Digital Forensics

Vidoushi D. Bahadur-Somrah

Abstract

This report on digital forensics contains researched information on computer forensics and on how investigators examine the evidence they obtain in order to solve crimes such as cybercrimes. It highlights ways of hiding data, along with the methods and procedures used to deploy hidden information. The report also shows the effectiveness of the ‘Daubert guidelines’, which are used to test digital results for validity and accuracy before they reach the court of justice. An investigation of e-mail related crimes is provided, which includes some commonly known e-mail scam examples and the process involved in finding the offenders.

Keywords: Digital forensic; Computer forensic; Steganography; Daubert guidelines; Stegdetect; E-mail crimes and violations.

1. Introduction

Digital technology has been subject to a number of innovations and improvements in various domains over the years, and the Internet and wireless technologies are good examples of successful outcomes. As the use of computers, together with the Internet and other digital systems, becomes more popular and significant in our daily activities, the number of computer-related crimes has increased proportionally. Digital systems today are the ultimate tool in money management, e.g. banking systems, and criminals and fraudsters are finding new ways to make easy money, which means the use of computers to attack such systems is more evident. Unfortunately, there have been court cases where innocent people have been prosecuted and criminals walked free because investigators were unable to provide and authenticate evidence.
This is why digital forensics today forms part of crime investigations and plays an important role in identifying, collecting and examining digital evidence to find the truth. Investigators use highly sophisticated tools and procedures to identify evidence and help solve crimes. This report mainly focuses on the digital forensic analysis of digital-related crimes and provides information on how it operates, the tools available for its successful application and the challenges it faces. Further information is also provided on the detection of hidden data, the reliability of evidence found and e-mail crimes.

2. Digital forensic

Digital forensics is the science of identifying evidence from digital sources; it provides forensic experts with robust tools and techniques to solve complicated digital-related crimes. There are 4 technical sub-branches within digital forensics which can be applied to solve such crimes: Computer, Network, Database and Mobile-Device forensics. Each technique helps to detect, collect, analyse and conclude on evidence found, which could be used in a court of law. The availability of the latest software detection tools and techniques has also made digital forensics a more reliable and trustworthy method of identifying evidence. Digital forensics is therefore used for a number of purposes in an investigation, such as to support or refute evidence and to check whether documents are legitimate, among others.

3. Computer forensic

Computer forensics, which forms part of digital forensics, is the technique used to extract information from a computer platform to identify evidence. It is defined as “a new discipline which combines computer science and law elements in order to collect and analyse data from computer systems, networks, wireless communications and storages devices in a way that the data is admissible as evidence in a court of law” [4, p1]. Through this technique, computer-related crimes such as intellectual property theft, child pornography, identity theft, hacking attacks and even terrorism activities where emails are exchanged can be traced and stopped, and evidence collected to prosecute the wrongdoers. Sophisticated tools available today can also retrieve or recover purposely ‘deleted, hidden and even encrypted data’ of any format, even from damaged media, by using various methods and software capabilities to preserve the evidence found from any further damage. Computer forensics therefore helps to capture vital information today that would not have been obtainable with traditional investigation methods.

3.1. Examining computer evidence

Criminal investigations involving computer forensics are undertaken in accordance with procedures set within the science of digital forensics. These procedures depend on the type of data to be collected, of which there are two: ‘persistent’ and ‘volatile’ data. Persistent data remains present even when the computer is switched off and is located in devices such as hard drives. Volatile data is the opposite: it is lost when the computer is switched off and is commonly located in random access memory (RAM), registries and cache. Volatile data cannot be preserved or recovered once the computer is in an off state. As a result, investigators or forensic experts must be able to apply the correct procedures and make use of the correct tools to collect and preserve evidence.

Other forms of evidence usually collected in an investigation are physical items. Physical items such as broken CDs, damaged hard drives, shredded paperwork, photographs etc. are collected and examined in highly sophisticated laboratories to identify and preserve evidence. To identify the ‘hidden’ evidence, forensic experts make use of computer software, electronics and other tools to ensure that the information required is captured and preserved from the physical evidence. Even though forensic laboratories are highly reputable for being efficient in preserving the integrity of evidence gathered from physical items, it is also important that “computer forensics also require methods to ensure the integrity of the information contained within those physical items. The challenge to computer forensic science is to develop methods and techniques that provide valid and reliable results while protecting the real evidence (the information) from harm” [1, p5].

4. Hidden information

In the past, people used several different techniques, such as invisible ink or coded messages, to hide information from others. With the rise of the digital age, new ways are being used to hide information in various forms such as text, audio waves, imaging, digital coding, digital watermarking, unoccupied space of storage devices and TCP/IP packets, among others. These techniques are collectively called ‘steganography’, which can be defined as “the art of covered, or hidden, writing. The purpose of steganography is covert communication to hide a message from a third party” [5, p1]. This technique therefore allows fraudsters to store hidden information on both computers and networks by employing any binary file format. The most common techniques used to hide secret messages are via imaging and audio file formats.

4.1. Methods to hide information

Fraudsters use clever methods to hide information in digital media.
Some common examples that forensic experts are fully aware of are:
- Unused, or emptied, space in previously used files
- Unused space of file header
- Unused section in hard drive
- Network protocols – “for example, forms a covert communications channel using the identification field in Internet Protocol (IP) packets or the Sequence Number field in Transmission Control Protocol (TCP) segments” [5, p9].
- Audio sound – some small modification in the sound, like shifting the wave frequency angle, or beat.
- Image file – modification of the original colour palette with the hidden data once it has been compressed.

4.2. Examples of hidden information in imaging and audio file

Image and audio file alteration is a common method used by those who want to carry hidden data secretly. The hidden information can lead to the audio file sounding too loud or the image file appearing too bright in colour, which are examples of the distortion in quality that results from altering the original file of such formats. These changes are caused by Least Significant Bit (LSB) substitution, which either overrides the original colour palettes or palette pointers in image files such as ‘GIF’ files, or simply overrides the Pulse Code Modulation (PCM) level in the audio file. The resulting deformation in the quality of the image or audio file can be detected by examining the file at code level. However, it can be quite challenging to detect hidden data, as “almost all techniques used to hide the data within the file use some sort of method to randomize the actual bits in the carrier file that are modified” [5, p10].

Another method of hiding information within image files is the duplication and manipulation of the colour structure within the colour palette, which makes the same colour appear twice in the original colour palette. JPEG is an image file format in which data is relatively easy to hide using ‘LSB insertion’. The hidden data will alter the original JPEG file and, depending on its resolution, might not be detected by the naked eye. However, the change might be evident in lower-resolution files. There are several algorithms used to hide information within JPEG image files, such as ‘JSteg’, ‘JP Hide&Seek’, ‘F5’ and ‘OutGuess’.
These algorithms work differently to hide data in a JPEG file; for example, “JSteg sequentially embeds the hidden data in LSBs, JP Hide&Seek uses a random process to select LSBs, F5 uses a matrix encoding based on a Hamming code, and OutGuess preserves first-order statistics” [5, p16].

Unfortunately, as technology improves, it is likely that fraudsters will apply more sophisticated techniques, which would complicate the investigation. The hidden data could be designed in a non-detectable format and appear to be original and not tampered with.

5. Detection of hidden information

Detecting hidden information is a highly complex exercise for forensic experts. The hidden information within the evidence being investigated can be indistinguishable and appear not to be present. The carriers used to hide the information are more sophisticated in texture and make it difficult to detect anything. Also, if forensic experts lack the skills and experience to distinguish the techniques and tools used to hide the data, the process of retrieving the evidence is delayed and the investigation takes longer.

Steganalysis is a technique used to trace “hidden information based upon observing some data transfer, making no assumption about the stego algorithm” [5, p15]. This method, in use since the 1990s, serves to detect hidden information. Once detected, all hidden information is extracted and the original source is disabled so that it cannot be accessed and altered, and remains in a preserved state to be used in a court of law. In crime investigations, investigators’ main concerns are the gathering, analysis and preservation of evidence.

5.1. Method and tools used to detect hidden data

Because fraudsters are now using highly sophisticated tools to hide data, it has become increasingly difficult for forensic experts to know when, where, and which algorithm has been employed to hide data.
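
Section 4.2's LSB substitution with random-looking payload bits pushes each pair of neighbouring sample values (2k, 2k+1) towards equal counts, and a chi-square test on those pairs (the approach of Westfeld and Pfitzmann's attack, which this report does not name) detects that. The Python below is an added example, not code from the report or from the tools it cites; the 8-bit samples are constructed, and the function names, seed and Wilson-Hilferty tail approximation are assumptions of the example.

```python
import math
import random
from collections import Counter

def pov_chi_square(samples):
    """Chi-square statistic over value pairs (2k, 2k+1), plus degrees of freedom."""
    hist = Counter(samples)
    stat, pairs = 0.0, 0
    for even in range(0, 256, 2):
        # Random LSB overwrites push both members of a pair towards this mean.
        expected = (hist[even] + hist[even + 1]) / 2
        if expected >= 5:  # ignore sparsely populated pairs
            stat += (hist[even] - expected) ** 2 / expected
            pairs += 1
    return stat, pairs - 1

def embedding_probability(samples):
    """Upper-tail chi-square probability: near 1 if pairs are equalised, near 0 if not."""
    stat, dof = pov_chi_square(samples)
    if dof < 1:
        raise ValueError("too few populated value pairs to test")
    # Wilson-Hilferty normal approximation to P(chi2_dof > stat).
    spread = 2 / (9 * dof)
    z = ((stat / dof) ** (1 / 3) - (1 - spread)) / math.sqrt(spread)
    return 0.5 * math.erfc(z / math.sqrt(2))

def scan_prefixes(samples, step):
    """Score growing prefixes; the score falls once a prefix outruns the payload."""
    return {end: embedding_probability(samples[:end])
            for end in range(step, len(samples) + 1, step)}

def make_cover(n, rng):
    """Constructed carrier: 8-bit samples in which even values outnumber odd ones 7:3."""
    return [2 * rng.randrange(128) + int(rng.random() < 0.3) for _ in range(n)]

def overwrite_lsbs(cover, positions, rng):
    """Constructed test case: random payload bits written at the given positions."""
    stego = list(cover)
    for i in positions:
        stego[i] = (stego[i] & ~1) | rng.getrandbits(1)
    return stego

def demo():
    rng = random.Random(2011)  # fixed seed so the constructed data is repeatable
    n, payload = 40000, 12000
    cover = make_cover(n, rng)
    sequential = overwrite_lsbs(cover, range(payload), rng)
    scattered = overwrite_lsbs(cover, rng.sample(range(n), payload), rng)
    return {
        "cover": embedding_probability(cover),
        "fully_embedded": embedding_probability(overwrite_lsbs(cover, range(n), rng)),
        "sequential_by_prefix": scan_prefixes(sequential, 4000),
        "scattered_whole_file": embedding_probability(scattered),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The scattered case scores near zero even though it carries the same payload as the sequential one, which is the difficulty the randomising algorithms of section 4.2 create for this kind of test.
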

Some of the sophisticated software tools used by forensic experts during an investigation are “WetStone Technologies’ Gargoyle and Niels Provos’s Stegdetect” [5, p17-18]. These software packages have been specially designed with the main goals of:
- Locating the source of the hidden programs.
- Detecting the form of suspected transportation files.
- Extracting the secretly hidden message.

The Gargoyle software by WetStone Technologies is an effective program that can locate hidden data by using “a proprietary data set (or hash set) of all of the files in the known stego software distributions, comparing
them to the hashes of the files subject to search” [5, p17]. It can identify malicious items such as hidden data, spyware, Trojan horses etc. in the files. It therefore helps to detect, disrupt and reduce attacks.

The Stegdetect software by Niels Provos is another commonly used detection tool that locates hidden data in JPEG images, and it works by “using steganography schemes like ‘F5’, ‘Invisible secret’ among others” [5, p18]. As Stegdetect is a quality and highly robust piece of software, it detects the hidden data as well as the technique used to hide the data in JPEG files.

Both detection programs work effectively when there is an indication of the type of file and the method used to hide messages. For example, if investigators suspect that the ‘S-Tools’ type was used to hide data, this would direct them to file sources like “GIF, BMP and WAV files”, and the ‘JP Hide&Seek’ type would point them to the JPEG file format. Carrier file type-specific algorithms are another method of analysis that renders the detection of hidden data easier.

Statistical analysis is a common way to detect untraceable information; it is a robust but much more complicated method that measures the amount of redundant data and suspicious activity in both image and audio file formats. It is a complicated technique because “some stego algorithms take pains to preserve the carrier files first-order statistics to avoid just this type of detection” [5, p16]. Also, the randomness of hidden and encrypted data makes it more difficult to identify, because 0s and 1s are present with equal likelihood. Extracting the hidden data by using statistical analysis is therefore a much more complicated task, and investigators must have a broad knowledge of message lengths, including the crypto algorithm and encryption key, together with the techniques to be used to retrieve the data without compromising its integrity.

6. Reliability of data found

Pieces of data retrieved during the investigation process that are to be used as digital evidence must be both reliable and relevant to the case. That means investigators have to carefully select the information relevant and valid to the prosecution case. Not all data obtained from the crime scene is relevant or important. In the same way, evidence should be carefully collected, stored and transported from the crime scene to preserve its originality. This will help the investigators to build a solid case in the form of a chain of evidence which can prove who is involved in the criminal activity. Once the case is built and approved by the team of investigators and forensic experts, it is then confidently presented to the court of justice.

Digital evidence is required by law to undergo a Daubert hearing before being formally presented in court. The Daubert hearing is a pre-trial session where the judge decides whether the tools and methods used to collect, analyse and retrieve the digital evidence are viable and whether the evidence can be presented in court. The Daubert guidelines state that digital evidence has to be tested against 4 general categories in order to prove its reliability and quality. The four phases are: “testing, error rate, publication, and acceptance” [3, p3].
- In the testing phase, methods are checked for the accuracy of the results obtained. There are two ways to test the results obtained: “False Negative and False Positives” [3, p4]. The false negative test shows whether the tools and methods used can properly retrieve the data from the system. The false positive test confirms that the tools used have not generated new data and jeopardised the results.
- The error rate checks the error percentage of the output results and checks that it is within acceptable tolerance.
- “The publication guideline shows that the procedure has been documented in a public place and has undergone a peer review” [3, p6].
- The acceptance phase checks the feasibility of the tools and procedures applied during the investigation and whether they are acceptable to the scientific community.

7. E-mail crimes and violations

E-mail is now a very popular means of communication from one person to another. It is fully integrated in education and business as well as being used for personal purposes. The advantages of e-mail are non-dependency
on geography or location and the fast/instant and cost-effective delivery of messages. Yet there are some threats linked to the usage of e-mail systems which can affect genuine users and have severe consequences such as financial loss, privacy loss, and mental persecution and fear. Some of the common examples of e-mail crimes and violations that have been outlined in the past few years are: job opportunity, investment, inheritance and bank scams.

7.1. Some examples of e-mail crimes and violations

Inheritance scam

The inheritance scam works by luring innocent people with a large amount of money. Fraudsters make contact with individuals and say that a relative at a particular location has claimed that they are the only relative left and hence there is a large sum of money to be inherited. However, the fraudsters claim that to ‘unlock’ the money, the individual must first transfer a smaller sum to an account. They also add that the only way to gain access to the inheritance is to open an account with them, through which they can get all personal and bank details. Another technique is for the fraudsters to claim that they themselves are to inherit money but need to transfer a smaller sum to the lawyers, which they claim they do not have. They ask the innocent individual to lend them some money, for which they say they are prepared to compensate generously once they get their inheritance money. This scam e-mail works.

Bank scam

The bank scam is another technique used by fraudsters to gain access to innocent people’s account details. It takes the form of an email received by the individual stating that their account has been suspended due to the identification of unknown access. The received email has a link which redirects the individual to a look-alike of their bank’s homepage. The individual then tries to log into the account, which obviously never works, but in doing so has given all the personal login details to the fraudsters.
There are variations of this scam where fraudsters are trying new ways to make easy money. An example of a bank scam is the ‘HSBC Phishing Email Scam’, which HSBC has warned its customers about.

7.2. Process of investigating e-mail crimes and violations

Email is recognised in most countries as a legal document and can therefore be used as evidence in a court of law. Cybercrime investigation cases such as stalking, child pornography, money extortion and mental harassment have seen email widely used as evidence to convict those guilty of the crime.

There are several phases involved in the investigation of e-mail crimes and violations. Each investigation includes the collection and analysis of the evidence found, which are fully detailed in a report before being presented to court. The analysis of the email evidence consists of examining, copying and printing the email message; viewing and examining the email headers; examining any attachments; and finally tracing the email. The investigation of email crimes is very similar to that of any other crime and involves analysing the evidence to identify the person guilty of the crime [9, p394-409].

Examining, copying and printing the e-mail message

Investigators need a victim’s computer and password to examine and decode protected files during an investigation. They will also need a copy of the malicious e-mail, to identify its source from IP address details, and to print it to identify its header. This process can be undertaken with the Eudora or Outlook Express email software, and the suspected e-mail can be securely transferred from the inbox folder onto disks or alternative sources without jeopardising its integrity [9, p394].

Viewing and examining the e-mail headers

The email header is the place where most information is normally hidden.
The information consists of the operating system and hostname of the source PC and the e-mail application used, which investigators can use to direct them to fraudsters in no time [9, p396-399].
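
The header examination described above, as an added Python example (not code from this report or from the CHFI text it cites): it parses the Received chain of a constructed message, separates hops stamped by the recipient's own servers from unverified upstream claims, and flags timestamps that run backwards. The host names, documentation-range addresses, the TRUSTED set and the five-minute skew allowance are assumptions of the example.

```python
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed message: example domains and documentation addresses only.
SAMPLE = """\
Received: from mx.corp.example (mx.corp.example [198.51.100.25])
    by mailstore.corp.example with ESMTP id A1; Wed, 12 Oct 2011 09:15:07 +0000
Received: from relay.isp.example (relay.isp.example [203.0.113.40])
    by mx.corp.example with ESMTP id B2; Wed, 12 Oct 2011 09:15:05 +0000
Received: from [10.0.0.5] (dsl-host.isp.example [203.0.113.77])
    by relay.isp.example with ESMTP id C3; Wed, 12 Oct 2011 09:14:58 +0000
Received: from mail.bank.example ([192.0.2.200])
    by gateway.bank.example with SMTP id D4; Wed, 12 Oct 2011 10:30:00 +0000
From: "Account Services" <security@bank.example>
To: victim@corp.example
Subject: Your account has been suspended
X-Mailer: ExampleMailer 1.0
Date: Wed, 12 Oct 2011 09:14:50 +0000

Please verify your details.
"""
# Assumed: the mail servers operated by the recipient's organisation.
TRUSTED = {"mx.corp.example", "mailstore.corp.example"}
HOP = re.compile(r"from (\S+) \((?:\S+ )?\[([0-9A-Fa-f:.]+)\]\) by (\S+) .*; (.+)$")

def parse_hops(raw):
    """Return Received hops newest first, the order they appear in the header."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        match = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if match:
            helo, ip, by, when = match.groups()
            hops.append({"helo": helo, "ip": ip, "by": by,
                         "when": parsedate_to_datetime(when)})
    return hops

def trace(raw, trusted, skew=timedelta(minutes=5)):
    """Summarise what the headers prove and what they merely claim."""
    hops = parse_hops(raw)
    # Only hops stamped by our own servers are reliable; anything older was
    # written upstream or by the sender and needs other logs to confirm it.
    n_trusted = 0
    while n_trusted < len(hops) and hops[n_trusted]["by"] in trusted:
        n_trusted += 1
    entry = hops[n_trusted - 1] if n_trusted else None
    # An older hop should not be stamped later than the hop that followed it.
    anomalies = [old["ip"] for new, old in zip(hops, hops[1:])
                 if old["when"] - new["when"] > skew]
    msg = message_from_string(raw)
    return {
        "entry_ip": entry["ip"] if entry else None,
        "unverified_ips": [hop["ip"] for hop in hops[n_trusted:]],
        "time_anomalies": anomalies,
        "mailer": msg.get("X-Mailer") or msg.get("User-Agent"),
    }

if __name__ == "__main__":
    print(trace(SAMPLE, TRUSTED))
```

The unverified addresses are leads to corroborate against the upstream relay's logs, not attributions.
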

Tracing the e-mail

The IP address retrieved from an email can sometimes be hard to trace. This is because not all information obtained can be traced back to the original sender. There are some websites that can help investigators trace the original host, such as “www.arin.net, and www.freeality.com” among others [9, p404-405].

There are a number of other tools and techniques that can be used during an investigation in order to validate and authenticate the evidence found via email, such as system logs like “network equipment, and UNIX email server” [9, p405]. These system logs are used to check the source and path of the email in order to find the fraudster behind the crime.

8. Conclusion

Digital forensics today is an essential part of any investigation which involves the use of new technologies to gather and analyse evidence to be used in court. It is a challenging science, and researchers must continue to improve the forensic techniques, tools and software to incorporate new capabilities and counter new techniques used by fraudsters and criminals. Forensic experts must maintain the high reputation of being able to detect, extract or prevent these unauthorised encrypted messages from causing any harmful attack on government, businesses or civilians. It is believed that newer techniques will be introduced to detect hidden information and locate evidence as fraudsters try new ways to get around existing systems.

9. References

1. M.G. Noblett et al. Article: “Recovering and examining computer forensic evidence”. [Internet]. Publication: Volume 2, Number 4, 2000. Accessed on 09/10/2011. Available through Google document at http://docs.google.com/viewer.
2. Ehow.com [Online community]. Article: “Forensic Topics”. Published: 2010, updated 11/12/2010. Accessed on 12/10/2011 at http://www.ehow.com/list_7481819_forensics-topics.html.
3. Digital-evidence.org [Online research paper]. Article: “Open Source Digital Forensics Tools”. Author: Carrier, B.
Published: 2002. Accessed on 10/10/2011 at http://www.digital-evidence.org/papers/opensrc_legal.pdf.
4. US-CERT.gov [Online United States Computer Emergency Readiness Team]. Article: “Computer Forensics”. Published: 2008. Accessed on 10/10/2011 at http://www.us-cert.gov/reading_room/forensics.pdf.
5. Citeseerx.ist.psu.edu [Online Scientific Literature Digital Library]. Article: “Overview of Steganography for the Computer Forensics Examiner”. Author: Kessler, G. C. Published: February 2004. Accessed on 10/10/2011 at http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.90.8113&rep=rep1&type=pdf.
6. Citeseerx.ist.psu.edu [Online Scientific Literature Digital Library]. Article: “Digital Forensic Analysis of E-Mails: A Trusted E-Mail Protocol”. Author: Gupta, G. et al. Publication: Volume 2, Issue 4, 2004. Accessed on 06/10/2011 at http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.63.3656&rep=rep1&type=pdf.
7. Money.uk.msn.com [Online business news]. Article: 2010s biggest email scams – “The inheritance scam”. Author: Simon Ward, senior editor. Published: 24/12/2010. Accessed on 12/10/2011 at http://money.uk.msn.com/news/crime/photos.aspx?cp-documentid=155566151&page=11.
8. Money.uk.msn.com [Online business news]. Article: 2010s biggest email scams – “The account maintenance scam”. Author: Simon Ward, senior editor. Published: 24/12/2010. Accessed on 12/10/2011 at http://money.uk.msn.com/news/crime/photos.aspx?cp-documentid=155566151&page=12.
9. Kleiman, D. The Official CHFI Exam 312-49: “For Computer Hacking Forensics Investigators”. Kevin Cardwell, Dave Kleiman, Timothy Clinton, editors [internet]. Burlington: Syngress Publishing Inc.; 2007. Accessed on 14/10/2011. Available through Google website: http://books.google.co.uk/books.