What is digital forensics?


Understanding digital forensics and other frequently asked questions about the investigative cyber service.

Blackpanda specializes in Digital Forensics and Incident Response (DFIR), a field within cyber security that focuses on the identification, investigation, and remediation of cyber attacks.

Although both digital forensics and incident response are typically employed in conjunction when responding to a cyber breach, each discipline has a specific use case that is vital to the work we do at Blackpanda.

While incident response tackles the immediate requirements of breach response, digital forensics enables Blackpanda specialists to sift through the aftermath of an attack in order to better understand how the breach happened in the first place.

To better delineate this contrast, this article provides a brief overview of what digital forensics is and answers frequently asked questions about our favorite set of investigative cyber techniques.

What is digital forensics?

Digital forensics is the process of uncovering and interpreting electronic data from digital devices. Data collected from these devices help identify and preserve evidentiary materials in an organization’s digital infrastructure, and can be very important in an investigation relating to a cyber attack.

Digital forensics practices include:

  • File System Forensics - whereby file systems within the endpoint are analyzed for signs of compromise
  • Memory Forensics - whereby the computer memory is analyzed for attack indicators that may not appear within the file system
  • Network Forensics - whereby network activity (including emailing, messaging and web browsing) is reviewed to identify an attack, understand the cyber criminal’s attack techniques and gauge the scope of the incident
  • Log Analysis - whereby activity records or logs are reviewed and interpreted to identify suspicious activity or anomalous events

On top of this, analysis from the digital forensics team can help shape and strengthen preventative security measures, such as compromise assessments. This can enable the organization to reduce overall risk, as well as speed up future response times.

The history of digital forensics takes root in physical investigations carried out by the police and secret services, whereby digital forensics originated as a tool for data recovery and evolved into a critical capability for law enforcement as well as criminal and civil proceedings. It is one of many capabilities employed by advanced incident responders, serving as a critical tool to investigate cyber crime.


How is digital forensics different from cyber security?

As awareness and understanding of cyber security continue to grow among the general public, terms such as cyber security and digital forensics are often used loosely, without a clear distinction. They are, however, different concepts: digital forensics is only one part of the activities practiced in the world of cyber security. In particular, digital forensics focuses on the reactive component of cyber security, supporting the incident response process in reconstructing the chain of events that led to a breach, understanding the source of the attack, and recovering compromised data. On the other hand, preventive cyber security activities and tools include Endpoint Detection and Response (EDR), Vulnerability Assessments & Penetration Testing, and Compromise Assessments, to name a few.

How is digital forensics used in incident response?

By using their proficiency in computer networking and applying a thorough understanding of the factors that lead to compromised systems, cyber security incident responders can provide invaluable support in times of crisis. Acting as watchdogs and first responders against cyber crimes, these specialists apply digital forensics standards to collect, process, preserve, and analyze the digital evidence of a compromised system, looking for footprints and signatures left behind by cyber criminals.

While each case presents its own set of challenges, incident responders are able to identify, compile, and interpret large volumes of electronic data, largely through digital forensic techniques.

Additionally, the use of digital forensics assists in the recovery of lost or stolen data as part of cyber incident response efforts following a breach.

Upon being tasked to conduct incident response procedures on an endpoint or network, a digital forensics specialist will start by conducting data and security breach investigations. They will then attempt to recover and examine data from computers and electronic storage devices, as well as dismantle and rebuild damaged systems to retrieve lost data. As a last step, specialists will work to identify additional systems compromised by cyberattacks and finally begin the compilation of evidence for relevant legal cases. The end goal for a digital forensics investigator is to recover as much lost data as possible, identify the perpetrator of a cyber crime, and obtain hard evidence against them so that it can be used in a court of law.

Digital forensic practitioners are skilled in identifying and working to retrieve data that is intentionally hidden, password-protected or encrypted, while ensuring that data is not damaged or altered during the examination. Concepts such as Rules of Evidence, Chain of Custody, and Data Integrity (to name a few) are commonly used by professional digital forensic practitioners.

Is digital forensics reliable?

Digital forensics is a discipline that provides decision-makers with factual and reliable evidence of digital traces on any device under investigation. It is a collection of techniques that have been used in civil, corporate, law enforcement, and military applications globally.  

Digital forensic practitioners should be highly trained and experienced, as they must be able to attest that steps taken during the digital forensic investigation adhere to one or more regulatory frameworks and have produced the most reliable evidence given the available data, making it admissible in a court of law. Digital forensic practitioners who have their evidence examined in court are ultimately accepted as subject matter experts in certain jurisdictions.

However, investigative results and human interpretations depend on transparent access to client information as well as the proper use of specialist tools and applications designed to interpret and generate digital data. Tools may be used improperly by untrained responders, leading to faulty investigative conclusions. Where client data is limited (whether by lack of pre-breach preparation or unwillingness to disclose), investigative results may also be limited.

Improving the reliability of investigative results depends critically on sufficient pre-breach incident response planning, including security event monitoring and logging, as well as on ensuring your incident response team uses high-quality tools in which they are both properly trained and experienced.


How Is Digital Forensics Used in a Business Setting?

Cyber threats are no longer solely external. The rise of phishing emails, inadvertent data leaks, and malicious insider threats remains a top concern of IT leaders across the globe, accentuating the need for accurate and efficient digital forensic investigations supported by a comprehensive cyber incident response plan.

The protection of Personally Identifiable Information (PII) is another aspect of business that requires vigilance, as it carries financial and legal repercussions, often requiring highly valuable digital forensic evidence in a court of law.

As more companies turn to digital forensics experts to investigate their digital infrastructure following a breach or compromise, valuable insights into a company’s digital vulnerabilities are usually identified, which can then be acted upon to secure the enterprise.

— —

We hope these answers and insights have served as a helpful start to learning more about one of the many cyber security services a company like Blackpanda can offer your business. Blackpanda offers bespoke Digital Forensics and Incident Response services to organizations in the APAC region.

Our Digital Forensics specialists draw from decades of intelligence and military experience, employing effective and battle-tested approaches when dealing with cyber incidents. In the event that your organization suffers a cyber breach, or more simply, if you would like to assess your existing defences across your network, don’t hesitate to reach out to us via the contact form below or through our email hello@blackpanda.com.
