While digital forensics encompasses monitoring and tracking data on all digital devices and networks – cellphones, computers, hard drives – the subworld of computer forensics deals pointedly with collecting and analyzing data stored on and transmitted by computers. Digital forensics and computer forensics are often treated as synonymous, since technicians in both fields work toward the same goal. Forensic technicians, sometimes also referred to as cyber or digital examiners, determine whether devices have stored or sent data illegally and whether that data poses a risk. They also work to acquire the data regardless of whether it has been “deleted, encrypted, or damaged,” and present it to the court through expert testimony (Cybersecurity Education).
As we become increasingly dependent on our devices for information and information storage, those devices become targets of criminal attacks and theft, leaving our private data more exposed.
There are seven main types of computer forensics: disk, network, database, malware, email, memory, and mobile phone forensics. Computer forensic investigations also follow a 5-step process – the identification of evidence, preservation of data, followed by the analysis, documentation, and presentation of the data. Disk forensics examines storage media; recovering deleted files (as well as searching active ones) is largely a part of disk forensics. Database forensics examines data and metadata contained in databases. Email forensics is used to recover calendar, contact, or email information. Malware forensics examines and analyzes suspicious code and malicious programs, while network forensics investigates computer network traffic. Memory forensics retrieves information held in a computer’s random-access memory (RAM), cache, or system registers, which is lost when the machine is powered off. Mobile phone forensics collects information from mobile devices, such as photos, videos, and messages.
Computer forensics is used both in law enforcement and in the corporate world. It is heavily utilized in identity theft cases, forgery cases (to understand whether and how much data was tampered with), financial fraud investigations, and regulatory compliance. It aids in “identifying vulnerabilities in computer network systems” to prevent future attacks, which enables companies to protect their data against data breaches and improve security measures.
The most common techniques used in computer forensics include reverse steganography, deleted file recovery, cross-drive analysis, and live analysis. In reverse steganography, technicians compare suspected files to their originals by examining the “hash” of the file contents. A hash is a fixed-length value computed from data such that changing even a single byte of the data produces a different hash; a mismatch between a file’s hash and the hash of its known-good original therefore reveals that the file has been altered, for example to carry hidden data. Detecting the altered carrier file is the first step in reversing the steganography a criminal used to hide data in it. Deleted file recovery searches a computer system, with the use of special software, to reconstruct parts of files and data or recover them entirely, often by scanning unallocated space for known file signatures rather than relying on filesystem records that have been removed. Cross-drive analysis correlates and cross-references data found across several computers to find inconsistencies, anomalies, and more context for the data (hence it is also referred to as “anomaly detection”). Live analysis involves searching within the operating system (or OS) of a computer while it is running to capture “volatile data,” which is held in cache or RAM and would be lost on shutdown, so that it can be checked against other evidence.
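The following Python script is an added example, not code from the original post or from any of its sources, and it illustrates two of the techniques above: signature-based carving of deleted files out of a raw disk image, and comparing the SHA-256 hash of each recovered file against a manifest of known-good hashes to spot a file that has been modified (as a steganography tool would modify a carrier image). The “disk image” and the JPEG payloads are constructed in memory for the demonstration; on a real case the bytes would come from a write-blocked image of the suspect media, and the manifest from a trusted source such as the original files or a hash database.

```python
"""Carve JPEG files from a raw disk image by signature, then hash-check them.

Added example. The disk image below is constructed in memory; a real
investigation would read a forensic image acquired through a write blocker.
"""
import hashlib
from typing import Dict, List, Tuple

JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker (plus next marker byte)
JPEG_EOI = b"\xff\xd9"      # JPEG end-of-image marker


def carve_jpegs(image: bytes, max_size: int = 1 << 20) -> List[Tuple[int, bytes]]:
    """Return (offset, data) for every JPEG found between SOI and EOI markers.

    No filesystem metadata is consulted: the scan covers unallocated space,
    which is what lets it recover files whose directory entries were deleted.
    A header with no EOI within max_size is treated as truncated/overwritten
    and skipped. (Limitation of naive carving: a fragmented file may be merged
    with the tail of a later one; examiners validate carved files afterwards.)
    """
    found = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI), start + max_size)
        if end == -1:
            pos = start + 1  # truncated: skip this header, keep scanning
            continue
        end += len(JPEG_EOI)
        found.append((start, image[start:end]))
        pos = end
    return found


def sha256_hex(data: bytes) -> str:
    """Hash of the file contents; one changed byte changes the whole digest."""
    return hashlib.sha256(data).hexdigest()


def classify(carved: List[Tuple[int, bytes]], known_good: Dict[str, str]) -> List[dict]:
    """Compare each carved file's hash to a manifest of known-good hashes.

    known_good maps sha256 hex digest -> label. Anything absent from the
    manifest is flagged for the examiner: it is either a file not in the
    reference set or a known file that has been altered (e.g. by steganography).
    """
    report = []
    for offset, data in carved:
        digest = sha256_hex(data)
        report.append({
            "offset": offset,
            "size": len(data),
            "sha256": digest,
            "status": known_good.get(digest, "unknown or modified"),
        })
    return report


def build_sample_image() -> Tuple[bytes, bytes]:
    """Constructed sample: an original JPEG, a one-byte-modified copy of it,
    and a truncated header, separated by zeroed (unallocated) space."""
    original = JPEG_SOI + b"\xe0" + b"JFIF-sample-original-pixels-" * 4 + JPEG_EOI
    tampered = bytearray(original)
    tampered[20] ^= 0x01  # flip one low bit, as an LSB stego tool would
    truncated = JPEG_SOI + b"\xe0truncated-no-end-marker"
    image = (
        b"\x00" * 512 + original
        + b"\x00" * 128 + bytes(tampered)
        + b"\x00" * 64 + truncated + b"\x00" * 64
    )
    return image, original


if __name__ == "__main__":
    disk, original = build_sample_image()
    manifest = {sha256_hex(original): "known good: original.jpg"}
    for entry in classify(carve_jpegs(disk), manifest):
        print(f"offset={entry['offset']:6d} size={entry['size']:4d} "
              f"sha256={entry['sha256'][:16]}... {entry['status']}")
```

Run stand-alone, the script recovers two complete JPEGs from the constructed image, reports the first as matching the manifest and the second as “unknown or modified”, and skips the truncated header. The same carve-then-hash flow is what commercial and open-source carving tools automate over real images; the hash comparison is also what lets an examiner prove in court that an acquired copy is identical to the original evidence.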
With data breaches in 2022 costing a record-breaking average of 4.35 million dollars, digital and computer forensics have become a necessary part of cybersecurity. Computer forensics is applied to validate claims about security breaches, document the many forms of digital evidence, retrieve computer log files, and identify the operating system that was used to breach a network. Then, protected or deleted data is recovered, duplicated, and decrypted. As CSI: Cyber has shown, computer forensics has “tracked terrorists, located missing people, and found otherwise ordinary employees who were stealing millions of dollars” (ECPI University).
Within the intersection of digital forensics and cybersecurity lies DFIR, or Digital Forensics and Incident Response. This combines the tools of digital forensics with incident response, the collection and analysis of data specifically in response to a security threat, where “other steps such as containment and recovery are weighed carefully against each other” (Palo Alto Networks). Incident response entails a business plan and framework “designed to keep IT infrastructure running” in the face of a cybersecurity threat, and may involve “identifying, stopping and removing malware” (Palo Alto Networks). Together, digital and computer forensics work to mitigate cyber threats and improve data, computer, and network security.
Sources:
https://www.cisa.gov/careers/work-rolescyber-defense-forensics-analyst
https://careertrend.com/facts-6733855-difference-computer-forensics-digital-forensics-.html
https://www.geeksforgeeks.org/introduction-of-computer-forensics/
https://www.nu.edu/blog/what-is-computer-forensics/
https://datarecovery.com/rd/computer-forensics-what-is-it-and-how-is-it-used/
https://www.techtarget.com/searchsecurity/definition/computer-forensics
https://www.coursera.org/articles/computer-forensics
https://onlinedegrees.und.edu/blog/cyber-security-forensics/
https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me
https://heimdalsecurity.com/blog/what-is-digital-forensics-and-incident-response-dfir/
https://www.paloaltonetworks.com/cyberpedia/digital-forensics-and-incident-response