Investigative forensics is the study and investigation of crimes committed using or aimed at a technological platform and is carried out by formally qualified investigators. In today’s environment, digital forensics plays an important role. Detection and conviction of cybercriminals rely heavily on the use of computer forensics. Collecting, inspecting, and reporting data stored on computers and networks in relation to a civil or criminal occurrence is part of the process.

The SOC (Security Operations Center) plays a vital role in computer forensics, forensic preparation, and incident response. Additionally, it sheds insight into investigators’ difficulties and obstacles when performing forensic investigations. Digital evidence fundamentals and regulations, and procedures that investigators must follow are also covered in this subject.

1.1 Fundamentals of Computer Forensics

  • 1.1.1 Understanding Computer Forensics
    • Computer forensics is a set of methodological methods and techniques for identifying, gathering, preserving, extracting, interpreting, documenting, and presenting evidence from computing equipment in legal or administrative proceedings.
    • Objectives:
      • To track and prosecute the perpetrators of a cybercrime
      • To gather cybercrime evidence in a forensically sound manner
      • Determining the perpetrator’s intent and estimating the incident’s possible impact on the victim
      • To reduce the organization’s tangible and intangible losses
      • To protect the company from future accidents of this nature
  • 1.1.2 Needs for Computer Forensics
    • To ensure the organization’s IT system and network infrastructure’s overall integrity and continued existence.
    • To collect, process, and interpret factual evidence so that it can be used in court to prove the attacker’s actions.
    • To locate and apprehend criminals from all over the world.
    • To safeguard the organization’s financial assets and time.
  • 1.1.3 Why Should Computer Forensics be Used?
    • To gather evidence of computer crimes in a forensically sound manner
    • To protect the organization from similar incidents in the future
    • To minimize the tangible and intangible losses to the organization
    • To support the prosecution of the perpetrator of an incident
  • 1.1.4 When should Computer Forensics be Used?
    • If a breach of contract occurs
    • If copyright and intellectual property theft/misuse occurs
    • In case of employee disputes or disgruntled employees
    • In case of damage to resources

1.2 Cybercrimes and their Investigation Procedures

  • 1.2.1 Types of Cybercrimes
    • Cybercrimeβ†’is defined as any illegal act involving a computing device, network, its systems, or its applications
    • Cybercrime is categorized into two types
    • Internal/Insider Attack
      • An entrusted person (insider) who has authorized access to the network is an attack performed on a corporate network or on a single computer.
      • Such insiders can be former or current employees, business partners, or contractors
    • External Attack
      • This type of attack occurs when an attacker from outside the organization tries to gain unauthorized access to its computing systems or informational assets
      • These attackers exploit security loopholes or use social engineering techniques to infiltrate the network.
  • 1.2.2 Impact of Cybercrimes at the Organizational Level
    • Loss of confidentiality, integrity, and availability of information stored in organizational systems
    • Theft of sensitive data
    • Sudden disruption of business activities
    • Loss of customer and stakeholder trust
    • Substantial reputational damage
    • Huge financial losses
    • Penalties arising from failure to comply with regulations
  • 1.2.3 Cybercrime Investigation
    • The investigation of any crime involves the meticulous collection of clues and forensic evidence with attention to detail
    • Inevitably, at least one electronic device will be found during the investigation
    • Processes such as collection of data, analysis, and presentation differ based on the type of case
  • 1.2.4 Civil vs. Criminal Investigation
    • Civil cases are brought for violation of contracts and lawsuits, where a guilty outcome generally results in monetary damages to the plaintiff, whereas criminal cases are generally brought by law enforcement agencies in response to a suspected violation of law, where a guilty outcome may result in monetary damages, imprisonment, or both.
      • Criminal Cases
        • Investigators must follow a set of standard forensic processes accepted by law in the respective jurisdiction
        • Investigators, under a court’s warrant, have the authority to forcibly seize computing devices
        • A formal investigation report is required
        • Law enforcement agencies are responsible for collecting and analyzing evidence
        • Punishments are harsh and include a fine, jail sentence, or both
        • The Standard of proof needs to be very high
        • It is difficult to capture certain evidence, e.g., Global Positioning System device evidence
      • Civil Cases
        • Investigators try to show the opposite party some proof to support the claims and induce settlement
        • Searching of the devices is generally based on mutual understanding and provides a wider time window to the opposite party to hide the evidence
        • The initial reporting of the evidence is generally informal
        • The claimant is responsible for the collection and analysis of the evidence
        • Punishments include monetary compensation
        • Poorly documented or unknown chain-of-custody for evidence
        • Sometimes, evidence can be in third-party control
  • 1.2.5 Administrative Investigation
    • Administrative investigations generally involve an agency or government performing inquiries to identify facts with reference to its own management and performance.
    • Administrative investigations are non-criminal in nature and are related to misconduct or activities of an employee that includes but are not limited to
    • Violation of organization’s policies, rules, or protocols
    • Resource misuse or damage or theft
    • Threatening or violent behavior
    • Improper promotion or pay raises
    • Any violation my result in disciplinary action such as demotion, suspension, revocation, penalties, and dismissal.

