Abstract
During investigative activities in the field of contrasting tax evasion and fraud, it is known that law enforcement agencies are increasingly encountering digital documents, which are slowly replacing the paper ones. The chapter has the purpose to explain as data, extracted from an electronic device, turns into evidence in court. The authors describe how hidden data (metadata) can become forensic evidence. In particular, the chapter examines the metadata contained in digital photos, which conceal a mass of data whose existence is not normally suspected. The second part of the chapter consists of miscellaneous cyber-attack descriptions in which computer forensics can be applied. It is finally described how one can protect systems against a cyber-attacks.
TopIntroduction
The information required during investigation activity that once led to the production of photocopies, folders, paper documents to be examined now frequently ends with the acquisition of many data saved on CDROM or hard disk and a few paper documents.
It is equally known that there is no official methodology that describes the forensic acquisition procedures, still relying on best practices, ISO standards, RFCs and some legislative adjustments ratifying 2001 Budapest Convention (Council of Europe, 2001).
Computer forensics hardly finds a univocal and exhaustive definition that can correctly describe it in all its nuances. As a first approach, computer forensics could be defined as the technical-investigative activity aimed at identifying, acquiring, protecting, managing, analyzing and interpreting digital traces, found inside electronic devices and their correlation to the facts, circumstances, hypotheses and traces of any nature, related to the investigated fact (Osterburg & Ward, 2010). In addition, the heterogeneity of electronic media hides traces and clues, the constant technological evolution and every situation in which an investigator must confront, unfortunately does not allow to identify a univocal and universal procedure for digital evidence acquisition (Reyes et al., 2007).
The theme therefore clearly refers to the procedures and dynamics that some digital evidence can bring to the case resolution. An accurate application of digital forensics procedures ensures the integrity, authenticity, truthfulness, non-repudiation and completeness of the test, which are the basis of computer forensics itself.
The steps that characterize the computer forensics activity can be summarized in the identification, preservation, acquisition, analysis and correlation of the data assumed, as well as in a complete and exhaustive documentation of what has been done in the individual phases.
Before starting to deal with this topic, it is necessary to give some definition. We have to distinguish two fields in this subject. The first one is Digital Forensics (Reith et al., 2002) and the other one is Computer Forensics.
Digital forensics is the science that allows, through the use of specific methodologies (Beebe & Clark, 2004; Carrier & Spafford, 2003) and tools the identification, storage and analysis of digital evidence. An important concept before continuing to explain the topic is the definition of a “digital proof”. It’s an information, with probative value, that is either stored or transmitted in a digital format.
Computer Forensics is another point of view. It is the discipline that deals with the preservation, identification, study, documentation of computers, or systems information in general, in order to highlight the existence of evidence in the course of an investigative activity (Casey, 2009).
For lawyers, Digital Forensics means to examine digital media and technological systems in order to extract the evidence required to demonstrate or refute the question that has been asked.
We are going to describe which is the accurate application of digital forensics procedures ensuring the integrity, authenticity, truthfulness, non-repudiation and completeness of the test, which are the basis of computer forensics itself.
First of all, we characterize the computer forensics activity summarized in the identification, preservation, acquisition, analysis and correlation of the data assumed, such as a collection of a complete and exhaustive documentation of what has been carried out in every step of process.
Key Terms in this Chapter
Confidentiality: Private content in data communication between users.
Integrity: Non-corruptibility feature that a message has during transferring from source to destination.
Non-Repudiation: Non-repudiation is the assurance that someone cannot deny the validity of something.
SSL, TLS: Cryptographic data protocol that assures authentication, privacy, and integrity during transmission on TCP/IP networks.
Investigation Activity: Set of actions that investigator implements to find clues.
DNS: Hierarchical and decentralized naming system for computers, services, or other resources connected to the Internet or a private network. It provides the translation of URL address into network IP address.
Availability: Characteristic of hardware or software systems to be always available.
Router: Device that routes data packets on a network.
Digital Evidence Acquisition: Data extracting from a device to provide an evidence.
Clue: A sign or some information that helps you to find the answer to a problem.
Completeness: The quality of being whole or perfect and having nothing missing.
Internet of Things: Every object is going to be connect to a network, so internet network becomes internet of objects (things).
Traces: Clues having significance for the investigation.
HTTP: Application protocol for distributed, collaborative, and data communication for the World Wide Web.