A digital forensics investigation in nine parts

Digital forensics is a complex discipline that straddles cyber security, law and data technology. It requires a specific skill set and an in-depth knowledge of the legal and regulatory requirements of presenting electronic data for civil and criminal proceedings (in other words, the rules around eDiscovery). Its uses go beyond cyber crime and dealing with the aftermath of cyber threats (e.g. denial of service attacks or phishing attacks).

This brief introductory guide breaks down a typically complex digital forensics investigation into nine distinct stages. 

Stage one: Identification of potential digital evidence

The identification phase involves finding and isolating relevant digital devices that may contain valuable information. Such devices include computers, mobile devices like tablets and smartphones, servers, USB sticks and any other kind of storage media. Digital forensics experts will carefully catalogue and document the hardware and software configurations.

Stage two: Preparation of physical and digital tools

Getting all the physical and digital tools ready for the investigation can be time-consuming. A separate workstation for data collection and analysis is key to maintaining the original data’s integrity.

Stage three: Development of a strategic approach 

A structured response is essential. It should be thorough, covering aspects such as chain of custody procedures, investigative techniques, and reporting. 

The approach should also follow the affected organisation’s incident response plan. For example: 

• a threat actor gained access to systems or networks (e.g. through a social engineering attack like a phishing email, or an exploited vulnerability); 
• malicious software (malware) has been detected; or
• cyber criminals or personnel have accessed and leaked sensitive data (data breach).

Stage four: Preservation of data to prevent alteration and tampering

A forensic expert uses specialised tools and techniques to create forensic copies, known as images, of the original data and run a process to capture the original timestamps. Preserving the data in this way ensures that investigators can analyse the evidence without compromising its authenticity, and maintain a ‘chain of custody’ required for legal proceedings. 

Stage five: Collection of relevant data from preserved evidence

This step may involve retrieving files, examining log files, and inspecting system and application data. At this point, the examiner will also be looking to eliminate anything that is not useful or relevant to the investigation.

Advanced forensic tools aid in the extraction of information, helping investigators to piece together a comprehensive understanding of what happened. Someone determined to steal data, for example, may make several attempts before being successful and that will be reflected in the files.

Stage six: Examination of collected data

This is the heart of any digital forensics investigation, requiring a sharp eye for detail and a deep understanding of digital systems. Forensic experts analyse the information extracted from the various sources to uncover patterns, anomalies, and any digital artefacts that might become evidence. In cases where someone has stolen data, there may also be clues as to their identity.

Techniques such as keyword searches, data carving, and timeline analysis help in reconstructing events and establishing what happened and when. 

Stage seven: Analysis and reporting 

As the investigation enters its final phases, the findings are brought together in a comprehensive report. The digital forensics experts present their conclusions along with details about the discovered evidence, the methodologies they used, and the implications for the case. 

Stage eight: Presentation to non-technical stakeholders

There are numerous non-technical experts and stakeholders who will need to understand what the investigation has revealed – managers, board members, lawyers, court personnel, law enforcement agencies and so on. If the evidence needs to be presented in court, the digital forensics specialist will also need to act as an expert witness and present their findings in testimony before a judge (and possibly a jury).

The information must be conveyed clearly and accurately, without omitting any information. Technical jargon must be kept to a minimum.

Stage nine: Post-mortem 

The review phase is essentially a post-mortem of the entire investigation and provides insights for future improvement. It also helps to identify patterns emerging across different investigations, including the kind of systems of networks involved, and the types of threat actors responsible (including whether they are backed by nation states, and which ones).

A multi-faceted solution to a multi-faceted problem

Although hacking is a constant concern, organisations and businesses of every kind need to realise that it is not just cyber attacks that pose a risk to their valuable data. A digital forensics expert can identify other threats that could result in the leakage of highly sensitive information, be it trade secrets, product designs, or business intelligence.

Business espionage, disgruntled employees who steal and leak information, and poor cyber security practices (such as password sharing) can also result in significant financial loss, competitive disadvantages and reputational harm.

Identifying the threat actors and the methods used are just one aspect of the work done by digital forensics and incident response teams. They are not just there to assist after the fact – they also play a vital role in an organisation’s proactive efforts to defend themselves against similar cyber security incidents in future.