A leaf out of Digital Forensics adventures- Part 1

What is digital forensics?

A specialized branch of forensic science that works to recover and investigate digital devices in the world of cybercrime. The aim of this work is to identify, preserve, analyze, and document digital evidence in order to present it to the relevant law authorities as and when required.

Who is a Digital forensics investigator? 

A person who has a mindset to discover evidence and trace back the storyline to solve the case. It can range from discovering: 

How attackers gained access to the network- or the point of breach

Lateral movement on the network- or affected systems discovery

Information stolen or backdoors planted- Corporate Espionage 

Recover data that were attempted for deletion, damage as well as manipulation.


Let’s now analyze the different phases across a digital forensics investigation:

Phases:

1. First-line incident response

The focal point right after a suspected breach /security incident is known as the first response. These initial steps lay the foundation of SLAs and a plan of action.

2. Collect and secure the evidence

Here the forensic investigator searches for the infected devices and takes custody of the systems to proceed with forensic methods for evidence gathering and ensure it is accurate, authentic, and accessible.

3. Perform data analysis

Under this phase, the acquired data is used to unearth the evidence and structured into a storyline having the observations as an output from thorough assessments

4. Reporting and lessons learned.

The post-investigation phase covering documenting the finding with adequate and acceptable evidence and the lessons learned.

To deep dive further into evidence analysis phases: 

1. Identification and Acquisition  – This phase is focused on capturing the current state of a system for detailed analysis and investigation. A major focus is to isolate, secure, and preserve the system for data extraction. This includes preventing people from possibly tampering with the evidence.

2. Analysis – Post having a copy of the system image (acquisition of the system state) the evidence needs to be investigated for the breach and the Indicators of compromise 

Three kinds of evidence emerge as a possibility:

Inculpatory Evidence –  These are the evidence that supports a possible theory.

Exculpatory Evidence – This is any evidence that negates a possible theory.

Evidence of Tampering – These are the traces on the system which point towards attempted tampered to evade identification. Forensic investigators draw conclusions based on evidence found.

3. Presentation – This phase presents the conclusions and their corresponding evidence that the digital investigator has deduced. The concept of “chain of custody” comes into play here. The chain of custody refers to the complete ownership and handling of evidence to ensure those are protected and preserved and any modification to the evidence is prevented or recorded.

What kind of career can you expect as a digital forensic investigator?

Cyber Forensic Investigator

Cybersecurity Forensics Consultant

Security Forensics Analyst (SOC)


Required skillsets as a digital forensic investigator

Knowledge of Incident response lifecycle phases (such as SANS, NIST, etc.)

Knowledge of anti-forensic techniques

In-depth knowledge of hard disks and file systems

Investigating email crimes (such as business email compromise)

Ransomware incident handling/ Malware analysis

•       Mobile device forensics and data acquisition

Part- 2 will focus on the tools and techniques of the trade.


Check out my other articles on incident response:

https://securitywarrior9.blogspot.com/2021/05/incident-response-handling-for.html

https://securitywarrior9.blogspot.com/2021/04/researching-difference-between-siem-and.html

https://securitywarrior9.blogspot.com/2021/01/network-forensics-overview.html



Comments

Post a Comment

Popular posts from this blog

Stored XSS in Wonder CMS- CVE-2017-14522

Host Header Injection In Wonder CMS - CVE-2017-14523

Cross Site Request Forgery- Intex Router N-150 | CVE-2018-12529