Incorporating Automation Into Digital Forensics
Abstract: The alarming growth of cyber crime makes it essential that preventive measures be taken and that post-attack analysis be done to identify the culprit. Cyber forensics, or digital forensics, applies science to maintain a strict chain of custody during the identification, collection, examination, and analysis of digital data while preserving its integrity. AI-powered software, programs, operating systems, and devices are being developed on a massive scale to automate a wide variety of processes and operations. The principal aims of integrating AI and automation are efficiency, accuracy, and cost reduction. This paper explores the utility of AI-powered technology in making the job of digital forensics more impactful. This trend can maximize the accuracy of digital forensic investigations and enable more of them to be resolved.
Introduction
Nowadays most of us are in the habit of carrying our cell phones everywhere we go. In 2023, counting both smart and feature phones, the number of mobile phone users is 7.33 billion, which makes 90.04% of the people in the world cell phone owners. From computers to phones to wearable devices, a large volume of data is collected about an individual user, and thus a digital footprint of that user is created. Technology is progressing, but so is the crime related to it. Hence digital forensics can be used to extract information and use it to unveil the truth.
Forensic science is the application of science to matters of law. The field of forensic science has existed for over 100 years, but computer forensics emerged only after computers became popular around the 1980s. The first computer forensic technicians were law enforcement officers who were also computer hobbyists. Some of the earliest tools used in digital forensic investigations were created in FBI labs circa 1984, with forensic investigations driven by the FBI's specialist CART (Computer Analysis and Response Team), which was responsible for assisting in digital investigations. Digital forensics is believed to have grown substantially in the 1990s as a result of collaboration between several law enforcement agencies and department heads, including regular meetings at which they brought their expertise to the table.
Digital forensic science is a branch of forensic science that focuses on the recovery and investigation of material found in digital devices related to cybercrime. The term digital forensics was first used as a synonym for computer forensics or cyber forensics. Since then, it has expanded to cover the investigation of any device that can store digital data. Digital forensics includes providing context for the recovered data, such as explaining its source and purpose for civil or criminal proceedings and internal investigations. Some of the well-known cases solved using digital forensics are the BTK Killer, Dennis Rader, where a floppy disk Rader sent to police revealed his true identity, and the Craigslist Killer, Philip Markoff, who was tracked through the IP address of the emails used in the Craigslist correspondence.
A Times investigation in 2019 found 12,667 devices from 33 police forces across the UK awaiting examination. Such long-pending investigations show how overwhelmed digital forensic teams are by the sheer volume of digital evidence collected. Digital forensics investigators must also follow certain standards and procedures when conducting an investigation.
This paper aims to relieve the burden on investigators and proposes using automation to take on the bulk of the investigation process.
Digital Forensics
Essentially, digital forensics (or cyber forensics) involves collecting, examining, analyzing, and reporting electronic evidence in order to detect digital criminal activity. Forensic investigators must analyze storage media, hardware, operating systems, networks and applications to locate the point of compromise.
To preserve evidence, computer forensics may rely on a disk image, or virtual drives may be used to imitate an entire machine. Network forensics is concerned with the monitoring and analysis of computer network traffic. Care should be taken while handling and processing evidence, and the recorded chain of custody must be adhered to, in order to secure and preserve the evidence. Mobile devices have their own set of issues, such as memory volatility: the low-powered DRAM used in smartphones can lose data when the device is turned off, so correct handling is essential.
Any aspect of an enterprise system may be subject to criminal activity, data theft, or unauthorized access. The level of inquiry required is governed by the mission criticality of the compromised application, system, or network. The first step is to determine whether an investigation is needed at all. If the need is confirmed, the phases of forensic investigation below must be followed.
Phases of Digital Forensic Investigation
First Response:
The action performed right after the occurrence of a security incident is known as the first response.
Search and Seizure:
The personnel examine the tools used to commit the crime. These gadgets then are methodically seized in order to retrieve information from them.
Collect the Evidence:
The devices acquired are used by experts to gather data. They handle evidence using clearly defined forensic procedures.
Secure the Evidence:
The forensic staff should have access to a safe environment where they can secure the evidence.
Data Acquisition:
Data acquisition is the process of retrieving Electronically Stored Information (ESI) from suspected digital assets. It helps to gain insights into the incident.
Data Analysis:
The accountable staff scan the acquired data to identify the evidential information that can be presented to the court. This phase is about examining, identifying, separating, converting, and modeling data to transform it into useful information.
Evidence assessment:
The process of evidence assessment relates the evidential data to the security incident.
Documentation and Reporting:
This post-investigation process includes summarizing and recording all findings. Additionally, the report must contain sufficient and legitimate proof as determined by the court of law.
Testify as an expert witness:
In order to confirm the veracity of the evidence, the forensic investigators must also engage with an expert witness. An expert witness is a professional who looks into a crime to retrieve evidence and can attest to the findings in court.
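The integrity and chain-of-custody requirements described above (hashing the acquired image, securing the evidence, and documenting every hand-off) can be made concrete in a few dozen lines. The following is an added example written for this article, not code from the paper or from any forensic tool: the image bytes, case id, examiner names and timestamps are all constructed, and the append-only log that chains each custody entry to the previous one is an illustrative design, not a description of any particular product.

```python
"""Added example: verifying an acquired disk image and recording chain of custody.

Illustrative code, not from the article or any forensic tool. The image bytes,
examiner names, case id and timestamps are constructed for the demonstration.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed stand-in for a raw (dd-style) image: a few sectors plus markers.
# In practice this would be the bytes read from the image file itself.
IMAGE_BYTES = b"\x00" * 512 + b"EVIDENCE_SECTOR_1" + b"\xff" * 512 + b"EVIDENCE_SECTOR_2"


def image_hashes(data: bytes) -> Dict[str, str]:
    """Two independent digests: MD5 for legacy tool compatibility, SHA-256 for strength."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


class CustodyLog:
    """Append-only chain of custody: every entry commits to the previous entry's digest,
    so editing or removing an earlier entry is detectable at verification time."""

    def __init__(self, case_id: str) -> None:
        self.case_id = case_id
        self.entries: List[Dict] = []

    def record(self, action: str, examiner: str, item_hashes: Dict[str, str], when: datetime) -> Dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "case_id": self.case_id,
            "action": action,
            "examiner": examiner,
            "timestamp": when.isoformat(),
            "item_hashes": item_hashes,
            "prev_entry_hash": prev,
        }
        serialized = json.dumps(entry, sort_keys=True).encode()
        entry["entry_hash"] = hashlib.sha256(serialized).hexdigest()
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """Recompute each entry's digest and check that it links to its predecessor."""
        prev = "0" * 64
        for entry in self.entries:
            if entry["prev_entry_hash"] != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if digest != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def verify_image(data: bytes, expected: Dict[str, str]) -> bool:
    """Re-hash the image at examination time and compare against the acquisition record."""
    return image_hashes(data) == expected


def run_demo() -> Tuple[CustodyLog, bool, bool]:
    """Acquire, hand over, then re-verify the image before analysis (constructed scenario)."""
    log = CustodyLog("CASE-0001")  # constructed case id
    acquired = image_hashes(IMAGE_BYTES)
    t0 = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)
    log.record("acquired image from seized laptop HDD", "examiner A", acquired, t0)
    log.record("transferred to evidence locker", "examiner B", acquired, t0.replace(hour=10))
    intact = verify_image(IMAGE_BYTES, acquired)          # same bytes -> True
    tampered = verify_image(IMAGE_BYTES + b"x", acquired)  # one byte appended -> False
    return log, intact, tampered


if __name__ == "__main__":
    log, intact, tampered = run_demo()
    print("image intact:", intact, "| tampered copy detected:", not tampered)
    print("custody chain valid:", log.verify_chain())
```

The design choice worth noting is that the custody record carries the item hashes at every step, so a later examiner can show not only who held the evidence but that the bytes they received are the bytes that were acquired.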
Automation
Automation is the development and use of technology to manufacture and provide goods and services with little or no human intervention. It essentially replaces manual steps with automatic ones, reducing the workload of the person involved. Technological advancements have made human work easier and boosted productivity. According to a 2013 study, almost half of all jobs could potentially be automated in the next few decades.
One way in which automation manifests itself in digital forensics is through the creation of specialized software apps that perform difficult investigative activities with the press of a button. This is referred to as "push-button forensics" (PBF).
Push-button forensics (PBF):
In response to evolving cybercrimes and the need to gather new forms of evidence, specialized software and hardware tools have also emerged to assist investigators with the capture, analysis, and preservation of evidence. These software suites allow investigators to perform complicated analysis functions, purely by knowing which buttons to press. Thus, automation could have considerable impact on investigation costs.
Ad-hoc tools, fully automated enterprise products, and everything in between are each suited to a specific investigator or organization. They provide the wide-ranging set of features that forensic investigators need, including the ability to acquire and process storage devices, conduct searches, generate reports and more, depending on how much automation is built into the suite.
Digital investigations, whether the crime is a cybercrime or a crime that merely involves digital devices, require investigators to parse massive troves of data in a short amount of time. The complexity and volume of the data, together with the time constraints, reinforce the importance of artificial intelligence and automation in digital forensics, and particularly of informing the global community about methods, frameworks, and approaches through which AI- and automation-based digital forensic systems can be developed on a commercial scale. Unless resilient digital forensic systems are designed, the size and number of computer-aided crimes will only grow, to the point of inflicting lasting collateral damage on the industry.
Artificial Intelligence (AI):
The purest definition of AI is the development of computer systems and programs that can act intelligently. AI-enabled automated processes ultimately allow for autonomous decision making, which results in additional automation when the system acts on the decisions it has made. AI is a field of study that aims to simulate humanlike intelligence and behaviors. It can allow computers to reason, to acquire new knowledge about the world, to plan, and to learn from these experiences. Aspects of AI are already being used in malware and in digital forensics, to help the software hide or to discover more effectively.
In cyber forensics the goal is to capture the knowledge that an examiner applies when conducting an investigation in a knowledge representation over which a digital forensic system can reason.
Machine Learning (ML):
ML is the means by which a computer system or algorithm can consume large amounts of data and ultimately make predictions or draw conclusions. Instead of giving a computer a set of rules to follow, we give it enough data, a model structure with a learning algorithm, and enough time to comprehend the data, and it finds the right parameters for the model to produce the solution we want.
The benefits of machine learning include the capability for automation, the absence of personal bias, and the ability to improve over time. These characteristics are valuable in a digital forensics environment: for example, given a file, can we identify whether it is malware based on historical examples of other files?
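The malware question just posed is a small supervised-learning problem, and it can be demonstrated without any ML library. The block below is an added example written for this article, not code from the paper: the "historical" files and their labels are constructed (short text documents stand in for benign files, high-entropy byte streams from a deterministic generator stand in for packed malware), the two features (byte entropy and printable-byte ratio) are a deliberately minimal choice, and the classifier is a nearest-centroid model. A production system would use far richer features and verified labels; the point here is the workflow of learning from labelled history and predicting on an unseen file.

```python
"""Added example (not the article's code): classify a file as malware or benign
from historical labelled examples, using only the standard library. The sample
files, their labels and the feature choice are constructed for the demo."""
import math
from collections import Counter
from typing import Dict, List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: packed or encrypted payloads sit near 8, plain text near 4-5."""
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes in the printable ASCII range."""
    return sum(32 <= b < 127 for b in data) / len(data)


def features(data: bytes) -> List[float]:
    """Feature vector scaled so each component lies in [0, 1]."""
    return [shannon_entropy(data) / 8.0, printable_ratio(data)]


def pseudo_random_bytes(seed: int, n: int) -> bytes:
    """Deterministic LCG stream standing in for a packed/encrypted section (constructed)."""
    x = seed
    out = bytearray()
    for _ in range(n):
        x = (1103515245 * x + 12345) % (1 << 31)
        out.append((x >> 16) & 0xFF)
    return bytes(out)


class NearestCentroid:
    """Learns one centroid per label from historical examples; predicts the nearest one."""

    def __init__(self) -> None:
        self.centroids: Dict[str, List[float]] = {}

    def fit(self, samples: List[Tuple[bytes, str]]) -> None:
        by_label: Dict[str, List[List[float]]] = {}
        for data, label in samples:
            by_label.setdefault(label, []).append(features(data))
        for label, vecs in by_label.items():
            dim = len(vecs[0])
            self.centroids[label] = [sum(v[i] for v in vecs) / len(vecs) for i in range(dim)]

    def predict(self, data: bytes) -> Tuple[str, float]:
        """Return (label, distance to that label's centroid) for the closest centroid."""
        vec = features(data)
        label, centroid = min(self.centroids.items(), key=lambda item: math.dist(vec, item[1]))
        return label, math.dist(vec, centroid)


# Constructed "historical" corpus. Labels would normally come from verified past cases.
BENIGN_TEXTS = [
    b"Quarterly report: revenue grew modestly while costs held steady. " * 30,
    b"<html><body><h1>Welcome</h1><p>Plain static page.</p></body></html>" * 30,
    b"#!/bin/sh\necho backup started\ntar -czf /tmp/backup.tgz /home\n" * 30,
    b"Dear customer, your invoice is attached. Kind regards, accounts team.\n" * 30,
]
MALICIOUS_BLOBS = [pseudo_random_bytes(seed, 2000) for seed in (7, 42, 1337, 9001)]
HISTORY = [(t, "benign") for t in BENIGN_TEXTS] + [(b, "malware") for b in MALICIOUS_BLOBS]


def build_classifier() -> NearestCentroid:
    clf = NearestCentroid()
    clf.fit(HISTORY)
    return clf


def run_demo() -> Dict[str, str]:
    """Classify two files the model has never seen (both constructed)."""
    clf = build_classifier()
    unseen_text = b"Meeting notes: discuss the roadmap and assign owners.\n" * 25
    unseen_packed = pseudo_random_bytes(2024, 1500)
    return {
        "unseen_text": clf.predict(unseen_text)[0],
        "unseen_packed": clf.predict(unseen_packed)[0],
    }


if __name__ == "__main__":
    for name, label in run_demo().items():
        print(f"{name}: {label}")
```

Entropy alone is a weak signal (compressed archives and encrypted documents are benign and high-entropy too), which is exactly why the text's later caveat about expert oversight matters: a classifier like this reduces the pile the examiner must look at, it does not replace the examination.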
Deep Learning (DL):
DL is a specialized subset of ML that handles complex datasets using artificial neural networks (ANN). A standard ML algorithm applied to complex data sometimes needs a developer to correct incorrect learning. DL algorithms make this correction themselves by validating what was learned. Additionally, because of system hardware limitations, a standard ML algorithm may not be able to process complex datasets. To overcome this, DL uses ANNs to simplify the data in ways that are not possible with standard ML algorithms. Using unsupervised learning networks such as the Restricted Boltzmann Machine and convolutional neural networks, a DL algorithm simplifies the dataset and verifies what it has learned. DL and ML are similar, but DL automates feature extraction, and model selection is continually self-evaluated.
How can we prepare against unknown, newly created malware, sometimes even a mutation of existing malware? One approach taken with artificial intelligence is to create a self-learning system that generates an autonomous response to a threat, fights back, and assimilates the newly acquired information to improve itself. Unlike classical ML, the more data we feed these deep learning systems, the better they get. With DL, we can detect and prevent a threat before execution. We can now analyze malware data faster, with a far smaller footprint and with better detection rates. Forensic investigations benefit from the use of DL in data-driven malware investigations, malware classification and malware analysis, using convolutional neural networks and recurrent neural networks.
The accompanying figure depicts an example of how AI, ML and DL can work together to provide security. Incoming traffic from an unknown source is seen; that traffic is then stored in a database so that the Intrusion Prevention System (IPS) can determine whether or not it is malicious. If the traffic is malicious, the requests are blocked via the firewall. The IPS determines whether traffic is malicious by using Intelligent Automation (IA) technologies. Automation drives the process, while ML/DL learns from the logged data and teaches the AI which traffic is good or malicious based on traffic patterns or signatures.
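The pipeline the figure describes (log the traffic, let the IPS decide from signatures and from what it has learned, push blocks to the firewall) is small enough to sketch end to end. The block below is an added example written for this article, not code from the paper or any IPS product: the addresses, request lines, the two signature rules and the "learned" component (a per-source request-rate threshold fitted as mean plus three standard deviations over the logged benign history) are all constructed, and the SQLite table stands in for the database in the figure.

```python
"""Added example (not the article's code): a toy intrusion-prevention pipeline.
Every request is logged to a store first; the IPS checks it against signatures
and against a request-rate baseline learned from the logged history; offending
sources are pushed to a firewall block list. All traffic is constructed."""
import re
import sqlite3
import statistics
from typing import Dict, List, Tuple

# Constructed signature set: rule name and a pattern over the request line.
SIGNATURES = [
    ("path_traversal", re.compile(r"\.\./")),
    ("sql_union", re.compile(r"(?i)union\s+select")),
]
WINDOW = 60  # seconds; the rate baseline is per source per window


class TrafficStore:
    """Logs every request before any verdict, so the learner sees the full history."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE traffic (ts INTEGER, src TEXT, request TEXT, verdict TEXT)")

    def log(self, ts: int, src: str, request: str, verdict: str) -> None:
        self.db.execute("INSERT INTO traffic VALUES (?, ?, ?, ?)", (ts, src, request, verdict))

    def allowed_counts_per_window(self) -> List[int]:
        """Requests per (source, window) among traffic that was allowed: the benign baseline."""
        rows = self.db.execute(
            "SELECT COUNT(*) FROM traffic WHERE verdict = 'allow' GROUP BY src, ts / ?", (WINDOW,)
        ).fetchall()
        return [r[0] for r in rows]

    def recent_count(self, src: str, ts: int) -> int:
        return self.db.execute(
            "SELECT COUNT(*) FROM traffic WHERE src = ? AND ts > ?", (src, ts - WINDOW)
        ).fetchone()[0]


class Firewall:
    def __init__(self) -> None:
        self.rules: List[Tuple[str, str]] = []  # (source, reason)

    def block(self, src: str, reason: str) -> None:
        self.rules.append((src, reason))

    def is_blocked(self, src: str) -> bool:
        return any(s == src for s, _ in self.rules)


class RateBaseline:
    """Learns mean + 3 sd of per-source requests per window from the logged allowed traffic."""

    def __init__(self) -> None:
        self.threshold = None

    def fit(self, store: TrafficStore) -> float:
        counts = store.allowed_counts_per_window()
        self.threshold = statistics.mean(counts) + 3 * statistics.pstdev(counts)
        return self.threshold

    def is_anomalous(self, count: int) -> bool:
        return self.threshold is not None and count > self.threshold


class IPS:
    def __init__(self, store: TrafficStore, firewall: Firewall, baseline: RateBaseline) -> None:
        self.store, self.firewall, self.baseline = store, firewall, baseline

    def inspect(self, ts: int, src: str, request: str) -> Tuple[str, str]:
        """Return (verdict, reason); the request is logged whatever the verdict."""
        if self.firewall.is_blocked(src):
            self.store.log(ts, src, request, "block")
            return "block", "source already blocked"
        for name, pattern in SIGNATURES:
            if pattern.search(request):
                self.firewall.block(src, name)
                self.store.log(ts, src, request, "block")
                return "block", name
        if self.baseline.is_anomalous(self.store.recent_count(src, ts) + 1):
            self.firewall.block(src, "rate_anomaly")
            self.store.log(ts, src, request, "block")
            return "block", "rate_anomaly"
        self.store.log(ts, src, request, "allow")
        return "allow", ""


def run_demo() -> Tuple[Firewall, Dict]:
    store, fw, baseline = TrafficStore(), Firewall(), RateBaseline()
    # Constructed benign history: five clients (documentation range 192.0.2.0/24),
    # making 3 to 6 requests each within one window.
    for i, n in enumerate([4, 5, 3, 6, 4]):
        for k in range(n):
            store.log(k * 5, f"192.0.2.{i + 1}", "GET /index.html", "allow")
    baseline.fit(store)  # mean 4.4, sd ~1.02 -> threshold ~7.46 requests per window
    ips = IPS(store, fw, baseline)
    verdicts = {}
    verdicts["normal"] = [ips.inspect(100 + k, "198.51.100.7", "GET /about.html")[0] for k in range(3)]
    verdicts["traversal"] = ips.inspect(105, "203.0.113.5", "GET /static/../../app.conf")
    verdicts["flood"] = [ips.inspect(110 + k, "203.0.113.9", "GET /login")[0] for k in range(20)]
    return fw, verdicts


if __name__ == "__main__":
    fw, verdicts = run_demo()
    print(verdicts)
    print("firewall rules:", fw.rules)
```

Two properties of the sketch carry over to real deployments: the store is written before the decision, so the learner is never trained only on what the rules already caught, and the learned threshold is refitted from allowed traffic rather than hard-coded, which is the "ML learns from the logged data" half of the figure.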
Automation in Digital forensics
The objective is to assist forensic investigators with an automation tool that delivers significantly better and faster results than the tools presently used. Three aspects should be considered:
(1) reduction of routine and repetitive analysis, which also reduces the amount of evidence the expert must personally review;
(2) correlation of evidence;
(3) distribution of processes.
Automation and AI are independent concepts that can be combined to develop Intelligent Automation (IA) systems. The use of Self-Organizing Maps (SOMs) and Automated Evidence Profiling (AEP) has been recognized as highly effective by Al Fahdi et al. The researchers conducted a series of experiments and concluded that automation of standard digital forensic procedures is possible through techniques such as SOM and AEP, making the entire process more efficient and less costly.
In a research study completed by the CARI Institute, the applicability and potential of automation in digital forensics was explored from a multifaceted perspective by Butterfield. First, the study provided a comprehensive review of ontology-related data. This data was coupled with primary data collected directly from Digital Forensics Units (DFUs). The DFUs were tasked with gathering this data and with drawing out the trends and interrelationships used to solve criminal cases. The researchers then developed automated software that performs the same trend-analysis and relationship-identification activities. Such software could reach the same conclusions as the DFUs in a fraction of the time.
A multi-agent system (MAS) is a computerized system that comprises more than one agent. Garfinkel identified Forensic Feature Extraction (FFE) and Cross-Drive Analysis (CDA) as two methods for analyzing large amounts of forensic data. The MultiAgent Digital Investigation toolkit (MADIK) is a multi-agent system that assists computer forensics investigators with their examinations. It also allows the agents to reason about the evidence in a way that is more appropriate to the specific case in question. Its agents include ones that automate searches for matching files and file names, creation and access dates, extractable files, browser usage and credit-card details.
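The multi-agent idea above, and the first two aspects listed earlier (cutting the evidence the expert must personally review, and correlating evidence), can be illustrated with a miniature triage in which each agent independently scans the same evidence listing and a correlator ranks files by how many agents flagged them. This is an added example written for this article, not MADIK's code or any toolkit's: the evidence listing, the known-bad hash set, the incident window and the three agent heuristics (hash match, suspicious naming, timestamps inside the incident window) are all constructed for the demonstration.

```python
"""Added example (not MADIK's code): a miniature multi-agent triage with evidence
correlation. Each agent examines the evidence listing on its own; the correlator
merges the findings so the examiner reviews the highest-scoring items first.
The listing, hash set, incident window and heuristics are all constructed."""
import hashlib
from datetime import datetime
from typing import Callable, Dict, List, Tuple

Finding = Tuple[str, str]  # (path, reason)

# Constructed evidence listing, in the shape a triage tool exports from an image.
EVIDENCE = [
    {"path": "C:/Users/alice/Documents/report.docx",
     "sha256": hashlib.sha256(b"constructed: quarterly report").hexdigest(),
     "created": "2024-03-01T09:12:00", "accessed": "2024-03-01T09:15:00"},
    {"path": "C:/Users/alice/AppData/Local/Temp/invoice.pdf.exe",
     "sha256": hashlib.sha256(b"constructed: dropper").hexdigest(),
     "created": "2024-03-04T22:41:00", "accessed": "2024-03-04T22:41:30"},
    {"path": "C:/Windows/System32/notepad.exe",
     "sha256": hashlib.sha256(b"constructed: notepad").hexdigest(),
     "created": "2023-11-20T10:00:00", "accessed": "2024-03-04T22:42:00"},
    {"path": "C:/Users/alice/Downloads/photo.jpg",
     "sha256": hashlib.sha256(b"constructed: photo").hexdigest(),
     "created": "2024-02-10T18:30:00", "accessed": "2024-02-10T18:31:00"},
]

# Constructed known-bad hash set (stands in for a case-specific or threat-intel list)
# and the incident window established during first response.
KNOWN_BAD = {hashlib.sha256(b"constructed: dropper").hexdigest()}
INCIDENT_WINDOW = (datetime(2024, 3, 4, 22, 0), datetime(2024, 3, 4, 23, 0))


def hash_match_agent(evidence: List[Dict]) -> List[Finding]:
    """Agent 1: files whose digest appears in the known-bad set."""
    return [(f["path"], "hash matches known-bad set") for f in evidence if f["sha256"] in KNOWN_BAD]


def name_pattern_agent(evidence: List[Dict]) -> List[Finding]:
    """Agent 2: executables hiding behind a document extension, or anything in a Temp directory."""
    findings = []
    for f in evidence:
        name = f["path"].rsplit("/", 1)[-1].lower()
        parts = name.split(".")
        if len(parts) >= 3 and parts[-1] == "exe":
            findings.append((f["path"], "double extension ending in .exe"))
        elif "/temp/" in f["path"].lower():
            findings.append((f["path"], "located in a Temp directory"))
    return findings


def timeline_agent(evidence: List[Dict]) -> List[Finding]:
    """Agent 3: files created or accessed inside the incident window."""
    start, end = INCIDENT_WINDOW
    findings = []
    for f in evidence:
        for field in ("created", "accessed"):
            if start <= datetime.fromisoformat(f[field]) <= end:
                findings.append((f["path"], f"{field} inside incident window"))
                break
    return findings


AGENTS: Dict[str, Callable[[List[Dict]], List[Finding]]] = {
    "hash": hash_match_agent,
    "name": name_pattern_agent,
    "timeline": timeline_agent,
}


def correlate(evidence: List[Dict]) -> List[Dict]:
    """Run every agent, merge findings per file, rank by the number of agents that flagged it."""
    merged: Dict[str, Dict] = {}
    for agent_name, agent in AGENTS.items():
        for path, reason in agent(evidence):
            entry = merged.setdefault(path, {"path": path, "agents": set(), "reasons": []})
            entry["agents"].add(agent_name)
            entry["reasons"].append(f"{agent_name}: {reason}")
    ranked = sorted(merged.values(), key=lambda e: (-len(e["agents"]), e["path"]))
    for e in ranked:
        e["score"] = len(e["agents"])
    return ranked


def review_queue(evidence: List[Dict], min_score: int = 2) -> List[str]:
    """What the human examiner actually looks at: only items flagged by at least min_score agents."""
    return [e["path"] for e in correlate(evidence) if e["score"] >= min_score]


if __name__ == "__main__":
    for entry in correlate(EVIDENCE):
        print(entry["score"], entry["path"], entry["reasons"])
    print("review queue:", review_queue(EVIDENCE))
```

In this constructed listing the system binary accessed inside the window is flagged by one agent only, while the double-extension file in Temp is flagged by all three, so the review queue contains one item out of four; that is the "reduce what the expert must personally review" aspect made concrete, with the per-file reasons preserved for the report.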
Endpoint Detection and Response (EDR) software focuses on monitoring endpoints to detect suspicious activity and capture data for forensic and security investigations. It can also provide more granular control over and visibility into an attack, so IT professionals can remediate faster because they know more about it. EDR products also get smarter as they are used, because their algorithms rely on data and artificial intelligence (AI): the AI builds up a picture of what is happening specifically within the organization as well as what is happening generally in the wider world.
Computer crime profiling is one prominent area where AI is being utilized. AI-powered software is being used to facilitate the examination and analysis phases of digital forensics. As such, it enables forensic experts to examine and analyze digital evidence across a wide variety of computer crimes, including but not limited to malware, spyware, hacking, data theft, and identity theft.
A more modern digital forensic investigation tool has recently been launched by Magnet Forensics. The company announced the Magnet AUTOMATE system with the aim of enabling digital forensic experts to investigate and solve cases much faster than before (Magnet Forensics, 2019). The newly launched tool is based on a repeatable forensic workflow. According to Magnet, AUTOMATE is a flexible platform for quickly building custom automation around a standard workflow. The tool is worth considering because of its claim to deliver critical evidence in complex criminal cases within 48 hours.
Challenges Of Automation
Researchers identify five vital challenges in the digital forensics investigation process: complexity, diversity, consistency and correlation, quantity or volume, and unified time-lining. Pre-programmed tools have neither the comprehensive knowledge nor the ability to process information for unique scenarios.
Forensics experts differ in the amount of automation they prefer to use, and PBF is considered a highly automated practice. It receives a considerable amount of criticism from cyber forensic investigators, whose concerns revolve around a decline in expert knowledge when relying too heavily on PBF, which is perceived as lower quality or less thorough. At the same time, investigators welcome a certain amount of automation to assist them in their daily tasks. It is evident that some level of automation is needed to execute the cyber forensics process, but that PBF would be a poor replacement for all activities.
Intelligent Automation (IA) based technology can only serve as a set of tools to facilitate investigations, which still require oversight by expert human investigators. The accuracy of the forensic outcome depends to some extent on the abilities of the human investigator, since IA-enabled tools are still under development and may not always yield the accurate, complete, or robust information necessary for forensic cases. One study discussed the complex and unpredictable mindsets of criminals and consequently formulated the theory that complete automation of digital forensics is potentially impossible: many criminal cases fail to follow a standard pattern or historical trend. Furthermore, evolving technologies and techniques pave the way for criminals to adopt new and improved methods of committing crimes.
Future Scope
Because automation can speed up investigations, it can minimize case backlogs while avoiding bias and preconception. To re-evaluate these automation processes, investigators need to consider faster ways to establish a comprehensive analysis, such as profiling or automatic event reconstruction. Forensic tools are currently developed to detect digital evidence but offer little or no help with the investigation itself, so most of the analysis is still orchestrated manually. Researchers are exploring numerous ways to automate the analysis process so that it reveals what the information means and even draws conclusions about the data.
Thirty-nine percent of businesses and organizations report that they rely on automation, 34% use machine learning, 32% depend heavily on artificial intelligence, and 92% of security professionals trust behavior analytics to identify threats. In parallel with the technological advances in the field, the skills required of cyber forensic professionals are also changing. The legal system surrounding cyber investigations has also seen positive developments. Because of today's smartphone capabilities, and because mobile forensics experts use specialized hardware and software, mobile phones are very much like 'Digital DNA'. Incorporating IA into traditional digital forensics can help spot elements in videos, photos, and other forms of digital evidence, supporting highly accurate decisions about the possible time and location of future crimes based on identified commonalities.
Conclusion
The study finds that there is a need for automation in digital investigation, as there are a large number of backlogged cases and few professionals to tackle them. Incorporating automation into the process will take the burden off the forensic investigators.
Technological advancement is at an all-time high, but so is cyber crime, and cyber criminals are also upgrading themselves. Hence ML can be used to predict possible attacks and investigate them. There has been significant research on the topic, but practical implementation remains limited by comparison.