Keywords

Introduction

Digital forensics is new in the forensic science and efforts are underway to experiment, explore, discover, enhance, and reconstruct the incidents that work together to make the investigations complete and successful. A digital forensic investigation model is to make the investigation perfect and error free. Each footstep in investigation is decisive and evidence of scrutiny has to surface the facts. Overlooking one step or interchanging any of the steps may lead to incomplete or inconclusive results and erroneous interpretations. A computer crime culprit may escape from light of justice or an innocent suspect may suffer negative consequences. Ultimately, evidence left is in zeros and ones, so forensics investigation can be mislaid by criminal thoughts. Higher levels of concerns are to be on account of a forensics investigation to avoid any misleading and thereby any loop holes to the accused. In this paper we explain the investigation processes of crime committed in cyber space [2].

Cyber space is the electronic space of computer communication or networks. Cyber space was imagined and actually implemented as a borderless new space, transcending physical borders and formal legal rules. Within the past few years a new class of crime scenes has become more prevalent, that is, crimes committed within electronic or digital domains, particularly within cyber space.

Cyber Forensic is the discovery, analysis, and reconstruction of Evidence extracted from and/or contained in a computer, computer system, computer network, computer media, or computer peripheral. A digital forensic investigation is an inquiry into the unfamiliar or questionable activities in a cyber space or digital world. According to the Oxford Dictionary digital forensic science is the systematic gathering of information about electronic devices that can be used in a court of law. Digital forensic science is more popularly called digital forensics and sometimes also called computer forensics as digital forensics is the science of identifying, extracting, analyzing, and presenting the digital evidence that has been stored in the digital electronic storage devices to be used in a court of law.

A cyber crime can be defined as crime committed in the cyber space or crime committed with the assistance of the Internet. In cyber crime externally or internally the computer takes part in the attack. Cyber crime investigations are always difficult because the evidence are very critical, i.e., the life of data are sometimes within fractions of a second. Evidences in the running memory registers are available only in some seconds. Digital evidence [3] at present, the analysis of digital evidence, must depend on forensic tools such as Forensic Toolkit (FTK) of Encase, or WinHex. Most of them are commercial software and are too expensive for the small enterprises or individual. Digital evidence stored in a computer can play a major role in a wide range of crimes, including murder, rape, computer intrusions, espionage, and child pornography as proof of a fact of what did or did not happen. Digital information is fragile in that it can be easily modified, duplicated, restored, or destroyed, etc. In the course of the investigation, the investigator should assure that digital evidence is not modified without proper authorization. The typical goal of an investigation is to collect evidence using generally acceptable methods in order to make the evidence accepted and admitted at court.

The final forensic report must include:

  1. (1)

    Where the evidence was stored?

  2. (2)

    Who had obtained the evidence?

  3. (3)

    What had been done to the evidence?

Any step in the process must be carefully recorded in order to prove that the electronic records were not altered in the investigation procedure (Table 1).

Table 1 Shows sources of evidence in different types of files in a computer
Full size table

Types of Cyber Crimes

Computers are an integral part of our life. A significant percentage of today’s transactions and processes take place using information technology and the future is pregnant with innovations, including nanotechnology, silicon chips, quantum computers, and even biochips. People have readily adopted this technology and have innocently trusted it while performing many tasks, with ignorance about the limitations and threats to their securities. With this advance in technology, an equally advanced form of crimes has emerged. The crimes being committed in cyber space like Internet fraud, business espionage, pornography, sexual assault, online child exploitation, cyber terrorism, and more are on the rise. The following statistical data shows various attacks and their total percentage.

Data Theft

Data are precious assets in this modern age of Cyberworld. Data are important raw materials for business organizations, call centers, and I.T. companies. Data have also become an important tool and weapon for companies, to capture larger market shares. Due to the importance of data, in this new age, its security has become a major issue in the I.T. industry. The piracy of data is a threat faced by I.T. players who spend millions to compile or buy data from the market. Their profits depend upon the security of the data. The above statistics reveals that 33 % of cyber crime is data stealing (Table 2).

Table 2 Shows the statistical data on different types of attacks reported
Full size table

A case has been reported in Bangalore (9 Crore loss) where some key employees of the company had stolen source code and launched a new product based on stolen source code and mailed to former clients. Social engineering techniques can also be applied for such attacks. For example, a beautiful lady meets the young system admin and collects the username and password.

Email Abuse

Email abuse takes many forms, for example: unsolicited commercial email, unsolicited bulk email, mail bombs, email harassment, and email containing abusive or offensive content. The format for submitting reports to the abuse department regarding abuse of email is always the same whatever the offence.

