The primary reason for this is that after a major cyber threat has been launched and has made its impact, it is the “cleanup” work after this which becomes most important. For example, key questions which need to be asked and answered include some of the following:
Where did the cybersecurity threat originate from? Who was involved? How did it happen? How large was the impact, in both quantitative and qualitative terms? Who was most affected? Most importantly, how can this type of threat, and ones similar to it, be prevented?
Most, if not all, of the answers to these questions are investigated in the field known as “Digital Forensics”. It can be defined as follows: “Digital forensics is the process of uncovering and interpreting electronic data. The goal of the process is to preserve any evidence in its most original form while performing a structured investigation by collecting, identifying and validating the digital information for the purpose of reconstructing past events.” Obviously, to be a specialist in this field one needs a university degree and the requisite number of years of experience. These professionals have access to the most modern forensics tools available in order to trace how a major cyber threat occurred, what its impact was, and how it can be mitigated in the future. They also have the tools to predict what similar attack vectors could look like. But what about the everyday security practitioner? Clearly, they do not have this level of sophistication in their toolkit, so how can they gain access to the critical developments and happenings in the field of digital forensics? There are many online resources available, ranging from books to university courses to online newsletters. Because of this plethora of forensics resources, it can often be very difficult to filter out the sources which offer the most timely information. That is the primary objective of this article: instead of taking a random sampling of what is available, we focus on one main resource, the forensics blog. Why this resource? For the most part, it is one of the most up-to-date resources available. Not only that, but depending on the history of the particular resource, you will very often find the top digital forensics professionals contributing to it. Best of all, blogs are free to access and use.
The Top Digital Forensics Blogs
SANS Digital Forensics and Incident Response Blog
One of the most renowned IT content sources is the SANS Digital Forensics and Incident Response Blog. It is part of the SANS Institute, one of the leading sources of IT security training, certifications and research. Because of this, SANS is able to offer one of the most popular blogs on digital forensics. The site is packed with content, covering topics such as the following:
Artifact Analysis; Cloud Forensics; Browser Forensics; Drive Encryption; E-Discovery; E-Mail Investigations; Evidence Analysis; Memory Analysis (as it relates to smartphones); Windows Memory Forensics; Digital Forensic Law; Evidence Acquisition; Network Forensics; Registry Analysis; Malware Analysis.
Some of the recent posts cover the following topics:
“Understanding EXT4 – Part 6”
As the title implies, this post is part of a series on the EXT4 file system, a popular file system used in the Linux operating system. In this article, the author goes into deeper detail on how directory structures are actually constructed in EXT4. For a computer forensic investigator or examiner, this is obviously a very important concept to master. Since the IT world is moving closer to open-source systems, many investigations start out by examining the directory structures and how they were created, modified, misused, etc. The author provides distinct examples of how an EXT4 directory structure and its respective files are created, how they can be deleted, and the advantages and disadvantages of creating large-scale EXT4 directory structures.
“The WannaCry Ransomware Threat: What We Know So Far”
In terms of cyberthreats, ransomware is fast becoming one of the biggest security risks, not only for businesses and corporations but for individuals as well. Essentially, with this kind of threat, targeted files are locked by a cyber attacker and can only be unlocked if a ransom is paid in a virtual currency. This article delves into one specific type of ransomware, known as “WannaCry”. In it, the author explains how “WannaCry” differs from other ransomware attacks:
It appears to be a worm, which can propagate itself. Because of this, it can multiply very quickly and affect many kinds of wireless and mobile devices all at once. To a forensics investigator or researcher, this is a crucial piece of information to know, in case they are called in to investigate its impact in specific incidents. Apparently, it uses a flaw for which a software patch was recently released, with the exploit itself having been stolen from the NSA.
The article is then linked to a webcast (held in May 2017) conducted by SANS instructor Jake Williams.
Forensics Focus
Another leading digital forensics blog site is Forensics Focus. This blog contains timely information about the developments occurring in the field. It is a much more focused blog, and it offers an array of resources for the forensics investigator or, for that matter, any professional in the IT security world. For example, the site offers links to various discussion groups that specialize in a certain area of digital forensics. Some of these include the following:
Mobile Phone Forensics; Forensic Software; Forensic Hardware; The Legal Issues Surrounding Forensics (this is of course another area of importance to the forensics examiner/investigator, as evidence has to be handled in a strict fashion in order for it to be admissible in a court of law).
There is also a Webinar section, in which the end user can download any audio content relevant to a forensics project they are working on. Examples include the following:
How to make your forensics investigations more streamlined, effective and time-efficient; How to use various social media tools (such as Facebook, Twitter, LinkedIn, etc.) to further propagate any kind of forensics investigation; The latest techniques for acquiring removable drives from mobile devices; How to break PINs and passwords on Android devices that are already locked; How to do a deep dive when searching for deleted files.
Probably one of the nicest things about this section is that full transcripts are provided for each and every webinar, so if you don’t have time to listen to one, you can run keyword searches for the specific item(s) you are looking for. This blog site is also very rich in written content. For instance, there is a section in which leading digital forensics specialists are interviewed. In these interviews, the professionals offer their own unique insight into how they conduct their investigations, any roadblocks they faced, how they overcame them, and various other tips and strategies. Examples of these interviews include the following:
Interview with Amber Schroader, the CEO/Founder of Paraben, a digital forensics firm; Interview with Jad Saliba, the Founder/CTO of Magnet Forensics; Interview with Ashley Hernandez, Director of Product Management, a computer forensics firm; Interview with Cesar Leon, Head of the Support Team, Oxygen Forensics.
However, it should be noted that the main thrust of this blog site is the news articles it publishes. It is this kind of content which discusses and reviews, in some detail, the latest techniques in digital forensics. Examples of such content include the following:
How to physically image a Samsung Galaxy S7 smartphone running the Android 7.0 operating system; The Big Data challenges a forensics investigator/examiner might experience in the course of a particular investigation; How to extract information and data from locked Motorola smartphones.
Ride The Lightning
The two digital forensics blog sites reviewed above are collaborative efforts by the various organizations and business entities that founded them. Although these blog sites offer some of the most timely information and data that any IT security professional would need, there is yet another angle that is very crucial in the field of digital forensics: the legal perspective of handling evidence and making sure that it is admissible in a court of law. After all, if forensic evidence is not handled and documented properly, it is quite possible that a court could dismiss all of it, wasting the many hours of effort and research it took to collect that evidence in the first place. As a result, the blog site called “Ride The Lightning” was created specifically to address these issues, so that the forensics investigation community is made aware of the latest developments in these legal matters. This blog was founded by Shannon D. Nelson, Esq., an attorney who specializes in this area. In fact, she also founded Sensei Enterprises, Inc., a cybersecurity firm based in Washington, DC, which specializes exclusively in both IT security and digital forensics. Some of the latest blog postings include the following:
Digital Forensic E-Filing is now being accepted by the United States Supreme Court:
As the blog states, this became effective as of August 3rd, 2017. With this new method, any documents which relate to a digital forensics investigation can be filed via a secure filing channel. Although the traditional paper documents will still have to be submitted as well, the idea behind this e-filing approach is to help speed up the process of presenting and litigating digital forensics investigations in a court of law.
Understanding the legal ramifications of submitting electronic communications:
This article comes on the heels of the one above. It discusses the legal aspects of what can and cannot be communicated during the progression of a digital forensics investigation via any electronic communications channel, especially e-mail. It stresses the sheer importance of safeguarding all electronic communications, especially by using encryption and cryptography.
The use of the Cloud to store forensic investigation information and data:
As we all know, the Cloud is fast becoming one of the most popular ways to store data and information effectively. But once again, although many Internet Service Providers (ISPs) stake their reputation on the sheer level of security mechanisms they offer to safeguard all of this, there are very special considerations which need to be taken into account when storing the information and data from a digital forensics investigation. Just imagine this scenario: suppose you are a forensics investigator/examiner, and you have taken great pains to ensure the integrity of all the information you have stored in the Cloud. But, to everyone’s surprise, the ISP you trusted is suddenly hit by a major cyberthreat, and now the hacker(s) have access to all of this forensic information and data. Now what do you do? Will all of this forensic information still be admissible in a court of law? This issue is addressed in further detail in the article.
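The definition quoted earlier (preserve evidence in its most original form, then validate it) and the cloud scenario just described share one practical control: record a cryptographic hash of every evidence file before it leaves the examiner's hands, keep that record separately from the evidence, and re-verify whenever the evidence is retrieved. The following is an added example written for this article, not code from any of the blogs reviewed; the file names, contents, examiner name and manifest layout are all constructed for the demonstration.

```python
"""
Evidence-integrity manifest (added example, not from the reviewed blogs).
Hash every file in an evidence directory, store the digests in a manifest,
and later re-hash to detect any alteration, accidental or malicious.
All file names, contents and the examiner name are constructed for the demo.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash 1 MiB at a time so large disk images need not fit in RAM


def sha256_file(path):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(evidence_dir, examiner):
    """Hash every regular file under evidence_dir and return a manifest dict.

    Paths are stored relative to evidence_dir so the evidence set can be moved
    (e.g. uploaded to cloud storage) without invalidating the record.  The
    manifest itself is what the examiner should keep offline or sign.
    """
    entries = []
    for root, _dirs, files in os.walk(evidence_dir):
        for name in sorted(files):
            full = os.path.join(root, name)
            entries.append({
                "path": os.path.relpath(full, evidence_dir),
                "size": os.path.getsize(full),
                "sha256": sha256_file(full),
            })
    return {
        "created_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "files": entries,
    }


def verify_manifest(evidence_dir, manifest):
    """Re-hash the files and return a list of discrepancies (empty == intact).

    Each discrepancy is (relative_path, reason) so the result can go straight
    into the case notes that document the chain of custody.
    """
    problems = []
    for entry in manifest["files"]:
        full = os.path.join(evidence_dir, entry["path"])
        if not os.path.isfile(full):
            problems.append((entry["path"], "missing"))
            continue
        if sha256_file(full) != entry["sha256"]:
            problems.append((entry["path"], "hash mismatch"))
    return problems


def demo():
    """Create two constructed evidence files, record them, then tamper with one.

    Returns (manifest, problems_before_tampering, problems_after_tampering).
    """
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "disk.img"), "wb") as f:
            f.write(b"\x00" * 4096 + b"CONSTRUCTED SAMPLE IMAGE DATA")
        with open(os.path.join(d, "mailbox.pst"), "wb") as f:
            f.write(b"constructed mailbox contents")

        manifest = build_manifest(d, examiner="J. Doe (constructed)")
        clean = verify_manifest(d, manifest)

        # Simulate a compromised storage provider silently changing one byte.
        with open(os.path.join(d, "disk.img"), "r+b") as f:
            f.seek(0)
            f.write(b"\x01")
        tampered = verify_manifest(d, manifest)
        return manifest, clean, tampered


if __name__ == "__main__":
    manifest, clean, tampered = demo()
    print(json.dumps(manifest, indent=2))
    print("before tampering:", clean)      # []
    print("after tampering:", tampered)    # [('disk.img', 'hash mismatch')]
```

The point of keeping the manifest apart from the evidence is that a provider able to alter the files could just as easily alter a manifest stored beside them; a signed or offline copy, together with the dated verification results, is the documentation a court will expect to see.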
Conclusions
In summary, the field of digital forensics is a booming one within IT security. One of the primary reasons for this is that once a cyber-attack has been launched and made its impact, it is the forensics investigators and examiners who are called upon to collect and examine the available evidence. From there, detailed analyses can be conducted to determine when and where the cyber-attack was initiated, and perhaps even who was responsible for it. The advancements occurring in digital forensics are rapid. Thus, it is very important for the IT security professional to glean as much information as they can from the available resources in order to apply these developments in their own roles. This article has reviewed one avenue where such information on digital forensics can be found, namely the various blog sites available online. There is no doubt that there is a plethora of them, so we have focused on what we believe to be the top three. It is important to note that, apart from the blog content itself, these three resources also offer other sources of rich information, such as webinars, professional interviews, links to discussion groups, etc. Probably the best takeaway from these three blogs is that they are not written by just one forensics professional; rather, they are written by many. This offers the IT security professional many points of view to consider in understanding the overall world of digital forensics.
Resources
https://www.techopedia.com/definition/27805/digital-forensics
http://www.forensicsciencetechnician.net/top-40-forensic-forums/
https://www.forensicfocus.com/News/page=1/
https://digital-forensics.sans.org/blog
http://www.digitalforensicsassociation.org/discussion-groups/