Proactive Approach in Digital Forensics
Digital forensics in short deals with the application of scientific knowledge for collecting, analyzing, and presenting digital evidence. Such evidence in digital forensics are found by observing digital artifacts, such as computer systems, storage devices, network devices, related logs and dumps.
Challenges of Digital Forensic Investigations
The most common problems in digital forensic investigations (DFI) are that:
1) Organizations are not forensic ready - missing centralized system logging and no comprehensive backup arrangements.
2) First responders rush to contain the incidents and cyber attacks but at the expense of digital evidence.
3) Anti-forensic measures employed by perpetrators, and so on.
Counter Measures
Organizations
Be forensic ready
a. Tamper-resistant centralized system logging
b. Comprehensive backup arrangements
First Responders
Preserving evidence should be the incident response team’s first priority.
That means copying hard drives, network data, and operating system logs with the goal of creating a snapshot of the computing environment as it existed at the time of the attack.
Once the preservation process is finished, the organization can begin remediation, and the forensics team can continue its investigation without interference.
Digital Forensic Investigators
1) Know the context
It is to understand the background of the incident or legal case – civil or criminal proceedings involved and the focus of the digital forensic investigation. Also it is useful to sort out relevant time frame, key words to search, and relevant artifacts to draw conclusion. SANS artifact analysis and timeline analysis can then be applied for the desirable results.
See also:
https://digital-forensics.sans.org/blog/category/artifact-analysis
https://digital-forensics.sans.org/blog/category/timeline-analysis-computer-forensics
2) Avoid single tool dependency
Not all forensic tools are created equal and unlikely a single tool can cover all incidents and cases. It is important to know the job on hand and select the relevant tools to get the job done. Internet Evidence Finder is easy to use but it lacks the granularity of searches on unallocated space and volume shadow copies. Encase is more granular and power but it requires courses to master its skills and it does not directly access some key components and no live boot. The same issue happens in forensic recovery tools like R-Studio, Blade, EaseUS, Recuva, MailXaminer and Data Rescue, etc. When one runs those data recovery tools against the same target hard disk, there are different sets of recovery results. Blade is strong at customized data carving but average on general document recovery. MailXaminer is good at email recovery and analytics but not in data recovery. The investigator needs to know the capability of the tools and apply each to particular scenario accordingly.
3) Avoid brute-force
Unless with no other choices it is pointless to search sector by sector in the target hard disk spending enormous amount of time and resources.
Conclusion
Digital forensics is a rapidly revolving discipline that calls for dynamic, forward-looking and proactive approach. It is unlikely one can do the digital forensic job right relying upon one way and one tool. Cyber actors are working hard; we must be working even harder.