Digital Forensics: Sleuthing Against Cybercrime
Whether providing valuable evidence that assists in the investigation and prosecutions of crime perpetrators or proving their innocence or as part of the post-breach investigation and incident response process in organizations of all sizes, digital forensics is a widely used craft by investigators in all sectors.
The ever-growing advancements in information technology have potentially proven challenging to the branch of digital forensics, but its tools and techniques are continuously used to collect, process, preserve and analyze evidence from a range of digital devices, help uncover vulnerabilities and threats and ultimately help inform ways to mitigate them.
What is digital forensics?
Formally, digital forensics is defined as the branch of forensic science that is concerned with the identification, preservation, extraction and documentation of digital evidence using scientifically validated methods—evidence that will ultimately be used in a court of law.
The term originated from “computer forensics” which includes the investigation of computers and digital storage media, but it has separated into a discipline focused on handling digital evidence found on all digital devices that store data.
Digital evidence can be collected from many sources. These include computers, laptops, mobile phones, digital cameras, hard drives, IoT, CD-ROM, USB sticks, databases, servers, cloud, web pages, and more. Data sources like these are subject to digital forensics investigations, and must be handled with the utmost care to avoid any modification or contamination.
When it comes to different types of electronic evidence, these include media files (photos, videos, audio), text messages, call logs, social media accounts, emails, internet search history, user account data (usernames, passwords), RAM system files, digital files (PDFs, spreadsheets, text files), network device records, computer backups, and much more.
While in the past more commonly known as a practice used in legal cases, today the term “digital forensics” is also used to describe a process of cyber crime investigation in the private sector, even without the involvement of law enforcement or the court.
Once a security breach occurs, organizations leverage digital forensics professionals to identify the attack, determine how the attackers gained access to the network, trace the attackers’ movement through the network, ascertain whether information has been stolen, and recover compromised data. This can involve decryption, recovering deleted documents, files, cracking passwords, and the like.
What is digital forensics used for?
Digital forensics tools and techniques are used regularly by analysts and investigators in law enforcement, military, and government organizations as well as organizations in the private sector. Therefore the two main use cases for digital forensics are criminal cases or public investigations, and private or corporate investigations:
Government agencies and law enforcement use digital forensics to obtain additional evidence when a crime has occured, whether it’s cyber crime or another type of crime, to support allegations against a suspect. In cyber crime investigations, digital forensics investigators are employed by government agencies once an incident is detected, to find evidence for the prosecution of crimes.
Not only is digital forensics useful for solving different types of cyber crime such as data breaches, ransomware and data theft, but it can also be used to solve physical crimes—such as burglary, assault, fraud and murder. The evidence uncovered can lead an investigation toward motives behind the crime and can even connect the suspect to the crime scene or support an alibi.
In the private sector, digital forensics is used regularly in businesses of all sizes and in different capacities. In large organizations and corporations, it can be used as part of an incident response process or in general information security teams that deal with security incidents.
Digital forensics professionals can also be hired by organizations to investigate after a data breach, cyber attack, network compromise, intellectual property theft, cyber espionage, issues with regulatory compliance, and more. Not all incidents referred to digital forensics examiners are malicious in nature; there might be a server crash, network failure or even a natural disaster after which data needs to be recovered.
What is distinct for all private sector digital forensics investigations is that they use a more automated, tool-based approach with regards to business touch points rather than the strictly scientific approach used for solving cases within the legal frame.
Types of digital forensics
Due to different sources or specific processes in investigations, digital forensics has many branches or fields, with some of the most commonly applied being:
Computer forensics deals with evidence found in computing devices or digital storage media. Computer forensics examiners collect, identify, preserve, analyze and present facts about the digital evidence. This is done via a structured investigation of computer crimes to provide evidence acceptable by a court of law, as well as in civil cases or for data recovery.
Network forensics is, as its name indicates, involved with investigating security incidents at the network level. It’s defined as the monitoring, capturing and analyzing of network traffic in order to identify unauthorized access or network intrusion and to provide insight into the extent of an attack. It’s also used by law enforcement as part of a criminal investigation.
Mobile device forensics
Considering how widespread mobile devices have become over the past two decades, it’s no wonder that mobile device forensics is an important branch, especially in courtrooms that rely on acquired information to provide critical evidence. And with BYOB, it’s increasingly used in private cases as well. Mobile forensics specialists retrieve and collect audio and visual data, call logs and contacts from mobile phones, smartphones, tablets, GPS devices and the like.
Organizations of all sizes use applications that largely rely on databases to manage their data. And while many safeguards may be in place to protect them, cyber criminals still find ways to exploit missed misconfigurations or vulnerabilities, giving them access to database contents. Database forensics relates to the investigation of access to a database, actions by users, and changes to data. This particular branch of forensics is often used to provide insight into legal disputes—such as fraud, for example, by uncovering accounting data evidence.
Emails are often used in a variety of cyber attacks as well as phishing, cyberbullying and the transmission of malware. This is why email forensics is often used in investigations relating to companies that suspect such an incident. Being a commonly used communication channel, email can be a critical source of evidence for criminal cases. Email forensics itself refers to the extracting of data from email for the purpose of gathering digital evidence—such as the identification of sender and receiver, email contents, sources, and server logs, and the retrieval of removed email.
A large volume of computer intrusions include some type of malware as an attack vector. Malware forensics specialists analyze potentially malicious code in order to identify and investigate different types of malware. They’re concerned with identifying the activity of malware in the system, whether it spread (and if so, how), and finding similar information that helps them evaluate the damage of the attack.