1.3 Digital Evidence

  • 1.3.1 Introduction to Digital Evidence
    • Digital evidence is defined as “any information of probative value that is ether stored or transmitted in a digital form”
    • Digital information may be found while examining data storage media, monitoring the network traffic, or making duplicate copies of digital data found during a forensic investigation
    • Digital evidence is circumstantial and fragile ion nature, which makes it difficult for a forensic investigator to trace criminal activities
    • **According to Locard’s Exchange Principle,**↔"anyone or anything, entering a crime scene takes something of the scene with them, and leaves something of themselves behind when they leave"
  • 1.3.2 Types of Digital Evidence
    • Volatile Data
      • Data that are lost as soon as the device is powered off
      • Ex. system time, open files, network information, process memory, etc.
    • Non-volatile Data
      • Permanent data stored on secondary storage devices such as hard disks and memory cards
      • Ex. hidden files, slack space, swap file, unused partitions, registry settings, event logs, etc.
  • 1.3.3 Sources of Potential Evidence
    • User-Created Files
      • Address books
      • Database files
      • Media files
      • Document files
      • Internet bookmarks, favorites, etc.
    • User-Protected Files
      • Compressed files
      • Misnamed files
      • Encrypted files
      • Password-protected files
      • Hiddent files
      • Steganography
    • Computer-Created Files
      • Backup files
      • Log files
      • Configuration files
      • Cookies
      • Swap files
      • System files
      • History files
      • Temporary files
  • 1.3.4 Rules of Evidence Collection
    1. Understandable
      • Evidence must be clear and understandable to the judges
    2. Admissible
      • Evidence must be related to the fact being proved
    3. Authentic
      • Evidence must be real and appropriately related to the incident
    4. Reliable
      • There must be no doubt about the authenticity or veracity of the evidence
    5. Complete
      • The evidence must prove the attacker’s actions or his/her innocence
  • 1.3.5 Best Evidence Rule
    • States that the court only allows the original evidence of a document, photograph, or recording at the trial rather than a copy. However, the duplicate can be accepted as evidence, provided that the court finds the party’s reasons for submitting the duplicate to be genuine.
    • The principle underlying the best evidence rule is that the original evidence is considered as the best evidence.
  • 1.3.6 Federal Rules of Evidence (United States)
    • Rule 102: Purpose
      • These rules should be constructed so as to administer every proceeding fairly, eliminate unjustifiable expense and delay, and promote the development of evidence law, to the end of ascertaining the truth and securing a just determination.
    • Rule 103: Rulings on Evidence
      • (a) Preserving a Claim of Error
        • A party may claim error in a ruling to admit or exclude evidence only if the error affects a substantial right of the party and:
          • if the ruling admits evidence, a party, on the record (a) timely objects or moves to strike; and {b) states the specific ground, unless it was apparent from the context; or
          • if the ruling excludes evidence, a party informs the court of its substance by an offer of proof, unless the substance was apparent from the context
      • (b) No Need to renew an Objection or Offer of Proof
        • Once the court rules definitively on the record - either before or at trial - a party need not renew an objection or offer of proof to preserve a claim of error for appeal
      • (c) Court’s Statement About the Ruling; Directing an Offer of Proof
        • The court may make any statement about the character or form of the evidence, the objection made, and the ruling. The court may direct that an offer of proof be made in question-and-answer form
      • (d) Preventing the Jury from Hearing Inadmissible Evidence
        • To the extent practicable, the court must conduct a jury trial so that inadmissible evidence is not suggested to the jury by any means
      • (e) Taking Notice of Plain Error
        • A court may take notice of a plain error affecting a substantial right, even if the claim of error was not properly preserved
    • Rule 104: Preliminary Questions
      • Questions of admissibility in general
        • The court must decide any preliminary questions about whether a witness is qualified, a privilege exists, or evidence is admissible. In so deciding, the court is not bound by evidence rules, except those on privilege.
      • Relevancy conditioned on a fact
        • When the relevance of evidence depends on whether a fact exists, proof must be introduced sufficient to support a finding that the fact does exist. The court may admit the proposed evidence on the condition that the proof be introduced later
      • Conducting a hearing so that the jury cannot hear it
        • The court must conduct any hearing on a preliminary question so that the jury cannot hear it if
          1. The hearing involves the admissibility of a confession
          2. A defendant in a criminal case is a witness and so requests
          3. Justice so requires
        • Cross-examining a defendant in a criminal case
          • By testifying on a preliminary question, a defendant in a criminal case does not become subject to cross-examination on other issues in the case
        • Evidence relevant to weight and credibility
          • This rule does not limit a party’s right to introduce evidence relevant to the weight or credibility of other evidence before the jury.
    • Rule 105: Limited Admissibility
      • When evidence that is admissible as to one party or for one purpose but not admissible as to another party or for another purpose is admitted, the court, upon request, shall restrict the evidence to its proper scope and instruct the jury accordingly
