The Increasing Need for Cyber Forensic Awareness and Specialisation in Army
Abstract
Threat forces are becoming increasingly familiar with the capabilities of information and communications technology devices. Given their ability to store and rapidly disseminate data and information, these devices will only become more prevalent in the battlespace. While they have been exploited as methods of intelligence-gathering and within intelligence-led operations, little attention has been paid to the potential use of digital evidence in the prosecution of offenders. This article will argue that Army must continue to learn from the experience of recent deployments and develop an awareness of cyber forensic operations to support indigenous forces and the prosecution of threat forces in criminal investigations. This article will further argue that the Royal Australian Signals Corps is best placed to lead the development of a cyber forensics capability in Army.
Cyber-, a prefix popularly used to indicate a connection with computers or the world of computing.
Forensics, having to do with courts of law or legal proceedings.1
Introduction
On 16 February 2012, the Army newspaper published an article entitled ‘Beyond the Battle’ which described the initiatives of the Special Operations Task Force’s Rule of Law Cell.2 The cell had conducted training designed to ‘improve coordination between justice officials in Uruzgan province by increasing the evidentiary understanding between the police, prosecutors and judges.’3 Ultimately, the aim was to provide law enforcement officials with the skills and knowledge to collect and handle evidence within legal processes. Given that the course duration was nine days, it is reasonable to assume that cyber forensic investigations were not covered in any significant detail due to the technical nature of collecting such evidence. With the drawdown of forces in Afghanistan, Army’s learning and adaptation cycle will draw on lessons learned to inform future force structures and capabilities. This presents a significant opportunity for supporting corps to advance their roles in the battlespace from those of passive support providers to active force multipliers.
This article seeks to enhance understanding of one key area associated with the emerging technological battlefield. Given the highly technical nature of the concepts proposed, the discussion will not address specific themes associated with introducing and sustaining this capability. Instead, the article will describe and discuss the relevance of the processes and the challenges involved in identifying, recovering, securing, examining, analysing and preparing digital evidence from information and communications technology (ICT) equipment. This discussion will address general understanding and awareness and attempt to demystify digital evidence by debunking the myths associated with cyber forensics. The article will then describe the processes involved in cyber forensic investigations before briefly considering some of the readily available, open-source tools and techniques that can be employed in a stand-alone capacity and adapted to develop and understand this capability.
The crux of this article is that Army’s personnel must be familiar with, if not professionally trained in, the methods and techniques associated with cyber forensic investigations. These investigations are highly technical in nature and, due to the increasing use of and reliance on technical devices by threat forces (in particular), the importance of cyber forensic investigations as part of the judicial process cannot be overstated.4
General awareness and presumptions
By definition, forensics is a legal process. Cyber forensics therefore deals with the legal investigation into the use and misuse of ICT equipment. Cyber investigations may be conducted to examine cases involving industrial espionage, harassment through the distribution of electronic media, policy violations, copyright infringement, hacking, fraud, criminal activities or, in short, any inappropriate use of computing resources.5 For Army, this includes the extraction of data as evidence of criminal activities in support of partnered forces or enabling host nation police prosecutions.
In Australia, cyber forensic investigations are conducted in public law enforcement cases by private organisations or by contracted practitioners. In a deployed context, Australian forces and those they mentor are unlikely to have immediate access to the requisite knowledge and resources to conduct these highly technical investigations. The prevalence of ICT services in Defence and the battlespace suggests the increasing need to ensure that Army is equipped with the knowledge and skills to support cyber forensic investigations and, where necessary, conduct technical exploitation of ICT equipment in a manner that does not jeopardise judicial processes.
In the deployed environment, the Royal Australian Signals Corps (RA Sigs), as the lead technical specialist, is well placed to join Army’s subject matter experts including legal officers, the Military Police and intelligence personnel. In this role, RA Sigs would work to assist investigators to source admissible evidence from the digital world. At this point, awareness should be promoted and discussion of the capabilities and techniques should be advanced. Ultimately, specialist training continuums should be developed to formalise these processes and procedures.6
Some may argue that this is merely an attempt to expand the role of RA Sigs into the area of law enforcement. This is not the case, as the scope of the capabilities identified is beyond the expertise of the Military Police while, on the other hand, RA Sigs lacks the requisite expert knowledge to become involved in law enforcement. However, a partnership between the two corps would provide Army a potent capability in the fight against cyber crime.
This article thus proposes a ‘combined arms team’ — although not in the usual manoeuvrist sense. RA Sigs is well suited to develop and foster Army’s technical understanding of the associated capabilities thereby providing a ‘first port of call’. However, the corps cannot develop this capability in isolation. Investigative expertise must be drawn from the Military Police and formal advice and expertise from Army’s lawyers is critical in understanding evidentiary processes. The collection of actionable intelligence is also vital to the building of prosecution cases. Intelligence personnel must have access to the results of evidence produced by these capabilities to ensure that the best possible intelligence picture is developed.
Commanders at all levels are likely to have a passing familiarity with the concept of cyber forensics and the role of digital evidence as part of civilian prosecutions. Domestic law enforcement organisations and strategic assets are well versed in these evidentiary processes. Arguably, however, military commanders are not and this may lead to failed prosecutions if evidentiary processes are not understood and followed correctly.
Digital evidence and cyber forensics
The term ‘cyber’ is a buzzword that has gained broad acceptance and is associated with computer hacking, system penetration and disruption. However, the concept has been popularised by Hollywood and has thus generated considerable misunderstanding. While there is a role for the development and application of these capabilities, this should remain the remit of strategic organisations. There is no role for the land force in this space and any attempt to pursue such capabilities is misguided. The capability is far too resource intensive, dynamic and specialised to be employed without strategic objectives and direct oversight.
To that end, a clear distinction must be drawn between cyber in a warfare sense and cyber in a forensic sense — a point often missed by the casual observer. Forensics deals with evidentiary processes associated with legal proceedings. This is relevant to the land force because of the prevalence of land-based communication and data storage devices in the modern battlespace. However, capturing and exploiting the content of these devices should not be driven by intelligence collection alone. Army must understand the increasing role digital evidence will play in justifying the detention of personnel and during judicial proceedings.
The distinction of digital evidence
Computer data is created in the binary number system as 1s and 0s.7 Computer processors, memory chips and data storage devices are built with transistors and circuit boards to create Boolean algebraic equations that process and store the 1s and 0s as binary code. Computer operating systems and applications translate the binary data into user-friendly functions through various applications, graphical user interfaces and storage mediums.8 It is from these processes and storage devices that digital data is created, manipulated and deleted. Equally, it is from these processes that digital evidence can be retrieved.
Digital evidence is data that can be used to prove behaviour, actions or a significant link between a perpetrator and victim.9 The pervasion of ICT systems has generated many digital mediums that store data which can be extracted, analysed and presented as evidence.10 Some key forms include: the common computer correspondence mediums of email and social network posts; database applications; administrative documentation applications such as Microsoft’s ‘Office’ suite; digital photographs; mobile telephones; internet browsers; and surveillance systems.11 Like physical evidence, digital evidence must be complete, authentic, accurate, and admissible to be applied to judicial processes.12
Collecting digital evidence for judicial processes is distinct from the collection of digital information for intelligence purposes. While the value of such information is undeniable, the raw data must be collected in a manner that does not compromise its use as part of a judicial process. Intelligence personnel will still play a key role in this area as their training ensures that they are well placed to determine the relative value of information through a quick assessment of known targets or names, document interpretation and by correlating data content with key events.
Digital forensic investigations are a natural extension of the principles of physical domain investigations.13 In the physical world, evidence is generally documentary or verbal and can be obtained through tried and tested procedures and rules. These include the instruments and procedures associated with the seizure of property, chain of custody documentation and the conduct of interviews. In the cyber world however, evidence comprises data and data cannot necessarily be seized, documented or obtained through these processes as readily as in the physical world.14
Digital files by their nature can be divided into two categories. The first category describes files referred to as ‘born digital’ which contain data that was created only in digital format. The second category refers to files described as ‘made digital’. These data files have been converted from a physical document to a digital file. For the investigator, the devil is in the metadata. Metadata is information about information and it provides a key source from which to validate findings and provide further avenues for evidence collection and analysis.
The danger in digital evidence
Digital storage is not infallible. Research suggests that there are three core groups of threat to digital storage: natural threats, technological threats and human threats.
Natural threats are those threats that occur as a result of the forces of nature, including natural disasters and extreme weather events. While often unavoidable, the cyber investigator needs to be aware of the impact of these events on data. Wherever possible, collected data should be stored off-site.
Technological threats include those threats that can compromise data holdings as a result of equipment failure or error. Examples include hardware failure or software error. Such malfunctions may see data lost or compromised through power fluctuations or incorrect write procedures. In other cases, the rate of technological change may simply outpace capability.15 For example, the retrieval of data from a system used in the 1980s would require equipment that is capable of accessing it and these systems may not be readily available. Accordingly, technological aspects are likely to challenge investigators. Specifically, the investigator may be forced to undertake painstaking data recovery through file carving or even manipulation at the electron level.
Human threats encompass those threats that are created by human interaction with computer systems and data storage devices. Specific examples include the manipulation of digital files, deliberate acts of sabotage, hacking, data theft, malware creation and distribution or simply human error.16 The greatest threat to digital data stored as part of an investigation is arguably incorrect evidence handling. Regardless of the method chosen (manual or software based), ‘the important thing is to maintain a chain of custody to demonstrate that you have positive control of the evidence.’17
Digital evidence may be obscured through a number of processes that are usually software based but human initiated. These methods ‘obscure the true nature or meaning of some data, typically by changing its name or its contents.’18 These techniques may be as simple as renaming a file extension or employing compression software; they may also be highly complex and employ file-shredding or encryption software such as TrueCrypt.19 When these anti-forensic techniques are employed, the cyber forensic investigator must develop workable systematic options to locate and select the evidence.
Cyber investigators must therefore be sufficiently flexible to view the investigation objectively. This requires specialist investigative skills and training, and represents a management and oversight role for the Military Police. A fundamental aim of any investigation is to identify a perpetrator. If a perpetrator is captured with a device in hand, he/she is linked to that device. However, in the cyber environment, it is often difficult to link a suspect directly with a computer.20 This presents challenges that can be overcome through collaboration between key specialists.
RA Sigs personnel are trained to understand digital data and its associated threats. Unfortunately, the corps does not currently build on this knowledge to generate technical capabilities that will allow it to assume a more active role as a subject matter expert in cyber forensics for Army. Despite the lack of development in this area, RA Sigs remains well positioned to transfer this knowledge and some associated skill sets to support cyber operations in the barracks environment and, more importantly, to act as cyber forensic subject matter experts in deployed environments. To achieve this, RA Sigs should implement a road map designed to dispel myths and evolve training and capabilities.
Deciphering the mystification of cyber forensics
The main issue in cyber forensics concerns the method used to obtain data in a form that can be presented as credible evidence.21 The craft of the cyber forensic investigator has evolved as a consequence of the need to address this problem. Leading civilian experts have identified the increasing use of digital devices in illegal activities as the impetus for colleges and universities to expand their programs to prepare professionals to meet the growing demand.22 Army is no different.
There are five principles of cyber forensics with which commanders should be familiar and that can be taught by the Military Police and members of the Australian Army Legal Corps. According to these five principles, the evidence must be admissible, authentic, accurate, complete and, finally, it must be convincing to a judge/jury. Adhering to these principles will ensure that the evidence is preserved without alteration, it is analysed in a manner that accords with the rules of evidence (noting jurisdictional variations) and that the analytical processes can be replicated.23
In a civilian judicial setting, a number of additional rules exist to support the presentation of evidence in an Australian court by cyber forensic investigators.24 These additional rules include minimal handling of the original; accounting for any changes to the data; complying with the rules of evidence; and ensuring that the investigator never exceeds his/her knowledge.25
Attainment of these principles when handling digital evidence in the conduct of computer forensic investigations may not be achievable in today’s Army. However, measures to increase awareness of the legal fundamentals should be introduced, particularly for those Army personnel who may be required to handle computer data in an evidentiary process. Arguably, few if any of Army’s people would be in a position to guarantee that their actions are in accordance with the rules of evidence (regardless of the jurisdiction) during the collection stages. To redress this shortfall, short-course packages could be developed and delivered in consultation with the Military Police and Legal Corps, utilising their expert understanding of handling physical evidence.
Given their technical nature, cyber forensic investigations should only be conducted by technically proficient personnel. While commanders are trained in administrative and disciplinary investigations, there are no specialist investigators capable of conducting a cyber forensic investigation within Army. The distinction between different types of investigations is crucial and clarifying the relevant terminology is vital to an understanding of the scope and conduct of cyber forensic investigations. Specifically:
… a digital investigation is a process to answer questions about previous digital states and events, whereas a digital forensic investigation is a form of digital investigation in which the process follows rules that allow the results to be entered into a legal court.26
This is an important distinction. Digital investigations are conducted to determine why events occurred. These investigations are the realm of technical computer professionals who, for example, can review a system event log to determine why a particular process occurred. A digital ‘cyber’ forensic investigation, however, is a process that generates a product that can be admissible as evidence in legal proceedings — that is, evidence to prove or disprove an allegation or fact.27 These investigations must be conducted by technically proficient personnel who either understand the legal processes and procedures of evidence collection and use, or under the guidance of those who do.
As an emerging field of expertise, cyber forensic investigations and their principles are by no means conclusive. For this reason, while RA Sigs is well placed to capitalise on the emerging technical practices and procedures, the corps will be required to work in consultation with others to ensure that high-level skills are developed, applied and maintained. These skills could be employed in a number of key areas including the capture and exploitation of intelligence and in support of a brief of evidence to enable the prosecution of threat forces.
Cyber forensic investigations
The cyber investigative continuum.
Cyber forensic investigations seek to reconstruct the events that triggered the investigation or source data as evidence.28 To be admissible, digital evidence derived from a cyber investigation must conform to chain of custody requirements and adhere to the steps prescribed for six stages:
- preservation of the crime scene,
- location of the evidence,
- selection of the critical evidence,
- analysis of the evidence,
- validation of the evidence, and
- presentation of the evidence pursuant to evidentiary processes.29
The chain of custody is the path through which the evidence moves from the time of discovery to its presentation in court.30 The cyber forensic investigator must be able to prove that the evidence remained uncontaminated throughout the continuum.31 There is a particularly important role for the Military Police in the preservation stage; however, since they rarely deploy forward, this presents a challenge to processes that occur within a field environment.
Stage 1 — preservation of the crime scene
In general terms, there are four steps in the preservation stage.32 First, the storage media and system design must be identified. At this point, the investigator is seeking a ‘carbon copy’ of the environment he/she is analysing.33 In most cases, the key ‘will be recovering the computer used to launch the attack’.34 However, as discussed earlier, this may be problematic for a deployed force in the field or when only certain devices are captured.
A ‘live analysis’ may be required to conduct a quick assessment of the environment which may serve to focus the investigation.35 A live analysis is conducted while the operating system is still functioning and carries the risk that the system or its data may be inadvertently modified by the user. A ‘dead analysis’ is generally preferable. A dead analysis is conducted when the data is obtained without the use of the operating system.36 This is generally performed with the use of a write-blocking device and calls for a high degree of technical skill and expertise.
Once the investigator has determined the preferred method, the preservation can commence. There are a number of documented procedures to lead an investigator through this process.37 The key points in these procedures include documentation of the preservation; ensuring that the image creation process does not alter the data; and ensuring that the image is complete.38 Metadata is essential for validation and authentication and can be used to prove that the image created is identical to the original data.39 Generally, ‘to reliably image drives, halting the target system is common.’40 However, this may lead to the loss of volatile data.41 Once created, the forensic image and associated hardware must be stored in a manner that ensures the chain of custody cannot be questioned.
Stages 2 and 3 — locating and selecting the evidence
This phase of the continuum is driven by a detailed and systematic analysis of the network (live) or preserved system (dead). Unfortunately, ‘there is no magic program we can plug our evidence into that automatically extracts just what we need for our case.’42 So, typically, an investigator will review the system to familiarise him/herself with the content and structure of the system. The examination must be documented for later reference and consider an evaluation of the system configuration, types of media stored, web browsing history, email correspondence and installed applications.43
The investigator has a number of options when searching for evidence. Some investigators may rely on their knowledge of the system. This may work well for small systems but is arguably less than ideal for networks due to the large data holdings of modern systems.44 To facilitate evidence location on networks or to rapidly analyse large storage media, the investigator may rely on forensic search applications. The advantage of such applications is that they save an enormous amount of time.45 Automated processes assist the investigator to quickly select the evidence required.
The investigator may also be faced with data and files that cannot be retrieved or accessed without the use of specialist programs.46 Such programs enable the investigator to access password-protected files, breach encrypted files, counter steganography (the practice of concealing data, information or a picture within another file), or carve files from deleted data.47 The internet is heavily populated with sites and tools to support these processes. However, from an academic perspective, little has been published to formalise the utility and accuracy of these tools.
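The two content-signature techniques touched on above, spotting a file whose extension has been renamed to disguise it (the anti-forensic method mentioned earlier) and carving files out of a raw image without the file system’s own metadata, in an added Python example that is not code from the article or from any tool it names. The signature table, the sample image and the file names are constructed for illustration; real carving tools carry hundreds of signatures.

```python
"""Signature-based carving and extension-mismatch detection.

Added example, not code from the article or any tool it names. It works from
file-content signatures alone, which is what lets an investigator (a) notice a
file whose extension was renamed to hide its true type and (b) carve files out
of a raw image without the file system's metadata. Two formats are enough to
show the technique.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# (header, footer) signatures. A JPEG ends in FF D9; a PNG ends with its IEND chunk.
SIGNATURES: Dict[str, Tuple[bytes, bytes]] = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
# Cap for a header with no footer (file truncated or partly overwritten).
MAX_CARVE = 64 * 1024


def identify(data: bytes) -> Optional[str]:
    """Return the format whose header the data starts with, or None."""
    for kind, (header, _) in SIGNATURES.items():
        if data.startswith(header):
            return kind
    return None


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when the content signature contradicts the file's extension,
    e.g. a JPEG saved as 'notes.txt'. Unrecognised content is not flagged."""
    kind = identify(data)
    if kind is None:
        return False
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    aliases = {"jpg": {"jpg", "jpeg"}, "png": {"png"}}
    return ext not in aliases[kind]


@dataclass
class CarvedFile:
    kind: str
    offset: int
    length: int
    complete: bool  # False when no footer was found within MAX_CARVE
    sha256: str     # recorded at carving time so the object can be validated later


def carve(image: bytes) -> List[CarvedFile]:
    """Carve every recognised header in the image through to its footer.
    Note: a JPEG footer inside an embedded thumbnail would end a carve early."""
    found: List[CarvedFile] = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            limit = min(len(image), pos + MAX_CARVE)
            end = image.find(footer, pos + len(header), limit)
            if end == -1:
                data, complete = image[pos:limit], False
            else:
                data, complete = image[pos:end + len(footer)], True
            found.append(CarvedFile(kind, pos, len(data), complete,
                                    hashlib.sha256(data).hexdigest()))
            pos = image.find(header, pos + len(data))
    return sorted(found, key=lambda f: f.offset)


def build_sample_image() -> bytes:
    """Constructed raw image: zero filler around a complete JPEG, a complete
    PNG and a JPEG whose tail was overwritten, so it has no footer."""
    filler = b"\x00" * 300
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-body-1" + b"\xff\xd9"             # 17 bytes
    png = SIGNATURES["png"][0] + b"IHDR-constructed-chunk" + SIGNATURES["png"][1]  # 38 bytes
    truncated = b"\xff\xd8\xff\xe1" + b"EXIF-body-truncated"              # no FF D9
    return filler + jpeg + filler + png + filler + truncated + filler


if __name__ == "__main__":
    for f in carve(build_sample_image()):
        print(f"{f.kind} @ {f.offset:>5} len={f.length:>4} complete={f.complete} "
              f"sha256={f.sha256[:16]}...")
    print("renamed?", extension_mismatch("notes.txt", b"\xff\xd8\xff\xe0JFIF"))
```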
The evidence itself is selected during the locating phase. Essentially, having discovered the evidence, the investigator’s next task is to select which evidence requires further analysis. Clearly, using the skills of RA Sigs personnel in conjunction with trained investigators during this phase presents an optimum solution. Techniques used at this stage may also be useful as intelligence-gathering tools without the need to adhere to processes in support of judicial procedures.
Stage 4 — analysing the evidence
The evidence analysis phase occurs in conjunction with the first three phases but must also be considered a distinct phase because of the analytical processes employed. During the processes of locating and selecting the evidence, the investigator will begin to formalise and categorise the evidence against hypotheses.48 Throughout this stage, the investigator will use tools and document findings to assist in interpreting the evidence.49
Evidence analysis is a specialist skill that also requires oversight. Army has professionals who can advise in this area and who can assist the investigator to place significant events along a timeline, structure relationships and/or networks and ultimately, reconstruct the crime or events being investigated.50 In doing so, the investigator is cataloguing the identified and selected evidence and correlating it to provide an overview of the events.51 At a micro level (individual machine or device), this process can be coordinated locally.
Stage 5 — validating the evidence
Once the cyber forensic investigator believes the events have been suitably reconstructed against a viable hypothesis, the evidence must be validated to ensure its admissibility.52 It is this role that has particular relevance to RA Sigs personnel. No other corps’ skill set is as suited to digital evidence validation. Formally enhancing the tacit knowledge of RA Sigs personnel would represent a relatively small evolution of their skills and knowledge. The key limitation would lie in ensuring the skill set is developed through an understanding of the broader legal implications.
During the validation stage, the investigator seeks to prove that the evidence that has been located and selected is actually authentic.53 The processes for validating (physical) documentary evidence are well established. However, due to the difference between physical documents and digital records, these established processes are not necessarily suitable for digital validation:
There are two main problems inherent with electronic documents that make them more difficult to analyze than paper documents. First, they are easy to copy and modify. If a blackmailing letter is stored as a file on a suspect’s personal computer, the suspect may argue that the document was planted into their computer after the computer had been seized by the law enforcement agency. Secondly, it can be argued that the document had been modified by the law enforcement agency. One solution to this problem is to use special purpose computer forensic software tools to verify the file system integrity of the suspect’s computer, after it has been seized by the law enforcement agency [author’s emphasis].54
For these reasons, the ability to prove the authenticity of the evidence is crucial. To achieve this, the cyber forensic investigator can rely on readily available evidence on the system or employ a range of automated specialist tools. In doing so, the cyber forensic investigator is proving that the evidence was retrieved from the suspect system without alteration, or that a particular file was created using a particular device. To prove the latter, the investigator may examine the metadata associated with the file type and employ fields such as the date created or modified to prove that the file was created on the suspect system. Another method to prove that the preserved crime scene is an exact replica is to conduct a hash analysis.55 This involves comparing an extracted hash sequence (mathematical representation of a data sequence) against known reference datasets to determine whether alterations have been made.56
Stage 6 — presenting the evidence
Regardless of the compelling nature of the evidence collected, it is likely to be worthless if it is not presented in a manner that is clear, concise and convincing to juries. Military Police and Army lawyers will retain their specialist role in this area because:
being able to write a clear, concise, and factual report is one of the more difficult aspects of the job for a technically orientated person, because your audience is not technical, so they will not understand all the terms and technology that you have employed in your investigation and may not be able to understand the impact of the “smoking gun” you found.57
While there are a number of report templates available for reference, the format of an ‘internal’ report should be used in training.58 A brief is also a suitable document. This method calls for the investigators to compile their evidence for submission to a legal expert or the chain of command for subsequent legal analysis and preparation. The strength of this method is that the technical cyber forensic investigator is (often) untrained in legal processes and, as such, does not have to consider the fundamentals of law or the legal argument.59 This practice would considerably reduce training overheads.
Cyber investigative techniques unravelled
Research into cyber forensic investigative techniques presents a multitude of technical documents and vendor websites advertising the functions and performance of proprietary tools. For clarity, this section will focus on some key tools that are available to support the core functions of cyber forensics identified within this article. A snapshot of capabilities for professional development will also be included.
Research has found that solid-state drives, the emerging standard, can completely remove stored data without instructions from the computer.60 This presents a significant hurdle for cyber forensic investigators because tools commonly used to carve deleted data will require redevelopment or may in fact become obsolete. File carver programs are identified as ‘a mainstay of modern forensics’ that ‘attempt to reconstruct the disk contents without using the OS’s meta-level information.’61 With the advent of solid-state drives and their eventual integration into mainstream computing, cyber forensic investigators are likely to lose a key tool of their trade.62
Some experts argue that the best method to ‘quickly and efficiently screen data’ is through hash-based techniques.63 Hash-based tools account for the single biggest issue in cyber forensic investigations — scale. Using software, the ‘approach validates the forensic target’s integrity by comparing before-and-after results at important points in the investigation and, in doing so, can be used to eliminate known files (such as the OS and applications) or identify suspect files.’64 These tools are very useful for investigators handling large volumes of data, a live network analysis or during the preservation phase.
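The two uses of hashing the article describes, proving during validation that a preserved image is unchanged (the before-and-after comparison) and screening large volumes of data by eliminating files that match a reference set of known software, in an added Python example that is not code from the article or any tool it names. The file contents, case identifier and reference hash sets below are constructed stand-ins; a real case would hash the acquired image and compare against a published reference set.

```python
"""Hash-based integrity verification and known-file elimination.

Added example, not code from the article or any tool it names. It shows (1)
before-and-after comparison of a forensic image's hash, so any alteration after
acquisition is detectable, and (2) screening a file set against known-good and
known-bad reference hashes so only unknown files need manual review. All data
and reference sets here are constructed stand-ins.
"""
import hashlib
from typing import Dict, Iterable, List, Tuple

Triage = Dict[str, List[Tuple[str, str]]]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquisition_record(image: bytes, case_id: str) -> Dict[str, object]:
    """Taken once, at imaging time, and kept with the chain-of-custody record."""
    return {"case_id": case_id, "length": len(image), "sha256": sha256_hex(image)}


def verify_image(image: bytes, record: Dict[str, object]) -> bool:
    """Re-hash the working copy; a single flipped bit fails the comparison."""
    return len(image) == record["length"] and sha256_hex(image) == record["sha256"]


def triage_files(files: Dict[str, bytes],
                 known_good: Iterable[str],
                 known_bad: Iterable[str]) -> Triage:
    """Bucket files by hash: 'flagged' (known-bad), 'eliminated' (known-good)
    or 'unknown' (needs review). Known-bad wins if a hash appears in both sets."""
    good, bad = set(known_good), set(known_bad)
    result: Triage = {"flagged": [], "eliminated": [], "unknown": []}
    for path in sorted(files):
        digest = sha256_hex(files[path])
        if digest in bad:
            result["flagged"].append((path, digest))
        elif digest in good:
            result["eliminated"].append((path, digest))
        else:
            result["unknown"].append((path, digest))
    return result


def build_sample_case() -> Tuple[Dict[str, bytes], set, set]:
    """Constructed file set and reference sets (stand-ins, not real hashes)."""
    files = {
        "/Windows/System32/notepad.exe": b"constructed stand-in for a known OS binary",
        "/Users/suspect/Documents/letter.txt": b"constructed user document in no reference set",
        "/Users/suspect/Downloads/tool.bin": b"constructed stand-in for a known malicious tool",
    }
    known_good = {sha256_hex(files["/Windows/System32/notepad.exe"])}
    known_bad = {sha256_hex(files["/Users/suspect/Downloads/tool.bin"])}
    return files, known_good, known_bad


def demo() -> Tuple[bool, bool, Triage]:
    """Run both checks on the constructed case and return their results."""
    files, good, bad = build_sample_case()
    image = b"".join(files[p] for p in sorted(files))  # constructed "image"
    record = acquisition_record(image, "CASE-EXAMPLE-001")  # placeholder id
    intact = verify_image(image, record)
    altered = bytearray(image)
    altered[0] ^= 0x01                                  # one flipped bit
    tampered_ok = verify_image(bytes(altered), record)
    return intact, tampered_ok, triage_files(files, good, bad)


if __name__ == "__main__":
    intact, tampered_ok, triage = demo()
    print("image verifies:", intact, "| after 1-bit change:", tampered_ok)
    for bucket, items in triage.items():
        for path, digest in items:
            print(f"{bucket:>10}: {path} {digest[:16]}...")
```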
The authors of the article ‘Live Analysis – Progress and Challenges’ present an assessment of a number of approaches to live analysis.65 They claim that, for static analysis, ‘investigators commonly use free (often open source) offerings as well as commercial products such as Guidance Software’s EnCase or AccessData’s Forensic Toolkit (FTK). Both EnCase and FTK provide a wide variety of capabilities in one environment, while other products tend to focus on a limited number of specific tasks, such as detecting rootkits (malicious software designed to evade detection while providing an avenue of exploitation to a remote user) or identifying steganography.’66
Imported utilities are another option available to forensic investigators. Microsoft has developed a preloaded USB drive aimed at automating live analysis operations. While not a complete solution, the device — the Computer Online Forensic Evidence Extractor (COFEE) — represents another valuable resource for law enforcement agencies.67 The available research suggests that significant funds continue to be spent in the research and development of these tools.68
The Digital Evidence Search Kit (DESK) is the product of the Hong Kong Police Force and other law enforcement agencies. Its main value ‘is to assist the law enforcement agency to quickly examine a subject machine, and to make a quick decision of whether a full-scale and time consuming investigation of the subject machine should be carried out.’69 Some of the key capabilities of the system include a text pattern file search, hash value database, deleted file search and a logical search which ‘makes use of the information about the file system’.70
Recent research of particular interest is also contained in the paper ‘Lest We Remember: Cold Boot Attacks on Encryption Keys’, in which the authors claim that:
contrary to popular assumption, DRAMs (volatile computer memory) used in most modern computers retain their contents for several seconds after power is lost, even at room temperature and even if removed from a motherboard … we show that this phenomenon limits the ability of an operating system to protect cryptographic key material from an attacker with physical access.71
The researchers constructed a number of memory-imaging tools that boot a target machine and extract the contents of its memory after either a warm reset or a brief power-off (a cold boot).72 The tools were delivered through the Preboot Execution Environment network boot of most modern PCs, through USB boot, and through EFI boot on Macintosh systems.73
Most striking was their ability to install 'memory imaging tools on an Apple iPod so that it can be used to covertly capture memory dumps without impacting its functionality as a music player. This provides a plausible way to conceal the attack in the wild.'74 The paper also presents the authors' findings on encrypted disks.
Of particular note is the researchers' success against TrueCrypt, 'a popular open-source disk encryption product for the Windows, Mac OS, and Linux platforms',75 alongside BitLocker, FileVault and dm-crypt. It should be stressed that the attack does not break the cipher: it recovers the key from the memory of a machine that is running, or has only just been powered off, with the encrypted volume mounted. Their techniques provide valuable insight for the cyber forensic investigator who may be challenged by popular open-source encryption platforms. Although too lengthy for reproduction here, the research indicates that these commonly employed encryption products can be defeated with the right tools and techniques, including cooling the RAM chips to below -50 degrees Celsius so that they can be removed, transferred to another machine and imaged before their contents decay.76 The practical lesson for seizure is that a machine found running with an encrypted volume mounted should have its memory captured before the power is removed; a machine that has been switched off for more than a few minutes yields nothing.
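The key-location step of the cold boot attack, as an added example that is not part of the original article or of the tools released by Halderman et al. The paper's insight is that a disk-encryption driver keeps not only the 16-byte AES key in RAM but its full 176-byte expanded key schedule, and that this redundancy lets a scanner pick keys out of a memory image with effectively no false positives: every 16-byte window is expanded as though it were a key, and a window whose expansion is reproduced by the bytes that follow it in memory is a key. The memory image below is constructed (pseudo-random filler with the FIPS-197 sample key schedule planted at a known offset); the paper's further step of correcting bits that have decayed during the power-off interval is not implemented, so this scanner only finds schedules that are still intact.

```python
import random


def _rotl8(x: int, s: int) -> int:
    return ((x << s) | (x >> (8 - s))) & 0xFF


def _build_sbox() -> list:
    """Generate the AES S-box (GF(2^8) inverse followed by the affine map)."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= (q << 1) & 0xFF                                     # q /= 3
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        q ^= 0x09 if q & 0x80 else 0
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _build_sbox()


def _expand_words(key: bytes):
    """Yield the 40 derived 4-byte words of the FIPS-197 AES-128 key expansion."""
    w = [key[i:i + 4] for i in range(0, 16, 4)]
    rcon = 0x01
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t = bytes(SBOX[b] for b in t[1:] + t[:1])      # SubWord(RotWord(t))
            t = bytes([t[0] ^ rcon]) + t[1:]
            rcon = ((rcon << 1) ^ (0x1B if rcon & 0x80 else 0)) & 0xFF
        word = bytes(a ^ b for a, b in zip(w[i - 4], t))
        w.append(word)
        yield word


def aes128_key_schedule(key: bytes) -> bytes:
    """Return the full 176-byte expanded key, as software keeps it in RAM."""
    return key + b"".join(_expand_words(key))


def find_aes128_keys(dump: bytes) -> list:
    """Locate AES-128 keys in a memory image by their key schedules.

    Every 16-byte window is treated as a candidate key and expanded; if the bytes
    that follow it in memory reproduce the expansion word for word, the window is a
    key the software left in RAM.  Expansion stops at the first mismatching word,
    so the scan costs roughly one word of expansion per offset."""
    hits = []
    for off in range(len(dump) - 176 + 1):
        cand = dump[off:off + 16]
        if cand == cand[:1] * 16:          # all-zero / all-0xFF fill is never a key
            continue
        pos = off + 16
        for word in _expand_words(cand):
            if dump[pos:pos + 4] != word:
                break
            pos += 4
        else:
            hits.append((off, cand.hex()))
    return hits


# Constructed memory image (not a real dump): pseudo-random filler with the expanded
# form of the FIPS-197 sample key planted at a known offset, as a disk-encryption
# driver would leave it while a volume is mounted.
SAMPLE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
KEY_OFFSET = 3000
_rng = random.Random(2012)
_filler = bytes(_rng.getrandbits(8) for _ in range(6000))
SAMPLE_DUMP = (_filler[:KEY_OFFSET] + aes128_key_schedule(SAMPLE_KEY)
               + _filler[KEY_OFFSET + 176:] + b"\x00" * 1024)


if __name__ == "__main__":
    for offset, key_hex in find_aes128_keys(SAMPLE_DUMP):
        print(f"AES-128 key schedule at offset {offset}: key {key_hex}")
```

The scan reports exactly one hit, at the planted offset, because a 176-byte chain of round keys that happens to be consistent with the AES expansion cannot arise by chance in random filler. Windows overlapping the planted schedule do not match either, since expanding a later round key as if it were the cipher key restarts the round constants and diverges in the first derived word.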
These tools and techniques are a brief snapshot of the growing number available on the internet, either as open source or commercially at a price. Their prevalence and relative ease of use lend further weight to the call for professional training and certification of cyber forensic competencies within RA Sigs.
Conclusion
The global reliance on ICT systems is unlikely to diminish in the near future. Criminal elements (both domestic and threat forces) are adapting and increasingly utilising technology as a means to both conduct business and cover their tracks. As the research suggests, ‘for many organisations, identifying, tracking and prosecuting these threats has become a full-time job’.77 There are no signs that this trend will abate — clearly this is a discipline that is likely to continue to experience significant growth.
Cyber forensics remains a young but growing discipline. ICT systems are continuing to pervade modern societies and militaries often at a rate faster than training and adaptation can accommodate. The reliance on digital evidence in the legal system has generated greater demand for professionally trained practitioners. The private sector, like the military, has been particularly slow to embrace cyber forensic capabilities.78 This is due to issues of perception and the associated costs involved with large-scale network analysis.
This article has sought to provide an understanding of the relevance of cyber forensics to Army in general, and to RA Sigs in particular, as potential subject matter experts. Fundamental aspects have been researched, described and discussed. The vehicle for this consideration has been the processes and challenges involved in identifying, recovering, securing, examining, analysing and preparing digital evidence from a crime scene as part of a cyber forensic investigation. It is time for Army to understand and embrace these capabilities. With greater awareness and understanding, these techniques can be incorporated and developed into a potent capability for the future.
Endnotes
1 The Macquarie Library, The Macquarie Concise Dictionary (3rd edn.), McPherson Printing Group, Sydney, 2000.
2 Lieutenant Adrian Miller, ‘Beyond the Battle’, Army News, 16 February 2012, p. 10.
3 Ibid.
4 See, for example, Gavin W. Manes and Elizabeth Downing, ‘Overview of Licensing and Legal Issues for Digital Forensic Investigators’, IEEE Security & Privacy, Vol. 7, No. 2, 2009. pp. 45– 48; Timothy J. McGuire and Karon N. Murff, ‘Issues in the Development of a Digital Forensics Curriculum’, Journal of Computing Sciences in Colleges, Vol. 22, Issue 2, 2006, pp. 247–80.
5 See, for example, Debra Shinder and Michael Cross, Scene of the Cybercrime (2nd edn.), Academic Press, 2008; S. McCombie and M. Warren, ‘Computer Forensics: An Issue of Definitions’, Edith Cowan University – secAU Conferences, 2003. Retrieved from: http://scissec.scis.ecu.edu.au/conferences2006/proceedings/2003/forensics/pdf/14_final.pdf (accessed 14 March 2012).
6 Jerry Wegman, ‘Computer Forensics: Admissibility of Evidence in Criminal Cases’, Journal of Legal, Ethical and Regulatory Issues, Vol. 8, No. 1, 2005, pp. 1–13.
7 Aaron Philip, David Cowen and Chris Davis, Hacking Exposed – Computer Forensics (2nd edn.), McGraw Hill Companies, US, 2007.
8 Ibid.
9 See, for example, Shiuh-Jeng Wang, ‘Measures of retaining digital evidence to prosecute computer-based cyber-crimes’, Computer standards and interfaces, Vol. 29, No. 2, 2007, pp. 216–23; Wegman, ‘Computer Forensics: Admissibility of Evidence in Criminal Cases’, pp. 1–13.
10 See, for example, Marcus K. Rogers and Kate Seigfried, ‘The future of computer forensics: a needs analysis survey’, Computers & Security, Vol. 23, Issue 1, 2004, pp. 12–16; Wegman, ibid.
11 K.P. Chow, C.F. Chong, K.Y. Lai, L.C.K. Hui, K.H. Pun, W.W. Tsang and H.W. Chan, ‘Digital Evidence Search Kit’, International Workshop on Systemic Approaches to Digital Forensic Engineering, 2005, p. 187. Retrieved from: http://0-ieeexplore.ieee.org.prospero.murdoch.edu.au/stamp/stamp.jsp?tp=&arnumber=1592532 (accessed 15 March 2012).
12 Vasilios Katos and Peter M. Bedner, ‘A cyber-crime investigation framework’, Computer Standards & Interfaces, Vol. 30, Issue 4, 2008, pp. 223–28.
13 See, for example, Brian Carrier and Eugene Spafford, ‘Getting Physical with the Digital Investigative Process’, International Journal of Digital Evidence, Vol. 2, Issue 2, 2003; Orin S. Kerr, ‘Digital Evidence and the New Criminal Procedure’, HeinOnline, 2005. Retrieved from: http://heinonline.org/HOL/LandingPage?collection=journals&handle=hein.j… clr105&div=16&id=&page (accessed 27 April 2012).
14 See, for example, Katos and Bedner, ‘A cyber-crime investigation framework’, pp. 223–28; Wang, ‘Measures of retaining digital evidence to prosecute computer-based cyber-crimes’, pp. 216–23; Kerr, ibid.
15 Shinder and Cross, Scene of the Cybercrime.
16 Ibid.
17 Philip, Cowen and Davis, Hacking Exposed – Computer Forensics, p. 57.
18 Ibid., p. 198.
19 See, for example, Brian Hay, Kara Nance and Matt Bishop, ‘Live Analysis – Progress and Challenges’, IEEE Security & Privacy, Vol. 7, No. 2, 2009, pp. 49–55; J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum and Edward W. Felten, ‘Lest We Remember: Cold Boot Attacks on Encryption Keys’, Communications of the ACM, Vol. 52, Issue 5, 2009, pp. 91–98.
20 David Chalkin, ‘Network investigations of cyber attacks: the limits of digital evidence’, Crime, Law, and Social Change, Vol. 46, 2006, pp. 239–56.
21 Wang, ‘Measures of retaining digital evidence to prosecute computer-based cyber-crimes’, pp. 216–23.
22 McGuire and Murff, ‘Issues in the Development of a Digital Forensics Curriculum’, pp. 247–80.
23 Hay, Nance and Bishop, ‘Live Analysis – Progress and Challenges’, pp. 49–55.
24 Rodney McKemmish, ‘What is Forensic Computing?’, Australian Institute of Criminology Trends & Issues in Crime and Criminal Justice, No. 118, 1999. Retrieved from: http://www.aic.gov.au/documents/9/C/A/%7B9CA41AE8-EADB-4BBF-9894-64E0DF87BDF7%7Dti118.pdf (accessed 27 April 2012).
25 Ibid.
26 Brian D. Carrier, ‘Digital Forensics Works’, IEEE Security & Privacy, Vol. 7, No. 2, 2009, pp. 26–29.
27 See, for example, Shinder and Cross, Scene of the Cybercrime; Wegman, ‘Computer Forensics: Admissibility of Evidence in Criminal Cases’, pp. 1–13; August Bequai, ‘A Guide To Cyber-Crime Investigations’, Computers & Security, Vol. 17, No. 7, 1998, pp. 579–82.
28 Vassil Roussev, ‘Hashing and Data Fingerprinting in Digital Forensics’, IEEE Security & Privacy, Vol. 7, No. 2, 2009, pp. 49–55.
29 Peter Stephenson, ‘Analysis and Correlation’, Computer Fraud & Security, Vol. 2, Issue 12, 2002, pp. 16–18.
30 See, for example, Philip, Cowen and Davis, Hacking Exposed – Computer Forensics; Shinder and Cross, Scene of the Cybercrime.
31 Wegman, ‘Computer Forensics: Admissibility of Evidence in Criminal Cases’, pp. 1–13.
32 Philip, Cowen and Davis, Hacking Exposed – Computer Forensics; Shinder and Cross, Scene of the Cybercrime.
33 Shinder and Cross, Scene of the Cybercrime.
34 Kerr, ‘Digital Evidence and the New Criminal Procedure’, p. 287.
35 Hay, Nance and Bishop, ‘Live Analysis – Progress and Challenges’, pp. 49–55.
36 Ibid.
37 See, for example, Philip, Cowen and Davis, Hacking Exposed – Computer Forensics; Shinder and Cross, Scene of the Cybercrime; E. Casey, Digital evidence and computer crime (2nd edn.), Academic Press, London, 2004; Brian Carrier and Eugene Spafford, ‘Getting Physical with the Digital Investigative Process’, International Journal of Digital Evidence, Vol. 2, Issue 2, 2003.
38 Philip, Cowen and Davis, Hacking Exposed – Computer Forensics.
39 Ibid.
40 Hay, Nance and Bishop, ‘Live Analysis – Progress and Challenges’, pp. 49–55.
41 Halderman et al., ‘Lest We Remember: Cold Boot Attacks on Encryption Keys’, pp. 91–98.
42 Stephenson, ‘Analysis and Correlation’, p. 16.
43 Philip, Cowen and Davis, Hacking Exposed – Computer Forensics.
44 See, for example, Michael G. Noblett, Mark M. Pollitt and Lawrence A. Presley, ‘Recovering and Examining Computer Forensic Evidence’, Forensic Science Communications, Vol. 2, No. 4, 2000; Casey, Digital evidence and computer crime; Carrier and Spafford, ‘Getting Physical with the Digital Investigative Process’.
45 Noblett, Pollitt and Presley, ibid.
46 Shinder and Cross, Scene of the Cybercrime.
47 Hal Berghel, ‘Hiding Data, Forensics, and Anti-Forensics’, Communications of the ACM, Vol. 50, No. 4, 2007, pp. 15–20.
48 Shinder and Cross, Scene of the Cybercrime.
49 Carrier, ‘Digital Forensics Works’, pp. 26–29.
50 Wegman, ‘Computer Forensics: Admissibility of Evidence in Criminal Cases’, pp. 1–13.
51 Stephenson, ‘Analysis and Correlation’, pp. 16–18.
52 Wegman, ‘Computer Forensics: Admissibility of Evidence in Criminal Cases’, pp. 1–13.
53 Philip, Cowen and Davis, Hacking Exposed – Computer Forensics.
54 Chow, et al., ‘Digital Evidence Search Kit’, p. 1.
55 See, for example, Roussev, ‘Hashing and Data Fingerprinting in Digital Forensics’, pp. 49–55; Philip, Cowen and Davis, Hacking Exposed – Computer Forensics.
56 Philip, Cowen and Davis, ibid., p. 92.
57 Ibid., p. 342.
58 Ibid.
59 Wegman, ‘Computer Forensics: Admissibility of Evidence in Criminal Cases’, pp. 1–13.
60 Graeme B. Bell and Richard Boddington, ‘Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery?’, The Journal of Digital Forensics, Security and Law, Vol. 5, No. 3, 2010.
61 Berghel, ‘Hiding Data, Forensics, and Anti-Forensics’, pp. 15–20.
62 Bell and Boddington, ‘Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery?’
63 Roussev, ‘Hashing and Data Fingerprinting in Digital Forensics’, p. 49.
64 Ibid., p. 50.
65 Hay, Nance and Bishop, ‘Live Analysis – Progress and Challenges’, pp. 49–55.
66 Ibid.
67 Ibid.
68 Ibid.
69 Chow, et al., ‘Digital Evidence Search Kit’, p. 6.
70 Ibid., p. 3.
71 Halderman et al., ‘Lest We Remember: Cold Boot Attacks on Encryption Keys’, pp. 91–98.
72 Ibid.
73 Ibid.
74 Ibid., p. 6.
75 Ibid., p. 12.
76 Ibid., pp. 91–98.
77 Cited in McCombie and Warren, ‘Computer Forensics: An Issue of Definitions’, p. 1.
78 See, for example, Bequai, ‘A Guide To Cyber-Crime Investigations’, pp. 579–82; Wegman, ‘Computer Forensics: Admissibility of Evidence in Criminal Cases’, pp. 1–13.