Digital Forensics with Artificial Intelligence Internet of Things
F M Spencer December 2018
Table of Contents
Abstract
Introduction
Processing and Handling Digital Evidence
Privacy and Legal Issues for Acquiring Data or Device
Decoding Encryption
Data Acquisition Methodology
Forensic and Investigative Tools
Future Strategies
References
Abstract

Criminals and the investigators who pursue them are in a continual race. Criminals assume that advances in technology keep them steps ahead, and digital forensic authorities can at times appear to lag behind well-equipped offenders. Networks of Internet of Things (IoT) devices appear to narrow this gap, with Artificial Intelligence (AI) supplying algorithms that speed up the work of cornering perpetrators. Digital forensics will for the most part not be fully automated, because crime scenes and criminal activity do not follow standard statistical patterns but are random and diverse. AI can assist with encrypted evidence, for example by helping to recover keys and passphrases from live memory, leaving criminals exposed. Forensic investigators, whatever the degree of automation, will continue to follow stringent procedures for gathering evidence in compliance with the law of each jurisdiction, advance their own knowledge, and train to work side by side with the emerging technologies of AIoT. Data scientists depend on investigators' feedback to design AIoT algorithms. Now and in the future, AIoT will carry out routine tasks as a smart assistant while investigators analyze the unpredictable criminal mindset.

Introduction

Forensic investigators require advanced systems to examine crime scenes, collect evidence, and analyze data. IoT enhances AI by linking devices and exchanging signals and data (Woods, 2018). Using IoT and AI together, collectively AIoT, to automate forensics at crime scenes is no longer optional but a viable and necessary procedure. Current AIoT developments for forensic investigation continue to evolve in step with the underlying technologies. AI-assisted investigation increases the efficiency of forensic methods for data acquisition, scene analysis, devices, encryption, storage, and investigative tools. Humans program AIoT algorithms to produce specific results.
Hence AIoT cannot wholly replace human investigators in gathering evidence at crime scenes. What passes for AI learning is pattern recognition trained on data and steered by manually tuned, application-specific algorithms and workflows (Leetaru, 2018). Crime scenes and criminals do not exhibit the predictable patterns that programmable AIoT functions assume. Human investigators, by contrast, analyze the full picture to identify evidence relevant to legal proceedings. AIoT and humans must therefore work together to identify and collect evidence from crime scenes by applying the investigative disciplines examined below: processing and handling digital evidence, observing privacy and legal constraints on acquiring devices or data, dealing with encryption, streamlining data acquisition from devices and the cloud, and applying the best available hardware and software forensic tools.

Processing and Handling Digital Evidence

Investigations must have untainted and uncompromised evidence to be legitimate in legal proceedings. Uncompromised proof from an untampered crime scene, the first rule of investigation, depends on investigators' understanding of how to tailor their evidence-gathering strategy to the suspect devices that led to the criminal activity. As digital technologies advance, so do digital crimes, which makes it necessary to assemble evidence from multiple venues for practical use in legal proceedings (Soltani & Seno, 2017). With the extensive use of smartphones, the internet, and storage, criminals leave traces that investigators must retrieve correctly, or a court may disregard them as improperly handled evidence. Digital evidence is present in virtually all criminal investigations, even as fragments of stored or deleted data, and is recoverable with the appropriate forensic tools (Haris & Salkic, 2016). Investigators are accountable for complying with the procedures for handling digital evidence.
Those responsibilities run from recognizing evidentiary digital information through gathering, containing, recording, assessing, and ordering it, and verifying that exactly the same results can be reproduced multiple times (Nelson, Phillips, & Steuart, 2019). Investigators must preserve the integrity of digital evidence all the way from the crime scene to the digital forensics lab. The standard method for producing image files is to create a forensic image of the captured digital evidence, store it on an approved hard drive or RAID, compute a digital hash of the image file with a hashing algorithm such as MD5 or SHA-1, safeguard the original media separately, and analyze the image with appropriate forensic tools (Nelson, Phillips, & Steuart, 2019). Because MD5 and SHA-1 both have published collision attacks, a practitioner should record a SHA-256 digest alongside any legacy digest, so that the image can still be authenticated if the weaker algorithm is challenged in court.
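The hash-and-verify step above, as an added example that is not code from this paper or from the tools it cites: it computes MD5, SHA-1 and SHA-256 over an image file in fixed-size chunks so a multi-gigabyte image never has to fit in memory, records the digests in a chain-of-custody entry, and re-verifies the file later; checking every recorded digest means that substituting a file would require a simultaneous collision in all three algorithms. The sample image is a constructed byte string written to a temporary file, and the examiner name and source description are placeholders, not data from any real acquisition.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

ALGORITHMS = ("md5", "sha1", "sha256")
CHUNK_SIZE = 1024 * 1024  # 1 MiB: stream the image, never load it whole


def compute_digests(path, algorithms=ALGORITHMS, chunk_size=CHUNK_SIZE):
    """Hash the file at `path` in one pass, feeding every chunk to all algorithms."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def make_custody_record(path, examiner, source_description):
    """Build the custody entry that accompanies the image from scene to lab."""
    return {
        "image": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "source": source_description,
        "digests": compute_digests(path),
    }


def verify_image(path, record):
    """Recompute every recorded digest; any mismatch means the image changed.

    Returns (ok, mismatched_algorithms), sorted so the result is stable.
    """
    current = compute_digests(path, algorithms=tuple(record["digests"]))
    mismatched = sorted(
        name for name, digest in record["digests"].items()
        if current[name] != digest
    )
    return (not mismatched, mismatched)


def demo():
    """Constructed scenario: image, record, verify, tamper, verify again."""
    # Constructed sample "image" (hypothetical content, not a real disk).
    image_bytes = b"MBR" + bytes(range(256)) * 64 + b"EOF"
    with tempfile.TemporaryDirectory() as workdir:
        image_path = os.path.join(workdir, "evidence.dd")
        with open(image_path, "wb") as fh:
            fh.write(image_bytes)
        # "examiner-01" and the source text are placeholders.
        record = make_custody_record(image_path, "examiner-01", "constructed sample")
        before = verify_image(image_path, record)
        # Flip one byte, as a careless write to the original image would.
        with open(image_path, "r+b") as fh:
            fh.seek(100)
            fh.write(b"\x00" if image_bytes[100] != 0 else b"\x01")
        after = verify_image(image_path, record)
    return record, before, after


if __name__ == "__main__":
    rec, ok_before, ok_after = demo()
    print(json.dumps(rec, indent=2))
    print("verification before tampering:", ok_before)
    print("verification after tampering:", ok_after)
```

Re-running `verify_image` against the stored record is the "recreate exact outcomes multiple times" requirement in executable form; the record itself should be signed or stored on write-once media, since a hash only proves integrity relative to the value that was recorded.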
Investigators must maintain high standards and quality while collecting evidence to avert countersuits. The Department of Justice website gives details of evidence processing and handling, including the Federal Rules of Evidence (FRE; www.uscourts.gov/uscourts/rules/rulesevidence.pdf), notably the business-records exception in FRE 803(6), and the section (Section V) that refers to seizing electronic evidence. Besides following the legal path of search warrants, investigators must comply with the guidelines for each type of evidence gathering. Authorities have established standards and bylaws for best practice, which continue to evolve as technology develops, derived from ISO/IEC 27037:2012 (the ISO guidelines for identification, collection, acquisition, and preservation of digital evidence; ISO, 2012) and the Digital Forensics Research Workshop (DFRWS) model (Haris & Salkic, 2016). The High Technology Crime Investigation Association and the International Association of Computer Investigative Specialists insist on disk-imaging methodologies that establish the trustworthiness, completeness, accuracy, and verifiability of evidence taken from computer disks and that comply with legal procedure (Kenneally & Brown, 2005). Disk imaging, however, carries financial and legal burdens, since mitigating the associated risks is costly for investigative organizations when weighed against the benefits. Data and devices from crime scenes cannot be allowed to become obstacles to proper legal proceedings, so investigators must comply with standards and handling processes. In cybercrime, an age-old concern among forensic examiners is the cost of travelling to gather compelling proof from tampered devices, which delays investigations and hinders protecting victims and catching offenders. The alternatives involve expensive tools and specialist know-how, and again expose the evidence to adulteration and loss of information when it is relocated to other computers (Kaspersky Lab, 2017). The merger of AI and IoT technologies, AIoT, produces intelligent links, structures, and solutions capable of resolving a wide range of issues through machine learning and enhanced decision making (Woods, 2018).

Data scientists can program AIoT with algorithms for the routine procedures detailed above, in keeping with the DOJ rules for crime scene investigation and with minimal human intervention. Present tools use object-recognition systems to detect manipulated images or image regions. Trusting a neural network's guesses is exceptionally challenging: a guess emerges from several hundred to thousands of individual nodes each making decisions, and making that route transparent is work in progress. Visualizing the object-recognition method lets software developers gain a more fine-grained understanding of how the network learns. Human intelligence, for all its imperfections relative to machines, has the flexibility and aptitude to comprehend multifaceted environments (Martineau, 2018). Investigators can initially assess the crime scene and identify evidence, then let AIoT handle, process, and record the forensic details to reduce human error.

Privacy and Legal Issues for Acquiring Data or Device

Investigators, bound by local and federal law, must acquire data and devices at crime scenes appropriately. Each state has specific guidelines for gathering and storing evidence, which investigators must follow along with the controls of the Federal Rules of Evidence (Nelson, Phillips, & Steuart, 2019). Mishandling that invites a countersuit or raises doubt at trial has severe legal ramifications: the culprit may escape conviction, and investigators must defend their actions in cumbersome lawsuits. Authorities must train and certify as digital forensic investigators, even at financial cost, because amateurs can destroy crucial evidence. The prime example is the Brad Cooper case, in which a marginally trained investigator unintentionally destroyed data on the smartphone out of ignorance (Lynne, 2011).

Certified investigators must know the search warrants and subpoenas required under the respective domestic and international laws, because without legal documents investigators may not touch crime scene data and devices. Everyone has a right to privacy under the Fourth Amendment of the US Constitution, which protects against unreasonable searches of persons and their property (Cornell, 2018). Computers, network logs, emails, images, and word-processing files hold relevant evidence of criminal activity, which investigators can retrieve from electronic devices even after deletion. Most crimes leave digital traces, and investigators need this evidence to implicate perpetrators. To respect the privacy of all persons, investigators are bound by the Fourth Amendment as well as by the statutory privacy laws codified at 18 U.S.C. §§ 2510-22 (the Wiretap Act), 18 U.S.C. §§ 2701-12 (the Stored Communications Act), and 18 U.S.C. §§ 3121-27 (the Pen Register Act) (Brattain, 2016). The government cannot wiretap anyone without a judge's warrant, a requirement that agencies such as the FBI and IRS sidestep by instead gathering the digital traces individuals leave with third parties (Meyer, 2014). Authorities need not show probable cause to collect information from internet service providers, phone companies, or online services such as Google (Meyer, 2014); if they suspect a crime and want to track digital footprints, however, they must obtain the proper legal process. Thus authorities can obtain IP addresses and GPS locations in real time with a court order, and with a subpoena they can obtain historical records of IP addresses and locations, including text messages and emails stored for more than 180 days (Meyer, 2014). The same rules do not apply to public postings on social media. Authorities can instead issue time-limited subpoenas to social media providers under Fed. R. Civ. P. 26(b)(1), which governs the scope of discovery (Cornell, 2018), when it is necessary to trace posts and users on the platform (Lee, 2015). Social media companies initially refused to disclose data in the name of user privacy; authorities then relied on 18 U.S.C. § 2702(b)(3) as valid consent where defendants' own public posts are used as evidence in criminal proceedings (see also 18 U.S.C. § 2703 on required disclosure of customer communications or records; Vogeler, 2018). Whether public or private, retrieving data without permission or probable cause is against the law.

Investigators must take extra steps to obtain the necessary legal documents for gathering information and evidence at crime scenes. The merger of artificial intelligence with the internet of things, AIoT, offers a solution for readiness, since legal exposure may shrink when data collection is continuous and documented. Human error diminishes, and people under surveillance will need a different set of laws to address the resulting privacy issues. Laws change very slowly even as technologies develop rapidly. AIoT algorithms, functioning as smart assistants to principal investigators, cover the routine tasks of automated data collection and storage. AIoT use may give rise to additional legal frameworks similar to the General Data Protection Regulation (US SEC, 2018). AIoT support would identify the applicable legal requirements and complete the necessary steps, which may largely prevent countersuits.

Decoding Encryption

Encryption protects data even from sophisticated digital forensic investigators, who need the key or passphrase to decrypt it. Live forensic retrieval and virtualization are viable options for recovering data (Casey & Stellatos, 2008). Criminals are quite advanced in safeguarding data with encryption. Investigators should therefore use tools that read the decrypted (mounted) volume while the computer is still running, because once it is shut down the mounted view is gone and the data is unavailable in a static memory dump (Rafique & Khan, 2013). Investigators use multiple tools and solutions to prevent data loss during decryption and unravel criminal activity. A significant amount of data can be lost when investigators attempt to retrieve encrypted evidence at crime scenes, especially during static acquisition (Balogun & Zhu, 2013). The lost data may include passwords, clipboard contents, and encryption keys, since volatile RAM loses its contents when the system is shut down (Nelson, Phillips, & Steuart, 2019).

Criminals who use the latest technology stay steps ahead of authorities, and authoritative bodies may lag behind these developments. Criminals know how to hide information from authorities with ciphers and encryption, including puzzles such as Kryptos, whose complex decoding demands many hours before data can be retrieved (Higgins, 2012). Encryption continues to become more complex, with long and involved algorithms, so forensic investigators need better solutions and tools to retrieve data for criminal proceedings. To date, only questionable solutions and tools exist for retrieving data from IoT devices, and encryption is the specific challenge investigators face (Watson & Dehghantanha, 2016). Encrypted chat on Android adds a further set of data-retrieval problems. Zhang, Chen, and Liu (2018) show that, using two Android phones of different brands, investigators can decrypt and retrieve instant-messaging data by rooting one of the phones. For now, encryption may be the data-preservation mode of choice; but with rapid advances in forensic investigation, data acquisition from encrypted devices also poses a threat of criminal inquiry to the perpetrators. The author envisions AIoT devices logging encryption details together with the accompanying passphrases and keys, so that authorities can retrieve them later if illegal activity makes an investigation necessary; in effect this is a form of key escrow, which raises the privacy questions discussed above. As a demonstration of what machine learning adds, an AI model trained to recognize German-language features, attached to the output of a simulated Bombe, flagged the candidate decryptions to pursue and broke an Enigma message in under 15 minutes (Allen, 2017). The author expects AIoT algorithms to decrypt ever more complicated encryption as these systems develop. A caveat is in order: Enigma was a 1940s rotor cipher with known structural weaknesses, and no comparable shortcut exists for a modern cipher such as AES, so the realistic contribution of automation is recovering keys and passphrases from live memory, configuration, or backups, not breaking the cipher itself.

Data Acquisition Methodology

Data acquisition, imperative for forensic investigators, remains both possible and challenging. As discussed above, for encrypted data live acquisition is required to avoid losing information to RAM volatility when the system is shut down. In live acquisition, the order of volatility, that is, which sources to capture first, depends on how long each kind of information persists on the system and the network.
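The keys-in-RAM point above can be made concrete. What follows is an added example, not code from this paper or from any tool it cites: it searches a memory image for AES-128 keys by exploiting the fact that software AES implementations keep the full expanded key schedule in memory, so any 16-byte window whose FIPS-197 key expansion is laid out immediately after it is almost certainly a live key. This is the approach of the aeskeyfind tool from the 2008 cold-boot research, reimplemented here from the FIPS-197 specification. The memory image is a constructed byte string, the key is the FIPS-197 Appendix A test key, and the offsets are arbitrary choices, not evidence from any real case.

```python
import random

AES128_SCHEDULE_LEN = 176  # 11 round keys x 16 bytes


def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def _build_sbox():
    """Generate the AES S-box (FIPS-197 5.1.1) from GF(2^8) inversion followed
    by the affine transform, walking the field with generator 3 so that p and
    q stay multiplicative inverses; this avoids typing a 256-entry table."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p = p * 3
        q ^= (q << 1) & 0xFF                                   # q = q / 3
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63  # zero has no inverse; only the affine constant remains
    return sbox


SBOX = _build_sbox()


def expand_key(key, nwords=44):
    """AES-128 key expansion (FIPS-197 5.2). The full schedule is 44 words
    (176 bytes); a smaller nwords yields just the leading round keys."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    words = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 0x01
    for i in range(4, nwords):
        temp = list(words[i - 1])
        if i % 4 == 0:
            temp = temp[1:] + temp[:1]            # RotWord
            temp = [SBOX[b] for b in temp]        # SubWord
            temp[0] ^= rcon                       # Rcon[i/4]
            rcon = ((rcon << 1) ^ (0x1B if rcon & 0x80 else 0)) & 0xFF
        words.append([a ^ b for a, b in zip(words[i - 4], temp)])
    return bytes(b for w in words for b in w)


def find_aes128_keys(image):
    """Scan a memory image for AES-128 keys and return [(offset, key)].

    A software AES implementation keeps the expanded schedule next to the
    key, so a 16-byte window is a key if the 160 bytes after it equal its
    expansion. Stage 1 checks only the second round key (cheap); stage 2
    confirms the whole schedule so a 32-byte coincidence is never reported.
    """
    found = []
    for off in range(len(image) - AES128_SCHEDULE_LEN + 1):
        cand = image[off:off + 16]
        if image[off + 16:off + 32] != expand_key(cand, 8)[16:]:
            continue
        if image[off:off + AES128_SCHEDULE_LEN] == expand_key(cand):
            found.append((off, bytes(cand)))
    return found


def build_sample_image(seed=7):
    """Constructed memory image (not a real capture): 4 KiB of seeded
    pseudo-random filler with the FIPS-197 Appendix A test key's schedule
    at offset 0x200 and, as a decoy, the bare key with no schedule at
    0xBB8. A correct search reports the first and ignores the second."""
    rng = random.Random(seed)
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
    image = bytearray(rng.getrandbits(8) for _ in range(4096))
    image[0x200:0x200 + AES128_SCHEDULE_LEN] = expand_key(key)
    image[0xBB8:0xBB8 + 16] = key
    return bytes(image), key


if __name__ == "__main__":
    image, key = build_sample_image()
    for off, k in find_aes128_keys(image):
        print(f"AES-128 key schedule at offset 0x{off:x}: {k.hex()}")
```

On a real RAM dump the same scan is run over the whole capture (production tools tolerate a few bit errors in the schedule to cope with decayed memory, which this version does not). The decoy in the sample image illustrates the limit of the technique: a key that is present only as 16 raw bytes, with no schedule beside it, is indistinguishable from random data and is not found, which is why the acquisition must be taken while the encrypting process is still running.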
Live acquisition starts with creating a bootable forensic drive, recording every action, using FTK Imager (Forensic Toolkit Imager) for the RAM dump or acquisition, and storing the data on a sterile drive (Nelson, Phillips, & Steuart, 2019). Data acquisition in the cloud presents yet another challenge. Cloud data is virtual, short-lived, and geographically dispersed, which raises legal as well as technical problems. Collecting and analyzing the residual data that cloud storage clients such as Dropbox, OneDrive, and Google Drive leave on the local device streamlines forensic investigations (Ab Rahman, Cahyani, & Choo, 2016). Given the rapid shift of computing to mobile and IoT devices backed by the cloud, authorities will have to design another set of solutions and tools to retrieve data from virtual cloud storage. Investigators have to reach the servers behind SaaS offerings, from IoT devices to cloud-based CRM systems or proprietary source code repositories, to retrieve information (Shomo, 2018). An open-source remote forensics tool such as Kaspersky Lab's BitScout can remotely collect crucial forensic artifacts, take complete disk images of storage attached locally or over the network, and assist remotely with malware incident handling in cybercrime cases; even the analysis can be carried out remotely, with container-based isolation keeping the source data intact (Kaspersky Lab, 2017). Remote forensics may cost less for data acquisition and may reduce the need for storage. Image-forensics tools, as mentioned above, can distinguish a tampered image from the original. Virtual storage may take yet another form in AIoT systems, so forensic investigators will need a new set of skills and tools to carry out investigations.

Forensic and Investigative Tools

As technology moves toward artificial intelligence and the internet of things (AIoT), forensic investigation continues to employ advanced systems to gather data for criminal proceedings.
While automation removes most incidences of human error, AIoT is not flawless. Live data acquisition from hardware is preferable to static acquisition for near-complete data retrieval, because volatile RAM loses its data on shutdown. Hardware and software tools used in forensic investigation include Autopsy, OSForensics, WinHex, and IrfanView. Kaspersky Lab's (2017) BitScout, customizable to an investigator's requirements, comes with upgraded features and tailored software. BitScout, an open-source solution that is free of charge, transparent, user-friendly, and self-contained, functions as an instrument that even marginally trained investigators can use for incident response, remote carving, and scanning (Kaspersky Lab, 2017). AIoT may minimize human errors but is not entirely foolproof, because improved threat detection gives rise to numerous false positives that keep responders busy unnecessarily (Shomo, 2018). Certified forensic investigators will therefore continue to monitor AIoT data retrieval and storage until its glitches are resolved. In many incidents human reasoning will override AIoT findings to construct the full picture of the criminal activity. Because AIoT does not handle gray areas, human investigators will remain indispensable for reverse engineering or modeling encryption keys from RAM in a ransomware case (Shomo, 2018). As forensic tools evolve, automating incident response may reduce false positives. Security Orchestration, Automation and Response (SOAR) products, a forensic force multiplier, require advanced skills of the security professionals who run forensic investigations. While AIoT appears to increase efficiency and streamline the investigative process, human intervention remains imperative to improvise and correct crime scene investigations (Shomo, 2018). Even with Kaspersky Lab's (2017) BitScout, investigators must still intervene to examine live systems remotely without sabotaging or losing evidence.

Future Strategies

Bringing it all together, with AIoT forensic investigators can greatly reduce human error, and machine-learning detection will spot anomalies before and during criminal activity and alert authorities. AIoT systems and solutions refine, augment, and enhance network operations by extracting value from data with substantially improved processes, analytics, and results (Woods, 2018). With each AIoT development, adoption of the technology accelerates, driving costs down and raising operational efficiency. AIoT bots will improve in responding to and inspecting evidence as smart assistants to investigators, and AIoT chatbots will broaden their functions and become more efficient (Martineau, 2018).

Human responders will continue to provide the feedback needed to enhance AIoT and create more algorithms for automating forensic tasks, lowering costs and increasing efficiency. New solutions incorporate AIoT as a necessary element for streamlining tasks and minimizing human error (Press, 2018). AIoT continues to evolve and improve the automation of many functions, digital forensics included.
References

Ab Rahman, N. H., Cahyani, N. D., & Choo, K.-K. R. (2016, May 19). Cloud incident handling and forensic-by-design: Cloud storage as a case study. Concurrency and Computation: Practice and Experience.
AI.Business. (2017, October 9). How IoT and AI are helping to fight crime. Retrieved from http://ai.business/2017/10/09/how-iot-and-ai-is-helping-to-fight-crime/
Allen, T. (2017, December 1). Cloud and AI used to break Enigma code in under 15 minutes. V3. Retrieved from https://www.v3.co.uk/v3-uk/news/3022322/cloud-and-ai-used-to-break-enigma-code-in-under-15-minutes
Balogun, A. M., & Zhu, S. Y. (2013). Privacy impacts of data encryption on the efficiency of digital forensics technology. arXiv preprint arXiv:1312.3183.
Bouchaud, F., Grimaud, G., & Vantroys, T. (2018, August). IoT forensic: Identification and classification of evidence in criminal investigations. In Proceedings of the 13th International Conference on Availability, Reliability and Security (Article 60). ACM.
Brattain, B. (2016). The Electronic Communications Privacy Act: Does the Act let the government snoop through your emails and will it continue? North Carolina Journal of Law & Technology, 17(5), On-185.
Casey, E., & Stellatos, G. J. (2008). The impact of full disk encryption on digital forensics. ACM SIGOPS Operating Systems Review, 42(3), 93-98.
Cornell, L. (2018). Rules. Retrieved from https://www.law.cornell.edu/
Haris, H., & Salkic, H. (2016, February). The basic steps of digital evidence handling process. Vitez, Travnik, Bosnia and Herzegovina.
Higgins, C. (2012). Kryptos. Mental Floss. Retrieved from http://mentalfloss.com/article/12918/kryptos-cia-cipher-hiding-plain-sight
ISO. (2012, October). ISO/IEC 27037:2012, Information technology. Security techniques. Guidelines for identification, collection, acquisition and preservation of digital evidence. International Organization for Standardization.
Kaspersky Lab. (2017, July 6). Kaspersky Lab researcher creates free software tool for collecting remote evidence after cyber-attacks. Information Security Buzz. Retrieved from https://www.informationsecuritybuzz.com/news/kaspersky-lab-researcher-creates-free-software-tool-collecting-remote-evidence-cyber-attacks/
Kenneally, E. E., & Brown, C. L. (2005). Risk-sensitive digital evidence collection. Digital Investigation, 2(2), 101-119.
Lee, K. (2015, January 26). Social media subpoena guide 2015 edition. Associate's Mind. Retrieved from https://associatesmind.com/2015/01/26/social-media-subpoena-guide-2015-edition/
Leetaru, K. (2018, December 15). Does AI truly learn and why we need to stop overhyping deep learning. Forbes.
Lynne. (2011, November 8). Cary police destroy evidence in the Nancy Cooper murder investigation. Brad Cooper Case. Retrieved from https://justiceforbradcooper.wordpress.com/2011/11/08/cary-police-destroy-evidence-in-the-nancy-cooper-murder-investigation/
Martineau, K. (2018, December 16). Aleksander Madry on building trustworthy artificial intelligence. Phys.org. Retrieved from https://phys.org/news/2018-12-aleksander-madry-trustworthy-artificial-intelligence.html
Meyer, T. (2014, June 27). No warrant, no problem: How the government can get your digital data. ProPublica. Retrieved from https://www.propublica.org/article/no-warrant-no-problem-how-the-government-can-still-get-your-digital-data
Nelson, B., Phillips, A., & Steuart, C. (2019). Guide to computer forensics and investigations. Cengage Learning.
Press, G. (2018, December 12). 20 more AI predictions for 2019. Forbes. Retrieved from https://www.forbes.com/sites/gilpress/2018/12/12/20-more-ai-predictions-for-2019/#105363334d74
Rafique, M., & Khan, M. N. A. (2013). Exploring static and live digital forensics: Methods, practices and tools. International Journal of Scientific & Engineering Research, 4(10), 1048-1056.
Shomo, P. (2018, February 12). 4 reasons forensics will remain a pillar of cybersecurity. CSO Online. Retrieved from https://www.csoonline.com/article/3254180/data-protection/4-reasons-forensics-will-remain-a-pillar-of-cybersecurity.html
Soltani, S., & Seno, S. A. (2017, October 26). A survey on digital evidence collection and analysis. ICCKE 2017: 7th International Conference on Computer and Knowledge Engineering, Mashhad, Razavi Khorasan Province, Iran.
US SEC. (2018). Form S-1. Retrieved from https://www.sec.gov/Archives/edgar/data/1145057/000162828018003319/forescouts-1.htm
Vogeler, W. (2018, June 15). Social media companies must comply with subpoenas for user communications. FindLaw. Retrieved from https://lp.findlaw.com/
Watson, S., & Dehghantanha, A. (2016). Digital forensics: The missing piece of the Internet of Things promise. Computer Fraud & Security, 2016(6), 5-8.
Woods, L. (2018, December 12). Artificial Intelligence and Internet of Things convergence (AIoT) markets to 2023: IoT will represent 83% of the entire AI chipsets market by 2023. GlobeNewswire. Retrieved from https://globenewswire.com/news-release/2018/12/12/1666057/0/en/Artificial-Intelligence-and-Internet-of-Things-Convergence-AIoT-Markets-to-2023-IoT-Will-Represent-83-of-the-Entire-AI-Chipsets-Market-by-2023.html
Yakubu, O., Adjei, O., & Babu, N. (2016). A review of prospects and challenges of the Internet of Things. International Journal of Computer Applications, 139(10).
Zhang, H., Chen, L., & Liu, Q. (2018, March). Digital forensic analysis of instant messaging applications on Android smartphones. In 2018 International Conference on Computing, Networking and Communications (ICNC) (pp. 647-651). IEEE.