    • Rule 801: Hearsay Rule
      • Hearsay is a statement, other than one made by the declarant while testifying at the trial or hearing, offered in evidence to prove the truth of the matter asserted
      • It is not admissible except as provided by these rules or by other rules prescribed by the Supreme Court pursuant to statutory authority or by Act of Congress
    • Rule 801: Statements That Are Not Hearsay
      • Prior statement by witness
      • Admission by party-opponent
    • Rule 803: Hearsay Exceptions - Availability of Declarant Immaterial
      • Even if the declarant is available as a witness, some of them are not excluded by the Hearsay Rule
        • Present sense impression
        • Excited utterance
        • Statements for purposes of medical diagnosis or treatment
        • Recorded recollection
        • Records of regularly conducted activity
        • Absence of entry in records kept in accordance with the provisions
        • Public records and reports
        • Records of vital statistics
    • Rule 804: Hearsay Exceptions: Declarant Unavailable
      • If the declarant is unavailable as a witness, the following are not excluded by the Hearsay Rule
        • Former testimony
        • A statement under the belief of impending death
        • Statement against interest
        • Statement of personal or family history
    • Rule 1001: Definitions (Content of Writings, Recordings, and Photographs)
      • Writing and Recordings
        • Writings and recordings consist of letters, words, or numbers, or their equivalent, set down by handwriting, typewriting, printing, photo stating, photographing, magnetic impulse, mechanical or electronic recording, or other forms of data compilation
      • Photographs
        • Photographs include still photographs, X-ray films, video tapes, and motion pictures
      • Original
        • An original of a writing or recording is the writing or recording itself or any counterpart intended to have the same effect by a person executing or issuing it.
      • Duplicate
        • A duplicate is a counterpart produced by the same impression as the original, or from the same matrix, or by means of photography, including enlargements and miniatures, or by mechanical or electronic re-recording, or by chemical reproduction, or by other equivalent techniques that accurately reproduce the original
    • Rule 1002: Requirement of Original
      • To prove the content of a writing, recording, or photograph, the original writing, recording, or photograph is required, except as otherwise provided in these rules or by Act of Congress
    • Rule 1003: Admissibility of Duplicates
      • A duplicate is admissible to the same extent as an original unless
        • A genuine question is raised as to the authenticity of the original, or
        • In the circumstances it would be unfair to admit the duplicate in lieu of the original
    • Rule 1004: Admissibility of Other Evidence of Contents
      • The original is not required, and other evidence of the contents of a writing, recording, or photograph is admissible if
        • Originals are lost or destroyed. All originals are lost or have been destroyed, unless the proponent lost or destroyed them in bad faith
        • Original is not obtainable. No original can be obtained by any available judicial process or procedure
        • Original is in possession of the opponent. At the time when an original was under the control of the party against whom offered, that party was put on notice, by the pleadings or otherwise, that the contents would be a subject of proof at the hearing, and that party does not produce the original at the hearing
        • Collateral matters. The writing, recording, or photograph is not closely related to a controlling issue
  • 1.3.7 Scientific Working Group on Digital Evidence (SWGDE)
    • Principle 1
      • In order to ensure that the digital evidence is collected, preserved, examined, or transferred in a manner safeguarding the accuracy and reliability of the evidence, law enforcement and forensic organizations must establish and maintain an effective quality system.
    • Standards and Criteria 1.1
      • All agencies that seize and/or examine digital evidence must maintain an appropriate SOP document. All elements of an agency’s policies and procedures concerning digital evidence must be clearly set forth in this SOP document, which must be issued under the agency’s management authority.
    • Standards and Criteria 1.2
      • Agency management must review the SOPs on an annual basis to ensure their continued suitability and effectiveness.
    • Standards and Criteria 1.3
      • Procedures used must be generally accepted in the field or supported by data gathered and recorded in a scientific manner.
    • Standards and Criteria 1.4
      • The agency must maintain written copies of appropriate technical procedures
    • Standards and Criteria 1.5
      • The agency must use hardware and software that are appropriate and effective for the seizure or examination procedure
    • Standards and Criteria 1.6
      • All activity relating to the seizure, storage, examination, or transfer of the digital evidence must be recorded in writing and be available for review and testimony
    • Standards and Criteria 1.7
      • Any action that has the potential to alter, damage, or destroy any aspect of the original evidence must be performed by qualified persons in a forensically sound manner
  • 1.3.8 The Association of Chief Police Officers (ACPO) Principles of Digital Evidence
    • Principle 1
      • No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court
    • Principle 2
      • In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to explain his/her actions and the impact of those actions on the evidence, in the court
    • Principle 3
      • An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
    • Principle 4
      • The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to

