
Communications of the ACM

Next-generation cyber forensics

Introduction


As with any discipline, changes in mind-set and technology are often met with resistance, and cyber forensics is no exception. With roots in what would now be considered simplistic and forensically unsound post-mortem data recovery, cyber forensics has quickly evolved into a set of complex, controlled procedures that allow near-real-time analysis and timely responses based on accurate feedback. Advances in forensic tools, training, and law have contributed greatly to this evolution.

Cyber forensics has also become a key investigative component for law enforcement and business, and it is used by the military and intelligence communities in mission-critical operations. As technology continues to advance at an uncontrollable rate, adequately addressing tomorrow's problem areas is extremely difficult, especially since many of today's challenges have yet to be overcome.

It is imperative that academic and research institutions continue to collaborate with the operational community so that together we can develop solutions for current roadblocks and work together in an effort to be both knowledgeable and technologically prepared for future challenges.

The articles in this section take an in-depth look at many of the challenges faced by forensics experts. Sophisticated hackers can conceal evidence of system break-ins relatively easily; therefore, investigators must have the right skills and techniques to recognize any sign of intrusion. Eoghan Casey discusses some of the methods experienced intruders use to hide their actions and then describes the challenges forensic investigators would face in those situations. He explains the reasons for investigators to act quickly and offers several procedures used in analysis of digital evidence. In advocating the integration of forensic principles into security tools, Casey contends that intelligence gathering and providing advanced training and tools to investigators will help in apprehending the perpetrators involved in many computer crimes.


Often computer forensics examiners must choose between turning a system off to examine it or performing live analysis when the system is running. Brian Carrier explains the risks of conducting a live forensic investigation. Offering a comparison between the physical world and the digital world, he details how rootkits can provide false or misleading information during a live analysis and what countermeasures can be used to deal with rootkits.
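A concrete countermeasure of the kind Carrier's article addresses is cross-view comparison: a rootkit that hooks the interface used by a tool such as `ps` can hide a process from that high-level view, but the process still appears in an independent low-level enumeration (a walk of `/proc`, or a memory image parsed offline). The example below is added here to illustrate the technique and is not code from Carrier's article; the process listings are constructed sample data, not output from a real system, and the function and variable names are the author's own.

```python
"""Cross-view comparison as a countermeasure to rootkits during live analysis.

Added example with constructed data. A discrepancy between a high-level view
(what a possibly hooked `ps` reported) and a low-level view (an independent
PID enumeration) is a candidate hidden process. Because a process can exit
between the two snapshots, a single diff is not conclusive: the check is
repeated and only PIDs hidden in every round are reported.
"""
from __future__ import annotations

# Constructed sample: what a possibly hooked `ps -eo pid,comm` printed.
HIGH_LEVEL_VIEW = """\
  PID COMMAND
    1 init
  412 sshd
  913 bash
 1207 nginx
"""

# Constructed sample: (high-level text, low-level enumeration) pairs taken in
# two rounds. PID 1311 is absent from `ps` in both rounds; PID 1400 is a
# short-lived process that exited between the low- and high-level snapshots.
LOW_LEVEL_ROUND_1 = [(1, "init"), (412, "sshd"), (913, "bash"),
                     (1207, "nginx"), (1311, "k3v"), (1400, "sleep")]
LOW_LEVEL_ROUND_2 = [(1, "init"), (412, "sshd"), (913, "bash"),
                     (1207, "nginx"), (1311, "k3v")]
ROUNDS = [(HIGH_LEVEL_VIEW, LOW_LEVEL_ROUND_1),
          (HIGH_LEVEL_VIEW, LOW_LEVEL_ROUND_2)]


def parse_ps(text: str) -> dict[int, str]:
    """Parse `pid comm` lines (header skipped) into a PID -> name map."""
    procs: dict[int, str] = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 1)
        if len(parts) != 2 or not parts[0].isdigit():
            continue
        procs[int(parts[0])] = parts[1].strip()
    return procs


def cross_view_diff(high: dict[int, str], low: list[tuple[int, str]]) -> dict[str, list[int]]:
    """Compare the two views and classify every discrepancy."""
    low_map = dict(low)
    common = set(high) & set(low_map)
    return {
        # present only in the low-level view: candidate hidden processes
        "hidden": sorted(set(low_map) - set(high)),
        # present only in the high-level view: exited between snapshots, or injected output
        "phantom": sorted(set(high) - set(low_map)),
        # same PID, different name: possible hooked or relabelled entry
        "renamed": sorted(p for p in common if high[p] != low_map[p]),
    }


def stable_hidden(rounds: list[tuple[str, list[tuple[int, str]]]]) -> list[int]:
    """PIDs reported as hidden in every round; transient processes drop out."""
    hidden_sets = [set(cross_view_diff(parse_ps(h), l)["hidden"]) for h, l in rounds]
    return sorted(set.intersection(*hidden_sets)) if hidden_sets else []


if __name__ == "__main__":
    print(cross_view_diff(parse_ps(HIGH_LEVEL_VIEW), LOW_LEVEL_ROUND_1))
    print("stable hidden PIDs:", stable_hidden(ROUNDS))
```

On a real system the two views must be taken as close together in time as possible, and the low-level view should come from a path the rootkit is unlikely to control (a kernel debugger, a memory image analyzed offline, or a known-good binary run from read-only media); if both views pass through the same hooked code, the comparison proves nothing.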

Some companies might find it more than a bit difficult to slow down business even for a day in order to conduct forensic examinations. Frank Adelstein makes the case for live forensic analysis. While acknowledging that investigators risk contaminating evidence during live analysis, he argues that live forensics gathers evidence that cannot be reproduced at a later date. His article offers helpful information on what types of data can be collected during live forensics and how they can be acquired and used.

To facilitate the presentation of results obtained through a forensic analysis, Robert Erbacher and Sheldon Teerlink have developed methods for incorporating visualizations that can reduce analysis time. Their techniques allow forensic examiners to search for specific types of files, perform pattern matching, and display file contents. By color-coding data in their graphical representations, they argue, patterns become easier to notice, which in turn increases the examiner's efficiency.

As the number and complexity of computer crimes grow, investigators realize the need for better evidence acquisition techniques and advanced tools for automated data analysis. Golden Richard III and Vassil Roussev have observed the shortcomings in current evidence collection and analysis methods, particularly their failure in handling large targets. They discuss some shortcomings of the state of the art in cyber forensics tools and propose some research areas to overcome the deficiency.

In addition to these featured articles, there are several short pieces appearing throughout the section offering specific forensic experiences or tools. Chet Hosmer introduces the concept of Digital Evidence Bag (DEB), the need for which is driven by the fact that storing massive amounts of data in traditional forensic storage media is no longer viable. DEB would provide intelligent storage with functionalities such as authentication, integrity, access control, and non-repudiation/audit.

To assess the nation's preparedness to investigate and recover its cyber infrastructure from a catastrophe, which Rahul Bhaskar terms a "Cyber Katrina," he conducted a survey of 530 law enforcement agencies. His results indicate that only a few of the personnel assigned to investigate computer crimes have formal training in computer forensics. Bhaskar suggests organizing a Computer Security Incident Response Team and defines a process the team can adopt in case of a cyber disaster.

Members of the Common Evidence Format Working Group are developing a standard format for storing digital evidence. Here, they explain the problems with proprietary formats, including the likely introduction of errors and the loss of time when data is converted from one proprietary format to another. A standard format, they write, would enable better evidence management and closer cooperation among both national and international agencies. And Simson Garfinkel introduces a new file format called the Advanced Forensic Format (AFF). This open, extensible format supports image compression so that more evidence can be stored on the same media. He discusses the working principles of AFF and notes its multiple benefits.

Cyber forensics is an area that will require increasing emphasis in the future. As all segments of society become more dependent upon networking and information technology, this same technology becomes an increasingly tempting target for malicious activity. To make our systems more robust and resilient against this threat, we need new and improved ways to diagnose malicious system events. The ability to gather credible and reliable digital evidence will make critical information systems stronger in the long run and will also give us the ability to prosecute those who intrude upon and damage these systems. Cyber forensics is moving from a discipline based on after-the-fact analysis of offline systems to one in which diagnosis takes place on live, running systems. It will continue to mature into an area that is critical to today's high-tech environment and will become a key pillar of the information security posture of modern organizations.


Authors

Brajendra Panda ([email protected]) is an associate professor in the Computer Science and Computer Engineering Department at the University of Arkansas, Fayetteville, AR.

Joseph V. Giordano ([email protected]) is the technical advisor for cyber operations at the Air Force Research Laboratory's Information Directorate in Rome, NY.

Daniel Kalil ([email protected]) is a cyber forensics specialist at the Assured Information Security, Inc., Rome, NY.


©2006 ACM  0001-0782/06/0200  $5.00

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

The Digital Library is published by the Association for Computing Machinery. Copyright © 2006 ACM, Inc.