Unauthorized Access

Unauthorized Access is when a person who does not have permission to connect to or use a system gains entry in a manner unintended by the system owner. The popular term is “hacking”.Hacking is the viewing of private accounts, messages, files, or resources, when one has not been given permission from the owner to do so. Viewing confidential information without permission or qualifications can result in legal action.

Data Alteration

Changing /modifying /deleting data causes major losses in the cyber world. In a crime reported in the USA (Cyber murder), a patient file data altered by a criminal caused overdose of medicine and the patient got killed.

Denial of Service

A denial of service (DoS) attack is an incident in which a user or organization is deprived of the services of a resource they would normally expect to have. In a distributed denial-of-service, large numbers of compromised systems (sometimes called a bonnet) attack a single target. Dos causes

  • Attempts to “flood” a network, thereby preventing legitimate network traffic.

  • Attempts to disrupt connections between two machines, thereby preventing access to a service.

  • Attempts to prevent a particular individual from accessing a service.

  • Attempts to disrupt service to a specific system or person.

Impact of the DoS is Denial-of-service attacks can essentially disable your computer or your network. Depending on the nature of your enterprise, this can effectively disable your organization. Secondly, some denial-of-service attacks can be executed with limited resources against a large, sophisticated site.

Malicious Codes

Viruses, worms, and Trojans are types of malicious codes which enter into the system without permission of the user and delete, modify, and capture the user files and data.

Sources of Attacks

Cyber crimes such as network intrusion, hacking, virus distribution, denial of service attacks, hijacking (a computer or network), defacing web sites, cyber stalking, and cyber terrorism are included in this category.

Basically, the computer itself becomes the “target” as well as “Source” of the crime. This is “unauthorized access” to the targeted system. The transmission of a program, information, code, or command, and as a result of intentionally causes damage without authorization, to a protected computer.

  • Program/program source code.

  • Disgruntled employees.

  • Teenagers.

  • Political Hacker.

  • Professional Hackers.

  • Business Rival.

  • Desperados.

  • Terrorists.

The Cyber Investigation Process of a Compromised System

Investigation Processes

The entire investigation process can be divided into four phases (Fig. 1).

Fig. 1
figure 1

Shows investigation processes

Full size image
  1. 1.

    Identification: In this phase it collects the information about the compromised system. System Configuration, software loaded, user profiles, etc [4].

  2. 2.

    Collection Phase: Collects the evidence from the following.

  3. 3.

    Evidence is most commonly found in files that are stored on hard drives and storage devices and media.

  4. 4.

    If file is deleted, recovering data from the deleted files and also collects evidence file deleted files.

  5. 5.

    Analysis phase: Analyze the collecting data/files and find out the actual evidence.

  6. 6.

    Report phase: The audience will be able to understand the evidence data acquired from the evidence collection and analysis phases. The report generation phase records the evidence data found out by each analysis component. Additionally, it records the time and provides hash values of the collected evidence for the chain-of-custody.

Investigating Tools

The goal of the investigator is to find every digital evidence stored in devices, or at least sufficient information for building and supporting a crime logic. Investigating tools are used to collect evidence from the crime scene. Throughout our paper mainly WinHex is using for image creation of compromised disk or folder and image analysis. WinHex [1] can recover deleted files.

Cyber Crime Investigation Steps

  1. 1.

    Assesses the crime scene

  2. 2.

    Evidence collection

    1. 2.1

      Select a tool, e.g.: WinHex [1].

    2. 2.2

      Create image of the compromised system disk.

      1. 2.2.1

        Open WinHex.

      2. 2.2.2

        Open particular drive (Tools → open disk).

      3. 2.2.3

        Calculate Hash value of the drive/disk (Tools → compute hash) Store hash value in a text file.

      4. 2.2.4

        Save disk content as image file extension.img file (Fig. 2).

        Fig. 2
        figure 2

        Shows screenshot of Winhex [1] for creating an image of DISK

        Full size image
  3. 3.

    Analyze the Disk image

    1. 3.1

      Calculate Hash value of image (Tools → compute hash).

    2. 3.2

      Compare the Hash value of original with image. If equal start analysis else acquired data altered.

    3. 3.3

      Recover the necessary files and deleted files from the disk image. (Specialist → Interpret as image).

    4. 3.4

      Copied into a folder.

    5. 3.5

      Start analysis of the content recovered files of files.

