A QUARTERLY PUBLICATION OF ACCS
Digital Forensics


Sanjay Sahay

In the technology age there is forensics in everything, as the adage goes. Hacking has become the new normal, and resilience is the key to our existence. This formula has to be cracked, and the preferred tool is digital forensics. This understated tool can find ways and means to improve our cybercrime investigation and cyber security preventive stance by leaps and bounds. If we study the trajectory of cyber criminals over the last 25 years of the commercial internet, from their initial motives of curiosity and proclaiming their technical superiority, their challenge to national security today is real and grave. The journey to becoming challengers to national security has come through the well-known route of revenge, monetary gain, espionage and political activism. Cyber security was declared the number one national security threat of the US in 2014 and continues in pole position even to this day.

The Age of Scientific Evidence has finally arrived. If we overlay the major components of Digital Forensics and all our digitally documented activities, the two nearly completely overlap. Digital Forensics can be broadly divided into computer forensics, mobile device forensics, network forensics, database forensics and the final arena of forensic data analysis. 

For handling cybercrime cases and incident response, the following forensic tools play a vital role in thorough examination and documentation.

Finding key evidence becomes critical in this fast-paced world. Magnet Axiom, with advanced parsing and carving techniques bundled with built-in analytics features such as Connections, Timeline and Magnet.AI, gets the most data from each evidence source. It is a complete digital intelligence tool that allows investigators to acquire and analyse forensic data automatically, saving a lot of time. Magnet is very versatile, allowing for the examination of a range of devices such as laptops, smartphones (Android, Windows, iOS), memory devices and IoT devices, as well as cloud data. With features such as advanced keyword searches, filters and tags, Magnet Axiom is the perfect tool for conducting timeline analysis.


FTK uses distributed processing and is the only forensics solution to fully leverage multi-thread/multi-core computers. While other forensics tools waste the potential of modern hardware, FTK uses 100 percent of its hardware resources, helping investigators find relevant evidence faster. No matter how many different data sources you are dealing with or how much data you have to cull through, FTK gets you there quicker and better than anything else.

AD Triage is an easy-to-use data acquisition and extraction tool for forensically sound on-scene collection. Whether you are in law enforcement dealing with the growing backlog of devices waiting to be processed or a company managing the rising costs of e-discovery, AD Triage allows users to collect data from computers, whether they are turned on or turned off.

Cerberus is an automated malware triage platform solution designed to easily integrate with FTK, empowering organizations to proactively identify compromised systems. It’s a first layer of defense against the risk of imaging unknown devices and allows you to identify infected files and avoid exporting them after processing your data.

UFED from Cellebrite is the gold standard when it comes to mobile device forensics. Whether it is iOS, Android or a crude chipset, UFED offers an end-to-end solution for most smartphones. It has advanced features to unlock, decrypt and bypass the lock in order to acquire data from the device. Apart from smartphones, UFED can also be used to extract data from drones, SIM cards and storage media. The user-friendly interface of UFED makes it easy to comprehend the extracted data, thus speeding up the process of evidence analysis.

Released under the GNU General Public License version 2, Wireshark is a magnificent tool when it comes to network forensics. It runs on multiple platforms such as Windows, Linux, macOS and Solaris, and has advanced decryption support (given the relevant key material) even for high-security network protocols such as WPA/WPA2, SSL/TLS and WEP. There are many other advanced tools which are not listed here.

Forensic data analytics can at times be a very demanding data-crunching and big data analytics game. It can be path-breaking too. DeepMind has been able to bring down the energy consumption of Google by 40% using an AI tool of a similar nature. This gives us an indication of the exponential trajectory that this tool can take and deliver.