1.4 Forensic Readiness, Incident Response, and the Role of SOC (Security Operations Center) in Computer Forensics

  • 1.4.1 Forensic Readiness
    • Forensic readiness refers to an organization’s ability to optimally use digital evidence in a limited period of time and with minimal investigation costs
    • Benefits
      • Fast and efficient investigation with minimal disruption to the business
      • Provides security from cybercrimes such as intellectual property theft, fraud, or extortion
      • Offers structured storage of evidence that reduces the cost and time of an investigation
      • Improves law enforcement interface
      • Easy identification of evidence related to the potential crimes
      • Appropriately uses evidence for positive outcomes of any legal prosecution
      • Helps the organization use the digital evidence in its own defense
      • Prevents attackers from covering their tracks
      • Limits the cost of regulatory or legal requirements for disclosure of data
      • Averts similar attacks in the future
  • 1.4.2 Forensic Readiness and Business Continuity

    • Forensic readiness helps maintain business continuity by allowing quick and easy identification of the impacted components and replacing them to continue the services and business

    • Forensic readiness allows business to
      • Quickly determine the incidents
      • Understand the relevant information
      • Collect legally sound evidence and analyze it to identify attackers
      • Minimize the required resources
      • Eliminate the threat of repeated incidents
      • Quickly recover from damage with less downtime
      • Gather evidence to claim insurance
      • Legally prosecute the perpetrators and claim damages
    • Lack of forensic readiness may result in
      • Loss of clients due to damage to the organization’s reputation
      • System downtime
      • Data manipulation, deletion, and theft
      • Inability to collect legally sound evidence
  • 1.4.3 Forensic Readiness Planning

