Digital forensics describes a scientific investigation process in which computer artifacts, data points, and information are collected around a cyber-attack.
A digital forensic examiner’s job is to provide information such as:
- Identify an entry point used by the attacker into the network
- Identify what user accounts were utilized by the attacker
- Identify the duration of unauthorized access on the network
- Attempt to geolocate the logins and map them on a world map
The forensics investigator can then provide you with a written report in layman’s terms that outlines what the attacker did and the steps they took.
Cybercrimes are not easy to investigate because the crime scene exists in the digital world. In the cyber world, the evidence is much less obvious than, say, in a home burglary. It might even be difficult to determine how the cyber threat entered your network if the attackers attempted to hide their tracks.
There are several steps involved in a digital forensics investigation. The first one, identification, establishes the scope of the investigation and what goals and objectives need to be met. Identifying what evidence needs to be collected, and which devices (computers, network traffic logs, storage media devices) hold that evidence and must be analyzed, will guide the investigation.
Another important step is preservation. Preservation is typically performed in the form of an image backup file. It is critical to use imaging software that utilizes “write blockers” to ensure there are no additional digital footprints left on the evidence by the forensic examiner who is creating the image.
Once the image backup is created, all the evidence that existed at the time of imaging has been captured.
Computers are constantly receiving and changing the information they store in the form of access logs, data backups, etc. If you don’t preserve these logs as soon as possible, the important information needed for the forensic investigation may be overwritten.
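A minimal acquisition routine that puts the preservation step above into practice, added here as an example rather than code from the post: it opens the source read-only, hashes the stream while copying it, re-hashes the written image, and can re-verify later so that any change after acquisition is detectable. It assumes a hardware write blocker sits between the evidence drive and the workstation (the read-only open is not a substitute) and uses a constructed sample file instead of a real device.

```python
"""Forensic imaging with integrity hashes (added example, not Tonex's code).
Assumes a hardware write blocker sits between the evidence drive and this host;
the read-only open below is a software safeguard only. demo() uses a constructed sample."""
import hashlib
import os
import tempfile
import time

CHUNK = 1024 * 1024  # 1 MiB blocks

def sha256_file(path, chunk=CHUNK):
    """Independently re-hash a file; used to verify the written image."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def acquire_image(source_path, image_path, chunk=CHUNK):
    """Copy the source byte-for-byte, hashing the stream as it is read; return a log record."""
    src_hash, size = hashlib.sha256(), 0
    fd = os.open(source_path, os.O_RDONLY)   # never request write access to the evidence
    with os.fdopen(fd, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            src_hash.update(block)
            dst.write(block)
            size += len(block)
    return {"source": source_path, "image": image_path, "bytes": size,
            "source_sha256": src_hash.hexdigest(),
            "image_sha256": sha256_file(image_path, chunk),
            "acquired_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())}

def verify_image(record, chunk=CHUNK):
    """True only if the image matched the source when written and is still unchanged now."""
    return (record["source_sha256"] == record["image_sha256"]
            and sha256_file(record["image"], chunk) == record["image_sha256"])

def demo():
    """Run the flow on a constructed sample (not real evidence); returns record, intact, tampered."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "sample_drive.bin")
    image = os.path.join(workdir, "sample_drive.dd")
    with open(source, "wb") as f:   # constructed: 3 MiB byte pattern plus 17 trailing bytes
        f.write(bytes(range(256)) * (3 * 4096) + b"trailing-bytes-17")
    record = acquire_image(source, image)
    intact = verify_image(record)
    with open(image, "ab") as f:    # simulate a change to the image after acquisition
        f.write(b"\x00")
    return record, intact, verify_image(record)
```

The acquisition record is what goes into the examiner's log; a later verification that fails, as in the tampered case in demo(), means the image can no longer be relied on as a faithful copy.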
Performing digital forensic examinations is the specialty of the Regional Computer Forensics Laboratory (RCFL) program.
Want to learn more? Tonex offers Digital Forensics Training Bootcamp, an intense 2-day course designed to train digital forensics examiners, analysts and fraud investigators. Students are taught electronic discovery and advanced digital forensic techniques. This course is essential to anyone encountering digital forensics and evidence while conducting an investigation.
Additionally, Tonex offers nearly 400 classes, seminars and workshops in close to four dozen categories of systems engineering training.