Data in Digital Forensic Investigation

It is difficult to ignore the fact that modern society exists in an environment of computer technologies, and such technologies have penetrated every field of human activity. This is undoubtedly considerable progress for mankind, but every phenomenon has negative aspects as well. Computer technologies have thus become a vehicle for virtual crimes, numerous incidents of data loss, foreign intrusions into networks, and so on. Therefore, the ability to respond to such incidents has become a central issue for the entire sphere of computer technologies, and a separate discipline has emerged: digital forensic investigation. This discipline investigates computer incidents by means of the same technologies. However, it is important to emphasize that digital forensic investigation primarily operates with different sources of data. Thus, data is increasingly recognized as an essential component of digital forensic investigation.

With this in mind, the following paper discusses different sources of data with regard to the priority of their connection to such events as network intrusion, malware installation and insider file deletion. The study devotes a separate section to each source of data, because various sources of data apply to different kinds of incidents. In other words, the paper gives an account of numerous sources of data from the perspective of their usefulness for a particular case of digital forensic investigation. Having outlined the thesis statement and the layout of the paper, it is necessary to proceed to the next section.

Network Intrusion

Account Auditing

The first data source is the examination of user accounts as part of routine maintenance. Routine examination of user accounts and permissions will identify the account which the intruder was using to access the server; otherwise, the intruder may never be discovered (Casey, 2005). Therefore, account auditing is crucially important.

The Federal Agency of Information Technology advises verifying every asset that is administered by a mixture of technical and administrative controls. This should be done so that the evidence reflects only approved users who receive an appropriate level of access and are held accountable for their use of information systems. Access has to be restricted to positively identified and authorized users. Besides, a weak policy in one sector of the network may put the other sectors at risk; therefore, it is essential that all agencies maintain an access control policy. Account maintenance requires users to protect their accounts with a strong password and to change it on a regular basis. Subsequently, administrators must validate that user names belong to their real owners. Moreover, auditing of user accounts should also be established to make sure that accounts which have not been used for a long period are deleted. As for incorrect login attempts, access has to be limited after a particular number of failed attempts.

If some of these policies had been in place in the described scenarios, the omnipotent user could have been detected before the malicious activity within the network, or even prevented from accessing the network entirely. Still, auditing may face different challenges during the investigation of a network intrusion. Every operating system has its own account system and auditing procedures. Moreover, it is relatively hard for organizations with a large number of users to identify inactive and incorrect accounts, and organizations may also outsource their information technology services. User account auditing is the most applicable source of data because it is quite simple to complete and supports a proper investigation of a network intrusion.
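The account-maintenance rules above (unused accounts, unverified owners, stale passwords, lockout after repeated failures) can be checked mechanically. The following is an added example, not code from the paper; the account records, the authentication log and its line format are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed account inventory (not from the paper): one record per account.
# "owner_verified" records whether an administrator has confirmed the real owner.
ACCOUNTS = [
    {"user": "jdoe", "owner_verified": True, "last_login": "2024-02-28", "pw_changed": "2024-01-15"},
    {"user": "svc_backup", "owner_verified": True, "last_login": "2023-09-01", "pw_changed": "2023-01-01"},
    {"user": "tmp_admin", "owner_verified": False, "last_login": "2024-03-01", "pw_changed": "2024-02-01"},
]

# Constructed authentication log; the line format is an assumption for this example.
AUTH_LOG = """\
2024-03-01T10:00:01 FAILED_LOGIN user=tmp_admin src=10.0.0.5
2024-03-01T10:00:03 FAILED_LOGIN user=tmp_admin src=10.0.0.5
2024-03-01T10:00:05 FAILED_LOGIN user=tmp_admin src=10.0.0.5
2024-03-01T10:00:07 FAILED_LOGIN user=tmp_admin src=10.0.0.5
2024-03-01T10:00:09 FAILED_LOGIN user=tmp_admin src=10.0.0.5
2024-03-01T10:00:11 LOGIN_OK user=tmp_admin src=10.0.0.5
2024-03-01T11:15:00 FAILED_LOGIN user=jdoe src=10.0.0.9
2024-03-01T11:15:20 LOGIN_OK user=jdoe src=10.0.0.9
"""


def parse_failed_logins(log_text):
    """Count FAILED_LOGIN events per user from log lines of the assumed format."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[1] == "FAILED_LOGIN":
            counts[fields[2].split("=", 1)[1]] += 1
    return counts


def audit_accounts(accounts, log_text, today, inactive_days=90, max_pw_age_days=90, max_failed=5):
    """Apply the maintenance rules and return the accounts that break each one.

    `today` is a YYYY-MM-DD string so the audit is reproducible for a given date."""
    now = datetime.strptime(today, "%Y-%m-%d")
    findings = {"inactive": [], "unverified_owner": [], "stale_password": [], "lockout": []}
    failed = parse_failed_logins(log_text)
    for acct in accounts:
        user = acct["user"]
        last_login = datetime.strptime(acct["last_login"], "%Y-%m-%d")
        pw_changed = datetime.strptime(acct["pw_changed"], "%Y-%m-%d")
        if now - last_login > timedelta(days=inactive_days):    # unused for a long period: delete
            findings["inactive"].append(user)
        if not acct["owner_verified"]:                           # name not validated against its owner
            findings["unverified_owner"].append(user)
        if now - pw_changed > timedelta(days=max_pw_age_days):  # password not changed on schedule
            findings["stale_password"].append(user)
        if failed[user] >= max_failed:                          # too many failed attempts: restrict
            findings["lockout"].append(user)
    return findings


if __name__ == "__main__":
    print(audit_accounts(ACCOUNTS, AUTH_LOG, "2024-03-02"))
```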

Live System Data

Digital forensic investigators use the EnCase program to capture live data from the systems and save an audit log by incorporating a command script. At the same time, they identify whether the intruder was accessing the network through a dial-up connection or by installing a sniffer, which replaces the standard Telnet with a version containing a backdoor vulnerability. As a result, intruders receive remote access to the network. It is also important to mention that the sniffer log also holds records of the backdoor intrusions, as well as the initial passwords for a certain number of computers. By the same token, such a tool also discovers whether hackers have created their own Telnet passwords (Casey, 2005).

The primary reason for using a tool such as EnCase is the ability to capture live data in order to detect an event which has occurred when a complete investigation has to be conducted within the system. The challenge of live forensics lies in the current state of the system: ensuring that the data captured is forensically relevant (McDougal, 2006). It is increasingly apparent that the best way to manage this is to use the forensic toolkit EnCase, which keeps the process automated to the broadest extent. Live system data is the second most applicable source of data, as it provides a digital forensic investigation with the most reliable evidence of malicious files and systems and gives information concerning how the hacker managed to access the system (Casey, 2005).

Intrusion Detection System

The third source of data is the intrusion detection system. The intrusion detection system is applied in order to monitor network traffic for connections. Further, digital forensic investigators need to monitor network traffic and verify whether the hackers have accessed more computers, which were not previously identified as targeted by the Telnet backdoor password. To the broadest extent, this method can be applied to any evidence of a critical network intrusion (Casey, 2005).

Intrusion detection systems are flexible in identifying network intrusions because they can be set up as applications that automatically alert administrators when abnormal network traffic occurs. Hill and O’Boyle draw a similarity between an IDS and a burglar alarm. The most drastic difference, though, is that cyberspace can be secured by detecting unauthorized actions, while the physical world needs actual detection. In terms of contrast, it is worth saying that it is complicated to trace the movement of an intruder among sections of data (Hill & O’Boyle, 2000).

Still, it is important to emphasize that automated IDS and the corresponding forensic procedures are particularly focused on so-called signature matching. It finds network connections and activities which might trigger an alert because they match specific incident patterns and methods of network attack. On the other hand, automatic signature matching is not a sufficiently precise procedure, and its result is determined by numerous factors. Signatures often raise false alarms because they turn out to be too generalized. Attack profiles can also vary considerably: from well-known malware attacks to unique software which has been created to devastate a specific system. One more disadvantage of utilizing an IDS in digital forensic investigation is the requirement of frequent updates, which are an obligatory condition for effective performance (Hill & O’Boyle, 2000).

It is commonly recommended to start by sorting the alarms raised by the automatically configured IDS and then use the signals from those alarms to guide further analysis of less refined system logs and data. In order to isolate evidence of an intrusion, a digital forensic investigator has to possess deep knowledge of a wide range of operating systems and hacking techniques so that he or she is capable of understanding diagnostic tools and system logs. The IDS is the third most applicable source of data because, after detecting the intrusion, the IDS can capture details concerning the hacker's connection and prevent or block potential connections.
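The two preceding paragraphs (an overly general signature raising false alarms, and using alarms as a starting point to find further hosts the intruder reached) are illustrated by the following added example; it is not code from the paper or from any IDS product, and the packets, signatures, marker string and address ranges are constructed.

```python
# Constructed sample connections (not from the paper); addresses use documentation ranges.
PACKETS = [
    {"src": "10.0.0.5",    "dst": "10.0.1.10", "dport": 23, "payload": "login: operator"},
    {"src": "203.0.113.7", "dst": "10.0.1.10", "dport": 23, "payload": "login: BACKDOOR-MARKER"},
    {"src": "203.0.113.7", "dst": "10.0.1.11", "dport": 23, "payload": "login: BACKDOOR-MARKER"},
    {"src": "203.0.113.7", "dst": "10.0.1.12", "dport": 22, "payload": "SSH-2.0-client"},
    {"src": "10.0.0.5",    "dst": "10.0.1.12", "dport": 80, "payload": "GET / HTTP/1.1"},
]

# Two signatures for the same threat: the broad one matches any Telnet connection,
# the specific one additionally requires a constructed marker string in the payload.
SIGNATURES = [
    {"name": "telnet-any",      "dport": 23, "content": None},
    {"name": "telnet-backdoor", "dport": 23, "content": "BACKDOOR-MARKER"},
]

# Constructed: internal hosts whose Telnet use is legitimate administration.
INTERNAL_ADMIN_HOSTS = {"10.0.0.5"}


def matches(packet, signature):
    """A signature fires when the port matches and, if given, the content string is present."""
    if packet["dport"] != signature["dport"]:
        return False
    return signature["content"] is None or signature["content"] in packet["payload"]


def run_ids(packets, signatures):
    """Return one alert tuple (signature name, src, dst) per matching packet."""
    return [(sig["name"], p["src"], p["dst"])
            for p in packets for sig in signatures if matches(p, sig)]


def false_positives(alerts, benign_sources):
    """Alerts raised on known legitimate hosts: the noise a too-general signature produces."""
    return [a for a in alerts if a[1] in benign_sources]


def hosts_contacted(packets, src):
    """Pivot from an alert to every destination the flagged source reached,
    including connections that no signature fired on."""
    return sorted({p["dst"] for p in packets if p["src"] == src})


if __name__ == "__main__":
    alerts = run_ids(PACKETS, SIGNATURES)
    print("alerts:", alerts)
    print("false positives:", false_positives(alerts, INTERNAL_ADMIN_HOSTS))
    print("hosts reached by 203.0.113.7:", hosts_contacted(PACKETS, "203.0.113.7"))
```

The broad signature fires on the operator's own Telnet session as well as on the suspicious ones, while the pivot shows the flagged source also touched a host on port 22 that neither signature covered.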

Internet Service Provider Records

The last source of data is the Internet Service Provider used by the hacker. Digital forensic investigators are able to phone the ISP and request logs and records (Casey, 2005). The available data can include names, e-mail addresses and mailing addresses of account holders. Besides that, it is essential to include payment information such as credit card or bank account details, which may lead to additional evidence. Likewise, the IP addresses assigned to this account during a particular period of time have to be requested together with any associated activity, which might be available alongside the MAC address of the computer suspected of being connected to the network. The most difficult aspect of collecting data from an ISP is the requirement of a subpoena, while the data may easily turn out to be irrelevant, and different ISPs hold various amounts of information about their customers. In this way, ISP records are the least useful source of data for the forensic investigation of a network intrusion.

Malware Installation

Live System Data

Similarly to the network intrusion case, the collection of live system data is applicable to provide evidence of malware installation. Overton (2008) suggests that once a suspected system has been identified, traffic in all directions within the system should be captured so as to include the detection of hidden files created by malware activity. Nmap, Nessus and a wide range of other vulnerability assessment toolkits can be utilized for processing a suspected object, as well as for the analysis of a network (Overton, 2008). Software such as Helix3 and Windows Forensics Toolchest is capable of examining volatile system data in order to retrieve important information such as network routing tables, system drivers and applications, and an analysis of running processes and services. Even more, such a procedure can be conducted without the attacker becoming aware that he or she is suspected. However, determining whether malware has been installed on a live system may become considerably difficult, since the tools may not always process the data scrupulously. Similarly, anti-malware tools may produce a great number of false positives, so that the malware can stay hidden, doing drastic harm to the system.

Intrusion Detection System

The IDS is the second most applicable tool for evidence of malware installation. As soon as the preliminary investigation has been conducted and the analysis has detected a potential infection, the workstation has to be removed from the network in order to avoid spreading the malware activity to the other systems, and the ports and protocols which have been collected are then analyzed with further use of the IDS or additional network analysis tools, such as Wireshark or Snort (Overton, 2008). Hence, the second step in the investigation of malware installation is a specific analysis, which the IDS can assist by creating signatures based on the data from previous investigations. Such signatures can also be implemented in order to prevent hackers from potential attacks until the anti-virus software is upgraded. In fact, there is a wide range of reasons for an IDS to be utilized for the detection and prevention of malware activity crossing the network boundary. The IDS can also become part of a defense-in-depth strategy, which combines the IDS with anti-malware scanning tools in order to establish meaningful protection. Eventually, utilizing an IDS for malware investigation usually refers to the source IP, and this information is capable of rapidly eliminating threats spreading within the network (Overton, 2005). As for the difficulties concerning an IDS, it should be noted that signatures may be difficult to create and incorporate, and that is why a sufficient amount of skill is required to understand and utilize this tool for malware investigation.

Virtual Machine

The third most applicable source of data for the investigation of malware installation is the use of a virtual machine. As Overton suggests, a private network or a closed lab environment is supposed to be used for the analysis of potential malware activity (2008). Virtual machines can support such procedures by enabling multiple systems to run on one piece of hardware, so that the observer can watch a strain of malware behaving in a particular way. Virtual machines can take numerous forms of systems and platforms without an entire toolkit of expensive technologies. Virtual machine software allows the administrator to take multiple snapshots of the system’s settings, performance and volatile data during monitoring, so that a future investigation will not have to repeat the same procedure. VMW also creates a simulated network, so that the digital forensic investigator does not have to connect the infected computer to a live network and can conduct the analysis in a safe environment, while the ability to analyze network traffic remains available. In these terms, threats can be detected, and mitigations can be tested and verified. The use of virtual machines also presents difficulties, since a virtual environment cannot always reproduce the parameters of an operating system on a physical platform. In certain cases, a virtual environment cannot meet such a need, due to the type of system being simulated or the response of the malware, which obliges the digital forensic investigator to use sophisticated and expensive lab techniques.

Insider File Deletion

Hard Drive

In the previous cases of network intrusion and malware installation, live system data has been described as the source of primary application, owing to the indications produced by volatile data. In the case of insider file deletion, however, the primary objective is the creation of a forensic copy of the hard drive in order to recover data that could have been overwritten. Moreover, even the least careful computer user will know how to delete files from the recycle bin, so that non-volatile data is of equal concern to volatile data. This can be explained by the fact that the master file table can be restored with the assistance of numerous external applications.

For instance, when a file is removed from the recycle bin in Windows, only the file's metadata, such as its path, sector and other identifying information, is deleted. To put it more simply, the file system informs Windows that the space is available for new use. Despite this, if a recently saved file is not sufficiently large or does not occupy the entire space of the initially deleted file, the deleted file can still be restored by means of forensic software. Provided that only a short period has passed since the deletion of the file, tools such as WinUndelete for Windows may recover the file without any difficulty (Landry & Nabity, n.d.). The difficulty of data recovery from a computer hard drive is that, after a certain period, the intended files may be totally overwritten. Therefore, a smart hacker can utilize software such as Eraser to overwrite deleted data, making it unrecoverable.
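The recovery argument above (delete removes only the table entry, a smaller new file overwrites only part of the old space, a deliberate overwrite removes the rest) can be traced through a toy disk model. This is an added illustration, not code from the paper or from WinUndelete or Eraser; the sector size, the file table standing in for the master file table, and the file contents are constructed.

```python
SECTOR_SIZE = 8  # constructed: tiny sectors so the example is readable


class ToyDisk:
    """A disk as a list of sectors plus a file table (stand-in for the master file table)."""

    def __init__(self, n_sectors):
        self.sectors = [b"\x00" * SECTOR_SIZE] * n_sectors
        self.table = {}  # file name -> list of sector indexes it owns

    def free_sectors(self):
        used = {s for secs in self.table.values() for s in secs}
        return [i for i in range(len(self.sectors)) if i not in used]

    def write(self, name, data):
        chunks = [data[i:i + SECTOR_SIZE] for i in range(0, len(data), SECTOR_SIZE)]
        free = self.free_sectors()
        if len(chunks) > len(free):
            raise ValueError("disk full")
        allocated = free[:len(chunks)]  # lowest free sectors first, like a simple allocator
        for idx, chunk in zip(allocated, chunks):
            self.sectors[idx] = chunk.ljust(SECTOR_SIZE, b"\x00")
        self.table[name] = allocated

    def delete(self, name):
        """Ordinary delete: only the table entry goes; the sector contents stay in place."""
        del self.table[name]

    def wipe_free_space(self):
        """What an overwrite tool does: zero every sector no live file owns."""
        for i in self.free_sectors():
            self.sectors[i] = b"\x00" * SECTOR_SIZE

    def carve_unallocated(self):
        """What a recovery tool sees: non-empty content in sectors no live file owns."""
        return [self.sectors[i].rstrip(b"\x00")
                for i in self.free_sectors() if self.sectors[i].strip(b"\x00")]


def demo():
    """Walk the deleted file through the three states discussed in the text."""
    disk = ToyDisk(8)
    disk.write("secret.txt", b"payroll-2024-draft-q1")  # 21 bytes -> sectors 0, 1, 2
    disk.delete("secret.txt")
    after_delete = disk.carve_unallocated()            # all three chunks still recoverable
    disk.write("notes.txt", b"todo")                   # one sector, reuses sector 0 only
    after_partial_overwrite = disk.carve_unallocated()  # first chunk lost, rest recoverable
    disk.wipe_free_space()
    after_wipe = disk.carve_unallocated()              # nothing left to recover
    return after_delete, after_partial_overwrite, after_wipe


if __name__ == "__main__":
    for label, found in zip(("deleted", "partly overwritten", "wiped"), demo()):
        print(label, found)
```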

Network Storage

In the same way, the recovery of deleted files from a network storage device has the same priority for evidence of insider file deletion. In the majority of cases, files which are considerably important to an organization are shared with a group of people who have access to such network storage devices as Network Attached Storage, a Windows File Server, or a Storage Area Network. When a file is erased from a network folder, the easiest way to restore it is to follow the procedures described in the previous section. By the same token, NAS and SAN file systems support recovery of the latest snapshots from their administrative interfaces. The most drastic difficulty with recovering files from a network storage device is the possibility of a RAID copy. Moreover, other file system disks may be extremely large and thus too complicated to analyze. Insiders with access to the administrative sector may also be able to permanently delete files or even destroy the network storage.


All in all, the present paper has discussed the prioritization of data sources for use in the process of digital forensic investigation. More precisely, the study has discussed such cases of digital forensic investigation as network intrusion, malware installation and insider file deletion, and the related sources of data have been discussed accordingly. As a result, the study has sufficiently shown that different sources of data are supposed to be applied to different cases of malicious activity within a computer environment. Therefore, data sources are essential components of digital forensic investigation, even though data is a passive material for forensic toolkits.