Memory forensics is the branch of digital forensics that deals with the collection and analysis of volatile data that resides in random access memory (RAM) and cache. Such analysis is quite useful in cases when attackers don’t leave traces that can be detected on hard drive data.
Forensic data analysis
Forensic data analysis (FDA) is the branch of digital forensics that refers to the examination of structured data that can be found in application systems and databases. Usually used in investigating financial crimes and fraud, its aim is to uncover patterns of fraudulent activity in data, not in the systems and databases themselves.
Digital forensics investigation process
Just as with any branch of science, digital forensics has a number of processes and structures that guide forensic examiners through the investigation of data. While they can vary based on the context of the investigation and the source of collected data, digital forensics investigation generally consists of five stages while maintaining the chain of custody:
The first step in any investigative process is to identify the objective, sources of evidence, what type of devices are involved, what type of data is needed, and in what format.
When the digital devices that will be used in the investigation are identified and taken and the type of evidence is determined, digital forensics analysts will collect data using methods for handling evidence while ensuring authenticity.
Once sources of evidence are identified, electronic devices and stored information are collected and isolated to maintain their integrity and prevent any possibility of tampering. Digital forensics analysts make a forensic image of the device’s storage media and secure the original evidence in a safe environment, while conducting the investigation on the digital copy.
At this stage of the digital forensics investigation, collected and preserved data is examined with in-depth analysis to extract useful information and to draw conclusions to support or refute potential scenarios based on the found evidence.
When the in-depth analysis is completed, all found evidence and conclusions drawn from the digital forensics investigation are documented and summarized to support the overall investigation.
Attackers and (cyber) criminals are always searching for ways to make it hard to discover—and prove—that they’re the ones behind the incidents under investigation. This is why anti-computer forensics techniques have been used for as long as the forensics process itself has existed.
With concerns by the more technical public over the ease with which their private data can be collected for examination in potentially unfounded investigations, anti-forensics has gained popularity as a way of protecting users’ privacy. Some of its most common techniques include encryption, steganography, file wiping, and evidence tampering.
With such a wide scope of investigation, the field of digital forensics has an array of different tools used by its practitioners. These include file, email, mobile and internet analysis tools as well as disk and data capture tools and network, memory and database tools. Many of them arrive packaged in various OS distributions, platforms and frameworks.
From a variety of tools utilized to perform digital forensics investigation we found the 12 most commonly used resources:
The Sleuth Kit and Autopsy are easily the most popular open source digital forensics tools for disk and data capture used to recover data from file systems and raw-based disk images. The Sleuth Kit is a command-line tool that performs disk image and data recovery and Autopsy is its GUI as well as a digital forensics system used widely in private and public investigations.
CAINE is not only a digital forensics platform or tool, it is a complete Linux distribution for security research and digital forensics analysis. CAINE includes the best forensics software available, both command-line and GUI-based, and it allows analysts to extract data from multiple sources. Among the popular tools that CAINE contains are The Sleuth Kit, Autopsy, Wireshark, and PhotoRec.
ProDiscover offers a product suite that offers solutions for incident response and electronic discovery as well as a wide array of diagnostic tools. Their most commonly used product for forensic investigations is ProDiscover Forensics, which helps investigators uncover, collect, process, preserve and analyze data from a computer disk as well as create evidence reports.
Memory forensics is concerned with uncovering information stored in RAM—the volatile memory that needs to be collected carefully in order to maintain its authenticity. Volatility Framework is the most popular tool for memory forensics analysis of volatile memory.
FTK Imager is a data acquisition and imaging digital forensics tool that allows examiners to create forensic images of investigated devices without compromising original evidence. It allows for the customization of data criteria so that only relevant data is collected.
SIFT Workstation is another great Linux distro for digital forensics and incident response (DFIR) and contains a collection of DFIR tools and numerous forensics techniques. It’s a trusty distro for forensics examiners and incident response teams to examine forensics data on several systems.
The Windows registry is a common location where malware established persistence so its data can provide a wealth of information for a digital forensics investigation. You can open and view the Windows registry with a built-in Windows application and registry analysis is available in some forensics platforms, but there are also specialized tools such as Registry Recon. It acts as a computer forensics tools to retrieve and analyze registry data, as well as deleted parts of the registry from Windows OS
Wireshark is a popular ethical hacking tool as well as one of the most commonly used red team tools, but is also regularly utilized by digital forensics investigators. It’s an open source network traffic analyzer and is used for network forensics. Wireshark analyzes and captures network traffic in real time and it can help discover any threats on the network.
Exif Tool is a handy command-line based tool for digital forensics as it can extract EXIF data from different media files such as images and videos. It can provide analysis over different meta-data from those files such as file types, permissions, file sizes, device type, GPS coordinates and much more.
SurfaceBrowser™ can uncover the entire online infrastructure of any company and provide relevant intelligence data from DNS records, domains, subdomains, SSL certificates, historical WHOIS data and much more. Internet-facing assets can increase one’s attack surface and its risk of an attack, and can provide critical information that can be linked to a cybercrime.
From discovering clues that can serve as evidence to uncovering what type of malware attackers used to breach an organization’s system, digital forensics has permeated many different fields. While it may face some challenges in keeping up with technology advancements and the growth of anti-forensics techniques, it continues to play a vital role in the investigation of both criminal and civil cases involving technology, ensuring cybersecurity in the private sector.
Source of Article