Forensic Investigation Life Cycle (FILC) Using 6R Policy for Digital Evidence Collection and Legal Prosecution
Dr. Jigar Patel
Associate Professor, MCA Programme, Kalol Institute of Management, Kalol.
Web Site: www.ijettcs.org, Volume 2, Issue 1, January - February 2013, ISSN 2278-6856

1. INTRODUCTION
There is plenty of research by researchers on the digital investigation process based on different criteria such as evidence collection, use of tools, analysis of data and many more [6], [7], [8]. All of it shares the common intention of establishing how cyber criminals should be prosecuted in court and what digital evidence is needed to prove the crime against them. For many types of digital data records, or logging data for processes, it is obvious that they can potentially be relevant as digital evidence in the case of disputes [1]. Computing and storing pictures taken by digital cameras, or critical workflows on enterprise service buses, are examples of processes whose output somehow needs to be produced, documented and stored in a secure way in order to enable its use in court [14]. In general, data records and log files are not sufficiently protected against manipulation, which raises the question of the validity and admissibility of the digital evidence in court. Therefore, when a case comes before a court of law for trial to prove a cyber crime, it is necessary to present the chain of evidence in court, and that is why the role of the cyber crime investigator is crucial to the entire prosecution. As many types of cyber crime are taking place in the digital world, it is important for the investigator to collect, analyze, store and present the evidence in such a manner that the court will believe in that digital evidence and give appropriate punishment to the cyber criminal.

2. FORENSIC INVESTIGATION LIFE CYCLE (FILC)
The FILC consists of six stages, which together form the 6R policy: requirement analysis, retrieval of data, reliability, review of evidence, representation of evidence and repository of data (sections 3 to 8 below). These stages are concerned with how the investigator can conduct a sound investigation process to catch cyber criminals. The success of the investigation depends on how the chain of evidence is used in court to prove the cyber crime, so the forensic investigation life cycle defines both the technological and the legal aspects of a forensic investigation. The 6R policy supports the investigator in the legal prosecution: when all six stages are applied correctly, the investigation process gives the optimum result. Therefore it is first necessary to understand each stage of the FILC individually and in detail. The process is a cycle: if the case goes for revision, or the court requires more specific types of digital evidence, the entire cycle is repeated by the cyber crime investigator, possibly many times.
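Stages 3 to 5 of the cycle (requirement analysis, retrieval of data, reliability) meet in the acquisition of a suspect medium: the source is hashed before imaging, copied bit for bit, the image is hashed immediately afterwards, and the two sets of digests together with the handling details go into a chain-of-custody record that can be re-checked at any later point. The following Python script is an added worked example of that procedure; it is not code from the paper or from any of the tools the paper names. The record fields, the examiner and case identifiers, and the 1 MiB sample "medium" are assumptions made here for illustration.

```python
"""Acquisition of a suspect medium with before/after hashing and a
chain-of-custody record.  Added example, not code from the paper: the
record layout, the identifiers and the sample data are assumptions."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 4 * 1024 * 1024            # read/write granularity (4 MiB)
ALGORITHMS = ("md5", "sha1", "sha256")  # legacy digests plus a collision-resistant one

# Constructed sample "source medium": a deterministic 1 MiB byte pattern.
SAMPLE_DATA = bytes(range(256)) * 4096


def hash_stream(path, algorithms=ALGORITHMS):
    """One sequential, read-only pass over a file or block device, feeding
    every hasher at once so the medium is read a single time."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while chunk := fh.read(BLOCK_SIZE):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire(source, image, examiner, case_id):
    """Hash the source first, copy it bit for bit, then hash the image.
    Returns a custody record whose 'verified' flag is True only when every
    digest of the image equals the corresponding digest of the source."""
    started = datetime.now(timezone.utc).isoformat()
    source_hashes = hash_stream(source)          # hash BEFORE imaging
    with open(source, "rb") as src, open(image, "wb") as dst:
        while chunk := src.read(BLOCK_SIZE):
            dst.write(chunk)
        dst.flush()
        os.fsync(dst.fileno())                   # image really on disk before hashing it
    image_hashes = hash_stream(image)            # hash IMMEDIATELY after imaging
    return {
        "case_id": case_id,                      # hypothetical identifiers
        "examiner": examiner,
        "source": os.path.basename(source),
        "image": os.path.basename(image),
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
        "source_hashes": source_hashes,
        "image_hashes": image_hashes,
        "verified": source_hashes == image_hashes,
    }


def reverify(image, record):
    """Recompute the image digests later (for example before presenting the
    evidence in court) and compare them with those in the custody record."""
    return hash_stream(image) == record["image_hashes"]


def demo():
    """Acquire the constructed sample medium, then flip one byte of the image
    and show that re-verification fails.  Returns (record, ok_before, ok_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "suspect_disk.bin")
        image = os.path.join(tmp, "suspect_disk.dd")
        with open(source, "wb") as fh:
            fh.write(SAMPLE_DATA)
        record = acquire(source, image,
                         examiner="J. Doe (hypothetical)",
                         case_id="CASE-0001 (hypothetical)")
        ok_before = reverify(image, record)
        with open(image, "r+b") as fh:           # simulate tampering after collection
            fh.seek(512)
            original = fh.read(1)
            fh.seek(512)
            fh.write(bytes([original[0] ^ 0xFF]))
        ok_after = reverify(image, record)
        return record, ok_before, ok_after


if __name__ == "__main__":
    rec, before, after = demo()
    print(json.dumps(rec, indent=2))
    print("verification before tampering:", before)
    print("verification after tampering:", after)
```

Run as a script it prints the custody record and the two verification results. The source is only ever opened for reading; on a real device it would additionally be attached through a write-blocker. If the source has unreadable sectors, the source digest cannot be computed at all: imaging tools then zero-fill the unreadable ranges and log their offsets, and that log has to go into the custody record, because the image digest is then the only digest that can be reverified.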
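The reliability stage (section 5) points out that timestamps arrive in different formats and time zones, that clocks are uncertain, and that a single network event leaves traces on several systems which can be compared for consistency. The script below is an added example of such a cross-system check and is not the paper's code: the three log formats, the host names, the clock offset measured for the firewall and the log lines themselves are constructed here for illustration.

```python
"""Cross-system consistency check of log traces after timestamp
normalization.  Added example, not code from the paper; all log lines,
hosts and clock offsets are constructed for illustration."""
import re
from datetime import datetime, timedelta, timezone

# Measured during acquisition (assumed values): how far each system's clock
# ran AHEAD of a trusted reference.  Subtracted from every parsed timestamp.
CLOCK_AHEAD = {"fw1": timedelta(minutes=3), "web1": timedelta(0), "app1": timedelta(0)}
LOG_YEAR = 2013  # syslog lines carry no year; taken from the acquisition date

# Constructed traces of two logins plus one trace that exists on only one system.
FIREWALL_LOG = [  # syslog, no year, no zone; device logs in UTC, clock 3 min fast
    "Jan 10 08:35:10 fw1 kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 DPT=443",
    "Jan 10 08:43:05 fw1 kernel: ACCEPT IN=eth0 SRC=198.51.100.23 DST=10.0.0.5 DPT=443",
]
WEB_LOG = [  # Apache common log format with an explicit +05:30 offset
    '203.0.113.7 - - [10/Jan/2013:14:02:11 +0530] "POST /login HTTP/1.1" 200 512',
    '198.51.100.23 - - [10/Jan/2013:14:10:00 +0530] "POST /login HTTP/1.1" 200 512',
]
APP_LOG = [  # application log, ISO 8601 in UTC
    "2013-01-10T08:32:13Z INFO login-success user=alice ip=203.0.113.7",
    "2013-01-10T08:51:40Z INFO login-success user=bob ip=198.51.100.23",
    "2013-01-10T09:05:00Z INFO login-success user=carol ip=192.0.2.44",
]

SYSLOG_RE = re.compile(r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
                       r"(?P<host>\S+) .*\bSRC=(?P<ip>\S+)")
CLF_RE = re.compile(r"^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\]")
APP_RE = re.compile(r"^(?P<ts>\S+) \S+ \S+ .*\bip=(?P<ip>\S+)")


def parse_syslog(line):
    """Syslog: supply the missing year, treat as UTC, correct the clock offset."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    naive = datetime.strptime(f"{LOG_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    utc = naive.replace(tzinfo=timezone.utc) - CLOCK_AHEAD[m["host"]]
    return {"system": m["host"], "ip": m["ip"], "utc": utc}


def parse_clf(line, host="web1"):
    """Apache CLF: the offset is explicit, so convert it to UTC, then correct the clock."""
    m = CLF_RE.match(line)
    if not m:
        return None
    local = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"system": host, "ip": m["ip"], "utc": local.astimezone(timezone.utc) - CLOCK_AHEAD[host]}


def parse_app(line, host="app1"):
    """ISO 8601 with a trailing Z (rewritten to +00:00 for Python < 3.11)."""
    m = APP_RE.match(line)
    if not m:
        return None
    utc = datetime.fromisoformat(m["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
    return {"system": host, "ip": m["ip"], "utc": utc - CLOCK_AHEAD[host]}


def check_consistency(events, expected_systems, tolerance=timedelta(seconds=30)):
    """Group the traces of each client across systems.  An event is consistent
    when every expected system saw it and all normalized times lie within
    `tolerance` (network delay plus residual clock error)."""
    by_ip = {}
    for ev in events:
        by_ip.setdefault(ev["ip"], []).append(ev)
    report = {}
    for ip, evs in by_ip.items():
        times = sorted(ev["utc"] for ev in evs)
        seen = {ev["system"] for ev in evs}
        spread = (times[-1] - times[0]).total_seconds()
        report[ip] = {
            "systems": sorted(seen),
            "missing": sorted(set(expected_systems) - seen),
            "spread_seconds": spread,
            "consistent": spread <= tolerance.total_seconds() and seen == set(expected_systems),
        }
    return report


def demo():
    """Normalize the constructed logs and return the per-client consistency report."""
    events = ([parse_syslog(l) for l in FIREWALL_LOG] + [parse_clf(l) for l in WEB_LOG]
              + [parse_app(l) for l in APP_LOG])
    return check_consistency([e for e in events if e], expected_systems=("fw1", "web1", "app1"))


if __name__ == "__main__":
    for ip, result in demo().items():
        print(ip, result)
```

Each parser converts its own format to a time-zone-aware UTC value and subtracts the offset measured for that host during acquisition; the year for syslog lines, which carry none, comes from the acquisition date. In the sample data the first login lines up on all three systems within three seconds, the second appears in the application log more than eleven minutes after the firewall and web server saw it, and the third exists only in the application log; the last two are flagged, which is exactly the kind of inconsistency (wrong clock, altered or deleted log) that section 5 says must be assessed before the data is presented.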
3. REQUIREMENT ANALYSIS
In this first step, when a case comes to court, the investigator has to decide which evidence will be taken into consideration for the particular type of cyber crime. Sometimes only a specific type of data is accepted by the court to prove a specific type of cyber crime. Therefore, in the requirement analysis the investigator has to think about what that evidence is, what the investigation process is, and how much data is required to prove the crime. In further analysis, the investigator should determine what amount of data must be collected to complete the investigation, whether there is storage capacity to hold that evidential data, and whether forensic tools are available for the specific type of investigation. In short, this preliminary step checks technological feasibility. The investigator then has to determine how the stored data can be protected from misuse and tampering. This is the chain of custody: the investigator has to be able to prove that nobody altered or tampered with the evidential data after he collected it. In practice that proof rests on a written record of who handled each item and when, together with the cryptographic hash of the data at the time of collection, against which the data can be re-checked at any later point. The requirement analysis also estimates how much time is required to collect the data and what effort is required to conduct a successful investigation. For example, Eugene Wang worked at Borland International, Inc., a software manufacturer, when he allegedly used email to send trade secrets from his current employer to his new employer. Wang was caught when someone read his email, and his messages were used as legal evidence against him [9]. Email can thus be valid evidence in some cases, and it is in this step that the investigator has to identify such sources.

4. RETRIEVAL OF DATA
After the analysis step comes the second step, in which the data is actually acquired for further investigation. In the data retrieval process it is most important to identify the source and destination media. Generally the suspect computer or server storage acts as the source medium, and the data on it is taken onto another medium for further investigation. So the investigator should have knowledge of different kinds of storage devices, and of how the data on such a device is taken onto the investigator's own storage device without loss or alteration, so that it can later be used as legal evidence in court. After determining the source and destination media, the investigator prepares the image. The tools, techniques and methodologies of electronic investigation, gathering and analysis have been tried and proven and are accepted in many countries. While recovering the data, the integrity of the original medium must be maintained throughout the entire investigation; in practice the source is attached through a hardware write-blocker, or mounted read-only, so that nothing is ever written to it. The basic methods of recovering unrecoverable data are described in various resources [10], [11]. Forensic analysis tools are used to recover hard-disk information. They analyze hard disks or hard-disk images from a variety of operating systems and provide an Explorer-style interface so that the examiner can read the files. Internationally important forensic tools such as DriveSpy, TASK, EnCase, Forensic Toolkit, ILook, X-Ways, Norton Utilities and The Coroner's Toolkit are widely used to collect data from suspect computers for further analysis [12]. The use and selection of forensic tools for a specific type of digital evidence collection depends on the knowledge and experience of the forensic investigator; however, the Forensic Tools Matrix can be very helpful in guiding the investigator in selecting the forensic tools to use for a particular kind of cyber crime [14].

5. RELIABILITY
Apart from collecting the data and evidence, it is also important to determine how authentic the data is. The image we have created must be identical to the original data. To check this, we create the hashes of the original data before we create the image, and immediately after creating the image we create the hash of the image data. These two hashes must match; if they do not, something went wrong in the imaging process and the data is unreliable. A cryptographic hash function should be used for this. MD5 and SHA-1 are the digests most forensic tools reported at the time of writing, but both now have practical collision attacks (MD5 since 2004, SHA-1 since 2017), so an examiner should also record a SHA-256 digest; most imaging tools compute several digests in the same pass, and recording two independent digests makes a deliberate substitution of the data much harder to achieve. Having incorrect information is potentially more damaging than having no information. The situation, of course, raises the question of the accuracy or uncertainty of a measurement. Uncertainty in digital evidence is not being evaluated at present, which makes it difficult to assess the reliability of evidence stored on and transmitted over computer networks. Uncertainty about date and time and their various formats when evidence is collected, network delay, determining the accurate origin of an email, and tampering with or corruption of logs all raise questions about the reliability of collected evidence. The origin and time of events can be uncertain, errors can occur in logging applications, system limitations can exacerbate data loss, individuals can conceal or fabricate evidence, and mistakes can occur in data presentation and analysis. At the same time, networks provide many opportunities from a forensic standpoint. One advantage of networks as a source of evidence is that a single event leaves traces on multiple systems. Therefore it is possible to compare traces from different systems for consistency, and it is difficult for criminals to destroy or alter all digital traces of their network activities [2]. The need for measures of error in forensic analysis of computer systems is apparent in the history of scientific evidence [3]. Therefore digital forensic analysis tools are needed that translate the data and provide an error value that helps determine how trustworthy the result is. No software is perfect, so each analysis tool will have an associated Tool Implementation Error based on its history; this value helps to establish trust when using an analysis tool [5]. Thus it is the forensic examiner's duty to estimate how closely the measured values represented in their data approximate reality. Only reliable data should be put before a court of law as digital evidence to prove the cyber crime against the cyber criminal.

6. REVIEW OF EVIDENCE
After getting all the data from the suspect resources, the most important question is how to obtain the data that can be considered as evidence in a court of law. We require a proper chain of evidence that cannot be challenged by the opposing party, and that is only possible if all the evidence is relevant to the case. After collecting a large set of information it is important to extract the evidential data from the media; tools such as Forensic Toolkit and EnCase are used for the analysis of the information collected from the suspect computer. In a Linux environment The Coroner's Toolkit is used for evidence collection and analysis. Analysis of the physical media layer of abstraction translates a custom storage layout and its contents to a standard interface, IDE or SCSI for example. The boundary of this layer is the bytes of the medium; examples include a hard disk, compact flash and memory chips. Analysis of this layer includes processing the custom layout and even recovering deleted data after it has been overwritten [4]. That last claim rests on Gutmann's 1996 analysis of older, low-density magnetic media; on modern drives, data that has actually been overwritten is not recoverable in practice, and what examiners recover is data that was deleted but never overwritten.

7. REPRESENTATION OF EVIDENCE
Because of the considerable uncertainty in the validity and acceptability of digital evidence, it is equally important to represent the evidence in a form that can be understood by the court. For many types of digital data records, or logging data for processes, it is obvious that they can potentially be relevant as digital evidence in the case of disputes [1]. But sometimes a court will not accept the same data as valid evidence because of improper representation of the digital evidence. It has also been found in court that judges, lawyers and police may not have knowledge of computers and networks, which creates further hindrances in the prosecution process. Therefore it is the investigator's responsibility to represent the evidence in such a manner that it will be understood by everyone in the court of law.

8. REPOSITORY OF DATA
After a successful investigation it is equally important to decide how the data is archived in a repository for future use. The first thing is to determine which data can be useful in future and how long it has to be stored: in legal procedure a completed case may be reopened, or the opponent may appeal or seek revision in a higher court. Since it is very difficult to store all the data related to a case in the repository, the investigator has to find which datasets can be useful in future, and only those are stored. Removal of data from the repository therefore depends on the likelihood that the case will be appealed, and nothing should be removed while an appeal or revision is still possible.

9. CONCLUSION
Since the investigation of cyber crime is totally different from that of conventional crime, the cyber crime investigator requires knowledge, skills and expertise in computers and networks. Cyber forensics plays a vital role in the investigation process, but evidence collection alone is not enough, because the admissibility, reliability and originality of the evidence are equally important. This paper assists the cyber crime investigator throughout the cyber crime investigation, evidence collection and evidence representation process.

REFERENCES
[1] U. Maurer, New approaches to digital evidence, Proceedings of the IEEE, 92(6), pp. 933-947, 2004.
[2] E. Casey, Error, Uncertainty, and Loss in Digital Evidence, International Journal of Digital Evidence, 1(2), Summer 2002.
[3] G. Palmer, Forensic Analysis in the Digital World, International Journal of Digital Evidence, 1(1), 2002.
[4] P. Gutmann, Secure Deletion of Data from Magnetic and Solid-State Memory, Proceedings of the 6th USENIX Security Symposium, 1996.
[5] B. Carrier, Defining Digital Forensic Examination and Analysis Tools Using Abstraction
Layers, International Journal of Digital Evidence, 1(4), Winter 2003.
[6] V. Baryamureeba and F. Tushabe, The Enhanced Digital Investigation Process Model, Proceedings of the Digital Forensic Research Workshop, Baltimore, MD, 2004.
[7] S. Ó Ciardhuáin, An Extended Model of Cybercrime Investigations, International Journal of Digital Evidence, 3(1), 2004.
[8] F. C. Freiling and B. Schwittay, A Common Process Model for Incident Response and Computer Forensics, Proceedings of the Conference on IT Incident Management and IT Forensics, Germany, 2007.
[9] S. P. Weisband and B. A. Reinig, Managing user perceptions of email privacy, Communications of the ACM, 38(12), December 1995.
[10] C. H. Sobey, Recovering unrecoverable data, ChannelScience white paper, 14 April 2004.
[11] D. Icove, K. Seger and W. VonStorch, Computer Crime: A Crimefighter's Handbook, O'Reilly Media, USA, 1995.
[12] S. L. Garfinkel and A. Shelat, Remembrance of Data Passed: A Study of Disk Sanitization Practices, IEEE Security & Privacy, 1(1), pp. 17-27, 2003.
[13] C. Rudolph, Z. Velikova and N. Kuntze, Secure web service workflow execution, Electronic Notes in Theoretical Computer Science, pp. 33-46, 2009.
[14] J. Patel, Forensic Tools Matrix: The Process of Computer Forensic for Digital Evidence Collection, International Journal of Management, IT and Engineering, 1(7), pp. 195-209, December 2011.

AUTHOR
Jigar Patel received the B.E. and M.C.A. degrees from Gujarat University and North Gujarat University in 2000 and 2003 respectively. He also received a Ph.D. degree in Computer Science from Hemchandracharya North Gujarat University, in the area of Cyber Law and Cyber Crime, and has published and presented several research papers in international journals and conferences. He has more than nine years of teaching and research experience and also guides Ph.D. and M.Phil. students in the field of Computer Science and Applications. He is currently working as an Associate Professor in the Master of Computer Application programme affiliated to Gujarat Technological University.