
An Analysis of Digital Forensics in Cyber Security: D. Paul Joseph and Jasmine Norman

The document discusses digital forensics and its growth due to increasing cyber threats. It covers several topics: 1) Digital forensics includes domains like network, database, mobile, cloud, and memory forensics that help investigate cyber crimes. 2) Recent statistics show exponential increases in cyber attacks, malware, and data volumes, challenging digital forensics. 3) The paper provides information on forensics domains, anti-forensics techniques, and analyzes the current state of digital forensics.


An Analysis of Digital Forensics in Cyber Security

D. Paul Joseph and Jasmine Norman

Abstract Digital forensics, also called computer forensics, is a major field that
incorporates people regardless of their professions. Digital forensics includes various
forensic domains such as network forensics, database forensics, mobile forensics, cloud
forensics, memory forensics, and data/disk forensics. Recent statistics and analytics
show the exponential growth of cyber threats and attacks, and thus the need for
forensic experts and forensic researchers to automate processes in the cyber world.
As digital forensics is directly related to data recovery and data carving, the
field struggles with the rapid increase in the volume of data. In addition, the
day-to-day increase in malware leaves the forensic field lagging. This paper provides
users and researchers with information regarding forensics and its different domains,
anti-forensic techniques, and an analysis of the current status of forensics.

Keywords Anti-forensics · Cyber-attacks · Cyber targets · Cyber threats · Digital forensics

1 Introduction

Digital forensics [1], also called digital forensic science [2], is a branch of forensic
science that covers the identify, search, seize, preserve, and investigate cycle of
digital data in crime scenarios. Though the roots of this field were found in the
early 1980s, its revolution started in the mid 1990s with the invention of multi-user,
multi-tasking operating systems and wide area networks. In the early years, forensics
was confined to unauthorized access to information; it later extended to cyber-attacks,
creation of malware/viruses, financial frauds, child pornography, etc. With the rise in
cyber threats and attacks, digital forensics has emerged as one of the key areas in the
world of security. The recent KPMG cyber-crime survey [3] stated that 72% of companies
in India faced cyber-attacks in 2016, with 63% reporting financial loss, 55% sensitive
data stolen, and 49% reputational damage. A Symantec Corp survey [4] showed exponential
growth in malware, rising to 430 million in 2016 from 2.3 million in 2009; that is,
1.1 million malware samples were created every day. The above issues sum up one face of
digital forensics; the other face is data recovery, or finding lost data. The data may
be in raw or multimedia format, and its sources include hard drives, mobile phones,
databases, GPS devices, IOT, and sophisticated electronic gadgets [5]. As secure data
storage and secure data retrieval mechanisms have advanced, data destruction and data
shredding have also become sophisticated, making the job of forensic experts more
difficult. This paper concentrates on and gives information about cyber threats, targets
of cyber-attacks, the results of those attacks, and anti-forensic techniques, and
eventually concludes with preventive measures against cyber-attacks from a user's
perspective.

D. Paul Joseph (B) · J. Norman
School of Information Technology and Engineering, Vellore Institute of Technology, Vellore, India
e-mail: [email protected]
J. Norman
e-mail: [email protected]

© Springer Nature Singapore Pte Ltd. 2019
R. S. Bapi et al. (eds.), First International Conference on Artificial Intelligence
and Cognitive Computing, Advances in Intelligent Systems and Computing 815,
https://doi.org/10.1007/978-981-13-1580-0_67

2 Background Work

Digital forensics is not solely an assortment of multiple forensic disciplines; it
is a combination of multiple subjects and techniques. For example, data storage and
data recovery techniques draw on data mining, machine intelligence, deep learning,
algorithms, and architectural framework techniques. Memory forensics [6] embodies
kernel-level debugging and knowledge of hardware architectures, and mobile forensics
requires Android programming knowledge, etc. As said earlier, the field includes
people from multiple professions, such as forensic experts, law enforcement agencies,
attackers, victims, companies, and courts. On the whole, digital forensics incorporates
multiple professions, technologies, and domains, and thus its complexity is also multifold.

2.1 Digital Forensics Domain and Their Impact

As listed above, the digital forensics domain consists of various sub-domains such as
data forensics, cloud forensics, memory forensics, and Android/mobile forensics. Though
digital forensics came into existence three decades ago, cloud forensics [7] and
mobile forensics [8] came into existence only a decade ago.
Computer/Disk Forensics
Disk forensics started in the early 1990s; however, there was tremendous research in
this field in 2012 and 2014. Later, the graph fell, attributable to the lack of proper
data forensic tools. There was a small research gap in data forensics at that point as
a result of the birth of big data [9] in the forensic field. In the present year, a lot
of research is still going on in data forensics associated with big data, either
homogeneous or heterogeneous. There are still a lot of open problems in this field
regarding automation and correlation of data [10]. The following diagrams represent
the extent of research in those domains (Fig. 1).

Fig. 1 Disk forensics in the time gap

Fig. 2 Cloud forensics in time gap

Fig. 3 Memory forensics in time gap
Cloud Forensics
The term cloud forensics was introduced between 2005 and 2009; initially, it had very
little research scope as only a few cloud vendors were available at that time. Later,
around 2013, research in this field rose sharply, although with questions that were
unresolvable at that time. This field still faces difficulty in the forensic area because
it does not offer forensics as a service [7]. Secondly, forensic experts cannot gain
direct access to the cloud servers (Fig. 2).
Memory Forensics
The memory forensics domain [11] is well known to forensic researchers. This domain
started at the very birth of digital forensics; memory here refers to random access
memory, read-only memory, non-removable memory (memory in mobiles), flash devices, etc.
A lot of research has gone into this field, but there are still problems in live memory
forensics (Fig. 3).
In 2004, black analysis or dead analysis was observed. That is, when the system was
off or about to switch off, experts used to take a snapshot of the memory and perform
the analysis. Nowadays many tools are available for live memory analysis [6], but these
could not give efficient results, which is still an open problem.
Mobile/Android Forensics: Mobile forensics started in the year 2000 with the invention
of new Motorola phones that ran Java mobile editions. Nowadays, with the development of
Android and Windows operating systems, the day-to-day use of mobile phones has greatly
increased. Since Android phones serve as mini computers, major work is done through the
mobile itself. In the forensic stream, mobile forensics plays a vital role compared to
other domains. For the past two years, many Android forensic tools [8] were developed,
and commercial tools were also available (Fig. 4).
But the major drawback [12] of this field is that the memory of the mobile and the
operating system cannot be separated, which makes the task difficult for forensic
examiners. The cause of the downfall of the graph is that, as many new mobiles with
different architectures and new operating systems are being developed, the tools
developed so far are not sufficient to gather evidence from new devices.

Fig. 4 Mobile forensics

2.2 Cyber World Crimes and Targets

Cyber-crime, synonymously called computer crime, involves a computer and a network.
The computer may be a target computer or the attacker's stand-alone computer. The
network is not restricted to a LAN; it extends to MAN, WAN, and SAN. Different types
of cyber-crimes, with a brief description of each, are as follows:
Cyber Terrorism: This is entering into the security agencies of different countries,
searching for loopholes, and, with the help of those loopholes, stealing confidential
matter regarding the country's internal security. The persons who do these activities
are referred to as cyber terrorists, and their role is to steal highly confidential
matters like military plans and moves.
Cyber Warfare: Cyber warfare has become a national concern as each country performs
attacks on its enemies; for example, USA on Russia, China on USA, India on Pakistan,
and the list continues with many other countries. This mainly deals with hacking of
nuclear plants, electricity distribution plants, air defense systems, defacing of
government Web sites, military agencies, etc.

Table 1 Cyber-attacks at cyber targets

S. No  Cyber-attack              Cyber target                                  Severity
                                 Desktop  Mobile  IOT  Server  SCADA  ERP
1      Application-layer attack  •        •       •    •       •      •       Severe
2      SQL injection             •        –       –    •       •      •       Catastrophic
3      Spear phishing            •        •       –    •       •      –       Moderate
4      DDOS attack               –        –       –    •       •      •       Moderate (no data loss)
5      Malware/virus             •        •       •    •       •      •       High
6      Botnets                   –        –       –    •       •      •       Moderate
7      Social engineering        •        •       –    •       –      –       Moderate
Cyber Extortion: This is a cyber-attack in which the attackers send multitudes of
requests to a Web server, thereby reducing the ability of that server to handle
requests from other users. Then these attackers demand money from the server admins
in order to stop the flooding attacks.
Financial Fraud: The most common cyber-attack is financial fraud. It happens through
unauthorized altering of data and is observed mostly during online money transactions.
This attack occurs through phishing mails, spam mail, and unauthorized second
authentication factors obtained by attackers.
Cyber Stalking: As the name indicates, this attack can be online or offline harassment
of persons. It includes defamation, depreciation, and false accusations. This attack
comes under criminal offense and has its own rules.
Identity Theft: This attack is also rising at an alarming rate; the attacker uses the
user's information, such as name, mobile number, address, bank details, and card
numbers, to carry out financial transactions, resulting in great financial loss to
the user.
Child Soliciting and Abuse: This attack is seen when children chat in their personal
chat rooms online. Some attackers use the chat rooms as bait and lure thousands of
children into pornography, which adversely affects the country itself.
Targets of Cyber World
Since there are multiple cyber-crimes [3], the targets also exist in multiple forms.
The different targets of cyber attackers are as follows:
1. Desktop/Laptops/Mobiles/PDA
2. IOT
3. Servers (File Server, Web server, Email server)
4. SCADA systems and ERP systems (Fig. 5; Table 1).

Fig. 5 Targets of cyber world with their impact [4]

3 Forensic and Anti-Forensic Techniques

The goal of digital forensics is to recover, identify, and analyze information so as
to grasp who the offender is. In the forensic process, irrespective of domain, the goal
is to recover data that was formatted, deleted, or shredded; conversely, the goal of
anti-forensics [13] is to delete data without leaving any trace in a log file, text
file, or temp file. Over the last three decades, thousands of forensic tools have become
available across all the forensic domains. Anti-forensic tools were also developed,
which were a boon to attackers and criminals and a bane to forensic experts, who
struggle to cope with such data. Still, only a few tools are available that support
all the domains. Examples of forensic tools are EnCase, CAINE forensic tools, Oxygen
Forensic Suite, etc.
Anti-forensic techniques in the present scenario:
1. Overwriting metadata/shredders [13]
2. Cryptographic and steganographic techniques
3. Program packers
4. Live CDs and bootable drives
5. Virtual systems
6. S.M.A.R.T. technique in hard disks
7. Denial of kernel access
8. Altering of MAC (modified, access, control) timestamps
9. Hiding in slack space and boot records
10. Using encrypted and secured network protocols
11. Proxy and anonymous surfing (for network attacks).
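As an added illustration of item 8 (timestamp alteration), and not code from the paper, the following Python check flags file metadata records whose MAC timestamps show the usual signs of tampering: whole-second values, a modification time newer than the metadata change time, dates after acquisition, or a creation time older than the file system itself. The records, acquisition time and file-system creation time are constructed values.

```python
"""Flag file records whose MAC timestamps look tampered ("timestomping")."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

def ts(*parts: int) -> datetime:
    """Build a UTC timestamp from (Y, M, D[, h, m, s, microsecond])."""
    return datetime(*parts, tzinfo=timezone.utc)

@dataclass
class FileRecord:
    path: str
    modified: datetime   # M: content last written (mtime)
    accessed: datetime   # A: last read (atime)
    changed: datetime    # C: inode/metadata last changed (ctime)
    created: datetime    # creation (birth) time

def timestomp_indicators(rec: FileRecord, now: datetime,
                         fs_created: datetime) -> List[str]:
    """Return the reasons a record looks tampered; an empty list means none."""
    reasons = []
    # Tools that set times through second-granularity APIs zero every
    # sub-second field; genuine writes almost never line up that neatly.
    if all(t.microsecond == 0 for t in (rec.modified, rec.accessed, rec.created)):
        reasons.append("sub-second fields all zero")
    # Setting mtime also bumps ctime, so mtime should never be the newer one.
    if rec.modified > rec.changed:
        reasons.append("modified later than metadata change")
    # Clock skew aside, nothing on the image should be dated after acquisition.
    if max(rec.modified, rec.created) > now + timedelta(minutes=5):
        reasons.append("timestamp in the future")
    # A file cannot predate the file system that holds it.
    if rec.created < fs_created:
        reasons.append("created before file system existed")
    return reasons

def scan(records: List[FileRecord], now: datetime,
         fs_created: datetime) -> Dict[str, List[str]]:
    """Map each suspicious path to its indicators; clean files are omitted."""
    return {r.path: why for r in records
            if (why := timestomp_indicators(r, now, fs_created))}

# Constructed sample metadata (hypothetical image acquired on 2018-06-01).
NOW, FS_CREATED = ts(2018, 6, 1, 12, 0), ts(2016, 1, 10, 9, 0, 0, 123456)
SAMPLE_RECORDS = [
    FileRecord("/home/u/notes.txt", ts(2017, 5, 6, 8, 0, 1, 552000),  # clean
               ts(2018, 5, 30, 11, 11, 11, 100), ts(2017, 5, 6, 8, 0, 1, 552000),
               ts(2017, 3, 4, 10, 15, 22, 381200)),
    FileRecord("/home/u/report.doc", ts(2012, 1, 1), ts(2012, 1, 1),  # stomped
               ts(2018, 5, 31, 23, 59, 59, 500000), ts(2012, 1, 1)),
    FileRecord("/home/u/invoice.pdf", ts(2030, 1, 1, 0, 0, 0, 42),  # future
               ts(2018, 5, 31, 9, 0, 0, 7), ts(2018, 5, 31, 9, 0, 0, 7),
               ts(2017, 8, 8, 8, 8, 8, 800)),
]
```

Each indicator on its own is only a lead (a plain file copy, for instance, also yields a creation time newer than the modification time, which is why that check is not included); several together on one file are what merit a closer look.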

4 Discussion

As security is enhanced day by day, so are the security breaches. As forensic tools
are developed, so are anti-forensic tools. Though many security vendors come up with
new software and technologies, there are no tools efficient enough to stop the deadliest
threats and attacks, such as ransomware, SQL injection, and spear phishing. Day by day,
cyber-crime statistics reveal an alarming rise in attacks, which makes many companies
and professionals fear falling into those traps. Though the forensic domain attracts
many researchers, it has not yielded up to the mark. Android forensics and cloud
forensics [14] still stand as a major challenge for forensic examiners and researchers
in implementing forensics as a service. The second major challenge for mobile forensics
[15] is the need for a multi-tool that supports all operating systems and all
architectures. Disk/data forensics challenges researchers in correlating massive
amounts of big data [10] and in automated approaches to it.

5 Conclusion

In this paper, we gave a brief introduction to forensics in light of the cyber world,
types of cyber threats and cyber-attacks, the current research scope of the digital
forensics domain, and various forensic and anti-forensic methods. Further research will
extend to implementing various professional tools in Windows and Linux environments
with different critical test cases, i.e., testing the efficiency of forensic toolkits
when used against anti-forensic techniques and performing live analysis with test cases.
Further work also includes designing and implementing an integrated forensic tool that
supports all platforms.

References

1. Raghavan, S. (2013). Digital forensic research: current state of the art. CSI Transactions on ICT, 1(1), 91–114. https://doi.org/10.1007/s40012-012-0008-7.
2. Beebe, N. (2009). Digital forensic research: The good, the bad and the unaddressed. Advances in Digital Forensics V, 17–36. https://doi.org/10.1007/978-3-642-04155-6_2.
3. Cybercrime survey report (2017, November).
4. Key findings from the 2015 US State of Cybercrime Survey (2017, July).
5. Stamm, M. C., Wu, M., & Liu, K. J. R. (2013). Information forensics: An overview of the first decade. IEEE Access, 1, 167–200. https://doi.org/10.1109/ACCESS.2013.2260814.
6. Chan, E., & David, F. (2010). Forenscope: A Framework for Live Forensics, 307–316.
7. Pichan, A., Lazarescu, M., & Soh, S. T. (2015). Cloud forensics: Technical challenges, solutions and comparative analysis. Digital Investigation, 13, 38–57. https://doi.org/10.1016/j.diin.2015.03.002.
8. Martinez, J. (2007). Mobile Forensics. Technology, 1(1), 40. Retrieved from www.susteen.com.
9. Irons, A., & Lallie, H. S. (2014). Digital Forensics to Intelligent Forensics, 584–596. https://doi.org/10.3390/fi6030584.
10. Mohammed, H., Clarke, N., & Li, F. (2016). An automated approach for digital forensic analysis of heterogeneous big data. Journal of Digital Forensics, Security and Law, 11(2), 1–16.
11. Vömel, S., & Freiling, F. C. (2011). A survey of main memory acquisition and analysis techniques for the Windows operating system. Digital Investigation, 8(1), 3–22. https://doi.org/10.1016/j.diin.2011.06.002.
12. Abdallah, A., Alamin, M., Babiker, A., & Mustafa, N. (2015). A Survey on Mobile Forensic for Android Smartphones. IOSR Journal of Computer Engineering, 17(1), 2278–661. https://doi.org/10.9790/0661-17211519.
13. Garfinkel, S. (2007). Anti-Forensics: Techniques, Detection and Countermeasures. 2nd International Conference on I-Warfare and Security, 77–84. https://doi.org/10.1.1.109.5063.
14. Manoj, S. K. A., & Bhaskari, D. L. (2016). Cloud Forensics: A Framework for Investigating Cyber Attacks in Cloud Environment. Procedia Computer Science, 85, 149–154. https://doi.org/10.1016/j.procs.2016.05.202.
15. Khan, S., Ahmad, E., Shiraz, M., Gani, A., Wahab, A. W. A., & Bagiwa, M. A. (2014). Forensic challenges in mobile cloud computing. 2014 International Conference on Computer, Communications, and Control Technology (I4CT), 343–347. https://doi.org/10.1109/I4CT.2014.6914202.
