Explained: digital forensics

What is it?

Digital forensics is a modern-day branch of forensic science that deals with the recovery and investigation of material found in digital devices. It is usually needed because of a (cyber) crime, whether suspected or established. The most common reasons for performing digital forensics are:

  • attribution
  • identifying a leak within an organization
  • assessing the possible damage that occurred during a breach

The field of digital forensics is divided up into several subdivisions, depending on the nature of the digital device that is the subject of the investigation:

  • computer forensics
  • network forensics
  • forensic data analysis
  • mobile device forensics

What does it take?

Working in this field combines the excitement of solving a puzzle with the data at hand and requires a deep understanding of the software and hardware involved. The most important skill is being able to find and interpret the data involved in the crime while making as few changes as possible to the device under investigation.

Cause and effect can be difficult to determine without a clear timeline, which adds another dimension to the puzzle: figuring out what the initial breach factor was and how the attackers proceeded from there.
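The two skills just described, preserving the evidence and reconstructing a timeline, can be illustrated with a small script. This is an added example and not code from the original article; the log lines, event records and file timestamps are constructed samples, and every function name is hypothetical. It merges artifacts that arrive in different timestamp formats and time zones (a firewall log in UTC, Windows event records in local time, file modification times as epoch seconds) into one ordered timeline, and it hashes the evidence before and after analysis to confirm that working on it changed nothing.

```python
"""Added example (not from the original article): build one ordered timeline
from artifacts of different sources and verify that the evidence copy being
analysed was not altered. All inputs below are constructed sample data."""
import hashlib
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample artifacts. Each source keeps its own timestamp format and
# one of them is in local time, which is why timestamps must be normalised
# before cause and effect can be reasoned about.
FIREWALL_LOG = [  # already in UTC
    "2024-03-05T08:14:02Z DENY src=203.0.113.7 dst=10.0.0.5 dport=445",
    "2024-03-05T08:14:10Z ALLOW src=203.0.113.7 dst=10.0.0.5 dport=3389",
]
WINDOWS_EVENTS = [  # local time, UTC+01:00, day/month/year
    {"time": "05/03/2024 09:15:31", "id": 4624, "msg": "Logon type 10 user=svc_backup"},
    {"time": "05/03/2024 09:21:04", "id": 4688, "msg": "Process created: powershell.exe"},
]
FILE_MTIMES = {  # epoch seconds from a file system listing (constructed)
    "C:/Users/Public/update.ps1": 1709626815,  # 2024-03-05 08:20:15 UTC
}


def parse_firewall(lines: List[str]) -> List[Dict]:
    """Firewall lines carry an ISO-8601 UTC timestamp as the first field."""
    events = []
    for line in lines:
        ts, rest = line.split(" ", 1)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"when": when, "source": "firewall", "detail": rest})
    return events


def parse_windows(records: List[Dict], utc_offset_hours: int) -> List[Dict]:
    """Event records are in local time; convert them to UTC using the host's offset."""
    local_tz = timezone(timedelta(hours=utc_offset_hours))
    events = []
    for rec in records:
        local = datetime.strptime(rec["time"], "%d/%m/%Y %H:%M:%S").replace(tzinfo=local_tz)
        events.append({
            "when": local.astimezone(timezone.utc),
            "source": "windows-eventlog",
            "detail": f"EventID {rec['id']}: {rec['msg']}",
        })
    return events


def parse_mtimes(listing: Dict[str, int]) -> List[Dict]:
    """File system timestamps are epoch seconds, which are UTC by definition."""
    return [
        {"when": datetime.fromtimestamp(epoch, tz=timezone.utc),
         "source": "filesystem", "detail": f"modified {path}"}
        for path, epoch in listing.items()
    ]


def build_timeline(*event_lists: List[Dict]) -> List[Dict]:
    """Merge all normalised events and order them chronologically."""
    merged = [event for events in event_lists for event in events]
    return sorted(merged, key=lambda event: event["when"])


def format_timeline(events: List[Dict]) -> List[str]:
    return [
        f"{e['when'].strftime('%Y-%m-%d %H:%M:%S')}Z  {e['source']:<16} {e['detail']}"
        for e in events
    ]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_unchanged(before: bytes, after: bytes) -> bool:
    """Compare the evidence hash taken before analysis with one taken after it."""
    return sha256_hex(before) == sha256_hex(after)


if __name__ == "__main__":
    timeline = build_timeline(
        parse_firewall(FIREWALL_LOG),
        parse_windows(WINDOWS_EVENTS, utc_offset_hours=1),
        parse_mtimes(FILE_MTIMES),
    )
    for line in format_timeline(timeline):
        print(line)
    # Constructed stand-in for a disk image: hash it, work on a copy, re-hash.
    evidence = b"constructed evidence image bytes"
    working_copy = bytes(evidence)
    print("evidence intact:", verify_unchanged(evidence, working_copy))
```

Once the events are in one UTC-ordered list, the sequence (blocked SMB probe, allowed RDP connection, interactive logon, script dropped, PowerShell started) reads as a chain of cause and effect that none of the three sources shows on its own. The hash comparison is the simplest form of the "minimal changes" discipline: analysis happens on a copy, and a matching digest afterwards demonstrates the original was not touched.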

What does it have in common with cybersecurity?

Cybersecurity and digital forensics are two fields that have a lot in common, and each feeds information to the other. Analyzing a breach may lead to new insights about preventing such a breach, and knowing how certain threats work makes it easier to create a timeline and look for a possible attack vector.

Is attribution always possible?

Attribution is always tough. Sometimes you can recognize a certain way of programming, but there is no way of telling whether that person wrote that piece of code for this purpose or whether someone simply copied it. Attribution by metadata is sometimes possible, but experienced cybercriminals are often too smart to leave evidence behind. Who benefits from the data that were stolen or destroyed is usually a better indicator of who might be responsible, but motive alone does not count in court.

Conclusion

Digital forensics is a science that is closely related to cybersecurity. Digital forensic analysts examine data and devices to find out as much as possible about a breach or crime that involved digital devices.

Pieter Arntz

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.