Brief introduction to digital forensics investigations and what digital forensic investigators actually do
Digital forensic investigators investigate and reconstruct cybersecurity incidents, suspicious events by collecting, analysing and preserving digital evidence otherwise known as digital footprint left behind by threat actors or attackers such as malware, trojans, malicious scripts and embedded malicious code. These reconstructions allow investigators to pinpoint the root causes of attacks and potentially identify the culprits.
The involvement of digital forensic investigators is not limited to discovery and analysis of cybercrime. The can also be engaged to examine, analyse and extract dates, times, metadata and GPS information of certain computer artefacts such as files, images, documents, logs and events contained within and/or recorded by a mobile phone, tablet, computer, CCTV, drone, car or any other digital device which will be relied upon by solicitors, courts, law enforcement and other stake holders. The search results plus expert analysis are then documented and presented in the form of an admissible, court-compliant digital forensics report.
Digital Forensics Rules of Engagement
Digital forensics investigations follow a strict chain of custody or formal process for tracking how evidence is gathered and handled. The chain of custody allows investigators to prove that evidence wasn’t tampered with and can be replicated if another expert follows the same procedure and tools. As a result, evidence from digital forensics investigations can be used for official purposes like court cases, insurance claims, compliance, dispute resolution and regulatory audits.
The National Institute of Standards and Technology (NIST in the US and Forensic Science Regulator in the UK) outlines four steps for digital forensic investigations:
1. Data collection
After a breach, digital forensic investigators collect data from operating systems, user accounts, mobile devices, tablets and any other hardware and software assets that are the subject of the digital forensic investigation. Common sources of forensic data include:
- File system forensics: Data found in connected disks, files and folders that are stored on endpoints(devices).
- Live Memory forensics: Data found in a device’s random access memory (RAM).
- Network forensics & internet traffic analysis: Data found by examining network activity like web browsing and communications between devices.
- Application forensics: Data found in the logs of apps and other software.
To preserve evidence integrity, digital forensic investigators must make read-only copies of data before processing it. They must secure the originals so that they cannot be altered and the rest of the investigation is carried out on the forensic read-only copies. This will ensure data integrity in digital forensics investigations.
3. Examination
Digital forensic investigators should comb through the data for signs of cybercriminal activity, such as phishing emails, altered files and suspicious connections. If the case is in litigation, the forensic examiners must look for any evidence based on the instructions given by the commissioner of the report.
4. Analysis
Digital forensic investigators are expected to use forensic techniques and tools to process, correlate, and extract insights from digital evidence. Investigators may also reference proprietary and open-source threat intelligence feeds to link their findings to specific threat actors and provide relevant expert analysis and commentary.
5. Reporting
Digital Forensic investigators will need to compile a report that explains what happened during the security incident and, if possible, identifies suspects, threat actors or culprits. The report may contain recommendations for thwarting future attacks. It can be shared with law enforcement, insurers, regulators and other authorities. If the digital forensic investigation is related to a legal case, the final report will present all the findings while referencing the digital evidence and provide expert commentary on them while complying with UK Ministry of Justice regulations governing digital forensic investigations in criminal and civil litigation.