Computers are a common medium for criminals to commit acts of crime whereas for others it is a weapon to battle against those crimes. Whatever happens in the digital world involves a computer, one-way or the other. Digital Forensics, on the other hand, uses the once misused technology, as a resource to understand such acts and get to their roots so that a fair conclusion can be drawn.
Digital Forensics is the procedure of implementing techniques of investigation, using computer science, for legal purposes of providing evidence against illegal acts carried out over the web or using digital mediums. The article takes you through the key points about eDiscovery, to given an insight into digital forensics – how to carve data artifacts.
Understanding Evidence and Carving Through It
Lack of awareness about the technological developments and possibilities of using them is the root cause behind the rapid rise in cybercrime ratio. Therefore, a lot of the cyberspace is used by people having barely any understanding of the dos and don’ts of cyber world.
Court of law considers digital evidence as a very crucial piece of information during investigations. Therefore, it automatically becomes extremely necessary for examiners to study artifacts minutely and in an organized manner. In order to get the understanding of what and how to be investigated, one should be aware of the types of potential evidential digital storage.
Types of Digital Evidence:
The dependency over technology has given rise to an immense data getting in the form of data, databases, media, email storage, etc. Some of the common data types that are encountered during investigation procedures are listed and explained below:
Instant Messenger is the trendiest and most preferred medium of communication in the present time. As the name suggests, the exchange of message is done instantly through such platforms. Therefore, for studying conversation of suspect(s) will prove helpful if done on the storage of IMs, as are a rich source of evidentiary material. Storage by these messengers is usually done in DB format files (SQLite) which are application readable (dependent) files.
Examples: Skype, Yahoo Messenger, AOL, Live Messenger, etc.
TIP: IMs can be used by people regardless of their age, gender, nationality, or even computer skills. Therefore, a massive audience is in usage of this technological creation.
Web is the answer to most of our queries, which makes it the richest source of information in relation to any act involving the use of cyberspace. The information consists of components like; bookmark, web history, cache, images, saved credentials, etc.
TIP: When browser cache is looked into, one may find illicit content in the form of images or JS based malware, which could be a potential source of suspicious looking activities taken place.
Examples: MS Internet Explorer, Google Chrome, Mozilla Firefox, etc.
Despite the availability of Instant Messaging services and mobile applications, emails are still existent and still the most preferred medium of communication within corporates, especially. Emails are also used personally when large sized media has to be shared or communication with a person not having IM service has to be done.
TIP: Emails consist of corporate communications, leaving traces to cases of corporate espionage or phishing, etc. The storage of local email clients is done on the user machine itself; therefore, catching hold of the artifact is not a difficult thing to do. However, being application readable only, accessing them makes them a little tricky to be examined.
Examples: MS Outlook, Windows Live Mail, IBM Notes, Thunderbird, etc.
Media file involvement in investigative cases generally represents cases that link up to pornography owing to the repositories consisting of morphed images, video, documents consisting of scanned images, and other media. The occurrences of such cases are common, both personally and professionally.
TIP: Properties of these files can prove helpful in studying them in an in-depth manner like; date and time of modification and creation, GPS coordinates, etc.
Examples: Word Files, MP3, MP4 media files, etc.
Discover How To Carve Artifacts to Explore Evidence
Studying digital media without the involvement of software applications is an impossible task regardless of the investigator being equipped with all the right knowledge and equipments. The speed and accuracy of investigation is only guaranteed when performed through an automated procedure. Therefore, a well-examined list of appropriate applications has been given below, that helps in examining the above stated types of evidence.
- SQLite Database Viewer/Recovery: The tool is well equipped with the right programing to read DB files of SQLite (used by IMs and Web Browsers) application independently. Moreover, the recovery tool ensures that examination (preview) of data is made possible even in the case of evidence spoliation (corruption/deleted records).
- Email Recovery Tools: The readability of email data without the need of external support provided is possible with this range of application. Email repositories are the only requirement for conducting such examinations (with hard deleted emails too).
- MailXaminer: Properties of media files or document exchanged over emails can very well be examined for hints of pornographic contents (attached or embedded) with the help of this one-stop email examination solution. The software offers exact attributes of each email along with attachment, and permits the storage of GPS coordinates (if available) from the image to be further examined for tracing the location.
Observational Verdict: Digital platforms are a boon for the next generation however, at the same time comes with the warning of being used carefully too. Just as the coin has two sides, technology too can be used and misused, and where there is misuse of technology taking place, digital forensics is applicable to get into the roots of the activity. The carving of artifacts allows investigator to get to the actual evidence that points to the suspect in a case. Therefore, it is important to be able to understand evidence before studying them. Moreover, the approach of involving third party proves to be an intelligent one owing to the added benefits attached to it like the automated processing and discovery of evidentiary matter without any compromise made with its quality and quantity.