Home / papers / Digital Forensic Investigation: Research Paper

Digital Forensic Investigation: Research Paper


Digital forensic investigation is termed as the investigation of perceiving, isolating separating and demonstrating the propelled affirmation that has been secured in a large portion of the automated devices across the globe. The various computerized apparatus is now being utilized in the process of making sure that all forensic equipment is well coordinated. This paper focuses on giving a more clarification of forensic in the capacity media. There is a lot of information that has also been shrouded in the paper towards making sure that. Induced wrongdoing scene examination. The examinations oversee inestimable record cancellation and after that disassemble and organize data sources that can be basic in examining each case. The sources of information in a digital forensic investigation vary depending on the nature of the case. This paper talks about information sources that are used to pick up the confirmation for prioritizing of information that is broken down, the coveted data, and the nature of information about the occasion. The data earned from sources such as client recorded interviews, intrusion detection systems, virtual machines internet service providers among others are named as internet providers. The sorts of data that are put down concerns what information is required, and the estimation of that data concerning the event. The target of this paper is free three specific events; structure hindrance, malware foundation, and insider.


The data sources used to pick information from the crime scene varies depending on the nature of the case. The investigators manage a large amount of data to help the get tangible evidence from the the crime scene. The examiner’s experience drive the sought prioritization of information based on the convenient of the information and the data sought.  Digital investigations are based on the assumptions that the accumulation investigation and presentation of computerized information help to map out the evidence. The evidence must be useable for inside hearings and admissible in the court of law.in addition, be supporting information from other reports (Faheem, Le-Khac & Kechadi, 2014).

Computerized forensic investigation

Digital forensic investigation operates in several areas. First, digital forensic investigation utilizes computer crime scene investigations and network crime scene investigation. On the other hand, the digital forensic investigation uses the software to analyze vindictive codes and malware to help in the investigation. Various associations such as the military, law firms, corporate associations and government Organisations area concerned with the use of technology related to the digital forensic investigation (Garrie, 2014). Digital forensic investigations are concerned with digital evidence that shows ownership and maps out the course of events.  The digital forensic investigation also shows prove of approach. The data sources that are associated with digital forensic are the tapes, removable media, hard discs network framework logs, email, and other servers contend.  They are some challenges associated with digital evidenced. One of the challenges associated with the digital forensic investigation is that they are easy to demolish. Therefore, a suspect can easily redesign his computer memory and alter documents. Also, unpredictable memory can easily be slot when the machine fails to work.  The other challenge of digital evidence is that they hardly found. The legal requirements may prevent the collection of any digital evidence. It is a big challenge to track the digital evidence as there may be interruptions from various sources.

Digital forensic investigation is the practice of identifying, removing, breaking down and applying computerized techniques in advanced gadgets to get criminal information. Traditionally, different computerized methods and procedures were used to achieve this (Garrie, 2014). Our analysis focuses on the forensic examination of digital wrongdoing information, mining, legal systems shrouded information framework and capacity media. This framework is designed to uncover thought processes such as checks of assaults and digital assaults that happens during digital forensics. Furthermore, the proposed method empowers the framework overseers and reduces the framework vulnerability capacity.

Network Intrusion

Network Intrusion takes place when unauthorized, person invades the computer. System interruptions can also affect the records as they can be easily being erased, adjusted or even stolen by unsuspected persons. System interruption examinations help prevent the casualties in digital forensics. In March 2000, the office of the exploration framework, the director saw a record with the name transcended on their servers. The chairman instantly erased the records and advised the information security departments to act upon the case. This incident caused some lab to be down for some time to give room for investigation. After investigations, the culprit was found and charged (Haggerty, Haggerty, & Taylor, 2014).  There are four different data sources used in the digital forensic investigation. These sources are discussed below with the challenges in their collection and their examination. They include;

Account Auditing

Several strides have been taken by scientific investigators to track the gate crasher, remake the wrongdoing and protect conformation. The principle source information utilized was the audit both clients recorded supported by the routine checkups. Lack of routine audits of the client’s records and consents can easily give access to unwanted persons in the server. Such a situation epitomizes the significance of record keeping and evaluation. The federal agency data, information handbook, prescribes the access methods under authoritative controls. In addition, it provides mechanisms for verifying authoritative controls and gives relevant access to responsible data users (Haggerty, Haggerty, & Taylor, 2014). This paper provides further clarification on the shortcoming of the arrangements of one hub system and that of different hubs. Therefore, it is important to have uniform access control arrangement.

