Here’s how cyber forensics go about cleaning up the mess after an attack

Cyber Forensics needs to be of paramount importance to individuals, corporations and government agencies.

Hacker stock image

In these times of high penetration, high accessibility and low rates, internet has reached all facets of our lives. But with this rise of the internet, there has also been a considerable rise in hacking attacks or cyberattacks on individuals, businesses, corporations and government agencies. Large scale cyberattacks can even be termed as acts of Cyber Terrorism.

Depending on the severity of the cyberattack, it could take weeks or even months to determine the answers to; ‘How it happened?’, and ‘How can it be prevented from happening again?’ This is where ‘Forensics’ comes into play. Any and all evidences left behind at the scene need to be collected very carefully and examined. From here onwards, questions of ‘who, what, where, when and why’ can be answered by forensic examiners and investigators.

Cyber Forensics is the process of uncovering and interpreting electronic data from devices used before or during a crime. The goal is to preserve any evidence in its most original form while performing a structured investigation by collecting, identifying and validating the data collected. Digital forensic services are commonly used in criminal and private investigations.

With the advent of cybercrimes, tracking malicious online activity has become crucial for protecting individuals and corporations, as well as preserving online operations in public safety, national security, government and law enforcement.

In order to gain access to digital evidences, a Cyber Forensic analyst might take a look at a device’s hard drive in order to gain access to all data that has been accessed on that particular device (even deleted files), or they might also analyze the system as a whole, taking the network and its structure into account.

Cyber Forensic Investigation Steps

There are five critical steps in Cyber Forensics, all of which contribute to a thorough and revealing investigation.

1. Developing & Documenting; Procedures & Policies

Whether related to malicious cyber activity, criminal conspiracy or the intent to commit a crime, digital evidence can be delicate and highly sensitive. Cybersecurity professionals understand the value of this information and respect the fact that it can be easily compromised if not properly handled and protected. Such procedures can include detailed instructions about when cyber forensics investigators are authorized to recover potential digital evidence, how to properly prepare systems for evidence retrieval, where to store any retrieved evidence, and how to document these activities to help ensure the authenticity of the data.

2. Assessment of Potential Evidence

A key component of the investigative process involves the assessment of potential evidence in a cybercrime. Central to the effective processing of evidence is a clear understanding of the details of the case at hand and thus, the classification of cybercrime in question. For instance, if an agency seeks to prove that an individual has committed crimes related to identity theft, cyber forensics investigators use sophisticated methods to sift through hard drives, email accounts, social networking sites, and other digital archives to retrieve and assess any information that can serve as viable evidence of the crime. Prior to conducting an investigation, the investigator must define the types of evidence sought have a clear understanding of how to preserve pertinent data.

3. Plan for Acquiring Evidences

Perhaps the most critical facet of successful cyber forensic investigation is a rigorous, detailed plan for acquiring evidence. Extensive documentation is needed prior to, during, and after the acquisition process. Detailed information must be recorded and preserved, including all hardware and software specifications, any systems used in the investigation process, and the systems being investigated. This step is where policies related to preserving the integrity of potential evidence are most applicable. Acquiring evidence must be accomplished in a manner both deliberate and legal.

4. Examination of the Data

In order to effectively investigate potential evidence, procedures must be in place for retrieving, copying, and storing evidence within appropriate databases. Investigators typically examine data from designated archives, using a variety of methods and approaches to analyze information; these could include utilizing analysis software to search massive archives of data for specific keywords or file types, as well as procedures for retrieving files that have been recently deleted. Data tagged with times and dates is particularly useful to investigators, as are suspicious files or programs that have been encrypted or intentionally hidden.

5. Documenting Information

In addition to fully documenting information related to hardware and software specs, forensic investigators must keep an accurate record of all activity related to the investigation, including all methods used for testing system functionality and retrieving, copying, and storing data, as well as all actions taken to acquire, examine and assess evidence. Not only does this demonstrate how the integrity of user data has been preserved, but it also ensures proper policies and procedures have been adhered to by all parties. As the purpose of the entire process is to acquire data that can be presented as evidence in a court of law, an investigator’s failure to accurately document his or her
process could compromise the validity of that evidence and ultimately, the case itself.

Cyber Forensics needs to be of paramount importance to individuals, corporations and government agencies. There is often the thought among intellectuals that simply fortifying the lines of defense with firewalls, routers, etc. will be enough to stop or prevent cyberattacks but security professionals will know this is not true, given how sophisticated today’s Cyber hackers are. In Cyber Forensics, it is important to implement a dynamic investigation methodology as each cyberattack is very different from one another.

The article is written by Rahul Dwivedi, CEO, Pelorus.

  • Published Date: February 20, 2019 4:30 PM IST