Welcome to this multipart series on digital forensics and its applications.
We will start with what digital forensics is exactly and how it is used out there in the real world. In the next installments, we will do a deep dive into an actual investigation and we will get very technical.
What is Digital Forensics?
First off, what is digital forensics? Wikipedia calls it “a branch of forensic science encompassing the recovery and investigation of material found in digital devices”.
It is an extremely fast-moving field of expertise. There is so much data that can be gathered from an operating system but oftentimes no clear-cut way to do it. There is a close-knit community out there discussing how to extract information and writing software to do this.
When I started out more than ten years ago it was the wild west out there. The Windows operating system is not open source and it is not easy to extract certain types of information from it.
Change within the field is happening at breakneck speed. We are now doing things like cloud forensics or investigating IoT devices.
As the definition of digital forensics states, it is a branch of forensic science. It is both the COLLECTION of evidence as well as the ANALYSIS of it.
A digital forensic investigator is much like the lab technician arriving at a murder scene.
I don’t have to tell you this but at a murder scene – the handling of the evidence is of extreme importance. If there is a bloody knife on the floor – you don’t pick it up with your bare hands and pass it around to your colleagues to have a look. You don’t wipe the blood off the knife with a towel because everything can lead to finding the murderer. You have to acquire the evidence in such a way that it is admissible in court. That includes having a “chain of custody” and proving you did not mishandle or contaminate the evidence. The suspect might walk away because of your mishandling of the evidence.
In order not to mishandle the evidence you need to be trained. In digital forensics it is never as obvious as a bloody knife in a kitchen – there is an extreme amount of information to be found in every room of the house. This is why a digital forensic investigator would take ‘an image’ of a system. This can be compared to the forensic technician in a murder investigation picking up the entire house and taking it to his lab to look at it.
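The two ideas in the paragraphs above, “take an image” and “prove you did not contaminate it”, are in practice tied together by hashing: the image is hashed the moment it is acquired, every hand-over is logged, and the hashes are recomputed before analysis. The script below is an added illustration written for this article, not code from Blacklynx or from any tool the series will use; the image file, the analyst names and the custody log path are all constructed for the demo.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def hash_image(path, algorithms=("sha256", "sha1"), chunk_size=1 << 20):
    """Hash a disk image in 1 MiB chunks so a multi-gigabyte file never has to fit in memory.
    Two algorithms are recorded because older tools and reports often only list one of them."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        while True:
            chunk = f.read(chunk_size)
            if not chunk:
                break
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def record_custody_event(log_path, image_path, handler, action):
    """Append one chain-of-custody entry (who, what, when, and the image hashes at that moment)
    to a JSON-lines log. The log is append-only: earlier entries are never rewritten."""
    entry = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "handler": handler,
        "action": action,
        "hashes": hash_image(image_path),
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def verify_against_log(log_path, image_path):
    """Re-hash the image and compare it with the first (acquisition) entry in the log.
    Returns (ok, expected_hashes, current_hashes) so a report can show both sides."""
    with open(log_path, encoding="utf-8") as log:
        acquisition = json.loads(log.readline())
    current = hash_image(image_path)
    return current == acquisition["hashes"], acquisition["hashes"], current


def demo():
    """Constructed scenario: acquire a fake image, log two hand-overs, then show that
    a single altered byte (someone writing to the evidence copy) is detected."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "laptop.raw")      # constructed sample, not a real acquisition
        log = os.path.join(tmp, "custody.jsonl")     # hypothetical custody log location
        with open(image, "wb") as f:
            f.write(bytes(range(256)) * 16)          # deterministic 4 KiB of "disk" content

        record_custody_event(log, image, "analyst A (hypothetical)", "acquired image from seized laptop")
        record_custody_event(log, image, "analyst B (hypothetical)", "received image for analysis")
        ok_before, _, _ = verify_against_log(log, image)

        # Contamination: a byte at offset 100 (value 0x64) is overwritten in the evidence copy.
        with open(image, "r+b") as f:
            f.seek(100)
            f.write(b"\x00")
        ok_after, _, _ = verify_against_log(log, image)
        return ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # (True, False)
```

In real casework the analysis is done on a working copy and the original image is kept read-only (write-blocked), so the second verification should always come back `True`; a `False` means the evidence can no longer be shown to be what was seized, which is exactly the “suspect walks away” scenario from the paragraph above.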
It is often said that digital forensics is “a science and an art”.
Because there are millions of ‘artifacts’ to look at on let’s say a typical Windows system and you simply don’t have time to look at every one of those – an investigator needs to form a hypothesis and then aim to discredit or confirm his own hypothesis.
This is something you get a “feel” for. This sounds horribly unscientific and it is difficult to describe but if you, for example, have done a lot of the same type of investigations you start to instinctively know where to look for the evidence.
Digging for the truth on a system or anywhere for that matter is utterly fascinating because this concept of “the truth” is so fleeting. Something happened and it happened in exactly one way. But yet, it is so difficult to grasp this and express it in words. There are the facts but there is also the “why” something has happened.
Going back to our bloody crime scene, a person killed another person with a knife. The entire situation – if filmed – could be expressed in a mathematical manner: the force of the arm coming down, the angle of the knife, and so on. You can do “blood spatter analysis” like the main protagonist in the Showtime series “Dexter”.
The ‘why’ however, cannot be expressed in mathematical terms.
And that brings us back to our ‘a science and an art’ statement. A digital forensics investigator is there to state the facts – it’s not about the psychology for him. But UNDERSTANDING the psychology will tell you where you will find the evidence.
For example: if someone wants to exfiltrate data from a company – there are only so many ways to do this. An experienced investigator can empathize with the person he is looking at and follow his steps.
A request for an investigation usually arrives at our doorstep from a law firm contacting us on behalf of their client. It is as if the representative of the person stabbed in the kitchen asked us to prove that this person was stabbed.
You can immediately understand how this can be problematic.
At Blacklynx we do fact-finding and even though we are working for “a side” – we never pick sides. It would jeopardize the entire business model. It has happened many times where our findings were not in line with what the client was expecting from the investigation.
A digital forensic professional reports on the truth and cannot let himself or herself be influenced. Even if it means not being paid for your efforts (yes, that also sadly happens). The truth is the truth.
The information you are looking for in an investigation is – unlike our bloody knife on the floor – not always plainly visible. We have hundreds of tools and scripts at our disposal to interpret data from, for example, the Windows operating system and translate it into something a human can understand.
As the field matures, these tools get better and better. Most of these tools are open-source and Linux-based which means an investigator needs to be quite technical and know his way around a Linux terminal. We have of course also big commercial software suites that eliminate the need to be a command-line wizard but I think this creates problems.
Because if you are not technical and you don’t know where your evidence comes from – how are you supposed to use it to build a case? How are you going to respond to the questions that are inevitably going to come?
At Blacklynx, we like to use both approaches simultaneously. We like to throw the kitchen sink at the problem and run the evidence source against as many tools as possible. While the commercial tool is running, the information is also being parsed and probed on our Linux-based boxes. We have automated this so when we arrive in the morning entire troves of data are waiting for us. Of course, our approach changes depending on the kind of case. An intellectual property theft or a threat hunt on a system are different investigations.
Starting in the next installment we’ll be looking at a case – using only freely available open-source tools (no commercial software) – and we’ll be telling you how to set up a forensic lab if you want to follow along.