Cyber security breaches have become rapidly one of the main concerns among all kinds of organizations. Even though companies are investing in complex new solutions against undesired guests, the task has never been easier. The various backdoors, loose ends and interconnected computer systems, mean that these intrusions are sometimes… inevitable. If unfortunately that happens, companies are left with little options but to quickly spot where the vulnerability was, fix it and learn from it, to prevent future attempts. Once the hysteria has passed and functionality has been restored, it is about time that investigators jump in, to gather all possible evidence to find out who the perpetrators were and what they were after.
To do so, investigators can make good use of an impressive solution: Digital Forensics. This new field can make the tides change completely in an investigation. The shift to the digital world brings many challenges for justice seekers, but it also opens up new opportunities in the shape of traceability and records hidden within the malware software used to break through a system. Everything that is done in an electronic device leaves watermarks, inputs that can be traced down and followed if needed. Digital Forensics, therefore, is the science responsible to crack those marks.
What is Digital Forensics
Academically, according to the US-CERT forensics publication, “Digital forensics is the discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence whether during an investigation inside any organization or in a court of law.”
What Digital Forensics sought after is digital evidence when a crime/security breach is committed. This digital evidence is information stored or transmitted in binary form that may be relied on, in court. It can be found on a computer hard drive, a mobile phone, a personal digital assistant (PDA), a CD, a flash card in a digital camera, and many other places. “Digital evidence is commonly associated with electronic crime, or e-crime, such as child pornography or credit card fraud. However, digital evidence is now used to prosecute all types of crimes, not just e-crime,” as the USA National Institute of Justice described it.
In digital forensics, it is super important not only to trace the data, but also to look at the means followed to do so. Not everything is allowed when cracking down other people’s devices, as data can be easily manipulated along the way. That is why there is a really strict procedure that cannot be skipped or omitted, called Chain of Custody. This basically lays down all the steps that an investigator must follow to make sure the that data is genuine and as such can be used in a court of law. It is a must-do procedure to record evidence documentation in chronological events.
What is Chain of Custody
Chain of Custody is a critical step in gathering digital evidence as it holds information about all individuals that participated in the whole digital forensics examination process. The chain of custody process is therefore critical in gathering evidence for Digital Forensics experts.
Although it might be a complex task, there are guidelines that might ease the endeavour greatly. A good investigator needs to follow these guidelines strictly, to preserve the integrity of the final digital evidence and the whole forensic process overall. Those processes are the following:
- Preparation of tools and techniques
- Approach Strategy. Collect maximum number of evidence
- Preservation of physical and digital evidence and isolate them to ensure their integrity
- Collection and duplication of all digital evidence
- Examination. In-depth search of evidence
- Analysis of all evidence
- Presentation. Explanation and a summary of the whole process
- Returning Evidence and lessons learned. Final step of the investigation process.
What are the challenges companies face in the dawn of new technological developments and how a Digital Forensics Lab can tackle each one of them?
Today, many organizations rely mainly on information technology to process or handle their services internally and externally, and as such, they have become more exposed to e-crime. New technologies and applications that aid companies in their day-to-day functionality comes with a great risk too. Internet of Things, the use of computing Cloud to store private information, Artificial Intelligence within software or new complex databases are just a few of the whole array of new technologies that companies rely on to run their businesses. However, these techs are by definition relatively new and so are the security they are provided with.
Companies face here important challenges that Digital Forensics can help sort out, by setting up an in-house lab. The huge amount of data roaming across a business’ databases, the implementation of underdeveloped new technologies mentioned above, the need of trace information through multiple devices and the increase of threats and variety of malware software, have made the job of an investigator even tougher. The process of properly extracting digital evidence in case of a security breach is now more complex then ever.
Setting up a Digital Forensics Lab is then key to truly become protected if an unintended trespasser is spotted. The heads of the lab must understand the threats a company face to invest the available resources wisely. That regards quantity and quality of installations and equipment; the level of training for new staff; standard compliance and Lab accreditation according to current law regulations; and budget plans for the mid and long terms.
If properly set up, a Digital Forensics lab can quickly act to seize, preserve, and analyse evidences and it keeps the examiner on track by ensuring a proper and effective presentation of findings.
Part 2 will be posted soon