I would like to talk about cyber forensic techniques today without reading or referring to any white papers or publications. This will be based purely on my own research and study of the subject.
What is Computer Forensics?
Computer forensics is the detailed, scientific study and application of computer science for the purpose of gathering digital evidence in cases of cyber crime, or for other research purposes. From a legal perspective, a government-authorized computer forensic agent can investigate computer systems and networks and, after applying a series of technical steps, arrive at what I just mentioned: digital evidence. Digital evidence is like any other evidence; the difference is that it exists in digital form, such as computer data, disks or printed documents.
Why Computer Forensics?
Computer forensic techniques provide a methodical and systematic approach to gathering information from computer systems and networks. That information may be encrypted or hidden, and would otherwise be extremely hard to obtain through normal, routine access to computer resources.
Normally, a computer system or network to which forensic techniques are applied hides or garbles its data through encryption, steganography or other technical methods. Computer forensics is the process of first analyzing the system, gathering the important data fragments present across it, and then interpreting them with the help of certain mechanisms and tools. Let us see which techniques are used in computer forensics:
Basic Computer Forensic Techniques
For Computer Networks
For computer networks, the following forensic techniques are the most commonly used:
Sniffing, in everyday language, means sensing something, and it has the same meaning here. Data flows through network links just as oxygen flows through the air; pulling critical data packets out of these networks is called packet sniffing. This data may contain usernames or passwords, sent and received emails, or any other data that flows through the network.
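What a sniffer actually hands the analyst is raw frames, and the forensic work is decoding them. The following added example (not code from the original article) builds a few Ethernet/IPv4/TCP frames in memory as constructed sample data, decodes them field by field with the standard library, groups them into flows, and flags flows to services that carry logins in the clear. The MAC addresses, IP addresses and payloads are invented; the checksums are left at zero because the parser does not verify them.

```python
import socket
import struct

# Constructed sample data: builds an Ethernet II / IPv4 / TCP frame in memory so
# the parser can be exercised offline, without an interface or a capture file.
# Checksums are left at zero because the parser does not validate them.
def build_frame(src_ip, dst_ip, sport, dport, payload, flags=0x18):
    eth = (bytes.fromhex("aabbccddee01") + bytes.fromhex("aabbccddee02")
           + struct.pack("!H", 0x0800))                    # EtherType 0x0800 = IPv4
    total_len = 20 + 20 + len(payload)                     # IPv4 header + TCP header + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                     64, 6, 0,                              # TTL 64, protocol 6 = TCP
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1,
                      5 << 4, flags, 65535, 0, 0)           # data offset = 5 words (20 bytes)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Decode one Ethernet/IPv4 frame into a dict; TCP fields are added when present.
    Returns None for anything that is not IPv4."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    ihl = (ver_ihl & 0x0F) * 4                              # IPv4 header length in bytes
    pkt = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
           "proto": proto, "ttl": ttl}
    if proto == 6:
        off = 14 + ihl
        sport, dport, _seq, _ack, doff_res, flags = struct.unpack("!HHIIBB", frame[off:off + 14])
        doff = (doff_res >> 4) * 4                          # TCP header length in bytes
        pkt.update({"sport": sport, "dport": dport, "flags": flags,
                    "payload": frame[off + doff:14 + total_len]})
    return pkt


# Services that carry logins in the clear; traffic to them deserves a closer look
# because anyone sniffing the segment can read the credentials.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 110: "pop3", 143: "imap"}


def summarize(frames):
    """Group TCP packets into flows keyed by (src, dst, dport) and flag cleartext services."""
    flows = {}
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None or pkt["proto"] != 6:
            continue
        key = (pkt["src"], pkt["dst"], pkt["dport"])
        flow = flows.setdefault(key, {"packets": 0, "payload_bytes": 0,
                                      "cleartext": CLEARTEXT_PORTS.get(pkt["dport"])})
        flow["packets"] += 1
        flow["payload_bytes"] += len(pkt["payload"])
    return flows


# Constructed capture: a telnet session on the LAN and one TLS record to an outside host.
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.9", 51000, 23, b"login: alice\r\n"),
    build_frame("10.0.0.5", "10.0.0.9", 51000, 23, b"whoami\r\n"),
    build_frame("10.0.0.5", "203.0.113.10", 51001, 443, b"\x16\x03\x01\x00\x2a"),
]

if __name__ == "__main__":
    for key, flow in summarize(SAMPLE_FRAMES).items():
        print(key, flow)
```

On a real capture the frames would come from a pcap file or a raw socket, and the flow summary is what tells the investigator where cleartext protocols were in use on the segment. The same decoding is what an intrusion detection sensor does before it applies any rule.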
Internet Protocol (IP) address tracing means tracing an IP address right back to its real-world address. IP address tracing involves a reverse address lookup, which here means counting the servers that lie between the source and the destination; these are referred to as hops. One of the addresses nearest the end of the trace is the ISP's server. The target IP address is then checked with the ISP, and ownership information can be gathered with its help.
Sometimes it is important to know where an email came from. This can be achieved by analyzing the email headers. Email headers contain the IP address of the source machine, which can be used for an IP trace. They also contain important details such as the actual mail server from which the email originated, the date and time, and other such minute details.
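The header that records the path is Received, and each relay prepends its own copy, so the chain has to be read bottom-up. The following added example (not code from the original article) walks the Received headers of a constructed sample message, pulls out the address each relay actually saw, separates private addresses from routable ones, and picks the first routable hop as the address an IP trace or ISP enquiry would start from. The hostnames and addresses are invented; the public ones are taken from the RFC 5737 documentation ranges.

```python
import email
import ipaddress
import re

# Constructed sample message. Hosts and addresses are invented: the public ones come
# from the RFC 5737 documentation ranges, the origin from RFC 1918 private space.
RAW_EMAIL = """\
Received: from mx2.example.net (mx2.example.net [198.51.100.7])
    by inbox.example.com with ESMTPS id 4Zq8Xn; Mon, 3 Jun 2024 10:15:03 +0000
Received: from relay.example.org (relay.example.org [203.0.113.42])
    by mx2.example.net with ESMTP id 7kP2; Mon, 3 Jun 2024 10:15:01 +0000
Received: from laptop.lan (unknown [192.168.1.23])
    by relay.example.org with ESMTPSA id 9x1; Mon, 3 Jun 2024 10:14:58 +0000
From: sender@example.org
To: someone@example.com
Subject: invoice
Message-ID: <abc123@example.org>

hello
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Explicit RFC 1918 / loopback / link-local check. ipaddress.is_private would also
# report the RFC 5737 documentation ranges used in the sample as private, which
# would hide the public hops, so the ranges are spelled out here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def received_hops(raw):
    """Return the Received chain origin-first. Each hop records the host the sending
    side claimed, the address the receiving server actually saw, and the receiver."""
    msg = email.message_from_string(raw)
    hops = []
    # Each relay prepends its own Received header, so the bottom one is the first hop.
    for header in reversed(msg.get_all("Received") or []):
        header = " ".join(header.split())                   # unfold continuation lines
        claimed = re.search(r"\bfrom\s+(\S+)", header)
        seen = IP_RE.search(header)
        receiver = re.search(r"\bby\s+(\S+)", header)
        addr = ipaddress.ip_address(seen.group(1)) if seen else None
        hops.append({
            "claimed": claimed.group(1) if claimed else None,
            "ip": str(addr) if addr else None,
            "by": receiver.group(1) if receiver else None,
            "internal": bool(addr and is_internal(addr)),
        })
    return hops


def origin_for_trace(hops):
    """First routable address in the chain: the one to take to an IP trace or ISP query.
    Private addresses before it only identify a machine inside the sender's network."""
    for hop in hops:
        if hop["ip"] and not hop["internal"]:
            return hop["ip"]
    return None


if __name__ == "__main__":
    chain = received_hops(RAW_EMAIL)
    for i, hop in enumerate(chain, 1):
        print(f"hop {i}: {hop['claimed']} [{hop['ip']}] -> {hop['by']} "
              f"({'internal' if hop['internal'] else 'public'})")
    print("address to trace:", origin_for_trace(chain))
```

Only the Received lines written by servers under the investigator's (or a trusted provider's) control are reliable: everything below the first trusted hop was supplied by the sending side and can be forged, which is why the bracketed address the receiving server recorded is used rather than the hostname the sender claimed.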
For Computer Systems
For a physical computer system, the file structure is analyzed and a lookout is kept for suspicious files, which may be scattered in every nook and corner of the system. Some of these files may be encrypted, garbled or hashed with some algorithm. Such files are then processed and decrypted to gather digital evidence. Generally, this task is achieved with automated tools and utilities, but manual intervention also plays an important part.
Storage media may take the form of fixed or removable disks. These disks may have been erased (formatted), and it can seem almost impossible to recover data from them. However, with advanced utilities and data recovery tools this is possible. Recovered data is not necessarily in proper form, so whatever data fragments are gathered are pieced together to form solid digital evidence material.
Steganography is the art of hiding information in images, sounds or any other file format other than its routine format. A piece of data or information hidden in an image or sound file is extremely difficult to detect, and this can lead to vast propagation of the material over the internet or other media. Steganalysis and decryption techniques are applied to get the data back into its original form.
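The commonest image steganography writes the payload into the least significant bit of each pixel, and the classic steganalysis for it is statistical: replacing LSBs with (effectively random) payload bits evens out the counts of each value pair (2k, 2k+1), which a pairs-of-values chi-square test picks up. The following added example (not code from the original article) builds a constructed grayscale cover, embeds a short message by LSB replacement to produce a sample, runs the pairs test on both versions, and reads the message back out. The cover is an artificial gradient with an all-even pixel histogram, chosen so the before/after contrast is unmistakable; real images are messier but show the same effect.

```python
import random

WIDTH, HEIGHT = 64, 64


def make_cover():
    """Constructed 8-bit grayscale cover: a diagonal gradient in which every pixel
    value is even, so the LSB plane is all zeros. Real covers are not this clean, but
    many images do have very unequal counts for the value pairs (2k, 2k+1), and that
    imbalance is what LSB replacement destroys."""
    return bytes(((x + y) * 2) & 0xFE for y in range(HEIGHT) for x in range(WIDTH))


def embed_lsb(cover, payload, seed=3):
    """Sequential LSB replacement: the payload bits go into the LSBs of the first
    pixels, and the remaining capacity is filled with random bits, which is what an
    encrypted or compressed payload looks like to the statistics."""
    bits = [(b >> i) & 1 for b in payload for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("payload exceeds cover capacity")
    rng = random.Random(seed)
    bits += [rng.getrandbits(1) for _ in range(len(cover) - len(bits))]
    return bytes((p & 0xFE) | b for p, b in zip(cover, bits))


def extract_lsb(stego, nbytes):
    """Read nbytes back out of the LSB plane: the recovery step once the embedding
    scheme is known."""
    out = bytearray()
    for i in range(nbytes):
        value = 0
        for p in stego[i * 8:(i + 1) * 8]:
            value = (value << 1) | (p & 1)
        out.append(value)
    return bytes(out)


def chi_square_pairs(pixels):
    """Pairs-of-values test: for each pair (2k, 2k+1) compare the two counts with their
    mean. LSB replacement with random bits makes the counts nearly equal, so the
    statistic collapses to about one per pair. Returns (chi2, number of pairs used)."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    chi2, pairs = 0.0, 0
    for k in range(128):
        n_even, n_odd = hist[2 * k], hist[2 * k + 1]
        expected = (n_even + n_odd) / 2
        if expected == 0:
            continue
        pairs += 1
        chi2 += (n_even - expected) ** 2 / expected + (n_odd - expected) ** 2 / expected
    return chi2, pairs


def looks_lsb_embedded(pixels, per_pair_threshold=3.0):
    """Heuristic verdict: an untouched LSB plane leaves chi2 far above the pair count;
    a replaced one sits near it."""
    chi2, pairs = chi_square_pairs(pixels)
    return pairs > 0 and chi2 / pairs < per_pair_threshold


if __name__ == "__main__":
    cover = make_cover()
    stego = embed_lsb(cover, b"meeting at dawn")
    print("cover chi2, pairs:", chi_square_pairs(cover))
    print("stego chi2, pairs:", chi_square_pairs(stego))
    print("stego flagged:", looks_lsb_embedded(stego), "cover flagged:", looks_lsb_embedded(cover))
    print("recovered:", extract_lsb(stego, 15))
```

The verdict threshold is a constructed heuristic, not a calibrated p-value; in practice the test is run over growing prefixes of the image so that a payload occupying only the first part of the picture still stands out, and it says nothing about schemes that flip bits selectively instead of replacing them.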
Prints are printouts taken from a computer printer. Most computer forensic experts forget to pay attention to these printouts. Such printouts may be produced so that, at first glance, they are not readable by the naked eye: they may be microscopic, garbled, or again encrypted for deception. So, while evaluating and gathering digital evidence, analyzing printouts becomes a very important aspect and should not be neglected or handled carelessly.
Tools of the Trade
Some of the most common tools of the trade used in computer forensics are:
- Hex Editors
- Disassemblers
- Disk Analyzers
- Decryptors
- Packet Sniffers
- DNS Tools
Computer forensic science is a field that is gaining heavy momentum across the world due to the rise in cyber crime, and it will continue to grow at a tremendous pace in the coming decade.