How to Conduct a Network Forensic Investigation

Network forensics is a branch of digital forensics concerned with monitoring computer network traffic in order to collect information and detect intruders who might interfere with data stored on computers. Network forensic investigations are conducted for security purposes and to support law enforcement. When conducted for security purposes, the work consists of monitoring the computer network for unwanted traffic and identifying any intruders (Du, Le-Khac & Scanlon, 2017). For instance, an intruder might gain access to the computers and crash the system software, thereby deleting relevant information; in such a situation, network forensics becomes the only option that can support forensic analysis. In supporting law enforcement, already captured traffic has to be evaluated, and the evaluation may involve recovering previous communications, such as emails, and gathering shared information. With the increased use of the internet, data security issues have increased significantly, and network forensic investigation has therefore also gained popularity.

Conducting a network forensic investigation is an activity of several steps. The first step is creating the policies and procedures to be followed throughout the process. Professionals conducting the investigation know that the information is of great importance and needs to be highly protected, so proper guidelines have to be developed. Koroniotis, Moustafa, Sitnikova & Slay (2017) state that policies that can be followed in a network forensic investigation include determining where recovered data should be kept, ensuring proper systems are in place for retrieving lost data, deciding when the professionals should begin recovering the evidence, and ensuring adequate documentation that will guarantee the legitimacy of the recovered data. Before undertaking a network forensic investigation, the investigators need to be conversant with the details of the subject matter: they should understand all investigative actions allowed by the law, determine whether search warrants are needed to prevent lawsuits against them, and acquire any permissions that the activity may require.

Forensic investigators need to consider the policies already in place, such as those on information security, data retention, and cybercrime prevention. According to Riadi (2017), new policies need to build on the existing ones to make the process effective. Network forensic policies should also cover preservation of the available and recovered data, methods of retaining data, how to accelerate the investigation process, and privacy. In addition, policies should include training programs, which may require hiring experts or may be outsourced to third parties. The team conducting the forensic investigation should also attend forensic training sessions both locally and internationally in order to stay up to date with technology. Organizations should also install digital management systems to preserve original content without any alteration. Developing the best policies and procedures for the investigation process helps to avoid errors while conducting it.

Once the relevant policies and procedures are in place, the next step is obtaining evidence. The correct evidence needs to be acquired in order for the final results to be considered genuine. To ensure the effective acquisition of relevant evidence, the cybercrime investigators need to document the data properly before, during, and after the process of obtaining the evidence. Investigators need to develop an appropriate plan for obtaining evidence (Harbawi & Varol, 2017). The plan should state when the process of obtaining the data will begin, the tools to be used in collecting the evidence, all stakeholders who might be consulted to gather the data, and when the evidence-gathering process will be finalized. While obtaining the evidence, the network forensic investigators should uphold its integrity; measures that protect the integrity of the evidence include following appropriate procedures for copying evidence to the investigators' systems and sharing it, and safely removing the physical devices used to store the data.
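The integrity measure described above, copying evidence to the investigators' systems without altering it, is usually enforced by hashing the original before the copy is made and re-hashing the copy afterwards. The following is an added example written for this essay, not code from any tool the essay names; the "drive image" it hashes is a constructed sample file in a temporary directory, and the function names are this example's own.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK_SIZE = 1024 * 1024  # hash in 1 MiB chunks so a large image never has to fit in memory


def sha256_of_file(path):
    """Return the SHA-256 hex digest of a file, streamed chunk by chunk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source_path, dest_path):
    """Copy an evidence file to the investigator's storage and record the hash
    of the original and of the copy; 'verified' is True only if they match."""
    source_hash = sha256_of_file(source_path)
    shutil.copyfile(source_path, dest_path)
    copy_hash = sha256_of_file(dest_path)
    return {
        "source": source_path,
        "copy": dest_path,
        "source_sha256": source_hash,
        "copy_sha256": copy_hash,
        "verified": source_hash == copy_hash,
    }


def verify_image(path, expected_sha256):
    """Re-hash a stored copy and compare it with the hash recorded at acquisition."""
    return sha256_of_file(path) == expected_sha256


def demo():
    """Constructed scenario: acquire a fake drive image, verify the copy, then
    show that a later one-byte change to the copy is detected."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "suspect_drive.dd")   # constructed sample, not a real image
    copy = os.path.join(workdir, "suspect_drive_copy.dd")
    with open(source, "wb") as f:
        f.write(b"\x00" * 4096 + b"EVIDENCE: constructed sample sector data\n" + os.urandom(2048))

    record = acquire_image(source, copy)
    ok_before = verify_image(copy, record["source_sha256"])

    # Simulate the stored copy being modified after acquisition.
    with open(copy, "r+b") as f:
        f.seek(4096)
        f.write(b"X")
    ok_after = verify_image(copy, record["source_sha256"])

    shutil.rmtree(workdir)
    return record["verified"], ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The recorded hash is what later ties the working copy back to the original device, so it belongs in the acquisition documentation alongside the date, time, and person who made the copy.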


One tool used to collect evidence in a network forensic investigation is FTK Imager, a tool created by AccessData to preview data and evaluate reliable evidence on a machine. Using FTK Imager, the investigator creates a forensic data image and reduces cases of duplication, preserving the originality of the evidence. With the Forensic Toolkit Imager, the investigator is also able to view images of storage devices such as hard disks and compact disks. Another important tool is ProDiscover Forensic, which enables investigators to trace all the available data on a storage device while preserving the needed evidence. ProDiscover Forensic is chosen mostly for its ability to recover deleted material. Additionally, forensic investigators use The Sleuth Kit to evaluate images of hard disks and trace files within those images. The key feature of The Sleuth Kit is that it allows the evaluation of larger files that contain higher volumes of data (Yusoff, Dehghantanha & Mahmod, 2017).

Network forensic investigators also use digital forensic process models to acquire evidence. The process models include the Extended Model of Cybercrime Investigation, in which the relevant activities are conducted sequentially. Fraunholz, Krohmer, Anton & Schotten (2017) assert that the model allows for iteration over the evidence to ascertain its validity. Another model is the Digital Forensic Triage Process Model, which focuses on obtaining evidence within the shortest time possible and is fast compared to the traditional models. The Digital Forensic Model on Malaysian Investigation Process is another model; it focuses on the acquisition of live and static data in network investigation and is also used when detailed evidence is needed. The Systematic Digital Forensic Investigation Model helps to acquire evidence relating to computer fraud.

Collected data should be stored on digital devices such as hard drives, computers, smartphones, and USB flash disks. The type of data collected is either content or non-content. Content data include email conversations, text messages, recorded videos, and content that might be present on social media platforms. Non-content data may include the location of users, the user's identity, and data about the senders and recipients of the information. The collected data contains information about both events and the people involved. For instance, the Amazon Echo device may collect data that provides insights into the interests, purchases, and location of users. Such data is legitimate and can be used in law enforcement and for intelligence purposes (Akatyev & James, 2019). Data presented in court must be genuine and able to support the claim involved. To ascertain whether evidence is genuine, the methods and tools used to collect and store the data may be evaluated to determine whether the data was manipulated.

After the necessary data has been acquired, the next step is the evaluation of the available evidence. Assessing the crime evidence is crucial and requires an explicit comprehension of the subject matter. For example, when there is a need to determine cases of stolen data, the professionals undertaking the forensic investigation evaluate communications through emails, social media platforms, and other sources that might provide reliable information to be used as key evidence. Quick & Choo (2017) note that before the investigation process begins, investigators should have a clear understanding of the evidence they will be looking for throughout the process. For instance, the investigators should identify the platforms to be considered and the various formats of the collected data, and they should have proper mechanisms to preserve critical collected data. Once data has been collected, the investigators should ascertain its validity and reliability.

When evaluating evidence, the investigators should have a wide variety of evidence available in order to select what best suits their needs, and they should evaluate both the quality of the evidence and the methods used to evaluate the collected data. The evidence collected should uphold ethical integrity, meaning that it should not facilitate moral decay in society. While evaluating network evidence, the investigators should take advantage of cloud computing, since it provides important infrastructure: Infrastructure-as-a-Service (IaaS), which provides investigators with hardware systems such as network services and storage devices; Platform-as-a-Service (PaaS), which offers development and administration facilities that give investigators timely access to hardware sources that might contain relevant evidence; Data-as-a-Service (DaaS), which relieves investigators of the cost of purchasing expensive database storage by providing an affordable database for storing collected evidence; and Software-as-a-Service (SaaS), which offers software to investigators through a subscription rather than the purchase of software that might be expensive (Daryabar, Dehghantanha & Choo, 2017).

To evaluate the collected evidence effectively, the network investigators need to ensure that appropriate procedures for recovering and preserving evidence are in place. Approaches that investigators can use to evaluate evidence include analyzing the system software in order to identify data that may contain important evidence. Another approach includes measures to recover data that had been deleted; when recovering deleted data, investigators should record the specific dates and times when the data was deleted and retrieved. To retrieve deleted files, investigators can boot the computer system from a live compact disk, mount the backup drive, and transfer the deleted files to the backup drive. Examples of data recovery software include Disk Drill Basic, which can create recovery USB drives for recovering data; SpinRite, a FreeDOS program for retrieving data from magnetic media and hard disks; and SystemRescueCD, which is useful for repairing computer systems that cannot be booted in order to recover data after the system has crashed (Ruuhwan, Riadi & Prayudi, 2017).

Du, Le-Khac & Scanlon (2017) reveal that evaluating the names of the various files is also a key requirement when evaluating network evidence, because this can help establish when and where the files were created and uploaded to the system. The investigator can then match the files to online data such as that in emails. Online files help investigators to determine the computer systems on which they were created and uploaded, and investigators can then identify the location of the system. To evaluate digital evidence, computer forensic investigators need to connect online data to directories on the suspect's hard drive. Additionally, the network investigators should establish strong relationships with stakeholders such as criminal investigators and legal experts in order to identify the information that may serve as the best evidence and to understand legal and ethical investigation measures.

After data evaluation, the next step is proper documentation and reporting. Computer network investigators must maintain an accurate record of all activities connected to the investigation process, which may include the procedures used to test the functionality of computer systems, data retrieval, and the storage of collected evidence. Additionally, the investigators should record all relevant actions taken while collecting and evaluating the evidence; this helps to determine whether the investigators followed the legal procedures and policies throughout the process. Proper recording also helps to ascertain whether the network investigators preserved data integrity while collecting the evidence (Koroniotis, Moustafa, Sitnikova & Slay, 2017). Moreover, proper documentation makes the evidence valid enough to withstand court proceedings. While conducting a computer network investigation, the investigators need to account for all actions by recording the data in secure digital systems; this helps to establish how the evidence was collected, where, and when.

Proper documentation and reporting help cybersecurity experts to compare the data recorded digitally by the investigators against the times when the potential suspects gained access to the data, in order to ascertain the authenticity of the data. Documentation may also involve photographs and videos unless a surveillance system was in place when the cybercrime occurred. The value of capturing photos and videos is that they provide sufficient details of the crime (Harbawi & Varol, 2017). It is also critical to record the status of the computer system, its size, and the number of hard drives. The objectives of documentation are to capture the relevant information extracted during the investigation process, to support the legal process, and to support decision-making. The documentation process will influence, to a great extent, the results of the legal proceedings. Network evidence should be recorded together with the addresses of the computer and the source of the evidence. Videos should be documented in one file, with a copy kept in order to provide easy access to the files during the presentation.
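The two preceding paragraphs call for a record of every action taken on the evidence (what was done, by whom, where and when) and, for network evidence, the addresses of the computers involved and the source of the capture. One way to keep such a record tamper-evident is to chain each entry to the hash of the previous one, so that editing any earlier entry afterwards is detectable. The following is an added example written for this essay, not code from any tool or framework the essay cites; the investigators, locations, addresses (drawn from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges) and evidence hash in `demo()` are all constructed, and the class and method names are this example's own.

```python
import hashlib
import json
from datetime import datetime, timezone


class CustodyLog:
    """Append-only chain-of-custody log. Each entry stores the hash of the
    previous entry, so altering any record after the fact breaks the chain."""

    GENESIS = "0" * 64  # prev_hash of the very first entry

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(payload, prev_hash):
        # Canonical JSON (sorted keys) so the same record always hashes the same way.
        body = json.dumps(payload, sort_keys=True) + prev_hash
        return hashlib.sha256(body.encode("utf-8")).hexdigest()

    def record(self, action, investigator, location, evidence_id, evidence_sha256,
               timestamp=None, **details):
        """Append one custody event. 'details' holds evidence-specific fields such as
        the capture source and host addresses for network evidence."""
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        payload = {
            "seq": len(self.entries),
            "time": timestamp or datetime.now(timezone.utc).isoformat(),
            "action": action,
            "investigator": investigator,
            "location": location,
            "evidence_id": evidence_id,
            "evidence_sha256": evidence_sha256,
            "details": details,
        }
        entry = dict(payload, prev_hash=prev_hash,
                     entry_hash=self._digest(payload, prev_hash))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Walk the chain; return (True, count) if intact, else (False, index of
        the first entry that no longer matches its recorded hash or link)."""
        prev_hash = self.GENESIS
        for i, entry in enumerate(self.entries):
            payload = {k: v for k, v in entry.items() if k not in ("prev_hash", "entry_hash")}
            if entry["prev_hash"] != prev_hash or entry["seq"] != i:
                return False, i
            if self._digest(payload, prev_hash) != entry["entry_hash"]:
                return False, i
            prev_hash = entry["entry_hash"]
        return True, len(self.entries)


def demo():
    """Constructed custody history for one network capture, then a simulated
    after-the-fact edit of a location field that the chain must detect."""
    evidence_hash = "ab" * 32  # constructed placeholder, not a real image hash
    log = CustodyLog()
    log.record("acquired", "J. Doe (constructed)", "Server room B, rack 3",
               "EV-001", evidence_hash, timestamp="2024-01-15T09:30:00+00:00",
               source="SPAN port on core switch", capture_host="192.0.2.10",
               hosts_of_interest=["192.0.2.25", "198.51.100.7"])
    log.record("copied to evidence store", "J. Doe (constructed)", "Forensic lab",
               "EV-001", evidence_hash, timestamp="2024-01-15T11:05:00+00:00",
               tool="hypothetical imaging tool")
    log.record("analysis started", "A. Smith (constructed)", "Forensic lab",
               "EV-001", evidence_hash, timestamp="2024-01-16T08:00:00+00:00")
    intact = log.verify()

    log.entries[1]["location"] = "Unknown"  # simulate someone editing an old record
    tampered = log.verify()
    return intact, tampered


if __name__ == "__main__":
    print(demo())  # ((True, 3), (False, 1))
```

In practice each entry would be written to storage the investigators cannot silently rewrite (for example, a write-once medium or a separately secured system), since the chain only proves that entries were not altered after they were linked, not that the person holding the log is honest.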

According to Riadi (2017), reporting network investigation evidence requires the preparation of a final report in order to ensure that potential evidence is not lost. Sometimes the court may rely on findings from the report to draw important conclusions. A network investigation report should contain the following: a title page, a table of contents, the reason for conducting the investigation, a page for signatures, the evaluated evidence, a description of the investigation, and the findings. The title page should contain the title, the name of the case, and the file number of the case. Additionally, it should contain the date when the report was prepared, the names of the investigators together with their certifications, and the names of any agents involved. The table of contents highlights all the important sections of the report. The reason for conducting the investigation should include any search warrants from the relevant authorities, and in case the investigator is acting on behalf of a company, they should provide a document from the principal organization. The signature page contains the signatures of the investigators.

The evidence section lists all relevant items examined, together with their serial numbers and the models involved. Part of the evidence section should describe the procedures observed when conducting the investigation. The investigators should also explain any searches they conducted and any files they retrieved. Additionally, they should capture the software and hardware tools involved during the investigation process. Such tools may include write-blockers, which allow hard drives to be read without damaging them, and Kali Linux, which helps in the retrieval of data and the creation of images. Finally, the report must contain the investigator's findings (Fraunholz, Krohmer, Anton & Schotten, 2017). The findings section should include any retrieved files, image analysis, data analysis, system encryption, analysis of website traffic and network access, and traffic logs. If the suspect is external to the organization, the network forensic evidence should take the form of internet logs, network traffic, and network activity logs, whereas if the suspect is internal, evidence should be collected from the organization's hardware systems.

Conducting a network forensic investigation may not be an easy task, since the investigators may encounter a number of challenges. These may include technical challenges such as encryption and differing data formats; legal challenges such as data privacy issues and the lack of internationally recognized standard legislation; and resource challenges such as the time required and the large volumes of data (Akatyev & James, 2019). However, the challenges can be controlled. Technical challenges may be avoided by collecting the data that will be needed rather than all the data that is available, and by ascertaining the integrity of files. Legal challenges can be addressed through collaboration between governments to craft standard legislation. Collecting only the needed data can help save time and solve some of the resource challenges.

References

Du, X., Le-Khac, N. A., & Scanlon, M. (2017). Evaluation of digital forensic process models with respect to digital forensics as a service. arXiv preprint arXiv:1708.01730.

Koroniotis, N., Moustafa, N., Sitnikova, E., & Slay, J. (2017, December). Towards developing a network forensic mechanism for botnet activities in the iot based on machine learning techniques. In International Conference on Mobile Networks and Management (pp. 30-44). Springer, Cham.

Riadi, I. (2017). Forensic Investigation Technique on Android’s Blackberry Messenger using the NIST Framework. International Journal of Cyber-Security and Digital Forensics, 6(4), 198-206.

Harbawi, M., & Varol, A. (2017, April). An improved digital evidence acquisition model for the Internet of Things forensic I: A theoretical framework. In 2017 5th International Symposium on Digital Forensic and Security (ISDFS) (pp. 1-6). IEEE.

Yusoff, M. N., Dehghantanha, A., & Mahmod, R. (2017). Forensic investigation of social media and instant messaging services in Firefox OS: Facebook, Twitter, Google+, Telegram, OpenWapp, and Line as case studies. In Contemporary Digital Forensic Investigations Of Cloud And Mobile Applications (pp. 41-62). Syngress.

Fraunholz, D., Krohmer, D., Anton, S. D., & Schotten, H. D. (2017, June). Investigation of cyber crime conducted by abusing weak or default passwords with a medium interaction honeypot. In 2017 International Conference on Cyber Security And Protection Of Digital Services (Cyber Security) (pp. 1-7). IEEE.

Akatyev, N., & James, J. I. (2019). Evidence identification in IoT networks based on threat assessment. Future Generation Computer Systems, 93, 814-821.

Quick, D., & Choo, K. K. R. (2017). Pervasive social networking forensics: intelligence and evidence from mobile device extracts. Journal of Network and Computer Applications, 86, 24-33.

Daryabar, F., Dehghantanha, A., & Choo, K. K. R. (2017). Cloud storage forensics: MEGA as a case study. Australian Journal of Forensic Sciences, 49(3), 344-357.

Ruuhwan, R., Riadi, I., & Prayudi, Y. (2017). Evaluation of integrated digital forensics investigation framework for the investigation of smartphones using soft system methodology. International Journal of Electrical and Computer Engineering, 7(5), 2806.