The game is to use cyber forensic investigative methods and forensic tools effectively in the scenarios listed below:

  • Homeland Security
  • Counter-terrorism
  • Collection & Examination of Digital Evidence
  • Support for Law Enforcement Agencies
  • Crime Scene Investigation
  • Financial Crime
  • Cyber Security
  • Computer & Mobile Phone Forensics
  • Video & Audio Forensics
  • Cyber Crime Investigation
  • Dark Net Monitoring & Tracking

With 98% of our documented transactions being digital, where will the evidence come from? It has to come from digital forensics. The issue now is, do the tools match the requirements? For sure the answer is no. We have fallen back on ex post facto tools, which have been the norm since forensics came into vogue. The tools are conventional and mostly of foreign origin. The expanse of digital forensics is way beyond them and is expanding at an exponential pace. The skills mismatch, both with technology and with the domain, is costing us dear. The skill imperatives document for this domain has still to be worked out. Some scientific body will have to take the plunge.

Before we delve deep into the digital forensics spectrum and its roadmap, its nuances can best be explained by the Stuxnet saga, which can be termed the 9/11 of digital forensics. Widely believed to be backed by the US and Israel, Stuxnet was the world’s first digital weapon. It successfully accomplished its task of stalling the Iranian nuclear enrichment project that underpinned the country’s nuclear ambitions. The Stuxnet worm played havoc with the centrifuges through their control mechanism and ended up stalling nuclear enrichment.

While the functioning of the Natanz nuclear enrichment plant was hacked, the control systems, including the visual displays, showed everything as normal. Siemens and Microsoft, who had created and were operating the plant’s OT and IT systems respectively, had no inkling of what had actually gone wrong. Physically, the result was out there. This can be termed Hoodwinked Forensics. It was only cyber security researchers, at a much later date, who gave a clearer picture. Though the nature of the attack was unravelled, attribution of the crime to the US and Israel has not happened even to this day. Fascinating as it may be, the whole forensic nightmare started with an abandoned pen drive being picked up and inserted into the buffered system.

Not much has changed in the level of cyber forensic investigation into complex, multifarious cases where crime, diplomacy, war and national security are all mixed up. Natanz was a negative case study of cyber forensics. A positive one pertains to the FBI’s investigation into Silk Road, the most notorious site on the DarkNet. They were able to get their first investigative lead on the main accused, Ross William Ulbricht, when he connected to the internet just for a short while. Dread Pirate Roberts was his DarkNet name. This is the strength of digital forensics. It was the end of Silk Road, the site which sold twenty percent of all drugs in the US.

It is a reality that cyber forensics very rarely has an interface with the DarkNet. National threats come under heightened risk because of proliferation, intelligence and facilitation activities on the DarkNet. The extent to which these issues are challenged or sorted out remains the sole prerogative of intelligence agencies and specialised technical units. One such case was the San Bernardino case, where evidence from an iPhone 5 was required. The phone was likely to get locked. Apple refused to write a script to provide access to the phone data. Cellebrite provided the via media access which sorted out this issue. The generic issue of access continues. The inability of the State to intercept or access data antithetical to the sovereignty and territorial integrity of the nation and the life and liberty of its citizens makes it a blind state.

The details of the murder of the Saudi journalist Jamal Khashoggi in Saudi Arabia’s consulate in Istanbul, Turkey, reveal that the “snooping software” developed by NSO of Israel provided the much-needed intelligence. Omar Abdulaziz, a sharp online critic of the Saudi royals living in exile in Canada and a friend of Khashoggi, claims that their communication was monitored by the Saudis using NSO software. The effort is to hoodwink forensics. It is a battle of attrition in which technical superiority will be the winner. Live cyber forensics can be the only solution in the days to come. Windows Scope works on live cyber forensic analysis of computer volatile memory. Unconventional, innovative and cutting-edge products will have to fill the technology gap in this field.

Data wiping has been adding a new dimension to cyber forensics. It is a forensic battle that is on. Data wiping can securely erase data beyond any forensic recovery. BCWipe can wipe files and BCWipe Total WipeOut can wipe hard drives. It has over 10 years of trusted experience with the US DoD and DoE, and also serves data erasure compliance under GDPR, HIPAA, PCI DSS, etc. Trail obfuscation has been a worrying trend. While dealing with these two seemingly insurmountable issues, the second being encryption, there is also a silver lining clearly visible on the horizon.

