Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
At the beginning of the DFIR blog series, we would like to share key terminology in digital forensics. Some terms may seem vague initially, but you can comprehend the meaning in time. We will explain digital forensics, digital evidence, investigation steps, and other standard terms in DFIR. If you find this post valuable, please share and provide feedback to us.
Terminology
Digital forensics deals with cyber crimes. It is a combination of practices for uncovering evidence related to possible criminal activity or violation of a policy.
Digital forensics has three fundamental steps:
 | Acquisition Reporting Inspect/Analysis |
Forensic investigators are adequately trained, certified professionals who can collect, extract, analyze, report, and investigate cases that involve technology as the source or the victim of a crime. If you want to be a forensic investigator, there are quality materials, online and in-class training, and certifications. However, the best learning experience comes from conducting digital forensic investigations.
Digital forensics gained popularity with advances in IT and mobility. Incident response, detection, SOC operations, and treat hunting are closely related to digital forensics. Many use the same tools and analysis approaches.
There are two types of attacks: Internal and external attacks.
Internal Attacks: Breach of Trust by disgruntled or unsatisfied employees.
External Attacks: Attackers hired by internal or external entities to destroy the organization’s reputation.
Digital forensics is a challenging practice. The anonymity of attacks and attackers, the volatile nature of the evidence, anti-forensics, and differences in law and practices are common challenges against investigators.
In addition to these challenges, lack of skill to cope with advanced attacks, skill shortage in cyber, lack of coordination between authorities and enterprises, and slow reporting are the prevalent problems in general.
There are a couple of best practices and ways to cope with the abovementioned challenges. Training, sufficient resource allocation to digital forensics, well-documented and sound corporate policies, integrating digital forensics into the corporate cyber security ecosystem, and lateral and hierarchical coordination among the organizations are a couple of coping mechanisms.
Since digital forensics tries to reveal criminal intent evidence of the crime, we need to define different investigations in cyber incidents. Cybersecurity crime investigations are civil, criminal, and administrative. The most important and dangerous one is the criminal case. Civil cases are disputes between two parties. Administrative ones are non-criminal. They are limited to staff members. Examples are violating the organization’s policies, resource misuse or damage, etc.
Digital Evidence
Digital evidence is vital for investigations. It is “any information that is either stored or transmitted in digital form.“
- It is easy-to-tampered with
- Fragile in nature
- Locard Principle applies to it.
Anyone or anything, entering a crime scene takes something of the scene with them, and leaves something behind when they leave.
Locard’s Exchange Principle.
Types of digital evidence:
- Volatile data is lost when the machine is powered down. Examples are memory, clipboard, process-to-port mappings, and running processes.
- Non-volatile data is persistent data that is stored on the secondary storage. Examples are hidden files, slack space, swap files, index.dat, registry settings, and source code.
Digital evidence which is collected and analyzed during a DFIR must have the following characteristics;
- Admissible, not biased, non-prejudiced
- Authentic authenticity must be representable
- Complete
- Reliable, not altered by any means, timestamps and other metrics must align with the case.
During the investigations, you can collect evidence from the following locations and activities on the target system:
- User-created files contain address books, office documents, database management system files, databases, media (images, videos, audio, graphics, etc.), documents, Internet bookmarks, browser artifacts, content-sharing applications, IM applications, cloud storage software files, etc.
- User-protected files can be compressed files, misnamed files, encrypted files and folders, password-protected files, hidden files, and steganography.
- Computer-created files are backup files, log files, configuration files, swap files, system files, history files, and temporary files.
The table below provides a more detailed explanation of which physical media is an evidence source and what type of evidence can be gathered from where.
| Harddisk | User-created, computer-created files and text, media, database, executables, source code, program files, log data, Internet-based artifacts (many more evidence are stored at the harddisk) |
| Thumb Drive | Level of access, configurations, permissions, and authentication details of the user. |
| Memory Card | Configuration files, and devices themselves are the evidence source. |
| Smart Card, Dongle, Biometric Devices | [If used on a mobile device] Event logs, chat logs, text files, image files, picture files, Internet browsing history, etc. |
| Digital Camera | Images, removable cartridges, video, sound, time and date stamp, etc. |
| LAN/NIC | MAC address |
| Routers, Hubs, Switches | The devices themselves are the evidence source. |
| Network Cables and Connectors | The computer system is the evidence, a lot of evidence and artifacts. |
| Server | Evidence is found through address books, notes, appointment calendars, phone numbers, email, etc. |
| Printer | Evidence is found through previous destinations, waypoints, routes, travel logs, etc. |
| Removable Storage Device and Media | Usage logs, time and date information, network identity information, ink cartridges, and time and date stamps. |
| Scanner | Evidence is found by looking at the marks on the glass of the scanner |
| Telephones | Evidence is found through address books, notes, appointment calendars, phone numbers, email, etc |
| Digital Watches | Evidence is found through names, phone numbers, caller identification, appointment information, electronic mail, and pages. |
| Global Positioning Systems (GPS) | Evidence is found through previous destinations, way points, routes, travel logs, etc. |
| Modem | Device itself |
Emre Caglar Hosgor
Wrap-up
In this post, we give details about digital forensics, forensics investigations, digital forensic evidence, and cybercrime. The following post will explain digital evidence and digital forensic analysis. We hope you enjoy this post.
