Technology and the Birth of Digital Forensics
The Evolution of Digital Forensics and Growth of the Industry
The rapid growth of technology has resulted in the computer age, which has given rise to cybercrimes. Savvy criminals today use devices such as tablets, computers, smartphones, and cloud storage in the planning and commission of cybercrimes, whether to wreak havoc in the system of an organization or in the commission of a crime of self-enrichment. According to McAfee, global losses from cybercrime in 2019 exceeded $1 trillion, which was a 50% increase over 2018. These major challenges have been met by cyber sleuths, who are trained in the collection and analysis of data and in navigating the legal basis surrounding the data in the judicial process. Today, digital forensics truly is the intersection of science and the legal process. This article describes the evolution of the digital forensics industry.
Digital forensics is the science of recovering and investigating data stored on digital devices, usually in relation to computer or computer-related crimes. The discipline was initially called computer forensics, but the advent of numerous other devices designed to store digital data led to the broader name. Digital forensics covers civil and criminal court applications as well as private-sector applications, including internal corporate investigations in which devices and systems were used to commit or hide offenses. As one might imagine, digital forensics and cybersecurity overlap, and professionals from both disciplines work together on security design and implementation and on post-incident investigation. Digital forensic science is also used to assess the damage resulting from a breach. On breaches, S. Terry Brugger, PhD, Founder and Computer Scientist, Bubowerks, stated that every organization will get breached at some point, and that this is a very unfortunate fact of life. Dr. Brugger added that even companies holding a System and Organization Controls 2 (SOC 2) audit report get breached, and that the speed and method of the response will have a tremendous bearing on the outcome. Enter the digital forensic examiners, who can stop attackers seeking to harm an organization's digital infrastructure and help recover lost or stolen data. These examiners seek to discern the origins of an attack, identify its source, and prepare reports for any legal process that may follow. Dr. Brugger said that attacks can come from either insiders or external attackers, and that the investigative process depends on the nature and source of the threat. According to Dr. Brugger, insider threats can happen to any firm, and it is important to discern who did it and exactly what they did. Dr. Brugger added that these incidents can and often do result in litigation, and require proper evidence preservation of laptops, desktops, and tablets, along with strict adherence to the rules of evidence. The dynamic is very different with external attackers, as Dr. Brugger described it, with the incident response usually varying by the size of the organization attacked. He stated that it makes sense for a large organization to investigate an attack in order to prevent a repeat, but added that small to midsize organizations usually are not in a position to commit to a $50,000 investigation. With the smaller organizations, a missing patch is usually to blame for the vulnerability that was exploited. Against large organizations, as conveyed by Dr. Brugger, attackers use zero-day exploits, which target a vulnerability not yet known to the software vendor, in order to damage the system or steal data. According to Dr. Brugger, large organizations usually do not know that these vulnerabilities even exist, and the incident sometimes results in post-incident collaboration with the software company to remediate and repair the newly identified flaw. In contrast to investigations of internal attacks, investigations of external attacks are focused on reverse engineering rather than evidence preservation.
In addition to cyberattacks and other cybercrimes, theft of proprietary information is a problem that plagues the corporate and government sectors. Keith Chval, Esq., President and CEO, Protek International (Protek), a digital forensics, advisory, cybersecurity, and eDiscovery firm, stated that the largest share of his firm's work is in unfair competition and theft of proprietary information and trade secrets. Chval said that in these matters Protek's examiners recreate the user's activities to see the files, artifacts, and conversations involved. He added that it is not unusual for an employee to begin stealing proprietary information well before that employee's departure, and Protek's collection, preservation, and analysis should be able to show and document that. Along these lines, Chval suggested that employers save, set aside, or back up a computer when an employee leaves, so that examiners can initiate an investigation down the road should an issue arise.
The history of digital forensics is relatively short, beginning in the late 1970s. The first reported computer crime in the United States dates to 1978, which led federal law enforcement agencies to develop forensic teams staffed by special agents with computer experience and/or education. The 1978 Florida Computer Crimes Act was passed to prevent alteration or deletion of data. Canada followed in 1983 by passing legislation addressing cybercrimes and computer forensics. As this is an international issue, Britain established its first computer crime unit in 1985. Though legislation was being passed internationally, it was Britain's 1990 Computer Misuse Act that put digital forensics on the map worldwide. While numerous countries passed legislation and created computer crime detection units after 2000, it was the ISO 17075 standard for digital forensics in 2005 that standardized digital forensics laboratories in the United Kingdom. Debate remains in the United States over whether this standard is suitable for digital forensics. Recognizing that seizing, retaining, and analyzing data was a major concern, in 1984 the Federal Bureau of Investigation (FBI) developed its first digital forensics program, known as the Magnetic Media Program. The FBI then addressed forensic investigations by developing and staffing its Computer Analysis and Response Team (CART), a team of highly trained FBI Special Agents with computer backgrounds who supported digital investigations across all areas of FBI jurisdiction. Since then, numerous law enforcement and intelligence agencies have contributed to digital forensics, establishing cybercrime divisions, laboratories, and highly trained staff who collaborate with both government and non-government associations to develop protocols, training, and best practices for digital forensic science.
As this discipline is subject to court challenge, the process is of the utmost importance and must be defensible. Though the process depends on the type of matter, the data stored, and the type of device, there are five basic steps: identification, preservation, collection, analysis, and reporting. Throughout all five stages, the digital forensic examiner takes copious, contemporaneous notes documenting procedural steps and results, so that another examiner can reproduce the same results solely from those notes. The initial stage, identification, consists of identifying potential sources of data, information, and/or evidence, the location of the data, and the custodians of that data. Electronically stored information (ESI) must then be preserved by securing the scene, capturing images of the scene, and memorializing pertinent information about the evidence and the method of acquisition. Collection is the process of gathering the digital information and comprises removing the device(s) from the scene if necessary and imaging, copying, or printing out the device contents. The analysis stage is a very detailed search of the evidence relative to the incident under investigation, with the aim of reaching conclusions. Lastly, reports are drafted that clearly delineate the accepted methodologies and techniques used, so that any other forensic examiner would be able to duplicate the process and produce the same results.
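The preservation and collection steps rest on one concrete practice: hash the source before imaging, hash the image independently, and write a contemporaneous acquisition record that any other examiner can re-check. The Python script below is an added illustration of that practice and is not code from the article or from any tool it names; the examiner name, case identifier and sample evidence file are constructed placeholders.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # read in 1 MiB blocks so large images never sit fully in memory


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source: Path, image: Path, examiner: str, case_id: str) -> dict:
    """Copy source to image, hash both sides, and write the acquisition record beside the image."""
    source_hash = sha256_of(source)      # hash the original before anything is copied
    shutil.copyfile(source, image)       # byte-for-byte copy of the evidence file
    image_hash = sha256_of(image)        # hash the copy separately, not the in-memory data
    record = {
        "case_id": case_id, "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "source": str(source), "image": str(image),
        "source_sha256": source_hash, "image_sha256": image_hash,
        "verified": source_hash == image_hash,   # the copy matches the original
    }
    Path(str(image) + ".json").write_text(json.dumps(record, indent=2))
    return record


def verify(image: Path) -> bool:
    """Re-hash an image later and compare it with the hash recorded at acquisition time."""
    record = json.loads(Path(str(image) + ".json").read_text())
    return sha256_of(image) == record["image_sha256"]


def demo() -> dict:
    """Constructed sample: acquire a small file, verify it, then show a single changed byte is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "usb_evidence.bin"
        src.write_bytes(b"constructed sample evidence\x00" * 1000)
        img = Path(tmp) / "usb_evidence.img"
        record = acquire(src, img, examiner="J. Doe (hypothetical)", case_id="CASE-0000 (placeholder)")
        intact = verify(img)
        with open(img, "r+b") as f:      # simulate post-acquisition modification of the image
            f.seek(10)
            f.write(b"X")
        return {"verified": record["verified"], "intact": intact, "after_tamper": verify(img)}
```

Running `demo()` returns `{'verified': True, 'intact': True, 'after_tamper': False}`, which is the property a court challenge turns on: the record proves the image matched the source, and any later change to the image is detectable.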
Digital forensics is expanding and will continue to do so with the advent of new media. Currently, digital forensics includes computer forensics, mobile device forensics, network forensics, forensic data analysis, database forensics, e-mail forensics, malware forensics, memory forensics, wireless forensics, and disk forensics. Computer forensics, as discussed above, applies the five basic steps of identification, preservation, collection, analysis, and reporting to desktop computers, laptop computers, and tablets. Examiners in this area usually specialize either in the investigation of computer crimes or in data recovery for civil litigation and criminal prosecution. Mobile device forensics has grown substantially, as these devices are extremely powerful and almost universally owned. It is not unusual for a specialist to retrieve data from SIM cards, mobile phones, smartphones, video game consoles, and vehicles for use as evidence in a court of law. Network forensics is also a quickly growing field, whether conducted in-house by employees or by consultants. Specialists in this area monitor, document, and analyze network traffic and activity both proactively and post-incident. This role supports both the preventive and the digital forensics and incident response (DFIR) functions of an organization and is focused on breaches and cyberattacks.
As cybercrimes have evolved, so too have the tools used to analyze digital evidence. Examiners did not have many choices in the early days of digital forensic examinations, but over the years numerous tools have come to market. While a search of available tools will produce no fewer than 15 applications, Dr. Brugger related that he has always preferred EnCase, and added that it has withstood court challenges and has substantial case law support. He noted that EnCase's credibility was strengthened by the EnCase Certification Program, through which an examiner earns the EnCase Certified Examiner (EnCE) certification and designation. There is change afoot right now for the legion of EnCase users and enthusiasts such as Dr. Brugger. EnCase, which has enjoyed widespread use by law enforcement and the private sector for many years, is no longer being updated, leaving a large hole in the marketplace. According to Chval, OpenText purchased Guidance Software, the maker of EnCase, for a single piece of Guidance Software's inventory and has not updated EnCase. This turn of events has left examiners evaluating new tools to ensure they perform both to industry standards and as claimed by their developers. Chval said federal law enforcement agencies now mostly use AccessData's Forensic Toolkit (FTK), owned by Exterro. Even though AccessData is gaining users, Chval noted a drawback: the onus is now on the examiner during testimony, whereas in the past the examiner could rely on EnCase's established case law. At this time, the demand for cybersecurity tools seems to vastly exceed that for digital forensics tools, and the developers, according to Chval, are now intently focused on cybersecurity rather than digital forensics.
Digital forensic examiners may choose employment in law enforcement, large corporations, cybersecurity, the military, law firms specializing in data privacy, and specialty consulting firms. The career field is evolving and growing, which provides several different career paths for students seeking careers in digital forensics. Even within law enforcement, digital examiners have the choice of municipal, county, state, or federal agencies. Choices are also available for those looking to work for intelligence agencies. Noticeably missing are small companies, which might include digital forensics as part of a larger information technology position but not as a main focus, as you would see at a Fortune 2000 company, according to Dr. Brugger.
As in many other disciplines and technical fields, certifications and keeping one's credentials current are very important. Dr. Brugger said that certifications in digital forensics and related fields are available from certifying bodies such as Global Information Assurance Certification (GIAC), which sets standards for information security professionals. GIAC provides training and testing for certifications such as the GIAC Certified Forensic Examiner (GCFE), GIAC Network Forensic Analyst (GNFA), GIAC Reverse Engineering Malware (GREM), and GIAC Cyber Threat Intelligence (GCTI). Dr. Brugger added that certifications are available from other certifying organizations and from specific vendors as well.
In the field of digital forensics, it appears the dam has burst, and the water will never return. Now that we are in the computer age, there will always be a need for digital forensics and cybersecurity. Both Dr. Brugger and Chval agree that preservation and response are of the utmost importance. Chval stated that being proactive is worth its weight in gold and that organizations should have reasonable measures in place identifying the business to which they will refer any incident and detailing actions to be taken. Chval stated organizations should act swiftly and assume whatever happened is the crime of the century until they know it is not! Lastly, Chval communicated, you must not underestimate the value of preservation, because you cannot recreate what has not been preserved.
Stuart G. Berman, CFE, CAMS, PSP, is co-founder and Principal of RSA Risk Management & Investigations, LLC (RSA). Prior to co-founding RSA, Mr. Berman was the Special Agent In Charge, General Services Administration, Office of Inspector General, in Region 5, and enjoyed a law enforcement career spanning nearly 25 years.
Mr. Berman is a Certified Fraud Examiner and a Certified Anti-Money Laundering Specialist with more than 25 years of experience conducting and leading audits, quality assurance reviews, examinations, risk assessments, internal controls reviews and testing, and inspections. He possesses strong forensic accounting skills and is highly experienced at implementing proactive data analytics, analyzing records and information, interpreting data, summarizing, and presenting complex financial and commercial-related issues.
Mr. Berman can be contacted at (312) 774-1304 or by e-mail to info@rsariskmanagement.com.