Digital Forensics in the Era of Artificial Intelligence
eBook - ePub

Digital Forensics in the Era of Artificial Intelligence

Nour Moustafa

  1. 242 pages
  2. English
  3. ePUB (mobile-friendly)
  4. Available on iOS and Android

About this book

Digital forensics plays a crucial role in identifying, analysing, and presenting cyber threats as evidence in a court of law. Artificial intelligence, particularly machine learning and deep learning, enables automation of the digital investigation process. This book provides an in-depth look at the fundamental and advanced methods in digital forensics. It also discusses how machine learning and deep learning algorithms can be used to detect and investigate cybercrimes.

This book demonstrates digital forensics and cyber-investigating techniques with real-world applications. It examines hard disk analytics and style architectures, including Master Boot Record and GUID Partition Table as part of the investigative process. It also covers cyberattack analysis in Windows, Linux, and network systems using virtual machines in real-world scenarios.

Digital Forensics in the Era of Artificial Intelligence will be helpful for those interested in digital forensics and using machine learning techniques in the investigation of cyberattacks and the detection of evidence in cybercrimes.


Information

Publisher
CRC Press
Year
2022
ISBN
9781000598537

1 An Overview of Digital Forensics

DOI: 10.1201/9781003278962-1

1.1 Introduction

In recent years, society’s dependence on digitized solutions for everyday tasks has led organizations to utilize innovative solutions to power and deliver their internet-based services, including cloud, edge, and Internet of Things (IoT). As technology becomes an integral part of everyday life, enhancing productivity for businesses through automation, it should come as no surprise that attackers would seek to exploit these systems and the services they provide for profit. Through the internet, attackers can launch various malicious actions such as distributed denial-of-service, scanning/probing, keylogging, malware proliferation, email spamming, click fraud, phishing, identity theft, and more [1,2]. As such, the need for reliable methods of investigation that can be used to identify security incidents, reconstruct events, and attribute them to their perpetrators is evident. As a result, the discipline of digital forensics was developed.
Chapter objectives: This chapter is an introduction to digital forensics and its concepts. The main objectives of this chapter are as follows:
  • To discuss the history of digital forensics and its related disciplines
  • To understand the digital forensic process
  • To learn the digital forensic investigation steps
  • To explain how artificial intelligence (AI) can be used to automate the digital forensics process
  • To discuss the various types of cybercrime and digital evidence

1.2 Practical Exercises Included in This Book

In this book, a series of practical exercises will be given to help build practical skills in digital forensics. The practice activities were designed around three virtual machines (VMs): an Ubuntu server (IP: 192.168.159.152, username: “ubuntu,” password: “admin”) with several running services, a Kali machine (IP: 192.168.159.150, username: “root,” password: “admin”) equipped with several digital forensic tools, and a Windows 10 machine (IP: 192.168.159.154, username: “windows10,” password: “admin”), as depicted in Figure 1.1.
FIGURE 1.1 Virtual machines that include all exercises provided in this book.

1.3 A Brief History of Digital Forensics

At first, digital forensics was a misunderstood domain, with minimal space and resources being allocated for investigators to analyse digital data [3]. But as cyber threats started making their appearance, governments and law enforcement agencies began to take notice of this new discipline. One of the first conferences in the field, the “First International Conference on Computer Evidence,” was hosted by the Federal Bureau of Investigation (FBI) Academy in 1993 and drew the attention of 26 countries. It was one of the first opportunities for practitioners from around the world to exchange ideas.
One of the first education programmes focusing on digital forensics appeared in the early 1990s when the International Association of Computer Investigative Specialists introduced training on software tools for digital forensic investigators. Gradually, various agencies started developing their own digital forensic software. The Internal Revenue Service Criminal Investigation (IRS-CI) division created search-warrant programmes to prepare procedures for executing warrants and search/seizure [3,4]. The first commercially available digital forensic software tool was developed by a group called ASR Data. Designed for Macintosh machines, the tool was called Expert Witness and allowed searches that spanned an entire hard drive [5]. Software developed and maintained by the IRS, specifically its criminal investigation division, is iLook, a Linux-based tool that allows an investigator to acquire a complete image of a computer system and quickly review its hard drive [6].
A popular commercial product is the AccessData Forensic Toolkit (FTK), which can be used to fully examine a computer, providing email retrieval services and decrypting information found in the registry [7]. FTK’s functionality specializes in scanning hard drives to retrieve deleted emails and to detect strings that can be used in password dictionaries to crack encryption. It can generate forensic images of hard drives and compute cryptographic hashes such as MD5 and SHA1 for integrity verification.
EnCase is another popular digital forensics tool that provides threat detection and mitigation in addition to traditional forensic activities such as identification and collection. Earlier modules enabled endpoint protection against data exfiltration, mitigation and remediation of cyberattacks with minimal impact on everyday operations, and remote worldwide forensic triage.

1.4 What Is Digital Forensics?

Locard’s Exchange Principle, which lies at the centre of all forensic disciplines and sub-disciplines, states that any contact the criminal has had with the crime scene will leave traces of that interaction [8,9]. Thus, the purpose of forensics has always been to identify these traces to assist a criminal investigation in apprehending a criminal. As criminals have expanded their activities onto the internet and made use of computers to commit their crimes, law enforcement and forensics have evolved to keep up with them, giving rise to a new discipline called digital forensics.
There have been multiple definitions of digital forensics, each with its own merits, proposed by different organizations and viewing the field from different perspectives [2]. One popular definition, proposed by McKemmish [10], is that digital forensics is the process of identifying, preserving, analysing, and presenting digital evidence in a legally acceptable manner. As shown in Figure 1.2, based on McKemmish, the digital forensics process starts with an investigator identifying possible sources of evidence and their data types. Next, the investigator must preserve the crime scene by ensuring that data is not altered during collection.
FIGURE 1.2 McKemmish and NIST elements of digital forensics.
During analysis, the collected data is processed to identify actual evidence and to draw inferences about the case, which are often presented in a court of law. Evidence acquired during a digital forensic investigation may be required for many kinds of computer crime and misuse. The collected information may be used by law enforcement, assisting in arrests and prosecution. Companies can also use it to terminate employment for sabotage or misuse of corporate systems, and it can even support counter-terrorism efforts to prevent future illegal activities.
Another definition of digital forensics, given by the National Institute of Standards and Technology (NIST) [11], identifies four slightly different elements: collection, examination, analysis, and reporting. There is some overlap between the stages of McKemmish and NIST, as shown in Figure 1.2. As computers rely on several specialized subsystems to function (HD, RAM, NIC, etc.), attackers may target any subsystem, depending on the purpose of the attack. Thus, in digital forensics, there are multiple methods for:
  • Discovering data on computer systems
  • Recovering deleted, encrypted, or damaged file information
  • Monitoring live activity
  • Detecting violations of corporate policy
Digital evidence can take many forms but can be thought of as any information, whether or not it has been subject to human intervention, that can be extracted from a system such as a computer, mobile phone, or embedded device. To be used in legal procedures, it must be in a human-readable format or be interpreted by a person with expertise in the subject. The digital forensic process can be seen in Figure 1.3 and is briefly summarized in Table 1.1, with more details below.
FIGURE 1.3 Digital forensic process.
TABLE 1.1 Key Digital Forensics Stages
Stage: Description
Identification: Defines the requirement for evidence management, knowing it is present, its location, and its type and format
Preservation: Concerned with ensuring evidential data remains unchanged or is changed as little as possible
Analysis: Interprets and transforms the data collected into evidence
Presentation: Presents evidence to the courts in terms of providing expert testimony on the analysis of the evidence

1.4.1 Identification

Forensic experts seek to identify security events in the first stage of an investigation and determine if a crime has occurred. Investigators must establish the cybercrime type, what devices have been affected, and which need to be accessed for data collection. Identification in a cloud setting primarily focuses on establishing the requirements for carrying out the collection in a forensically sound manner. For example, identifying evidence can be done from cloud storage such as Dropbox, iCloud, and Google Drive. NIST has identified several challenges in the identification of data within a cloud instance. Furthermore, volatile forensic traces must be detected in a dynamic distributed environment.

1.4.2 Collection and Preservation

Preservation corresponds to methods and tools that ensure that extracted traces are maintained in their original form by preventing unintentional alterations, modifications, and overwrites. Challenges for this stage relate to selecting proper methods for the assurance of data integrity and proving the effectiveness of the utilized techniques, such as cryptographic hash digests. Isolation of VMs and sensitive data needs to occur for hard drives, RAM, logs, etc. In addition, a chain of custody needs to be established, with entries potentially spanning multiple geographical locations.
After the security incident has been detected, sources of interest have been identified, and measures have been taken to ensure that the integrity of collected data is maintained, the collection process can take place. Investigators focus on the state of the underlying VM that provides the service users are accessing, by monitoring, among other things, certain logs, such as application, access, error, authentication, transaction, and data volume logs [12]. Other sources may include database entries, RAM images, network traffic (captured or logged), and hard drives. NIST acknowledges several challenges when it comes to collecting data from the cloud: (1) extracting data from VMs, (2) ensuring data integrity in multi-tenant environments, (3) obtaining forensic images without breaching the privacy of other users, and (4) recovering deleted data from distributed virtual environments.
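The preservation controls described above, hashing an acquired image at collection time, recording the digests in a chain-of-custody entry and re-verifying the working copy later, as an added example that is not code from the book or from any of the tools it names. The in-memory sample image, the custody-record fields and the examiner name are constructed assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image (assumption, not a real acquisition).
SAMPLE_IMAGE = b"\x00" * 512 + b"sample boot sector" + b"\xff" * 512


def hash_image(data: bytes, algorithms=("md5", "sha1", "sha256")) -> dict:
    """Compute the digests an examiner records at acquisition time.

    Hashing is chunked so a multi-gigabyte image can be processed without
    holding it all in memory; here the input is an in-memory bytes object.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    view = memoryview(data)
    chunk = 1 << 20
    for offset in range(0, len(view), chunk):
        block = view[offset:offset + chunk]
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def custody_entry(image_id: str, examiner: str, action: str, digests: dict) -> dict:
    """One chain-of-custody record: who did what to which item, when, with which hashes."""
    return {
        "image_id": image_id,
        "examiner": examiner,
        "action": action,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "digests": digests,
    }


def verify_image(data: bytes, recorded: dict) -> dict:
    """Re-hash a working copy and compare it against every recorded digest.

    Any False in the result means the copy no longer matches what was
    acquired and must not be relied on as evidence.
    """
    current = hash_image(data, tuple(recorded))
    return {name: current[name] == recorded[name] for name in recorded}


if __name__ == "__main__":
    acquired = hash_image(SAMPLE_IMAGE)
    log = [custody_entry("IMG-0001", "examiner-a", "acquire", acquired)]
    print(json.dumps(log, indent=2))
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[600] ^= 0x01  # a single flipped bit is caught by every digest
    print(verify_image(bytes(tampered), acquired))
```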

1.4.3 Examination and Analysis

After the data collection, the investigation process proceeds to the examination and analysis stages. In these stages, forensic investigators scan the collected data for patterns to extract initial traces that indicate a security event. The identified traces are further analysed, and inferences are extracted about the events, leading to the transformation of traces to evidence. The purpose of the investigation is to answer five questions related to a security incident, including who, what, where, when, and why.

1.4.4 Presentation

The forensic investigator ...
