The past decade has seen previously unimagined advances in technology, and although those developments have benefited individuals and businesses alike, they have also become tools for fraudsters and cyber criminals to steal money and data, and avoid detection.
Hackers use technology to hide their illicit activities and to move funds across jurisdictions and around the globe. Their operations are complex and they have significant resources to help them evade detection.
This means that those tasked with investigating cyber criminal activity have had to keep pace. We are seeing a new breed of investigator, the digital forensic practitioner, who traces these criminals and their activities.
Just as how we leave traces of ourselves in the physical world, we do in the digital world too. We leave ‘digital footprints’ or traces such as activity logs, timestamps, metadata, and suchlike, and this can be extremely valuable for several reasons.
“These traces could be used as evidence in establishing the origins of a document or file, for legal purposes in determining the activity of a party involved in a criminal case of fraud or theft,” says Robert Brown, Chief Executive Officer at DRS, a Cyber 1 company.
Irrespective of the motivation, the examination, interpretation, or reconstruction of trace evidence in the digital world falls within the purview of digital forensics. Brown explains that digital forensics is the practice of identifying, collecting, analysing, and reporting on information found on computers and networks, in such a way that this all the evidence is admissible in a legal context.
“Digital forensics are necessary for law enforcement and investigation, but also have applications in commercial, private, or institutional organisations. All activity conducted on an individual’s computer systems as well as on a company network leave a digital traces, which can range from web browser history caches and cookies, all the way to document metadata, deleted file fragments, email headers, process logs, and backup files,” she explains.
“For the cyber security team whose role it is to protect the organisation, or the investigators who are trying to establish how the business was breached, these bits of evidence are crucial. They will show how an incident happened, who was responsible, how to respond to it, and most importantly, how to stop it happening again in the future.”
Brown says careful scrutiny of hackers’ activities and methodologies, in conjunction with a digital forensic analysis of the tools and techniques that they use, will give the company tremendous insight into attack trends, how these criminal groups work, what their motivations are, what new tricks and tools they are using, and so on. “This evidence gives valuable input into knowledge and best practice resources, as well threat intelligence databases.”
Moreover, the evidence collected from a digital forensic analysis helps in incident response and remediation activities, once the company realises that a breach has happened. “Data can be gleaned on new attack vectors, and sophisticated types of malware that might not have been seen before.”
He says it is also particularly useful in tracing the path of an advanced persistent threat (APT) which uses a variety of tricks and tools to achieve its ends. “APTs are highly targeted, and usually stay undetected on the victim’s network for months, performing reconnaissance and exfiltrating data. Digital forensics helps to trace these attacks and discover what motivated them.”