    6. 3.6

      Image analysis, i.e., hidden data inside an image can be analyzed using steganography tools (Stools).

    7. 3.7

      Check header and footer of application file. Copy header and footer and paste into text pad. Sometimes evidence should be present in header and footers.

  4. 4.

    Conclude the investigation and generate report.

Recover Deleted File Using WinHex

  1. 1

    Open Drive image [1].

  2. 2

    Make as file view mode.

  3. 3

    Recover the necessary files and deleted files from the disk image. (Specialist → Interpret as image).

  4. 4

    Copy into a folder.

  5. 5

    Start analysis of the content recovered files.

  6. 6

    Open drive image–select file and right click.

Investigation on IPR Crime–Source Code Theft

IP crime is generally known as counterfeiting and piracy. Counterfeiting is intentional trademark infringement, while piracy involves intentional copyright infringement. Now, IPR crimes are becoming a big issue in big businesses. However, it is not a new phenomenon but due to globalization and advances in technology counterfeiting and piracy become big business (Fig. 3).

Fig. 3
figure 3

Screenshot of Winhex tool [1] to recover/copy deleted file

Full size image

The investigation procedure of a source code theft

  1. 1.

    Assess the crime scene.

  2. 2.

    Find which source code files are thefts.

  3. 3.

    Calculate hash value of the theft files and save it into text file.

  4. 4.

    Find out who are involved in the project.

  5. 5.

    Investigate their USBs and PCs–Take an image of all drives using Winhex tool…

  6. 6.

    Investigate their email accounts—take an image of Email folders using Winhex tool.

  7. 7.

    Analyze the drives–Open drive images in Winhex.

(Tools → open disk).

  1. 8.

    Calculate hash value of the drive/disk.

(Tools → compute hash).

  1. 9.

    Store hash value in a text file.

  2. 10.

    Find out if source codes are available in drives.

  3. 11.

    If deleted recover all deleted files using winHex (Right click on the files folder and recover).

  4. 12.

    Again calculate the hash value of the recovered files.

  5. 13.

    If the hash value of the recovered source code files are equal, then commit the crime happened by the person who owns the above files.

  6. 14.

    Sometimes source code can hide inside the image.

  7. 15.

    We can find out the hidden data using steganography tools or click the particular image in the winHex and check the content displaying window. If the content contains hidden text data then it will display directly.

Algorithm to Find Evidence in the Storage Media

  1. 1.

    Start.

  2. 2.

    Take the image of the disk drive (using tools like Winhex or Linux dd command) (For integrity, perform hash value calculation).

  3. 3.

    Perform chkdisk of the particular drive.

  4. 4.

    Shows the number of bad sectors.

  5. 5.

    Open the particular drive using Runtime Explorer or Anadisk/BXDR.

  6. 6.

    Copy the content of bad clusters.

  7. 7.

    Analyze using any hexeditors.

Investigating Emails

Email is an essential type of communication in the current fast world. It is the most preferred form of communication. The ease, speed, and relative secrecy of emails have made it a powerful tool for criminals.

The following are the major email-related crimes.

  1. 1

    Email spoofing.

  2. 2

    Sending malicious codes through email.

  3. 3

    Email bombing.

  4. 4

    Sending threatening emails.

  5. 5

    Defamatory emails.

  6. 6

    Email frauds.

Email Investigation Procedure

Email investigation can be done with two methods Email tracking and Email tracing. Email Tracking tells us that tracking down an IP address will give a general idea of what city, state, and other geographical information pertains to the original sender. You can also determine what ISP a computer user is networked with through an IP address lookup tool. www.ReadNotify.com is an online service for email tracking. It tracks an email as to when it was read/reopened/forwarded, and much more. In cases where only an email ID is obtained as clue to track the sender of an email, services like ReadNotify.com can prove helpful. Email Tracing gives other information, such as how many times an email was sent to various servers and is an important method used for determining the original source of an email. By tracing an email you can determine the original sender’s IP address, therefore giving you a geographical location of the email sender.

  1. 1.

    Assess the crime scene.

  2. 2.

    Take a copy of compromised email folder.

  3. 3.

    Analyze Email folder.

    1. 3.1.1

      Open Email folders–inbox, outbox, spam.

    2. 3.1.2

      Open each mail and analyze header of email.

    3. 3.1.3

      From header can identify IP address of source.

  4. 4.

    Analyze Body message.

    1. 4.1.1

      Copy body message into a notepad (text file).It shows any hidden formatted messages.

  5. 5.

    Download any attachments the particular email has.

