Friday, November 14, 2008

Understanding Cyber Forensics

Cyber forensics can be defined as the process of extracting information and data from computer storage media and establishing its accuracy and reliability. The challenge, of course, is actually finding this data, collecting it, preserving it, and presenting it in a manner acceptable in a court of law.
In other words, cyber forensics, or computer forensics, is the application of scientifically proven methods to gather, process, interpret, and use digital evidence in order to provide a conclusive description of cyber crime activities. Cyber forensics also includes the act of making digital data suitable for inclusion in a criminal investigation. Today the term is used mainly in conjunction with law enforcement, and the subject is offered as a course at many colleges and universities worldwide.

In cyber crimes, physical evidence, which has traditionally been the backbone of criminal investigation, is often absent. The domain of evidence has shifted from the physical to the virtual: digital evidence. Digital evidence is latent in nature and, much like DNA, requires tools to gather and interpret it.

Since any evidence has to be accepted by a court of law, digital evidence also needs to be produced in a manner acceptable to the court. Cyber forensics, which facilitates the acquisition and analysis of digital evidence, has therefore become the need of the hour.
Electronic evidence is fragile and can easily be modified. Additionally, cyber thieves, criminals, dishonest and even honest employees hide, wipe, disguise, cloak, encrypt and destroy evidence on storage media using a variety of freeware, shareware and commercially available utility programs.
A global dependency on technology combined with the expanding presence of the Internet as a key and strategic resource requires that corporate assets are well protected and safeguarded.
When those assets come under attack, or are misused, infosecurity professionals must be able to gather electronic evidence of such misuse and utilize that evidence to bring to justice those who misuse the technology.
Cyber forensics, while firmly established as both an art and a science, is still in its infancy. With technology evolving, mutating, and changing at such a rapid pace, the rules governing the application of cyber forensics to the fields of auditing, security, and law enforcement are changing as well. Almost daily, new techniques and procedures are designed to give infosecurity professionals a better means of finding electronic evidence, collecting it, preserving it, and presenting it to client management for potential use in the prosecution of cyber criminals.
The anonymity provided by the Internet, and the ability of society's criminal element to use information technology as a tool for social and financial discourse, mandate that the professionals charged with protecting critical infrastructure resources have the tools to do so. The authors of this site have developed a text that will provide one of those tools.
Cyber forensics activities can be broadly classified into three areas.
Computer (disk) forensics - deals with gathering evidence from computer media seized at the crime scene.
Network forensics - deals with gathering digital evidence that is distributed across large-scale, complex networks. Often this evidence is transient in nature and is not preserved on permanent storage media.
Device forensics - deals with gathering digital evidence from different types of devices such as mobile phones, PDAs, printers, scanners, cameras, fax machines, etc. Each of these areas has since become an independent research area in its own right.
In cyber crimes the evidence is the digital information held on the computers or devices used in the crime. This digital evidence is highly volatile and prone to modification by others. The challenge before the information technology community is how to prepare evidence from computers and networks so that it can be effectively presented before a court of law. A cyber forensics procedure that conforms to the law is needed for proving digital evidence in court.

The most widely accepted procedure is: Identify, Seize, Authenticate, Acquire, Analyse, and Preserve the evidence. Of these, authentication of the digital evidence is the most important component, because digital evidence is so easily tampered with. In practice this means computing a cryptographic hash (such as SHA-256) of the original media and of the acquired bit-for-bit image, recording both, and showing that they match whenever the image is handed over or re-examined; the acquisition itself is normally done through a write blocker so that the source is never modified.

Cyber forensics analysis also requires tools that can access any data on the mass storage media, including deleted files and data in unallocated disk areas, not just the files the filesystem currently lists. Cyber crime investigation is in the end a team effort, in which law enforcement agencies, computer experts and cyber forensics experts work together to unearth the evidence required to prove the crime in a court of law.
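The following Python script is an added example, not code from the original post, showing two of the steps just described in miniature: acquisition with hash-based authentication (the image is read sector by sector and hashed as it is copied, and any later copy is checked against that recorded hash), and an analysis pass that scans the raw image for file signatures so that it finds data in "freed" sectors that a filesystem would no longer list. The "disk" is a constructed byte string with no real filesystem; the JPEG, PNG and PDF magic bytes are the standard ones, and the sector layout (a fake boot sector, an allocated text file, a deleted JPEG fragment, a PDF header) is invented for the demonstration.

```python
"""Added example: acquire-and-authenticate plus signature carving over a
constructed raw disk image. Not part of the original post."""
import hashlib
import io
from typing import List, Tuple, Union

SECTOR = 512


def build_sample_media() -> bytes:
    """Constructed sample 'disk' (not a real image):
    sector 0: fake boot sector ending in 0x55AA
    sector 1: an allocated text file
    sector 2: a sector the filesystem has 'freed' but that still holds the
              start of a deleted JPEG
    sector 3: the start of a PDF"""
    sectors = [
        b"BOOT" + b"\x00" * (SECTOR - 6) + b"\x55\xaa",
        b"memo.txt: transfer approved".ljust(SECTOR, b"\x00"),
        b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * (SECTOR - 11),
        b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n".ljust(SECTOR, b"\x00"),
    ]
    return b"".join(sectors)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(source: Union[bytes, io.BufferedIOBase, io.BytesIO],
            chunk_size: int = SECTOR) -> Tuple[bytes, str]:
    """Read the source end-to-end in fixed-size chunks, as a disk imager
    would, hashing the stream while copying it.
    Returns (image, sha256 of everything read from the source)."""
    if isinstance(source, (bytes, bytearray)):
        source = io.BytesIO(source)
    digest = hashlib.sha256()
    out = io.BytesIO()
    while True:
        chunk = source.read(chunk_size)
        if not chunk:
            break
        digest.update(chunk)
        out.write(chunk)
    return out.getvalue(), digest.hexdigest()


def authenticate(image: bytes, source_hash: str) -> bool:
    """An image (or any later copy of it) is authenticated when its
    independently recomputed hash equals the hash recorded at acquisition."""
    return sha256_hex(image) == source_hash


# Standard file signatures (magic bytes) used for carving.
SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
}


def carve_signatures(image: bytes, signatures=SIGNATURES) -> List[Tuple[int, str]]:
    """Return (offset, type) for every signature found anywhere in the raw
    image. Because this scans bytes rather than walking a filesystem, it
    also surfaces content in unallocated space, such as deleted files."""
    hits = []
    for name, magic in signatures.items():
        start = 0
        while True:
            pos = image.find(magic, start)
            if pos == -1:
                break
            hits.append((pos, name))
            start = pos + 1
    return sorted(hits)


def main() -> None:
    media = build_sample_media()
    image, source_hash = acquire(media)
    print(f"acquired {len(image)} bytes, sha256 {source_hash}")
    print("image authenticates:", authenticate(image, source_hash))
    # A single altered byte in a working copy is caught by the hash check.
    tampered = image[:600] + b"X" + image[601:]
    print("tampered copy authenticates:", authenticate(tampered, source_hash))
    for offset, kind in carve_signatures(image):
        print(f"{kind} signature at offset {offset} (sector {offset // SECTOR})")


if __name__ == "__main__":
    main()
```

The carving pass reports the JPEG fragment in sector 2 even though nothing in the "filesystem" refers to it, which is the point of working from a full raw image rather than from the files a mounted volume shows; real carvers go further and also recover file footers and lengths. The hash comparison is what an examiner records in the chain-of-custody notes and repeats before every analysis session.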
