Why might your organization need to have digital forensics experts at the ready? Folks with this expertise can help your team with a variety of situations including insider theft investigations, wrongful termination cases, human resource (HR) violations, data recovery, legal holds, data exfiltration, ransomware, business email compromise, intellectual property (IP) theft, malware, and more.
Digital Forensics, simply put, refers to the analysis of electronic evidence, including the collection of and reporting on such evidence. The term implies that the data may be used in court proceedings. But what about when the methods that a digital forensics practitioner uses aren’t intended for court? The same methodologies of recovering data, analyzing content, and producing a report are also used in the field of Incident Response, which is the mitigation of harm from a computer security event. Together these fields are referred to by the acronym DFIR (Digital Forensics and Incident Response).
One of the most challenging aspects of Digital Forensics is that the landscape is always changing. This could be due to emerging technologies such as cloud data, Internet of Things (IoT) devices, Virtual Reality/Augmented Reality (VR/AR), Industrial Control Systems (ICS) and more. In addition to new technologies, everyday devices such as mobile phones and laptops are constantly receiving updated operating systems. Add the ever-changing world of apps into the picture and there is a constant need to maintain the skills of the digital forensics and incident response professionals in an organization. The challenges exist both for the acquisition of the data and for the analysis of the data that has been collected.
Digital forensics and incident response professionals can be in-house or external 3rd party analysts. What is important is that they are part of your response to legal queries that involve digital evidence and/or computer security incidents. Organizations sometimes rely on the internal IT team to handle the response to a computer security event, legal hold, or investigation. This has the potential to cause disastrous effects, including compliance issues, fines, loss of data, or loss in a judicial proceeding. For power plants, hospitals, or other critical infrastructure, the loss could be devastating.
If one is not familiar with digital forensics tools and procedures, they may collect data in a manner that is not suitable for examination or presentation in court. For example, I once worked a case where an internal IT team attempted to make a forensic image, but instead made the type of image one would use to clone a machine. This clone lacked the original metadata and references to user-deleted content that would have existed in a forensic image. Because the wrong type of image was created, we were unable to proceed with the investigation as the trace artifacts were not available. It is key to either have folks in-house who are trained in digital forensics processes and tools or to utilize 3rd party digital forensics and incident response professionals when the need arises.
There is a plethora of resources for learning digital forensics. If anyone is interested in keeping up with all the content that digital forensics researchers and practitioners put out each week, I recommend Phill Moore’s ThisWeekIn4n6. If someone is looking to get started with Digital Forensics and Incident Response knowledge, Elan Wright maintains a site, DFIR Diva, that shares free and affordable training for beginners in Digital Forensics and Incident Response. There are a variety of Digital Forensics YouTube channels such as 13 Cubed and DFIR Science that teach tactical skills. Additionally, there are paid training courses from organizations like SANS that deep dive into different forensic topics such as Windows Forensics, Mac Forensics, Memory Analysis, Reverse Engineering, Mobile Forensics, and others. This is a great place to start. It is important to remember that there are several niche areas in the field of Digital Forensics and Incident Response, so even a trained examiner with years of experience may not be skilled in every area.
There are several skills that digital forensics and incident response professionals need to have. These skills traditionally include an understanding of operating systems, evidence collection, the ability to utilize forensic tools, and the ability to communicate results in a written report. However, with the ever-changing landscape, conducting forensic examinations now also requires the ability not only to collect data and run forensic tools, but to manually verify parsed results and to find trace evidence and artifacts that tools do not support. Because operating systems, devices, and applications change constantly, digital forensics examiners need the skills to discover and test new types of artifacts. This requires knowledge of data structures such as SQL databases, JSON, LevelDB databases, XML, plists, and more. It is also helpful for forensic examiners to be able to write code that parses newly discovered forensic artifacts; Python is the language that is compatible with most forensic tools. Just as an understanding of data structures, manual testing and validation of artifacts, and programming skills are now a necessity, other skills are emerging as necessary: an understanding of cloud architecture, logs, and security settings, and knowledge of YARA, a tool that uses rules to find Indicators of Compromise associated with malware, ransomware, and intrusions. Continuing education is critical for Digital Forensics Examiners, as new technologies, and new methodologies for handling them, continue to appear from both a data acquisition and a data analysis perspective.
Digital Forensics and Incident Response are critical parts of an organization’s security and legal infrastructure. It is important that organizations ensure that they have folks with these skills on their security teams or that they have partnered with an external service provider. Digital Forensics and Incident Response are constantly evolving fields as technology continues to emerge and will play a critical role in organizations big and small as they deal with cybercrime, insider threats, and more.