Digital Forensics to Reveal the Unknown
By: Dr. Ebru Cankaya, UT Dallas
In a world of rapidly developing technology, it is getting easier and more prevalent each day to conceal data in digital media. As new techniques become available, the countermeasures to recover hidden or corrupt data are becoming available as well. Digital forensics make possible the entire effort for data recovery with no- or least-loss. Forensic investigations employ various hardware as well as software products to facilitate this process.
Historically, digital forensics have been referred to as computer forensics. Today multiple forms of data are stored in various media. In general, all that was needed in the past was to recover data that were first stored and subsequently deleted on a desktop computer. In today’s world, however, more complicated cases need to be addressed, such as discovering when and with which digital camera a picture was taken, or determining what actually happened at the time of an accident by reading an event data recorder (EDR) of a vehicle, or what actual cell phone conversations at what times took place between two criminals. Consequently, this is why the more general term “digital forensics” to refer to all media involved in a data-oriented forensics examination is used.
Data can be in one of three forms at a time: in storage, in transition, or in process. Accordingly, different branches of digital forensics efforts are dedicated to handling data in each form, namely database/cloud forensics for stored data, network forensics for transmitted data, and all other forensics efforts for recovering data processed. However, it should be mentioned that some complex investigations may involve more than one form of data, which would require employing more than one branches of digital forensics.
For one to carry out digital forensics examinations, the very first requirement is to acquire a digital forensics investigation certificate. American Society of Crime Laboratory Directors provides resources for obtaining such certificates. The International Association of Computer Investigative Specialists is one of the reliable certification authorities in the nation. They offer several certification training programs in various levels from introductory to advanced, as well as certification renewal programs. It is important to know that certificates do expire and need to be renewed in certain intervals.
Once a digital forensics examiner certificate is obtained, the next step is to establish a forensics lab. Many parameters are involved in making the decision about what type of a forensics examination lab (small-sized, mid-sized, or large/regional) to establish. Some of these parameters are the finances that can be invested in the hardware, software and personnel, the nature of potential cases on which the lab plans to work, and the physical space available.
The next step is to purchase the necessary hardware and software forensics tools for the lab. Many hardware tools exist to facilitate a forensics investigation. Some of these tools are F.R.E.D., forensic write blockers, standalone forensic devices, etc. For software digital forensics tools, there is ever-evolving variety as some tools focus on a particular type of software, some others only on hexadecimal processing of data, and yet others on a GUI based environment with several added features such as hash validation, generating a user-friendly web report, full recovery of deleted content, ability to create a copy (image) of source media in several different formats (disk to disk copy, disk to image copy, partial file copy, etc.). Some common software forensics tools are: ProDiscover Basic, WinHex editor, OSForensics, Access Data Forensics Toolkit, Sleuthkit, and Autopsy. Some of these tools are open source, while others are proprietary.
One of the biggest challenges of the digital forensics field is to identify training data for experiments. As most cases are carried out in full privacy, access to real data for even solved cases is not possible. The National Institute of Standards and Technology (NIST) provides great support by issuing a comprehensive list of common file types (called forensics reference data sets) so that forensics examiners can compare them with their images for validation purposes, as well as by providing a search engine to determine a software forensics tool based on certain criteria such as OS, the type of media, etc.
Digital forensics is an emerging field with a wide range of possibilities for employment ranging from the FBI to the CIA, NSA, as well as many other government or private security institutions. As part of our Information Assurance track, we offer an undergraduate level Digital Forensics course at UT Dallas to provide our students with the opportunity to learn more in this field. Even though we do not seem to know a way to break the vicious cycle of malicious entities hiding data in digital media and have forensics examiners recover it, we are hopeful for the future as digital forensics science promises to continue to be one step ahead all the time.