    • Forensic readiness planning refers to a set of processes to be followed to achieve and maintain forensic readiness

    • Key activities in forensic readiness planning
      1. Identify the potential evidence required for an incident
      2. Determine the sources of evidence
      3. Define a policy that determines the pathway to legally extract electronic evidence with minimal disruption
      4. Establish a policy to handle and store the acquired evidence in a secure manner
      5. Identify if the incident requires full or formal investigation
      6. Create a process for documenting the procedure
      7. Establish a legal advisory board to guide the investigation process
      8. Keep an incident response team ready to review the incident and preserve the evidence
  • 1.4.4 Incident Response
    • Incident response↔is a process of responding to incidents that may have occurred due to security breach in the system or network
    • The goal of incident response is to handle the incidents to minimize the damage and reduce recovery time and costs.
    • It is performed by the Computer Incident Response Team (CIRT) of an organization, which is responsible for identifying how a breach occurred, how to locate the method of the breach, and how to mitigate the breach
    • Incident response processes differ across organizations according to their business and operating environment
  • 1.4.5 Computer Forensics as a Part of Incident Response Plan

    • Organizations include computer forensics as part of the incident response plan to track and prosecute the perpetrators of an incident.

    • Role of Computer Forensics in Incident Response
      • Prepare for incidents in advance to ensure the integrity and continuity of network infrastructure
      • Determine the exact cause, nature, and impact of the incident
      • Generate a timeline for the incident that helps correlate different incidents
      • Identify and track the perpetrators of the crime or incident
      • Extract, process, and interpret the factual evidence so that it proves the attacker’s actions in the court
      • Protect the organization from similar incidents in the future
      • Minimize the tangible and intangible losses to the organization or an individual
  • 1.4.6 Overview of Incident Response Process Flow

    • Steps of the Incident Response process flow
      • Step 1: Preparation for Incident Handling and Response
      • Step 2: Incident Recording and Assignment
      • Step 3: Incident Triage
        • Incident analysis and validation
        • Incident classification
        • Incident prioritization
      • Step 4: Notification
      • Step 5: Containment
      • Step 6: Evidence Gathering and Forensic Analysis
      • Step 7: Eradication
      • Step 8: Recovery
      • Step 9: Post-Incident Activities
        • Incident documentation
        • Incident impact assessment
        • Review and revise policies
        • Close the investigation
        • Incident disclosure
  • 1.4.7 Role of SOC in Computer Forensics
    • Security Operations Center (SOC)β†’is a centralized unit that continuously monitors and analyzes ongoing activities on an organization’s information systems such as networks, servers, endpoints, databases, applications, websites, etc. to look for anomalies
    • The SOC team acts as the initial point for incident detection and validation
    • Upon incident validation, the incident response team gathers the evidence and provides it to the forensics team, which then starts the forensic investigation.
    • SOC Workflow
      • Collection
        • Security logs are collected and forwarded to Security Information and Event Management (SIEM).
      • Ingestion
        • SIEM ingests log data, threat information, indicators of compromise, and asset inventory for machine-based correlation and anomalous activity detection.
      • Validation
        • SOC analysts identify the indicators of compromise, triage alerts, and validate incidents.
      • Reporting
        • Validated incidents are submitted to the incident response teams through a ticketing system.
      • Response
        • The SOC team reviews incidents and performs incident response activities. Simultaneously, a digital forensics investigation team conducts a detailed forensics investigation.
      • Documentation
        • In the final step, incidents are documented for business audit purposes.

