Digital Forensics has a very wide scope. Hence it must be divided into specialized branches so that a deeper knowledge base can be built in each area. Cyber Forensics, when divided into 4-5 branches, benefits from having experts in each area rather than one expert who has to know all areas. The branches of Digital Forensics are:
1. Disk Forensics
2. Printer Forensics
3. Network Forensics
4. Mobile Device Forensics
5. Database Forensics
6. Digital Music Device Forensics
7. Scanner Forensics
8. PDA Forensics
Let us look at these branches in detail:
1. Disk Forensics
Disk forensics is the science of extracting forensic information from digital storage media like hard disks, USB devices, FireWire devices, CDs, DVDs, flash drives, floppy disks etc. The processes of Disk Forensics are:
· Identify digital evidence
The first step in Disk Forensics is the identification of the storage devices at the crime scene. Computers may contain disks such as IDE/SCSI hard disks, CDs, DVDs, floppy disks etc.; mobiles, PDAs etc. may contain flash cards, SIM cards, USB/FireWire disks, magnetic tapes, Zip drives, Jaz drives etc.
· Acquire the evidence
Once the digital evidence is identified, it should be acquired with a forensic imaging tool. Acquisition is a process of bit-stream imaging. The image must be a correct and complete copy of the data and must also preserve the disk geometry. During this process the source media should be write protected.
· Authenticate the evidence
Once the imaging is done, the image should be verified against the original. Hashing is the mechanism used to prove that the copy is identical to the original and has not been altered.
· Preserve the evidence
Electronic evidence can be altered or tampered with without leaving a trace. Once acquisition and authentication are done, the original evidence should be placed in secure storage. One more copy of the image should be taken and stored on appropriate media or reliable mass storage. Optical media can be used as the mass storage: it is reliable, fast, long-lived and reusable.
· Analyze the evidence
Analysis is the search for relevant information in the digital evidence. Analysis should cover the complete evidence without leaving out a single bit of information. The search may cover files or data in normal files and folders, registries, pictures, databases, cookies, temporary files, swap, Internet history, passwords etc., and the ambient data areas such as deleted, formatted, slack, unallocated and lost space.
· Report the findings
Report generation is an important and the final stage in Disk Forensics. The value of the evidence will ultimately depend on the way it is presented. The technical evidence in the report should be presented in a simple and precise way so that a non-technical person can also understand it.
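The six steps above, carried out end to end on a tiny constructed sample disk, as an added Python example (this is not code from the original post; the sample disk contents, the 512-byte sector size and the allocation map are all constructed here, and the keyword search stands in for a full analysis):

```python
"""Added example (not from the original post): the disk-forensics workflow
carried out on a constructed, tiny "disk" file. Identify -> acquire (bit-stream
copy, sector by sector, from a write-protected source) -> authenticate (hash
source and image) -> preserve (second copy plus hash manifest) -> analyze
(keyword search of allocated and unallocated space) -> report (summary dict)."""
import hashlib
import os
import shutil
import tempfile

SECTOR = 512  # sector size assumed for the constructed disk


def build_sample_disk(path):
    """Construct a 16-sector 'disk': a live file in sectors 0-3, a deleted
    file's remnant left in unallocated sector 8, zeros elsewhere."""
    disk = bytearray(16 * SECTOR)
    live = b"invoice_2024.txt: amount due 4,250 EUR to ACME Ltd\n"
    disk[0:len(live)] = live                                 # allocated data
    remnant = b"DELETED NOTE: transfer to offshore account 9911\n"
    disk[8 * SECTOR:8 * SECTOR + len(remnant)] = remnant     # unallocated area
    with open(path, "wb") as f:
        f.write(disk)
    # constructed allocation map: sectors the file system says are in use
    return {"allocated_sectors": {0, 1, 2, 3}, "total_sectors": 16}


def acquire(src, dst):
    """Bit-stream image: copy every sector, in order, from the source."""
    with open(src, "rb") as s, open(dst, "wb") as d:
        while True:
            chunk = s.read(SECTOR)
            if not chunk:
                break
            d.write(chunk)
    return os.path.getsize(dst)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(SECTOR), b""):
            h.update(chunk)
    return h.hexdigest()


def analyze(image, alloc_map, keywords):
    """Search every sector, reporting hits separately for allocated and
    unallocated space so recovered remnants are not mistaken for live files."""
    hits = {"allocated": [], "unallocated": []}
    with open(image, "rb") as f:
        for n in range(alloc_map["total_sectors"]):
            sector = f.read(SECTOR)
            region = "allocated" if n in alloc_map["allocated_sectors"] else "unallocated"
            for kw in keywords:
                if kw in sector:
                    hits[region].append((n, kw.decode()))
    return hits


def run_case(workdir=None):
    workdir = workdir or tempfile.mkdtemp()
    src = os.path.join(workdir, "evidence.dd")
    alloc = build_sample_disk(src)                             # identify
    os.chmod(src, 0o444)                                       # write-protect the source
    img = os.path.join(workdir, "evidence.img")
    size = acquire(src, img)                                   # acquire
    src_hash, img_hash = sha256_file(src), sha256_file(img)    # authenticate
    verified = src_hash == img_hash and size == os.path.getsize(src)
    backup = os.path.join(workdir, "evidence_copy.img")        # preserve
    shutil.copyfile(img, backup)
    with open(os.path.join(workdir, "MANIFEST.sha256"), "w") as m:
        m.write(f"{img_hash}  evidence.img\n{sha256_file(backup)}  evidence_copy.img\n")
    hits = analyze(img, alloc, [b"offshore", b"ACME"])         # analyze
    return {"verified": verified, "sha256": img_hash, "hits": hits}  # report


if __name__ == "__main__":
    print(run_case())
```

The report separates hits in allocated sectors from hits in unallocated sectors; in a real case that distinction (live file versus remnant of a deleted one) is what the examiner has to explain to the non-technical reader.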
2. Printer Forensics
Printed material is a direct accessory to many criminal and terrorist acts. In addition, printed material may be used in the course of conducting illicit or terrorist activities. In both cases, the ability to identify the device or type of device used to print the material in question would provide a valuable aid for law enforcement and intelligence agencies.
For example, counterfeiters often digitally scan currency and then use colour laser and inkjet printers to produce bogus bills. Forgers use the same methods to make fake passports and other documents. Investigators want to be able to determine that a fake bill or document was created on a certain brand and model of printer. They also want to identify not only which model of printer was used but specifically which printer was used. Thus it will be possible to tell the difference between counterfeit bills created on specific printers even if they are the same model.
The two approaches as suggested by Purdue University are:
· First, analyzing a document to identify characteristics that are unique for each printer, and second, designing printers to purposely embed individualized characteristics in documents.
· The second method is followed by most of the latest printer manufacturers. No two printers of the same model will behave in exactly the same pattern. This is because the mechanical parts that make up the printer will not be 100 percent equivalent.
Manufacturing such printers could reach the point where each printer would be too expensive for consumers. If, however, the printer cartridge is changed after a document is printed, the document can no longer be traced to that printer.
3. Network Forensics
Network forensics is concerned with the monitoring and analysis of computer network traffic, both local and WAN/Internet, for the purposes of information gathering, evidence collection, or intrusion detection. Traffic is usually intercepted at the packet level, and either stored for later analysis or filtered in real time. Unlike other areas of digital forensics, network data is often volatile and rarely logged, making the discipline often reactionary. In 2000 the FBI lured computer hackers Aleksey Ivanov and Gorshkov to the United States for a fake job interview. By monitoring network traffic from the pair's computers, the FBI identified passwords allowing them to collect evidence directly from Russian-based computers.
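As an added example, not from the original post, here is a small Python packet-level parser that shows both paths the text mentions: constructed Ethernet/IPv4/TCP frames are parsed into flow records (the "store for later analysis" path), and a real-time rule flags cleartext FTP logins as they pass (the "filter in real time" path). The frames, the addresses and the FTP rule are all constructed for the example; the rule only records that a cleartext login occurred, not the credential.

```python
"""Added example (not from the original post): minimal packet-level capture
processing. Constructed Ethernet/IPv4/TCP frames are parsed into 5-tuple flow
records, and a real-time filter raises an alert when an FTP USER/PASS command
is seen in cleartext."""
import socket
import struct


def build_frame(src_ip, dst_ip, sport, dport, payload, flags=0x18):
    """Construct a raw Ethernet + IPv4 + TCP frame (checksums left at zero;
    this is sample input, not a real capture)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 8192, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Return ((src, sport, dst, dport, 'tcp'), payload) for an IPv4/TCP frame,
    or None for anything the parser does not handle (e.g. IPv6, UDP)."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:
        return None
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    return (src, sport, dst, dport, "tcp"), ip[ihl + doff:total_len]


def cleartext_login_filter(key, payload):
    """Real-time rule: flag FTP USER/PASS commands on the wire. The alert
    names the endpoints and the command, not the credential value."""
    if key[3] == 21 and payload[:5] in (b"USER ", b"PASS "):
        return f"cleartext FTP {payload[:4].decode()} from {key[0]} to {key[2]}"
    return None


def process_capture(frames):
    """Store: aggregate packets into flow records. Filter: run the rule on
    each packet as it arrives."""
    flows, alerts = {}, []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        key, payload = parsed
        rec = flows.setdefault(key, {"packets": 0, "bytes": 0})
        rec["packets"] += 1
        rec["bytes"] += len(payload)
        alert = cleartext_login_filter(key, payload)
        if alert:
            alerts.append(alert)
    return flows, alerts


SAMPLE_FRAMES = [  # constructed capture
    build_frame("10.0.0.5", "203.0.113.9", 40001, 21, b"USER alice\r\n"),
    build_frame("10.0.0.5", "203.0.113.9", 40001, 21, b"PASS hunter2\r\n"),
    build_frame("10.0.0.5", "203.0.113.9", 40002, 443, b"\x16\x03\x01\x00\x10"),
    b"\x00" * 12 + b"\x86\xdd" + b"\x00" * 40,  # IPv6 frame, skipped by the parser
]

if __name__ == "__main__":
    flows, alerts = process_capture(SAMPLE_FRAMES)
    for key, rec in flows.items():
        print(key, rec)
    print(alerts)
```

Flow records are what survives once the packets themselves are gone, which is why the text calls the discipline reactionary: if nothing was capturing at the time, the TLS flow above leaves no evidence beyond its endpoints and byte counts.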
4. Mobile Device Forensics
Mobile phone forensics is the science of recovering digital evidence from a mobile phone under forensically sound conditions using accepted methods. Mobile phones, especially those with advanced capabilities, are a relatively recent phenomenon, not usually covered in classical computer forensics. Cell phones vary in design and are continually undergoing change as existing technologies improve and new technologies are introduced. Developing an understanding of the components and organization of cell phones is a prerequisite to understanding the criticalities involved when dealing with them forensically. Similarly, features of cellular networks are an important aspect of cell phone forensics, since logs of usage and other data are maintained therein. Cell phone forensics includes the analysis of both the SIM and the phone memory, each of which requires a separate procedure.
It differs from computer forensics in that a mobile device will have an inbuilt communication system (e.g. GSM) and, usually, proprietary storage mechanisms. Investigations usually focus on simple data such as call data and communications (SMS/email) rather than in-depth recovery of deleted data. SMS data from a mobile device investigation helped to exonerate Patrick Lumumba in the murder of Meredith Kercher. Mobile devices are also useful for providing location information, either from inbuilt GPS/location tracking or via cell site logs, which track the devices within their range. Such information was used to track down the kidnappers of Thomas Onofri in 2006.
5. Database Forensics
Database forensics is a branch of digital forensic science relating to the forensic study of databases and their related metadata. The discipline is similar to computer forensics, following the normal forensic process and applying investigative techniques to database contents and metadata. Investigations use database contents, log files and in-RAM data to build a timeline or recover relevant information. Cached information may also exist in a server's RAM, requiring live analysis techniques.
A forensic examination of a database may relate to the timestamps that apply to the update time of a row in a relational table, which are inspected and tested for validity in order to verify the actions of a database user. Alternatively, a forensic examination may focus on identifying transactions within a database system or application that indicate evidence of wrongdoing, such as fraud.
Third-party software tools which provide a read-only environment can be used to manipulate and analyze data. These tools also provide audit logging capabilities which provide documented proof of what tasks or analysis a forensic examiner performed on the database.
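The three points above (row timestamps checked for validity, transactions searched for signs of fraud, and a read-only environment whose every action is audit-logged) as an added Python/SQLite example. This is not code from the original post: the schema, the sample rows and the tampered account are constructed, and the two checks are one possible design, not a standard tool's.

```python
"""Added example (not from the original post): a database-forensics check over a
constructed SQLite file. The database is opened read-only, every query the
examiner runs is recorded in an audit log, and two checks are made: do row
update timestamps agree with the transaction log, and does each balance
reconcile with the logged transactions? Table and column names are assumed."""
import os
import sqlite3
import tempfile


def build_sample_db(path):
    """Constructed evidence: two accounts, one of which was edited directly
    (balance changed with no matching transaction and a back-dated timestamp)."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE accounts(id INTEGER PRIMARY KEY, owner TEXT,
                              opening REAL, balance REAL, updated_at TEXT);
        CREATE TABLE txn_log(id INTEGER PRIMARY KEY, account_id INTEGER,
                             delta REAL, ts TEXT);
        INSERT INTO accounts VALUES (1, 'alice', 100.0, 150.0, '2024-03-02 10:00:00');
        INSERT INTO accounts VALUES (2, 'bob',   100.0, 900.0, '2024-03-01 09:00:00');
        INSERT INTO txn_log VALUES (1, 1,  50.0, '2024-03-02 10:00:00');
        INSERT INTO txn_log VALUES (2, 2, -20.0, '2024-03-03 11:30:00');
    """)
    con.commit()
    con.close()


class Examiner:
    """Read-only connection (SQLite URI mode=ro) whose every query is written
    to an audit log before it runs, so the log also records failed attempts."""
    def __init__(self, db_path, audit_path):
        self.con = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
        self.audit = open(audit_path, "a")

    def query(self, sql, params=()):
        self.audit.write(f"{sql.strip()} {params}\n")
        self.audit.flush()
        return self.con.execute(sql, params).fetchall()

    def close(self):
        self.con.close()
        self.audit.close()


def find_anomalies(ex):
    findings = []
    rows = ex.query("SELECT id, owner, opening, balance, updated_at FROM accounts")
    for acc_id, owner, opening, balance, updated_at in rows:
        last_ts, total = ex.query(
            "SELECT MAX(ts), COALESCE(SUM(delta), 0) FROM txn_log WHERE account_id = ?",
            (acc_id,))[0]
        # timestamp check: a row cannot be older than its latest logged change
        if last_ts is not None and updated_at < last_ts:
            findings.append((owner, "updated_at earlier than last logged transaction"))
        # reconciliation check: balance must equal opening + sum of logged deltas
        if abs(opening + total - balance) > 0.005:
            findings.append((owner, f"balance {balance} does not reconcile to {opening + total}"))
    return findings


def run_case(workdir=None):
    workdir = workdir or tempfile.mkdtemp()
    db = os.path.join(workdir, "evidence.sqlite")
    audit = os.path.join(workdir, "examiner_audit.log")
    build_sample_db(db)
    ex = Examiner(db, audit)
    try:
        try:  # a write attempt must fail on the read-only connection
            ex.query("DELETE FROM txn_log")
            writable = True
        except sqlite3.OperationalError:
            writable = False
        findings = find_anomalies(ex)
    finally:
        ex.close()
    with open(audit) as f:
        audited_queries = len(f.readlines())
    return {"writable": writable, "findings": findings, "audited_queries": audited_queries}


if __name__ == "__main__":
    print(run_case())
```

The rejected DELETE is deliberately part of the run: the audit log then documents both that the examiner's environment could not modify the evidence and exactly which queries produced each finding.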
6. Digital Music Device Forensics
Large storage capacities and personal digital assistant (PDA) functionalities have made the digital music device a technology that should be of interest to the cyber forensic community (Reith, Carr, & Gunsch, 2002). The digital music revolution has also seen the digital music device become a common household item. It is only a short time until they too make a natural progression into the criminal world. This progression has already begun.
One example is the use of an Apple iPod by a gang of thieves in England to store information related to their crimes (BBC News, 2004). The latest digital music devices include large storage capacities as a result of hard drive technology. Some of the hard drive-based devices have capacities upwards of 60GB. With this much storage space for music, developers have branched out and included features like a calendar and contact book ("Apple iPod - Music and more", 2004). These devices are simply a portable hard drive, and have the ability to store other types of files besides music, such as documents or pictures.
Thomas (2004) reports that an employee could take sensitive information by using the capabilities of a digital music device. Suspects could potentially store critical evidence on these types of devices. It must be determined whether current frameworks of cyber forensic science are applicable and to what extent current guidelines can be applied to digital music device forensics.
7. Scanner Forensics
A large portion of the digital image data available today is created using acquisition devices such as digital cameras and scanners. While cameras allow digital reproduction of natural scenes, scanners are used to capture hardcopy art in more controlled scenarios. For a forensic approach, a non-intrusive scanner model identification, which can be further extended to authenticate scanned images, is a necessity.
Using only scanned image samples, a robust scanner identifier should determine the brand/model of the scanner used to capture individual scanned images. One proposal for such a scanner identifier is based on statistical features of scanning noise. The scanning noise of an image can be characterized from multiple perspectives, including image denoising, wavelet analysis and neighborhood prediction, with statistical features obtained from each characterization.
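The neighborhood-prediction idea from the paragraph above in a small, pure-Python form, as an added example that is not code from the original post or from the research it summarizes. The scanned images, the two "scanner" noise models and the reference set are constructed here; the three statistical features and the nearest-profile matching are one possible design, chosen to show the principle (noise residual, then statistics, then comparison with known-scanner profiles), not the published method.

```python
"""Added example (not from the original post): scanner identification from
scanning-noise statistics. A smooth synthetic image is 'scanned' by two
constructed noise models, a neighborhood-prediction residual isolates the
noise, simple statistics of the residual form a feature vector, and an unknown
scan is matched to the nearest reference profile."""
import math
import random

W = H = 32


def base_image():
    """Smooth synthetic 'hardcopy' content: a gradient with a soft stripe."""
    return [[120 + 30 * math.sin(x / 6) + 20 * math.cos(y / 9) for x in range(W)]
            for y in range(H)]


def scan(image, scanner, seed):
    """Constructed scanner noise models: A adds mild sensor noise, B adds
    stronger noise plus per-row banding (streaks along the scan direction)."""
    rng = random.Random(seed)
    out = []
    for row in image:
        band = rng.gauss(0, 6) if scanner == "scanner B" else 0.0
        sigma = 2.0 if scanner == "scanner A" else 8.0
        out.append([v + band + rng.gauss(0, sigma) for v in row])
    return out


def noise_residual(img):
    """Neighborhood prediction: each interior pixel minus the mean of its four
    neighbours. Content is smooth, so the residual is dominated by scanner noise."""
    return [[img[y][x] - (img[y-1][x] + img[y+1][x] + img[y][x-1] + img[y][x+1]) / 4
             for x in range(1, W - 1)] for y in range(1, H - 1)]


def features(img):
    """Feature vector: residual variance, mean absolute residual, and lag-1
    correlation along rows (banding makes neighbouring residuals alike)."""
    r = noise_residual(img)
    flat = [v for row in r for v in row]
    n = len(flat)
    mean = sum(flat) / n
    var = sum((v - mean) ** 2 for v in flat) / n
    mad = sum(abs(v) for v in flat) / n
    pairs = [(row[i], row[i + 1]) for row in r for i in range(len(row) - 1)]
    cov = sum((a - mean) * (b - mean) for a, b in pairs) / len(pairs)
    return [var, mad, cov / var if var else 0.0]


def build_reference(scans_per_scanner=3):
    """Reference profile per scanner: mean feature vector over several scans."""
    ref = {}
    for s in ("scanner A", "scanner B"):
        vecs = [features(scan(base_image(), s, seed)) for seed in range(scans_per_scanner)]
        ref[s] = [sum(col) / len(vecs) for col in zip(*vecs)]
    return ref


def identify(img, ref):
    """Nearest reference profile, each feature scaled by its spread across the
    profiles so that the variance term does not dominate the distance."""
    f = features(img)
    spread = [max(abs(p[i] - q[i]) for p in ref.values() for q in ref.values()) or 1.0
              for i in range(len(f))]

    def dist(profile):
        return math.sqrt(sum(((f[i] - profile[i]) / spread[i]) ** 2 for i in range(len(f))))

    return min(ref, key=lambda s: dist(ref[s]))


if __name__ == "__main__":
    reference = build_reference()
    unknown = scan(base_image(), "scanner B", seed=99)
    print("identified as:", identify(unknown, reference))
```

The same structure carries over to the other characterizations the text lists (a denoising filter or a wavelet decomposition in place of the four-neighbour predictor) because only the residual step changes; the feature extraction and the matching against reference profiles stay the same.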
The same approach can be extended to digital cameras and other imaging devices. The most significant challenge is that "analytical procedures and protocols are not standardized nor do practitioners and researchers use standard terminology".
Technology change will result in new devices emerging in the digital world. Whenever a new digital device enters the market, a forensic methodology has to evolve to deal with it. This phenomenon will expand the field of device forensics.
8. PDA Forensics
In the modern era, Personal Digital Assistants (PDAs) are becoming immensely popular. They are no longer meagre electronic devices holding personal information, appointments and an address book. Modern PDAs are hybrid devices integrating wireless, Bluetooth, infrared, WiFi, mobile phone, camera, global positioning system, basic computing capabilities, Internet etc., in addition to the standard personal information management features.
Technology is often a "double-edged sword" and it "breeds crime", as Pereira (2005) describes in his article. PDAs are no exception. They are becoming more and more involved in electronic crimes, mainly because of their compact size and integrated features. The Federal Bureau of Investigation (FBI, 2005) has recently highlighted the issue of growing crimes involving portable devices in their computer crime survey.
Investigating crimes involving PDAs is more challenging than investigating those involving normal computers. This is mainly because these devices are more compact, battery operated and store data in volatile memory. A PDA is never really turned off as long as it has sufficient battery power. Evidence residing in a PDA is highly volatile in nature. It can be easily altered or damaged without getting noticed. In order to collect such evidence and ensure its admissibility in a court of law, sound forensic techniques and a systematic approach are needed. A standard forensic model for PDAs, which provides an abstract reference framework, is particularly important in digital crime investigations. In addition to law enforcement officials, such a model can also benefit IT auditors, information security experts, IT managers and system administrators, as they are often the first responders to any sort of computer crime in an organization.
Comments:
thank you, it is really helpful
This was very educative and I learned more insights in Printers, Scanners, PDAs, Music Devices Forensics. I will be grateful if I receive more materials also directly through email: amoko85@gmail.com
Thank you