The investigation of a computer system believed to be compromised by cybercrime. Also called "digital forensics," it is used to examine a computer that may harbor incriminating data in non-cybercrime cases.
There is a large variety of forensic software for investigating a suspect PC. Such programs may copy the entire storage drive to another system for inspection, allowing the original to remain unaltered. Another example compares file extensions to the content within the files to determine if they have been camouflaged with phony extensions. For example, an image file might be renamed as a text document and vice versa. In addition, storage drives can be examined for deleted data (see
data remanence). The Kali version of Linux is widely used for computer forensics (see
Kali).
Network Forensics
In order to identify cyberattacks, "network forensics" deals with the capture and inspection of packets passing through a selected node in the network. Packets can be inspected on the fly or stored for later analysis. See
hidden disk areas,
forensically clean,
slack space,
write blocker,
file wipe,
IDS,
Internet forensics and
security event management software.
NIST Phases
The National Institute of Standards and Technology "Guide to Integrating Forensic Techniques into Incident Responses" covers four phases, which are briefly summarized below. For the complete 121-page NIST publication, download draft SP 800-86 at http://csrc.nist.gov/publications/nistpubs.
1 - Collection: Identify, label, record and acquire data from possible sources, while preserving the integrity of the data.
2 - Examination: Use manual and automated methods to assess and extract data of particular interest, while preserving the integrity of the data.
3 - Analysis: Use legally justifiable methods and techniques to derive useful information.
4 - Reporting: Describe actions used, explain how tools and procedures were selected, determine what other actions need to be performed, including forensic examination of additional data sources, securing identified vulnerabilities and improving existing security controls. Recommend improvements to policies, guidelines, procedures, tools and other aspects of the forensic process.