Glossary / Forensics

Forensics

The practice of collecting and analyzing data from computer systems, networks, wireless communications, and storage devices that supports an investigation.

What is Digital Forensics?

Digital forensics is the practice of collecting and analyzing data from computer systems, networks, wireless communications, and storage devices that support an investigation.

Cybersecurity vs Forensics

Cybersecurity and computer forensics are similar, but not the same thing.

Both focus on protecting digital assets and intelligence from cybercriminals. Both types of professionals are employed in virtually all industries and sectors. As more and more companies realize the importance of securing their networks and technology, both cybersecurity and computer forensics professionals are in high demand. However, there are differences between the two disciplines.

Cybersecurity is about preventing attackers from taking control of your computers or networks. Computer forensics is about finding out what damage was done in the wake of an attack. Both are important parts of an organization, as these teams work together to protect your business from attacks.

Here are some further differences between the two:

  • Cybersecurity is about preventing breaches from happening. A cyber attack can be defined as an illegal attempt by a person or group to gain unauthorized access to computers connected to the Internet or other computer network, usually with the intent of committing fraud or causing damage.

  • Digital Forensics is an investigation process of gathering, analyzing, preserving, reporting, and presenting this digital evidence of cyberattacks found on computers, mobile phones, tablets, hard drives, memory cards, USB sticks, or other electronic devices.

How Does Digital Forensics Work?

Digital Forensic investigators typically follow standard procedures with analytical skills. These procedures involve collecting data electronically, and creating a digital copy of the electronic data - then locking the original data away in a safe or other secured location.

The investigator conducts the investigation using a digital copy. In some cases, publicly available information about an individual may be used for forensic investigations. For example, the Vicemo website displays publicly available information about individuals who purchase illegal items.

Forensic investigators use various tools to examine digital files. They also sometimes use a mouse jiggler to prevent computers from sleeping and losing important data. When presenting evidence, they must be careful not to reveal any confidential information about the defendant.

What techniques do forensic investigators use?

Investigators use a variety of security measures and techniques to examine the copy they have made of a compromised device, including searching hidden folders and unallocated disk space for copies of the deleted, encrypted or damaged information. Evidence is carefully documented in a report and verified with the device before any legal action takes place.

Computer forensic investigations use a combination of techniques and expert knowledge - such as:

  1. Steganography: Data hiding is a common tactic used by criminals to hide data inside any kind of digital file, message, or stream. A computer forensic expert reverses a data hiding effort by analyzing the data hashing contained within the file. If a criminal hides important information inside images, it may seem the same before and after, but the underlying hash changes.

  2. Stochastic forensics: Security experts analyze and reconstruct digital activity by looking at what happened before, during, and after the network security attack. Digital artifacts are left behind by attackers, but they may also be found by forensic examiners.

  3. Cross-drive analysis: Anomaly detection is a method used by investigators to detect suspicious activity. Investigators compare events that raise suspicions with information on other drives.

  4. Live analysis: Volatile data is stored in memory. This means that the data can be retrieved even if the computer is turned off. Tools used to retrieve volatile data include system tools such as Process Monitor (PST) and Volatility.

  5. Deleted file recovery: Data carving is used by law enforcement to search computers for evidence of a security breach. In this case, the police use it to try to recover some missing data from a hard drive.

Digital Forensics and Preventing Viruses

Antivirus software is an essential part of computer security. It helps prevent hackers from infecting your system, and also helps you identify malicious programs. Software that detects spyware and malware can be used to remove these files before they do any harm.

Antivirus software is an important and essential part of computer security for business and personal use. Viruses are often spread via email or other electronic means, and antivirus software can detect these threats before they cause damage.

Digital Forensics and Preventing Attacks

Digital forensics has found valuable info that allows cyber security companies to create technology that prevents hackers from hacking into devices or networks. Hackers and hijackers are skilled at making their way into a network, but cyber security has collected data that cyber security companies can use to prevent hackers and hijackers from getting into a device, network, or computer.

Hackers and hijackers steal, erase or exploit information by using malware. Cyber security software detects relevant data to protect and scans networks to make sure no outsiders are present.

Examples of digital crimes uncovered by forensic investigations

Computer forensics has been used by law enforcement agencies and courts since the 1980s. Here are some notable cases:

  • Apple

Apple’s iPhone trade secrets were stolen by a Chinese man, Xiaolang Zhang, who worked for Apple’s self-driving car team. He told reporters that he was going back to China to look after his sick mother. According to an FBI affidavit, Apple’s security team reviewed Zhang’s activities on the company network and discovered, in the days before his resignation, he downloaded sensitive corporate documents to which he had access for personal use. He was charged with fraud in 2018.

  • Enron

One of the biggest accounting frauds ever occurred when American energy, commodities, and services firm Enron falsely reported $9 billion in revenues for 2000 alone. It caused massive losses among its investors and employees. Forensic investigators analyzed thousands of gigabytes of data to uncover the intricate fraud scheme. The scandal was one of several factors leading up to the passage of the Sarbanes–Oxley Act of 2002 (SOX), which established new accounting standards for publicly traded corporations. Enron went bankrupt in 2001.

  • Google

Former Google employee Anthony Scott Levandowski has been accused of stealing 14,000 files from its self-driving car project before he left for his own startup Otto LLC. From 2009 to 2016, Levandowski was employed by Google working on its autonomous vehicle project. During his time at Google, he downloaded thousands of documents relating to the project from a secure internal network. After leaving Google, he founded Otto, an autonomous vehicle startup, which was acquired by Uber in 2016. According to The New York Times, he left Google after having disagreements with its management. After pleading guilty to one count of stealing trade secrets from Google’s self-driving car project, Anthony Levandowski received an eighteen-month sentence and has been ordered to pay $851,499 for his crimes.

In Conclusion

Cybercriminals never sleep. Digital forensics teams need round-the-clock threat intelligence to anticipate and track bad actors’ every move, and how they might attack your business.

Intel 471 customers rely on TITAN, an intuitive intelligence SaaS platform built by intelligence and security professionals for intelligence and security professionals. It enables them to access structured information, dashboards, timely alerts, and intelligence reporting via the web portal or API integration.

But TITAN doesn’t stop there. Use TITAN’s programmable RESTful API to power numerous connectors and integrations, integrating and operationalizing customized intelligence into your security operations.

Intel 471 cybercrime intelligence empowers digital forensic experts and analysts to monitor and respond to threats in near real-time — enabling them to support the cyber defense mission with timely and actionable intelligence. These analysts can also explore the alert context in our intelligence reports and data collection giving them a richer understanding of your organizational risk to better mitigate threats.