The support system should provide a way by which the clients have a secret password and change those passwords accordingly. A proper evaluation should be set up taking into customer account records and those records which are out-dated ought to be deleted. Off-kilter login attempts additionally, ought to be compelled and catapulted taking after various mistaken passwords insertions. While dealing with various sorts of working systems part checking on should be done given the customer’s record. It can be troublesome for association with a significant pool of customers to dispose of the base or inactive records (Jang, Koh, & Choi, 2012). Organizations can outsource their IT administrations to support quality information management. This would enable experts to review troublesome procedure and deal with it accordingly.

Life system data

To acquire a relevant proof, the experts utilize the encase projects to catch live information from the framework before keeping a review log by use of script summon. In this search, the experts find that the gate crasher was assessing their system through a dialler-up in Texas. The gate crasher introduced a sniffer to substitute a rendition with indirect access to the defenseless remote mechanism. On the other hand, the investigators found that the gate crasher had made his Telnet secret word to access their remote systems (Jang, Koh, & Choi, 2012).

One of the reasons why an episode handler would utilize an instrument is to catch love information and to configure how a scenario has happened. In this case, the handlers utilize encase to catch live, unstable information that had been used by the gate crashers to access their PC. In addition, they were prepared to see live system logs to figure out which passwords had been utilized to get to their servers. Getting data from the live system is known as live legitimate sciences. Live legal science investigations help to get unpredictable information or catch framework data that vanishes after the gadget is shut down (Jankun-Kelly et al., 2011). The difficulties that come with live crime scene investigations is safeguarding the framework condition and getting the data forensically solid. To achieve this, the experts need to use scientific tool box such as in the case to keep the procedures mechanized as possible. In the same situation, another unskilled worker in digital forensics missed the records on a few machines and failed to review the log. Such a case permitted episode handlers to figure out what information originated from which computer. All the information which were caught to be unacceptable for the situation left out.

Intrusion Detection System

The third data source used was the interference ID structure. After the subnet used by the gatecrasher as a piece of Texas was found the live system examination, the masters who had the ability to reconfigure the interferences recognized and structure functionalities (Jankun-Kelly et al., 2011). The third data source used was the piece ID structure. After the subnet used by the interloper as a touch of Texas had been found from the live structure examination, pros had the farthest point reconfigure the intrusion perceiving proof structure to screen framework improvement for these affiliations. After the reconfiguration, analysts had the most extreme screen framework movement and looked as the item design got to more machines not legitimately saw to be founded on using the Telnet optional area conundrum key.

Mechanized IDS and running with quantifiable frameworks use “mark masterminding,” which seeks after structure, affiliations and headway bothering on specific event tests and strategy for the trap. Shockingly, adjusted etching getting sorted out is not an unequivocal process and is determined on various pieces. Stamps reliably make false cautious in light of the way that they are pointlessly summed up, for instance, alarms for Port separating. Strike profiles can in like path move all things considered from most likely comprehended malware insertion tries to changed endeavours made to target specific structures and not yet known not open (Lim, Lee, Park, & Lee, 2014). Genuine sciences examination chairmen can start by sorting through like this made IDS alerts and from that point on use bits of data from the cautions to support separate less made system logs and information.

Criminological examination specialists can start by sorting through hence made IDS alarms after shrewd use bits of data to analyze the system information logs. Such a process is done with the goal of detaching prove of an interruption. The expert needs hacking techniques and incomprehensible learning to fathom on verification because; they have the capacity of catching the insights of rebel associations (Lim, Lee, Park, & Lee, 2014). In addition, the IDS help anticipates or square further associations and pinpoint movements where necessary.

Internet Provider Records

The final wellspring of proof is the Internet service Provider, which is utilized by the programmer to solicit logs and records joined with the case to be safeguarded. There are several essential data that can be gathered from ISP records after a subpoena is queried. The email address of the street numbers of the paid recorders holders could be named in the data. IP location can also be recorded with their dates and time (Lim, Lee, Park, & Lee, 2014). The taste of gathering data from an ISP is that the data may not be solid when the subpoena is required. Therefore, the ISP records provide the minimum source of information useful in such a situation.

Malware Installation

In the year 2008, a situation was displayed with the name ‘Martin Overton’. After that, the client called the help desk to access what it may be all about. The client was careful not to raise the errand administrator to make sense of what his abnormality was all about. How will the help desk determine whether the threat is brought on by malware or the client is not doing things correctly? On the other hand, what does the executive need to do in such a tricky situation? Overton presents a very recognizable situation that can be used to establish malware presence and establishment within an organization system (Lim, Lee, Park, & Lee, 2014).

