This comprehensive guide covers everything you need to know about digital forensics, the science of recovering data from computers, networks, mobile phones, and IoT devices.
"On the internet nobody knows you're a dog," famously joked Peter Steiner. To the layperson in 1993, when the cartoon was published in The New Yorker, both dogs and people were free to explore bulletin boards and chat on IRC with little fear of leaving a digital trail. The infant internet was a realm where ideas flourished and privacy was assured.
Today information and connected devices are abundant, but online privacy is a rare commodity. Though the web superficially appears to be anonymous, your behavior is tracked by your ISP and analyzed by the NSA, web marketers mine your clickstream, and even encryption, a tool deployed by the most privacy-sensitive web users, is under attack.
Digital forensics applies scientific methods to crime detection: it is a documented, analytical process for recovering data from physical media such as PCs, servers, mobile phones, and IoT devices.
For countless personal and professional reasons, consumers and companies should be aware of how online activity can leave detectable breadcrumbs. This cheat sheet is a routinely updated "living" précis loaded with contemporary information about how digital forensics works, who it affects, and how to learn more about web analysis.
- What it is: Digital forensics is the extraction, analysis, and documentation of data from physical media.
- Why it matters: Digital life is not anonymous. As we use the web, we also scatter fragments of data in our wake. If collected, personal data fragments can present an accurate profile of our behavior and personality. Often this data trail is accompanied by legal implications. Digital forensic experts know how to assemble the picture.
- Who it affects: Because digital forensics experts are typically used in a legal setting, government organizations, SMBs, and enterprise companies may want to consider preemptively working with an expert to better understand potential vulnerabilities.
- When it's happening: Digital forensics has been a thriving industry since the mid-1970s.
What it is
Digital forensics scientists are responsible for capturing hard-to-access data from disc drives and flash storage and analyzing digital trails. Often part of the discovery process in a civil or criminal case, the results of digital forensic analysis can provide evidence used in court or documentation to prove or disprove alibis and accusations.
Modern digital forensics is process-oriented and composed of three primary areas of emphasis and expertise: computer (PCs), network (connected PCs), and mobile (phones and IoT). Each of these disciplines requires a mastery of several hardware and software tools.
- Forensic Bridge: Also known as write blockers, these versatile devices connect to and safely extract data from an array of storage media.
- FRED: An acronym for Forensic Recovery of Evidence Device, these workstations plug directly into and analyze data on high-speed networks.
- The SHADOW: This is a speedy device that can image a suspect's hard drive at the scene of a crime.
- Media duplication terminal: This is a stand-alone evidence-grade box with modular inputs that can capture data from CDs and DVDs, USB, flash cards, and mobile devices.
- Capture screens: These are portable evidence scanners that can grab screen captures and record video in the field.
- The Sleuth Kit: This open source suite of applications can locate hidden files, recover lost documents, and analyze registry changes on Windows, DOS, Unix, Linux, Mac, and other common operating systems.
- Wireshark: This is a widely used open source network packet sniffer.
- CAINE: This Linux distribution is tailored for digital forensics and offers an integrated set of memory, mobile, and network forensic tools.
- Registry Recon: This software analyzes and can rebuild the Windows registry.
- COFEE: Developed by Microsoft, this data extraction and documentation tool is used by law enforcement agencies.
- Volatility: This memory forensics tool can extract information stored in RAM.
- TechRepublic reporting on digital forensics (TechRepublic)
- So you want to be a computer forensics expert (TechRepublic)
- Digital forensics: The science behind 'who done it' (TechRepublic)
- Computer forensics: Collecting physical evidence (TechRepublic)
Why it matters
Everything we do online leaves a footprint. Love it or lump it, in legal disputes public and private this footprint is compiled and frequently used as evidence. Though the digital forensics field was once as wild and disorganized as early Silicon Valley, today experts are highly trained and follow rigorous protocols. These guidelines help protect law enforcement agencies from evidence contamination and help corporations fend off cyberattacks.
- Disclosure investigations newest narrative in enterprise breach forensics (ZDNet)
- Introducing digital forensics in schools key to cybersecurity's future (ZDNet)
Who it affects
Law enforcement ranging from the United Nations to the FBI to local and state police all employ healthy teams of digital forensics analysts. As cybersecurity becomes a priority for business, corporations are hiring forensics experts to test network resiliency and help develop cyber-defense policy. Every major private sector cybersecurity firm retains trained and experienced forensics experts.
Consumers, protected by encryption on everything from mobile devices to bank websites, are affected by digital forensics. Apple, of course, famously went to war with the FBI to protect the company's right to use strong encryption on the iPhone. Still, with the right tools, iOS and Android devices are susceptible to data recovery tactics.
- Researchers describe tool that manipulates RAM, misleads cybercrime investigators (TechRepublic)
- Disk wiping and data forensics: Separating myth from science (TechRepublic)
- Forensic scientist identifies suspicious 'back doors' running on every iOS device (ZDNet)
When it's happening
Digital forensics experts are investigators. Just as their offline counterparts dust for fingerprints at crime scenes, digital forensics analysts uncover and document data clues hidden on computers and mobile devices.
Born in the mid-1970s, the art of digital forensics evolved in tandem with the growth of personal computing. Similar to hackers, progenitors of the profession probed early computer networks and documented vulnerabilities. The process was generally disorganized and relied on non-specialized, readily available tools.
In the 1980s and 1990s computer crime entered the mainstream, and along with it came the need for new tools, new standards, and new laws. Packet analyzers and write blockers emerged as essential utensils. Based in part on Kenneth S. Rosenblatt's famous publication High-Technology Crime, forensics analysis helped shape the standards and procedures employed by courts, the FBI, and local enforcement agencies.
Academic and professional standards evolved in the 2000s, and the industry shifted focus to web and mobile cybercrime, hacking, and cyber-defense. By 2021, digital forensics is estimated to be a $4.9 billion industry.
- Computer forensics: Preparing for electronic evidence acquisition (TechRepublic)
- Why forensics investigators must handle solid-state drives with care (TechRepublic)
- From IoT threats to forensics: How this simulator is helping sharpen cybersecurity skills (ZDNet)
How to learn more
The number of educational resources supporting the burgeoning field is growing as well. Major universities like Boston University, Pace, and Penn State, along with local and regional community colleges, offer digital forensics programs.
Lynda.com, a website that sells professional training courses, hosts a growing number of digital forensics how-to videos.
YouTube is a helpful and free resource to learn the fundamentals of digital forensics.
- Digital forensics resembles the Wild West when it comes to regulation (TechRepublic)
- Don't let your improper handling of digital evidence sink a cybercrime investigation (TechRepublic)
- Real-life computer crimes investigation: It's not like on TV (TechRepublic)
- Five tips for meeting the eDiscovery challenge (TechRepublic)
- Electronics-sniffing dogs: How K9s became a secret weapon for solving high-tech crimes (TechRepublic)
- 66% of organizations won't recover after cyberattack, study says (TechRepublic)
- Experts predict 2017's biggest cybersecurity threats (TechRepublic)
- Gaps starting to close in cyberinsurance policies (TechRepublic)
- 10 programs to help you break into a cybersecurity career (TechRepublic)
- Research: Companies fear mobile devices as massive cybersecurity threat (ZDNet)
- Survey: Protecting the enterprise from cyberwarfare threats (ZDNet)
- Passwords have a dopey equal in Things on the Internet (ZDNet)
- Cybersecurity sleuths learn to think like hackers (CNET)
- Glowing fingerprints leave old forensic techniques in the dust (CNET)