Digital Forensics

forensics notes

Uploaded by

Milan Deep

Module 1: Introduction

04 January 2024 11:05

Module 1 Page 1
Digital Forensics
09 January 2024 23:22

What Is Digital Forensics?


Digital forensics is the practice of identifying, acquiring, and analysing electronic evidence. Today almost all
criminal activity has a digital forensics element, and digital forensics experts provide critical assistance to police
investigations. Digital forensic data is commonly used in court proceedings.
An important part of digital forensics is the analysis of suspected cyberattacks, with the objective of identifying,
mitigating, and eradicating cyber threats. This makes digital forensics a critical part of the incident response
process. Digital forensics is also useful in the aftermath of an attack, to provide information required by auditors,
legal teams, or law enforcement.
Electronic evidence can be gathered from a variety of sources, including computers, mobile devices, remote
storage devices, internet of things (IoT) devices, and virtually any other computerized system.

Why Is Digital Forensics Important?


Digital forensics is commonly thought to be confined to digital and computing environments. But in fact, it has a
much larger impact on society. Because computers and computerized devices are now used in every aspect of life,
digital evidence has become critical to solving many types of crimes and legal issues, both in the digital and in the
physical world.
All connected devices generate massive amounts of data. Many devices log all actions performed by their users,
as well as autonomous activities performed by the device, such as network connections and data transfers. This
includes cars, mobile phones, routers, personal computers, traffic lights, and many other devices in the private and
public spheres.
Digital evidence can be used in investigations and legal proceedings for:
• Data theft and network breaches—digital forensics is used to understand how a breach happened and who
the attackers were.
• Online fraud and identity theft—digital forensics is used to understand the impact of a breach on
organizations and their customers.
• Violent crimes like burglary, assault, and murder—digital forensics is used to capture digital evidence from
mobile phones, cars, or other devices in the vicinity of the crime.
• White collar crimes—digital forensics is used to collect evidence that can help identify and prosecute crimes
like corporate fraud, embezzlement, and extortion.

Defining Digital Risks


As organizations use more complex, interconnected supply chains including multiple customers, partners, and
software vendors, they expose digital assets to attack. Organizations also leverage complex IT environments
including on-premise and mobile endpoints, cloud-based services, and cloud native technologies like containers—
creating many new attack surfaces.
Digital risks can be broken down into the following categories:
• Cybersecurity risk—an attack that aims to access sensitive information or systems and use them for
malicious purposes, such as extortion or sabotage.
• Compliance risk—a risk posed to an organization by the use of a technology in a regulated environment. For
example, technologies can violate data privacy requirements, or might not have security controls required by a
security standard.
• Third party risks—these are risks associated with outsourcing to third-party vendors or service providers. For
example, exposure of intellectual property, operational or financial data, customer information, or other
sensitive information shared with third parties.
• Identity risk—attacks aimed at stealing credentials or taking over accounts. These types of risks can face an
organization’s own user accounts, or those it manages on behalf of its customers.

What Are the Different Branches of Digital Forensics?


Here is a brief overview of the main types of digital forensics:
Computer Forensics
Computer forensic science (computer forensics) investigates computers and digital storage evidence. It involves
examining digital data to identify, preserve, recover, analyze and present facts and opinions on inspected
information.
This branch of digital forensics uses similar principles and techniques to data recovery, but includes additional
practices and guidelines that create a legal audit trail with a clear chain of custody.
Mobile Device Forensics
Mobile device forensics focuses primarily on recovering digital evidence from mobile devices. It involves
investigating any device with internal memory and communication functionality, such as mobile phones, PDA
devices, tablets, and GPS devices.
Network Forensics
The network forensics field monitors, registers, and analyzes network activities. Network data is highly dynamic,
even volatile, and once transmitted, it is gone. This means that network forensics is usually a proactive investigation
process.
Forensic Data Analysis
Forensic data analysis (FDA) focuses on examining structured data, found in application systems and databases,
in the context of financial crime. FDA aims to detect and analyze patterns of fraudulent activity.
Database Forensics
Database forensics involves investigating access to databases and reporting changes made to the data. You can
apply database forensics to various purposes. For example, you can use database forensics to identify database
transactions that indicate fraud.
Alternatively, your database forensics analysis may focus on timestamps associated with the update time of a row
in your relational database. This investigation aims to inspect and test the database for validity and verify the
actions of a certain database user.

The Digital Forensics Process
09 January 2024 23:19

The Digital Forensics Process


The digital forensics process may change from one scenario to another, but it typically consists of four core
steps—collection, examination, analysis, and reporting.
Collection
The collection phase involves acquiring digital evidence, usually by seizing physical assets, such as computers,
hard drives, or phones. It is critical to ensure that data is not lost or damaged during the collection process. You
can prevent data loss by copying storage media or creating images of the original.
Examination and preservation
The examination phase involves identifying and extracting data. You can split this phase into several steps—
prepare, extract, and identify.
When preparing to extract data, you can decide whether to work on a live or dead system. For example, you can
power up a laptop to work on it live or connect a hard drive to a lab computer.
During the identification step, you need to determine which pieces of data are relevant to the investigation. For
example, warrants may restrict an investigation to specific pieces of data.
Analysis
The analysis phase involves using collected data to prove or disprove a case built by the examiners. Here are
key questions examiners need to answer for all relevant data items:
• Who created the data
• Who edited the data
• How the data was created
• When these activities occurred
In addition to supplying the above information, examiners also determine how the information relates to the
case.
Reporting
The reporting phase involves synthesizing the data and analysis into a format that makes sense to laypeople.
These reports are essential because they help convey the information so that all stakeholders can understand.
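The collection step in code, as an added example that is not part of these notes: a bit-for-bit copy of the seized media, with the source hashed while it is read and the image re-hashed afterwards, so the two digests and the acquisition time can go straight into the chain-of-custody record. The "drive" here is a constructed file in a temporary directory; on a real acquisition the source path would be a write-blocked block device.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read in 1 MiB blocks, as an imaging tool would


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image_path):
    """Copy `source` bit-for-bit to `image_path`. The source is hashed while
    it is read and the image is re-hashed afterwards, so any byte lost or
    altered during acquisition shows up as a digest mismatch."""
    src_hash = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
    image_hash = sha256_file(image_path)
    # Chain-of-custody record for the case file: what, when, size, digests.
    return {
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "source": source,
        "image": image_path,
        "size_bytes": os.path.getsize(image_path),
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": image_hash,
        "verified": src_hash.hexdigest() == image_hash,
    }


def demo():
    """Image a constructed stand-in for a seized drive (a plain file here;
    in a real case it would be a write-blocked device) and verify the copy."""
    workdir = tempfile.mkdtemp()
    fake_drive = os.path.join(workdir, "evidence.raw")
    with open(fake_drive, "wb") as f:  # constructed sample content
        f.write(b"\x00" * 4096 + b"CONSTRUCTED SAMPLE DATA" + b"\xff" * 4096)
    return acquire_image(fake_drive, os.path.join(workdir, "evidence.dd"))


if __name__ == "__main__":
    print(demo())
```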

Digital Forensic Techniques


Digital forensics involves creating copies of a compromised device and then using various techniques and tools
to examine the information. Digital forensics techniques help inspect unallocated disk space and hidden folders
for copies of encrypted, damaged, or deleted files. Here are common techniques:
Reverse Steganography
Cybercriminals use steganography to hide data inside digital files, messages, or data streams. Reverse
steganography involves analysing the hash of the data in a specific file. When inspected in a digital file or
image, hidden information may not look suspicious. However, hidden information does change the underlying
hash or string of data representing the image.
Stochastic Forensics
Stochastic forensics helps analyze and reconstruct digital activity that does not generate digital artifacts. A
digital artifact is an unintended alteration of data that occurs due to digital processes. Text files, for example,
are digital artifacts that can contain clues related to a digital crime like a data theft that changes file attributes.
Stochastic forensics helps investigate data breaches resulting from insider threats, which may not leave behind
digital artifacts.
Cross-drive Analysis
Cross-drive analysis, also known as anomaly detection, helps find similarities to provide context for the
investigation. These similarities serve as baselines to detect suspicious events. It typically involves correlating
and cross-referencing information across multiple computer drives to find, analyze, and preserve any
information relevant to the investigation.
Live Analysis
Live analysis occurs in the operating system while the device or computer is running. It involves using system
tools that find, analyze, and extract volatile data, typically stored in RAM or cache. Live analysis typically
requires keeping the inspected computer in a forensic lab to maintain the chain of evidence properly.
Deleted File Recovery
Deleted file recovery, also known as data carving or file carving, is a technique that helps recover deleted files.
It involves searching a computer system and memory for fragments of files that were partially deleted in one
location while leaving traces elsewhere on the inspected machine.
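File carving as an added example, not code from these notes: a minimal header/trailer carver in Python that scans raw bytes for known file signatures, ignoring any filesystem metadata, which is what lets it recover files whose directory entries are gone. The signature list is limited to two formats and the image it runs over is constructed for the demonstration, including one orphaned header whose body was overwritten.

```python
import hashlib

# Header/trailer signatures the carver looks for. A constructed list limited to
# two common image formats; real carvers ship hundreds of signatures.
SIGNATURES = [
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9"),
]
MAX_FILE = 8 * 1024 * 1024  # a header with no trailer within 8 MiB is skipped


def carve(image):
    """Scan raw bytes for known headers and cut each file at its trailer.
    No filesystem metadata is consulted, which is why this recovers files
    whose directory entries were deleted. Returns (type, offset, data)."""
    found = []
    for name, header, trailer in SIGNATURES:
        start = image.find(header)
        while start != -1:
            end = image.find(trailer, start + len(header), start + MAX_FILE)
            if end == -1:  # truncated or overwritten: skip this header
                start = image.find(header, start + 1)
                continue
            found.append((name, start, image[start:end + len(trailer)]))
            start = image.find(header, end + len(trailer))
    return sorted(found, key=lambda f: f[1])


def carve_report(image):
    """One record per carved file: offset, size and SHA-256, as it would be
    logged in the case file before the artefact is analysed."""
    return [{"type": t, "offset": off, "size": len(d),
             "sha256": hashlib.sha256(d).hexdigest()}
            for t, off, d in carve(image)]


def build_sample_image():
    """Constructed 'unallocated space': slack, a PNG-shaped blob, more slack,
    a JPEG-shaped blob, then a lone JPEG header whose body was overwritten."""
    png = SIGNATURES[0][1] + b"\x00\x00\x00\rIHDR" + b"\x00" * 17 + SIGNATURES[0][2]
    jpg = SIGNATURES[1][1] + b"\xe0\x00\x10JFIF" + b"\x01" * 30 + SIGNATURES[1][2]
    return (b"\x00" * 512 + png + b"\xff" * 300 + jpg
            + b"\x00" * 64 + SIGNATURES[1][1] + b"\x00" * 64)


if __name__ == "__main__":
    for rec in carve_report(build_sample_image()):
        print(rec)
```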

