Forensics is the work of examining evidence and establishing the facts that link it to an incident. In this article we discuss the basics of digital forensics. We give this introduction because we believe it is necessary to have a reaction plan for when one of our assets, such as a server or web application, is compromised. We also recommend studying other sources for more thorough training, as this topic extends well beyond the tools available in Kali Linux. Digital forensics is a fast-growing area of cyber security, and very few people know it well.
1. Never touch the evidence
This does not refer to physically touching the evidence. It means "never work on the original data": always use a copy of the evidence for forensic examination, and make sure the data was not modified while the copy was being made. The moment we touch or modify the original data, our case becomes worthless: tampered evidence cannot be used in any legal proceeding, regardless of what is found. The reason is that once an original is modified, it may present false evidence that misrepresents the real incident. An example is a change that adjusts a timestamp in the system logs: there would be no way to tell whether it came from a novice analyst's mistake or from an attacker covering their tracks.
Most digital forensic analysts use specialized devices (hardware write blockers and imagers) to copy data bit for bit. There is also very reputable software that does the same thing. It is important that our process be very well documented. Most digital copies that have been thrown out of legal proceedings were rejected because the hash of the storage medium, such as a hard drive, did not match the hash of the copied data. The hash of a hard drive will not match a contaminated copy, even if only a single bit is modified. A hash match means it is extremely likely that the copy, including filesystem metadata, access times and the unallocated space where deleted data may remain, is an exact duplicate of the original data source. Hash the original before and after imaging as well as the copy itself, and record all three values in the case notes.
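The imaging-and-verification step described above, as an added example that is not code from the original article. It uses a constructed 1 MiB file of random bytes in place of a real device (on a real case the source would be a block device such as /dev/sdb sitting behind a write blocker; that path is only an assumption, not used here), images it with dd, and checks three SHA-256 values: the source before imaging, the source after imaging (proving we did not alter it), and the copy. It then flips one bit in the copy to show that a single-bit change is enough to break the match. The function names hash_of, image_and_verify and flip_one_bit are invented for this example.

```shell
#!/bin/sh
# Added example, not from the original article: bit-for-bit imaging with
# hash verification. The "device" is a constructed file, not a real disk.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SRC="$WORK/evidence.img"   # stands in for a write-blocked device (assumption)
IMG="$WORK/evidence.dd"    # the working copy we will actually examine

# Constructed sample "disk": 1 MiB of pseudo-random bytes.
dd if=/dev/urandom of="$SRC" bs=1024 count=1024 2>/dev/null

# hash_of FILE: print the SHA-256 digest of FILE as a bare hex string.
hash_of() {
    sha256sum "$1" | awk '{print $1}'
}

# image_and_verify SRC DST: hash the source, copy it bit for bit with dd
# (conv=noerror,sync pads unreadable blocks with zeros instead of aborting,
# the usual choice for a failing drive), then hash the source again and the
# copy. Prints MATCH and returns 0 only if all three digests are identical.
image_and_verify() {
    src=$1; dst=$2
    before=$(hash_of "$src")
    dd if="$src" of="$dst" bs=4096 conv=noerror,sync 2>/dev/null
    after=$(hash_of "$src")
    copy=$(hash_of "$dst")
    printf 'source before: %s\nsource after:  %s\ncopy:          %s\n' \
        "$before" "$after" "$copy"
    if [ "$before" = "$after" ] && [ "$before" = "$copy" ]; then
        echo MATCH; return 0
    fi
    echo MISMATCH; return 1
}

# flip_one_bit FILE: XOR the first byte of FILE with 0x01 in place.
# Simulates the smallest possible contamination of a copy.
flip_one_bit() {
    f=$1
    first=$(dd if="$f" bs=1 count=1 2>/dev/null | od -An -tu1 | tr -d ' ')
    flipped=$(( first ^ 1 ))
    # printf '\NNN' emits the byte with octal value NNN; write it at offset 0
    # without truncating the rest of the file.
    printf "$(printf '\\%03o' "$flipped")" \
        | dd of="$f" bs=1 count=1 conv=notrunc 2>/dev/null
}

# Record the original's digest once, before any work touches the copy.
ORIG_HASH=$(hash_of "$SRC")

image_and_verify "$SRC" "$IMG"     # expected: MATCH

flip_one_bit "$IMG"
if [ "$(hash_of "$IMG")" = "$ORIG_HASH" ]; then
    echo "copy still matches (unexpected)"
else
    echo "one flipped bit: the copy no longer matches the original"
fi
```

In practice the source digest is taken through the write blocker, and imaging tools such as dc3dd or dcfldd compute the hash while they copy so the drive is read once rather than three times; the three-way comparison above is the same check, just spelled out by hand.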
2. Look for everything
The second vital rule of digital forensics is that anything that can store data should be examined. In well-known cases involving digital media, critical evidence has been found on cameras, DVRs, video game consoles, phones, iPods and other unlikely digital devices. If a device has any capability of storing user data, it could be relevant to a forensic investigation. Do not dismiss a device just because it seems unlikely. A car navigation system that stores maps and music on SD cards could be used by a culprit to hide data, and the tags on downloaded music files could provide evidence of Internet usage.
3. Document everything
This is the last crucial rule of digital forensics. Many newcomers ignore it, but we MUST document our findings. All evidence and every step used to reach a conclusion must be easy to understand for the work to be credible. More importantly, our findings must be reproducible: independent investigators must be able to arrive at the same conclusion using our documentation and techniques. It is also important that our documentation establishes a timeline of events, stating when specific things occurred and how they occurred. Every timeline conclusion must be documented together with the evidence that supports it.
A forensic investigation rests on the perception of a security expert objectively validating the evidence linked to an incident. It is easy to get caught up hunting for bad guys and drawing conclusions about what may have happened based on opinion. This is one of the fastest ways to discredit our work.
As forensic specialists, we must only state the facts. Did the person Tony steal Steve's files, or did the account logged on as the username Tony initiate a copy from the user Steve's home directory to a USB drive with serial number XXX at timestamp XXX on date XXX? See the difference? The real culprit could have stolen Tony's login credentials (using methods covered elsewhere) and taken Steve's data while posing as Tony. The moment you jump to a conclusion is the moment your case becomes inconclusive because of personal interpretation. Remember, as forensic specialists we could be asked under oath to testify on exactly what happened; the moment anything other than facts enters the record, our credibility will be questioned.
Extra Talks
These are the basic rules of digital forensics that we need to remember and follow at all times. Digital forensics is not easy, but it has great potential as a career. The basic workflow is to collect the information carefully, analyze it painstakingly to extract the evidence relating to the incident, and use that evidence to answer the questions of the investigation, as shown in the following diagram: