Just as in the physical world, we leave traces of ourselves – fingerprints, hairs, clothing fibers, DNA, etc. – when we move and interact with people, places, and objects, so too do activities in the digital realm leave pieces or echoes of themselves. These virtual or digital traces – think file fragments, activity logs, timestamps, metadata, and so on – may be deemed to be of value, for any number of reasons.
They may be useful as evidence in establishing the origins of a document or piece of software, for legal purposes in determining the activities of the parties involved in a criminal case, or even as a resource for cyber-criminals looking to reconstruct information or identifying credentials on their victims.
Whatever the motivation, the examination, interpretation, or reconstruction of trace evidence in the computing environment falls within the realm of digital forensics.
What Is Digital Forensics?
To give a formal definition, digital forensics (also referred to as computer forensics or cyber-forensics) is the practice of collecting, analyzing, and reporting on information found on computers and networks, in such a way that this process is deemed admissible in a legal context – whether that be as evidence in a criminal or civil investigation, or as documentary proof in a commercial or private setting.
As this definition suggests, digital forensic operations may be applied in law enforcement and investigations, in commercial, private, or institutional applications, and in the context of cyber-security.
Given the huge number of mobile and IoT (Internet of Things) devices in the world, it should come as no surprise that there’s a whole sub-discipline of digital forensics dedicated to this sort of hardware.
Commonly known as cellphone forensics, this field embraces a number of areas including the recovery of lost cellphone data and text messages, the analysis and extraction of detail from call records, the analysis and extraction of customer data and information from commercial digital transactions, and the detection and removal of mobile malware (including spyware, adware, and ransomware).
This last point speaks to the “double-edged sword” aspect of digital forensics. Strictly speaking, the same techniques used by cyber-security professionals and digital forensic investigators to root out malware on mobile devices may, in the hands of hackers and cyber-criminals, be turned around and used to extract data from their victims’ devices more effectively.
Forensic Digital Evidence
Activities conducted on individual computer systems and networks routinely leave some kind of “digital fingerprint”. These may range from web browser history caches and cookies, through to deleted file fragments, email headers, document metadata, process logs, and backup files.
For the security professionals protecting an enterprise – or the investigators working to trace the origins of a breach – any or all of these aspects of forensic digital evidence might be key in documenting an incident, formulating a response, or building a strategy for future operations.
From a scientific standpoint, a study of the activities and methodology of hackers and cyber-criminals, together with a digital forensic analysis of the tools and techniques that they employ, may yield insights into prevailing or future attack trends, the workings of cyber-criminal networks, and emerging strains of malware. These can add considerable input to knowledge and best practice resources, and threat intelligence databases.
In terms of enterprise security, the evidence gleaned from digital forensic analysis aids in incident response and remediation activities once a successful cyber-attack or data breach has been detected. Information may be obtained on attack vectors, new or specialized forms of malware, and Advanced Persistent Threats (APTs). These are the kind of sustained and subtle cyber-attacks that can take place undetected over a period of months, or even years, with the assailants deploying a number of different techniques to gain network access, spread through a system, then home in on their desired objectives.
Digital Forensic Collection
As with the gathering of evidence in physical investigations, care must be exercised in digital forensic collection to ensure that the data being collected for analysis is as pure and undisturbed as possible.
Bearing in mind that files on a computer are altered in some way even if you just open them in their related application without saving them (at a minimum the last-accessed timestamp changes, and many applications also create lock or temporary files), a system that’s suspected to hold forensic evidence which might be relevant to a case should remain untouched until that information can be extracted in a non-disruptive manner. This also holds true for incidents where the authenticity of certain files, the ways in which they’ve been accessed or used, and the timelines of critical events have to be established.
Digital forensic collection (the process of gathering data before it can be analyzed forensically) typically begins with the taking of a “bit-level” image of the hard drive or storage media of the system involved. As the name suggests, this is an exact duplicate or clone of the storage drive at the time the image is taken, including unallocated space and deleted file fragments, not just the files the operating system currently lists. The drive is normally removed from the powered-off system and attached to the examiner’s workstation through a device known as a write-blocker, which lets the imaging software read every sector of the source while physically preventing any writes to it. The image and the source are then hashed (typically with SHA-256 or a similar cryptographic hash) and the two values compared and recorded, so that anyone can later prove the copy that was analyzed is identical to the original.
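The acquisition-and-verify step described above, as an added example that is not part of the original article. It uses plain GNU coreutils (`dd` and `sha256sum`, so it assumes a Linux examiner workstation); in a real case the source would be a block device such as `/dev/sdb` reached through the write-blocker, whereas here a regular file of random bytes stands in for the drive so the script runs offline. The file names and the `.sha256` sidecar format are this example’s own choices, not a standard.

```shell
#!/bin/sh
# Added example: bit-level acquisition with hash verification.
# Assumes GNU coreutils on Linux (dd with status=none, sha256sum).
# SRC would normally be a write-blocked block device; a file is used here.

sha256_of() {
    # Print only the hex digest of a file (or device).
    sha256sum "$1" | cut -d' ' -f1
}

acquire_image() {
    # $1 = source device/file, $2 = destination image path.
    # bs=512 matches the classic sector size, so conv=sync only pads a
    # block when a read actually fails (noerror keeps going past bad
    # sectors); with a larger bs the last partial block would be padded
    # and the image hash would no longer match the source.
    src=$1; dst=$2
    dd if="$src" of="$dst" bs=512 conv=noerror,sync status=none || return 1
    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$dst")
    # Record both hashes beside the image: this is the value the chain of
    # custody is later checked against. (Sidecar format is our own.)
    printf 'source %s\nimage  %s\n' "$src_hash" "$img_hash" > "$dst.sha256"
    [ "$src_hash" = "$img_hash" ]
}

verify_image() {
    # Re-hash an image and compare with the value recorded at acquisition.
    recorded=$(awk '/^image/ {print $2}' "$1.sha256")
    [ "$(sha256_of "$1")" = "$recorded" ]
}

# --- demo on a constructed 1 MiB "disk" (2048 sectors of random bytes) ---
work=$(mktemp -d)
dd if=/dev/urandom of="$work/disk" bs=512 count=2048 status=none
if acquire_image "$work/disk" "$work/disk.img"; then
    echo "acquired: hashes match"; cat "$work/disk.img.sha256"
else
    echo "acquisition FAILED: hash mismatch"
fi
# Simulate tampering with the image after the fact: one appended byte.
printf 'x' >> "$work/disk.img"
if verify_image "$work/disk.img"; then
    echo "verify: image unchanged"
else
    echo "verify: image no longer matches recorded hash"
fi
rm -rf "$work"
```

Hashing the source a second time after imaging also catches a write-blocker that is silently failing, since any write to the source during acquisition would change its digest.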
On occasions where it’s necessary to examine a device and read information from it while it’s still in operation (if, for example, turning off the device would cause valuable evidence such as memory contents, running processes, open network connections, or decrypted volumes to disappear, or would cause damage or losses to the owner), what’s known as a “live acquisition” may be performed. This involves running a trusted acquisition tool on the target system, which copies the volatile data over to the forensic examiner’s storage. Because any program run on a live system inevitably changes it (at least in memory), the examiner records exactly what was run, when, and in what order.
For legal purposes, such a live acquisition may still produce digital forensic evidence that’s admissible in court, so long as the examiner can adequately justify the intervention and document what it changed.
Digital Forensics in Law Enforcement
Since computers, mobile phones, and the internet represent the fastest-growing venue for criminal activity, digital forensics has assumed a key role in the law enforcement sector. With cyber-crime offering a high-yield and relatively low-risk opportunity that doesn’t require physical violence, law enforcement agencies are now continually engaged in digital forensic activities to curb the exploits of fraudsters, identity thieves, ransomware distributors, and others in the cyber-criminal ecosystem.
Digital Forensics in Commerce
In the commercial sector, business organizations routinely use digital forensics in the resolution of cases involving industrial espionage, intellectual property theft, fraud, forgery, employment disputes, bankruptcy investigations, the inappropriate usage of digital resources such as email and messaging services in the workplace, and issues relating to regulatory compliance.
Returning to the “double-edged sword” analogy, those looking to counteract the activities of digital forensic investigators may engage in the practice of “anti-forensics.” This involves a number of techniques, including the use of encryption, modifying a file’s metadata (for instance backdating its timestamps), secure deletion, or otherwise disguising files and documents (file obfuscation).
It’s a risky strategy, as the tools of anti-forensics themselves also leave traces of what they’ve done on the perpetrator’s own system, or other systems to which they have access: a wiping utility shows up in program-execution logs, and a backdated file often carries timestamps that are inconsistent with one another or with the journal and backup records around it.
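To make the last point concrete, here is an added example (not from the original article) of one anti-forensic move and the trace it leaves. It assumes a Linux system with GNU coreutils: `touch -t` can set a file’s modification time to any date, but the inode change time (ctime) cannot be set through the normal file API, so the kernel stamps it with the real time of the tampering. The 60-second threshold and the function names are this example’s own choices.

```shell
#!/bin/sh
# Added example: backdating mtime with touch, and a check that catches it.
# Assumes Linux + GNU coreutils (stat -c). On Linux, ctime is set by the
# kernel on every inode change and cannot be chosen by the user.

# Anti-forensic step: claim the file was last modified on 1 Jan 2020.
backdate_mtime() {
    touch -t 202001010000 "$1"
}

# Seconds by which the inode change time is later than the modification
# time. An ordinary write updates both at once, so the gap is ~0.
ctime_mtime_gap() {
    mtime=$(stat -c %Y "$1")
    ctime=$(stat -c %Z "$1")
    echo $((ctime - mtime))
}

# Heuristic: flag a file whose ctime trails its mtime by more than $2
# seconds (default 60). Returns 0 (true) when the file looks backdated.
looks_backdated() {
    gap=$(ctime_mtime_gap "$1")
    [ "$gap" -gt "${2:-60}" ]
}

# --- demo on a constructed file ---
work=$(mktemp -d)
printf 'constructed sample report\n' > "$work/report.txt"
echo "fresh file, ctime-mtime gap: $(ctime_mtime_gap "$work/report.txt")s"
backdate_mtime "$work/report.txt"
echo "after touch -t: mtime=$(stat -c %y "$work/report.txt")"
echo "                ctime=$(stat -c %z "$work/report.txt")"
if looks_backdated "$work/report.txt"; then
    echo "report.txt: mtime is $(ctime_mtime_gap "$work/report.txt")s older than ctime, possible backdating"
fi
rm -rf "$work"
```

Treat this as a triage signal rather than proof: anything that legitimately sets mtime explicitly (`cp -p`, `tar` extraction, `rsync -a`) produces the same gap, so a flagged file still needs to be cross-checked against filesystem journal entries, backups, and the execution artifacts of whatever tool did the touching.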
Digital Forensics Consultants
Finally, as with other assets and techniques in the cyber-security sector, there are commercial organizations offering digital forensics services on a paid commodity or consultancy basis. These range from licensed private investigators with a digital forensics qualification through to online resource bases and advisories, to enterprise-level consultants and specialist contractors.