Digital Forensics and Anti-Forensics
Student’s Name
Institution
Date
Introduction
Over the past decade, technology has been evolving at a significant rate and at a quicker pace than anticipated. With the increasing penetration of technology, instances of fraud committed using technology have also increased at an alarming rate (Yaqoob et al., 2019). Facilitating forensic investigations and collecting digital evidence has been a critical issue in recent years. A wide range of software tools for collecting technology-based evidence and conducting investigations has emerged, yet numerous challenges remain. This paper will analyze the anti-forensic issues and effective ways of minimizing their impact.
Major anti-forensic issues
Recent studies by Forensic Focus revealed that encryption and cloud forensics are the two major concerns for forensic investigators. The cumulative data volume per investigation (triage) was another concern, as the number of reported digital crimes continues to rise while training and resources become scarce in the field of investigation. Among the difficulties encountered while investigating a case, mobile and IT devices use a wide range of operating systems, communication standards, and file formats, all adding to the complexity of forensic investigations. Moreover, embedded storage devices are not easily removable from their host device, unlike the server computers and desktops that were traditionally examined. In some circumstances, the device might lack persistent storage altogether, forcing the examiner into expensive RAM forensics. When investigating multiple devices, correlation and consistency problems may arise, because evidence collected from separate sources ought to be correlated for logical and temporal consistency.
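The correlation problem described above, as an added example that is not part of the original paper: constructed records from three evidence sources that stamp time differently are normalized to UTC, corrected by an assumed per-source clock skew, merged into one timeline, and checked against the event ordering an examiner would expect (all source names, records, skews and constraints are constructed for illustration).

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records from three evidence sources (not real case data).
# Each source stamps time differently: local time with a UTC offset, ISO-8601
# with a trailing 'Z', and a naive stamp documented as UTC. SKEW holds the
# per-source clock offset an examiner would have measured against a reference
# clock at acquisition time (assumed values for this example).
RECORDS = [
    ("laptop", "2019-03-04 09:15:02 +0200", "report.docx created"),
    ("cloud",  "2019-03-04T07:16:40Z",      "report.docx uploaded"),
    ("phone",  "2019-03-04 07:10:05",       "report.docx opened"),
]
SKEW = {"laptop": timedelta(0), "cloud": timedelta(0), "phone": timedelta(minutes=-8)}
# Ordering an investigator expects between event types: left must precede right.
CONSTRAINTS = [("created", "uploaded"), ("uploaded", "opened")]

def parse_ts(source, raw):
    """Normalise one source's timestamp to an aware UTC datetime and apply its measured skew."""
    raw = raw.replace("Z", "+0000")
    for fmt in ("%Y-%m-%d %H:%M:%S %z", "%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%d %H:%M:%S"):
        try:
            dt = datetime.strptime(raw, fmt)
            break
        except ValueError:
            continue
    else:
        raise ValueError(f"unrecognised timestamp from {source}: {raw}")
    if dt.tzinfo is None:            # naive stamp: this source is documented as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc) + SKEW.get(source, timedelta(0))

def build_timeline(records):
    """Merge all sources into one list of (utc_time, source, event) sorted by corrected time."""
    return sorted((parse_ts(s, t), s, e) for s, t, e in records)

def find_inconsistencies(timeline):
    """Return the (before, after) constraints violated by the merged timeline."""
    keywords = {kw for pair in CONSTRAINTS for kw in pair}
    first_seen = {}
    for when, _, event in timeline:
        for kw in keywords:
            if kw in event and kw not in first_seen:
                first_seen[kw] = when
    return [(b, a) for b, a in CONSTRAINTS
            if b in first_seen and a in first_seen and first_seen[b] >= first_seen[a]]

if __name__ == "__main__":
    tl = build_timeline(RECORDS)
    for when, src, ev in tl:
        print(when.isoformat(), src, ev)
    print("violations:", find_inconsistencies(tl))
```

In the constructed data the phone's "opened" record still precedes the cloud "uploaded" record after skew correction, so the check flags it for the examiner to explain rather than silently accepting the merged timeline.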
In some situations, the absence of resources and inadequate training in the investigative field is another challenge that increases the workload of investigators, as they are forced to perform manual examinations of various devices. The concept of "push-button" forensics, which provides only the most basic training in the use of specific tools, is another anti-forensic factor: investigators do not attain a thorough understanding of the deeper functionality and methodology of the tools. Interestingly, the main concerns reported in the Forensic Focus survey were cloud forensics (23%) and encryption (21%), while the minor concerns were triage (11%) and device proliferation (5%).
The UCD study confirms that cloud-based storage of information poses a major challenge (Lillis et al., 2016). Usually, information in the cloud is spread over several distinct nodes, as opposed to the old-fashioned scenario where data was stored inside a single machine. As a result of the distributed nature of cloud services, information can be stored in multiple legal jurisdictions. This leaves investigators dependent on local regulations and rules as they gather evidence, which can potentially increase the cost, difficulty, and time of completing a forensic investigation. With current technology, a single file can be split into independent blocks of data stored on different remote nodes, which adds to the complexity and renders traditional forensic tools redundant.
Cloud forensics presents the usual difficulties of understanding how to access the stored information. Apart from that, there are legal concerns about conducting cloud-based forensics. Cloud forensic investigations are international investigations, with information stored in various physical locations, some of which require legal procedures for authorization. Cloud services may be used for genuine purposes, but the growth of distributed information storage and anonymizing tools makes it easy for criminals to hide their tracks and go unrecognized. The easy-to-use features and IP anonymity of most cloud systems, such as those that demand minimal data when signing up for the service, can result in situations where identifying a criminal is virtually impossible. When dealing with cases of covering one's trails and anonymity, encryption is a delicate matter in modern digital forensics. With the recent disagreement between the FBI and Apple and the ensuing decryption of the iPhone by a third party, encryption has been the main talking point in the headlines, bringing the issue into the public sphere more than ever before.
According to Rocha et al. (2011), an encrypted device presents a particular set of challenges during an investigation, and those challenges vary significantly depending on the device. For instance, on Windows computers, full-disk encryption may be attacked only by seizing a memory dump with a kernel-mode tool while the volume is mounted and then extracting the binary decryption key by analyzing the memory dump. On Android devices, it depends on the manufacturer and the version of Android that is running; in most cases, dumping and decryption of Android devices are possible even when the password is unknown. For Apple tablets and smartphones, encryption is exemplary because Apple built the Secure Enclave into its 64-bit hardware. For such devices, alternative acquisition paths can be applied, e.g., cloud acquisition. Another challenge arises when only a portion of the information is encrypted, because locating the encrypted information is itself a real challenge. The encrypted file location module available in Belkasoft Evidence Center implements a proprietary technique for distinguishing compressed files from encrypted information.
Ways in which forensic investigators can minimize the challenge
In situations where encrypted devices are crucial for evidence, exploits and workarounds might be a useful solution. The majority of encrypted devices are designed to withstand brute-force attacks, so that guessing encryption keys or passwords is complicated unless the same password was used on multiple accounts. To get around encryption, investigators are encouraged to use several workarounds. For instance, one can unlock a BitLocker volume if the Microsoft Account password is known; in that case, it is easier to retrieve the respective escrow key from the Microsoft account. Password recovery is another approach, for which additional tools and methods exist. Another technique is seizing a memory dump, using Belkasoft Live RAM Capturer or a similar tool, and then extracting the binary key from the dump. Android smartphones require one to understand the weaknesses of each Android release in order to overcome its defenses. If overcoming the defenses is not possible, it is still possible to extract large amounts of data from the associated Google account, which may store more information than the smartphone itself. Smartphones from Apple are normally configured to back up data to the cloud automatically; those backups can later be retrieved and analyzed instead of trying to break into the device.
The ability to retrieve all the evidence is not the only difficulty of a forensic investigation. Even after obtaining all the necessary information, there is a need to analyze the data thoroughly, select what information is critical or useful for a particular investigation, and write a report that can be presented in court as evidence. A backlog of digital evidence has become the norm for law enforcement departments. The projected ballooning of case volume in the near future is expected to compound the backlog problem further, particularly as the volume of evidence from internet-of-things and cloud-based sources increases.
In general, the digital forensics field is experiencing many challenges that are almost impossible to overcome. In a world of developing technology, digital investigators find themselves striving to keep up. The best solution to the existing challenges is to maintain cross-collaboration between corporate entities, law enforcement agencies, and academic institutions whenever necessary. With the continuous growth of a globalized society that stores much of its information online, the forensic field has an excellent chance to use this trend to collaborate more effectively and help build effective and lasting solutions.
Conclusion
Encryption and cloud forensics are the two major concerns for forensic investigators. Cloud forensics presents the usual difficulties of understanding how to access the stored information. Apart from that, there are legal concerns about conducting cloud-based forensics. An encrypted device presents a particular set of challenges during an investigation, and those challenges vary significantly depending on the device. In situations where encrypted devices are crucial for evidence, exploits and workarounds might be a useful solution. A backlog of digital evidence has become the norm for law enforcement departments. The best solution to the existing challenges is to maintain cross-collaboration between corporate entities, law enforcement agencies, and academic institutions whenever necessary.
References
Lillis, D., Becker, B., O'Sullivan, T., & Scanlon, M. (2016). Current challenges and future research areas for digital forensic investigation. arXiv preprint arXiv:-.
Rocha, A., Scheirer, W., Boult, T., & Goldenstein, S. (2011). Vision of the unseen: Current trends and challenges in digital image and video forensics. ACM Computing Surveys (CSUR), 43(4), 26.
Yaqoob, I., Hashem, I. A. T., Ahmed, A., Kazmi, S. A., & Hong, C. S. (2019). Internet of things forensics: Recent advances, taxonomy, requirements, and open challenges. Future Generation Computer Systems, 92, 265-275.