There are many services offered by computer forensic experts, but one of the most important is digital forensics. But do we really know what this process, so routine for these professionals, consists of? Here we provide the information needed to understand its essential details and the procedure to follow.
What is digital forensics?
Digital forensics consists of a group of techniques that share one goal: finding valuable information on an electronic system or device without modifying it. This gives us the option of recovering hidden, corrupted or even deleted data.
When conducting a digital forensic analysis, it is essential to preserve the integrity of the disk as far as possible, since the information extracted in the analysis can be fundamental in judicial proceedings.
Origin of digital analysis
The origin of this field dates back to the eighties. The first analyses of electronic devices were carried out by the FBI, within the US Department of Justice, mainly in criminal investigations.
Later, the analysis of personal devices such as computers and servers became common, along with other electronic components that could store information.
Why is a digital forensic analysis necessary?
New technologies are booming, mainly those involving information and communication, which hold a huge amount of private data stored on the network. This has led to computer attacks over the Internet, also known as cybercrime.
The National Cryptologic Center (CCN) has conducted studies estimating that by the end of 2018 there will be almost 50% more cybercrime than in the previous year. In 2017, about 20 thousand incidents were registered, of which 450 were highly dangerous and classified as “critical”.
The right to personal privacy is legally guaranteed, with an explicit provision on the use of information technologies to protect the honor and privacy of citizens. Cyber attacks often violate this right, and thanks to the figure of the forensic computer expert we are able to collect evidence to combat this type of crime.
Although it is impossible to guarantee 100% security, we can count on the help of professionals, who help us plan and maintain prevention strategies as well as security measures.
Phases of digital forensics
In this first phase, a preliminary examination of the electronic device is carried out in order to determine the methodology to follow during the process. At this point the physical condition of the storage medium is assessed: whether there are damaged parts or, on the other hand, whether we are facing a possible deletion of data.
After diagnosing the device, a copy of the stored information must be made on a secure basis. This means having an exact copy of the source disk: the person in charge of the process copies all the information bit by bit to another medium in order to analyze it there.
The acquisition phase is one of the most important and most difficult, since the medium must be handled with the assurance that it is left in the same state it was in before work began.
In this phase, actions essential to the preservation of all the data are carried out, making sure it is not modified. The information can be used immediately or stored for as long as necessary.
For all these reasons, the medium on which the copy is made must be capable of storing everything in good condition for as long as it is needed.
Analysis is the most technical phase. After the previous phases, all the information obtained is subjected to software and hardware analysis of the original medium. The professional extracts all the information and applies certain filters to keep the data of real value, always without deleting anything.
Everything is analyzed: files, users, messages, conversation histories, encrypted documents, files uploaded to the cloud, connections with other devices, and so on.
After the previous phases, a report is produced. It sets out, in a completely objective and orderly manner, all the information collected from the device and all the steps followed during the process.
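The acquisition, preservation and report phases above come together in one small procedure: copy the source bit by bit, hash it as it is read, hash the image independently, and record both hashes so the report can prove the copy matches the original. The following is an added example written for this article, not code from any forensic tool; it also illustrates the file-hash check mentioned later under "Do a good digital analysis". The "disk" is a constructed in-memory byte string, and the examiner and evidence identifiers are placeholders.

```python
import hashlib
import io
import json
from datetime import datetime, timezone

CHUNK_SIZE = 4096  # read the evidence in fixed-size blocks, never all at once


def sha256_hex(data):
    """SHA-256 of an in-memory byte string (used to cross-check results)."""
    return hashlib.sha256(data).hexdigest()


def image_device(source, destination, chunk_size=CHUNK_SIZE):
    """Copy `source` to `destination` byte for byte, hashing the bytes as they
    stream through so the source is read exactly once.

    Both arguments are binary file-like objects: in practice a block device
    opened read-only (ideally behind a write blocker) and the image file;
    in this demo, in-memory buffers. Returns (bytes_copied, sha256_of_source).
    """
    digest = hashlib.sha256()
    copied = 0
    while True:
        block = source.read(chunk_size)
        if not block:
            break
        digest.update(block)
        destination.write(block)
        copied += len(block)
    destination.flush()
    return copied, digest.hexdigest()


def hash_stream(stream, chunk_size=CHUNK_SIZE):
    """Independent SHA-256 of a stream, used to re-verify the image."""
    digest = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk_size), b""):
        digest.update(block)
    return digest.hexdigest()


def acquire(source, destination, examiner, evidence_id):
    """Run the acquisition and build the record the report phase needs: what
    was copied, how much, by whom, and the hashes proving image == source."""
    size, source_hash = image_device(source, destination)
    destination.seek(0)
    image_hash = hash_stream(destination)
    return {
        "evidence_id": evidence_id,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "bytes": size,
        "sha256_source": source_hash,
        "sha256_image": image_hash,
        "verified": source_hash == image_hash,
    }


def verify_image(stream, expected_sha256):
    """Later check (for example before the analysis phase): has the image changed?"""
    stream.seek(0)
    return hash_stream(stream) == expected_sha256


# Constructed demonstration data: a fake "disk" of about 13 KB, not a real device.
FAKE_DISK = b"MBR" + bytes(range(256)) * 40 + b"\x00" * 3000 + b"deleted.txt"


def demo():
    """Acquire the fake disk, then show that a one-byte change to a copy of the
    image is caught by the hash. Returns (record, intact_ok, tampered_ok)."""
    source = io.BytesIO(FAKE_DISK)
    image = io.BytesIO()
    record = acquire(source, image, examiner="examiner-placeholder", evidence_id="EV-0001")
    tampered = io.BytesIO(bytearray(image.getvalue()))
    tampered.seek(10)
    tampered.write(b"\xff")  # flip one byte inside the copied data
    return (record,
            verify_image(image, record["sha256_image"]),
            verify_image(tampered, record["sha256_image"]))


if __name__ == "__main__":
    record, intact, tampered_ok = demo()
    print(json.dumps(record, indent=2))
    print("image intact:", intact, "| tampered image intact:", tampered_ok)
```

The source hash is computed from the very same bytes that are written, so a mismatch between `sha256_source` and `sha256_image` means the image medium did not faithfully store what was read, which is exactly the failure the preservation phase has to rule out.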
Digital forensics for attack prevention
Digital forensics gives us the option of detecting attacks or security flaws in computer systems while they are occurring or even before they do. This offers the possibility of not having to recover all the information from backup copies, because we will have solved the problem in time.
If we have sufficiently effective security controls, we will avoid a negative impact on work that depends on computer systems. Here are some tips for keeping our systems safe:
- Manage hardware and software updates properly.
- Keep servers controlled, with access restricted by user, and have systems that notify administrators when unauthorized access occurs.
- Keep the network safe by configuring filters. This includes having firewalls, IDS (intrusion detection systems), network monitors, VPNs (virtual private networks), and so on.
- Use prevention methods against malware and other types of malicious programs, such as antivirus software.
- Keep users informed to ensure that all security measures are applied. Information is power: in the field of cyber security the biggest problems are mainly due to the users' own lack of knowledge.
- Have a response plan for attacks and errors:
  - Plan capacity, goals and rules.
  - Structure a response team for errors or attacks, including responsibilities, authority and the departments involved.
  - Contain the problem.
  - Recover deleted files or systems.
  - Carry out a damage assessment.
  - Consider involving the authorities.
  - Hire specialized external staff if necessary.
  - Open an investigation.
- Study and monitor the operation of the systems, such as IP traffic, resource consumption, users, and so on.
- Make backup copies.
- Know about possible attacks and incidents in order to tell an attack apart from a bug or technical problem.
- Volatile information: information that is lost once the electronic device is turned off. This is not entirely true, since part of it can be recovered by acquiring the contents of RAM.
- Non-volatile information: on the contrary, this information remains on the hard disk even when the electronic device is turned off improperly.
Digital forensics for different operating systems
To carry out as complete a digital forensic analysis as possible, the main thing we must know is where to obtain all the available information.
For Microsoft Windows
This operating system gives us the option of analyzing the applications to verify that we are safe. To acquire all the information we can consult the Microsoft database.
To collect information within Windows we have the Registry Editor (regedit.exe), which holds a large amount of stored data. We can also use tools from the toolkit CD such as reg, which lets us query the registry without changing it, or regdmp, which dumps the registry in plain text format.
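Querying the registry read-only and saving the output is only half the job; the analyst then has to work through that text. The following is an added example, not part of this article or of any Microsoft tool: it parses the text that `reg query <key> /s` prints (key path on an unindented line, then one indented `name    type    data` line per value) and lists autostart entries whose executable does not live under the usual system directories. The registry output below is constructed for the demo, so the value names and paths are made up, and the list of "trusted" prefixes is an assumption an analyst would tune per case.

```python
import re

# Constructed sample of what `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /s`
# prints when redirected to a text file. Value names and paths are invented for the demo.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    VendorTray    REG_SZ    "C:\Program Files\Vendor\tray.exe" /silent
    Updater    REG_SZ    C:\Users\Public\Libraries\upd.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
    (Default)    REG_SZ
"""

# A key line starts with a root hive name and is not indented.
KEY_RE = re.compile(r"^HKEY_[A-Z_]+(?:\\.*)?$")
# A value line is indented four spaces; fields are separated by four spaces;
# the data field is absent when the value is empty.
VALUE_RE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)(?:\s{4}(?P<data>.*))?$")


def parse_reg_query(text):
    """Turn reg query output into {key_path: [(value_name, value_type, data), ...]}."""
    entries = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if KEY_RE.match(line):
            current = line.strip()
            entries[current] = []
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                entries[current].append((m["name"], m["type"], m["data"] or ""))
    return entries


# Assumed set of locations considered "normal" for autostart binaries (case-insensitive).
TRUSTED_PREFIXES = ("%windir%", r"c:\windows", r"c:\program files")


def autostart_outside_trusted_paths(entries):
    """Run-key values whose program path is not under a trusted prefix.
    Returns [(key_path, value_name, data)]; each hit still needs human review."""
    flagged = []
    for key, values in entries.items():
        for name, _value_type, data in values:
            if not data:
                continue
            path = data.strip().lstrip('"').lower()
            if not path.startswith(TRUSTED_PREFIXES):
                flagged.append((key, name, data))
    return flagged


if __name__ == "__main__":
    parsed = parse_reg_query(SAMPLE_REG_QUERY)
    for key, values in parsed.items():
        print(key)
        for name, value_type, data in values:
            print(f"    {name} ({value_type}): {data}")
    for key, name, data in autostart_outside_trusted_paths(parsed):
        print("review:", key, name, data)
```

Working from saved text output keeps the analysis itself off the evidence system, in line with the point above about consulting the registry without changing it.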
For Linux
Linux has a series of log files, known as logs, which are usually found under the /var/log directory. They contain general system messages, information about the authentication and security subsystems, boot histories, failed login attempts and information on logouts.
Apart from this, applications and programs generally create their own log files, which can be found under the /var directory. These files are in text format, so we can use any editor or viewer to search them for possible problems or attacks.
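Because these logs are plain text, the search for failed attempts and logouts described above can be automated. The following is an added example written for this article, not code from any Linux distribution or tool: it reads lines in the format sshd writes to /var/log/auth.log (or /var/log/secure on other distributions), counts failed logins per source address, records which user names were tried, and flags sources that went on to log in successfully after failing. The log lines are constructed for the demo and use documentation IP ranges; the failure threshold is an assumption to be tuned per environment.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format sshd writes to /var/log/auth.log; the host name,
# PIDs and addresses (documentation ranges) are made up for the demo.
SAMPLE_AUTH_LOG = """\
Mar  3 08:01:12 web01 sshd[2201]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2: ED25519 SHA256:abcd
Mar  3 08:02:40 web01 sshd[2250]: Failed password for root from 203.0.113.5 port 41002 ssh2
Mar  3 08:02:43 web01 sshd[2250]: Failed password for root from 203.0.113.5 port 41002 ssh2
Mar  3 08:02:47 web01 sshd[2251]: Failed password for invalid user admin from 203.0.113.5 port 41010 ssh2
Mar  3 08:02:51 web01 sshd[2252]: Failed password for invalid user oracle from 203.0.113.5 port 41018 ssh2
Mar  3 08:03:05 web01 sshd[2253]: Failed password for bob from 198.51.100.7 port 39001 ssh2
Mar  3 08:03:20 web01 sshd[2253]: Accepted password for bob from 198.51.100.7 port 39001 ssh2
Mar  3 08:15:00 web01 sshd[2201]: pam_unix(sshd:session): session closed for user alice
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
LOGOUT_RE = re.compile(r"session closed for user (?P<user>\S+)")


def parse_auth_log(text):
    """Classify each line. Returns failures per source IP, the user names tried
    from each IP, accepted logins as (user, ip, method), and logged-out users."""
    failures = Counter()
    users_tried = defaultdict(set)
    accepted = []
    logouts = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            users_tried[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m["user"], m["ip"], m["method"]))
            continue
        m = LOGOUT_RE.search(line)
        if m:
            logouts.append(m["user"])
    return {
        "failures": failures,
        "users_tried": dict(users_tried),
        "accepted": accepted,
        "logouts": logouts,
    }


def suspicious_sources(parsed, threshold=3):
    """Source addresses with at least `threshold` failed logins (threshold is an assumption)."""
    return sorted(ip for ip, n in parsed["failures"].items() if n >= threshold)


def success_after_failures(parsed):
    """Accepted logins from an address that also produced failures: worth a closer look,
    since a real user mistyping once looks different from a guessed password."""
    return [(user, ip) for user, ip, _method in parsed["accepted"] if parsed["failures"][ip] > 0]


if __name__ == "__main__":
    parsed = parse_auth_log(SAMPLE_AUTH_LOG)
    print("failures per source:", dict(parsed["failures"]))
    print("users tried:", parsed["users_tried"])
    print("sources over threshold:", suspicious_sources(parsed))
    print("successes after failures:", success_after_failures(parsed))
    print("logouts:", parsed["logouts"])
```

The same approach carries over to the application logs under /var mentioned above: one regular expression per line type, then counting and cross-referencing, which is how an analyst separates an attack pattern from an isolated technical error.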
Do a good digital analysis
Computer forensic experts are professionals trained and specialized in this type of service. They use specialized data recovery software to obtain the information in its entirety, regardless of the device on which it is located. To guarantee a good job you have to make sure you have a truly professional and experienced team.
Having the right tools is essential to obtain evidence that is valid in legal proceedings. For example, computer experts are able to extract information from images taken with mobile phones, since these store information in EXIF data and in the metadata of each file. They can also calculate the hash of a file in order to find out whether it was modified during the investigation.
Data recovery is a really delicate process, and digital forensic analysis is even more so, because this type of process can be used in lawsuits, where it can become the decisive element in reaching a resolution.
In short, to obtain a satisfactory digital forensic analysis, it is necessary to have the right tools and qualified, experienced professionals.
Data acquired in the analysis
In digital forensic analysis a large amount of information is extracted, part of which can be classified into two groups: volatile and non-volatile information, as described above.
The computer expert must make an image of the hard disk using specialized tools. If Ghost-type tools are used, low-level information may be lost and become practically irretrievable.
When suffering a cyber attack it is necessary to understand its nature in depth, and care is needed: follow a structure and be clear that the information we obtain must be recorded as precisely as possible.