About two weeks ago, InterWorks was once again asked to speak at a lunch and learn event where I presented on digital forensics and its application at an organization level. But what exactly is digital forensics?
Digital forensics, also known as computer forensics, is probably a little different than what you have in mind. When people hear the term, they instantly think of shows like “CSI” where a crack team of computer whizzes use top-secret, super-advanced technology to solve crimes in a half hour. Unfortunately, that’s far from reality.
So, if digital forensics isn’t the magic TV would like us to believe, then what is it? I’ve found the following definition to be the best description:
The science of identifying, preserving, recovering, analyzing and presenting facts about digital evidence found on computers or digital storage media devices.
I like this definition because it’s simple enough to grasp and breaks digital forensics into five functional areas. I’ll explain each a little further down in the post. But first, let’s take a look at some common applications of digital forensics in the business world.
Common Applications of Digital Forensics
Using the term “forensics” certainly implies that digital forensics is used to recover digital evidence to be used in court of law against some nefarious offender. This is true in many instances. Perhaps a disgruntled employee stole valuable data after getting fired or maybe a company fell victim to corporate espionage. These criminal cases definitely rely on digital forensics to provide evidence pertaining to such crimes.
Digital forensics isn’t just limited the court of law. Often times, a company may be handling some sort of internal affair like a violation of a corporate policy, which doesn’t necessarily fall under the “crime” category. In the same way, however, digital forensics is used to find evidence that either backs or disproves some sort of assumption.
With those applications in mind, let’s break down digital forensics into its five parts:
Identify
All digital forensics starts with identification. Before doing anything else, it’s important to identify where data is stored. In the old days, investigators found the data they needed in filing cabinets. Today, it’s pretty much all electronic. Data is stored on the hard drives of computers and servers, flash drives, network equipment – you name it, there’s data on it.
Whenever I first arrive on the scene, I always evaluate the environment I’m in and think of all the potential devices on which data might be stored. Understanding the whole environment and what is contained within it helps me to understand what evidence, known as “artifacts,” we’re dealing with. As you can imagine, different devices and means of storage or data transfer leave different types of artifacts. The more of these you uncover, the clearer the picture becomes.
Preserve
Preservation is a crucial part of the digital forensics process, and it largely rests on the shoulders of investigators like me. Why is preservation so important? Because without integrity, a piece of evidence loses its value or “admissibility” in the court of law. That’s why it’s so important to ensure that the artifacts are unaltered and preserved in their original state.
Personally, I preserve these artifacts by completing chain-of-custody paperwork and documenting every aspect of a case from start to finish. This serves as a detailed written account that I can reference when evidence is ready for presentation. Maintaining this paperwork is immensely helpful in explaining to a court or legal team why you performed a certain action or treated evidence in a certain way, even when you have to defend those findings.
One incredibly useful piece of technology is Write Block. Write Block allows an investigator access data on hard drive but blocks the ability to alter or “write” to that existing data.
Another common practice during an investigation is to create a forensic image of the data or device being examined. In short, it creates a copy of the data found on the drive. I can then perform investigation and analysis on that copy while preserving the integrity of the original.
Recover
In just about every case, there is some sort of recovery process. This can include recovering deleted files from normal OS processes, intentionally deleted files, password protected files and even damaged or corrupted files. There are many methods of recovering these artifacts, and I try to use as many as possible to, as mentioned earlier, paint the fullest picture possible. Once you’ve identified and recovered (while preserving integrity throughout), you can start analysis.
Analyze
Analysis is the guts of the investigation. This is where all the expertise and elbow grease comes in. I use several apps and programs to look at common artifact locations such as the memory, registry, event logs and browser history. Additionally, I can use other scripts and manual analysis to look at obscure shellbags or even the operating prefetch files.
Again, the key here is to gather as many artifacts as possible, and there are often many artifacts to be found. In fact, any action performed on a computer can create up to five artifacts in different locations. A good example is a simple Google search. Whenever you search for something, it’s not just logged in your browser history; there’s also a coordinating registry artifact that points to that search. Depending on the configuration of your devices, this search may be present across every device you own. A device like Skype, for instance, will sync chat history across all devices. Using these various artifacts that all point to each other, we can really develop that clear picture we’re after.
Present
Finally, once examination is complete, it’s time to present the findings in the form of a case report. All that documentation that we recorded makes creating this report a hell of a lot easier in the end. And all of the information we collected hopefully leads to some definitive conclusion. Even so, what happens next isn’t up to the investigator. Will the evidence be enough to prompt some action? Will the case make it to court? Will the company you worked for terminate that disgruntled employee? The truth is, as an investigator, it doesn’t matter. The only thing that does matter is presenting facts clearly and concisely. That’s the end goal of digital forensics.
Interested in learning more about digital forensics and how they might help your business? Get in touch with us today.