Cyber forensics refers to the practice of extracting information, analyzing the data and gaining intelligence about activities that involve the use of technology, organized as a structured chain of evidence that can be presented in a court of law.
In this article, I’ll look at the basics of cyber forensics: what it’s for, phases in a forensic procedure, challenges and how it goes far beyond auditing.
(This article was written by Muhammad Raza. See more of Muhammad’s contributions to Splunk Learn.)
What is cyber forensics?
Sometimes known as computer forensics, cyber forensics is required for legal compliance and for enforcing auditing policies in a way that maintains the integrity of information and ties it to a sequence of actions, which may then be attributed to criminal behavior.
(It often goes hand-in-hand with incident investigation, though you can investigate incidents without needing the more detailed route of true forensics.)
In cyber forensics, you’ll typically uncover the following crucial pieces of information:
- Which users can be attributed to specific actions
- Details on action sequences performed, authorized or related to the user
- Information logs and metadata details such as time, file type, size and volume of data
- The information content such as audio, video and text files
- The technologies involved
Cyber forensics requires measures that go far beyond a standard data collection process. That’s because the information required in a legal setting may not be immediately available: it may need to be recovered and reproduced, authenticated and verified, and analyzed to connect the available data with the appropriate user and their actions.
While the underlying data records may be present, InfoSec experts may require additional access authorization such as instructions from senior executives, external auditors and court subpoenas to be able to extract insights into a structured investigative report.
Phases in a cyber forensic procedure
A cyber forensic investigation typically follows a predefined procedure for extracting information and generating a structured evidence report:
- Identification. Determining which evidence is required for the purpose.
- Preservation. Deciding how to maintain the integrity and security of extracted evidence.
- Analysis. Understanding the insights the information does (and does not) provide.
- Documentation. Creating a record of the recovered data that describes the sequence of actions.
- Presentation. Offering a structured overview of the extracted insights that lead to a conclusion.
At all stages of the cyber forensics process, investigators are expected to follow the procedures that satisfy comprehensiveness, objectivity, authenticity and integrity of information uncovered during the investigation.
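The Preservation phase above turns on being able to prove later that evidence is what was acquired and who held it in between. The following is an added example, not code from the article or from Splunk: it records the metadata the article lists (time, file type, size) together with a SHA-256 hash of the content at acquisition, keeps a chain-of-custody log, and checks both before analysis. The item ids, holder names and log content are constructed for illustration.

```python
import hashlib
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def acquire(item_id: str, name: str, data: bytes, examiner: str, at: datetime) -> dict:
    """Build the preservation record: metadata (time, file type, size) plus a content hash."""
    return {
        "item_id": item_id,
        "name": name,
        "file_type": name.rsplit(".", 1)[-1].lower() if "." in name else "unknown",
        "size": len(data),
        "sha256": sha256_hex(data),
        "custody": [{"action": "acquired", "holder": examiner, "at": at.isoformat()}],
    }

def transfer(record: dict, from_holder: str, to_holder: str, at: datetime) -> None:
    """Append a hand-off to the custody log; the record itself is never rewritten."""
    record["custody"].append(
        {"action": "transferred", "from": from_holder, "holder": to_holder, "at": at.isoformat()}
    )

def verify_integrity(record: dict, data: bytes) -> bool:
    """True only if the data now in hand hashes to what was recorded at acquisition."""
    return len(data) == record["size"] and sha256_hex(data) == record["sha256"]

def custody_is_continuous(record: dict) -> bool:
    """Every hand-off must come from the previous holder and be in time order."""
    log = record["custody"]
    if not log or log[0]["action"] != "acquired":
        return False
    for prev, cur in zip(log, log[1:]):
        if cur["action"] != "transferred" or cur["from"] != prev["holder"] or cur["at"] < prev["at"]:
            return False
    return True

# Constructed sample evidence (not real data): one application log line and a tampered copy.
ORIGINAL = b"2024-01-15 09:12:03 user=jdoe action=download file=payroll.xlsx\n"
TAMPERED = ORIGINAL.replace(b"jdoe", b"asmith")
T0 = datetime(2024, 1, 16, 10, 0, tzinfo=timezone.utc)

RECORD = acquire("EV-001", "app.log", ORIGINAL, "examiner_a", T0)
transfer(RECORD, "examiner_a", "evidence_locker", datetime(2024, 1, 16, 11, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(verify_integrity(RECORD, ORIGINAL), verify_integrity(RECORD, TAMPERED), custody_is_continuous(RECORD))
```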
Cyber forensics vs. auditing: Comparing cyber processes
All of this sounds like auditing, but there are clear differences between a standard auditing process and a cyber forensic investigation, which is designed to extract evidence on specific unknown events and their consequences:
Auditing simply refers to the process of examining information for accuracy. Cyber forensics is much more detailed: it’s the process of extracting information that can be reliably used as evidence of certain actions performed by a user or the systems.
The goal of auditing is to simply ensure operational compliance in terms of how information is recorded and stored. The objective of cyber forensics is to derive knowledge from information such that a sequence of actions or events can be reconstructed.
Audit activities cover risk mitigation and predefined audit procedures, and are bound by time and organizational function.
Cyber forensics is an end-to-end investigative process that includes data acquisition; analysis and knowledge extraction; documentation; and reporting and presentation in an acceptable format, all according to the requirements of the court of law or organizational policies.
Auditing is a standard business process that follows a regular and periodic schedule. On the other hand, cyber forensics activities can be mandated spontaneously, typically in response to:
- A policy violation or misconduct
- External legal investigation process
- Risk mitigation
- Reducing liability under applicable laws
Cyber forensic investigations are usually unique and independent.
Standards such as Generally Accepted Accounting Principles dictate how an audit collects information and analyzes it for accuracy and reliability.
Cyber forensics must first establish a justification for the investigation, then evaluate the impact and obtain the necessary authorization, before any information can be gathered.
Reporting and presentation
Audit reports follow a fixed written format and are distributed to the concerned decision makers and business executives. Cyber forensics reports are developed based on the applicable laws and the nature of crime involved. The final report may include:
- The content of evidence
- Conclusions obtained after a thorough analysis
Challenges with cyber forensics
Cyber forensics experts extract data from a variety of sources — any technologies that may be used by an end-user. These include mobile devices, cloud computing services, IT networks and software applications.
These technologies are developed and operated by distinct vendors. Technology limitations and privacy measures tend to restrict the investigative capacity of an individual InfoSec expert, who faces the following challenges:
- Data recovery. If the data is encrypted, the investigator will not be able to decrypt the information without access to the encryption keys. Newer storage technologies such as SSDs may not offer the same low-level access for recovering lost data as traditional magnetic tape and hard disk drive systems.
- Visibility into cloud systems. Investigators may only have access to metadata but not to the information content of the files. The underlying resources may be shared and allocated dynamically. That lack of access to the physical storage systems means that lost data may not be recoverable by third-party investigators.
- Network log big data. Network log data grows exponentially and requires advanced analytics and AI tools to connect the dots and find insightful relationships between networking activities.
- Multi-jurisdiction data storage. If the data is stored in a different geographic location, cyber forensics investigators may not have the legal authority to access the required information.
Cyber forensics on the rise?
As more laws and compliance standards go into effect regarding data privacy and data protection, we might see increased need for cyber forensics. For example, if a company wants to pursue legal action against cyberattackers, performing cyber forensics would be necessary to establish the case: who did it, what steps they took, the effects and damage, etc.
This posting does not necessarily represent Splunk's position, strategies or opinion.