Introduction of DFIR in Digital Forensics
Intro to DFIR in Digital Forensics
Digital Forensics and Incident Response is referred to as DFIR. Identifying, preserving, recovering, analyzing, and presenting digital evidence, often in connection with cybercrime, as well as gathering forensic artifacts from digital devices (such as PCs and media players), are all part of this subject.
DIGITAL FORENSICS
A subfield of computer forensics called “digital forensics” is responsible for locating, preserving, examining, and presenting digital evidence, such as PCs, laptops, smartphones, cloud computing, etc.
Goal
- This is the procedure for locating and reviewing data on electronic devices.
- To gather and examine this information so that it can be utilized as proof in court.
- It guarantees that electronic evidence is managed to preserve its integrity for use in court.
INCIDENT RESPONSE
Real-time detection and response to security breaches or threats.
Govern/ Preparation, Identify, Protect, Detect, Respond, Recovery, and Lesson Learned are the fundamental functions of incident response.
Goal
- Defending data, apps, and systems against theft, harm, and illegal access.
- Reducing the amount of money lost and company interruption brought on by a security breach.
- Avoiding a bad reputation with clients.
- Constantly adjusting to evolving danger situations.
Types of Cyber Crime Investigation
- Civil: Investigators attempt to present the other side with evidence to back up their allegations and persuade them to reach a settlement.
- Criminal: Investigators are required to adhere to a set of standard forensic procedures that are recognized by the relevant jurisdiction’s law.
- Administrative: An organization or government conducting an administrative investigation typically looks for information about its own performance and management.
Why do we need Digital Forensics?
In cybersecurity
- It assists in identifying the hacker and their method.
- Improving security and averting new cyberattacks depend on digital forensics.
- Through accurate documentation of breaches and actions, it assists enterprises in meeting regulatory requirements.
- By identifying the methods, resources, and strategies used by attackers, it enhances threat intelligence initiatives are enhanced.
In law enforcement
- It assists detectives and law enforcement in resolving crimes using computers and other electronic devices.
- Investigators can uncover evidence that helps apprehend and prosecute offenders by examining digital data.
- It helps find deleted or hidden files that can hold important evidence.
- Using digital timestamps and metadata enables law enforcement to create timelines of suspicious activities.
HISTORY and EVOLUTION of DIGITAL FORENSICS
Because law enforcement and the military were required to look into crimes involving technology, digital forensics was established in the US more than 30 years ago.
How has it evolved in legal systems?
A new area known as e-discovery emerged as a result of the importance of digital forensics in criminal cases and civil litigation. Digital evidence is becoming essential in many kinds of court disputes.
Legal Framework and Regulatory Compliance
In India:
- Information Technology Act, 2000 (IT Act):
- Digital forensics is covered by the main statute that regulates cyber activity in India.
- Gives electronic documents and transactions legal status; sections 65, 66, and 67 address cybercrimes and offenses.
- Indian Evidence Act, 1872 (Amended by IT Act):
- In court, digital evidence is now allowed.
- In particular, the acceptability of electronic records is covered in Sections 65 A and 65 B.
- Indian Penal Code (IPC), 1860:
- Covers a range of cybercrimes, including data breaches, identity theft, and hacking.
- Offers a structure for the prosecution of digital offenses, which frequently call for forensic examination.
- Criminal Procedure Code(CrPC), 1973:
- Controls how crimes are investigated and prosecuted, especially when digital evidence is used.
- During investigations, authorities are authorized to summon electronic records under Sections 91 and 92.
International Standards:
- ISO/IEC 27037
- Rules for locating, gathering, purchasing, and safeguarding digital evidence.
- Acknowledged globally and adhered to by numerous Indian firms to guarantee that digital forensics procedures meet international requirements.
- ISO/IEC 27001
Outlines specifications for digital forensics management processes as part of an information security management system (ISMS).
Forensics Process Models
- Digital Forensics Investigation Frameworks
- Purpose: Establish systematic procedures for exhaustive and legally sound investigations.
Like:
1. FBI CART Process
2. NIST Guidelines
3. IOCE Model
4. Indian Cyber Crime Coordination Centre (I4C)
5. Indian Standard IS 18000-6
6. National Technical Research Organization (NTRO)
Phases of the Forensic Process
| Identification | Find pertinent digital proof. |
| Collection | Collect evidence without compromising its integrity. |
| Preservation | Prevent evidence from being altered. |
| Examination | Utilize forensics tools to examine the evidence. |
| Analysis | Analyze results to make inferences. |
| Reporting | Record and properly communicate the results. |
- 3A’s of Computer Forensics
“Computer Forensics: Essentials of Incident Response.” The 3A’s of computer forensics, which apply to Windows and other operating systems, have been supplied by them.
- Get the proof without destroying or changing the original.
- Verify that the retrieved evidence matches the original data that was seized.
- Analyzes information without making any changes.
