Digital forensics is a field that is extremely deep but at the same time highly focused. It is defined as the overall collection, processing, preservation, analysis and presentation of computer-related evidence in support of network vulnerability mitigation and/or criminal, fraud, counterintelligence, or law enforcement investigations.
Whether a breach affects your organization or a former employee is suspected of stealing proprietary data, a Digital Forensic Examiner will be involved. Digital forensics comes in all shapes and sizes, with different examination methods for each. The areas below give a glance at some of the main divisions:
- Computer forensics – Analysis of information contained within and created with computer systems and computing devices.
- Mobile device forensics – Analysis of cellular phones, smart phones and MP3 players.
- Network forensics – Analysis and monitoring of traffic on computer networks ranging from LANs to WANs and the Internet.
- Database forensics – Analysis of databases, including metadata, for incidents such as security attacks.
It’s important to note that digital forensics is not like what you would see on a CSI episode. Examiners do not sit at a computer all day and just “enhance” everything. Computer forensics involves a lot of work determining when something happened based on the operating system’s artifacts. Mobile forensics is a fascinating look at just how much data the apps on your phone are really storing about you in small databases. Network forensics involves granular insight into not only the data you transmit over the internet but exactly what each bit you send does. Finally, database forensics is much more involved, as databases are more often than not extremely large repositories of information.
So now that you have an idea of what digital forensics really is, the question is: how do they do it? For this, every examiner has their own set of tools. It is rare that one person uses the same tools as another, even in the same office. There is a variety of options for even taking an image of a computer. We’ll note the most popular ones that you’re bound to encounter.
- AccessData FTK
- Guidance Software EnCase
- Magnet Axiom
- Wireshark
- Cellebrite UFED
- Volatility
FTK, EnCase and Axiom are all fully featured forensic suites, capable of imaging disks as well as RAM in computers and then handling the subsequent processing of those images. Wireshark is an open source packet analyzer that gives the user knowledge of a network down to the packet level. Cellebrite’s UFED product is a suite of tools that can not only make a complete copy of a phone, but can then dissect the information contained in it to give you a timeline of a user’s phone activity. Volatility is mainly used by examiners who like to get deep into memory forensics, as its sole purpose is to provide an interface for searching everything stored in a collected memory image.
No matter what type of digital examination needs to be done, there is a tool for it. The tools listed here are by no means exhaustive. Whether it’s a commercial product or open source, there’s bound to be a solution. Digital forensics is the field to get into if you’re the type of person with an inquisitive mind.
LIFARS has a solid body of work in Digital Forensics and Incident Response; contact us for a brief conversation on how we can assist you or your organization.