Digital forensics has become an increasingly popular topic in the world of cyber security. We are seeing a slew of TV shows, with clever hackers working for the good guys to retrieve sensitive information, or to stop wily cyber attackers in their tracks.
By Simon Campbell-Young, MD of Credence Security
However, the popularity and value of digital forensics are growing rapidly in the real world too. As organisations across the board become increasingly digital and increasingly online, digital forensics is becoming a crucial element of the cyber security mix. When people think of digital forensics, they usually think of a business that knows a staff member has a hand in the proverbial cookie jar, but is not sure who it is, and needs to track the evidence down.
This isn’t surprising, as research consistently shows that the insider threat is one of the greatest threats faced by businesses today, and many organisations simply have no tools or measures in place to prevent insider attacks at all.
However, fraud and theft are far from the only areas that digital forensics can help combat. Incident response is one of the areas that simply couldn’t function without digital forensics. Think about the security team whose job it is to protect the business, and the investigators who are trying to find out exactly how an organisation was breached.
Digital evidence, the “footprints” we all leave behind with every action on the Web, is crucial here. These little increments of evidence piece together a picture of how the incident happened, who was behind it, and how to stop the company falling victim in the future.
Remember that a thorough examination of the tools and methods an attacker used to breach your organisation will give invaluable insights into how these criminal groups work, what their motivations are, and any new tricks they have up their sleeves. All this data can be fed back into threat intelligence databases, to benefit the security community as a whole.
In addition, all evidence gathered from a digital forensic analysis is hugely helpful in incident response and remediation, once the organisation realises that a breach has occurred. Think about the data on new, advanced strains of malware that haven’t been seen before, or new attack vectors that previously weren’t known about. Without digital forensics, we’d still be in the dark.
The process isn’t simple, however. The first step in any forensic investigation is to review and scrutinise any current electronically-stored information (ESI) data maps and the locations where sensitive data is stored. The digital forensics practitioners then verify the integrity of the data that needs to be analysed, typically by hashing each item at acquisition so that any later alteration can be detected.
Once the integrity of the data has been verified, a plan is developed to extract it and to identify any further potential ESI sources. For each and every item that is extracted, the investigators must determine what type of item it is and whether it is relevant to the forensic investigation.
Next, the investigators need to paint a picture from all the bits of data, by piecing together the puzzle. In this phase, examiners connect the dots into a complete picture of all the potentially threatening actions identified through the investigation. There is no room for error here: the analysis must be 100% accurate, fully impartial and thorough, and everything must be recorded and documented in the way the legal system demands for presentation in court.
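The integrity-verification and documentation steps above, as an added example that is not part of the original article: each acquired item is hashed and classified into a manifest at collection time, and the manifest is re-checked before analysis so that a modified or missing evidence copy is detected. The file names, examiner label and log line are constructed placeholders.

```python
"""Evidence integrity manifest: hash and classify each collected item at
acquisition, write the record, and re-verify it before analysis begins."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large evidence images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(items, examiner):
    """items: (path, item_type, relevant) per extracted item, as the text describes."""
    return {
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "items": [{"path": str(p), "type": t, "relevant": r,
                   "size": Path(p).stat().st_size, "sha256": sha256_of(Path(p))}
                  for p, t, r in items],
    }


def verify_manifest(manifest):
    """Return (path, status) pairs; status is 'ok', 'modified' or 'missing'."""
    results = []
    for item in manifest["items"]:
        p = Path(item["path"])
        if not p.exists():
            results.append((item["path"], "missing"))
        elif sha256_of(p) != item["sha256"]:
            results.append((item["path"], "modified"))
        else:
            results.append((item["path"], "ok"))
    return results


def demo():
    """Constructed walkthrough: acquire two items, verify, tamper, re-verify."""
    d = Path(tempfile.mkdtemp())
    log, mail = d / "auth.log", d / "export.pst"  # constructed sample evidence
    log.write_bytes(b"Jan 10 03:12:07 host sshd[412]: Accepted password for svc\n")
    mail.write_bytes(b"constructed placeholder mailbox export")
    m = build_manifest([(log, "log", True), (mail, "mailbox", False)], "examiner-1")
    (d / "manifest.json").write_text(json.dumps(m, indent=2))  # the written record
    before = verify_manifest(m)
    log.write_bytes(b"")   # simulate an altered working copy
    mail.unlink()          # simulate a lost item
    return before, verify_manifest(m)
```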
Although digital forensics is a highly specialised skill, it is one that is moving into the mainstream, as every type of business needs these skills at one point or another. This will only become more true as the threat landscape evolves and businesses find themselves constantly under attack from advanced and sophisticated cyber attackers.