It’s time to discover the new trajectory. Artificial intelligence and digital forensics are the holy grail. Preventive forensics is the science of today, or of tomorrow. Let preventive forensics prevent security incidents, crime and disaster. We are in a precarious cyber security scenario; we already believe that hacks are inevitable. Preventive cyber forensics is bound to rule the world. The trend should be to create preventive digital forensics systems that proactively resolve computer security incidents in organisations of every type. At the core of our existence in a Big Data world is prediction, and that will decide the health of our bodies, our systems, nations and the world.

It is a different forensic world we are getting into. As in the case of everything else, the digital world is not a replication of the physical world but way beyond it. Preventive digital forensics, enabled by a proactive approach, is based on experimentation, iteration and learning. This approach allows us to design, develop and evaluate a set of digital forensic capabilities. It also facilitates digital forensic tasks, making it easy to discover and evaluate indicators of malicious behaviour. This capability leads to an effective response to computer incidents in the shortest possible time and at reduced cost. The pre-incident evidence which is the product of preventive digital forensics has become a reliable, technically validated resource to detect and mitigate threats.

If we are not able to predict and have to keep waiting for a disaster or incident to happen, it is back to naturalism of a different kind. We will never be able to make the causal connection. Artificial intelligence in preventive forensics is already gaining ground. Can forensic analysis of the humongous railway signalling data accumulated over decades usher in better railway safety? Can the ICU and ventilator data of COVID-19 patients who died suggest some new trajectory of treatment? We can get answers only to the questions we raise, and not beyond. Forensic methodologies are needed to get these results. It’s time to get into this act.

National Forensic Sciences University, Gandhinagar, leads the way in cyber forensics courses with its School of Cyber Security and Digital Forensics. The two relevant courses are the M.Tech in Cybersecurity and Incident Response and the M.Sc. in Digital Forensics and Information Security. Rashtriya Raksha University, Gandhinagar, offers an M.Sc. in Digital Forensics and a Post Graduate Diploma in Cyber Security and Cyber Forensics. Vellore Institute of Technology, Madhya Pradesh, has a B.Tech programme in CSE with specialisation in Cyber Security & Digital Forensics. There are a number of other courses in digital forensics at lesser-known academic institutions.


Digital forensics, being in a nascent stage, opens up immense areas of both enquiry and research. A white paper needs to be created on cloud forensics, which is in a nascent stage even though, in practice, the cloud has taken over the world courtesy of COVID-19. Protocols and benchmarks have to be worked upon. Digital forensics education has still to take off in an industry-ready structure, which is the need of the hour. Technology transfer will always remain an issue; Indian digital forensics products need to be developed across the complete spectrum. A small beginning has to be made in a research institution of repute. The best location could be IISc, with the ecosystem it commands. The country needs a Cyber Forensics Research and Product Center.

There are many areas where productive, skill-based, job-oriented, industry-ready certification courses can be provided, and that is also the need of the hour. These can be in areas such as Cloud Forensics, Cyber Threat Intelligence, ML/AI-enabled Cyber Forensics, Cyber Risk and Threat Management, Preventive Cyber Forensics, eBanking / Financial Services Forensic Analysis, Threat Intelligence Analyst, IoT Digital Forensics, and OSINT (Open-Source Intelligence) Forensics.

Given the present scenario, the problem areas of research can be:

  1. Methods of security, mitigation and forensics for attacks on IoT and AI-enabled devices.
  2. Study and analysis of attacks related to crypto-currencies and blockchain technology.
  3. Cloud security forensic issues and strategies.
  4. Creating a Cyber Threat Intelligence Platform and study of tools.
  5. Security and forensics of cloud-based APIs, and
  6. Study of cyber forensics in cyber deception to contain attacks.


While traditionalists would find this an unnecessary twist to the world of established forensics, there is no denying the fact that science, research and practice exist to create better-enabled tools, studies and processes to serve its objective. Preventive digital forensics is the way forward. This would lead to a paradigm shift in the use and utility of forensics. Taken up vigorously, these scientists and practitioners would become our saviours in more ways than one. It’s time to change gears and propel ourselves confidently into our digital future.