Cyber Triage

Glossary

Advanced Forensic Format (AFF)

An open-source format developed by Simson Garfinkel and Basis Technology that is designed to support precision forensics using compression, encryption, and segmentation.

Adware

Software that makes money for its creators by showing advertisements to the end user. Some packages disclose this business model up front so the user can accept the ads, but others do it surreptitiously. Some viruses or other forms of malware may inject ads without the end user’s consent.

Artifact

When a forensic investigation flags a file, or part of a file, it becomes an artifact. The investigation software works with a list of known problematic files as well as lists of short data segments associated with known malware. Learn more about specific artifacts in our artifact library.

Chain of custody

A process for preserving the integrity of evidence by tracking who was responsible for it at each stage. Recording hash values of the data blocks at each hand-off helps show that nothing was altered along the way.

Ciphertext

When data is scrambled or encoded, the unreadable result is the “ciphertext.” Many malware programs hide their actions by encrypting some of their code. Users can also defend their data by turning it into ciphertext that cannot be read by any attacking software.

Data Carving

This is a technique used in digital forensics to reconstruct the stored data without using the assistance of the operating system.

Data loss prevention (DLP)

Keeping crucial data from being lost or leaked is an important role for IT teams. Digital forensics can help recover data that may be lost through hardware failure or outside attack.

Digital Forensics & Incident Response

Was a computer used in a crime? Did someone break into it? Did it malfunction or fail? The process of Digital Forensics & Incident Response, or DFIR, emerged when computer scientists needed to understand what had happened to a machine in the past. Digital forensics involves analyzing the data stored inside the computer, and Incident Response is the strategy for handling any breach that has been detected. Together, the two processes formalize the best approaches to answering the questions of how and when someone accessed the data inside a computer.

Disk Imaging

Digital forensics researchers use low-level tools that capture all of the information stored on a disk. This low-level process records not just the currently available files but also any scraps left over from deleted files. The disk images are often stored for later analysis or for use as evidence in an investigation.

Disk Log

The disk log is a low-level record of how data is stored and retrieved. In some cases, it can reveal when an attack began or progressed.

Disk wiping

Computers often save time by not erasing the data completely. They just mark a disk block as free and wait for the next file to overwrite it. Wiping a disk deliberately writes random noise to the disk blocks to completely destroy any old data that may be left.

EnCase Evidence File Format (E01)

A proprietary format developed by Guidance Software that is similar to EWF with additional support for compression to save space and encryption to add security.

Exfiltration

Attackers who want to steal information must find a way to get a copy. This exfiltration can be made more difficult with strong networking and storage security policies.

Expert Witness Format (EWF)

A proprietary format developed by ASR Data that bundles a sector-by-sector copy with metadata tracking the process.

File Carving

A disk image is composed of a number of blocks. File carving reassembles these fragments into as many complete files as possible. Sometimes a missing block or a corrupted file table will leave holes, but whenever the complete data is present the algorithms will reconstruct all of the files.

Forensic Imager

A forensic imager is a special program designed to create disk images with enough care to make the evidence usable in any legal investigation.

Hashing

Forensic researchers create a digital fingerprint of a file with an algorithm often called a “hash function” or a “message digest.” This mathematical process takes a file as input and returns a short binary value, often 64, 128 or 256 bits long.
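The two entries above (chain of custody and hashing) fit together in practice: the fingerprint is what lets each custodian prove the evidence they received is the evidence that was acquired. The following is an added example, not code from Cyber Triage or this glossary; it uses Python's standard hashlib, and the evidence bytes, stage names and custodian names are constructed placeholders.

```python
import hashlib
from datetime import datetime, timezone
from typing import List, Optional, Tuple

CHUNK_SIZE = 1 << 20  # hash in 1 MiB pieces so a large image never has to fit in memory at once


def fingerprint(data: bytes, algorithm: str = "sha256") -> str:
    """Return the hex digest of `data` using any algorithm hashlib supports."""
    digest = hashlib.new(algorithm)
    for offset in range(0, len(data), CHUNK_SIZE):
        digest.update(data[offset:offset + CHUNK_SIZE])
    return digest.hexdigest()


def fingerprint_file(path: str, algorithm: str = "sha256") -> str:
    """Same as fingerprint(), but streams a file (for example a disk image) from disk."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_custody_event(log: List[dict], stage: str, custodian: str, data: bytes,
                         when: Optional[datetime] = None) -> dict:
    """Append one hand-off to the custody log, fingerprinting the evidence as it is received."""
    entry = {
        "stage": stage,
        "custodian": custodian,
        "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
        "sha256": fingerprint(data, "sha256"),
        "md5": fingerprint(data, "md5"),  # a second algorithm makes a single-hash collision useless
    }
    log.append(entry)
    return entry


def verify_custody_chain(log: List[dict], data: bytes) -> Tuple[bool, List[str]]:
    """Check every recorded hand-off, and the evidence in hand, against the acquisition hashes."""
    if not log:
        return False, ["custody log is empty"]
    problems: List[str] = []
    baseline = log[0]  # the acquisition record is the reference everything else must match
    for entry in log[1:]:
        for algo in ("sha256", "md5"):
            if entry[algo] != baseline[algo]:
                problems.append(f"{algo} changed at stage '{entry['stage']}' ({entry['custodian']})")
    if fingerprint(data, "sha256") != baseline["sha256"]:
        problems.append("evidence in hand does not match the acquisition sha256")
    return not problems, problems


if __name__ == "__main__":
    # Constructed evidence bytes; a real case would hash a disk image or memory dump.
    evidence = b"abc"
    custody: List[dict] = []
    record_custody_event(custody, "acquisition", "examiner A", evidence)
    record_custody_event(custody, "transport", "courier", evidence)
    record_custody_event(custody, "lab intake", "examiner B", evidence)
    print(verify_custody_chain(custody, evidence))   # (True, [])
    print(verify_custody_chain(custody, b"abd"))     # (False, ['evidence in hand does not match the acquisition sha256'])
```

Recording two digests per hand-off is cheap and means a mismatch can be reported against whichever stage first diverged, which is the question a chain-of-custody review actually asks.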

Image Format

When data is captured from a target computer, it must be stored in a particular format that’s useful for later analysis.

Log

The various records kept by computers can often be a good place to look for forensic hints about what happened to a computer. The records kept by the software can reveal anomalies and sometimes details that identify the attacker.

Malware

A catch-all term for dangerous software that includes viruses, rootkits, worms, phishing attacks and all forms of subverting the computer’s logic.

Memory Dump

Some forensic investigators are able to capture a partial or complete record of the data in the computer’s memory. This can reveal malware or other malicious actions that are unfolding currently.

Network forensics

The subspecialty of understanding what happened to a computer by focusing on logs of network data traffic.

Network Log

Some attackers are able to breach computer security from outside using the network connections. While they are often masquerading as others, the record of when and how the data arrived can offer crucial clues for any investigator assembling a timeline.

Non-volatile data

Data that is stored on a hard drive or other permanent storage device.

Phishing

Some attackers present the user with legitimate-looking messages or emails that contain links that appear trustworthy but really trigger dangerous software. These messages may appear to come from banks, workplaces or other trusted sources, and so end up fooling the user.

Ransomware: What are the Most Common Types?

The goal of any ransomware author is to find a way to create enough inconvenience for anyone who will be able to pay. The more pain, the larger the demands and the greater the profits. It’s often just a business. A criminal one, of course, but one that’s often aimed at making money.

Raw Image Format

An exact copy of the data with no extra metadata to guide analysis.

Rootkit

A piece of software designed to assume control of the computer, sometimes surreptitiously.

Sandboxing

Some systems will deliberately run software and deny it access to the network, the file system, or other resources. These limits prevent it from causing damage. The process is often a compromise that allows untrusted code from questionable sources to run safely.

Security Policy

At the highest level, the goal is to keep the people and the organization safe and thriving. This usually involves protecting the personal information of clients and employees while guaranteeing that only the right eyes see the workflow of the enterprise.

Spam

Any unwanted or unsolicited data traffic. In the past, it was largely found in email but the abuse is now found in almost all forms of data transfer.

Steganography

Traditional encryption locks the data in a mathematical safe. Steganography instead transforms the data so that it is hidden inside something innocuous and cannot be found.

Timeline

Investigators trying to understand what happened in a computer attack will assemble a timeline that lists all of the clues and snippets found inside the log files and other records. The structure and pattern of this timeline can help identify when the computer was breached and, perhaps, which data was compromised.

Timeline Analysis

Creating a list of the timestamps associated with each piece of evidence makes it possible to understand how a particular incident may have unfolded. Forensic researchers will construct a timeline that gathers all of the events with timestamps in order to reconstruct the history.

Timeline Analysis for Incident Response

When a forensics team is called to investigate, one of the most important techniques they can deploy is to create a timeline of the events. The breach is often the result of several different failures or weaknesses and the timeline allows investigators to gather all of the evidence in a single chart.

Collecting all of the details in one coherent data structure can improve analysis. While some breaches have obvious causes, some can only be understood after all of the failures can be analyzed together. Timelines make it easier to understand causality and the relationships between the many moving parts of a modern enterprise stack.
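The three timeline entries above describe one procedure: gather timestamped events from several sources, normalise them, and sort them into a single sequence. The following is an added example, not code from Cyber Triage or this glossary. It parses three constructed sources (a syslog-style auth log, a web server access log, and a CSV export of Windows Security events), converts every timestamp to UTC, and merges them. The year and time zone assumed for the syslog lines, the hostnames, the IP address and the event text are all constructed placeholders.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List

# Assumptions: classic syslog lines carry neither year nor zone, so both are supplied here
# (constructed values); the other two formats carry an explicit offset or a trailing Z.
SYSLOG_YEAR = 2024
SYSLOG_TZ = timezone(timedelta(hours=-5))

# Constructed sample records, not taken from any real system.
AUTH_LOG = [
    "Mar  4 21:14:07 web01 sshd[812]: Accepted password for svc_backup from 203.0.113.5 port 51822",
    "Mar  4 21:15:40 web01 sudo: svc_backup : TTY=pts/0 ; COMMAND=/bin/tar czf /tmp/db.tgz /var/lib/db",
]
ACCESS_LOG = [
    '203.0.113.5 - - [04/Mar/2024:21:13:58 -0500] "POST /login HTTP/1.1" 200 512',
    '203.0.113.5 - - [04/Mar/2024:21:16:02 -0500] "GET /backup/db.tgz HTTP/1.1" 200 7340032',
]
WIN_EVENTS = [
    "2024-03-05T02:12:30Z,dc01,4625,An account failed to log on: svc_backup",
    "2024-03-05T02:13:20Z,dc01,4624,An account was successfully logged on: svc_backup",
]


@dataclass
class Event:
    when: datetime   # always timezone-aware UTC, so events from every source sort together
    source: str
    host: str
    summary: str


def parse_syslog(line: str) -> Event:
    m = re.match(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (.+)$", line)
    if not m:
        raise ValueError(f"unrecognised syslog line: {line!r}")
    stamp = re.sub(r"\s+", " ", m.group(1))            # collapse the padded day-of-month
    local = datetime.strptime(f"{SYSLOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
    when = local.replace(tzinfo=SYSLOG_TZ).astimezone(timezone.utc)
    return Event(when, "auth.log", m.group(2), m.group(3))


def parse_access(line: str, host: str) -> Event:
    m = re.match(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})', line)
    if not m:
        raise ValueError(f"unrecognised access log line: {line!r}")
    when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return Event(when, "access.log", host, f'{m.group(1)} "{m.group(3)}" -> {m.group(4)}')


def parse_windows(line: str) -> Event:
    stamp, host, event_id, message = line.split(",", 3)
    when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(when, "Security.evtx", host, f"EventID {event_id}: {message}")


def build_timeline(auth: List[str], access: List[str], windows: List[str],
                   web_host: str = "web01") -> List[Event]:
    """Parse every source into Events and return them in chronological (UTC) order."""
    events = [parse_syslog(line) for line in auth]
    events += [parse_access(line, web_host) for line in access]
    events += [parse_windows(line) for line in windows]
    return sorted(events, key=lambda e: e.when)   # stable sort keeps source order on exact ties


def events_near(timeline: List[Event], pivot: datetime, minutes: int) -> List[Event]:
    """Slice the timeline to a window around a pivot event, e.g. the first success after failures."""
    window = timedelta(minutes=minutes)
    return [e for e in timeline if pivot - window <= e.when <= pivot + window]


def render(timeline: List[Event]) -> List[str]:
    return [f"{e.when:%Y-%m-%d %H:%M:%S}Z {e.host:<6} {e.source:<13} {e.summary}" for e in timeline]


if __name__ == "__main__":
    print("\n".join(render(build_timeline(AUTH_LOG, ACCESS_LOG, WIN_EVENTS))))
```

Once merged, the sequence reads as one story: a failed then successful logon on the domain controller, a web login and SSH session from the same address, an archive of the database directory, and a download of that archive, even though two of the sources recorded local time and one recorded UTC. Converting to UTC before sorting is the step that most often goes wrong when timelines are built by hand.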

Triage

The process of prioritizing digital evidence for analysis.

Types of Security Incidents

Digital forensic teams are called to investigate a wide range of incidents that range from active security breaches committed by aggressive outsider attackers to passive, unintentional leaks brought about by mistakes and misconfiguration.

Using KAPE in Forensic Analysis

KAPE is designed to analyze the storage and working hardware of computers running Windows, macOS or many versions of Linux. It can run from a thumb drive and can also access virtual machines.

Virus

A type of malware that can replicate itself and spread to other computers.

Volatile data

Data that is stored in memory and is lost when the computer is turned off.

What are the Four Major Types of Data Collection for Forensic Analysis?

At the highest level, the decision is between choosing a fast and efficient method that may not capture all material or spending the time and effort to create a complete record by capturing all information, including much that may never be needed. It’s a trade-off between speed and thoroughness.

What are the Types of Digital Forensics?

The practitioners often specialize in particular areas like understanding security failures in the communication layer or reconstructing the past actions of a mobile phone user. Every section of the tech world supports a subfield of digital forensics that can address problems in it.

What Are YARA Rules?

YARA rules are a powerful tool for digital forensic researchers…

What is a Digital Signature Policy?

Many applications use digital signatures to certify that someone approves…

What is a Password Policy?

One of the simplest ways for an enterprise to maintain a secure perimeter is to ensure that the users choose passwords that can’t be easily guessed by any attacker. The best way to do this is to ensure that the passwords are chosen from a large enough collection of possible passwords. In other words, to guarantee that the passwords have enough entropy.

What is a Remote Access Policy?

Many businesses want to allow people to log in from outside their premises. Perhaps the sales team wants to access their files from the road. Perhaps some of the developers want to fix problems late at night. After the pandemic, many believe that working remotely is an important part of their company culture.

What is a Security Awareness and Training Policy?

Many employees aren’t conscious of the dangers that threaten the modern enterprise computing environment. They don’t understand all of the possible threats that may lead to fraud, blackmail, extortion or worse. A good policy for training new employees and retraining existing employees can reduce the dangers dramatically.

What is Behavioral Analysis and Signature Analysis?

Forensic investigators look for patterns and this investigation often takes two forms that complement each other. The first is a very focused and efficient search for the unique sequences of bytes found inside known malware. Finding these attack signatures is fast and effective.

The second part is more general. The patterns of events like API calls, or database queries offer a historical record of what happened in the computer. Deconstructing this data can reveal how and when malicious behavior began and an attacker gained access. This analysis is more complex and time consuming, but it can be more effective at detecting new or unknown attacks.

Deployed together, the approaches can speed detection, evidence collection and analysis.

What is data exfiltration and how can it be traced?

Good digital forensics techniques can trace data exfiltration by finding clues buried inside log files, network traffic records, and other sources deep inside the operating system.

What is Malware?

Computer security professionals use the word “malware” to refer to a wide range of software created with the intent of doing harm to others and their data. The scope of the term keeps changing as bad actors continue to create new packages for infiltrating computer systems to steal copies of protected data or to alter it.