1.5 Identify the Roles and Responsibilities of a Forensic Investigator

  • 1.5.1 Need for a Forensic Investigator
    • Cybercrime Investigation
      • Forensic investigators, by virtue of their skills and experience, help organizations and law enforcement agencies investigate and prosecute the perpetrators of cybercrimes
    • Sound Evidence Handling
      • If a technically inexperience person examines the evidence, it might become inadmissible in a court of law
    • Incident Handling and Response
      • Forensic investigators help organizations maintain forensics readiness and implement effective incident handling and response
  • 1.5.2 Roles and Responsiblities of a Forensics Investigator
    • Determines the extent of any damage done during the crime
    • Recovers data of investigative value from computing devices involved in crimes
    • Gathers evidence in a forensically sound manner
    • Ensures that the evidence is not damaged in any way
    • Creates an image of the original evidence without tampering with it to maintain its integrity
    • Guides the officials carrying out the investigation; at times, the forensic investigator may be required to produce the evidence and describe the procedure involved in its discovery
    • Reconstructs the damaged disks or other storage devices, and uncovers the information hidden on the computer
    • Analyzes the evidence data found
    • Prepares the analysis report
    • Updates the organization about various attack methods and data recovery techniques, and maintains a record of them
    • Addresses the issue in a court of law and attempts to win the case by testifying in court
  • 1.5.3 What Makes a Good Computer Forensics Investigator?
    • Interviewing skills to gather extensive information about the case from the client or victim, witnesses, and suspects
    • Researching skills to know the background and activities pertaining to the client or victim, witnesses, and suspects
    • Maintains perfect accuracy of the tests performed and their records
    • Patience and willingness to work long hours
    • Excellent writing skills to detail findings in the report
    • Strong analytical skills to find the evidence and link it to the suspect
    • Excellent communication skills to explain their findings to the audience
    • Remains updated about new methodologies and forensic technology
    • Well-versed in more than one computer platform (including Windows, Macintosh, and Linux)
    • Knowledge of various technologies, hardware, and software
    • Develops and maintains contact with computing, networking, and investigating professionals
    • Honest, ethical, and law abiding
    • Has knowledge of the laws relevant to the case
    • Ability to control emotions when dealing with issues that induce anger
    • Multi~discipline expertise related to both criminal and civil cases
  • 1.5.4 Code of Ethics

    • Code of Ethics refers to the principles used to describe the expected behavior of an investigator while handling a case

    • Computer forensic investigator should
      • Perform investigations based on well-known standard procedures
      • Perform assigned tasks with high commitment and diligence
      • Act with utmost ethical and moral principles
      • Examine the evidence carefully within the scope of the agreement
      • Ensure the integrity of the evidence throughout the investigation process
      • Act in accordance with federal statutes, state statutes, and local laws and policies
      • Testify honestly before any board, court or trial proceedings
    • Computer forensic investigator should not
      • Refuse any evidence because that may cause failure in the case
      • Expose confidential matters without authorized permission
      • Take on assignments beyond his/her skills
      • Perform actions that significantly leads to a conflict of interest
      • Present the training, credentials, or association membership in a wrong way
      • Provide personal or prejudiced opinions
      • Reserve any evidence relevant to the case
  • 1.5.5 Accessing Computer Forensics Resources

