Digital Forensics (20)

Cybercrimes have the following characteristics: the perpetrators are professional, the criminal methods are intelligent (highly technical and automated), the objects of the crime are complicated, the targets are diverse, and the consequences are covert. These characteristics distinguish cybercrimes from traditional crimes.

Cybercrimes have increased year on year over the past decade or so. They bring huge economic loss and other severe consequences, and can severely threaten a nation's security and social order.
Other forms of cybercrimes:
  • Weak password attack
  • Network sniffing
  • Spoofing
  • Information loss, tampering, and destruction
  • Connection hijacking
  • Damage to the domain name system and other infrastructure
  • Database damage via the web
  • Malicious damage
  • Intrusion by exploiting CGI/IIS vulnerabilities
  • Buffer overflow
  • DoS/DDoS
  • Intrusion by exploiting vulnerabilities in scripting languages, such as PHP and JavaScript
  • Attacks from insiders (90% related)
  • Social engineering
Digital evidence can be presented in various forms, such as text, graphs, images, animations, audio, and video. These multimedia forms of computer evidence cover almost all traditional types of evidence.
Digital evidence may be obtained from a variety of sources, such as:
  • System audit trails
  • IDS, firewall, FTP, website, and antivirus software logs
  • E-mail
  • Temporary files or hidden files in an operating system and database
  • Swap partitions on hard disk drives
  • Script files implementing specific functions
  • Bookmarks, browsing history or session logs, real-time chat history, and so on 
As an interdisciplinary science between computer science and jurisprudence, computer forensics is gradually becoming a focus of research and attention.

Computer forensics is the process of obtaining, preserving, analyzing, and presenting evidence in a legally compliant manner in cases of computer intrusion, damage, fraud, attack, or other criminal behavior.

Technically, computer forensics is the process of examining and analyzing the compromised computer system in order to reconstruct the intrusion event.

Computer forensics includes two phases: physical evidence collection and information discovery. 
  • Physical evidence collection is the search for and retention of related computer hardware at the scene of the cybercrime or intrusion.
  • Information discovery is the extraction of evidence (that is, digital evidence) from original data (including files and logs) for proof or refutation.
ISO
The IT Security techniques subcommittee of the ISO, ISO/IEC JTC 1/SC 27, released the Guidelines for identification, collection, acquisition and preservation of digital evidence (ISO/IEC 27037:2012) in October 2012. The Guidelines stipulate the definition, handling requirements, handling procedure, and key components (including the continuity of evidence, the evidence chain, security of the scene, and roles and responsibilities in evidence collection) of digital evidence.

National Institute of Standards and Technology (NIST)
NIST has published the following forensics guidance:
  • 2014: SP 800-72 Guidelines on PDA Forensics and PDA Forensic Tools: an Overview and Analysis
  • 2005: Cell Phone Forensic Tools: an Overview and Analysis (updated in 2007)
  • 2006: SP 800-86 Guide to Integrating Forensic Techniques into Incident Response
  • 2007: SP 800-101 Guidelines on Cellular Phone Forensics, updated to SP 800-101 Guidelines on Cell Phone Forensics in 2013
  • 2009: Mobile Forensic Reference Materials: a Methodology and Reification
  • 2014: NIST Cloud Computing Forensic Science Challenges

British Standards Institution (BSI)
Since 2003, the BSI has released a series of national standards, such as BIP 0008:2003 Evidential Weight and Legal Admissibility of Information Stored Electronically, BIP 0008-2:2005 Evidential Weight and Legal Admissibility of Information Communicated Electronically, BS 10008:2008 Evidential Weight and Legal Admissibility of Electronic Information (updated in 2014), and BIP 0009:2008 Evidential Weight and Legal Admissibility of Electronic Information - Compliance Workbook for Use with BS 10008.
Comprehensiveness
  • Search all files in the target system. Display the content of hidden, temporary, and swap files used by the operating system or applications, and analyze data in special areas of disks.
  • Comprehensively analyze results and provide necessary expert testimony. Examples: Overall situation of the system; file structures, data, and author information that are found; any attempt to hide, delete, protect, and encrypt information; other related information found in the investigation.
Forensic tools
  • Image viewing tool: ThumbsPlus helps users easily view and edit all images on their computers.
  • Undelete tool: Hetman Uneraser can restore deleted files or folders.
  • CD-ROM tool: CD-R Diagnostics can display data that cannot be viewed in normal cases.
  • Text search tool: dtSearch is used for text search, especially in Outlook .pst files.
  • Disk erasing tool: This type of tool is mainly used to erase residual data from the disks of analysis machines before they are used in forensic analysis. Simply formatting such drives is insufficient. For example, NTI's DiskScrub software can be used to completely wipe the data on a disk.
  • Drive imaging programs: Drive imaging software, such as SafeBack, SnapBack, Ghost, and dd, can create a bit-for-bit image of an entire drive for forensic analysis.
Emerging forensic techniques
  • Chip forensics: When a communications device cannot be used due to either intentional or unintentional damage, chip forensics can be performed to extract information directly from the device's memory chips.
  • Cloud forensics: When data has been deleted locally, cloud forensics can be used to identify the cloud service provider holding a copy and recover the data from it.
  • IoT forensics: When a networked device is intruded, IoT forensics can obtain related data using sniffing and forensic technologies such as IoT black boxes and distributed IDS.
  • SCA forensics: A side-channel attack (SCA) is an attack against cryptographic devices. It exploits the leakage of side-channel information, such as timing information, power consumption, or electromagnetic radiation, during device operation.
Cryptographic techniques for protecting evidence
  • Symmetric encryption: In a symmetric encryption algorithm, only one key is used. Both parties use this key to encrypt and decrypt data. Therefore, the decrypting party must know the encryption key in advance.
  • Asymmetric encryption: An asymmetric encryption algorithm requires two keys, namely a public key and a private key, for encryption and decryption.
  • Digital envelope: Symmetric cryptography and public-key cryptography are combined in a digital envelope. The sender uses a random or pre-configured symmetric key to encrypt the information, and then uses the public key of the receiver to encrypt that symmetric key. The encrypted symmetric key is the digital envelope. To decrypt the information, the receiver must first open the digital envelope with its own private key to obtain the symmetric key and then use that key to decrypt the information. This ensures the authenticity and integrity of data transmission.
  • Digital signature: In digital signature technologies, the digest of the information is encrypted using the private key of the sender and then sent to the receiver together with the original text. The receiver can decrypt the encrypted digest only by using the public key of the sender. The receiver uses the same hash function to generate a digest of the original text and then compares this digest with the decrypted digest. If the two digests are the same, the received information has not been tampered with during transmission. In this way, digital signatures verify information integrity.
  • Digital certificate: A digital certificate is a file that contains a public key and information about the owner of that public key, and is digitally signed by a CA. An important feature of a digital certificate is that it is valid only within a specific period of time. Digital certificates can be used for sending secure mail, accessing secure sites, and online electronic transactions and trading, such as online securities transactions, online bidding and procurement, online office work, online insurance, online tax filing, online signing, and online banking.
  • Timestamp: A timestamp is information that proves the completeness, integrity, and verifiability of data as of a specific point in time.
Judicial verification is a special measure to extract, preserve, and examine electronic data evidence and to review and judge such evidence. It mainly includes identifying content consistency of electronic data evidence, data stored in or deleted from various electronic devices or storage media, content of encrypted files, computer program functions or system status, and authenticity and formation processes of electronic data evidence.

Relevance
Relevance is the association of evidence with the facts of a case. Digital evidence that may have a substantial impact on the facts of a case shall be judged by the court as relevant.

Objectivity
Objectivity can also be called authenticity. Digital evidence must remain unchanged during the whole process, from initial collection to submission.
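The digest comparison from the digital signature bullet above and the objectivity requirement here, carried through as an added Python example (this is not code from the original page): each chain-of-custody entry records the SHA-256 of the evidence image and is tagged with a keyed HMAC chained to the previous entry, so a later examiner can check that neither the log nor the evidence changed between collection and submission. EXAMINER_KEY and EVIDENCE_IMAGE are constructed placeholders, and the HMAC stands in for the sender's private-key signature so the block runs on the standard library alone.

```python
import hashlib
import hmac
import json

# Constructed sample: a few bytes standing in for an acquired disk image.
EVIDENCE_IMAGE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"sample evidence image" + b"\x55\xaa"
# Hypothetical examiner key. A keyed HMAC stands in here for the sender's
# private-key signature described in the text, so only the standard library is needed.
EXAMINER_KEY = b"examiner-key-placeholder"


def sha256_hex(data: bytes) -> str:
    """Digest of the evidence bytes; this is the value compared at every handover."""
    return hashlib.sha256(data).hexdigest()


def add_custody_entry(log, action, handler, evidence, when, key=EXAMINER_KEY):
    """Append a chain-of-custody entry; its tag covers the entry and the previous tag."""
    entry = {
        "seq": len(log),
        "action": action,
        "handler": handler,
        "time": when,
        "evidence_sha256": sha256_hex(evidence),
        "prev_tag": log[-1]["tag"] if log else "",
    }
    body = json.dumps(entry, sort_keys=True).encode()
    entry["tag"] = hmac.new(key, body, hashlib.sha256).hexdigest()
    log.append(entry)
    return entry


def verify_custody(log, evidence, key=EXAMINER_KEY):
    """Return (ok, reason): every tag valid, chain unbroken, evidence digest unchanged."""
    prev_tag = ""
    current = sha256_hex(evidence)
    for entry in log:
        fields = {k: v for k, v in entry.items() if k != "tag"}
        body = json.dumps(fields, sort_keys=True).encode()
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, f"entry {entry['seq']}: tag mismatch, log record altered"
        if entry["prev_tag"] != prev_tag:
            return False, f"entry {entry['seq']}: chain link broken"
        if entry["evidence_sha256"] != current:
            return False, f"entry {entry['seq']}: evidence digest differs from current image"
        prev_tag = entry["tag"]
    return True, "chain intact and evidence unchanged"
```

A real deployment would sign each entry with the examiner's private key and have the investigator countersign, as the supervision requirement below describes.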

Legitimacy
Evidence is legitimate only when it is obtained by a legal entity, in a legal form, through legal means, and from legal sources. The acquisition, storage, and submission of digital evidence must be legitimate and must not seriously violate basic rights and interests, such as national interests, social public welfare, and personal privacy.
Legitimacy: The judicial verification of electronic data should be standardized and institutionalized in terms of business scope, verification procedure, and technical standards. This includes two aspects:
  1. Legitimacy of behavior: requires that electronic data be verified by a certified verifier in a timely manner to prevent the data from changing over time.
  2. Legitimacy of status: requires that electronic data have multiple backups, be kept away from strong magnetic fields, high temperatures, dust, pressure, and damp, and be kept consistent with the original status of the target system or with minimal changes.
Independence: In the absence of external interference, the judicial verifier of electronic data independently expresses verification opinions and makes scientific judgment according to the actual result. The results of the verification are formed independently based entirely on science and law.
Supervision: The judicial verifier of electronic data must be supervised:
  • By the investigator: The transfer, custody, unsealing, disassembly, and analysis of electronic data shall be supervised by the investigator and jointly signed by the verifier and investigator.
  • By the public: Public oversight is provided to help combat corruption. Electronic data verification is an activity that conforms to legal requirements. Public supervision can help ensure fairness and justice.
Other analysis techniques include:
  • Infer the possible author based on the obtained documents, words, syntax, and writing (coding) style.
  • Discover the relationship between different pieces of evidence obtained from the same event. 
Attack sources can be devices, software, and IP addresses. 
  • Link test: Link tests (also called segment-by-segment tracing) determine the source of an attack by testing the network links between routers, usually starting with the router closest to the victim host. A tester performs hop-by-hop tests, checking whether a router's uplink carries attack traffic. If spoofed attack packets are detected, the tester logs in to the uplink router and continues monitoring packets there. This process continues until the attack source is reached.
  • Packet recording: Packets are recorded on key Internet routers, and data mining techniques are then used to extract information about the attack source. This technique can produce valuable results and accurately analyze attack sources (even after the attack stops). However, it places high demands on record processing and storage capacity. In addition, legal and confidentiality requirements must be carefully considered when storing the records and sharing them with ISPs.
  • Packet marking: Packets can be marked by each router they traverse. The simplest method is to use the record route option (specified in RFC 791) to store each router's address in the option field of the IP header. However, this method increases the length of the packet at every router and may lead to fragmentation. In addition, attackers may pre-fill the fields reserved for routing with fake data to evade tracing.
  • Spam tracing: Shallow parsing of mail behavior checks and analyzes the server connection count, sender IP address, sending time, sending frequency, and number of recipients; it can also inspect the mail subject and detect sending patterns. In addition, the SMTP MTA host can transparently parse the source of the mail to identify illicit behavior such as anonymity, forgery, and abuse, and then reject the mail or rate-limit delivery by delaying it.
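Reading back the record route option from the packet marking bullet above, as an added Python example (not code from the original page): build_record_route_packet constructs a sample IPv4 header (constructed input, not captured traffic; the addresses are placeholders), recorded_routers extracts the router addresses a tracer would read, and header_growth shows the length cost the text warns about. As the text also notes, the recorded list is written by whatever hosts handled the packet, so a tracer treats it as untrusted input, which is why every option length and pointer is bounds-checked.

```python
import socket
import struct

RECORD_ROUTE = 7  # IP option type for Record Route (RFC 791)


def build_record_route_packet(recorded, free_slots):
    """Constructed sample IPv4 header (no payload) carrying a Record Route option."""
    slots = len(recorded) + free_slots
    option = bytes([RECORD_ROUTE, 3 + 4 * slots, 4 + 4 * len(recorded)])  # type, len, pointer
    option += b"".join(socket.inet_aton(a) for a in recorded) + b"\x00" * (4 * free_slots)
    option += b"\x00" * (-len(option) % 4)  # End-of-Option-List padding to a 32-bit boundary
    ihl = 5 + len(option) // 4
    header = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(option), 0, 0, 64, 17, 0,
                         socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.5"))
    return header + option


def recorded_routers(packet):
    """Walk the IPv4 options and return (router addresses, free slots) from Record Route."""
    ihl = packet[0] & 0x0F
    if ihl < 5 or len(packet) < ihl * 4:
        raise ValueError("truncated or invalid IPv4 header")
    options = packet[20:ihl * 4]
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:            # End of Option List
            break
        if kind == 1:            # No Operation, single byte
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("option truncated")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("malformed option length")
        if kind == RECORD_ROUTE:
            data = options[i + 3:i + length]
            used = options[i + 2] - 4  # pointer is the 1-based offset of the next free slot
            if used < 0 or used > len(data) or used % 4:
                raise ValueError("malformed Record Route pointer")
            routers = [socket.inet_ntoa(data[j:j + 4]) for j in range(0, used, 4)]
            return routers, (len(data) - used) // 4
        i += length
    return [], 0


def header_growth(packet):
    """Bytes the options add to the 20-byte base header: the length cost noted in the text."""
    return (packet[0] & 0x0F) * 4 - 20
```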

Ref: [1]