Role of Digital Forensics in Cyber Crime Investigation

AUTHOR: Anushka Swaroop a student at Chhatrapati Shahu Ji Maharaj University (ABVSLS), Kanpur

ABSTRACT

The field of digital forensics has enabled law enforcement agencies in the most effective manner by offering useful tools in the identification, tracking, and prosecution of all forms of cybercriminal activity. This paper highlights the changing methods of digital forensics in the context of the most well known criminals today which are ransomware and databreaches. The study starts by presenting the concept of digital forensics and discusses its importance in protection and management of information resources.

This part of study considers the applications of some additional techniques of digital systems forensics, such as reverse engineering of malware, network traffic analysis and analysis of log files. Investigations related to ransomware, the attention is paid to the tracing of the encryption techniques used. In the case of databreaches, this study refers to forensic techniques for detecting intrusions, building event timelines, and studying data cleansing techniques.

Discussions on impediments to digital forensics introduce factors such as the great affinity for use of encryption technologies, anti forensic methodologies, and the cross border nature of cyber crimes that complicate criminal prosecution. Additional consideration is given to the trends of digital forensics and focuses on the use of advanced tools such as AI, block chain analytics, and quantum computing in solving crimes.

In particular, this study shows that law enforcement, corporate, and academic structures should be provided constant updates, trainings and interactions in order to cope with the dynamic changes in the cyberenvironment.

In conclusion, it is urged that more resources be allocated for the capacity building of digital forensics in order to enhance the fight against cybercrime and enhance accountability in the modern world. 

INTRODUCTION

The contemporary world is characterized by the growing prevalence of the internet and the digitalization of many aspects of life. This advancement has a lot of opportunities for the organizations, and governments however it has also posed them security threats on cyberspace that have never been experienced before. Among these, Ransomware and Databreaches appear to be the most pressing issues. The advancement in information technology has provided the cybercriminals with better means of exploiting the vulnerabilities, extorting their victims and stealing private data. To mitigate the risks, there is a demand for effective strategies to respond for threats , and most especially, investigative strategies with digital forensics being key to the whole equation in fighting cybercrimes and the people behind them.

 Digital forensics is a refinement of the cyber security framework, which deals with the collection, analysis and presentation of electronic evidence for the purpose of revealing crimes. In years to come, as cyber warfare increases, not only shall the activities depend on all available resources, but animated images in fighting and plotting strategies will also become a part of digitalforensics. This paper examines the impact of digital forensics development on the emergence of Ransomware and Data breaches, innovative designs implemented, current gaps, and future direction within the area of concern in perpetrators of cybercrime.

Whereas, data breaches are also very dangerous in that they can lead to accessing and even sharing information without authorization. The negative effects of such attacks have been made clear by high-profile cases involving governments, international companies, and medical facilities                                                                                                                               Cybercriminals’ growing use of encryption, difficulties in conducting cross-border investigations, and the incessant change of attack methods are significant challenges. There is a need for the collaboration of police, cyber security experts and legal systems in dealing with these problems. This paper focuses on the purposes of analyzing contemporary trends in digital forensics concentrating on the use of this discipline in cases of ransomware and databreaches.

UNDERSTANDIN DIGITAL FORENSICS IN CRIME INVESTIGATION

1. What is Digital Forensics?                                                                                                           Digital forensics is a legal process that involves the collection, preservation and analysis of electronic data, it is essential in crime investigations today, especially where there is an element of technology.                                                                                                                                           The procedures used in the investigation of computer related crimes include:

• Identification
• Preservation
• Analysis
• Presentation

2. The Intersection of Digital Forensics and Cybercrime:                                                                With characteristics unique to each century, so has every century required its means of law investigation into crimes committed in that particular Year. Cybercrime leave something behind which forensic investigator can use to establish:                                                                             

The whereabouts of assailants using an IP address, a digital signature and infected files, Indecent or erased information, linking an action to a perpetrator.

3. Cyber Crime Investigations Punishment:

• Preparation
• Data Collection
• Examination
• Analysis
• Reporting

TECHNIQUES USED IN DIGITAL FORENSICS

1. Data Collection Method- This stage entails surgical intervention on computer devices and network systems to extract evidence while at the same time protecting it from alterations.

How does it work?

Cloning a hard disk or any other storage media to enable investigators to carry on working on copies rather that the original hard disk.

For instance,  obtaining intelligence from live systems and or processes such as those having active users or networks that are engaging in activities especially where ransom ware is still fighting.

2. Data Recovery and Analysis-Newest deleted or damaged files have to be looked for and understood. This is data recovery.