1.6 The Challenges Faced in Investigating Cybercrimes

  • 1.6.1 Challenges Cybercrimes Pose to Investigators
    • General Challenges
      • Speed: Advancement in technology has boosted the speed with which cyber crimes are committed, whereas investigators require authorization and warrants before starting legal procedures
      • Anonymity: Cybercriminals can easily hide their identity by masquerading as some other entity or by hiding their IP addresses using proxies
      • Volatile nature of evidence: Most of the digital evidence can be easily lost as it is in the form of volatile data such as logs, records, light pulses, radio signals, etc.
      • Evidence Size and Complexity: Diversity and distributed nature of digital devices results in increased size and complexity of evidence data
      • Anti-Digital Forensics (ADF): Attackers are increasingly using encryption and data hiding techniques to hide digital evidence
      • Global origin and difference in laws: The perpetrators can initiate the crime from any part of the world, whereas the authorities have jurisdiction over domestic crimes only
      • Limited legal understandingMany victims are unaware of the law violated during the incident and fail to defend their claim
    • Legal Issues
      • Digital evidence is fragile in nature, which makes it susceptible to changes during the course of the investigation process and might render it inadmissible in a court of law
      • The legal system differs across jurisdictions, which makes the task of an investigator difficult as different legal systems have different rules for acquiring, preserving, investigating, and presenting digital evidence in the court
      • Every legal system has a slightly different approach towards the issues related to authenticity, reliability, and completeness
      • The approach of investigation differs and evolves with changes in technology, and the legal systems might not address these technological advances
    • Privacy Issues
      • When retrieving evidence from a particular electronic device, investigators must be cautious to avoid charges against unlawful search and seizure, i.e., they need to be in compliance with the Fourth Amendment of t he U.S. Constitution
      • The Fourth Amendment states that government agents may not search or seize areas or things in which a person has a reasonable expectation of privacy, without a search warrant
      • When dealing with the evidence related to Internet usage, investigators must preserve other users’ anonymity while determining the identity of the few involved in illegal activities
  • 1.6.2 Other Factors that Influence Forensic Investigations
    • Resources: The investigator should effectively utilize the available resources such as forensic tools, storage media, etc., while examining larger volumes of electronic data
    • The number of Users: Increase in the number of users availing cloudβ€’based services allows them to access data from any device. Hence, it becomes difficult for the examiner to gather evidence and identify the source of criminal activity.
    • Automation: In some cases, automated tools might miss evidence that can strengthen the investigation. This occurs when the investigator uses the tool without complete knowledge of its operation.
    • Anonymous Communications: When the offender uses Tor Browser to carry out malicious activities, it is impossible to track the details of the activity since the Tor browser protects the anonymity of the user
    • Failure of Traditional Instruments: The traditional approach mainly focuses on attaching a physical device to the forensic workstation, collecting an image of that device, and examining the image. This approach does not work when examining Cloud artifacts since the data are scattered across various systems/servers.
    • Increasing use of Information and Communications Technology (ICT) and need for New Investigative Instruments: Due to the significant increase in the use of ICTs, new forensic tools should be developed that can overcome the challenges faced by the current forensic tools
    • New Offences: Technological advancements have led to an increase in offenses such as hacking, illegal data tampering, DoS (Denial of Service) attacks, etc., and the investigators have to devise a new forensic approach for every new offense committed by the perpetrator.
  • 1.7.1 Computer Forensics and Legal Compliance

    • Legal compliance in computer forensics ensures that any evidence that is collected and analyzed is admissible in a court of law

    • Compliance with certain regulations and standards plays an important part in computer forensic investigation and analysis

    • Some regulations and standards to remember

    • Gramm-Leach-Bliley Act (GLBA)
      • Requires financial institutions-companies that offer consumers financial products or services such as loans, financial or investment advice, or insurance-to explain their information-sharing practices to their customers and to safeguard sensitive data.
    • Federal Information Security Modernization Act of 2014 (FISMA)
      • Required the Office of Management and Budget (0MB) to amend/revise A-130 to eliminate inefficient and wasteful reporting and reflect changes in law and advances in technology.
    • Health Insurance Portability and Accountability Act of 1996 (HIPAA)
      • Provides federal protections for individually identifiable health information held by covered entities and their business associates and offers patients an array of rights with respect to such information.
    • The Electronic Communications Privacy Act
      • Protects wire, oral, and electronic communications, while such communications are being made, are in transit, and stored on computers.
    • General Data Protection Regulation (GDPR)
      • Designed to harmonize data privacy laws across Europe, protect and empower all EU citizens’ data privacy, and reshape how organizations across the region approach data privacy.
    • Data Protection Act of 2018
      • Controls how your personal information is used by organisations, businesses or the government.
    • Payment Card Industry Data Security Standard (PCI DSS)
      • Proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards.
    • Sarbanes-Oxley Act (SOX) of 2002
      • Protect investors from the possibility of fraudulent accounting activities by corporations.
  • 1.7.2 Other Laws Relevant to Computer Forensics