dumps to recover the deleted data (Samson, 2013). The recovered data included files that had been stored in the cloud. Basically, forensic investigators can now rely on residual artifacts to gain insights from smartphone data (Grispos, Glisson & Storer, 2013). This should be a welcome development for forensic investigators, whose efforts have previously been hampered by the ease with which individuals could delete files and ensure that they could not be recovered.
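Recovery from residual artifacts, as an added example that is not from the paper or from the studies it cites: once a file's directory entry is gone, its bytes often remain in the dump, so the carver below scans a raw byte buffer for the signatures of PNG and JPEG files and copies out every complete file it finds, skipping a truncated one. The dump is constructed in the script (a synthetic PNG, a minimal JPEG-shaped blob and slack-space filler); the CRC check on the carved PNG shows that the recovered file is intact.

```python
"""Carving deleted image files out of a raw storage or memory dump.

Added example, not from the paper or its sources. The dump is constructed
here; the same scan applies to a real image of a phone's flash storage.
"""
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8\xff"      # start-of-image marker (followed by an APPn marker)
JPEG_EOI = b"\xff\xd9"          # end-of-image marker
FILLER = b"\x00\x5a\xa5" * 40    # constructed slack space; contains no file signature


def build_png(width, height):
    """Construct a minimal valid RGB PNG; used only to seed the sample dump."""
    def chunk(tag, data):
        body = tag + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))
    raw = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (PNG_MAGIC + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))


def build_sample_dump():
    """Constructed dump: slack, an intact PNG, slack, a JPEG, slack, a truncated PNG."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"scan data" * 4 + JPEG_EOI
    truncated_png = build_png(1, 1)[:20]   # as left behind by a partial overwrite
    return FILLER + build_png(2, 2) + FILLER + jpeg + FILLER + truncated_png


def _png_end(dump, start):
    """Walk PNG chunks from the signature; offset just past IEND, or None if truncated."""
    pos = start + len(PNG_MAGIC)
    while pos + 8 <= len(dump):
        length = struct.unpack(">I", dump[pos:pos + 4])[0]
        tag = dump[pos + 4:pos + 8]
        pos += 8 + length + 4          # length + tag + data + CRC
        if pos > len(dump):
            return None
        if tag == b"IEND":
            return pos
    return None


def carve(dump):
    """Return (offset, kind, bytes) for every complete image found in the dump."""
    found, pos = [], 0
    while pos < len(dump):
        hits = [(o, k) for o, k in ((dump.find(PNG_MAGIC, pos), "png"),
                                    (dump.find(JPEG_SOI, pos), "jpeg")) if o != -1]
        if not hits:
            break
        start, kind = min(hits)         # earliest signature wins
        if kind == "png":
            end = _png_end(dump, start)
        else:
            eoi = dump.find(JPEG_EOI, start + len(JPEG_SOI))
            end = eoi + len(JPEG_EOI) if eoi != -1 else None
        if end is None:                 # partial file: step past its header and go on
            pos = start + 1
            continue
        found.append((start, kind, dump[start:end]))
        pos = end
    return found


def png_crcs_ok(data):
    """Verify every chunk CRC of a carved PNG, proving the bytes survived intact."""
    if not data.startswith(PNG_MAGIC):
        return False
    pos = len(PNG_MAGIC)
    while pos + 12 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        body = data[pos + 4:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        if zlib.crc32(body) != crc:
            return False
        pos += 12 + length
    return pos == len(data)


if __name__ == "__main__":
    for offset, kind, blob in carve(build_sample_dump()):
        extra = f", crc ok={png_crcs_ok(blob)}" if kind == "png" else ""
        print(f"{kind} at offset {offset}, {len(blob)} bytes{extra}")
```

Signature carving recovers only what the storage has not yet overwritten, which is why the paragraph's point about residual artifacts is time-sensitive: the later a dump is taken, the more of this slack space will have been reused.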
Data stored in servers
Challenges
With the emergence of cloud technology, servers are emerging as a popular method of storing data. Even before the development of cloud technology, servers played an important role in the management and storage of data. There are a number of security threats that servers face which necessitate the involvement of digital forensics investigators. Denial of service attacks are just one of these. Basically, these attacks involve a server being bombarded with more requests than it is designed to handle, with the result that the server may be forced offline. There are several challenges that investigators need to be prepared for as they collect and examine data in servers. One, legal challenges make it difficult for investigators to obtain the data (DeRosa, 2014). This is particularly true where laws prohibit access to the data without court approval. Two, there are administrative reviews that investigators are subjected to (DeRosa, 2014). These reviews make it difficult for investigators to collect the data before it is tampered with. Three, some features of cloud technology prove a challenge to investigators. These features include the scalability and flexibility of servers (DeRosa, 2014). Without the appropriate tools and expertise, an investigator will simply be unable to obtain or examine the data. The vast amounts of data usually held in servers also present a challenge. Investigators may be forced to rummage through troves of data before identifying the data of interest, a costly and time-consuming endeavor.
Network intrusion
Most cloud solutions are fitted with security measures and protocols intended to guarantee data security. However, network intrusions can still occur, as evidenced by the case of Apple’s iCloud, where private photographs of celebrities were obtained and leaked online. The iCloud case points to the devastating damage that can result when a network intrusion occurs. The data obtained from networks can be useful in investigating network intrusions. Data mining is a tool that investigators can use as they examine network data to identify the perpetrator of a network intrusion (Bloedorn et al., n.d.). Data mining is a process used to explore patterns in data, and these patterns can offer investigators clues as to the source of a network intrusion. Network logs can also be used in the investigative process. It is usual for networks to monitor traffic and to record all activities that take place (Gupta, 2012). These logs can provide investigators with the information they need to identify the culprits behind network intrusions.
Malware installation
From the discussion above, it is clear that data from servers can be useful in investigating network intrusions. The same data can also be used to investigate malware installation. When malware is installed on servers, the effects can be devastating. For example, the server may be forced offline or users may be exposed to the malware. It is therefore important to move quickly to secure servers when it is suspected that a malware installation has occurred. Investigators can begin by examining the programs that have been developed and installed to detect and fix malware attacks (Barreiro, 2013). Server data may contain the records produced by these programs. When investigating malware installation, an investigator may also examine the operating system for any signs of the malware. Certain malware mimics the behavior of normal processes in an effort to avoid detection (Barreiro, 2013). Tools have been developed to assist in identifying such malware, and the information that makes this possible can be obtained from data contained in servers. Details such as the applications that users have installed can also offer insights into malware installation. There are users who inadvertently install malware when they install add-ons and other programs (“Malware Analysis and Investigation”, n.d.). It is possible that an investigative body may not have the expertise or tools needed to investigate malware attacks on network servers. A number of cyber security firms offer this service, and investigators can simply turn to them. However, focus needs to be placed on boosting the capacity of investigative bodies so that they are better placed to tackle the various challenges of cyber security.
Insider file deletion
The operation of any network server relies on stability. When this stability is lacking, the operation may be compromised. File deletions by insiders are among the factors that could result in network instability. It is therefore important to put measures in place to ensure that no unauthorized deletions occur. In the event that these measures fail to prevent deletions, it is the mandate of the investigator to assess the network and try to identify the responsible party. Data from servers is one of the tools the investigator will need. Network logs contain important information that can be used to detect insider file deletion. Another method, involving psychological manipulation, has also been developed. Basically, this method involves baiting insiders who wish to delete files and keeping an eye on their activities (Sasaki, 2011). The network data is then used to determine whether any deletion occurred. The network logs can help organizations detect file deletions before real damage is done. Investigators can also benefit from these logs, as they provide clues that aid in identifying the person responsible for the file deletion. It should be noted, however, that data from servers may be useless in investigating file deletion by insiders. Most of the attacks that organizations and individuals face are perpetrated by outside parties (Ruppert, 2009). Very few organizations have implemented measures to protect themselves from malicious acts by insiders. It is therefore possible that the network logs and other data contain no information on file deletions carried out by insiders. This highlights the urgent need for organizations to recognize that insiders can be the biggest threat and to implement safeguards.
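The log-based detection that the network intrusion section and this section (and the social media section on insider file deletion) describe, as an added example that is not from the paper or from Gupta, Sasaki or Chan et al.: one parser reads server log lines, and two detectors look for the patterns an investigator mines for, a burst of failed logins from one source followed by a success (an intrusion pattern) and one account deleting many files within a short window (a bulk wipe rather than housekeeping). The log format and all log lines are constructed for this example; a real deployment would adapt the parser to the server's actual audit format.

```python
"""Pattern detection over server logs for intrusion and insider file deletion.

Added example, not from the paper or its sources. The log format
(timestamp host source EVENT key=value ...) and every line are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log: a password-guessing burst from one address
# that ends in a successful login, and a user who mistyped once.
AUTH_LOG = """\
2016-10-19T02:14:01 srv1 sshd FAILED user=root src=203.0.113.7
2016-10-19T02:14:03 srv1 sshd FAILED user=admin src=203.0.113.7
2016-10-19T02:14:04 srv1 sshd FAILED user=oracle src=203.0.113.7
2016-10-19T02:14:06 srv1 sshd FAILED user=test src=203.0.113.7
2016-10-19T02:14:07 srv1 sshd FAILED user=backup src=203.0.113.7
2016-10-19T02:14:09 srv1 sshd ACCEPTED user=backup src=203.0.113.7
2016-10-19T09:02:11 srv1 sshd ACCEPTED user=jdoe src=10.0.0.21
2016-10-19T09:05:40 srv1 sshd FAILED user=jdoe src=10.0.0.21
2016-10-19T09:05:48 srv1 sshd ACCEPTED user=jdoe src=10.0.0.21
"""

# Constructed file audit log: routine activity by one user, a bulk deletion
# by another shortly before the end of the working day.
FILE_AUDIT_LOG = """\
2016-10-19T09:10:02 srv1 audit DELETE user=jdoe path=/data/reports/q3.xlsx
2016-10-19T17:58:10 srv1 audit DELETE user=mwhite path=/data/reports/q1.xlsx
2016-10-19T17:58:11 srv1 audit DELETE user=mwhite path=/data/reports/q2.xlsx
2016-10-19T17:58:11 srv1 audit DELETE user=mwhite path=/data/reports/q3_final.xlsx
2016-10-19T17:58:12 srv1 audit DELETE user=mwhite path=/data/reports/board.pptx
2016-10-19T17:58:13 srv1 audit DELETE user=mwhite path=/data/contracts/acme.pdf
2016-10-19T17:58:14 srv1 audit DELETE user=mwhite path=/data/contracts/globex.pdf
2016-10-20T10:00:00 srv1 audit WRITE user=jdoe path=/data/reports/q4.xlsx
"""


def parse_line(line):
    """Split one log line into a dict of timestamp, host, source, event and key=value fields."""
    ts, host, source, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "host": host, "source": source, "event": event, **fields}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def password_guessing(events, threshold=5, window=timedelta(minutes=2)):
    """Sources with at least `threshold` FAILED logins inside `window`; records
    which account (if any) the same source later logged into successfully."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        fails = sorted(e["ts"] for e in evs if e["event"] == "FAILED")
        for i in range(len(fails) - threshold + 1):
            if fails[i + threshold - 1] - fails[i] <= window:
                burst_end = fails[i + threshold - 1]
                later = [e for e in evs if e["event"] == "ACCEPTED" and e["ts"] > burst_end]
                hits[src] = {"failures": len(fails),
                             "later_success": later[0]["user"] if later else None}
                break
    return hits


def mass_deletion(events, threshold=5, window=timedelta(minutes=1)):
    """Users who deleted at least `threshold` paths within `window`, with every
    path they deleted, so the investigator can see the scope of the wipe."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "DELETE":
            by_user[e["user"]].append(e)
    hits = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs) - threshold + 1):
            if evs[i + threshold - 1]["ts"] - evs[i]["ts"] <= window:
                hits[user] = [e["path"] for e in evs]
                break
    return hits


if __name__ == "__main__":
    print("password guessing:", password_guessing(parse_log(AUTH_LOG)))
    print("mass deletion:", mass_deletion(parse_log(FILE_AUDIT_LOG)))
```

Both detectors are deliberately simple threshold rules over a time window; the point of the paragraph is that the logs must exist and cover insider activity at all, since no rule can find a deletion that was never recorded.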
Data held by network service providers
Challenges
Network service providers are organizations that provide individuals and organizations with access to the internet, which they do through the sale of bandwidth. One of the hurdles that investigators need to overcome if they are to collect and examine data held by network service providers is legal. There are laws that require these providers to safeguard the privacy of their users (Kang, 2016). It would be difficult for the providers to release information without violating these laws. Today, individuals have become very wary of privacy intrusions. This has led them to turn to tools which mask their identities and allow them to use the internet anonymously. Even the network service providers are unable to monitor the network activity of these individuals. It would therefore be impossible for the network providers to supply investigators with information that they are simply unable to obtain.
Network intrusion
The challenges discussed above would greatly erode the usefulness of data held by network providers. However, investigators can still glean some information from this data. Network service providers routinely collect information such as the IP addresses of users. These addresses can be used to identify the location of the party responsible for a network intrusion. By analyzing the flow of network data, it is also possible to gain insights about network intrusions. The data flow can be reconstructed using event plots and timelines (Phan et al., 2007). Basically, an investigator reconstructs an intrusion in order to identify the perpetrator. To investigate network intrusion, an investigator will need the cooperation of the network provider. Without this cooperation, the investigator will derive no benefit from the data held by the network service provider.
Malware installation
The data held by network service providers can be a vital tool for an investigator attempting to gain insights into a malware installation. As mentioned above, network providers usually collect user details, including IP addresses and the sites a user has visited. Consider a situation where a certain user is suspected of having installed malware. The IP address can be used to pinpoint the user’s location, and the details of the sites visited can be used to understand the source of the malware installation. A trend has emerged where scammers install malware on computers by masquerading as the internet service provider (Wakefield, 2016). Investigators can use the information provided by the network providers to identify these scammers. The data provided by network service providers can indeed be useful in the investigative process.
Insider file deletion
Investigating insider file deletion can benefit from the data shared by network service providers. Internet service providers are able to access such files as those contained in emails. They can work with investigators to recover emails that are lost following a deletion (Ceresney, 2015). With the emails recovered, the investigator can then determine such matters as the motive of the perpetrator. It should be noted that there are laws that bar ISPs from accessing private information, let alone sharing that information with other parties. Overall, ISPs are rather uncooperative, and the information they possess may be difficult to obtain. In the current legal landscape, an investigator will need to obtain a warrant, and this can be a daunting task.
Conclusion
The importance of the role performed by digital forensics investigators cannot be overstated. These investigators keep individuals and organizations secure by investigating acts such as network intrusion and file deletions by insiders. There are a number of sources of information that provide data which allow investigators to execute their mandate. However, with each source, there are challenges that investigators need to overcome. Additionally, the data from some of these sources is not necessarily useful. To ensure that they obtain useful information, investigators need to abide by the law and exercise judgment.
References
Addagada, B. K. (2010). Intrusion Detection in Mobile Phone Systems Using Data Mining Techniques. Retrieved 19th October 2016 from http://lib.dr.iastate.edu/cgi/viewcontent.cgi?article=2766&context=etd
Baggili, I., & Breitinger, F. (2015). Data Sources for Advancing Cyber Forensics: What the Social World has to Offer. Retrieved 19th October 2016 from http://www.aaai.org/ocs/index.php/SSS/SSS15/paper/viewFile/10227/10092
Barreiro, A. (2013). How to Respond to a Malware Incident. Retrieved 20th October 2016 from http://www.techrepublic.com/blog/it-security/how-to-respond-to-a-malware-incident/
Batten, L. M., Moonsamy, V., & Alazab, M. (2016). Smartphone Applications, Malware and Data Theft. Retrieved 19th October 2016 from http://www.cs.ru.nl/~vmoonsamy/pubs/c2015.pdf
Bloedorn, E., Christiansen, A. D., Hill, W., Skorupta, C., Talbot, L. M., & Tivel, J. (n.d.). Data Mining for Network Intrusion Detection: How to Get Started. Retrieved 20th October 2016 from https://www.mitre.org/sites/default/files/pdf/bloedorn_datamining.pdf
Ceresney, A. (2015). Testimony on Updating the Electronic Communications Privacy Act. Retrieved 20th October 2016 from https://www.sec.gov/news/testimony/testimony-ceresney-12015.html
Chan, E., Chaugule, A., Larson, K., & Campbell, R. (2012). Performing Live Forensics on Insider Attacks. Proceedings of the 2010 CAE Workshop on Insider Threat.
DeRosa, M. (2014). Investigating in the Cloud: Challenges for Digital Forensics. Retrieved 20th October 2016 from https://www.safecloud.org/2014/9/3/investigating-in-the-cloud-challenges-for-digital-forensics
Dobrotka, D., & Kibirkstis, A. (2009). IDFAQ: Intrusion Detection on Wireless Network? Retrieved 19th October 2016 from https://www.sans.org/security-resources/idfaq/intrusion-detection-on-wireless-network/2/24
French, S. (2015). Snapchat’s New ‘Scary’ Privacy Policy has Left Users Outraged. Retrieved 20th October 2016 from http://www.marketwatch.com/story/snapchats-new-scary-privacy-policy-has-left-users-outraged-2015-10-29
Grispos, G., Glisson, W. B., & Storer, T. (2013). Using Smartphones as a Proxy for Forensic Evidence Contained in Cloud Storage Services. Hawaii International Conference on System Sciences. Retrieved 19th October 2016 from https://arxiv.org/ftp/arxiv/papers/1303/1303.4078.pdf
Gupta, S. (2012). Logging and Monitoring to Detect Network Intrusions and Compliance Violations in the Environment. Retrieved 20th October 2016 from https://www.sans.org/reading-room/whitepapers/detection/logging-monitoring-detect-network-intrusions-compliance-violations-environment-33985
Kang, C. (2016). F.C.C. Proposes Privacy Rules for Internet Providers. Retrieved 20th October 2016 from http://www.nytimes.com/2016/03/11/technology/fcc-proposes-privacy-rules-for-internet-providers.html?_r=0
Kharpal, A. (2016). Apple vs. FBI: All you need to know. Retrieved 20th October 2016 from http://www.cnbc.com/2016/03/29/apple-vs-fbi-all-you-need-to-know.html
Li, F., Clarke, N. L., & Papadaki, M. (2008). Intrusion Detection System for Mobile Devices: Preliminary Investigation. Retrieved 19th October 2016 from https://www.cscan.org/download/?id=438
Malware Analysis and Investigation. (n.d.). Retrieved 20th October 2016 from http://cybersec.org/incident-response/cyber-incident-readiness-planning/malware-analysis-and-investigation
Moritz, S., & Womack, B. (2016). Verizon Said to be Antsy over Lack of Detail in Yahoo Breach. Retrieved 20th October 2016 from https://www.bloomberg.com/news/articles/2016-10-18/verizon-is-said-to-be-antsy-over-lack-of-clarity-in-yahoo-breach
Mulazzani, M., Huber, M., & Weippl, E. (n.d.). Social Network Forensics: Tapping the Data Pool of Social Networks. Retrieved 19th October 2016 from https://www.sba-research.org/wp-content/uploads/publications/socialForensics_preprint.pdf
Perlroth, N. (2016). iPhone Users Urged to Update Software after Security Flaws are Found. Retrieved 20th October 2016 from http://www.nytimes.com/2016/08/26/technology/apple-software-vulnerability-ios-patch.html
Phan, D., Gerth, J., Lee, M., Paepcke, A., & Winograd, T. (2007). Visual Analysis of Network Flow Data with Timelines and Event Plots. doi:10.1007/978-3-540-78243-8_6
Ruppert, B. (2009). Protecting against Insider Attacks. Retrieved 20th October 2016 from https://www.sans.org/reading-room/whitepapers/incident/protecting-insider-attacks-33168
Sasaki, T. (2011). A Framework for Detecting Insider Threats using Psychological Triggers. Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications, 3(1/2): 99-119. Retrieved 20th October 2016 from http://isyou.info/jowua/papers/jowua-v3n12-7.pdf
Samson, T. (2013). Deleted Cloud Files can be Recovered from Smartphones, Researchers Find. Retrieved 19th October 2016 from http://www.infoworld.com/article/2614437/mobile-security/deleted-cloud-files-can-be-recovered-from-smartphones--researchers-find.html
Wakefield, J. (2016). Tech Support Scams Target Victims via their ISP. Retrieved 20th October 2016 from http://www.bbc.com/news/technology-36084989
Wright, B. (2012). Social Media and the Changing Role of Investigators. Retrieved 19th October 2016 from http://www.forensicmag.com/article/2012/12/social-media-and-changing-role-investigators