Methods for collecting digital evidence
Contemporary information systems, such as eLearning, eGovernment, eUniversity, eVoting, and eHealth, are frequently used and misused for irregular data changes (data tampering). Those facts force us to reconsider our security measures and find a way to improve them. Proving that a computer crime occurred requires very complicated processes that are based on digital evidence collection, forensic analysis, and an investigation process. Forensic analysis of database systems is a very specific and demanding task, and it was the main inspiration for writing this article. In this article you will find information about what digital forensics is and what kinds of methods you can use for collecting digital evidence on SQL Server. Some of them are efficient and some are less efficient. Also, I will cover the SQL Server Audit feature.
Business processes produce a large amount of data in government agencies, universities, and enterprises on a daily basis. Therefore, having a secure environment for storing data is imperative. Cases in which data is maliciously modified (e.g., data tampering, data fraud, unauthorized data gathering) can produce serious, long-term consequences. Data tampering can be done through unauthorized access, and in some cases by authorized users. The results of such actions can be unpleasant for both businesses and their clients.
For example, a highly “motivated” candidate for data tampering can be a medical professional. A physician gives a diagnosis and prescribes therapy with or without the use of medications. Unintentional or intentional mistakes in that process can produce serious complications and can even result in the death of a patient. In order to cover his actions, the physician might try to modify a patient’s medical record and add some extra notes or a prescription.
In this case, malicious data modifications could result in police action and involve the justice system. The final goal of the investigation process is to reveal the identity of the criminal.
Digital Forensics and Digital Evidence
The first steps taken in the investigation of a crime are collecting and analyzing the evidence. The products of that process are facts that can help in solving the crime. For “classic” crimes that process is based on forensics. Computer crime is also a crime, but with a different range of consequences. In those cases, we use digital or computer forensics to collect and scientifically examine information systems from all aspects. The outcome of that process is to determine the details of the digital criminal activity.
Digital forensics is the most important part of the investigation process because the collected facts need to be presented in a court of law. It is based on the confiscation of digital devices, including PCs, laptops, cell phones, hard drives, and USB memory modules. The goal is to preserve, overview, analyze, and report the facts; therefore, the process of collecting, analyzing, and preserving digital data is based on scientific methods. Only evidence collected in this way is valid. Figure 1 shows the four phases of digital forensics. Now let’s look at the types of problems you might encounter during the process of collecting data.