Fans of TV shows such as “CSI: Miami” are familiar with the forensic tools and procedures used to investigate crimes. Digital forensics employs similar techniques to gather evidence involving information technology.
Where crime scene investigations might involve fingerprints, ballistics and blood samples, digital forensics focuses on the careful examination of computer systems, applications and data. However, the two fields share a key constraint — evidence must be retrieved and examined in such a way that it is admissible in a court of law.
The digital forensics field dates back to the 1980s, when the increasing availability of PCs brought an associated increase in white collar crimes involving computers. Federal law enforcement officials began developing techniques to obtain digital evidence associated with these crimes. By 1985, the U.S. Federal Law Enforcement Training Center was training agents in such investigations and, by 1989, had begun developing software tools and procedures. The field of digital forensics was born.
Today, law enforcement agencies employ digital forensics to investigate crimes ranging from fraud to homicide. In fact, experts estimate that more than 85 percent of crimes leave a trail of digital evidence.
At the same time, digital forensics is a vital tool for organizations responding to security incidents. Organizations can also use digital forensics to look for evidence related to theft of proprietary information, embezzlement and harassment, as well as misuse of computing resources and other policy violations. In addition, digital forensics helps organizations maintain and document compliance with government and industry regulations that mandate data security and privacy.
Digital forensic methodology begins with the identification and collection of information relevant to the investigation. Data sources may include internal storage devices, external storage media and, increasingly, the cloud and mobile devices. Investigators will search for evidence in system logs, security event notifications, and files that have been added, deleted or modified.
The Windows system registry is an important source of clues. It contains information on the system owner, passwords, the operating system version, programs that were used and devices that were connected to the computer. Windows Prefetch files contain valuable data about any applications that were running on the system. Prefetch files provide a timeline of when an application was executed, helping investigators analyze user activity and detect when malware was downloaded or created.
Because low-level system data is highly volatile, a digital forensic investigator should be engaged as quickly as possible once a security incident is detected. However, investigators must also proceed carefully to ensure that the evidence is not altered in any way, and maintain strict “chain of custody” to avoid allegations of tampering or mishandling.
Each investigation should start with the seizure of systems and storage media using protocols established by the U.S. Department of Justice. Forensic tools are then used to make bit-by-bit images of the media, and the data is examined and analyzed in a methodical way.
Given the rigorous processes surrounding digital forensics, organizations should have an incident response team familiar with these protocols. IT personnel need to understand what steps they can take to contain an incident while preserving as much evidence as possible.
Digital forensics plays an important role in security incident response, regulatory compliance, and the investigation of criminal activity and IT policy violations. SageNet does not currently offer digital forensics, but our security monitoring team reviews client data 24 hours a day, 365 days a year to ensure timely incident response. In the event that SageNet observes an incident, our teams serve as the first line of defense in security through our ability to provide key evidence for digital investigations.