With our lives increasingly dependent on computer networks and the internet – both potential targets of terrorist and criminal attacks – cyber security is one of society’s greatest challenges. Now, more than ever, IT professionals are tasked with determining specific cyber security needs and effectively allocating resources to address threats.
It is vital that, in any organisation, when a security incident occurs, those charged with responding and investigating can follow a structured, effective and informed process. There are many proposed methodologies for digital forensics, but generally they can all be condensed into the same five steps:
- Ascertain key points: when it happened, who it affected and the business impact
A modern network generates an enormous quantity of data, so before investigating, it is important to narrow down where to look. Question those who reported the event to find out: when the issue was first spotted; how long it went on for (or whether it’s still happening); who was involved; and what impact it’s had, or is likely to have, on the business. While you can identify from the users which machines have been affected, this may not be the only area that needs investigation. Remember, in any digital forensic investigation, once you interact with the environment it changes, and the evidence is altered, so it is important to understand what actions people have taken (or tried to take) and work from that point.
- Plan your approach following company policy and procedure
In a digital environment events happen very quickly. Identify and prioritise the areas where you can get valuable evidence, working from the most volatile to the most stable. Ensure legal guidelines are followed, otherwise evidence may be inadmissible in a court of law. Ensure you have the right people to conduct the investigation; you will need experts for your hardware and software configurations to ensure that evidence is not inadvertently compromised. External agents could provide an unbiased alternative, but balancing the proportional effort, cost and risk to the business is essential.
- Gather evidence
Digital evidence can be delicate and highly sensitive. As soon as evidence is touched it is changed, so document, date and sign everything to ensure you keep a clear audit path. Any work carried out on data should be on copies only, ensuring that the master copy is kept intact and remains the ultimate reference point. Use cryptographically verifiable data: when data is captured and recorded it should always be given a cryptographic ‘hash’, a fixed-length digest that acts as its unique reference. Any copy taken must produce the same hash as the master.
- Create a timeline and analyse data
Data from multiple sources may carry time stamps in different formats or time zones. By normalising and compiling the data you can build a complete timeline of events. Matching the evidence over the time period also helps to identify corroborating evidence. It is important to work systematically, hypothesising and running tests to prove or disprove any theories. Remember to include details such as file names and creation dates, which can provide critical evidence. Additional corroborating evidence may be required.
- Document and report findings
At the end of the investigation your report needs to contain only defensible data and explain your findings in such a way that they make sense to those without an IT background. As well as the summary report it is also important that all relevant data is compiled in an additional appendix. For serious cases, investigative experts will need to review the data to corroborate the facts that you have presented.
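The two mechanical parts of steps three and four, hash-verifying a working copy against the master and merging differently-stamped sources into one UTC timeline, as an added example that is not from the original article. The evidence bytes, handler name and log events are constructed sample data.

```python
"""Added example (not from the original article): verify evidence copies by
hash, record a dated custody entry, and build a UTC-ordered timeline from
sources that use different clock conventions. All inputs are constructed."""
import hashlib
from datetime import datetime, timezone, timedelta

# Constructed sample: a captured "master" image, a faithful working copy,
# and a copy that was altered after capture.
MASTER = b"constructed disk image bytes\x00\x01\x02"
WORKING_COPY = bytes(MASTER)
TAMPERED_COPY = MASTER + b"\x00"


def evidence_hash(data: bytes) -> str:
    """SHA-256 digest used as the evidence item's reference."""
    return hashlib.sha256(data).hexdigest()


def verify_copy(master: bytes, copy: bytes) -> bool:
    """A working copy is only usable if its hash matches the master's."""
    return evidence_hash(master) == evidence_hash(copy)


def custody_entry(label: str, data: bytes, handler: str, when: datetime) -> dict:
    """One dated, attributable audit-path record for an evidence item."""
    return {"item": label, "sha256": evidence_hash(data), "handler": handler,
            "recorded_utc": when.astimezone(timezone.utc).isoformat()}


# Constructed sample events: (source, local timestamp, UTC offset in hours, text).
# Each source logs in its own local time, so local order is misleading.
RAW_EVENTS = [
    ("firewall", "2024-03-01 09:02:10", 0, "outbound connection blocked"),
    ("workstation", "2024-03-01 10:01:55", 1, "suspicious executable created"),
    ("mail-gateway", "2024-03-01 03:58:30", -5, "phishing message delivered"),
]


def build_timeline(events=RAW_EVENTS) -> list:
    """Normalise every source to UTC, then order the events chronologically."""
    timeline = []
    for source, stamp, offset_h, desc in events:
        local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(
            tzinfo=timezone(timedelta(hours=offset_h)))
        timeline.append((local.astimezone(timezone.utc), source, desc))
    return sorted(timeline)
```

Sorted by local time the firewall event appears before the workstation one; after normalisation the order reverses, which is exactly the kind of discrepancy step four is meant to catch.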
By following these five steps your digital forensic investigation and subsequent report are more likely to meet the stringent requirements of courts and industrial tribunals and to provide valuable information to the business and those affected.
In the UK, the number of digital technology jobs has grown at twice the rate of other roles. The University of York’s MSc Computer Science with Cyber Security online Masters programme is designed for working professionals and graduates who want to launch their career in this in-demand and lucrative field but may not currently have a computer science background. Graduates of this programme go on to a range of positions in software and web development, IT systems, support and programming.
Focusing on network and operating system security, risk analysis and secure software development, it will grow your expertise through specialist modules and projects, and develop your core computer science skills. The 100% online programme allows you to study around work and home commitments, at different times and locations, and has six start dates a year. There is a pay-per-module option available, and you may be eligible for a government-backed postgraduate loan which covers the course cost.