If it contains any images, then check with steganography tools. All these analyses give the necessary evidence of the email crime.

Networks Forensic

Network forensics is a subfield of digital forensics where evidence is captured from networks and interpretation is substantially based on the knowledge of cyber attacks. It aims to locate attackers and reconstruct their attacks actions through the analysis of log files and monitoring network traffic.

Log File Analysis

In many cyber crime cases (especially web defacement cases), analysis of FTP and web server logs gives the most crucial evidence—IP address of the suspect [5]. Log files are key informers of web usage. Log files typically keep logs of the requests they receive. Data that are often logged by web servers for each request include Timestamps; IP address, Web server version, Web browser version, and OS of the host making the request; Type of request (GET/POST) read data or write data; the resource is requested and the status code. The response to each request includes a three-digit status code that indicates the success or failure of the request.

Log file investigation procedure.

Step1:

Collect server log file from the network administrator.

Step2:

Open file notepad.

Step3:

Searching key words (Given in the case scenario–or IP or admin username) from this file using searching utility of notepad.

Step 4:

Copy and Paste those particular lines into another text file.

Step 5:

Analyze all fields of logfile, for e.g.: IP, Access Time, file Path, status codes, methods (GET/POST).

Network Traffic Analysis

Network traffic analysis will help investigators to reconstruct and analyze network-based attacks and inappropriate network usage, as well as to troubleshoot various types of operational problems. Network forensic analysis relies on all of the layers. Analysts begin to examine data, likely an IP address, protocol, and port information. Collecting network traffic can create legal issues. Capture (intentional or incidental) of information breaks privacy or security implications, such as passwords or the contents of e-mails.

Sources of Network Traffic

  • Firewalls and routers.

  • Packet sniffers and protocol analyzers.

  • Intrusion detection system.

  • Remote access.

  • Network forensic analysis tools.

  • Other sources are:

  • Dynamic Host Configuration Protocol Servers.

  • Network Monitoring Software.

  • Internet Service Provider Records.

  • Client/Server Applications.

  • Hosts. Network Configurations and Connections.

Examination and Analysis of Network Traffic

The examination process extracts and prepares data for analysis. The examination process involves data translation, reduction, recovery, organization, and searching. For example, known files are excluded to reduce the amount of data, and encrypted data are decrypted whenever possible to recover incriminating evidence. A thorough examination results in all relevant data being organized and presented in a manner that facilitates detailed analysis. The analysis process involves critical thinking, assessment, experimentation, fusion, correlation, and validation to gain an understanding of and reach conclusions about the incident based on available evidence (Casey and Palmer, 2004). In general, the aim of the analysis process is to gain insight into what happened, where, when, how, who was involved, and why [6].

The first step in the examination process is the identification of an event of interest. There are two types of identification.

  1. 1.

    Someone within the organization–system administrator, network administrator, user, or employee.

  2. 2.

    Some monitoring system like IDS or Firewall alerts showing an incident happened [6].

Child Pornography Investigation Examination Process Would Include

  1. 1.

    Examining all graphics or video files from network traffic.

  2. 2.

    Examining all web sites accessed.

  3. 3.

    Examining all Internet communications such as IRC, Instant Messaging (IM), and email.

  4. 4.

    A search for specific usernames and keywords to locate additional data that may be relevant.

  5. 5.

    Most of the relevant data to the investigation have been extracted from network traffic.

  6. 6.

    Extracted data made readable.

  7. 7.

    They can be organized in ways that help an individual analyze them.

  8. 8.

    Gain an understanding of the crime.

As the analysis process proceeds, a complete picture of the crime emerges often resulting in leads or questions that require the analyst to return to the original data to locate additional evidence, test hypotheses, and validate specific conclusions (Fig. 4).

Fig. 4
figure 4

A conceptual representation of packets in network traffic relating to a single flow being extracted and reconstituted to obtain the data they carry [6]

Full size image

Flow Reconstruction [6]

Because most networks use TCP/IP to transmit data between hosts each TCP connection is bi-directional, comprising one flow for receiving data and a second flow for sending data. Because TCP breaks data into packets prior to transmission, tools for examining network traffic require some ability to reconstruct flows [6].

Conclusion

This paper explains introduction to digital forensics and summarizes different types of attacks and its sources in Sect. “Types of Cyber Crimes”. Section “The Cyber Investigation Process of a Compromised System” explains steps in the investigation process practically with WinHex tool. Section “Networks Forensic” explains the network forensics and investigation procedures in the log files as well as in the Network traffic.