Digital Forensics for Cybersecurity & Cloud
Cyber-attacks such as ransomware, intrusions and many other kinds have risen sharply. Analysing such attacks and taking preventive measures against them is essential if the same thing is not to happen again. This post discusses digital forensics, the discipline that focuses on exactly that.
What is Digital Forensics?
Digital forensics is the process of identifying, preserving, analysing, documenting and presenting digital evidence. These five steps are carried out so that evidence is collected in a defensible way and can be presented wherever it is required, whether in court or in an internal incident review.
Digital forensic science is a branch of forensic science that focuses on the recovery and investigation of material found in digital devices, usually in relation to computer crime such as attacks and intrusions. The term digital forensics was initially used as a synonym for computer forensics. Since then, it has expanded to cover the investigation of any device that can store digital data.
It was only during the early 21st century that national policies on digital forensics emerged. Although the first computer crimes were recognized in 1978, the year of the Florida Computer Crimes Act, digital forensics did not become a recognized term until the 1990s.
Steps in Digital Forensics
Identification
Identify the devices and the data on them that may hold evidence
Preservation
Secure and isolate the evidence and preserve it unchanged (write blockers, forensic images, cryptographic hashes and a chain-of-custody record); this prevents the evidence being altered or destroyed by third parties, including the attacker
Analysis
Analyse the data obtained, correlate the pieces of evidence and derive a conclusion based only on the available evidence
Documentation
Record the evidence and the steps taken, and reconstruct the sequence of events on test devices to confirm the conclusion can be reproduced
Presentation
Finally, summarize the observations and conclude in a form a non-technical audience can follow
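The preservation step above is the one that is most often done badly, so here is an added example (written for this post, not taken from any forensic tool) of what "preserve the evidence" means in practice: hash the acquired image at acquisition time, keep an append-only chain-of-custody record, and re-verify the hashes on every hand-over. The evidence bytes, item identifier and analyst names are constructed for the example.

```python
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for an acquired evidence image (a real image would be read
# from a write-blocked device or a cloud snapshot export). Not from any real case.
SAMPLE_IMAGE = b"\x00" * 512 + b"NTFS    " + b"\x00" * 504


def hash_bytes(data: bytes, algorithms=("sha256", "sha1")) -> dict:
    """Hex digests of `data`, computed in chunks so that large images stream."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for offset in range(0, len(data), 4096):
        chunk = data[offset:offset + 4096]
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def now_utc() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def acquire(data: bytes, item_id: str, source: str, collected_by: str) -> dict:
    """Create the initial chain-of-custody record at acquisition time.

    The hashes recorded here are the reference that every later verification
    is compared against, so they must be computed before anyone else touches the image.
    """
    return {
        "item_id": item_id,
        "source": source,
        "size_bytes": len(data),
        "hashes": hash_bytes(data),
        "custody": [{"action": "acquired", "by": collected_by, "at": now_utc()}],
    }


def transfer(record: dict, from_person: str, to_person: str, reason: str) -> dict:
    """Append a hand-over entry; the custody trail is append-only, never edited."""
    record["custody"].append({"action": "transferred", "from": from_person,
                              "to": to_person, "reason": reason, "at": now_utc()})
    return record


def verify(record: dict, data: bytes, verified_by: str) -> bool:
    """Re-hash the evidence and compare with the acquisition hashes.

    Every verification, pass or fail, is itself logged in the custody trail so a
    mismatch can later be narrowed down to the hand-over in which it appeared.
    """
    ok = hash_bytes(data) == record["hashes"]
    record["custody"].append({"action": "verified", "by": verified_by,
                              "result": "match" if ok else "MISMATCH", "at": now_utc()})
    return ok


if __name__ == "__main__":
    rec = acquire(SAMPLE_IMAGE, "EV-001", "laptop SSD, bay 1 (constructed)", "analyst A")
    transfer(rec, "analyst A", "analyst B", "handed over for analysis")
    print("intact:", verify(rec, SAMPLE_IMAGE, "analyst B"))
    # A single flipped byte (for instance the image opened read-write by mistake) is caught:
    print("tampered:", verify(rec, SAMPLE_IMAGE[:-1] + b"\x01", "analyst B"))
    for entry in rec["custody"]:
        print(entry)
```

Two hashes are recorded because forensic tools such as FTK Imager conventionally report more than one, and because a collision in one algorithm does not carry over to the other; the record itself should additionally be stored somewhere the analysts cannot silently rewrite (a signed log or a write-once store), which this example leaves out.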

Key differences between Cybersecurity and Digital Forensics
Digital forensics and cybersecurity are both pillars of any organization that runs technology on its networks, but they look in different directions: cybersecurity works to prevent and detect attacks before or while they happen, whereas digital forensics reconstructs what happened after an incident and preserves the evidence of it. Each feeds the other.
How does Cybersecurity benefit from Digital Forensics?
Helps in identifying the vulnerable areas of the networks in the organization
Digital forensic investigations produce information that highlights where a network or website is typically vulnerable. Cybersecurity effort can then be focused on those areas.
One basic cause of compromise is simply the strength of the passwords on network or account logins. Attackers try to gain access to a network or device by trying many password combinations (brute force and password spraying), and the failed attempts they leave behind in authentication logs are often the first thing an investigation finds. It is therefore important to have a strong password policy for all user accounts across the organization, together with lockout or rate limiting on repeated failures so that guessing does not go unnoticed.
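The password-guessing pattern described above is easy to surface from authentication logs. The following is an added example written for this post (not code from any forensic tool): it parses OpenSSH auth.log lines, counts failed logins per source address, and flags sources that eventually succeeded after a run of failures, which is the case an investigator cares most about. The log lines and addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in OpenSSH auth.log format; the addresses are documentation
# ranges (RFC 5737) and the lines were written for this example, not captured.
SAMPLE_AUTH_LOG = """\
Mar 12 09:14:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51012 ssh2
Mar 12 09:14:03 web01 sshd[2203]: Failed password for root from 203.0.113.45 port 51013 ssh2
Mar 12 09:14:05 web01 sshd[2205]: Failed password for invalid user oracle from 203.0.113.45 port 51014 ssh2
Mar 12 09:14:06 web01 sshd[2207]: Failed password for alice from 198.51.100.7 port 40021 ssh2
Mar 12 09:14:07 web01 sshd[2209]: Failed password for invalid user admin from 203.0.113.45 port 51015 ssh2
Mar 12 09:14:09 web01 sshd[2211]: Failed password for invalid user test from 203.0.113.45 port 51016 ssh2
Mar 12 09:14:11 web01 sshd[2213]: Failed password for root from 203.0.113.45 port 51017 ssh2
Mar 12 09:14:12 web01 sshd[2215]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
Mar 12 09:14:13 web01 sshd[2217]: Accepted password for root from 203.0.113.45 port 51018 ssh2
"""

# Matches the "Failed/Accepted password|publickey for [invalid user] USER from IP port N" shape.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def parse_auth_log(text: str) -> list:
    """Turn auth.log text into a list of dicts; lines that are not auth results are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_brute_force(events: list, threshold: int = 5) -> dict:
    """Flag source IPs with at least `threshold` failed logins.

    Returns {ip: {"failures": n, "users_tried": [...], "success_after_failures": bool}}.
    Events are processed in log order, so a success only counts as "after failures"
    if the failures from that IP preceded it.
    """
    failures = defaultdict(list)
    success_after = defaultdict(bool)
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]].append(e["user"])
        elif len(failures[e["ip"]]) >= threshold:
            success_after[e["ip"]] = True
    return {
        ip: {
            "failures": len(users),
            "users_tried": sorted(set(users)),
            "success_after_failures": success_after[ip],
        }
        for ip, users in failures.items()
        if len(users) >= threshold
    }


if __name__ == "__main__":
    for ip, info in find_brute_force(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(ip, info)
```

Alice's single typo from 198.51.100.7 stays below the threshold and is not reported; 203.0.113.45 is reported with six failures across four usernames and a final success as root, which is the combination that should trigger lockout policy review and a look at what that session did next.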
Forensic reviews of compromised networks also repeatedly find that users had been granted access to resources they did not need, and that this excess privilege is what let an intrusion turn into a data breach. Access should follow the principle of least privilege and be reviewed regularly.
Restore lost information
Recovering deleted information is crucial in a digital investigation. Digital forensics recovers it using specialized tools and methods, for example by reading filesystem structures that still reference the deleted file, or by carving files out of unallocated disk space based on their file signatures when no metadata survives.
Note: A list of digital forensics tools is given in a separate section of this article.
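To make the "restore lost information" point concrete, here is an added example of the simplest recovery technique, header/footer file carving, written for this post rather than taken from any of the tools listed below. It scans raw bytes (unallocated space, a memory dump, a slack region) for known file signatures and cuts out everything between a header and its footer. The disk image it runs on is constructed inline.

```python
import struct

# Header/footer signatures. A real carver knows many more and also uses the file's
# internal structure (chunk lengths, segment markers) to bound the file precisely.
SIGNATURES = {
    "png":  (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpeg": (b"\xff\xd8\xff",      b"\xff\xd9"),
    "pdf":  (b"%PDF-",             b"%%EOF"),
}


def carve(image: bytes, signatures=SIGNATURES, max_size: int = 10 * 1024 * 1024) -> list:
    """Return files recoverable from raw bytes by header/footer matching, sorted by offset.

    Filesystem metadata (name, timestamps, owner) is not recovered this way, only
    content. A header with no footer within `max_size` is reported as incomplete so the
    analyst can decide whether the file was fragmented or partly overwritten.
    """
    found = []
    for kind, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:
                found.append({"type": kind, "offset": start, "size": None,
                              "complete": False, "data": b""})
                pos = start + len(header)
                continue
            end += len(footer)
            found.append({"type": kind, "offset": start, "size": end - start,
                          "complete": True, "data": image[start:end]})
            pos = end
    return sorted(found, key=lambda f: f["offset"])


def build_sample_image() -> bytes:
    """Constructed 'unallocated space': zero fill with a minimal PNG at offset 1024,
    a JPEG at 4096, and a JPEG header at 8000 whose remainder was overwritten."""
    png = (b"\x89PNG\r\n\x1a\n"
           + struct.pack(">I", 13) + b"IHDR" + struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
           + b"\x00\x00\x00\x00"            # IHDR CRC placeholder, not a valid CRC
           + struct.pack(">I", 0) + b"IEND\xaeB`\x82")   # empty IEND chunk with its real CRC
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01\x02" * 40 + b"\xff\xd9"
    buf = bytearray(9000)
    buf[1024:1024 + len(png)] = png
    buf[4096:4096 + len(jpeg)] = jpeg
    buf[8000:8003] = b"\xff\xd8\xff"
    return bytes(buf)


if __name__ == "__main__":
    for f in carve(build_sample_image()):
        print(f["type"], "at", f["offset"], "size", f["size"], "complete" if f["complete"] else "INCOMPLETE")
```

The caveat a practitioner needs: footer bytes can legitimately appear inside a file (a JPEG's embedded thumbnail has its own FFD9, a PDF with incremental updates has several %%EOF), so carved output must be validated by actually parsing it, and the PNG here would fail that validation because its IHDR CRC is a placeholder.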
Defend against hijackers and hackers
By carrying out the five steps (identify, preserve, analyze, document and present), digital forensics collects data such as attacker addresses, file hashes and the techniques used, which cybersecurity teams can use to keep attackers out of a device or network. With this data, security tooling can detect the relevant indicators and continuously scan networks to make sure no malicious user gains access.
Secure against viruses
Software built from digital forensic findings (signatures and behaviour patterns extracted from analysed samples) can detect spyware and malware and usually remove it before any information is exfiltrated or destroyed.
Digital Forensics tools
- Autopsy
- FTK Imager
- Digital Forensics Framework
- SIFT (SANS Investigative Forensics Toolkit) Workstation
- Volatility (The Volatility Foundation is a nonprofit organization whose mission is to promote the use of memory analysis within the forensics community)
Digital Forensics for Cloud Security
Cloud computing environments are becoming an attractive target for attackers and pose new security challenges. To address these challenges, digital forensic methods are applied to the remote servers of the cloud, giving rise to the term ‘Cloud Forensics’.
Based on NIST Cloud Computing Reference Architecture, a working definition of cloud forensics is, “Cloud forensics is the application of digital forensic science in cloud computing environments. Technically, it consists of a hybrid forensic approach towards the generation of digital evidence. Organizationally it involves interactions among cloud actors (i.e., cloud provider, cloud consumer, cloud broker, cloud carrier, cloud auditor) for the purpose of facilitating both internal and external investigations. Legally it often implies multi-tenant situations.”
According to the National Institute of Standards and Technology (NISTIR 8006, Cloud Computing Forensic Science Challenges), the major challenges of cloud forensics fall into the following nine groups, summarized as
- Architecture (diversity, complexity, provenance, multi-tenancy, data segregation, etc.)
- Data collection (data integrity, data recovery, data location, imaging, etc.)
- Analysis (correlation, reconstruction, time synchronization, logs, metadata, timelines, etc.)
- Anti-forensics (obfuscation, data hiding, malware, etc.)
- Incident first responders (trustworthiness of cloud providers, response time, reconstruction, etc)
- Role management (data owners, identity management, users, access control, etc.)
- Legal (jurisdictions, laws, service level agreements, contracts, subpoenas, international cooperation, privacy, ethics, etc.)
- Standards (standard operating procedures, interoperability, testing, validation, etc.)
- Lack of training (forensic investigators, cloud providers, qualification, certification, etc.)
This post attempts to address the challenges related to Architecture and Incident first responders.
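Of the analysis challenges listed above, time synchronization and correlation across sources bite first in practice: provider audit logs are in UTC, guest VM logs are in the VM's local zone, and the VM clock may be skewed. The following added example, written for this post and not taken from any provider's tooling, merges a provider audit log with a guest syslog into one UTC timeline and shows how a 90-second clock skew changes the order of events. The records are constructed; their field names follow the AWS CloudTrail layout (eventTime, eventName, userIdentity.userName, sourceIPAddress), which is an assumption about the provider, and the skew value is assumed to have been measured separately (for example by comparing the guest clock with the provider's snapshot timestamps).

```python
from datetime import datetime, timedelta, timezone

# Constructed provider audit events (CloudTrail-shaped; field names are an assumption).
PROVIDER_EVENTS = [
    {"eventTime": "2024-03-12T09:15:00Z", "eventName": "AssumeRole",
     "userIdentity": {"userName": "bob"}, "sourceIPAddress": "203.0.113.45"},
    {"eventTime": "2024-03-12T09:16:10Z", "eventName": "PutBucketPolicy",
     "userIdentity": {"userName": "bob"}, "sourceIPAddress": "203.0.113.45"},
]

# Constructed guest VM syslog with ISO timestamps in the VM's local zone (+05:30).
# Assumption for the example: the VM clock was measured to run 90 s fast.
GUEST_LOG = """\
2024-03-12T14:47:00+05:30 vm-web01 sudo: bob : TTY=pts/0 ; PWD=/home/bob ; COMMAND=/bin/cat /etc/shadow
2024-03-12T14:47:20+05:30 vm-web01 CRON[411]: (root) CMD (run-parts /etc/cron.hourly)
"""


def to_utc(ts: str, skew_seconds: float = 0.0) -> datetime:
    """Parse an ISO-8601 timestamp ('Z' or numeric offset) into aware UTC, subtracting the
    source's known clock skew (positive = source clock runs fast). Naive timestamps are
    refused: without a zone they cannot be placed on a shared timeline."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"naive timestamp cannot be placed on a timeline: {ts}")
    return dt.astimezone(timezone.utc) - timedelta(seconds=skew_seconds)


def provider_entries(events: list, skew_seconds: float = 0.0) -> list:
    return [{"time": to_utc(e["eventTime"], skew_seconds), "source": "provider-api",
             "actor": e["userIdentity"].get("userName", "?"), "action": e["eventName"],
             "detail": e.get("sourceIPAddress", "")} for e in events]


def guest_entries(log_text: str, skew_seconds: float = 0.0) -> list:
    """Only sudo lines carry a user in this sample; other lines are attributed to 'system'."""
    entries = []
    for line in log_text.splitlines():
        ts, host, rest = line.split(" ", 2)
        if rest.startswith("sudo: "):
            actor = rest.split(":")[1].strip()
            action = "sudo " + rest.split("COMMAND=", 1)[1]
        else:
            actor, action = "system", rest
        entries.append({"time": to_utc(ts, skew_seconds), "source": host,
                        "actor": actor, "action": action, "detail": ""})
    return entries


def build_timeline(provider_events: list, guest_log: str, guest_skew_seconds: float = 0.0) -> list:
    """Merge both sources into one UTC-ordered timeline."""
    entries = provider_entries(provider_events) + guest_entries(guest_log, guest_skew_seconds)
    return sorted(entries, key=lambda e: e["time"])


if __name__ == "__main__":
    for label, skew in (("raw clocks", 0), ("guest skew corrected", 90)):
        print(f"--- {label} ---")
        for e in build_timeline(PROVIDER_EVENTS, GUEST_LOG, skew):
            print(e["time"].isoformat(), e["source"], e["actor"], e["action"])
```

With raw clocks the guest's `cat /etc/shadow` appears almost two minutes after the bucket policy change; after correcting the skew it sits 30 seconds after the AssumeRole and before the policy change, which is a different story about what the attacker did first. Recording the skew and its source in the case notes is as important as the timeline itself.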
Proposed Model
Any attack can be thwarted by collective teamwork and meticulous planning. So that a cyber-attack can be recognized and defeated, a model based on the collective actions of a group of authenticated members (actors) is proposed below. The main actors and their roles in the proposed model are
- Cloud Customer (CC): the end user who benefits from the cloud services.
- Trusted Third Party (TTP): an independent party that identifies and resolves security breaches with the help of the cyber forensics team, so that neither customer nor provider alone controls the investigation.
- Cloud Service Provider (CSP): the registered service provider that operates the infrastructure the cloud customers depend on.
- Cloud Forensics Investigation Team (CFIT): the team the TTP uses to handle suspicious activity in the cloud; the CFIT uses current cyber forensics tools such as those listed above.
Digital forensics is a key part of cybersecurity and of cloud security, helping to protect networks from viruses, hackers, malware and vulnerabilities, and to establish what happened when protection fails.