The malware had distinctive sort of programming projects that can ascend out of scripts or codes concealed in urban areas and embedded in web promotions. It contains the framework when the client taps on the hyperlink, opens an email or visits the site. Most of the malware that exists are infections, worms, spyware or rootkits. Every one of them taints the framework in different ways. Malware is risky due to their wide number of arrangements and these make them difficult to track. Despite their wide range of hostile infection, the framework for guarding the malware should be upgraded from time to time (Matarneh, Moneim & Al-Nimer, 2015).

Prioritized Sources of Data

Live system Data

Just like the network intrusion, the gathering of the live framework has been an important establishment. After the suspect system is recognized all the development coming to and looking so as to leave the structure can be gotten at the covered records. The inserted malware will effectively be seen arranged in return data streams (Matarneh, Moneim and Al-Nimer, 2015). The gadgets may not be available to lead a cautious, examination to test climate the malware is presented in the live structure. Such gadgets numerous give a false positive, or the malware might be stealthy to the point that it might be unnoticed until it causes some harm.

Interruption Detection framework

This framework is the second profitable gadget utilized as a part of malware foundation. After the beginning, the examination is finished, and the specialists have regarded an illness the workstations should be ousted from the framework to keep the spread of malware to the various framework. The tradition accumulated must lose be separated further using IDS or different frameworks instruments.The second stage involved in finding malware is through examining and identification. Identification is made with the information of marks made given data caught in past assessment before the marks are established until hostile project are upgraded (Matarneh, Moneim & Al-Nimer, 2015). The third data source used was the impedance area structure. After the subnet used by the intruder as a touch of Texas was found from the live structure examination, experts could reconfigure the interference zone structure to screen framework traffic for these affiliations. After the reconfiguration, overseers could screen sort out, headway and look as the item design got to more machines not as of now saw to be founded on using the telnet devious access riddle key. Crucial structures could be secured and sorted out accreditation as an aftereffect of these divergences.

Intrusion Detection Systems (IDS) are principal in seeing structure impedances since they can be changed to along these lines masterminded boss when odd structure advancement happens. Evening out IDS with a criminal prepared up ’till now one watches the web and the other physical space–both give alarms when the unexpected happens.

Automated IDS and running with real procedure use “signature organizing,” which looks framework affiliations and change, aggravating on the specific scene outlines and method for a strike. Wretchedly, altered imprint organizing is not an unmistakable process and is determinant on various parts. Checks dependably make false cautious since they are a great deal of summed up, for the case, alarms for Port looking at (Pearson & Singleton, 2008). Strike profiles can moreover move stunningly from most likely got a handle on malware insertion tries to re-endeavor programs made to target specific structures and not yet known not open. The last changed ambushes are not got by IDS since engravings don’t yet exist for this circumstance and are not made open until after the strike. The inconvenience of using IDS as a part of this condition is that, without the most recent redesigns, IDS is not about as valuable.

Criminology pros can start by sorting through along these lines made IDS cautions and a brief period later uses signals from the alarms to seclude less made structure logs and information. Remembering the finished objective to bind request of interference, the screen needs immense learning of various working structures and hacking techniques and must comprehend logs of trademark mechanical social occasions and systems (Pearson & Singleton, 2008). The IDS can get experiences about the dissenter Association and keep up a fundamental division from or piece further affiliations furthermore pinpoint where the improvement is pointed.

Virtual Machine

This is the third most significant information hotspot used in malware establishment. This method involves shutting the system or lab environment to examine whether the malware is accessible. The virtual machines work by configuring different frameworks that run on the same equipment.

Insider File Deletion

Inside dangers originate from guests, contractual workers, merchandise, representative and another individual with the access to the organization’s resources. Inside dangers can be undermining considering the nature of their frameworks, procedures, and databases. Urgent documents can easily be erased and lost from inside dangers. A structure intrusion happens when a PC system is gotten to by an unapproved party. Structure interruptions can affect the adversity relationship as narratives can be stolen, changed or demolished, and mechanical assembly or programming can be hurt or devastated (Pearson & Singleton, 2008). In a condition study by went on in the Digital Investigation Journal, a framework impediment examination is portrayed. The circumstance showed up for this condition study will be the clarification of segregating data sources, the most key to the dedication of affirmation.

In March of 2000 at a pleasing examination office, a system administrator completing routine upkeep errands, saw another record with the name “all-amazing” on a server which he was only responsible for. The chief instantly eradicated the record and told Information Security work power (Garrie, 2014). The scene made a few labs be shut down for all that much quite a while, suspecting moving restorative examination recognizing affirmed cash related calamities for the alliance. Luckily, after a bona fide examination the at risk gathering was gotten and charged in 2004.

