When finding evidence, the investigator must examine and research the facts and information found to confirm whether they are true or false. There are two main categories of investigation: OSINT investigation and digital forensic investigation.
The role of OSINT in information security operations includes the assessment, collection, and exploitation of information in support of corporate and public-sector technical intelligence requirements, specifically in IT/IS operations.
Investigations differ in difficulty and scope. The role of an investigation is to help examine and build a case for individuals or companies accused of an offence, and to provide decision makers with independent and unbiased information: a clear understanding of the relevant topics that is sensible, accurate and verifiable, answers the question asked and allows prudent decision making.
Open Source Intelligence (OSINT) is publicly accessible information and an exceptional tool of criminal intelligence. The term originates from security and law enforcement agencies and refers to intelligence derived from publicly available information sources. These sources include global media, websites, newspapers, and a range of other information available via the Internet and other media. Open source intelligence is utilised by a variety of agencies, including the United States Federal Bureau of Investigation, United States Central Intelligence, the Royal Canadian Mounted Police and Europol. Governments also use OSINT to obtain every piece of data needed for non-military and military applications. When most people search for and compare offers for flights and hotels, they do not even realise that they are doing personal OSINT. Business intelligence can use OSINT for background checks on employees and executives, commercial self-analysis and competitor analysis. Individuals can use OSINT to find people via their name, address, phone or mobile number and email address.
Some OSINT tools are The Wayback Machine, Who.is, Maltego, translation services, Jigsaw, IP2Location, NewsNow and Socialmention.
One benefit of Open Source Intelligence (OSINT) is that it is significantly less expensive than gathering information through classified means. People working in this field, such as journalists and researchers, are a valuable source of human intelligence. Many newspapers, forums and blogs dedicated to international affairs were formed because of valuable communication intelligence. Through Google Earth and similar services, high-quality images are freely available. OSINT offers a potentially greater return on investment than classified sources and satellites, which is particularly relevant for countries operating on tight intelligence budgets and resources.
OSINT has other significant advantages. First, it is shareable and accessible: information collected by an organisation can be legally and easily shared with others at little or no cost, and it is continuously up to date on any topic. Second, OSINT gathered through ethical means can be used in legal proceedings without risking the exposure of sensitive intelligence assets, and carries nearly zero risk compared to intelligence operations using spies. Lastly, and most importantly, it offers awareness and context that are critical to understanding the global security programme. The increasing complexity and interconnectedness of our world, and the declining degree of certainty and predictability, have highlighted the importance of horizon scanning and long-term strategic intelligence assessments that draw on the knowledge of multiple sources and disciplines.
However, OSINT has limitations as well: it takes a lot of time to investigate and find data that is useful to you, and while doing the research you must separate valid information from misleading and inaccurate news, which again is time-consuming.
Digital Forensic Investigation
A digital forensic investigation is a type of digital investigation in which procedures and techniques are used to recover data from digital/electronic hardware storage devices such as compact discs, HDDs, floppy disks and so on, in a way that allows the result to be admitted in a court of law. Digital forensic investigation is an exact science which deals with proof, not presumption. The rules from the ACPO ensure that evidence gathering follows internationally approved procedures, and our "Expert Witness" services may use and present the findings in a 'court ready' statement.
Different agencies use digital forensic technologies: military and government agents for help with terrorism cases; law enforcement agents for help with criminal and civil matters; law firms for cases concerning legal discovery; data recovery firms; and corporate organisations. There is also demand from human resources, legal departments, intellectual property, IT, local and federal law enforcement, and other corporate investigative bodies.
Whenever a digital forensic investigator starts a case, the computer forensic investigation must follow some basic rules, including the ACPO (Association of Chief Police Officers) guidelines. Currently, in the UK, much computer forensics work is conducted by law enforcement agencies (Police, UK Border Agency, Customs and Excise) and the process models reflect a law enforcement code. Police forces in the UK follow a guide that sets out the procedures and principles that should be pursued when dealing with incidents involving digital evidence.
The ACPO Good Practice Guide for Digital Evidence, updated in March 2012, defines the practices that need to be followed at each stage of a computer forensic investigation. The four main principles of this guide are:
· Principle 1: No action taken by law enforcement agencies, persons employed within those agencies or their agents should change data which may subsequently be relied upon in court.
· Principle 2: In circumstances where a person finds it necessary to access original data, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
· Principle 3: An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
· Principle 4: The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.
Digital Forensic investigation efforts can involve the following steps:
· Collection: the process of gathering data by searching for and seizing digital evidence, and acquiring the data.
· Examination: applying a range of tools and techniques to identify and extract data from the evidence, so that as much data as possible is available to review.
· Analysis: the process of putting together different pieces of data and sources of evidence to prove a case. It must be accurate, thorough, impartial, recorded, repeatable and completed within the timescales available and the resources allocated.
· Reporting: presenting the information gathered during the examination and analysis steps to other people in the investigation or the legal process (e.g., a written case report).
The advantage of digital forensic investigation is that it can search and analyse a vast amount of data in a short time, making it very efficient. In addition, this method allows the user to work with the data in different language settings, so keywords and data can be looked up and searched for if required in a foreign country. Also, data that was previously lost or deleted by criminals can still be retrieved from the computer, and may be a significant piece of evidence in court.
At the same time, digital forensic investigation has its limitations. One drawback is that the data can be easily modified, so it must be handled in accordance with the law to show that it has not been tampered with. Hence the data must always be authenticated, and the forensic examiners must be knowledgeable and thoroughly trained in the legally accepted procedures for handling evidence.
Finally, the main disadvantage of this method is the cost. Especially when retrieving lost or original data, computer experts may need to be hired on an hourly basis, causing large sums to be paid for long hours of service.
The people involved in the case, including legal practitioners, solicitors, judges and barristers, must know about computer forensics; otherwise they will not be able to cross-examine an expert witness.
Computer forensics is still new, and some may not understand it. The analyst must be able to communicate their findings in a way that everyone will understand.
Use of Investigation method and Case study:
For the Practical Lab assessment (CSD2217), the digital forensic investigation method was required to record information about the media provided. The primary aim of this investigation was to "image the provided media and record details from the imaging and verification process".
The hypothesis was that, by using the digital forensic investigation method, the examining process would be much faster than using the OSINT investigation method.
Within the practical assessment, the vital information to be recorded is shown in Picture 1:
For the forensic investigation, the following method was used in the order shown below:
· Collection: using the Contained Media form and the Recipient form, all the factual data were filled in for further analysis and verification. Any extra information was noted down on paper as contemporaneous notes, in case it needed to be recalled in future.
· Examination: to examine the image for fragment size, compression ratio and hash value, we used the FTK Imager software on the desktop. The image can then be stored on a hardware device such as an HDD, compact disc or other storage device.
· Analysis: to make sure the data was impartial, the recording was repeated three times and the results were compared within the available timescale.
· Reporting: as a form of legal reporting, the form was presented to the teacher, who then verified our results and the methods used in the forensic investigation.
Note: the overall time taken to complete this forensic investigation was a little under 90 minutes.
For this scenario, the forensic investigation was the better option compared to the OSINT investigation method, as forensic hardware and software were already available, so budget was not an issue. Additionally, the investigation had an overall time limit, so the method had to be fast and as precise as possible regarding the image size, ratio and hash value, as these are factual data which can be stored on the storage device if they need to be presented in court.
However, if the scenario had been different, such as finding facts that are not numeric or code-based, with slightly less time pressure, OSINT investigation would be the alternative choice. For example, for a US wildfire, the following method would be used, mirroring the steps of the digital forensic investigation:
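The imaging and verification process described in the Examination and Analysis steps above (and the audit trail that ACPO Principle 3 requires) can be illustrated with a small script. This is an added example, not code from the original report or from FTK Imager: it images a constructed 16 KiB sample "media" in fragments, records fragment size, fragment count, byte count and MD5/SHA-1 hashes, repeats the acquisition three times to check the result is repeatable, verifies a copy against the record, and emits a contemporaneous-note line. The fragment size of 4096 bytes and the examiner placeholder are assumptions for the example.

```python
"""Added example (not part of the original report): image a media source in
fixed-size fragments, record the hashes, and verify the acquired image."""
import hashlib
import io
from datetime import datetime, timezone

# Constructed sample "media": 16 KiB of deterministic bytes, standing in for
# the disk or CD that was imaged in the lab. Not real evidence.
SAMPLE_MEDIA = bytes(range(256)) * 64

# Hypothetical fragment (segment) size; real imaging tools let the examiner choose it.
FRAGMENT_SIZE = 4096


def image_media(source, fragment_size=FRAGMENT_SIZE):
    """Read the source stream in fragments, hashing each fragment and the whole.

    Returns an acquisition record of the kind the lab form asks for: fragment
    size, fragment count, total bytes, and MD5/SHA-1 of the complete image.
    """
    fragments = []
    md5_total = hashlib.md5()
    sha1_total = hashlib.sha1()
    while True:
        chunk = source.read(fragment_size)
        if not chunk:
            break
        md5_total.update(chunk)
        sha1_total.update(chunk)
        fragments.append({"index": len(fragments), "size": len(chunk),
                          "md5": hashlib.md5(chunk).hexdigest()})
    return {
        "fragment_size": fragment_size,
        "fragment_count": len(fragments),
        "total_bytes": sum(f["size"] for f in fragments),
        "md5": md5_total.hexdigest(),
        "sha1": sha1_total.hexdigest(),
        "fragments": fragments,
    }


def verify_image(image_bytes, record):
    """Recompute the hashes of an acquired copy and compare them with the record.

    Byte count and both digests must match; a single changed byte fails.
    """
    return (len(image_bytes) == record["total_bytes"]
            and hashlib.md5(image_bytes).hexdigest() == record["md5"]
            and hashlib.sha1(image_bytes).hexdigest() == record["sha1"])


def repeat_acquisition(media_bytes, times=3):
    """Image the same media several times (as the lab did) and report whether
    every run produced identical hashes, i.e. the result is repeatable."""
    records = [image_media(io.BytesIO(media_bytes)) for _ in range(times)]
    consistent = all(r["md5"] == records[0]["md5"] and r["sha1"] == records[0]["sha1"]
                     for r in records)
    return consistent, records


def audit_line(action, record, examiner="EXAMINER-PLACEHOLDER"):
    """One contemporaneous-note line for the audit trail required by Principle 3."""
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    return (f"{stamp} {examiner} {action} bytes={record['total_bytes']} "
            f"fragments={record['fragment_count']}x{record['fragment_size']} "
            f"md5={record['md5']} sha1={record['sha1']}")


if __name__ == "__main__":
    ok, runs = repeat_acquisition(SAMPLE_MEDIA)
    print(audit_line("acquired", runs[0]))
    print("three runs consistent:", ok)
    print("verification of acquired copy:", verify_image(SAMPLE_MEDIA, runs[0]))
    tampered = SAMPLE_MEDIA[:-1] + b"\x00"  # flip the last byte
    print("verification of tampered copy:", verify_image(tampered, runs[0]))
```

Two hashes are recorded because the verification column on a lab form is only as strong as the weakest digest; the audit line carries the same values so an independent third party can rerun the acquisition and compare.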
· Collection – Monitoring of the wildfire cause and the state of after effects
· Examination – the intelligence service and the authority in charge look at the damage and injury caused by the fire, to be recorded in the assessment
· Analysis – background research on the previous archive, and dissemination and amplification of the evidence for further analysis
· Report – a final action report on the wildfire would be submitted to the authority, in this case the mayor and the health and safety intelligence.
In this investigation, the computer may have been used as a hardware store for saving files, but older files would be stored securely as documents in the archives of previous fire reports in the area, to refer to the actions which the investigator and the authority will have to take care of. In addition, the investigator must also look for the primary cause of the fire, whether natural or human. If it was human, they will have to investigate how it was caused and carry out further investigation to find evidence and the culprit. For reference, they may also go through previous similar wildfire incidents in different countries or states to get a reference and an outlook. While doing this, they must make sure the site they are referring to is reliable.
During this investigation, a forensic investigation would be of some help when collecting evidence, but overall it would still be considered an OSINT investigation, as much of the evidence collection process uses open sources online, which people can easily access and which do not require a large expenditure on the investigation itself.
In conclusion, both investigations have their advantages and limitations, making each efficient in a different scenario. As an investigator collecting and examining evidence, it is best to know both methods; this gives the investigator an understanding and an upper hand if either situation arises.