How it Operate?

Involves recovering lost or deleted files such as documents , photos, and emails. Resorting to analysis of metadata (information within files not visible) to determine creation dates, modification dates and access dates of files.

Studying infections like ransom ware to assess the mechanism used to encrypt data and possibly neutralizing that threat with research tools which recover the data.

3. Mobile Device Forensics-This includes the analysis of always connected devices such as cell phones or tablet computers to obtain information.

How it works?

Using various commercial and non-commercial tools to get SMS, call history, pictures videos, files stored within applications, and even geo location data from a cellular device.

Forensic analysis of payment systems or communication applications in order to identify contacts of offenders or evidences of cash transactions made for digital violence.

Accessing sim locked and encrypted phones through use of specialized instruments.

DIGITAL FORENSICS IN RANSOMEWARE INVESTIGATION

1. Case studies of Ransomeware Attack :

• Case Study: Colonial Pipeline’s Ransomware Attack (2021)

Incident Summary: It used the Dark Side ransomware to cause disruption of fuel supplies across the United States of America—for the convenience of the attackers bypassing the use of anti-viruses and any security systems.

Forensic Techniques:  

1. Memory Forensics: Found keys used for encryption in RAM.
2.  Network Forensics: When password cracking failed, the password was  still considered leaked, and the password for the first compromise was determined.
3. Block chain Forensics: Payments made in bit coin to a definite address were tracked, and a refund of the majority of such payments was initiated.

Result: The investigation succeeded in restoring $2.3 million worth of the ransom payment, thanks to the prompt actions of both the police and forensic specialists.

• Case Study: WannaCry Ransomware Attack (2017)

Incident Overview: The spread of the WANAA Crypt ransomware in its various forms affected many companies across the globe especially due to the use of the Eternal Blue flaw.

Forensic Techniques:

1. Malware Reverse Engineering: A domain creating a disruption to the operation of the worms dealing with the code was found in the code.
2. Network Forensics: Analyzed SMB communication to observe and understand the mechanisms of spreading

.

Result: Timely forensic measures successfully contained the extent of the attack as well as the threat of further spread.

2. Decryption Tools and Techniques :
3. Memory Analysis for Key Recovery :

Ransomware holds temporary encryption keys within operating system memory. Investigators are able to effectively extract these legitimate keys from the system memory’s dump.

2. Public Decryptor Tools :

Common ransomware variants have free decryptor tools introduced by cyber security firms and law enforcement agencies.

For instance: No More Ransom provides available decryption tools for ransomware families REvil and others.

3. Vulnerability Exploitation :

Investigators take advantage of some weaknesses found within the ransom ware code e.g. poor key generation methods to produce lost encryption keys.

4. Law Enforcement Collaboration : Dealing with the issue of infrastructural attacks offers unlawful enforcement valuable insight into locating master decryption keys e.g. it was revealed in the case of REvil and Kasey ransomware

DIGITAL FORENSICS IN DATA BREACH INVESTIGATION

1. Common Techniques for Investigating Data Breaches :-

1. Endpoint Forensic :

Goal-  To investigate compromised device in search of access evidence or malware.

Methods-   Investigating the registry and system files for malicious alteration and                      Finding and examining the malware that was used for the breach.

Instruments- Encase, Autopsy.

2. Network Forensics :

Goal-   To understand the course of data movement out of organization and the activity of the assailant within the network.

Methods-   Network packet capture and analysis to identify data leakage or any other suspicious activity and Analyzing firewall and IDS (Intrusion Detection System) logs.

Instruments- Wire shark, Zeek.

3. Log analysis :

Goal –   To   assess the database for any abnormal activities by looking into the information system and application logs.

Methods-   Checking the access log to see any unsuccessful log-ins or log-ins from strangers and Looking at the database history to see if there is any strange activity in queries or extracting data out of the database.

Tools-   Splunk, Elastic Stack.

4. Memory analysis :

Goal-   To use volatile memory to look for processes that may be malicious and encryption keys.

Method- :Dumping and examining primary memory for traces of malware or active malefactors and Recovering login details such as user names and passwords or encryption devices which were in use.

Tools- Volatility, Recall.

2. Attribution and Accountability:
3. Attribution :

• What is Attribution?                                                                                                                           Identifying the culprit behind a given cyber attack.

• Ways to Attribute-                                                                                                                                   Threat Intelligence Correlation: correlating threats findings with the profiles of known threats actors e.g. TTPs in the threat intelligence database

• Infrastructure Tracing-                                                                                                                             Identifying the polymerised infrastructure used by the attackers including server, IP addresses or domains.

