Computer Forensics
Understanding the role of computer forensics in investigating and analyzing data breaches and cybercrimes.
Understanding the role of computer forensics in investigating and analyzing data breaches and cybercrimes.
Computer forensics is the science of identifying, preserving, and analysing digital evidence. This evidence is critical in solving crimes, corporate disputes, and even national security cases.
Just as detectives gather clues at a physical crime scene, computer forensic investigators analyse digital devices to uncover evidence, ensuring it is handled properly for use in court.
Computer forensics are closely related to cybersecurity. Computer forensics findings can help cybersecurity teams speed cyberthreat detection and resolution, and prevent future cyberattacks. An emerging cybersecurity discipline, digital forensics and incident response (DFIR), integrates computer forensics and incident response activities to accelerate remediation of cyberthreats while ensuring that any related digital evidence is not compromised.
There are four main steps to computer forensics.
The first step is identifying the devices or storage media that might contain data, metadata or other digital artifacts relevant to the investigation. These devices are collected and placed in a forensics lab or other secure facility to follow protocol and help ensure proper data recovery.
Forensic experts create an image, or bit-for-bit copy, of the data to be preserved. Then, they safely store both the image and the original to protect them from being altered or destroyed.
Experts collect two kinds of data: persistent data, stored on a device's local hard disk drive and volatile data, located in memory or in transit (for example, registries, cache and random access memory, RAM). Volatile data must be handled especially carefully since it's ephemeral and can be lost if the device shuts down or loses power.
Next, forensics investigators analyze the image to identify relevant digital evidence. This can include intentionally or unintentionally deleted files, internet browsing history, emails and more.
To uncover "hidden" data or metadata others might miss, investigators use specialized techniques including live analysis, which evaluates still-running systems for volatile data, and reverse steganography, which exposes data hidden by using steganography, a technique for concealing sensitive information within ordinary-seeming messages.
As a final step, forensic experts create a formal report outlining their analysis, and share the investigation findings and any conclusions or recommendations. Though reports vary by case, they are often used to present digital evidence in a court of law.
To dive deeper into the field of computer forensics, check out these resources: