Digital Forensics in the Era of Artificial Intelligence

Nour Moustafa

242 pages, English
About This Book

Digital forensics plays a crucial role in identifying, analysing, and presenting cyber threats as evidence in a court of law. Artificial intelligence, particularly machine learning and deep learning, enables automation of the digital investigation process. This book provides an in-depth look at the fundamental and advanced methods in digital forensics. It also discusses how machine learning and deep learning algorithms can be used to detect and investigate cybercrimes.

This book demonstrates digital forensics and cyber-investigating techniques with real-world applications. It examines hard disk analytics and style architectures, including Master Boot Record and GUID Partition Table as part of the investigative process. It also covers cyberattack analysis in Windows, Linux, and network systems using virtual machines in real-world scenarios.

Digital Forensics in the Era of Artificial Intelligence will be helpful for those interested in digital forensics and using machine learning techniques in the investigation of cyberattacks and the detection of evidence in cybercrimes.


Information

Publisher: CRC Press
Year: 2022
ISBN: 9781000598537

1 An Overview of Digital Forensics

DOI: 10.1201/9781003278962-1

1.1 Introduction

In recent years, society’s dependence on digitized solutions for everyday tasks has led organizations to adopt innovative solutions to power and deliver their internet-based services, including cloud, edge, and Internet of Things (IoT). As technology becomes an integral part of everyday life, enhancing productivity for businesses through automation, it should come as no surprise that attackers seek to exploit these systems and the services they provide for profit. Through the internet, attackers can launch various malicious actions such as distributed denial-of-service, scanning/probing, keylogging, malware proliferation, email spamming, click fraud, phishing, identity theft, and more [1,2]. As such, the need for reliable methods of investigation that can be used to identify security incidents, reconstruct events, and attribute them is evident. In response, the discipline of digital forensics was developed.
Chapter objectives: This chapter is an introduction to digital forensics and its concepts. The main objectives of this chapter are as follows:
  • To discuss the history of digital forensics and its related disciplines
  • To understand the digital forensic process
  • To learn the digital forensic investigation steps
  • To explain how artificial intelligence (AI) can be used to automate the digital forensics process
  • To discuss the various types of cybercrime and digital evidence

1.2 Practical Exercises Included in This Book

In this book, a series of practical exercises is given to help build practical skills in digital forensics. The practice activities were designed around three virtual machines (VMs): an Ubuntu server (IP: 192.168.159.152, username: “ubuntu,” password: “admin”) with several running services, a Kali machine (IP: 192.168.159.150, username: “root,” password: “admin”) equipped with several digital forensic tools, and a Windows 10 machine (IP: 192.168.159.154, username: “windows10,” password: “admin”), as depicted in Figure 1.1.
FIGURE 1.1 Virtual machines that include all exercises provided in this book.

1.3 A Brief History of Digital Forensics

At first, digital forensics was a misunderstood domain, with minimal space and resources being allocated for investigators to analyse digital data [3]. But as cyber threats started making their appearance, governments and law enforcement agencies began to take notice of this new discipline. One of the first conferences in the field was hosted by the Federal Bureau of Investigation (FBI) academy in 1993, “First International Conference on Computer Evidence,” which gathered the attention of 26 countries. It was one of the first opportunities for practitioners from around the world to exchange ideas.
One of the first education programmes focusing on digital forensics appeared in the early 1990s, when the International Association of Computer Investigative Specialists introduced training on software tools for digital forensic investigators. Gradually, various agencies started developing their own digital forensic software. The Internal Revenue Service Criminal Investigation (IRS-CI) created search-warrant programmes to prepare procedures for executing warrants and search/seizure [3,4]. The first commercially available digital forensic software tool was developed by a group called ASR Data. Designed for Macintosh machines, the tool was called Expert Witness and allowed searches that spanned an entire hard drive [5]. iLook, developed and maintained by the IRS criminal investigation division, is Linux-based software that allows an investigator to acquire a complete image of a computer system and quickly review its hard drive [6].
A popular commercial product is the AccessData Forensic Toolkit (FTK), which can be used to fully examine a computer, providing email retrieval and decrypting information found in the registry [7]. FTK’s functionality specializes in scanning hard drives to retrieve deleted emails and to detect strings that can be used in password dictionaries to crack encryption. It allows forensic images of hard drives to be generated and cryptographic hashes such as MD5 and SHA1 to be computed for integrity verification.
EnCase is another popular digital forensics tool that provides threat detection and mitigation, aside from traditional forensic activities such as identification and collection. Previous modules enabled endpoint protection from data exfiltration, mitigation, and remediation of cyberattacks with minimal impact on everyday operations and provided remote worldwide forensic triage.

1.4 What Is Digital Forensics?

Locard’s Exchange Principle states that any contact the criminal has had with the crime scene will leave traces of that interaction; this principle sits at the centre of all forensic disciplines and sub-disciplines [8,9]. Thus, the purpose of forensics has always been to identify these traces to assist a criminal investigation in apprehending a criminal. As criminals have expanded their activities onto the internet and made use of computers to commit their crimes, law enforcement and forensics have evolved to keep up with them, giving rise to a new discipline called digital forensics.
There have been multiple definitions of digital forensics, each with its own merits, proposed by different organizations and viewing the field from different perspectives [2]. One popular definition, proposed by McKemmish [10], is that digital forensics is the process of identifying, preserving, analysing, and presenting digital evidence in a legally acceptable manner. As shown in Figure 1.2, based on McKemmish, the digital forensics process starts with an investigator identifying possible sources of evidence and the data type. Next, the investigator must preserve the crime scene by ensuring that data is not altered during collection.
FIGURE 1.2 McKemmish and NIST elements of digital forensics.
During analysis, the collected data is processed and examined to identify actual evidence and to draw inferences about the case, which are often presented in a court of law. Evidence acquired during a digital forensic investigation may be required in cases of many kinds of computer crime and misuse. The collected information may be used by law enforcement, assisting in arrests and prosecution. Companies can also use it to terminate employment for sabotage or misuse of corporate systems, and it can support counter-terrorism efforts to prevent future illegal activities.
Another definition of digital forensics, given by the National Institute of Standards and Technology (NIST) [11], identifies four slightly different elements: collection, examination, analysis, and reporting. There is some overlap between the stages of McKemmish and NIST, as given in Figure 1.2. As computers rely on several specialized subsystems to function (HD, RAM, NIC, etc.), attackers may target any subsystem, depending on the purpose of the attack. Thus, in digital forensics, there are multiple methods for:
  • Discovering data on computer systems
  • Recovering deleted, encrypted, or damaged file information
  • Monitoring live activity
  • Detecting violations of corporate policy
Digital evidence can take many forms but can be thought of as any information, whether or not it has been subject to human intervention, that can be extracted from a system such as a computer, mobile phone, or embedded device. To be used in legal procedures, it must be in a human-readable format or be interpreted by a person with expertise in the subject. The digital forensic process can be seen in Figure 1.3 and is briefly summarized in Table 1.1, with more details below.
FIGURE 1.3 Digital forensic process.
TABLE 1.1 Key Digital Forensics Stages
Identification: Defines the requirement for evidence management, knowing that evidence is present, its location, and its type and format.
Preservation: Concerned with ensuring that evidential data remains unchanged or is changed as little as possible.
Analysis: Interprets and transforms the collected data into evidence.
Presentation: Presents evidence to the courts by providing expert testimony on the analysis of the evidence.

1.4.1 Identification

In the first stage of an investigation, forensic experts seek to identify security events and determine whether a crime has occurred. Investigators must establish the cybercrime type, which devices have been affected, and which need to be accessed for data collection. Identification in a cloud setting primarily focuses on establishing the requirements for carrying out the collection in a forensically sound manner. For example, evidence may be identified in cloud storage such as Dropbox, iCloud, and Google Drive. NIST has identified several challenges in the identification of data within a cloud instance. Furthermore, volatile forensic traces must be detected in a dynamic, distributed environment.

1.4.2 Collection and Preservation

Preservation corresponds to the methods and tools that ensure extracted traces are maintained in their original form by preventing unintentional alterations, modifications, and overwrites. Challenges for this stage relate to selecting proper methods for assuring data integrity and proving the effectiveness of the techniques used, such as cryptographic hash digests. Isolation of VMs and sensitive data needs to occur for hard drives, RAM, logs, etc. In addition, a chain of custody needs to be established, with entries spanning multiple geographical locations.
After the security incident has been detected, sources of interest have been identified, and measures have been taken to ensure that the integrity of collected data is maintained, the collection process can begin. Investigators focus on the state of the underlying VM that provides the service users are accessing, by monitoring, among other things, certain logs, such as application, access, error, authentication, transaction, and data volume logs [12]. Other sources may include database entries, RAM images, network traffic (captured or logged), and hard drives. NIST acknowledges several challenges when it comes to collecting data from the cloud: (1) extracting data from VMs, (2) ensuring data integrity in multi-tenant environments, (3) obtaining forensic images without breaching the privacy of other users, and (4) recovering deleted data from distributed virtual environments.
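The integrity and chain-of-custody mechanism described above, as an added example that is not from the book: a small acquired image is hashed in chunks (MD5 and SHA1 as the FTK paragraph mentions, plus SHA-256), the digests are written into a custody entry, and a working copy is re-verified later so that any alteration is detected. The image bytes, item name and handler name are constructed for illustration.

```python
"""Preservation-stage integrity check for an acquired image (added example)."""
import hashlib
import json
from datetime import datetime, timezone

HASH_ALGOS = ("md5", "sha1", "sha256")  # MD5/SHA1 as FTK reports, SHA-256 for strength


def digest_image(data: bytes, chunk_size: int = 4096) -> dict:
    """Hash the image in fixed-size chunks so large acquisitions need not fit in RAM."""
    hashers = {name: hashlib.new(name) for name in HASH_ALGOS}
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def custody_entry(item: str, action: str, handler: str, digests: dict) -> dict:
    """One chain-of-custody record: who did what to which item, when, with which hashes."""
    return {
        "item": item,
        "action": action,
        "handler": handler,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "digests": digests,
    }


def verify_image(data: bytes, recorded: dict) -> dict:
    """Re-hash the copy and report, per algorithm, whether it matches the acquisition record."""
    current = digest_image(data)
    return {name: current[name] == recorded[name] for name in HASH_ALGOS}


# Constructed stand-in for an acquired disk image: a 512-byte MBR-like sector
# ending in the 0x55AA boot signature, followed by two empty sectors.
ACQUIRED_IMAGE = b"\x00" * 510 + b"\x55\xAA" + b"\x00" * 1024
ACQUISITION_DIGESTS = digest_image(ACQUIRED_IMAGE)
CUSTODY_LOG = [custody_entry("evidence-001.img (constructed)", "acquired",
                             "examiner A (constructed)", ACQUISITION_DIGESTS)]

if __name__ == "__main__":
    print(json.dumps(CUSTODY_LOG, indent=2))
    # A single flipped bit in the working copy must fail every digest.
    tampered = bytearray(ACQUIRED_IMAGE)
    tampered[600] ^= 0x01
    print("original verifies:", verify_image(ACQUIRED_IMAGE, ACQUISITION_DIGESTS))
    print("tampered verifies:", verify_image(bytes(tampered), ACQUISITION_DIGESTS))
```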

1.4.3 Examination and Analysis

After the data collection, the investigation process proceeds to the examination and analysis stages. In these stages, forensic investigators scan the collected data for patterns to extract initial traces that indicate a security event. The identified traces are further analysed, and inferences are extracted about the events, leading to the transformation of traces to evidence. The purpose of the investigation is to answer five questions related to a security incident, including who, what, where, when, and why.

1.4.4 Presentation

The forensic investigator ...
