What is digital forensics? Introducing its types and procedures


Have you ever heard the term "digital forensics"? Digital forensics is technology for preserving and analyzing data in the event of an information leak or unauthorized manipulation. In this article, we introduce digital forensics.


What is digital forensics?

To begin with, "forensics" comes from a medical term and means "(forensic) analysis, investigation". It may be easier to understand if you imagine police forensics, which involves preserving, investigating, and analyzing the situation at the scene when an incident or accident occurs.

With "digital" added to it, "digital forensics" refers to technology that analyzes and investigates digital data when an information security incident occurs. When there is an information leak, an unauthorized operation, or a similar incident, it is, like police forensics, technology to preserve, investigate, and analyze information.


The importance of digital forensics

The investigation results derived from digital forensics can serve as legally supported evidence for the case.

On the corporate side, they are also used to support important evidence concerning where liability lies and the amount of compensation for damages. Furthermore, they are important for improving current security measures to prevent similar incidents from happening again.


Types of digital forensics

Digital forensics can be subdivided under different names depending on what is being analyzed, but the ones you should remember are the following three types: "computer forensics", "mobile forensics", and "network forensics".

So let's take a look at what each of them is.


Computer forensics

Computer forensics is technology to investigate and analyze information stored on computers, for example by examining computer hard disks.

It looks for evidence of what operations were performed, not only on computers but also on servers and similar systems. Sometimes data is deleted as a cover-up, but with forensic tools it may be possible to recover the files.


Mobile forensics

Mobile forensics is technology to investigate and analyze data from mobile devices such as smartphones. It collects information such as call history and application usage history.

It can also be called computer forensics in that it deals with data stored on computers, but with the spread of smartphones, the presence of mobile forensics is increasing. In fact, in 2016, smartphones accounted for the highest proportion of data investigated and analyzed by the Metropolitan Police Department for criminal investigations, indicating that mobile devices are increasingly being misused for crimes.


Network forensics

In recent years, cyber attacks against services that actively use the Internet have increased, and aggregating and analyzing "various logs left as records of the flow of packet communication on the network" has become common.

A packet is a unit of data exchanged over a network; data is usually divided into packets and sent over the network. Network forensics is technology that, by collecting this packet information, investigates and analyzes what data was sent from which terminal, when, by what route, and other details.
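
The packet-level questions described above (which terminal sent data, when, and to whom) can be answered directly from a capture file. The following is an added example, not part of the original article: a parser for the classic pcap format, run on a constructed two-packet capture. The addresses, ports, timestamps and function names are assumptions made for illustration.

```python
import struct
from datetime import datetime, timezone
from ipaddress import IPv4Address

def _frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + tcp

def build_sample_pcap():
    """Constructed two-packet capture using documentation-range addresses."""
    frames = [(1700000000, _frame("192.0.2.10", "198.51.100.5", 50000, 443, b"hello")),
              (1700000007, _frame("192.0.2.11", "198.51.100.5", 50001, 80, b"GET / HTTP/1.1\r\n"))]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for ts, fr in frames:
        out += struct.pack("<IIII", ts, 0, len(fr), len(fr)) + fr
    return out

def parse_pcap(data):
    """Return when / from which host / to which host for each IPv4 TCP or UDP packet."""
    if len(data) < 24 or data[:4] not in (b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4"):
        raise ValueError("not a classic pcap file")
    end = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"  # byte order of the capture
    if struct.unpack_from(end + "I", data, 20)[0] != 1:
        raise ValueError("only Ethernet captures are handled here")
    records, off = [], 24
    while off + 16 <= len(data):
        ts, _usec, incl, _orig = struct.unpack_from(end + "IIII", data, off)
        pkt = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(pkt) < max(incl, 34) or pkt[12:14] != b"\x08\x00":
            continue  # truncated record or not IPv4
        l4 = 14 + (pkt[14] & 0x0F) * 4  # start of the transport header
        if pkt[23] not in (6, 17) or len(pkt) < l4 + 4:
            continue  # not TCP/UDP, or ports cut off by the snap length
        sport, dport = struct.unpack_from("!HH", pkt, l4)
        records.append({
            "time": datetime.fromtimestamp(ts, timezone.utc).isoformat(),
            "src": f"{IPv4Address(pkt[26:30])}:{sport}",
            "dst": f"{IPv4Address(pkt[30:34])}:{dport}",
            "ip_bytes": struct.unpack_from("!H", pkt, 16)[0],
        })
    return records

print(*parse_pcap(build_sample_pcap()), sep="\n")
```

A record cut short at the end of the file is skipped rather than parsed, so a partially written capture still yields the packets that were stored completely.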


Digital forensics steps

Digital forensics has a common procedure.

① Advance preparation

Preparation refers to measures taken before an incident that requires digital forensics occurs. Specifically, it is necessary to have a system in place that can quickly and accurately carry out the initial response and evidence preservation flow.

② Preservation of evidence

After an incident occurs, the first step for digital forensics is data preservation. In order to preserve the situation at the time of the incident as accurately as possible, we quickly and accurately grasp the situation and details at the time of the incident and carry out preservation work accordingly.

③ Restoration and decryption of confidential data

Evidence data is often concealed (known as anti-forensics): much of the important evidence is deleted, encrypted, or hidden from view. By performing restoration and decryption according to the purpose and target of the forensic investigation in the incident, it may be possible to reduce the time required for subsequent analysis.

④ Analyzing the data

We analyze the data that has been preserved as evidence and the restored data to determine the cause of the incident, what caused it, when it happened, and who caused it.

⑤ Report

We report the results obtained from the analysis.


The importance of advance preparation and evidence preservation

The important steps in digital forensics are "advance preparation" and "evidence preservation".

The steps taken after an incident occurs (preserving evidence, restoring data, and analyzing data) are only possible if the underlying data exists.

For example, if no operation logs or packets are collected within the company, then even if an incident occurs, there will be no data to preserve, no data to restore, and no data to analyze. It is important to have a system in place in advance to back up operation logs and data, and to collect packets.

Furthermore, even if operation logs and packets are collected, if someone who is not very familiar with digital forensics responds to an incident, there are many cases where the information is accidentally rewritten or deleted. If a problem occurs, do not perform careless operations; report to and consult with the security team or experts.


Lastly

How was it? Of course, it is important to take measures to prevent incidents from occurring, but perfect information security does not exist. Don't start thinking about digital forensics after an incident occurs; plan your response before an incident occurs.

In addition, after an incident occurs, it is also very important to quickly investigate the cause, minimize damage, and make improvements to prevent recurrence. Raise awareness of information security within your organization by referring to the opinions of experts.

