What is meant by Digital Forensics

(by Alessandro Rugolo)
19/02/24

In today's world we hear more and more often about cyber incidents, hackers and APT groups. 

In this context, some terms have now become commonly used, while others remain less evident and are not always known. Digital Forensics (formerly known as "computer forensics") falls into this second category. Let's try to understand what it is about...

As always we start from some definitions. NIST, for example, defines "Digital Forensics" as "the application of computer science and investigative procedures involving the examination of digital evidence - following proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possibly expert testimony".

In practice we are talking about the use of investigative procedures and computer science applied to the investigation of criminal facts to establish what happened. 

In another NIST document we find another definition with some additional information: "The process used to acquire, preserve, analyze, and report on evidence using scientific methods that are demonstrably reliable, accurate, and repeatable such that it may be used in judicial proceedings".

From this second definition the need clearly emerges to employ, when collecting evidence of a cybercrime, scientific methods that are reliable, accurate and repeatable, so that the evidence collected can be used in judicial proceedings.

The above is of considerable importance for IT security teams that operate in the field of "defensive security" and deal with the analysis of evidence of attacks in the digital domain, such as cyber espionage, identity theft, theft of intellectual property and patents, crimes committed online such as scams, and so on.

The main activities carried out by those who practise Digital Forensics are essentially the following:

- analysis of the logs of the affected network: the logs (event recordings) kept on the networks hit by a crime, or used to commit one, can help to understand how a cyber attack took place, and this sometimes also gives a clue as to who the author could be;

- analysis of the file system: it is necessary to create a copy of the file system without causing damage or modifications to it, and then to analyse the installed programs and the deleted or overwritten files, attempting to recover them. The collection of this information can reveal evidence of the crimes committed and identify the time frame of the incident;

- analysis of system logs: it is necessary to collect and analyse the system logs, in which information is recorded about what happened on the computer system or systems.

Some of these activities can be carried out while the systems are running and users carry on with their work; others must be carried out with the systems switched off. In either case the data collected must be kept carefully and according to well-defined criteria, as they may be relevant to criminal proceedings.
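The chain of custody, validation with mathematics and repeatability that the NIST definition calls for can be illustrated with a small acquisition routine. The following is an added example, not code from the original article: it copies a constructed evidence source byte-for-byte, hashes source and image with SHA-256, rejects the acquisition if the two differ, produces a custody record, and lets anyone re-verify the image later; the function names and record fields are my own choices.

```python
import hashlib
import io
from datetime import datetime, timezone

# Constructed stand-in for the evidence source (a raw disk or file in practice).
SAMPLE_EVIDENCE = b"2024-02-19 09:12:03 user rm report_q3.xlsx\n" * 64
CHUNK = 4096  # read size, so a large device is never loaded into memory at once


def sha256_of(stream):
    """Hash a binary stream in chunks and return the hex digest."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def acquire(source, image, examiner, source_label):
    """Copy source into image byte-for-byte, hash both, return a custody record."""
    src_hash = sha256_of(source)
    source.seek(0)
    written = 0
    for block in iter(lambda: source.read(CHUNK), b""):
        image.write(block)
        written += len(block)
    image.seek(0)
    img_hash = sha256_of(image)  # independent re-read of what was actually written
    if src_hash != img_hash:
        raise ValueError("image hash differs from source hash: acquisition invalid")
    return {
        "examiner": examiner,
        "source": source_label,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "bytes": written,
        "algorithm": "sha256",
        "source_hash": src_hash,
        "image_hash": img_hash,
    }


def verify_image(stream, record):
    """Repeatability check: re-hashing the image must reproduce the recorded hash."""
    stream.seek(0)
    return sha256_of(stream) == record["image_hash"]


def demo():
    """Acquire the constructed evidence, then verify an intact and a tampered copy."""
    source, image = io.BytesIO(SAMPLE_EVIDENCE), io.BytesIO()
    record = acquire(source, image, "examiner-01", "constructed sample")
    intact = verify_image(image, record)
    tampered = verify_image(io.BytesIO(SAMPLE_EVIDENCE[:-1] + b"?"), record)
    return record, image.getvalue(), intact, tampered
```

On a real case the source would be opened read-only (ideally behind a hardware write blocker) and the record stored separately from the image, so that the hash comparison can be repeated by another examiner.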

Told like this it seems simple but it isn't. 

There are many useful software tools for Digital Forensics, both free and paid, that can lend a hand in collecting evidence. I will mention only a few; I am sure your curiosity will lead you to discover many others:

- Wireshark: network analyzer;
- Oxygen Forensic Suite: analyzer for mobile devices;
- Autopsy Digital Forensic: complete analysis suite.

And now it's your turn: have fun using these tools, which are free and freely downloadable.

As always, thanks to the friends of SICYNT!

To learn more:

- https://csrc.nist.gov/glossary/term/digital_forensics

- https://www.salvationdata.com/knowledge/digital-forensics-software/

- https://www.fastweb.it/fastweb-plus/digital-magazine/come-analizzare-il-...

- https://www.wireshark.org/

- https://oxygenforensics.com/en/

- https://www.autopsy.com/