Digital forensics is a term that is much more complex and nuanced than you may think at first glance. The easiest way to break it down is to determine the purpose of the forensic work, then look at the categories that make up those purposes, and finally the analysis tools that may be used for each category.

Breakdown of Digital Forensics

While this may not be textbook, this is how I break down the field.

  • Examining a device or media as an instrument of a crime or wrongful act. This includes tracking the movements of individuals, the evidence and contents of a person's online footprint such as logins and site visits, and the images, documents, files and other materials downloaded to devices and removable media. Such work can be performed in internal investigations or by law enforcement in almost any category, including violent acts, sexual offenses, or property crimes.
  • Examining a network or device for evidence of a wrongful intrusion or denial of service. While this can overlap with the above, it is generally equated with finding and identifying malware, damage assessments based on digital markers, and evidence of the duration and scope of the intrusion. While intrusion cases are also most likely crimes, often the first step in this type of forensics is to prevent or mitigate further damage. Law enforcement agencies such as the FBI are heavily involved in these types of forensic investigations, but if nation state involvement is suspected, then DHS and DoD will often play a vital role in the intrusion investigation as well. If a private sector network is breached, the organization may also contract with a company that specializes in digital forensics to conduct its own internal investigation.
  • Specialized digital forensics can include areas such as mobile devices, IoT systems, and cloud networks. These fields are often dependent on very specific diagnostic and analysis tools which take a level of expertise to use competently.

Getting a career in Forensics

If you are interested in starting a career in forensics, I would suggest you look at and become familiar with several open source tools that can help you with all of the categories above:

1. Wireshark

Wireshark is free to download and captures network traffic at all layers and protocols. You can find things such as sites visited by people on your network, unencrypted messages, and files that may have been transferred. While I do not recommend you hang out at Starbucks and try it out, it is fun to see what is moving back and forth on your home network, especially if you have more than one user. There are numerous tutorials on YouTube about Wireshark and the basics are easy to learn.
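To show what "sites visited" actually look like inside a capture, here is an added example (not part of the original article, and not Wireshark code) that parses the raw DNS payload Wireshark would show under the UDP port 53 traffic. The two sample messages are constructed inline, with 192.0.2.1 from the documentation address range standing in for a real answer. DNS lookups are worth knowing about because they reveal the hostnames a machine asked for even when the web traffic itself is encrypted.

```python
import struct

# Constructed sample: the UDP payload of a DNS query for example.com, as Wireshark
# would display it under "Domain Name System". Header: transaction ID 0x1234,
# flags 0x0100 (standard query, recursion desired), 1 question, 0 answers.
SAMPLE_QUERY = (
    b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    + b"\x07example\x03com\x00"  # QNAME as length-prefixed labels, NUL-terminated
    + b"\x00\x01\x00\x01"        # QTYPE A, QCLASS IN
)

# Constructed sample: the matching response. The answer's name field is the
# compression pointer 0xC00C ("same name as at offset 12"), which is why a
# naive label reader that ignores pointers breaks on real captures.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"  # response, RD, RA; 1 Q, 1 A
    + b"\x07example\x03com\x00\x00\x01\x00\x01"
    + b"\xc0\x0c"                  # NAME: pointer to offset 12
    + b"\x00\x01\x00\x01"          # TYPE A, CLASS IN
    + b"\x00\x00\x01\x2c"          # TTL 300
    + b"\x00\x04\xc0\x00\x02\x01"  # RDLENGTH 4, RDATA 192.0.2.1 (documentation range)
)


def parse_name(data, offset):
    """Decode a DNS name at offset; returns (name, offset after the name field).
    Follows RFC 1035 compression pointers without extending past the pointer."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer into an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length


def parse_dns(payload):
    """Return the questions and answers found in one DNS message."""
    txid, flags, qdcount, ancount = struct.unpack("!HHHH", payload[:8])
    offset = 12  # fixed 12-byte header
    questions, answers = [], []
    for _ in range(qdcount):
        name, offset = parse_name(payload, offset)
        qtype, qclass = struct.unpack("!HH", payload[offset:offset + 4])
        offset += 4
        questions.append({"name": name, "qtype": qtype, "qclass": qclass})
    for _ in range(ancount):
        name, offset = parse_name(payload, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", payload[offset:offset + 10])
        offset += 10
        rdata = payload[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:  # A record: render as dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append({"name": name, "rtype": rtype, "ttl": ttl, "rdata": rdata})
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def queried_names(messages):
    """Collect the distinct names asked for across a list of DNS payloads: the
    'sites visited' view a capture gives you, even when the web traffic is TLS."""
    names = []
    for msg in messages:
        for q in parse_dns(msg)["questions"]:
            if q["name"] not in names:
                names.append(q["name"])
    return names


if __name__ == "__main__":
    print(parse_dns(SAMPLE_RESPONSE))
    print(queried_names([SAMPLE_QUERY, SAMPLE_RESPONSE]))
```

Running it prints the decoded response (name, TTL and the 192.0.2.1 answer) and the list of hostnames that were looked up. On a real capture you would feed it the UDP payloads Wireshark exports for port 53.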

2. Exif Viewers

Exif viewers are abundant as both desktop applications and browser sites. You simply load a photo into the viewer and it shows the metadata that hasn't been stripped, such as the type of camera used, the date and time the photo was taken, and even geo coordinates. Just search for Exif viewers in your browser and you will be directed to several good choices.
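An Exif viewer is really just a parser for the TIFF-style tag directories embedded in the photo. The following added example (my code, not from the article or any Exif viewer product) builds a small constructed Exif block with a camera make, a timestamp and a GPS sub-directory, then reads it back the way a viewer does, including converting the degrees/minutes/seconds rationals into decimal coordinates. The camera name, date and coordinates are made up test values.

```python
import struct

# Tag numbers from the Exif/TIFF specification.
TAG_MAKE, TAG_DATETIME, TAG_GPS_IFD = 0x010F, 0x0132, 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
ASCII, SHORT, LONG, RATIONAL = 2, 3, 4, 5
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}


def build_exif_sample():
    """Constructed test data: a minimal little-endian TIFF block (what follows the
    Exif marker in a JPEG APP1 segment) with Make, DateTime and a GPS IFD placing
    the photo at 37 deg 46 min 30 sec N, 122 deg 25 min 30 sec W."""
    def rational(num, den):
        return struct.pack("<II", num, den)

    def entry(tag, typ, count, value):
        return struct.pack("<HHII", tag, typ, count, value)

    make, date = b"Acme Cam\x00", b"2024:01:15 10:30:00\x00"
    lat = rational(37, 1) + rational(46, 1) + rational(30, 1)
    lon = rational(122, 1) + rational(25, 1) + rational(30, 1)
    # Layout: header(8) | IFD0 (2 + 3*12 + 4 = 42) | make | date | GPS IFD (54) | lat | lon
    off_make = 8 + 42
    off_date = off_make + len(make)
    off_gps = off_date + len(date)
    off_gps += off_gps % 2  # TIFF requires even (word-aligned) offsets
    off_lat = off_gps + 54
    off_lon = off_lat + len(lat)
    ifd0 = (struct.pack("<H", 3)
            + entry(TAG_MAKE, ASCII, len(make), off_make)
            + entry(TAG_DATETIME, ASCII, len(date), off_date)
            + entry(TAG_GPS_IFD, LONG, 1, off_gps)
            + struct.pack("<I", 0))  # no next IFD
    gps = (struct.pack("<H", 4)
           + entry(GPS_LAT_REF, ASCII, 2, ord("N"))  # 2-byte values live inline
           + entry(GPS_LAT, RATIONAL, 3, off_lat)
           + entry(GPS_LON_REF, ASCII, 2, ord("W"))
           + entry(GPS_LON, RATIONAL, 3, off_lon)
           + struct.pack("<I", 0))
    body = b"II" + struct.pack("<HI", 42, 8) + ifd0 + make + date
    body += b"\x00" * (off_gps - len(body)) + gps + lat + lon
    return body


def read_ifd(data, offset, endian):
    """Parse one IFD into {tag: value}. Values of 4 bytes or fewer are stored in the
    entry itself; larger values (strings, rationals) sit at the offset it gives."""
    (count,) = struct.unpack(endian + "H", data[offset:offset + 2])
    tags = {}
    for i in range(count):
        pos = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", data[pos:pos + 8])
        size = TYPE_SIZE.get(typ, 1) * n
        if size <= 4:
            raw = data[pos + 8:pos + 8 + size]
        else:
            (ptr,) = struct.unpack(endian + "I", data[pos + 8:pos + 12])
            raw = data[ptr:ptr + size]
        if typ == ASCII:
            tags[tag] = raw.rstrip(b"\x00").decode("ascii", "replace")
        elif typ == RATIONAL:
            vals = struct.unpack(endian + "II" * n, raw)
            tags[tag] = [vals[j] / vals[j + 1] if vals[j + 1] else 0.0
                         for j in range(0, 2 * n, 2)]
        elif typ in (SHORT, LONG):
            vals = struct.unpack(endian + ("H" if typ == SHORT else "I") * n, raw)
            tags[tag] = vals[0] if n == 1 else list(vals)
        else:
            tags[tag] = raw  # unhandled type: keep the raw bytes
    return tags


def dms_to_decimal(dms, ref):
    """Degrees/minutes/seconds list plus N/S/E/W reference -> signed decimal degrees."""
    degrees = dms[0] + dms[1] / 60 + dms[2] / 3600
    return -degrees if ref in ("S", "W") else degrees


def parse_exif(data):
    """Return camera make, capture time and (lat, lon) from a TIFF-formatted Exif block."""
    endian = "<" if data[:2] == b"II" else ">"
    (ifd0_offset,) = struct.unpack(endian + "I", data[4:8])
    ifd0 = read_ifd(data, ifd0_offset, endian)
    info = {"make": ifd0.get(TAG_MAKE), "datetime": ifd0.get(TAG_DATETIME), "gps": None}
    if TAG_GPS_IFD in ifd0:
        gps = read_ifd(data, ifd0[TAG_GPS_IFD], endian)
        if GPS_LAT in gps and GPS_LON in gps:
            info["gps"] = (dms_to_decimal(gps[GPS_LAT], gps.get(GPS_LAT_REF, "N")),
                           dms_to_decimal(gps[GPS_LON], gps.get(GPS_LON_REF, "E")))
    return info


if __name__ == "__main__":
    print(parse_exif(build_exif_sample()))
```

The point to notice is that the GPS fix is stored as three rationals plus a one-letter hemisphere reference, so a photo that "looks" anonymous can still carry a precise location until a stripping tool removes that whole sub-directory.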

3. Aperi Solve

Aperi Solve is a browser-based tool which can solve steganography puzzles. Steganography is the art or discipline of hiding a file inside another file, often using images or PDFs to do so. It is quite entertaining once you get the hang of it and there are plenty of problems you can find online for practice.
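The most common puzzle type is least-significant-bit (LSB) hiding: each pixel value is nudged by at most one so its lowest bit carries one bit of the hidden file. This added example (my own, not code from Aperi Solve or the article) hides and recovers a short constructed payload in a made-up grayscale pixel list, and checks how little the cover changes, which is exactly why the naked eye cannot see it and a tool has to look at the bit planes.

```python
import random


def hide_bytes(pixels, payload):
    """Embed payload in the least-significant bits of 8-bit pixel values, one bit per
    pixel, after a 32-bit big-endian length header. Each pixel changes by at most 1."""
    header = len(payload).to_bytes(4, "big")
    bits = [(byte >> (7 - i)) & 1 for byte in header + payload for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("cover image too small for payload")
    stego = list(pixels)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit
    return stego


def _read_lsb_bytes(pixels, start, n):
    """Reassemble n bytes from the LSBs of pixels[start:], most significant bit first."""
    out = bytearray()
    for b in range(n):
        value = 0
        for i in range(8):
            value = (value << 1) | (pixels[start + b * 8 + i] & 1)
        out.append(value)
    return bytes(out)


def extract_bytes(pixels):
    """Recover a payload hidden by hide_bytes; None if the header is implausible
    (the usual result on a clean image, where the LSBs are just sensor noise)."""
    length = int.from_bytes(_read_lsb_bytes(pixels, 0, 4), "big")
    if length == 0 or length > (len(pixels) - 32) // 8:
        return None
    return _read_lsb_bytes(pixels, 32, length)


def max_pixel_change(cover, stego):
    """How visible the embedding is: the largest per-pixel difference."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed sample: a 64x64 "image" of pseudo-random grayscale values as the cover,
# and a made-up CTF-style flag as the hidden file.
_rng = random.Random(1)
COVER = [_rng.randrange(256) for _ in range(64 * 64)]
SECRET = b"flag{lsb_stego}"
STEGO = hide_bytes(COVER, SECRET)


if __name__ == "__main__":
    print(extract_bytes(STEGO), "max pixel change:", max_pixel_change(COVER, STEGO))
```

On a real puzzle image you would read the pixel values with an image library, try the channels one at a time, and look for a plausible header or readable text in the extracted bytes; the bit-plane views that Aperi Solve renders are the visual version of the same check.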

4. Autopsy and FTK Imager

Finally, Autopsy and FTK Imager are desktop applications that can do deep dives and dissect hard drives and removable media to find evidence trails and alterations of data on the PC you are examining. Again, there are multiple tutorials, both video and written, to help you use them.

The above are all free and, again, relatively easy for beginners who are interested in the field to learn the basics of. If you take a real liking to them, digital forensics may be the right choice for a new career.


Joe Jabara, JD, is the Director of the Hub for Cyber Education and Awareness, Wichita State University. He also serves as adjunct faculty at two other universities, teaching Intelligence and Cyber Law. Prior to his current job, he served 30 years in the Air Force, Air Force Reserve, and Kansas Air National Guard. His last ten years were spent in command/leadership positions, the bulk of which were at the 184th Intelligence Wing as Vice Commander.