Computer forensics, also known as cyber or digital forensics, is a set of investigation techniques used by forensics investigators to find, gather, analyze, and preserve digital evidence in the event of a cybercrime such as a breach or intrusion, when fraud has occurred, or if threats to the organization exist. The goal of a forensics investigation is to uncover information about the crime and create and preserve a documented chain of evidence that may be used in a court of law.
Through forensics, an investigator can learn what happened on a computing device or within a network, and discover clues about the perpetrator(s) and his/her actions. Most computer forensic investigations incorporate network forensics and memory forensics. A forensic investigator will use various tools and techniques to understand what happened during a crime and how it happened. Investigators, much to the surprise of many criminals, can uncover the adversary's file access, hidden files and folders, deleted information, downloads, data exfiltration, portable device storage, cloud access, mobile networks used, internet histories, executed applications, social network connectivity, and other detailed system usage. Criminals often leave a digital trail that helps the investigator form a picture of the crime, even if the criminal made concerted efforts to cover his/her tracks.
An investigator must be diligent throughout the investigation and ensure the scene of the crime (i.e., the network, or a given computer or device) is not contaminated during the investigation, since contamination can corrupt important evidence or make that evidence inadmissible in court. Poorly conducted forensics investigations can also potentially shift liability from the adversary to the organization if evidence is not preserved or presented correctly and therefore fails to meet compliance requirements.
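One concrete way an examiner demonstrates that evidence was not contaminated is to hash the acquired image at acquisition time, record the hash in a chain-of-custody manifest, and re-verify the hash before every analysis step. The following is an added example (not code from the original article or any specific forensic tool); the function names, the JSON manifest layout and the sample "disk image" are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Added example: evidence integrity via hash-based chain-of-custody records.
# All names and data here are constructed; no real case data is used.


def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Hash a file in chunks so a multi-gigabyte image never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def record_acquisition(evidence_path, manifest_path, examiner):
    """Write the acquisition hash plus who/when metadata as a chain-of-custody entry."""
    entry = {
        "file": os.path.basename(evidence_path),
        "size": os.path.getsize(evidence_path),
        "sha256": hash_file(evidence_path),
        "acquired_by": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
    }
    with open(manifest_path, "w") as f:
        json.dump(entry, f, indent=2)
    return entry


def verify_evidence(evidence_path, manifest_path):
    """Re-hash the evidence and compare with the recorded value.

    A mismatch means the bytes changed after acquisition (accidental write,
    tampering, or a broken copy), which is exactly the contamination an
    examiner must be able to rule out before relying on the evidence.
    """
    with open(manifest_path) as f:
        entry = json.load(f)
    current = hash_file(evidence_path)
    intact = current == entry["sha256"] and os.path.getsize(evidence_path) == entry["size"]
    return {"recorded": entry["sha256"], "current": current, "intact": intact}


def demo():
    """Constructed scenario: acquire, verify, then simulate contamination and verify again."""
    workdir = tempfile.mkdtemp()
    evidence = os.path.join(workdir, "disk.img")
    manifest = os.path.join(workdir, "disk.img.manifest.json")
    # Constructed stand-in for an acquired disk image.
    with open(evidence, "wb") as f:
        f.write(b"\x00" * 4096 + b"sample evidence image (constructed)")
    record_acquisition(evidence, manifest, examiner="examiner-placeholder")
    before = verify_evidence(evidence, manifest)["intact"]
    # Simulate an examiner accidentally writing to the original instead of a working copy.
    with open(evidence, "ab") as f:
        f.write(b"\x01")
    after = verify_evidence(evidence, manifest)["intact"]
    return before, after


if __name__ == "__main__":
    print(demo())  # (True, False)
```

In practice the manifest itself should be stored separately from the evidence (and ideally signed or kept on write-once media), analysis is performed on verified working copies rather than the original, and the verification result is logged each time the evidence is handled so the record can be presented alongside the findings.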
According to US-CERT, “Adding the ability to practice sound computer forensics will help you ensure the overall integrity and survivability of your network infrastructure.”