What is digital forensics?
February 6, 2019
Call it digital-era detective work.
Just as crime-scene investigators examine physical evidence – such as blood, hair, fingerprints, or fibers – their counterparts in the cyber domain collect digital clues that shed light on breaches, data theft, and other types of cyber crime.
“Every time you commit a crime, you take something with you, and you also leave something behind – whether you mean to or not,” says professor Rick Hansen, who teaches at Capitol Technology University and coaches cyber competition teams at the school. “In digital forensics, we’re looking for what’s been left behind.”
“Just as with physical crimes, such evidence helps us answer the important questions about an incident – what happened, and why? Was it malicious? Was it just an accident?”
As they investigate breaches and cyber attacks, professionals in the field have sophisticated tools to help them – for example, specially configured devices, known as write blockers, that provide access to a computer’s hard drive without interfering with the contents. After all, whether the crime is physical or digital, it’s crucial not to destroy – or tamper with – the evidence.
Memory forensics tools, meanwhile, are used to prevent important clues from vanishing like a set of disturbed fingerprints. When a computer is powered off, data stored in temporary memory vanishes. That can include unsaved text or images on the computer’s clipboard, chat messages, or the user’s browsing history. Digital forensics often involves the use of tools that will capture this data for analysis before it disappears.
Investigators also scour log files. “Every time you take a significant action on a computer, it’s written to an electronic log,” Hansen says. “The bad news is that sometimes people erase those logs. Even if you erase something off of a hard drive, there are very smart people who can pull out the data, even if you’ve erased it three or four times.”
Fictional depictions of the crime investigation process – such as TV’s CSI series – have been criticized for over-glamorizing what is in fact a methodical, painstaking, and sometimes tedious process. Likewise, uncovering malicious activities on a network often requires a great deal of patient, systematic work.
While being a digital forensics examiner can be a career in and of itself, knowledge of the techniques and tools involved is important for nearly any cybersecurity and cyber analytics professional – and it’s an essential part of the curriculum in the cybersecurity and cyber analytics programs at Capitol Tech. Students also gain hands-on experience with forensics techniques through the university’s on-site Security Operations Center (SOC).
Dave Mathisen, a senior who manages the university SOC, spends much of his day scrutinizing logs and processes. He also creates rule sets for a security information and event management (SIEM) tool, Splunk, that enable it to automatically detect suspicious anomalies that occur in an operating system.
“It’s like being a detective,” he says. “You see something that you don’t understand. Most of the time you’ll go look it up and it will just be something normal in an operating system.”
“But there are times when you’ll actually find something that is bad,” he says. “Then you have to start at the beginning and try to identify what process on the computer is involved. What user is running it? Where is the IP address? What country is this coming from?”
“You start working further until you can say with high certainty either that it’s not malicious – or that it is.”
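As an added illustration of the log-triage workflow Mathisen describes (not code from the article or from the university’s SOC), the Python below applies one simple detection rule to a few constructed log lines and reports the process, user and addresses an analyst would look at first. The log format, the internal address ranges and the watched-process list are assumptions made for this example; the “what country” question would need a GeoIP lookup, which is replaced here by an internal-versus-external address check.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log lines (not from the article), one event per line in a
# simplified "timestamp host key=value ..." form.
SAMPLE_LOGS = """\
2019-02-06T09:00:01 ws01 process=outlook.exe user=alice src=10.0.0.12 action=start
2019-02-06T09:02:13 ws01 process=powershell.exe user=alice src=10.0.0.12 action=start
2019-02-06T09:02:14 ws01 process=powershell.exe user=alice src=10.0.0.12 action=connect dst=203.0.113.7
2019-02-06T09:02:15 ws01 process=powershell.exe user=alice src=10.0.0.12 action=connect dst=203.0.113.7
2019-02-06T09:03:00 ws02 process=svchost.exe user=SYSTEM src=10.0.0.13 action=connect dst=10.0.0.2
"""

# Hypothetical baseline for this site: address ranges that belong to the organisation,
# and scripting hosts that should not normally talk to the outside from a workstation.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
WATCHED_PROCESSES = {"powershell.exe", "cmd.exe", "wscript.exe"}

FIELD = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Split one log line into a dict: ts, host, plus every key=value field."""
    ts, host, rest = line.split(" ", 2)
    event = {"ts": ts, "host": host}
    event.update(FIELD.findall(rest))
    return event

def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_NETS)

def triage(log_text):
    """Rule: a watched process connecting outside INTERNAL_NETS is an anomaly.
    Returns one record per (host, process, user, src, dst) with count and first_seen."""
    hits = defaultdict(lambda: {"count": 0, "first_seen": None})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("action") != "connect" or ev["process"] not in WATCHED_PROCESSES:
            continue
        if is_internal(ev["dst"]):  # internal traffic is out of scope for this rule
            continue
        key = (ev["host"], ev["process"], ev["user"], ev["src"], ev["dst"])
        rec = hits[key]
        rec["count"] += 1
        rec["first_seen"] = rec["first_seen"] or ev["ts"]
    return [dict(zip(("host", "process", "user", "src", "dst"), k), **v) for k, v in hits.items()]
```

Calling `triage(SAMPLE_LOGS)` returns a single record: powershell.exe run by alice on ws01 connecting twice to 203.0.113.7, starting at 09:02:14; the other sample events are left alone.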