IT and security managers have found themselves needing to better understand the world of digital forensics, defined as the ability to track down the source of a network intrusion, an exploit such as ransomware, or some other incident where an unauthorized person has accessed a network to steal data or do other damage. Digital forensics combines a variety of skills, including a “CSI”-type investigator who has a background in law enforcement or at least an understanding of what is involved in collecting and preserving evidence that could end up in a courtroom as part of a lawsuit or criminal complaint.
This evidence could support further legal discovery efforts as part of a regulatory compliance violation. The goal of digital forensics is to examine a breach and produce the necessary documentation about what happened, along with stopping cyberattacks and cyber-based fraud.
Digital forensics has become more important as the probability of being breached continues to approach near certainty, and as organizations need to better prepare themselves for legal actions and other post-breach consequences.
“It isn’t like the TV show CSI,” said Davin Teo at his 2015 TedX speech in Hong Kong. Teo is a digital investigator and forensics consultant. “Things don’t usually get solved in neat one-hour time slots.” Teo has been active in this field since 2000. “Back then, there weren’t any courses to study and we were excited just to have digital cameras.” Both the tools and the threats have certainly become more sophisticated since then. For example, he now investigates anonymous death threats via email and fraudulent financial transactions.
Digital forensics, incident response (DFIR) combines many security tools and approaches, including being able to reverse-engineer malware, discover malicious files and search computer memory and digital documents for infections and threats. These tools come in handy both before and after a breach, and they could include endpoint detection and response (EDR), security information and event management (SIEM), log analyzers, threat intelligence databases, penetration and application testing tools, firewalls and intrusion detection products.