304 North Cardinal St.
Dorchester Center, MA 02124
At the beginning of the DFIR blog series, we would like to share key terminology in digital forensics. Some terms may seem vague initially, but you can comprehend the meaning in time. We will explain digital forensics, digital evidence, investigation steps, and other standard terms in DFIR. If you find this post valuable, please share and provide feedback to us.
Digital forensics deals with cyber crimes. It is a combination of practices for uncovering evidence related to possible criminal activity or violation of a policy.
Digital forensics has three fundamental steps:
Forensic investigators are adequately trained, certified professionals who can collect, extract, analyze, report, and investigate cases that involve technology as the source or the victim of a crime. If you want to be a forensic investigator, there are quality materials, online and in-class training, and certifications. However, the best learning experience comes from conducting digital forensic investigations.
Digital forensics gained popularity with advances in IT and mobility. Incident response, detection, SOC operations, and treat hunting are closely related to digital forensics. Many use the same tools and analysis approaches.
There are two types of attacks: Internal and external attacks.
Internal Attacks: Breach of Trust by disgruntled or unsatisfied employees.
External Attacks: Attackers hired by internal or external entities to destroy the organization’s reputation.
Digital forensics is a challenging practice. The anonymity of attacks and attackers, the volatile nature of the evidence, anti-forensics, and differences in law and practices are common challenges against investigators.
In addition to these challenges, lack of skill to cope with advanced attacks, skill shortage in cyber, lack of coordination between authorities and enterprises, and slow reporting are the prevalent problems in general.
There are a couple of best practices and ways to cope with the abovementioned challenges. Training, sufficient resource allocation to digital forensics, well-documented and sound corporate policies, integrating digital forensics into the corporate cyber security ecosystem, and lateral and hierarchical coordination among the organizations are a couple of coping mechanisms.
Since digital forensics tries to reveal criminal intent evidence of the crime, we need to define different investigations in cyber incidents. Cybersecurity crime investigations are civil, criminal, and administrative. The most important and dangerous one is the criminal case. Civil cases are disputes between two parties. Administrative ones are non-criminal. They are limited to staff members. Examples are violating the organization’s policies, resource misuse or damage, etc.
Digital evidence is vital for investigations. It is “any information that is either stored or transmitted in digital form.“
Anyone or anything, entering a crime scene takes something of the scene with them, and leaves something behind when they leave.Locard’s Exchange Principle.
Types of digital evidence:
Digital evidence which is collected and analyzed during a DFIR must have the following characteristics;
During the investigations, you can collect evidence from the following locations and activities on the target system:
The table below provides a more detailed explanation of which physical media is an evidence source and what type of evidence can be gathered from where.
|Harddisk||User-created, computer-created files and text, media, database, executables, source code, program files, log data, Internet-based artifacts (many more evidence are stored at the harddisk)|
|Thumb Drive||Level of access, configurations, permissions, and authentication details of the user.|
|Memory Card||Configuration files, and devices themselves are the evidence source.|
|Smart Card, Dongle, Biometric Devices||[If used on a mobile device]|
Event logs, chat logs, text files, image files, picture files, Internet browsing history, etc.
|Digital Camera||Images, removable cartridges, video, sound, time and date stamp, etc.|
|Routers, Hubs, Switches||The devices themselves are the evidence source.|
|Network Cables and Connectors||The computer system is the evidence, a lot of evidence and artifacts.|
|Server||Evidence is found through address books, notes, appointment calendars, phone numbers, email, etc.|
|Printer||Evidence is found through previous destinations, waypoints, routes, travel logs, etc.|
|Removable Storage Device and Media||Usage logs, time and date information, network identity information, ink cartridges, and time and date stamps.|
|Scanner||Evidence is found by looking at the marks on the glass of the scanner|
|Telephones||Evidence is found through address books, notes, appointment calendars, phone numbers, email, etc|
|Digital Watches||Evidence is found through names, phone numbers, caller identification, appointment information, electronic mail, and pages.|
|Global Positioning Systems (GPS)||Evidence is found through previous destinations, way points, routes, travel logs, etc.|
Emre Caglar Hosgor
In this post, we give details about digital forensics, forensics investigations, digital forensic evidence, and cybercrime. The following post will explain digital evidence and digital forensic analysis. We hope you enjoy this post.