Digital Forensics


by James G. Barr

Docid: 00018034

Publication Date: 2208

Publication Type: TUTORIAL


Digital forensics is the science of identifying, collecting, preserving,
analyzing, and presenting digital evidence in a legally-acceptable
manner. Also known as forensic computing or computer forensics,
digital forensics enables the apprehension – and prosecution – of cyber
criminals who exploit vulnerable computer systems, networks,
and devices.


Executive Summary


Digital forensics is the science of identifying, collecting, preserving,
analyzing, and presenting digital evidence in a legally-acceptable
manner. Also known as forensic computing or computer forensics,
digital forensics enables the apprehension – and prosecution – of cyber
criminals, individuals who exploit vulnerable computer systems, networks,
and devices to:

  1. Steal confidential information, in particular, personally identifiable
    information (PII), to facilitate identity theft and other consumer
  2. Steal proprietary information, such as business plans and trade
    secrets, to gain a competitive advantage through industrial espionage.
  3. Disrupt electronic commerce, either for competitive advantage or
    personal animus (as in the case of many computer hackers).
  4. Introduce instability into a target organization’s information
    technology (IT) infrastructure (often as a means of diminishing the
    target’s reputation or business prospects).
  5. Lower the target’s defenses (often as a prelude to a larger attack).
    For example, a thief may hack into an access control system which
    regulates entry to a warehouse containing valuable merchandise. In this
    scenario, the computer attack may occur hours, even days, before the
    warehouse is physically breached. Using digital forensics, an analyst
    may be able to alert authorities to the break-in BEFORE, not after, it


Digital forensics differs from normal incident investigation in four

  1. The incident in question is presumed to be the result of malicious
    action, not an inadvertent – and unintentional – mistake.
  2. The evidence collected may be used to justify an administrative
    action, like suspending or terminating an employee, or provide civil
    authorities with the means to arrest and convict a criminal suspect.
  3. A forensic examination is performed according to rigorous technical
    protocols, capable of withstanding intense legal scrutiny.
  4. A forensic examination is performed by a certified forensic analyst.
    The analyst may be a specially-trained member of the in-house security
    team or, more likely, a third-party practitioner.

Outsourcing is often the preferred way to source an analyst, since an
in-house analyst will not have had the opportunity to learn through
experience (it is, after all, a part-time responsibility), and an in-house
analyst can be compromised (especially if the perpetrator is another
employee). In the latter case, the perpetrator may possess inside
information on how forensic exams are conducted (and, therefore, avoid
detection), or the examiner may be a friend of the perpetrator, and refuse
to “give him (or her) up.”



Forensics is roughly divided into physical (or traditional) forensics and
digital forensics.

Where a physical forensics examiner might be concerned, for example, with
collecting physical fingerprints from a subject’s paper file folder, a
digital forensics examiner might be concerned with collecting “digital
fingerprints” from the subject’s computer hard drive.

Regardless, the purpose, if not the process, of gathering and evaluating
evidence is the same between physical and digital forensics.

As described by the US National Institute of Standards and Technology
(NIST), “Digital forensics is not a single technique, but many independent
techniques that operate on digital data.

“The techniques applied to a specific case depend on the type of
information likely to be useful for understanding what happened. For
example, browsing the contents of a digital device can find records of
financial misconduct, communication with others indicating collusion in
illegal activities, or possession of contraband material.

“Techniques for digital forensic analysis have been developed as needed
by digital forensics examiners (just as in other fields) trying to answer
the classic questions required to resolve the case. Because computing
technology is changing rapidly, there is a possibility that no tool will
be able to find or correctly parse all the information in each piece of
digital evidence, especially for more recently introduced or upgraded

“Digital data is easily modified. Sometimes it is difficult to prevent
some modifications. For example, if a computer is powered off, just
turning on the computer will modify metadata such as a log of when the
computer has been turned on. While the computer is powered off the storage
device can be removed by the forensic examiner and attached to a different
computer via a hardware device that intercepts and blocks any commands
that would write to the storage device.

“One solution to avoid modifying digital evidence during examination is
to copy the evidence [bit-for-bit to an image file using a forensic disk
imager, as shown in Figure 1]. Then, the data in the image file can be
examined with a tool designed to access the data without modification.
Another solution is to access the file system as read only, so that the
data is protected from modification by the operating system.”1

Figure 1. Forensic Disk Imager

Source: Wikimedia Commons

“A digital investigation begins with the context of the investigation
and the digital devices being examined. To investigate a suspected
espionage case the examiner might look for:

  • “Contraband (classified documents)
  • “Removable device history (moving the contraband around)
  • “Geolocator information (places the suspect has visited)
  • “Contacts (identify collaborators)
  • “Messages (extraction of planned actions)
  • “Deleted documents (hiding activity)”2
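The acquisition workflow NIST describes above (copy the storage device bit-for-bit to an image while the source is never opened for writing, then examine the image rather than the original) can be shown in a few lines of Python. This is an added example written for this tutorial, not code from the report or from NIST. It assumes a regular file standing in for a block device, constructed sample bytes, and a hash-verification step (SHA-256 of source and image) that is standard acquisition practice but is not mentioned in the quoted text. The read-only open in software is only half of the guarantee; a hardware write blocker, as NIST notes, enforces it below the operating system, which software alone cannot.

```python
"""
Added example (not from the Faulkner report or NIST): a minimal bit-for-bit
acquisition with integrity verification.

Assumptions (mine, not the page's):
  - The "device" is a regular file standing in for a block device such as
    /dev/sdb; the bytes it holds are constructed sample data.
  - Hashing source and image (SHA-256) is the usual way to show the copy is
    exact; the quoted NIST text describes the copy and the write blocker but
    does not mention hashing.
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB read size; real devices are imaged in large blocks


def sha256_file(path: str) -> str:
    """Hash a file in chunks so multi-GB images never need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:  # "rb": the evidence is never opened for writing
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_device(device: str, image: str) -> dict:
    """Copy `device` byte-for-byte into `image`, hashing the bytes as they are
    read. Returns the acquisition hash and the number of bytes copied."""
    h = hashlib.sha256()
    copied = 0
    with open(device, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
            h.update(block)
            copied += len(block)
    return {"acquisition_hash": h.hexdigest(), "bytes": copied}


def verify_image(device: str, image: str, acquisition_hash: str) -> bool:
    """Re-hash source and image independently after acquisition; all three
    digests must agree before the image is treated as a faithful copy."""
    return sha256_file(device) == sha256_file(image) == acquisition_hash


def run_demo() -> dict:
    """Build a constructed 'device', image it, verify the image, then show what
    a single changed byte in the image does to verification."""
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "evidence.dd")   # stands in for /dev/sdb
        image = os.path.join(tmp, "evidence.img")
        # Constructed content: a boot-sector-like header, a repeated text memo,
        # and trailing 'unallocated' zeros, spanning more than one read chunk.
        payload = (b"FAKEBOOT" + b"\x00" * 504
                   + b"memo: ship the prototype Friday\n" * 1000
                   + b"\x00" * (CHUNK + 17))
        with open(device, "wb") as f:
            f.write(payload)

        acq = image_device(device, image)
        ok_before = verify_image(device, image, acq["acquisition_hash"])

        # Simulate post-acquisition tampering with the image: flip one byte.
        with open(image, "r+b") as f:
            f.seek(len(payload) // 2)
            b = f.read(1)
            f.seek(-1, os.SEEK_CUR)
            f.write(bytes([b[0] ^ 0xFF]))
        ok_after = verify_image(device, image, acq["acquisition_hash"])

        return {
            "source_size": os.path.getsize(device),
            "bytes_copied": acq["bytes"],
            "verified_before_tamper": ok_before,
            "verified_after_tamper": ok_after,
        }


if __name__ == "__main__":
    print(run_demo())
```

The acquisition hash is recorded at imaging time and the two files are re-hashed separately afterwards; any later modification of either, even one byte, shows up as a mismatch, which is what lets the image rather than the original be worked on during analysis.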


The computing world is presently in the midst of a “Digital
Transformation,” a movement that seeks to reinvent or revitalize
enterprise operations through the application of digital technology.
Digital transformation has greatly expanded the number and variety of
systems and devices demanding digital forensics support, including:

  • Servers
  • Computers
  • Cloud infrastructure (IaaS, SaaS, etc.)
  • Cloud-hosted applications (Microsoft 365, custom applications, VDI,
  • Networking equipment (routers and switches)
  • Video data solutions (NVR/DVR)
  • Point of sale systems
  • Firewalls
  • Proxies
  • Medical equipment/devices3


Digital forensics practices are informed by a set of generally-accepted
standards, including those offered by the International Organization for
Standardization (ISO):

  • ISO/IEC 27037:2012: Information technology — Security
    techniques — Guidelines for identification, collection, acquisition and
    preservation of digital evidence
  • ISO/IEC 27041:2015: Information technology — Security
    techniques — Guidance on assuring suitability and adequacy of incident
    investigative method
  • ISO/IEC 27042:2015: Information technology — Security
    techniques — Guidelines for the analysis and interpretation of digital
  • ISO/IEC 27043:2015: Information technology — Security
    techniques — Incident investigation principles and processes

Best Practices


Protect Confidential and Proprietary Enterprise Data

Many digital attacks are designed to steal or otherwise liberate
confidential or proprietary enterprise information, including passwords,
personally identifiable information (PII), business plans, trade secrets,
etc. It would be ironic if a perpetrator failed to accomplish his or her
mission only to have a forensic examiner, through ignorance or negligence,
reveal the same sensitive data the perpetrator was seeking. As a result,
forensic examiners should employ extraordinary procedures to ensure that
sensitive information is not lost, stolen, modified, destroyed, or
misappropriated during the course of an examination. Otherwise, one
security investigation could lead to two.

Equip Examiners with Digital Forensic Software

Digital forensic software is valuable not only for acquiring disk images,
but also for automating much of the analysis process, such as:

  • Identifying and recovering file fragments, and hidden and deleted
    files and directories from any location (e.g., used space, free space,
    slack space, etc.).
  • Examining file structures, headers, and other characteristics to
    determine what type of data each file contains, instead of relying on
    file extensions (e.g., .doc, .jpg, .mp3, etc.).
  • Displaying the contents of all graphics files.
  • Performing complex searches.
  • Graphically displaying the acquired drive’s directory structure.
  • Generating reports.4
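Two of the automated checks listed above, typing a file by its header rather than by its extension, and locating file fragments by signature in free or slack space, can be demonstrated with the added example below. It is written for this tutorial and is not code from the report or from any forensic product; the signature table, the extension map and the raw "image" buffer are constructed for the example, and the carving routine (`carve`) is a deliberately minimal header/footer scan.

```python
"""
Added example (not from the report or any forensic suite): two of the
automated checks the list above describes, in their simplest form.

  1. identify(): classify a file by its header bytes and flag it when the
     extension disagrees (a .docx that is really a PDF, for example).
  2. carve(): scan a raw buffer, standing in for unallocated or slack space
     in a disk image, for known headers and return each embedded object.

The signature table and the sample 'image' bytes are constructed for this
example; real tools carry hundreds of signatures and validate structure.
"""
from __future__ import annotations
import os

# (type name, header bytes, footer bytes or None when the format has none)
SIGNATURES = [
    ("JPEG", b"\xff\xd8\xff", b"\xff\xd9"),
    ("PNG", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    ("PDF", b"%PDF-", b"%%EOF"),
    ("ZIP", b"PK\x03\x04", None),  # also .docx/.xlsx/.jar containers
    ("GIF", b"GIF8", b"\x00;"),
]

# What an extension *claims* the content is (constructed, not exhaustive).
EXTENSION_TYPES = {
    ".jpg": "JPEG", ".jpeg": "JPEG", ".png": "PNG", ".pdf": "PDF",
    ".zip": "ZIP", ".docx": "ZIP", ".gif": "GIF",
}


def type_from_header(data: bytes) -> str | None:
    """Return the type whose header the data starts with, or None."""
    for name, header, _ in SIGNATURES:
        if data.startswith(header):
            return name
    return None


def identify(filename: str, data: bytes) -> dict:
    """Compare what the header says against what the extension claims."""
    ext = os.path.splitext(filename)[1].lower()
    claimed = EXTENSION_TYPES.get(ext)
    actual = type_from_header(data)
    return {"file": filename, "claimed": claimed, "actual": actual,
            "mismatch": actual is not None and claimed != actual}


def carve(buffer: bytes, max_len: int = 1 << 20) -> list[dict]:
    """Find embedded objects by header; cut at the footer when one is known,
    otherwise return up to max_len bytes. Offsets are relative to the buffer;
    a real tool maps them back to sector numbers on the image."""
    found = []
    for name, header, footer in SIGNATURES:
        start = 0
        while (pos := buffer.find(header, start)) != -1:
            if footer:
                end = buffer.find(footer, pos + len(header))
                end = end + len(footer) if end != -1 else min(len(buffer), pos + max_len)
            else:
                end = min(len(buffer), pos + max_len)
            found.append({"type": name, "offset": pos, "data": buffer[pos:end]})
            start = pos + len(header)
    return sorted(found, key=lambda f: f["offset"])


# Constructed raw buffer: a JPEG and a PDF sit inside filler 'unallocated'
# bytes, with a ZIP header at the very end (no footer, so carved to the end).
JPEG_BLOB = b"\xff\xd8\xff\xe0" + b"JFIF-pixel-data" * 4 + b"\xff\xd9"
PDF_BLOB = b"%PDF-1.7\n1 0 obj<<>>endobj\n%%EOF"
SAMPLE_IMAGE = (b"\x00" * 512 + JPEG_BLOB + b"\xab" * 300 + PDF_BLOB
                + b"\x00" * 128 + b"PK\x03\x04\x14\x00" + b"zipdata")


def run_demo() -> dict:
    """Type a few constructed files, then carve the constructed buffer."""
    checks = [identify("holiday.jpg", JPEG_BLOB),       # extension agrees
              identify("report.docx", PDF_BLOB),        # .docx hiding a PDF
              identify("notes.txt", b"plain text")]     # unknown header
    carved = [(f["type"], f["offset"], len(f["data"])) for f in carve(SAMPLE_IMAGE)]
    return {"checks": checks, "carved": carved}


if __name__ == "__main__":
    print(run_demo())
```

The extension check is the reason forensic tools "examine file structures, headers, and other characteristics" rather than trusting names: renaming a file costs nothing, while the header is part of the content. The carving routine shows the same idea applied to raw bytes with no file system at all, which is how deleted or fragmented files are pulled from free and slack space.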

Establish an Enterprise-Grade Digital Forensics Program

The enterprise chief security officer (CSO) should assume responsibility
for establishing, monitoring, and maintaining an enterprise-grade Digital
Forensics Program, starting with the steps described in Table 1.

Table 1. Forensics Action Plan

Action: Update enterprise security policies to define the “acceptable use”
of digital forensics.
Purpose:
  • To legitimize digital forensics from an enterprise perspective.
  • To alert and, thus, discourage employees from engaging in cyber crime,
    owing to the enterprise’s digital forensics commitment and

Action: Recruit or train a Digital Forensics Team.
Purpose:
  • To ensure that digital forensics examinations are performed efficiently
    and effectively.
  • To minimize the possibility that digital forensics evidence will be
    declared inadmissible in court.

Action: Establish the threshold for launching a forensic investigation.
Purpose:
  • To identify which types of digital security incidents demand digital
    forensics investigation.
  • To enable the use of digital forensics, as appropriate, for the
    prevention of future digital security incidents.
  • To establish when it’s better to let a “bad guy get away” than disrupt
    critical enterprise operations in an attempt to process digital
    evidence.

Action: Validate forensic procedures with local law enforcement.
Purpose:
  • To guarantee compliance with all relevant civil and criminal standards
    and statutes for the identification, preservation, analysis, and
    presentation of digital evidence.
  • To facilitate a public-private partnership in the field of digital
    forensics.

Action: Incorporate digital forensics into regular enterprise incident
management and problem management disciplines.
Purpose:
  • To provide feedback to help desk and other incident management
    specialists that may be useful in resolving digital security

Action: Enlist a physical security specialist to join the Digital Forensics
Team.
Purpose:
  • To offer assistance to digital forensics examiners in situations
    involving both information and physical infrastructure.

Action: Retain a reputable third-party firm that specializes in digital
Purpose:
  • To establish a backup capability in the event a particular digital
    forensics examination is too challenging for in-house staffers, or
    employees are implicated in the investigation.



Like cybersecurity specialists and other computer professionals, digital
forensics examiners should be certified in their profession.

One option is to require enterprise examiners to obtain both a CISSP
certification for general information systems security, and a CDFE5
for digital forensics.

CISSP (Certified Information Systems Security Professional)

The CISSP credential is, perhaps, the most highly acclaimed certification
for information security professionals seeking a better understanding of
cybersecurity strategy and implementation.

Candidates must pass an exam and have at least “five years of cumulative,
paid work experience” in two or more of eight security domains. These
domains and their percent weight on the CISSP exam are as follows:

  • Security and Risk Management – 15 percent
  • Security Architecture and Engineering – 13 percent
  • Communication and Network Security – 13 percent
  • Identity and Access Management (IAM) – 13 percent
  • Security Operations – 13 percent
  • Security Assessment and Testing – 12 percent
  • Software Development Security – 11 percent
  • Asset Security – 10 percent

The CISSP credential is DoD approved, complies with ISO 17024, and is the
most required security certification on LinkedIn.

CDFE (Certified Digital Forensics Examiner)

The CDFE credential is designed for individuals “interested in pursuing
litigation, proof of guilt, or corrective action based on digital
evidence. An example of ‘corrective action’ would be the termination of an
employee for a violation of computer usage where digital evidence was
needed to support the allegation. The investigator must furnish an
irrefutable burden of proof based on that digital evidence. If not
irrefutable, an attorney knowledgeable about [digital] forensics could
have the case thrown out of court. Government or investigative agencies
need proper training to succeed in cases like the above as well as those
including acts of fraud, computer misuse, illegal pornography,
counterfeiting, and so forth.

“The CDFE training covers a wide range of topics, including:

  • “Forensic examination
  • “Tools of the trade
  • “Seizure concepts
  • “Incident investigation
  • “Fundamentals of conducting an effective [digital] forensic
  • “Electronic discovery and digital evidence”6



About the Author


James G. Barr is a leading business continuity analyst and business writer
with more than 40 years’ IT experience. A member of “Who’s Who in Finance
and Industry,” Mr. Barr has designed, developed, and deployed business
continuity plans for a number of Fortune 500 firms. He is the author of
several books, including How to Succeed in Business BY Really Trying, a
member of Faulkner’s Advisory Panel, and a senior editor for Faulkner’s
Security Management Practices. Mr. Barr can be reached via e-mail at
