What are Digital Forensics & Digital Forensics and Incident Response?
Digital Forensics | Sep 15, 2017
Digital forensics is the identification, preservation, collection, and examination of digital evidence residing on electronic devices, done in a way that lets the findings stand up to scrutiny; in a security setting it informs the subsequent response to threats and attacks. As Lesley Carhart (@hacks4pancakes) puts it on her blog, “the exciting science of taking all manner of digital *stuff*, and finding out what it’s done, when it was done, and who did it. Seen weekly on your average episode of CSI or NCIS… it is nothing like CSI or NCIS.”
Digital Forensics and Incident Response (DFIR) is the application of those forensic methods to cybersecurity use cases, such as examining data breaches and malware infections, combined with the response work of containing and eradicating the threat.
Guidance Software created the category for digital investigation software with EnCase in 1998 as a tool for law enforcement to solve criminal cases. Today, digital forensics practices have made their way to the corporate world for cybersecurity, corporate investigations, and e-Discovery. Just as federal and state authorities use digital evidence to convict lawbreakers, IT managers, security, and legal teams can use digital forensics to collect and preserve evidence to analyze and defend against a cyberattack, stop an insider threat, or complete an internal investigation.
Digital forensics solutions typically include the following capabilities:
- The ability to acquire data from a wide variety of devices, including traditional computers and servers as well as mobile devices
- Deep visibility into the processes that ran and the actions that occurred on devices and operating systems
- The ability to complete a comprehensive, forensically sound investigation, meaning evidence is acquired without modification and its integrity can be verified afterwards
- Extensive reporting features
How does Law Enforcement use Digital Forensics?
The law enforcement community uses forensic software and hardware to collect, triage, investigate, and report on evidence from devices and networks. Digital forensics helps investigators find evidence directly related to a criminal investigation. It also helps confirm or refute statements, authenticate documents, and build timelines of events.
As the number of digital devices and services explodes, so do the digital footprints we all leave behind. Forensic tools allow investigators to examine and understand these digital footprints as they try to prove the facts of the case. Many famous criminal prosecutions have relied on digital forensics. Investigators worldwide use EnCase Forensic from Guidance Software today, and did so in several well-known prosecutions, including those of the shoe bomber Richard Reid, the BTK Killer, and Scott Peterson.
How does Digital Forensics Aid Investigations in a Corporate Setting?
Every organization will face the need to conduct a digital investigation. Litigation, data breaches, fraud, insider threats, HR issues, and other cybersecurity matters are unavoidable.
Litigation concerns fall mostly under e-Discovery; this post focuses on the security applications, DFIR. DFIR teams use digital forensics to identify suspicious activity on their networks, determine who is creating the problem, contain the incident, and take steps to safeguard their infrastructure to prevent similar attacks in the future.
When an incident is suspected, experienced security pros will usually have a process workflow already outlined to guide them through the steps needed to manage the problem. Typically, this begins with a careful collection from all possible sources: physical hard drives, web browser and email history, file-system and registry data, system logs, and even off-network endpoints. Traditional corporate endpoints, such as desktop computers and laptops, are not the only devices that can be subject to forensic analysis. As smartphones and tablets see more daily work usage, demand for mobile forensic capabilities has grown with it.
Most actions taken on a device leave traces, “artifacts,” on the machine that can be examined through digital forensics. Preserving that data and ruling out tampering is what makes the eventual outcome of the investigation credible: acquire with a write-blocker or another read-only method, hash the acquired image at acquisition time and re-verify the hash before and after analysis, and keep a chain-of-custody record of who handled the evidence and when.
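The integrity step above, as an added example that is not part of the original post or of any Guidance Software product: it hashes acquired evidence files, writes a small manifest that doubles as a chain-of-custody record, and re-verifies the files later so that any modification is caught. The file names, case ID, examiner name and file contents are constructed for the demo. MD5 is recorded only because many tools and older reports still quote it; the SHA-256 value is the one the verification trusts.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read in 1 MiB chunks so multi-gigabyte images do not need to fit in memory


def hash_file(path):
    """Return (md5, sha256) hex digests of a file, computed in a single pass."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def write_manifest(evidence_paths, manifest_path, examiner, case_id):
    """Record size and hashes of each item plus who acquired it and when (UTC)."""
    items = []
    for p in evidence_paths:
        md5, sha256 = hash_file(p)
        items.append({"file": os.path.basename(p), "size": os.path.getsize(p),
                      "md5": md5, "sha256": sha256})
    manifest = {
        "case_id": case_id,                      # constructed identifier
        "examiner": examiner,                    # constructed name
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "items": items,
    }
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_manifest(manifest_path, evidence_dir):
    """Re-hash every item; map file name -> 'ok', 'MISMATCH' or 'MISSING'."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    results = {}
    for item in manifest["items"]:
        p = os.path.join(evidence_dir, item["file"])
        if not os.path.exists(p):
            results[item["file"]] = "MISSING"
            continue
        _, sha256 = hash_file(p)
        results[item["file"]] = "ok" if sha256 == item["sha256"] else "MISMATCH"
    return results


def demo():
    """Constructed scenario: two fake evidence files, verify, tamper with one, verify again."""
    d = tempfile.mkdtemp()
    disk = os.path.join(d, "laptop01.dd")   # not a real disk image, just bytes for the demo
    mem = os.path.join(d, "laptop01.mem")
    with open(disk, "wb") as f:
        f.write(b"\x00" * 4096 + b"NTFS    ")
    with open(mem, "wb") as f:
        f.write(os.urandom(2048))
    manifest = os.path.join(d, "manifest.json")
    write_manifest([disk, mem], manifest, examiner="jdoe", case_id="IR-2017-0042")
    before = verify_manifest(manifest, d)
    with open(disk, "r+b") as f:            # simulate tampering: flip one byte in the image
        f.seek(10)
        f.write(b"\xff")
    after = verify_manifest(manifest, d)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering: ", after)
```

The same check is what a write-blocker plus a post-acquisition hash buys you in practice: if the image verifies against the manifest at the end of the analysis, nobody can credibly argue the examiner altered it along the way.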
Once the information sources are gathered, technical investigators will typically use a validated digital forensics tool, one whose results another examiner can reproduce. Guidance Software’s EnCase Endpoint Investigator and EnCase Mobile Investigator are examples of tools used to analyze the evidence, piecing together the initial cause of the problem, who is responsible, what actions were taken, and what the impact is. It is crucial that security responders use current digital forensics technology to assess the incident accurately. Since security teams deal with a high volume of possible threats, efficiency is also a valuable characteristic in a quality DFIR tool.
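Most of the “piecing together” happens on a timeline, and the practical obstacle is that every artifact source stores time differently. The following is an added example, not code from the post or from EnCase, that normalises constructed artifacts from one hypothetical host (a proxy log, Chrome history, an NTFS $MFT record, a Windows Security event and a firewall log) to UTC, sorts them into one timeline, and pivots around the first mention of an indicator. All host names, addresses, paths and timestamps are made up for the example.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME and Chrome/WebKit timestamps count from 1601, not from the Unix epoch.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def from_filetime(ft):
    """Windows FILETIME: 100-nanosecond intervals since 1601-01-01 UTC (NTFS $MFT, registry, EVTX)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def from_webkit(us):
    """Chrome/WebKit History database: microseconds since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=us)


def from_unix(seconds):
    """Unix epoch seconds, as found in most *nix, proxy and firewall logs."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def from_iso(text):
    """ISO 8601 with an explicit UTC offset. A local time without an offset cannot be
    placed on the timeline reliably, so it is rejected rather than silently guessed."""
    dt = datetime.fromisoformat(text)
    if dt.tzinfo is None:
        raise ValueError(f"no UTC offset in {text!r}; local time is ambiguous")
    return dt.astimezone(timezone.utc)


CONVERTERS = {"filetime": from_filetime, "webkit": from_webkit, "unix": from_unix, "iso": from_iso}

# Constructed artifacts: (source, timestamp kind, raw value as the source stores it, event).
ARTIFACTS = [
    ("Security.evtx 4688", "iso", "2017-09-12T16:04:02+02:00",
     "new process C:\\Users\\jdoe\\Downloads\\upd.exe"),
    ("$MFT", "filetime", 131496986200000000,
     "created C:\\Users\\jdoe\\Downloads\\upd.exe"),
    ("fw.log", "unix", 1505225130,
     "allow 10.0.0.23:49211 -> 198.51.100.9:443"),
    ("proxy.log", "unix", 1505224991,
     "GET http://203.0.113.7/upd.exe user=jdoe"),
    ("Chrome History", "webkit", 13149698595000000,
     "visit http://203.0.113.7/upd.exe"),
]


def build_timeline(artifacts):
    """Normalise every artifact to UTC and sort, giving one ordered view across all sources."""
    rows = []
    for source, kind, raw, event in artifacts:
        dt = CONVERTERS[kind](raw)
        rows.append((dt.isoformat(timespec="seconds"), source, event))
    rows.sort()
    return rows


def pivot(timeline, needle, window_s=120):
    """Rows within window_s seconds of the first row whose event mentions needle."""
    hits = [r for r in timeline if needle in r[2]]
    if not hits:
        return []
    anchor = datetime.fromisoformat(hits[0][0])
    return [r for r in timeline
            if abs((datetime.fromisoformat(r[0]) - anchor).total_seconds()) <= window_s]


if __name__ == "__main__":
    for ts, src, ev in build_timeline(ARTIFACTS):
        print(ts, f"{src:<20}", ev)
```

Two caveats a practitioner would add: timestamps an attacker can edit (NTFS $STANDARD_INFORMATION times, for example) should be corroborated against ones they usually cannot, and any source that logs local time without an offset needs the host’s time zone and clock skew recorded before its events are merged, which is why `from_iso` refuses to guess.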
What is the “Incident Response” Part of DFIR?
After examining the evidence and putting the puzzle together, incident response begins. The first goal is containment: stopping the problem from spreading to other devices and minimizing the number of endpoints affected. The next step is eradication: removing the cause, whether that is malware, unauthorized access to the network infrastructure, or compromised accounts, among other malicious tactics.
With the threat taken care of, DFIR pros determine the best path forward. This means thoroughly reviewing and assessing the incident, then turning those lessons into processes and controls that prevent the same attack from succeeding again.
By using digital forensics tools, security teams can take the necessary steps to respond properly to a possible threat. Those who are able to collect the data, analyze the situation using advanced tools and technologies, and respond to the incident quickly will set their organizations up for safe and secure operations while also reducing future risk.
Additional reading and resources on Digital Forensics:
- What is ‘DFIR’? And how do ‘Digital Forensics’ roles vary?
- SANS DFIR - https://digital-forensics.sans.org/
- Guidance Software Digital Forensics Blog.