• Block chain Analysis-                                                                                                                             Following up on the cyber terrorism associated crypto currency transactions.

• Language and Time zone Analysis –                                                                                                                      studying residues, such as code comments, and timestamps to help gauge the location of the attackers.

2. Accountability :

• Supporting Legal Prosecution:

Seeking for evidence which can be produced in the Courts in order to bring the cyber criminals to justice.

Helping out in arresting members of such organizations that are cyber criminals groups.

• Regulatory Compliance:

Complying with the regulations that require reporting such as GDPR and HIPAA and CCPA.

Preserving evidence that outlines the nature of the attack and the attack’s response for internal controls’ audits.

• Minimizing Civil Litigation:

Open communication with those who were affected by the incident and other interested parties.

Showing that the organization took the necessary steps in response to the 

Incursion.

CHALLENGES IN DIGITAL FORENSICS

With the increased sophistication of cyber attacks, criminals today are adopting measures such as the use of encryption or anti-forensic tactics to disrupt the process of inquiry. Such approaches are geared towards the prevention of effective evidence collection, analysis and attribution, and as such pose research problems for digital forensic practitioners.

1. Effects of Encryption: One of the positive aspects of digital forensic investigation is the availability of encryption. On the other hand, this process is often used in crimes.

• End-to-End Encryption- Criminals resort to targeted encrypted messaging applications to plan their attacks which make any interception or analysis of such communications extremely difficult for law enforcement agencies.

• Encrypted Storage- Some cyber criminals tend to shred and store their incriminating data in secure file systems, thus forcing investigators to break the security or seek for keys through other means layered within the law or operations.

2. Anti-Forensic Techniques : Anti forensic methodology tries to destroy, remove or cloud any observations or evidence which makes it impossible for the investigators to put back together the events or find out who did the attack.

• Data Wiping- Criminals operate secure deletion applications, which allow users to wipe sensitive data from a device beyond the point of recovery.

• Steganography:- Host files (e.g. images and videos) are used to carry concealed information or messages which makes the retrieval of subversive objects difficult.

• Timestamp Tampering- Changing the timestamps regarding the creation, modification or access of files misrepresents the sequence of activities to investigators.

THE FUTURE OF DIGITAL FORENSICS

1. A Look at the Use of Artificial Intelligence and Machine Learning- The field of digital forensics is hugely benefitting from ai and ml in carrying out non-creative and busy activities and detection of underlying trends in big data.

2. Crime Ledger Investigations: Crime Anti-Money Laundering Technological Tools- As criminal moves and activities extend onto territories covered by virtual currency, and to accommodate the situation, block chain analytics tools track transactions and search for the reach of the activity of the client.

3. Quantum Computing- In the same breath, quantum computing attacks the basis of any classical system which relies on encryption for security, however it also aids those working to compromise encrypted information, thus speeding up the process of sifting through piles of locked information.

4. Cloud-native Forensics- Due to the increasing deployment of cloud computing services, cloud forensic tools are designed to carry out the assessment of logs, snapshots and other metadata based forensic analysis to a pertinent level within the framework of data retention policies and territoriality.

CONCLUSION

Digital forensics plays a key role in the fight against ransom ware attacks and data breach incidents. Digital forensics assists in every step in the process of combating cybercrime comprising deep-rooted understanding of attack strategies, tracking of perpetrators out to legal proceedings. As such, this menace continues to expand with the advances in technology. Likewise, as these assaults become more advanced, 

So does the final forensic investigation, utilizing new technologies such as AI, block chain, quantum computing and others.

In addition there should be prevention measures which can be introduced such as constant education and inter sectoral coordination in order to achieve fruitful investigations. They cannot be solely implemented by law enforcement. It is necessary for private entities and scientists to join forces in order to create new technologies as well as to improve the mechanisms of response to cybercrime on an international level.

Call to action: Additionally, universally all the governments and firms and educational institutions should enhance their digital forensic capabilities and encourage activity to seem more on the subject. Invigorating these aspects guarantees a stronger response in the face of the ever increased threats posed by cyber criminals, thus protecting the cyber space without any impunity

REFERENCING

• https://www.startertutorials.com/blog/challenges-in-computer-forensics.html
• https://intrix.com.au/articles/how-digital-forensics-aids-in-data-breach-investigations/
• https://www.researchgate.net/publication/364050427_Forensic_Analysis_of_a_Ransomware
• https://www.sikich.com/insight/the-role-of-digital-forensics-in-fighting-and-preventing-cybercrime/