Digital Forensics

What Is Digital Forensics?

Digital forensics is the practice of identifying, acquiring, and analyzing
electronic evidence.
An important part of digital forensics is the analysis of suspected
cyberattacks, with the objective of identifying, mitigating, and eradicating cyber
threats.

Digital forensics is also useful in the aftermath of an attack, to provide

information required by auditors, legal teams, or law enforcement.

Electronic evidence can be gathered from a variety of sources, including

computers, mobile devices, remote storage devices, internet of things
(IoT) devices, and virtually any other computerized system.
Why Is Digital Forensics Important?

Digital evidence can be used as evidence in investigation and legal proceedings for:

● Data theft and network breaches

—digital forensics is used to understand how a breach happened and who were the
attackers.

● Online fraud and identity theft

—digital forensics is used to understand the impact of a breach on organizations

and their customers. Violent crimes like burglary, assault, and murder
● —digital forensics is used to capture digital evidence from mobile
phones, cars, or other devices in the vicinity of the crime.
● White collar crimes —digital forensics is used to collect evidence that
can help identify and prosecute crimes like corporate fraud,
embezzlement, and extortion.
What Are the Different Branches of Digital Forensics?
Computer Forensics

Computer forensic science (computer forensics) investigates computers and

digital storage evidence. It involves examining digital data to identify, preserve,
recover, analyze and present facts and opinions on inspected information.

Mobile Device Forensics

Mobile device forensics focuses primarily on recovering digital evidence from

mobile devices. It involves investigating any device with internal memory and
communication functionality, such as mobile phones, PDA devices, tablets,
and GPS devices.
Network Forensics
The network forensics field monitors, registers, and analyzes network activities.
Network data is highly dynamic, even volatile, and once transmitted, it is gone. It means
that network forensics is usually a proactive investigation process.

Forensic Data Analysis

Forensic data analysis (FDA) focuses on examining structured data, found in
application systems and databases, in the context of financial crime. FDA aims to
detect and analyze patterns of fraudulent activity.
Database Forensics
Database forensics involves investigating access to databases and reporting changes
made to the data. You can apply database forensics to various purposes. For example,
you can use database forensics to identify database transactions that indicate fraud.
The Digital Forensics Process
The digital forensics process may change from one scenario to another, but it
typically consists of four core steps—collection, examination, analysis, and
reporting.

Collection
The collection phase involves acquiring digital evidence, usually by seizing
physical assets, such as computers, hard drives, or phones.

Examination
The examination phase involves identifying and extracting data. You can split
this phase into several steps—prepare, extract, and identify.
Analysis
The analysis phase involves using collected data to prove or disprove a case built by the
examiners. Here are key questions examiners need to answer for all relevant data items:
● Who created the data
● Who edited the data
● How the data was created
● When these activities occur

Reporting
The reporting phase involves synthesizing the data and analysis into a format that
makes sense to laypeople. These reports are essential because they help convey the
information so that all stakeholders can understand.
Digital Forensic Techniques/Methods

Digital forensics involves creating copies of a compromised device

and then using various techniques and tools to examine the
information. Digital forensics techniques help inspect
unallocated disk space and hidden folders for copies of
encrypted, damaged, or deleted files. Here are common
techniques:
Reverse Steganography

Cybercriminals use steganography to hide data inside digital files,

messages, or data streams. Reverse steganography involves
analyzing the data hashing found in a specific file. When inspected in
a digital file or image, hidden information may not look suspicious.
However, hidden information does change the underlying has or string of
data representing the image.
Stochastic Forensics

Stochastic forensics helps analyze and reconstruct digital activity

that does not generate digital artifacts. A digital artifact is an
unintended alteration of data that occurs due to digital processes. Text
files, for example, are digital artifacts that can context clues related to a
digital crime like a data theft that changes file attributes. Stochastic
forensics helps investigate data breaches resulting from insider
threats, which may not leave behind digital artifacts.
Cross-drive Analysis

Cross-drive analysis, also known as anomaly detection, helps find

similarities to provide context for the investigation. These similarities
serve as baselines to detect suspicious events. It typically involves
correlating and cross-referencing information across multiple
computer drives to find, analyze, and preserve any information
relevant to the investigation.
Deleted File Recovery

Deleted file recovery, also known as data carving or file carving, is a

technique that helps recover deleted files. It involves searching a
computer system and memory for fragments of files that were partially
deleted in one location while leaving traces elsewhere on the inspected
machine.