Digital – or “cyber”, if you prefer – forensics today is a far different beast than it used to be. Forensics always has been about investigations, either supporting or conducting, and discovering hidden artifacts that can explain some activity. We were flying somewhere many years ago and as we settled down for a trans-Atlantic flight, the flight attendant noticed our forensic text and asked what it was all about. The best answer we could give was, “It’s the science of why things broke.” If you think about it that’s a pretty good lay description. In classic forensics – such as forensic pathology – we are interested in why someone died. A forensic engineer analyzes why a crane or pump fell apart unexpectedly. So why should we not describe cyber forensics in those terms?
The simple answer to that is that it is no longer that simple. Back in the day when we were interested largely in computers dying that might have worked but today tracking the actions of a criminal over the Internet would be a bit of a reach to describe as finding out why something broke. A lot of organizations have struggled with posing a good and fully comprehensive definition of digital forensics and we won’t attempt that here. The point, however, is that the digital forensics world no longer is just computers. It’s now complicated operating systems of multiple types, internetworking devices, networks, name servers, databases, software applications and, oh, yes, computers.
Another change is that, more and more – except in some law enforcement and government agencies – we see the forensic examiner also fulfilling the role of the investigator and, likely, the security professional. That means that these folks bring a different mindset to the task of solving security incidents. They see things form a different perspective than the computer forensic practitioner of yore. More to the point of this month’s reviews, it also means that they need a very comprehensive tool kit. Back in the day all the computer forensic examiner needed was a small set of computer forensic tools. That meant he or she needed to be able to make a forensic image of a hard drive and analyze it with a computer forensic tool. Perhaps there were some small peripheral tools, such as a tool to examine the registry, but, largely, those tools have been subsumed by the major computer forensics products.
Today, the “extra” tools likely are those necessary to analyze malware, examine the impact of users – good or bad – on the operating system of a computer, the logs of a server, social media accounts, traces through the Internet and, perhaps, the Dark Web, as well as being able to tackle a near universe of mobile devices. The corporate forensic lab is getting bigger and bigger and the forensic tool developers are getting better and better at anticipating our needs.
We are just beginning to see the merging of various digital forensic functionalities into single products that are multi-purpose and so tightly integrated that data collected in one environment – e.g., mobile devices – slips smoothly into the examination of a computer allowing normalization and correlation. But these tools,as yet, are rare. As well, we are seeing non-forensic tools such as SIEMs being pressed into forensic duties. And this helps us understand what the realm of digital forensics really looks like. In fact, we are concerned with any tool that can help us understand the activities that surrounded, participated in or impacted a digital event that had negative – or potential negative – consequences for our organization.
The most important tool, we would argue, in a digital forensic investigation is between the investigator’s ears. The purpose of the tools that we will examine this month is to collect and analyze the data that are present in devices surrounding a digital security event. It is left to the investigator to interpret those data.
With that in mind – along with the axiom that you can never depend on a single tool to do your job – this month we will look at the latest crop of some old standbys. We saw no new products this year but we did see some new functionality. A lot of the emphasis is on the computer but we also have a few mobile device tools. Triage is an important aspect of an investigation and we address that too. Finally, we have the most experienced digital forensic case management tool to look at this year as we have in years past.
So, sit back and join us in a trip into digital forensic tools. It well could be that we’ll have something here to add to your lab.