1. What is the timeline of cyber or digital forensics up till date?
2. With a case scenario, discuss the chain of custody principle in digital or cyber forensics.
3. Discuss, compare and contrast the existing hatching algorithms.
Today, every activity of an organisation or an individual depends directly or indirectly on digital information, which is either created by a person or transferred digitally. With the advancement of technology and the wide application surface of digital information, cybercrimes put users at risk and make them victims of the losses these crimes cause. Even multinational companies and nations have become victims of cybercrime in the recent past. Because proper digital evidence of an incident is often lacking, it has become difficult to check these activities, and digital data can easily be destroyed or manipulated, which has allowed them to evolve into severe crimes in modern society. There was therefore an urgent need to implement standardised methods and approaches to investigate and document the evidence so that it could be produced for inspection of a cybercrime before a court or any other judicial body, which can then take legal action against the accused who committed the crime.
As internet technology is deeply rooted in modern society, there is a wide spectrum of opportunities to integrate it into everyday life, but this unfortunately increases the risk of threats to the privacy and security of digital information. Cyber forensics plays a vital role in investigation and is used extensively to legally establish or exclude a case between the accused and the victim, similar to any other criminal investigation, in order to reach a final verdict.
Evolution of cyber forensics
The origins of cyber forensics go back around thirty years. It was initially practised by military researchers of the United States, who identified criminal activities carried out with the help of digital information processing systems and computer programs to attack victim systems, sabotage information, manipulate the data present on government systems and eventually profit from those activities. Government personnel were deployed to take measures against such activities by protecting important and confidential information and improving security measures to prevent the loss of sensitive information. The need to secure sensitive information led not only to the development of information security to protect against breaches but also to cyber forensics, which investigates and traces the evidence of a particular data breach or other hi-tech crime involving digital information.
Over the following decades up to now, information security and cyber forensics have become intertwined, and their application areas have grown exponentially. Moreover, many governments have taken the initiative to enact laws to curb cybercrime and treat it seriously, since most cybercrimes cause loss of property to an organisation, an individual or a nation as a whole, or may even be life-threatening. This has led law enforcement bodies and defence-related organisations to maintain an active presence in the fields of information security and cyber forensics at different levels. Most reputed private organisations, especially banks and financial institutions, also rely on them by employing information security and cyber forensics personnel or contracting cyber security firms to secure their sensitive information.
Cyber forensics and information security evolve as a never-ending process, as cybercrimes and attack mechanisms such as worms, spyware, malware and ransomware keep evolving in order to evade existing security measures. The software tools for cyber security and cyber forensics therefore evolve in parallel, and more personnel are needed in response to the increase in crimes that involve technology and computers.
THE TIMELINE OF CYBER FORENSICS
1980s-1990s
⦁ Computers were primarily stand-alone machines with basic storage media
⦁ Simple, non-automated forensic tools
⦁ Manual analysis of very small amounts of data on very slow computers
⦁ Primitive investigation skills with very simple tools
2000 to 2010
⦁ Faster computers with exponential growth in the amounts of data stored and processed compared to earlier systems
⦁ Automated computer forensic tools; complex implementations made it easier to track security incidents
⦁ More complex data and software
⦁ Security enhanced with strong encryption and antivirus programs
2010 to date
⦁ New technologies with advances in network communication and wireless networks
⦁ Rapid increase in internet usage
⦁ Mobile devices, social networking, gaming consoles, smart devices, IoT, etc.
⦁ New tools for artificial intelligence, infrastructure security and network security evolved
⦁ More advanced skills required of security analysts and cyber security investigators to work with advanced tools and technologies
Chain of custody
The chain of custody refers to the standardised process of securing, transporting and verifying evidence. Here evidence refers to any entity (hardware or software) or any other valid proof accepted for investigation. The chain of custody is an essential step in a cyber forensics investigation. It acts as an audit trail of all actions performed on the proof of a cybercrime and records 'who did what' and 'when it happened' to a particular piece of evidence. It includes all the information on the time, place and persons responsible for handling the evidence before it is presented in court, and it serves as proof that the evidence was not tampered with during the investigation.
The chain of custody document should answer the following questions:
How was the evidence collected?
When was it collected?
How was it transported?
How was it tracked?
How was it stored?
Who has access to the evidence?
Chain of Custody - A CASE STUDY
Consider a case scenario in which an employee was fired on charges of inappropriate use of an office computer. The suspect was misusing the computer in his cubicle to access unsuitable websites at work and performing unusual activity on the network by downloading pornographic material and participating in chat rooms during office hours. The person is also suspected of bypassing the company's proxy servers to access the internet. These activities are forbidden under company policy. The accused claims that he was unaware of these activities and that they happened accidentally through opening a spam email in his mail account.
The following are the key points of the complaint against the accused:
⦁ The complaint stated that the employee's computer contained a large volume of pornographic material
⦁ Usage of offensive and misleading terms
⦁ Visiting websites hosting explicit material
⦁ Using administrator privileges to install software required to bypass proxy servers
Objectives
⦁ Performing a preview of the activities on the accused person's workstation.
⦁ Collecting supporting evidence for the incident for investigation.
⦁ Recovering volatile information such as the internet cache and temporary files on the system, which are crucial to analysing web activity.
⦁ Recovering the deleted items and search history of the user's web browser.
⦁ Collecting the usage logs from the administrator.
⦁ Establishing evidence of whether the user accessed web mail.
⦁ Establishing evidence of whether the user accessed restricted websites and chat rooms deliberately or not.
Investigation process:
⦁ The network configuration details and access logs for the 60 days prior to the employee's dismissal were collected and stored on a CD.
⦁ The accused person's workstation was securely transported to the forensics laboratory.
⦁ The hard disk of the accused's system was removed and connected to a forensic workstation through a write blocker, so that the analyst could access the contents without any modification and the content was preserved during access.
⦁ Formal documentation of the collected material was prepared and duly signed.
⦁ A forensic copy was made and preserved in a sealed container.
The analysis of the collected data yielded the following results:
⦁ Pornographic images and video content were found, and a directory listing of the hard disk was prepared
⦁ URLs pointing to restricted websites were recovered from the internet cache and the recovered internet history
⦁ Several searches containing offensive words were collected from the web search history
⦁ The access dates and times were identified and showed that these activities were usually carried out during the lunch break or off-shift hours; however, such actions were forbidden under the company's norms
⦁ The use of malicious plugins to manipulate the registry and bypass the proxy servers was identified
⦁ Use of the mail inbox was observed but was not related to the above activity; also, the recovered history does not show any sign of "unknown" redirects through spam
From the above investigative analysis, the accused was proved to be involved in the misuse of the company's computer, which violates the company's norms, and the company may take the necessary disciplinary action against the accused.
Just as with physical evidence, law enforcement must maintain a chain of custody for digital evidence. This is especially important because someone could easily erase or manipulate the data. The following example of chain of custody steps can help preserve the reliability and relevance of evidence.
After law enforcement collects digital evidence, a computer forensics technician analyzes the data before making a copy. The technician may install a write blocker or a password to reduce the risk of altering the data. Some also use digital hashing to secure the evidence.
The hash uses an algorithm to create a unique impression of the digital content. If anyone alters the data, the algorithm produces a different hash, making the tampering apparent. After securing the data, the technician tags the hardware or device and locks it up. To maintain the chain of digital evidence, anyone who accesses the hardware must log it in and out.
A full report outlining the findings of the investigation was generated by the forensic officer, along with the chain of custody, and presented to the investigator in the following format:
< NB: fill with appropriate data as required >
EVIDENCE CHAIN OF CUSTODY TRACKING FORM

Case Number: 2012
Offense: Inappropriate usage of computer in workplace
Submitting Officer (Name/ID#): _______________________________________________
Victim: M/S Orange Insurance Ltd.
Suspect: Mr. John Gill
Date/Time Seized: 10-09-2019
Location of Seizure: Orange Insurance Ltd., Main Branch, Pkwy, California

Description of Evidence
Item #   Quantity   Description of Item (Model, Serial #, Condition, Marks, Scratches)
1        ________   _______________________________________________________________
2        ________   _______________________________________________________________
3        ________   _______________________________________________________________

Chain of Custody
Item #   Date/Time   Released by (Signature & ID#)   Received by (Signature & ID#)   Comments/Location
1        _________   _____________________________   _____________________________   _________________
2        _________   _____________________________   _____________________________   _________________
3        _________   _____________________________   _____________________________   _________________

Final Disposal Authority
Authorization for Disposal
Item(s) #: __________ on this document pertaining to (suspect): ____________________________________________
is (are) no longer needed as evidence and is/are authorized for disposal by (check appropriate disposal method):
☐ Return to Owner   ☐ Auction/Destroy/Divert
Name & ID# of Authorizing Officer: ____________________________
Signature: ______________________ Date: _______________

Witness to Destruction of Evidence
Item(s) #: __________ on this document were destroyed by Evidence Custodian ___________________________ ID#: ______
in my presence on (date) __________________________.
Name & ID# of Witness to Destruction: ________________________
Signature: ______________________ Date: _______________
Discuss, compare and contrast the existing hatching algorithms
I THINK THIS QUESTION IS ABOUT HASHING
HOPE THE FOLLOWING MAY HELP
Hashing
The digital chain of custody also depends on hashing. Hashing is a cryptographic method of converting digital data of any file format into a string of characters. It provides security through encryption. Hashing also creates a more efficient store of data by producing hash values of a fixed size. It is done with programs that implement hashing algorithms.
Characteristics of hashing algorithms:
⦁ The same input data always generates the same output hash value.
⦁ Creating the hash takes little time and little computing power.
⦁ Any change in the input must produce an entirely different output.
⦁ The input cannot be deduced or calculated from the output.
⦁ The hash should have a fixed number of characters, regardless of the size or type of data used as input.
The above diagram demonstrates the hashes generated for different strings. We can observe that all hash values (on the right side) have the same size, and even small changes in the inputs generate very different hash values.
Hashing algorithms commonly used in cyber security and forensics:
⦁ SHA-1, SHA-2
⦁ MD5
⦁ AES
⦁ RIPEMD, etc.
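The hash check behind the chain of custody described above and the fixed-size and avalanche properties in the characteristics list, as an added Python example (not part of the original answer): EVIDENCE_IMAGE is a constructed stand-in for an acquired disk image, and the officer names in the log entry are placeholders.

```python
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image; a real case would read the
# bytes of the forensic copy (e.g. a raw .dd file) instead.
EVIDENCE_IMAGE = b"FAKE-IMAGE\x00" + bytes(range(256)) * 4

def hash_bytes(data: bytes, algorithm: str = "sha256") -> str:
    """Fixed-size hex digest of any input: the 'impression' of the content."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()

def custody_entry(item_id: int, released_by: str, received_by: str,
                  data: bytes, algorithm: str = "sha256") -> dict:
    """One row of the custody log: who handed what to whom, when, and its hash."""
    return {
        "item": item_id,
        "time": datetime.now(timezone.utc).isoformat(),
        "released_by": released_by,
        "received_by": received_by,
        "algorithm": algorithm,
        "digest": hash_bytes(data, algorithm),
    }

def verify_custody(entry: dict, data: bytes) -> bool:
    """Recompute the digest at each hand-over; a mismatch shows the item changed."""
    return hash_bytes(data, entry["algorithm"]) == entry["digest"]

def differing_bits(a: bytes, b: bytes, algorithm: str = "sha256") -> tuple:
    """(bits that differ, total bits) between the digests of two inputs."""
    xa = int(hash_bytes(a, algorithm), 16) ^ int(hash_bytes(b, algorithm), 16)
    return bin(xa).count("1"), hashlib.new(algorithm).digest_size * 8

if __name__ == "__main__":
    # Placeholder officer names; a real form carries name and ID# of each party.
    entry = custody_entry(1, "Seizing officer (ID# ___)", "Forensic analyst (ID# ___)",
                          EVIDENCE_IMAGE)
    print("logged:", entry)
    print("intact copy verifies:", verify_custody(entry, EVIDENCE_IMAGE))
    # Flip one bit to simulate tampering: the recorded digest no longer matches.
    tampered = EVIDENCE_IMAGE[:20] + bytes([EVIDENCE_IMAGE[20] ^ 1]) + EVIDENCE_IMAGE[21:]
    print("tampered copy verifies:", verify_custody(entry, tampered))
    print("digest bits changed by a one-bit edit: %d of %d" % differing_bits(EVIDENCE_IMAGE, tampered))
```

hashlib covers the digest algorithms in the list above (MD5, SHA-1, the SHA-2 family and, where the underlying OpenSSL provides it, RIPEMD-160); AES is a symmetric cipher rather than a digest, so hashlib has no entry for it.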