A U.S. manufacturer of consumer healthcare products suddenly started receiving complaints about the quality of its products. A primary investigation revealed that these sub-par products were counterfeit – cheap copies that closely mimicked the originals in name, packaging, trademarks, etc. Following a legal seizure order, a digital forensics specialist team was brought in to investigate the issue. They searched about 30 computers and other digital assets like cell phones, fax machines, telephones, and voicemail systems in 5 locations. This digital evidence enabled them to identify the storage locations for the counterfeit goods. They also built a strong case against the counterfeiters, forcing them to close up shop and face the legal music.
Digital forensics and digital forensics investigators played a critical role in solving this case. But tracing counterfeiters is just one of the many things digital forensics can help with.
This growing field has very close ties with business, cybersecurity and law enforcement. So whether you’re a cybersecurity professional, IT team leader, or C-suite executive – you’ll find this article helpful.
So what is digital forensics?
To answer this question, let’s get down to brass tacks – by starting with the basics.
What is Digital Forensics?
The modern world is increasingly digitized, connected and online. Crime is as much a feature of this online world as it is in the “real” world. In the ‘real world, crimes are investigated by boots-on-the-ground law enforcement or forensics investigators. But crimes in cyberspace require digital forensics.
Digital forensics – sometimes erroneously known as computer forensics – is the application of scientific tools, techniques and processes to the investigation of digital crimes and adverse events like hacking attempts, data breaches, fraud, espionage, etc.
What Do Digital Forensics Investigators Do?
Digital forensics specialists investigate cases where a computer or other digital device is used to enable a crime or is itself a target of the crime.
In almost every situation, they identify a hack, track its path, understand its source and recover any compromised or stolen data. To this end, they follow “digital footprints,” which are like electronic breadcrumbs that every person – bad actors included – leaves online. This enables them to retrieve the evidence to support or disprove a crime hypothesis and ultimately solve it.
Practitioners use numerous digital forensics tools to examine devices, extract evidence, and build a case. Some of these tools are single-purpose, i.e. focused on a particular area like network or mobile device forensics. Others are larger platforms that enable them to investigate multiple devices, triage evidence, collaborate with other investigators, etc. Many tools are open source and freely available. Read more about digital forensics tools here.
Investigators may work with organizations’ security teams to find the root cause and instigator of a criminal incident. This may be a hack, a data breach, or an attack on their IT assets using malware, phishing emails, DDoS techniques, social engineering, etc. This is why they are crucial to any organization’s Incident Response (IR) strategy. Digital Forensics and Incident Response (DFIR) enables affected companies to:
- Reconstruct adverse incidents
- Identify or recover compromised data
- Strengthen overall security controls
Often, these practitioners work with law enforcement to investigate digital crimes against government entities or the general public.
What is the Digital Forensics Process?
Modern digital forensics follows a structured process to investigate a digital crime. Many process models are available to guide examiners as they dig deeper into the event. These include:
- Digital Forensic Research Workshop (DFRWS)
- Abstract Digital Forensics (ADFM)
- Integrated Digital Investigation Process (IDIP)
- Enhanced Integrated Digital Investigation Process (EIDIP)
Along the way, investigators:
- Determine the incident type
- Formulate an investigative approach
- Gather the right tools
- Collect, isolate, secure, and if required, duplicate data
- Examine the evidence
- Develop a theory based on the evidence
- Reconstruct the incident
- Present the evidence to relevant stakeholders
This detailed and systematic process may involve several iterations of one or more steps. Throughout the investigation, investigators must maintain a proper chain of custody for the evidence, and ensure no tampering. In some cases, they may also be asked to identify or suggest improvements in the forensics process.
Here, it’s important to remember that “structured” does not mean “rigid.” Each case is unique, so a process model is not a mandatory checklist, but more like a set of best practices to support digital forensics specialists during investigations.
Digital forensics is a vital pillar of cybersecurity. Organizations that have experienced a cyber-attack or data breach rely on digital forensics specialists to get to the root of the issue, and (hopefully) minimize its impact. If cybersecurity is a “human arms race,” digital forensics is what keeps the bad guys from blowing up the digital world.