Forensics is the art of preserving a computing environment in a safe mode and recovering a digital trail of evidence on the hardware, software, networks, and related devices. There are plenty of methods to find data which is seemingly deleted, not stored, or worse, covertly recorded.
Forensics is most often associated with the investigation of a wide variety of computer crime, computer forensics may also be used in civil proceedings. The discipline involves similar techniques and principles to data recovery, but with additional guidelines and practices designed to create a legal audit trail. Evidence from computer forensics investigations is usually subjected to the same guidelines and practices of legal evidence.
- Cross-drive analysis – A forensic technique that correlates information found on multiple hard drives. The process,
- Live analysis – The examination of computers from within the operating system using custom forensics or existing sysadmin tools to extract evidence.
- Deleted files – Modern forensic software have their own tools for recovering or carving out deleted data (e.g., reconstruct data from the physical disk sectors).
- Stochastic forensics – Investigate activities lacking digital artifacts. Its chief use is to investigate data theft.
Steganography – Process of hiding data inside of a picture or digital image.
- Volatile data – Any data that is stored in memory, or exists in transit, that will be lost when the computer loses power or is turned off. Volatile data resides in registries, cache, and random access memory (RAM). The investigation of this volatile data is called “live forensics”.
- Cyber Forensic Process:
- Triage – Freeze the environment(s), review objectives, and start to identify data sources (ie, disks, memory, logs, DBs, etc.)
- Collect – Next, isolate, secure, and preserve a copies of the data (e.g., memory dumps, disk images, meta data, logs, etc.)
- Decrypt – Convert a copy of the data into a readable format
- Process – Reconstruct fragments of separate data sources into meaningful information.
- Investigate – Draw conclusions based on the evidence and pursue additional information as needed
- Report– Provide findings with supporting documentation
Types of Forensics
- Computer – examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts.
- Mobile – recovery of digital evidence or data from a mobile devices (e.g., phones, tablets, pda, etc.) under forensically sound conditions.
- Network – monitoring and analysis of network traffic for the purposes of information gathering, legal evidence, or intrusion detection
- Data Base – Forensic study of databases, related metadata and cached information.
- Cloud – Same as ‘computer forensics’ but performed in a virtualized environment.
- IoT (Internet of Things) – Same as ‘computer forensics’ but performed on IoT objects, embedded systems, sensors, software, and related technologies,
Tools and Techniques
An important part of Forensics is having the right tools, as well as being familiar with the following topics:
- File Formats
- EXIF data
- Wireshark & PCAPs- What is Wireshark
- Disk Imaging
- CTF 101 – Forensicshttps://ctf101.org/forensics/overview/
- Youtube: Overview of Digital Forensics (05:24)
- Youtube: Cyber Forensics (40:52)
- Youtube: All Things Entry Level Digital Forensics and Incident Response Engineer DFIR (19:14)
- Youtube: Getting started in digital forensics (1:02:00)
- Youtube: Live forensics demo: Extracting evidence from the cloud (18:51)
- Youtube: Internet of Things (IoT) Forensics (25:08)