When something goes wrong in a digital environment, the people who specialize in digital forensics can diagnose the cause and offer solutions. The field, sometimes known by the acronym of DFIR for “Digital Forensics, Incident Response,” involves searching through the often hidden layers of a computer, like the file system or the event logs, for clues that identify just how a bad actor may have broken in and just what happened afterward.
At its core, digital forensics involves a combination of understanding the foundational computer science with an eye for spotting how bad actors may misuse or abuse it. The practitioners begin with a solid education in the principles used by the programmers and architects who built the machines. Then, they study just how similar attacks were done in the past to learn where to look for digital footprints or other indications of what went wrong.
As the digital world grew more complex, so did the field of digital forensics. The practitioners often specialize in particular areas like understanding security failures in the communication layer or reconstructing the past actions of a mobile phone user. Every section of the tech world supports a subfield of digital forensics that can address problems in it.
Mobile Phone Forensics
Now that smartphones are manufactured by the billions and a large fraction of the world carries one constantly, understanding what happens to these handheld computers is one of the subfields that is in the most demand. Mobile phone forensic specialists can often answer questions about who used a mobile phone, where the phone traveled, which pictures were taken and what the phone may have heard. Details about all of these actions are often recorded inside the tiny machine.
One major difference is that mobile phone forensics can often be used to investigate crimes where the phone was a witness or even an assistant. Many of the other subfields focus on defending the machines against cyber attacks like digital viruses or malware. These challenges are still important for mobile phone experts, but much of the focus is often on understanding just what the legitimate user did while the phone was right alongside.
Mobile phone forensics is different because the phone is often moving, sometimes quickly, and the location information can be the most important data. Some of this is stored inside the machine in places like the EXIF values attached to digital photographs, but some of it may also be found inside the logs of cell phone service providers who must also track the location of each handset.
Much of the infrastructure used to support the Internet is now stored in computers that live in vast data centers run by cloud computing companies. The centers are specially designed to support the servers with a stable climate and power source. The cloud companies also offer flexible contracts that allow companies to rapidly scale their consumption based on demand.
In some cases, cloud computing forensics isn’t much different from forensics for any computer running in an office. Cloud computers often run the same operating system that stores the event logs in the same location in the same format. The analysis is often exactly the same.
But in some cases, the challenges are different, often wildly so. Some cloud services are sold in small slices as needed. An S3-compatible storage bucket, for example, will just store one file through an API. The users don’t have access to the underlying layers that handle the chores.
In these cases, cloud forensic specialists must be well-versed in the different architectures used in cloud systems. They must understand how software is often broken into microservices that run as lambda functions. When the operations are split up between multiple services in different data centers sometimes operated by different companies, the specialists must be knowledgeable about all of the possible options.
The software layer that handles communication between machines, especially the parts that are open to the general Internet, are one of the most important areas for DFIR teams to study. The network logs and other details from TCP and UDP stack often reveal how and when any attacker first arrived. They will also show the IP addresses of any source which can help identify the location, although this is often easily spoofed.
The forensics research that studies the communication layer often will integrate data collected from any targeted machine and the larger local network. Often routers and network hardware may retain enough information to explain how and when any attack unfolded. While these logs often only show the time and perhaps size of any data transfer, the patterns can help pinpoint the type of the attack and the size of any data breach.
Many techniques for studying any incursions into the desktop operating system are not much different from those studying the servers or mobile handsets. Many of the core protocols and software layers are exactly the same.
Some of the important differences come from the users. While servers often interact with large sets of users who are often spread out throughout the globe and often anonymous, desktops (and laptops) are often used by one person or a small group. This person’s actions are easier to understand and often, the person may be able to offer significant guidance.
In some cases, the user is the target of the investigation. Perhaps the person is accused of accessing illicit information or attacking other parts of the software layer. The forensic teams analyzing the desktop can often find digital footprints from any tools that the user deployed. They may also be able to locate past fragments of files that were deleted.
Many investigations only begin after the event, sometimes long after. Many of the forensics tools are designed to reconstruct details from the past. They’re designed to collect evidence after the dust has settled.
Some investigators, though, are able to start work when the attack is still in progress. Perhaps they received a quick report from a sharp eyed user. Perhaps the attacker keeps returning and the DFIR team was able to plan.
Live forensic investigations can use different tools. While they can still use log files, sometimes generated just seconds before, some tools are able to watch and even control events as they occur. Some routers, for example, can make copies of all packets and even delay or alter some packets as they travel. Forensic investigators can often influence any attack and sometimes limit the scope of any damage.
This category focuses on the collection, preservation, and analysis of digital evidence from computer memory. This is useful when the malware is able to install itself as a running software, taking a position in the computer memory. It can also be used to capture information about running software that was explicitly designed to avoid using the storage system, which is usually the focus of digital forensics.
Memory forensics is naturally more complex and difficult to do well. A computer’s random access memory is used for short-term storage and many of the software programs treat it as ephemeral and somewhat unstable. As a result, most of the information is rarely as structured or as easily interpreted as file storage because the programmers never intended it to be.
While memory forensics often fails when data is overwritten, or the computer is turned off, it can still be useful for identifying particularly dangerous malware and some forms of misbehavior by the user.
Defensive or Proactive Forensics
Not all digital forensics is done after an incident is detected. Some teams will use their tools to search out weaknesses, identify potential problems and search for undetected backdoors or malware. This defensive work can be a useful way to prevent attacks and misbehavior.
Many of the same techniques are part of defensive work. A team might choose a machine at random and then run the tools like Autopsy or Cyber Triage to analyze the disk as if some incident occurred. The same mechanisms for identifying malware or digital footprints could find an undetected intrusion.
Many areas of digital forensics are aimed at detecting, mitigating and recovering from attacks from external forces. Internal forensics focuses on the often politically charged problem of searching for misbehavior by normally trusted users. The process can often track the user’s behavior and uncover which data was accessed and which programs were used.
This can include investigating violations of company policy, such as unauthorized access to confidential data, or criminal activity, such as embezzlement or sabotage. Internal forensics can help organizations to protect their assets and to deter and investigate employee misconduct.
The process can often be combined with some other specialized investigative techniques like forensic accounting when misappropriation of funds is suspected.
Key Takeaways for Leadership
Digital forensics involves a number of subspecialties that focus on particular areas of the computer architecture or types of attacks.
When resources are large enough, teams may invite specialization because of the complexity of modern computer and network architectures.