Some legal and ethical considerations in digital forensic investigations:
- Legal Considerations in Digital Forensics
- Admissibility of Digital Evidence
- Chain of Custody & Evidence Integrity
- Search & Seizure Laws
- Cross-Border Data & Jurisdiction
- Issues Ethical Considerations in Digital Forensics
- Privacy & Confidentiality
- Objectivity & Bias in Investigations
- Responsible Disclosure of Findings
- Handling of Exculpatory Evidence
- Ethical Use of Forensic Tools & Techniques
How would we ensure the integrity of evidence during an investigation?
Maintaining evidence integrity is critical in digital forensics to ensure that. I’ll take a few crucial actions, like:
- Make use of forensic imaging and write blocks.
- Check hash values both prior to and following analysis.
- Access controls and safe storage.
- Keep up the chain of custody and the appropriate paperwork.
- Be sure to adhere to industry-standard forensic procedures.
Some common challenges in mobile device forensics:
- Passcodes, Face ID, Knox, Secure Enclave, and other encryption and security measures.
- Forensic compatibility is broken by frequent OS updates.
- Sandboxing apps and data in the cloud limits local access.
- SSD wear leveling limits the ability to retrieve deleted data.
- Jurisdictional and legal limitations on the gathering of evidence.
Indian Constitution and Laws:
| Section | Offence | Penalty |
| 65 | Tampering with computer source documents. | Imprisonment up to three years, or/and fine up to ₹2,00,000 |
| 66 | Hacking with computer system. | Imprisonment up to three years, or/or fine up to ₹5,00,000 |
| 66B | Receiving a stolen computer or communication device. | Imprisonment up to three years, or/and fine up to ₹1,00,000 |
| 66C | Using password of another person. | Imprisonment up to three years, or/and fine up to ₹1,00,000 |
| 66D | Cheating using computer resources. | Imprisonment up to three years, or/and fine up to ₹1,00,000 |
| 66E | Publishing private images of others. | Imprisonment up to three years, or/and fine up to ₹2,00,000 |
| 66F | Acts of cyberterrorism | Imprisonment up to life. |
| 67 | Publishing information that is obscene in electronic form. | Imprisonment up to five years, or/and fine up to ₹10,00,000 |
| 67A | Publishing images containing sexual acts. | Imprisonment up to seven years, or/and fine up to ₹10,00,000 |
| 67C | Failure to maintain records. | Imprisonment up to three years, or/and fine. |
| 68 | Failure/refusal to comply with orders. | Imprisonment up to 2 years, or/and fine up to ₹1,00,000 |
| 69 | Failure/refusal to decrypt data. | Imprisonment up to seven years and possible fine. |
| 70 | Securing access or attempting to secure access to a protected system. | Imprisonment up to ten years, or/and fine. |
| 71 | Misrepresentation | Imprisonment up to 2 years, or/and fine up to ₹1,00,000 |
| 72 | Breach of confidentiality and privacy. | Imprisonment up to 2 years, or/and fine up to ₹1,00,000 |
| 72A | Disclosure of information in breach of a lawful contract. | Imprisonment up to 3 years, or/and fine up to ₹5,00,000 |
| 73 | Publishing an electronic signature certificate falsely in certain particulars. | Imprisonment up to 2 years, or/and fine up to ₹1,00,000 |
| 74 | Publication for a fraudulent purpose. | Imprisonment up to 2 years, or/and fine up to ₹1,00,000 |
Key Challenges in Digital Forensics
- Rapid Pace of Attacks
While detectives must deal with sluggish legal procedures like obtaining warrants, cybercriminals act swiftly.
- Masked Identities
By using proxies, VPNs, and false personas, attackers can easily conceal their true identities, making them difficult to track down.
- Fragile Digital Evidence
If not recorded right away, digital evidence such as logs or temporary files can be readily changed, erased, or replaced.
- Overwhelming Data Volumes
Investigators deal with large, dispersed, and intricate datasets that are stored on several platforms and devices.
- Anti-Forensics Techniques
To hide or destroy important evidence, criminals employ obfuscation, data concealing, and encryption techniques.
- Jurisdictional Barriers
Because of differing laws and a lack of authority, cybercrimes frequently come from other nations, making enforcement more difficult.
- Low Legal Awareness Among Victims
Legal investigations are weakened since many victims are unaware of the rules that were broken or how to preserve evidence.
Basic Attacks a Hacker Uses
| Phishing | Phishing is a kind of cyberattack in which perpetrators pose as trustworthy organizations in order to fool victims into disclosing private information. This is frequently done by sending phony emails, texts, or web pages. |
| Anonymity | When no one can identify you online, you are said to be anonymous. Utilizing the TOR browser, VPN, proxy servers, etc. |
| SQL Injection | One method of code injection used to target data-driven applications is SQL Injection. |
| HEX Editor | Modifying and Manipulating |
| Key Logger | This kind of monitoring software may capture every keystroke you make and save it in an encrypted log file. |
Read More :
Cybercriminals Defrauded A Retired Bank Officer of ₹2.33 Cr While Displaying A Profit of ₹11 Cr
About Author
English