Digital Forensics Investigations: Data Sources and Events based Analysis


In digital forensics, data sources vary and may require different knowledge bases to understand, analyze, and report on. However, the use of data sources in digital forensics is founded upon well-delineated procedures for digital forensic investigation. Three major events inform the prioritization of different data types: malware installation, insider file deletion, and network intrusion. Once these events are prioritized, they can be analyzed based on the desired outcome or investigation objectives. For example, the data are analyzed to help solve a criminal or civil case, to determine the nature of a network intrusion, or to identify the kind of malware installed on a network system or a remote computer. It is the understanding of the nature of the intrusion and of the data sources that aids in successfully refuting or supporting a hypothesis in civil cases. The fundamental focus of such investigations is mainly access to user accounts, data breaches, virtual systems, networked devices and malware.

The fact that digital forensics offers a sound basis for refuting or supporting a court case makes it one of the most sensitive disciplines. It is on this premise that digital forensic investigators are given a platform to provide their qualified and objective verdict in cases involving data breaches and evidence analysis. However, prioritizing data types can be challenging: if it is not done well, cases are likely to fail and wrong decisions will be made that are detrimental to the parties in a court case. This paper posits that network intrusion, malware installation, and insider file deletion can only be analyzed against specific predetermined criteria, and that the prioritized data sources must be investigated beyond reasonable doubt. This paper prioritizes the data sources based on predetermined criteria.

Network Intrusion

Computer systems may be vulnerable to hacks, or unauthorized access, which are mainly done in retaliation, for profit, or even as a challenge. While network intruders include white hat, grey hat, black hat and script kiddie hackers, an intrusion may result in data loss, compromise, or access to sensitive information. In most cases, hardware and software are highly affected or even damaged and may not work efficiently. In a number of network intrusion cases, the bottom line is corporate espionage (Teng, Kaihu, Stephen, 1990).

Prioritized data sources

Account Auditing

Data sources must be prioritized. In this case, the paper analyzes various data sources for a case in which network intrusion is suspected, for example an intrusion into a corporate computer network. In cases like this, it is important to first understand the nature of the network and the company's objective for networking. For example, a corporate network comprises various user accounts with varying levels of authority and access. User accounts are likely to be affected, and even encryption may not be effective in the event of a network intrusion. Therefore, it is important to first analyze and determine the accounts the intruder used to access the company's server, whether from within the company or remotely. Based on this, it is important to determine the level of access and the nature of the intrusion, and to audit the files accessed. After the network audit, it is important to determine whether there were both technical and administrative controls in place, such as routine password upgrades. Nevertheless, all organizations must have policies in place to ensure that access controls are audited and upgraded periodically, and all nodes or computers in a networked system must have a uniform policy in order to avoid exploitation by intruders (Peterson & Shenoi, 2009, pp. 17–36).

Apart from user accounts, there should also be technical and administrative security measures for the server or central system accessed by all users. In a company such as GE, administrative control overrides system control because all access is controlled centrally by designated personnel. All companies must run an intelligence system with high-strength encryption that can evaluate attempted access; incorrect login attempts are limited to four, with account termination in the event of failed attempts (Palmer, Scientist, 2002).
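The account audit described above can be sketched as follows. This is an added example, not part of the original paper: the log format, account names and addresses are constructed, and it assumes the four-attempt limit means an account should be disabled at its fourth consecutive failure.

```python
import re
from collections import defaultdict

MAX_FAILED = 4  # limit on incorrect login attempts stated in the text

# Constructed sample log; the line format is an assumption for this example.
SAMPLE_LOG = """\
2024-03-01T02:14:01 LOGIN_FAIL user=svc_backup src=203.0.113.7
2024-03-01T02:14:03 LOGIN_FAIL user=svc_backup src=203.0.113.7
2024-03-01T02:14:06 LOGIN_FAIL user=svc_backup src=203.0.113.7
2024-03-01T02:14:09 LOGIN_FAIL user=svc_backup src=203.0.113.7
2024-03-01T02:15:30 LOGIN_OK user=svc_backup src=203.0.113.7
2024-03-01T08:00:01 LOGIN_FAIL user=jdoe src=10.0.0.5
2024-03-01T08:00:09 LOGIN_FAIL user=jdoe src=10.0.0.5
2024-03-01T08:00:20 LOGIN_OK user=jdoe src=10.0.0.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_FAIL|LOGIN_OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def audit_logins(log_text, max_failed=MAX_FAILED):
    """Per account: when the failure limit was reached, which sources were
    seen, and any successful login recorded after the limit was reached."""
    streak = defaultdict(int)  # consecutive failures per account
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        user = m["user"]
        f = findings.setdefault(
            user, {"sources": set(), "locked_at": None, "ok_after_lock": []}
        )
        f["sources"].add(m["src"])
        if m["event"] == "LOGIN_FAIL":
            streak[user] += 1
            if streak[user] >= max_failed and f["locked_at"] is None:
                f["locked_at"] = m["ts"]
        else:
            # A success after the limit means the lockout control did not hold.
            if f["locked_at"] is not None:
                f["ok_after_lock"].append((m["ts"], m["src"]))
            streak[user] = 0
    return findings

if __name__ == "__main__":
    for user, f in audit_logins(SAMPLE_LOG).items():
        print(user, f)
```

An entry in `ok_after_lock` is the finding that matters for the audit: it shows the technical control was absent or not enforced for that account.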

Live System log data

Live system data may include all real-time system access. For example, a computer access log can be useful for determining the nature of access and the level of intrusion. There should be a system firewall and, where possible, an advanced system for capturing all login data and attempted entries. One of the most important things to know about in live system data is ghost workers and system users who piggyback on other permitted users. For example, a system such as EnCase Forensic can be used for digital investigation, as it provides efficient and forensically sound data collection and investigation. Hard drives, removable media and other devices such as tablets and smartphones can be investigated easily. EnCase has been used by corporate bodies to acquire data from a number of networked systems and mobile devices and to determine whether there are potential disk-level threats. All organizations must be able to provide court-referenced digital forensic standards. A company must be able to provide reports generated by automated investigative tasks (Sammons, 2012; Palmer, 2001, pp. 27–30; Wilding, 1997, p. 236).

It is easy to capture all illegal access. Live forensics is one of the industry-standard processes that help identify real-time threats, and in most cases it is assumed to be more accurate for digital forensics. In fact, as industry standards, a number of insurance companies and courts propose SafeBack, livedata, EnCase, MDUMP, WindowsSCOPE, XRY and Radio Tactics Aceso. Organizations are currently trying to use different digital forensic tools to examine computers while they are still running their operating system, because these tools are capable of extracting actual forensic evidence. However, it is important to note that this approach can modify the stored data, thereby tampering with the evidence. This is why systems such as memory forensics, mobile device forensics, Hash Keeper, Evidence Eliminator, Detect and Eliminate Computer Acquired Forensics (DECAF), and computer forensics suites such as the SANS Investigative Forensics Toolkit (SIFT) and EnCase (Daniel, 2012; McDougal, 2006)

The process or methodology is quite elaborate: the forensic investigator acquires the exhibits, analyzes them and finally produces a report. The acquisition process involves extracting an exact sector-level duplicate of the media under investigation. There are a number of software and hardware write-blocking devices that can be used to prevent any changes to the original media or data. Nevertheless, advances in technology, the complexity of media types and growing storage capacity have made it necessary to use live acquisition, in which a copy of the data, not the original, is made for evidence analysis and is then hashed using either SHA-1 or MD5. The analysis process is also elaborate, as it involves recovering evidence through various tools and methodologies, such as keyword searches in both the allocated and the slack space; the evidence is then further analyzed and reported by professionals in the simplest language possible (Vaccaro & Liepins, 1989).
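The hashing and keyword-search steps above, as an added example that is not part of the original paper. The image contents, file names and search term are constructed; the code computes both MD5 and SHA-1 over the original and the working copy and searches the raw bytes, so hits are found whether they lie in allocated data or in slack.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK = 64 * 1024
KEYWORD = b"PROJECT-ORION"  # constructed search term

def build_sample_image(path):
    """Write a constructed 4-sector (2048-byte) raw image for the demo."""
    img = bytearray(2048)
    img[0:20] = b"current file content"
    img[812:825] = KEYWORD    # remnant left in unused (slack) bytes
    img[1018:1031] = KEYWORD  # straddles the 1024-byte boundary
    img[1536:1549] = KEYWORD  # inside allocated data
    with open(path, "wb") as f:
        f.write(img)

def hash_image(path):
    """Stream the image once and return (md5_hex, sha1_hex)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()

def keyword_offsets(path, keyword, chunk=CHUNK):
    """Return byte offsets of keyword in the raw image, including hits
    that span two read chunks."""
    hits, tail, base = [], b"", 0
    with open(path, "rb") as f:
        while block := f.read(chunk):
            data = tail + block
            i = data.find(keyword)
            while i != -1:
                hits.append(base - len(tail) + i)
                i = data.find(keyword, i + 1)
            # Carry over just enough bytes to catch a hit split across reads.
            tail = data[-(len(keyword) - 1):] if len(keyword) > 1 else b""
            base += len(block)
    return hits

def demo():
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "evidence.dd")
        working = os.path.join(d, "working.dd")
        build_sample_image(original)
        shutil.copyfile(original, working)
        match_before = hash_image(original) == hash_image(working)
        hits = keyword_offsets(working, KEYWORD, chunk=512)
        with open(working, "r+b") as f:  # simulate a change to the copy
            f.seek(100)
            f.write(b"\x01")
        match_after = hash_image(original) == hash_image(working)
        return match_before, hits, match_after
```

Mapping each offset back to a file or to slack requires the file system's allocation metadata, which this raw search does not read.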

Intrusion detection system

The intrusion detection system (IDS) has become the novel approach to digital forensics. For example, it is the only data source that can be used to monitor the entire network for unusual or unauthorized activities such as security breaches or policy violations. The system then generates a report (log). It is important to note that, although a number of IDSs can stop an intrusion attempt, this depends on the provider, as the capabilities of these systems differ between providers. The IDS detects possible incidents and keeps a log of any access or intrusion. The IDS is also used by organizations for a number of purposes, for example to identify breaches of security protocol, possible threats and future threats, to deter intruders and to report any form of intrusion. Investigators rely on the ability to reconfigure the IDS and monitor traffic across the entire network. Any unauthorized access is logged and later analyzed. This also leads to the securing and processing of critical systems after the IDS monitoring. One of the main features of IDSs is that they can be programmed to alert a system administrator whenever there are disallowed network activities or the system traffic is not normal. One of the key techniques used by the IDS is signature matching, as it searches the networked system for any activity

Signature matching is the process of determining when a library component “matches” a query. It is reasonable to assume that signature information is either provided with or derivable from code components, since this information is typically required by the compiler. One of the key weaknesses of signature matching is that it can produce a false positive or a false negative through a false alarm or alert (Anderson, 2001, pp. 387–388).

The methodology used by forensic experts includes sorting the IDS-generated alarms and analyzing the areas where alarms have been prominent for vulnerabilities. This process requires adequate information, knowledge and experience with a number of computer systems, because different computer systems have dissimilar vulnerabilities and limitations. While the IDS is considerably effective, it is prioritized third among the most useful forensic sources of data (Lunt, Teresa, 2009, pp. 110–121).
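The false positive and false negative weakness of signature matching, and the sorting of alarms by where they are prominent, can be seen in a small model of how an IDS applies signatures to traffic. This is an added example, not part of the original paper: the signature IDs, hosts, requests and ground-truth labels are all constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed signatures (hypothetical IDs) matched against the request line.
SIGNATURES = {
    "SIG-1001 passwd file request": re.compile(r"/etc/passwd"),
    "SIG-1002 admin console probe": re.compile(r"/admin/login", re.I),
}

# Constructed events: (destination host, request, known to be malicious?)
EVENTS = [
    ("web01", "GET /download?file=../../etc/passwd", True),
    ("web01", "GET /download?file=..%2F..%2Fetc%2Fpasswd", True),
    ("wiki01", "GET /docs/linux/what-is-/etc/passwd.html", False),
    ("web01", "GET /Admin/Login", True),
    ("web02", "GET /index.html", False),
]

def match(request, normalize):
    """Names of all signatures that fire on the request. With normalize=True
    the request is percent-decoded first, as a preprocessor would do."""
    text = unquote(request) if normalize else request
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]

def evaluate(events, normalize=False):
    """Run every event through the signatures, then sort alarms by host and
    list where the verdict disagrees with the known ground truth."""
    alarms, false_pos, false_neg = Counter(), [], []
    for host, request, malicious in events:
        hits = match(request, normalize)
        if hits:
            alarms[host] += len(hits)
        if hits and not malicious:
            false_pos.append(request)  # alarm on benign traffic
        if malicious and not hits:
            false_neg.append(request)  # malicious traffic with no alarm
    return {
        "by_host": alarms.most_common(),  # hosts where alarms are prominent
        "false_positives": false_pos,
        "false_negatives": false_neg,
    }

if __name__ == "__main__":
    print(evaluate(EVENTS))
    print(evaluate(EVENTS, normalize=True))
```

Decoding the request before matching removes the false negative in this sample, while the false positive on the documentation page remains and has to be resolved by an analyst reviewing the alarm.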

Malware Installation

Malware is malicious software with the capability of disrupting or corrupting the scripts or code of an online entity. The software is mainly attached to messages, emails, advertisements and external links, so that when a link is clicked it is introduced onto (installed on) the system. There are many types of malware; the most common include Trojan horses, computer viruses and spyware. Malware slows down the computer or makes it present false prompts about digital signatures and passwords. Most malware is updated regularly and so can beat any antivirus software, which is why most software is regularly updated to improve its effectiveness against known vulnerabilities. In the case of malware, it is the duty of the administrator to investigate the system and, if possible, install updated antivirus software, because malware is easily installed (Carrier, 2006, pp. 56–61).

Prioritized data sources

Live System Data

In the event of suspected malware or a malware security alert, it is important to start monitoring all incoming data files for embedded malware. It is also important to conduct a complete security scan. There are a number of tools that can be used to scan an entire computer network or a standalone computer. For example, Helix 3 is a very strong system for detecting live threats. However, there are many cases of false positives, which might require offline scanning for threats, especially in networking systems, devices and antivirus software (Brand, Valli, & Woodward, 2010; Cappelli et al., 2005).

Intrusion Detection System

The intrusion detection system is second to the live system data. An intrusion detection system can easily detect threats that were not detected through the live system data. One of the most commonly used IDSs is Wireshark. However, others such as ACARM-ng, AIDE, Bro NIDS, OSSEC HIDS, Prelude Hybrid IDS, Samhain, Snort and Suricata all work under similar protocols. For example, they identify fishy incidents such as logins, collect adequate information about such events and report any fishy login attempts. They can also be used to identify any action that contravenes the security policies and to document any threat detected (Scarfone & Mell, 2007, pp. 800–94).

Virtual systems/machines

In the recent past, many companies have used virtual servers and cloud storage for the sake of disaster recovery. However, virtual systems are not free from threats either. For example, both private and public cloud systems are vulnerable to various kinds of threats. Many large organizations have deployed a private network, while a number of NGOs tend to prefer a closed network system. There are virtual systems that can monitor a private networked system and allow a threat to be visualized in a virtualized environment. VMware products can be used to create a mock network and monitor the entire network for threats, which are then analyzed so that the necessary measures can be deployed to protect the system. However, despite the success of virtualized systems, it is important to note that they also have limitations and known vulnerabilities. For example, they cannot simulate or even detect the OS, and this is one of the reasons for the unpopularity of the VM.

Insider File Deletion

Employees, contracted service providers and other players may also wish to sabotage the system, or may even accidentally delete files within the company's networked system or server. However, these are only people who have access, whether authorized or unauthorized, to the company’s files and can access the database. Additionally, given the possibility of such access, it is important to have a system for data recovery. In the US alone, there are companies that have lost massively due to logic bombs implanted by estranged employees.

Prioritized data sources

Hard Disk (Non-volatile system data)

Hard drives are the most stable storage devices in a computer system. However, they have been very vulnerable to insider file deletion. While most of this deletion occurs by way of installed viruses that corrupt the files beyond reading, there are measures that can be taken to prevent unnecessary loss of important company data. For example, it is important to make a copy that can be used for backup purposes. Additionally, it is important to note that there is much computer software that can be used to retrieve or restore compromised computer files.

Network Storage

Local area networks, storage area networks and other small networked storage systems can be a major target for insider file deletion. Many organizations have a Windows file server used for a remote collaborative working system. In such systems, files are placed centrally on the network for easy remote access. However, these files are easy to identify and delete. There is much software that can be used to undelete deleted files from a system, but this is limited to a few instances and to a few days after deletion. It is important to understand the nature of the deletion, because some events lead to complete deletion or destruction of the storage devices.


Digital forensic investigations can be the most difficult work, especially considering the number of data sources, the possible number of threats and breach instances, and the methodologies used in digital forensic investigations. Prioritizing these data sources can be difficult. All of the discussed data sources have overlapping threats, but with time, advances in technology require advanced systems. For each of the data sources, advantages and disadvantages are discussed.


Scarfone, Karen; Mell, Peter (February 2007). "Guide to Intrusion Detection and Prevention Systems (IDPS)". Computer Security Resource Center (National Institute of Standards and Technology) (800–94)

Anderson, Ross (2001). Security Engineering: A Guide to Building Dependable Distributed Systems. New York: John Wiley & Sons. pp. 387–388.

Lunt, Teresa F., "IDES: An Intelligent System for Detecting Intruders," Proceedings of the Symposium on Computer Security; Threats, and Countermeasures; Rome, Italy, November 22–23, 1990, pages 110–121

Vaccaro, H.S., and Liepins, G.E., "Detection of Anomalous Computer Session Activity," The 1989 IEEE Symposium on Security and Privacy, May, 1989

Teng, Henry S., Chen, Kaihu, and Lu, Stephen C-Y, "Adaptive Real-time Anomaly Detection Using Inductively Generated Sequential Patterns," 1990 IEEE Symposium on Security and Privacy

GL Palmer, I Scientist, H View (2002). "Forensic analysis in the digital world". International Journal of Digital Evidence.

Carrier, Brian D. (February 2006). "Risks of live digital forensic analysis". Communications of the ACM 49 (2): 56–61.

Sammons, John (2012). The basics of digital forensics: the primer for getting started in digital forensics. Syngress.

Gary Palmer, A Road Map for Digital Forensic Research, Report from DFRWS 2001, First Digital Forensic Research Workshop, Utica, New York, August 7 – 8, 2001, Page(s) 27–30

Wilding, E. (1997). Computer Evidence: a Forensic Investigations Handbook. London: Sweet & Maxwell. p. 236

Peterson, Gilbert & Shenoi, Sujeet (2009). "Digital Forensic Research: The Good, the Bad and the Unaddressed". Advances in Digital Forensics V (Springer Boston) 306: 17–36.

Brand, M., Valli, C., & Woodward, A. (2010, November). Malware forensics: Discovery of the intent of deception. Originally published in the proceedings 8th Australian digital forensics conference, Perth, Australia. Retrieved from

Cappelli, D., Keeney, M., Kowalski, E., Moore, A., & Randazzo, M. (2005). Insider threat study: Illicit cyber activity in the banking and finance sector. (Technical Report, Carnegie Mellon Software Engineering Institute). Retrieved from

Daniel, L. (2012). Digital Forensics for Legal Professionals. Waltham, MA: Elsevier Inc. Retrieved from

McDougal, M. (2006). Live forensics on a windows system: Using windows forensic toolchest. Retrieved from

