IT systems, devices and networks can be the targets of crime, as in hacking, ransomware and computer fraud. They are also tools that criminals use to research, plan and coordinate their crimes. Furthermore, criminals use technology routinely to manage and conduct their business, financial and personal affairs, just like the rest of us. Hence digital devices can contain a wealth of evidence concerning crimes committed and the criminals behind them.
Since most IT systems and devices store security-related information digitally, digital forensics techniques are also used to investigate other kinds of incidents: figuring out exactly what happened, in what sequence, and what went wrong, which in turn gives clues about what ought to be fixed in order to prevent them occurring again.
It’s not as simple as you might think for investigators to gain access to digital data, then analyze it for information relevant to an incident. For a start, there can be a lot of it, distributed among multiple devices scattered across various locations (some mobile and others abroad), owned and controlled by various people or organizations. Some of it is volatile and doesn’t exist for long (network traffic, for instance, or the contents of RAM). Some is unreliable and might even be fake, a smoke-screen deliberately concealing the juicy bits.
A far bigger issue arises, though, if there is any prospect of using digital data for a formal investigation that might culminate in a disciplinary hearing or court case. There are explicit requirements for all kinds of forensic evidence, including digital evidence, that must be satisfied simply to use it within an investigation or present it in court. Ensuring, and being able to prove, the integrity of forensic evidence implies numerous complications and controls within and around the associated processes. They are the focus of this awareness module.
This awareness module:
- Describes the structured process of gathering forensic evidence and investigating cybercrime and other incidents involving IT;
- Addresses information risks associated with the forensics process;
- Prompts management to prepare or review policies and procedures in this area, training workers or contracting with forensics specialists as appropriate;
- Encourages professionals with an interest in this area to seek and share information.
Consider your learning objectives in relation to forensics. Before you get carried away by the topic, fascinating though forensics may be, consider whether there is a genuine need for awareness in your organization:
- How often has your organization actually engaged in forensics? Have there been situations where it might usefully have done so if only it had been prepared?
- When was the last [potential] court case, and how did it work out?
- Is your organization relatively experienced and competent in this area, or inexperienced and naïve?
- Are there particular aspects of concern? Any specific changes you’d like to see and hence messages you’d like to put across?
Digital (cyber) forensics awareness
Digital or cyber forensics is more painstaking and far more tedious than TV programs such as CSI suggest, but no less important.
Digital forensics has become an inherent part of many court cases, with digital evidence supplementing more traditional forms - fingerprints and footprints. It is relevant whether computers were the targets or tools of crime, or were simply used routinely by criminals - just as we all do. Even criminals have social networks!