Digital forensics: Detective work in cyberspace

Have you ever seen the movie Live Free or Die Hard? This was a movie made in 2007 that featured John McClane trying to stop a cyber terrorist. I remember some of my feelings when I was watching the movie. I was thrilled and excited because of what can be done with digital information. It can be used in many different ways, either for good or for evil. One of my favorite parts of the movie was seeing the actors roll out the rubber keyboards and start typing on a computer. Then all of this crazy hacking stuff started happening. This was the movie that pushed me to start studying information security and hacking. I first started studying ethical hacking, otherwise known as penetration testing. Then a little later on I discovered digital forensics. From that point on I was in love; I had found my calling.

So what is digital forensics? It is a subset of forensic science that focuses on the recovery and examination of data or evidence found in computing devices. A good analogy is that digital forensics is just like the forensics you see on shows like Law and Order or CSI, but instead of a physical crime scene there is a hard drive that “contains” the crime scene. Digital forensics is used to unravel the events that have taken place on a computer system. Those events may be criminal, and some examples of crimes that digital forensics deals with are:

  • Intellectual property theft
  • Network intrusion
  • Credit card theft

We have seen quite a bit of the last crime in recent months. Both Target and Home Depot have been victims of credit card theft on a massive scale. The only way to find out how the thieves breached their systems is to examine what happened on the affected systems.

There are three steps in the digital forensics process:

  • Acquisition
  • Examination of the evidence
  • Reporting

The first step is acquiring the evidence for later examination. Depending on the situation, the investigator may be grabbing a physical hard drive, the contents of RAM, CDs, DVDs, USB drive(s), or the contents of a computer’s hard drive. When obtaining the contents of a hard drive or RAM, the best practice is to obtain a bit-for-bit copy of the original evidence, called an image. After the image is taken, a hash should be generated for the original evidence. This hash will be used in the next step of the forensic process. The hashing process is similar to what I described in the passwords post: if even a single bit of a file is changed, its hash changes dramatically. So when a hash is taken of both the original and the copy of the evidence, matching hashes mean their contents are exactly the same. This essentially preserves the crime scene exactly as the criminal left it, so it can be examined for evidence.

The next step is examination of the evidence. As a rule of thumb, an investigator should never examine the original, or “best,” evidence. So before examination, a copy of the original evidence is made and a hash is taken of the copy. Then the hash values for the original and the copy are compared. If they match, the contents of the original and the copy are the same. Depending on what the investigator is looking for, he or she will use a series of tools to comb through the contents of the working copy to find it.
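The acquisition and verification steps above (hash the original, make a bit-for-bit copy, hash the copy, compare) are easy to show in code. The following Python is an added example and is not code from the original post; the "evidence image" is a constructed byte string standing in for a disk or RAM image, and the function names are my own. It also demonstrates the point about hashing made above: flipping one bit of the working copy changes the digest completely, so the comparison fails.

```python
"""
Added example (not from the original post): verifying a bit-for-bit
working copy of evidence against the original using cryptographic hashes.
"""
import hashlib
from typing import Dict

# Constructed sample "evidence image": a small byte string standing in for a
# disk or RAM image. A real image would be read from a file in chunks.
ORIGINAL_IMAGE = (
    b"\x00" * 16
    + b"boot-sector-like header (constructed sample data)"
    + bytes(range(256))
)

CHUNK_SIZE = 1024 * 1024  # hash in 1 MiB chunks so large images never sit in memory at once


def hash_image(data: bytes, algorithm: str = "sha256") -> str:
    """Return the hex digest of an image, hashing it chunk by chunk."""
    h = hashlib.new(algorithm)
    for offset in range(0, len(data), CHUNK_SIZE):
        h.update(data[offset:offset + CHUNK_SIZE])
    return h.hexdigest()


def acquire_working_copy(original: bytes) -> bytes:
    """Produce the bit-for-bit copy (the 'image') that the examiner works on."""
    return bytes(original)


def verify_copy(original: bytes, copy: bytes, algorithm: str = "sha256") -> Dict[str, object]:
    """Hash both original and copy and report whether the digests match."""
    original_hash = hash_image(original, algorithm)
    copy_hash = hash_image(copy, algorithm)
    return {
        "algorithm": algorithm,
        "original_hash": original_hash,
        "copy_hash": copy_hash,
        "match": original_hash == copy_hash,
    }


def flip_one_bit(data: bytes, byte_index: int, bit: int = 0) -> bytes:
    """Return a copy of data with a single bit flipped, to show that even the
    smallest change to the working copy produces a completely different hash."""
    mutable = bytearray(data)
    mutable[byte_index] ^= 1 << bit
    return bytes(mutable)


def hamming_distance_hex(a: str, b: str) -> int:
    """Number of differing bits between two equal-length hex digests."""
    return bin(int(a, 16) ^ int(b, 16)).count("1")


if __name__ == "__main__":
    copy = acquire_working_copy(ORIGINAL_IMAGE)
    result = verify_copy(ORIGINAL_IMAGE, copy)
    print(f"original: {result['original_hash']}")
    print(f"copy:     {result['copy_hash']}")
    print(f"match:    {result['match']}")

    # A one-bit change anywhere in the copy breaks the match.
    tampered = flip_one_bit(copy, byte_index=20)
    bad = verify_copy(ORIGINAL_IMAGE, tampered)
    print(f"after flipping one bit, match: {bad['match']}")
    print("digest bits that changed:",
          hamming_distance_hex(bad["original_hash"], bad["copy_hash"]), "of 256")
```

In practice the digests of the original and the working copy are recorded alongside the case notes at acquisition time, so that anyone examining the copy later can re-hash it and prove it is still identical to what was seized.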

The last step is the single most important step in the digital forensics process: reporting. After the examination, a report explaining what was found during the investigation must be written and presented to upper management or the owners of the affected system. Most of the time these people will not be technically savvy, so the findings of the investigation must be translated into language they can understand. After all, if the report is not done well, proper action may not be taken, and that makes the entire investigation almost meaningless.

For my next few posts I’ll be focusing on each step of the forensic process. I’ll also be posting some of my own tests that I perform in my lab so you can see what happens to a computer when it is hacked and when the evidence is analyzed. If you have any comments, please feel free to leave them below.