Prioritized Data Sources

Hard Drive

Hard drives and non-unpredictable framework information has been the subject of framework interferences and malware foundations. The live system data has been the most amazing required source, in light of unusual data. In the occasion of insider record eraser, it is prescribed to make a quantifiable copy of the hard drive to recover the data that has not been overwritten on the hard drive. The non-capricious data leaves in the specialists record table can without much of a stretch be recovered from outcast operation (Garrie, 2014). Subsequently, there is no compelling reason to stress following their steady data is not lost from the reuse compartment. The troubles of recovery of a framework hard drive are that the cached for reports might be overwritten after a time span. A challenging programmer might endeavor to use freeware, for example, the eraser to override killed data to make it unrecoverable.

Network Storage

The recuperation of a system stockpiling gadget can be examined in the insider document eraser situation. In most cases, the reports of importance to the association must be granted to a social event of individual and arranged in system stockpiling gadgets. The stockpiling gadget can consist of Storage Area Network (SAN), Windows file server and Network Attached Storage (NAS).  The most straightforward approach to recouping information is through past adaptations after a record is erased from the evolved system (Jang, Koh, & Choi, 2012). Additionally, SAN and NAS record framework provide recuperation of late preview from the managerial science interfaces. The stockpile gadgets are a duplicate of RAID, and this provides attest with the recuperating documents. Another framework Sacco may be substantial, and complex to break down to provide an additional test with the recuperating document. Insiders with regulated access can easily know how to demolish systems stockpiling volume and erase records.


Advanced legal examination, give the stage to overseeing an extensive number of data sources. In this paper, three events which drive the sort prioritization of data that are analyzed the kind of information looked for had the estimation of data in the event. Internet service provider records, detention intrusion systems, life framework information and record reviews provide critical information hotspots for system interruption. Stabling malware requires that there be a proper examination of life framework information, virtual machines, and intrusion detection system.   Recuperation of erased document depends on non-unpredictable information and most of the hard drive. Every information source has devices and focal points that make it communicate for the agent to consider subject to the current circumstance.



Faheem, M., Le-Khac, N., & Kechadi, T. (2014). Smartphone Forensic analysis: A case study for obtaining root access of an android samsung S3 device and analyse the image without an expensive commercial tool. Journal of Information Security, 5(3), 83-90

Garrie, D. B., Esq. (2014). Digital forensic evidence in the courtroom: Understanding content and quality. Northwestern Journal of Technology and Intellectual Property, 12(2), 121-128

Haggerty, J., Haggerty, S., & Taylor, M. (2014). Forensic triage of email network narratives through visualisation. Information Management & Computer Security, 22(4), 358

Jang, E., Koh, B., & Choi, Y. (2012). A study on block-based recovery of damaged digital forensic evidence image. Multimedia Tools and Applications, 57(2), 407-422

Jankun-Kelly, T., Wilson, D., Stamps, A. S., Franck, J., Carver, J., & Swan, J. E. (2011). Visual analysis for textual relationships in digital forensic evidence. Information Visualization, 10(2), 134-144

Lim, K., Lee, C., Park, J. H., & Lee, S. (2014). Test-driven forensic analysis of satellite automotive navigation systems. Journal of Intelligent Manufacturing, 25(2), 329-338

Matarneh, A. J., Moneim, U. A., & Al-Nimer, M. (2015). The intellectual convergence between the forensic audit and the external auditor toward the professionalism in jordan. International Journal of Business and Management, 10(11), 138-148

Pearson, T. A., & Singleton, T. W. (2008). Fraud and forensic accounting in the digital environment. Issues in Accounting Education, 23(4), 545-559

Reddy, K., Venter, H. S., & Olivier, M. S. (2012). Using time-driven activity-based costing to manage digital forensic readiness in large organisations. Information Systems Frontiers, 14(5), 1061-1077

Redi, J. A., Taktak, W., & Dugelay, J. (2011). Digital image forensics: A booklet for beginners. Multimedia Tools and Applications, 51(1), 133-162

Ruhnka, J., & Bagby, J. W. (2008). Forensic implications of metadata in electronic files. The CPA Journal, 78(6), 68-71

Selamat, S. R., Sahib, S., Hafeizah, N., Yusof, R., & Abdollah, M. F. (2013). A forensic traceability index in digital forensic investigation. Journal of Information Security, 4(1), 19-32

Smith, G. S. (2015). The past, present, and future of forensic accounting. The CPA Journal, 85(3), 16-21

Yasin, M., Kausar, F., Aleisa, E., & Kim, J. (2014). Correlating messages from multiple IM networks to identify digital forensic artifacts. Electronic Commerce Research, 14(3), 369-387