IT systems, devices and networks can be the targets of crimes such as hacking, ransomware and computer fraud. They are also tools that criminals use to research, plan and coordinate their crimes. Furthermore, criminals use technology routinely to manage and conduct their business, financial and personal affairs, just like the rest of us.
Hence digital devices can contain a wealth of evidence concerning crimes committed and the criminals behind them.
Since most IT systems and devices store security-related information digitally, digital forensics techniques are also used to investigate other kinds of incidents: establishing exactly what happened, in what sequence, and what went wrong, which gives clues about what ought to be fixed in order to prevent them occurring again.
It’s not as simple as you might think for investigators to gain access to digital data, then analyze it for information relevant to an incident. For a start, there can be a lot of it, distributed among various devices scattered across various locations (some mobile and others abroad), owned and controlled by various people or organizations. Some of it is volatile and doesn’t exist for long (network traffic, for instance, or the contents of RAM). Some is unreliable and might even be fake, a smoke-screen deliberately concealing the juicy bits.
A far bigger issue arises, though, if there is any prospect of using digital data for a formal investigation that might culminate in a disciplinary hearing or court case. There are explicit requirements for all kinds of forensic evidence, including digital evidence, that must be satisfied simply to use it within an investigation or present it in court. Ensuring, and being able to prove, the integrity of forensic evidence implies numerous complications and controls within and around the associated processes. They are the focus of October’s NoticeBored security awareness materials which:
- Describe the structured, systematic process of gathering digital forensic evidence and investigating cyber-crime and other incidents involving IT;
- Address information risks associated with the digital forensics process;
- Prompt management to prepare or review policies and procedures in this area, training workers or contracting with forensics specialists as appropriate;
- Encourage professionals with an interest in this area to seek and share information;
- Discourage workers in general from interfering with and perhaps destroying forensic evidence.