Making the DFIR-ence: A Beginner's Insight into DFIR

Digital forensics and incident response, or DFIR, is the discipline of gathering and analyzing digital evidence while preventing additional exposure. Evidence needs to be identified, preserved, analyzed, and presented. Digital forensics connects to every part of technology, including computer science concepts, hardware, programming languages, application software, database management, and network architecture management. 

As digital devices evolve, so does digital forensics. Analog systems, such as telegraphs or punch cards, have been used in criminal activity since the mid-1820s. Digital cybercriminal activity can be traced back to the early 1970s–1980s (Oxygen Forensics, n.d.). As personal computers and mobile devices have spread, forensic techniques have had to grow with them.

A very early first-person investigator account of a network intrusion can be found in The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage by Clifford Stoll. During the early years of networking, systems were connected via telephone lines, and universities and military outfits were the primary users of the ARPANET. A hacker gained access to the systems by reading files, stealing passwords, and logging into unsecured systems. A “honeypot,” a fake file designed to intrigue the hacker, was set up, and by combining an understanding of the technology of the time with an extensive game of cat-and-mouse, Clifford Stoll was able to identify the person committing the crime of unauthorized access (Stoll, 1989).


Since forensics is an examination of evidence, one must know where that evidence resides. Forensic examiners need to know the nomenclature of a device’s hardware and how it functions. Evidence can be found in the hardware of any digital device, be it a server, network switch, computer, or mobile device. Not only does evidence reside in hardware, but the tools used to obtain it also require hardware. An examination may need to obtain information from a volatile source, such as the computer’s RAM. In that case, the computer must still be powered on, and software is used to probe the device and capture the memory.

Programming languages such as Python assist in sending instructions to the target device through a “client.” Python, C++, or another programming language then dictates how the information obtained is pulled, structured, and output (Tutorials Point, n.d.). For example, when information is extracted from a mobile device, the device is connected to a computer through a write-blocker client, and the data is dumped into files on the host computer.


Application software, such as Microsoft Word and Excel, is used to parse and analyze the information. Examiners need to generate reports to make sense of the data obtained. A PDF report for a single device extraction can run to as many as 40,000 pages, so Excel and Word documents are used to report only the critical information required. Word documents can be used to provide expert opinions on the who, what, when, where, and how of the crime. To maintain data integrity, the examiner must ensure that any completed report document is locked (Forensic Focus, 2021).
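The two paragraphs above describe dumping extraction data into files on the host and then keeping the resulting material intact. A common way to make that integrity checkable is to hash every file the extraction produced and re-verify the hashes at each later stage. The script below is an added illustration written for this page, not a tool from any of the cited sources; the directory layout, file names and file contents are constructed stand-ins for a real dump.

```python
"""Added example: hash manifest for extraction files to prove data integrity.
Illustrative code written for this page, not a tool from the cited sources.
File names and contents below are constructed sample data."""
import hashlib
import json
import os
import tempfile

CHUNK = 1024 * 1024  # read large image dumps in 1 MiB pieces


def hash_bytes(data):
    """SHA-256 of in-memory data, for spot-checking a single artifact."""
    return hashlib.sha256(data).hexdigest()


def hash_file(path):
    """SHA-256 of a file, streamed so multi-gigabyte dumps fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(extraction_dir):
    """Record the hash of every file produced by an extraction, keyed by
    relative path, so the whole set can be re-verified at any later stage."""
    manifest = {}
    for root, _dirs, files in os.walk(extraction_dir):
        for name in sorted(files):
            full = os.path.join(root, name)
            rel = os.path.relpath(full, extraction_dir)
            manifest[rel] = hash_file(full)
    return manifest


def verify_manifest(extraction_dir, manifest):
    """Return a sorted list of problems: files whose hash changed, files that
    are missing, and files that appeared after acquisition. Empty means intact."""
    problems = []
    current = build_manifest(extraction_dir)
    for rel, expected in manifest.items():
        if rel not in current:
            problems.append(("missing", rel))
        elif current[rel] != expected:
            problems.append(("modified", rel))
    for rel in current:
        if rel not in manifest:
            problems.append(("unexpected", rel))
    return sorted(problems)


def demo():
    """Simulate an extraction directory, seal it, then tamper with it."""
    with tempfile.TemporaryDirectory() as d:
        # constructed stand-ins for a dumped partition image and a report
        with open(os.path.join(d, "userdata.img"), "wb") as f:
            f.write(b"\x00" * 4096 + b"constructed image bytes")
        with open(os.path.join(d, "report.pdf"), "wb") as f:
            f.write(b"%PDF-1.4 constructed report\n")
        manifest = build_manifest(d)
        intact = verify_manifest(d, manifest)
        # edits or losses after sealing show up on the next verification
        with open(os.path.join(d, "report.pdf"), "ab") as f:
            f.write(b"edited opinion\n")
        os.remove(os.path.join(d, "userdata.img"))
        tampered = verify_manifest(d, manifest)
        return {"manifest": manifest, "intact": intact, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is worth storing alongside the case notes and signing or hashing in turn, since a manifest that can be silently rewritten proves nothing on its own.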


Application forensics also involves databases, and examiners need to know how to carve or parse information from them. Most applications on mobile devices rely on databases. Examinations focus on reconstructing the metadata into a readable form; this reconstruction can also be used to locate damaged data left behind after an intrusion. Some of these databases are Oracle, MySQL, Microsoft SQL Server, and SQLite (Messina, 2018).
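To make the parsing and carving distinction concrete for SQLite, the store most mobile apps use, the following added example (written for this page, not taken from Messina or any other cited source) builds a constructed chat-style database, reconstructs its live rows with readable timestamps, and then carves printable strings straight from the file bytes so that a record the app deleted still surfaces. The table layout, sender names and message bodies are all constructed; the `secure_delete` pragma is set off explicitly so that the deleted record's bytes are left behind the way a typical app store leaves them.

```python
"""Added example (not from the page or its sources): parsing a mobile-app
style SQLite store, rendering metadata readably, and carving leftover bytes
from deleted records. The table layout and messages are constructed data."""
import os
import re
import sqlite3
import tempfile
from datetime import datetime, timezone

# Constructed sample rows in the shape many chat apps use: epoch timestamps
SAMPLE_MESSAGES = [
    (1, "alice", 1700000000, "Meet at the usual place"),
    (2, "bob", 1700000600, "On my way"),
    (3, "alice", 1700001200, "Bring the documents"),
]


def build_sample_db(path):
    """Create the constructed store, then delete one row so that its bytes
    stay behind in unallocated space within the page. That is SQLite's
    behaviour unless secure_delete is on, so it is set off explicitly."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete = OFF")
    con.execute(
        "CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, "
        "ts INTEGER, body TEXT)"
    )
    con.executemany("INSERT INTO messages VALUES (?, ?, ?, ?)", SAMPLE_MESSAGES)
    con.commit()
    con.execute("DELETE FROM messages WHERE id = 3")
    con.commit()
    con.close()


def parse_live_records(path):
    """Reconstruct the allocated rows, converting raw epoch integers into
    readable UTC timestamps. The file is opened read-only so that the
    examination itself cannot alter the evidence."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    rows = con.execute(
        "SELECT id, sender, ts, body FROM messages ORDER BY id"
    ).fetchall()
    con.close()
    return [
        {
            "id": i,
            "sender": s,
            "time_utc": datetime.fromtimestamp(t, tz=timezone.utc).isoformat(),
            "body": b,
        }
        for i, s, t, b in rows
    ]


def carve_strings(path, min_len=8):
    """Carve printable ASCII runs straight from the file bytes, ignoring
    SQLite's own view of which cells are still allocated."""
    with open(path, "rb") as f:
        raw = f.read()
    pattern = rb"[ -~]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, raw)]


def find_deleted_fragments(path):
    """Carved runs that belong to no live row: schema text and the bodies of
    deleted records land here for the analyst to triage."""
    live_bodies = [r["body"] for r in parse_live_records(path)]
    return [s for s in carve_strings(path) if not any(b in s for b in live_bodies)]


def analyze_sample():
    """Build the constructed database in a temporary directory and run both
    the logical parse and the raw carve against it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "messages.db")
        build_sample_db(path)
        return {
            "live": parse_live_records(path),
            "fragments": find_deleted_fragments(path),
        }


if __name__ == "__main__":
    result = analyze_sample()
    for row in result["live"]:
        print("live  ", row)
    for frag in result["fragments"]:
        print("carved", frag)
```

On a real extraction the same two passes are run against a forensic copy, never the original file, and the carved fragments are treated as leads to be corroborated rather than as records in their own right, since the first bytes of a freed cell are overwritten and the surrounding context is gone.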


Another field in which examiners must have a foundational understanding is network architecture, including the management and security of the network. To identify an intruder, the examiner must understand network protocols and how data is transmitted, and must know what security features are in place. With this information, tracing the digital footprints of an intruder can assist in damage control and lessen exposure to future attacks.

Digital forensics touches all tech fields and requires fundamental knowledge of the computer sciences. As technology advances, so will the baseline understanding required of examiners. Digital forensics plays a critical role in the security and integrity of computer systems.

References

Forensic Focus. (2021, February 4). Writing DFIR reports: A primer. https://www.forensicfocus.com/articles/writing-dfir-reports-a-primer/

Messina, G. (2018). Computer forensics: Overview & types of database forensics. Infosec Institute. https://www.infosecinstitute.com/resources/digital-forensics/computer-forensics-overview-types-database-forensics/

Oxygen Forensics. (n.d.). What is digital forensics? https://www.oxygenforensics.com/en/resources/what-is-digital-forensics/

Stoll, C. (1989). The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage. Doubleday.

Tutorials Point. (n.d.). Python digital mobile device forensics. https://www.tutorialspoint.com/python_digital_forensics/python_digital_mobile_device_forensics.htm
