What Is Cyber Forensics?

With businesses and individuals relying heavily on technology, cybercrimes are growing fast. Proving these crimes, however, is not easy.

Critical evidence for cybercrimes often resides within electronics such as computers and mobile devices. It is important to collect digital evidence to help fight cybercrimes and bring justice. This is where cyber forensics comes in. Cyber forensics is a critical cybersecurity field that involves the identification, preservation, analysis, and presentation of digital evidence.

In this article, I’ll look at the basics of cyber forensics: what it’s for, phases in a forensic procedure, challenges, and how it goes far beyond auditing.

What is cyber forensics?

Cyber forensics refers to the practice of extracting information, analyzing the data, and gaining intelligence. This data is specific to activities that one can present in a court of law as a structured chain of evidence.

Sometimes known as computer forensics, cyber forensics first came into light as an official discipline in the 1980s. With the boom of personal computers, criminal activity started migrating to the digital world. Traditional forensics techniques were no longer enough to handle the new digital type of evidence. This led to the emergence of computer forensics.

Some key milestones in early cyber forensics:

• 1986 Computer Fraud and Abuse Act (CFAA)
• 1989 Formation of the International Association of Computer Investigative Specialists (IACIS)
• 1992 Computer Analysis and Response Team (CART) officially created
• 1995 International Organization on Computer Evidence (IOCE)
• 2000 Regional Computer Forensic Laboratory (RCFL) established

Since then, there have been several advancements in cyber forensics.

Cyber forensics is important for legal compliance and to enforce auditing policies to maintain the integrity of information. Additionally, it plays a major role in correlating a sequence of actions, which may contribute to criminal behavior.

(It often goes hand-in-hand with incident investigation, though you can investigate incidents without needing the more detailed route of true forensics.)

In cyber forensics, you’ll typically uncover the following crucial pieces of information:

• Which users can contribute to specific actions
• Details on action sequences performed, authorized, or related to the user
• Information logs and metadata details such as time, file type, size, and volume of data
• The information content such as audio, video, and text files
• The technologies involved

How does cyber forensics work?

Cyber forensics requires measures that go far beyond a standard data collection process. That’s because required information in a legal setting may not be immediately available. How is it different? Well, it needs recovering and reproduction, authentication and verification, and analysis to connect the available data insights with the appropriate user and their actions.

While the underlying data records may be present, InfoSec experts may require additional access authorization such as instructions from senior executives, external auditors, and court subpoenas to extract insights into a structured investigative report.

Phases in a cyber forensics procedure

Cyber forensics typically follows predefined procedures for extracting information and generating a structured evidence report:

1. Identification. Determining which evidence is required for the purpose.
2. Preservation. Deciding how to maintain the integrity and security of extracted evidence.
3. Analysis. Understanding the insights the information does (and does not) provide.
4. Documentation. Creating and recovering data to describe the sequence of actions.
5. Presentation. Offering a structured overview of the extracted insights that lead to a conclusion.

At all stages of the cyber forensics process, investigators have to follow procedures that satisfy the comprehensiveness, objectivity, authenticity, and integrity of information uncovered during the investigation.

(Related reading: what is digital forensics?)

Cyber forensics vs. auditing: Comparing cyber processes

All of this sounds like auditing, but there are clear differences between a standard auditing process and cyber forensic investigation.

Definition

Auditing is the process of examining information for accuracy. On the other hand, cyber forensics is much more detailed: it’s the process of extracting information that you can reliably use as evidence of certain user or system actions.

Objective

• The goal of auditing is to simply ensure operational compliance in terms of how information is recorded and stored. 
• The objective of cyber forensics is to derive knowledge from information to reconstruct a sequence of actions or events.

Scope

Audit activities cover risk mitigation activities and predefined audit procedures, and are bound by:

• Time 
• Organizational function

Cyber forensics is an end-to-end investigative process that includes data acquisition, analysis, documentation; analysis and knowledge extraction; reporting, and presentation in an acceptable format — all according to the court of law or organizational policies.

Timing

Auditing is a standard business process that follows a regular and periodic schedule.

Conversely, cyber forensic investigations are usually unique and independent. Authorities may mandate cyber forensics activities spontaneously, typically in response to:

• A policy violation or misconduct
• External legal investigation process
• Regulatory compliance
• Risk mitigation
• Reducing liability to applicable laws

Methodology

The auditing process is dictated by external standardards such as Generally Accepted Accounting Principles. This includes collecting information and analyzing it for accuracy and reliability for an auditing process.

Cyber forensics must first establish a justification for the investigation, then evaluate the impact and obtain necessary information — before you can gather any information.

Reporting and presentation

Audit reports follow a fixed written format and are distributed to the concerned decision-makers and business executives. In contrast, cyber forensics reports are developed based on the applicable laws and the nature of the crime involved. The final report may include:

• The content of the evidence
• Conclusions obtained after a thorough analysis

Challenges with cyber forensics

Cyber forensics experts extract data from a variety of sources — any technologies that may be used by an end-user. These include mobile devices, cloud computing services, IT networks, and software applications.

Distinct vendors develop and operate these technologies. The technology limitations and privacy measures tend to restrict the investigative capacity of an individual InfoSec expert as they face the following challenges:

• Data recovery. If the data is encrypted, the investigator will not be able to decrypt the information without access to encryption keys. New storage tools such as SSD devices may not offer immediate factory access to recover lost data, unlike traditional magnetic tape and hard disk drive systems.
• Visibility into cloud system. Investigators may only have access to metadata but not the information content of the files. The underlying resources may be shared and allocated dynamically. That lack of access to physical storage systems means that third-party investigators might not recover lost data.
• Network log big data. Network log data grows exponentially and requires advanced analytics and AI tools to connect the dots and find insightful relationships between networking activities.
• Multi-jurisdiction data storage. If the data is stored in a different geographic location, cyber forensics investigators may not have the legal authority to access the required information.

While there are challenges with cyber forensics, there are also resources that can help you minimize their impact, if not overcome them.

Resources for cybersecurity and forensics

Luckily, there's a wealth of free resources available for cybersecurity and forensics to help you with your journey. I am listing some of the popular ones below:

• SANS Institute
• National Institute of Standards and Technology (NIST)
• Open Web Application Security Project (OWASP)
• Cybrary
• EC-Council
• Digital Forensics Framework
• Autopsy
• The Sleuth Kit

Cyber forensics on the rise?

As more laws and compliance standards go into effect regarding data privacy and data protection, we might see an increased need for cyber forensics.

For example, if a company wants to pursue legal action against cyberattackers, performing cyber forensics would be necessary to establish the case: who did it, what steps they took, the effects and damage, etc.