An introduction to Digital Forensics

Ransomware Recovery

The American Heritage Dictionary defines Forensics as “The use of science and technology to investigate and establish facts in criminal or civil courts of law.”

Digital Forensics is a comparatively new field, with one main purpose – to find “digital” fingerprints in a virtual world. Although the widespread use of computers dates back to the 1970s, widespread computer crime came later – the first major incidents were spotted in the 1990s – early cases of extortion, cyberbullying, fraud, data and identity theft, corporate mischief, spousal infidelity and illicit content distribution. Those types of electronic crimes required a different type of investigator – and that was the trigger that started the evolution of a separate branch of the forensic field – Digital Forensics. As such, it takes forensic principles and applies them to online crimes.

The field of Digital Forensics concentrates on preservation, identification, extraction, interpretation and documentation of computer-based evidence.

Unlike plain data recovery, Digital Forensics is usually required whenever there is a dispute between parties that will need a mediator to intervene. In the corporate world, a good example would be an employee leaving his company with a list of its clients or selling inside secrets to the competition. A skilled digital forensics expert will be able to determine whether any private data was leaked.

In the private sphere, we are often called to assist with various family matters – divorce cases, infidelity, friends or spouses spying on each other, locating suspicious browsing and network activity, and more.

And obviously, there is a big demand for digital forensics experts in law enforcement, looking for illicit communication, cyberbullying, individuals producing and publishing illegal content, and more. Digital forensic experts participate in search and seizure activities in the field and analyze the data acquired in their labs.

Some History

Up until 2009, the growth in those cases was slow but steady. In 2009, though, something happened – Bitcoin was released. In the early days of cryptocurrency, most of us didn’t realize the potential of this new currency – most of us, but not criminals.

Think about it for a second. In 2009, if somebody got leverage on you – either by finding some data you hold valuable and demanding a ransom, or by tricking you into believing that you need to send them money for some reason – how would you pay? Bank transfer? Western Union? Credit card? Leave it in the dumpster under the old tree in the park? All of that is traceable, and the criminal would often get caught.

Shortly after Bitcoin was released, cybercriminals had a great new way to get paid that was very hard to trace. That led to a sharp jump in the number of reported cybercrimes and, with time, to a new type of digital kidnapping called ransomware.

Unfortunately, ransomware is only one of many variants of cybercrime we are facing today. Our digital companions store and reproduce a vast, often staggering, amount of information about their owners. We call it “The traces we leave in a digital world.”

As an example, have you ever thought about:

  • How much of your personal information is being collected and stored by your mobile device?
  • Is there any data left on your devices after you format or factory reset them?
  • Are all your files and pictures gone after you delete them?
  • Can someone retrace your steps in the real and digital world by accessing your devices?

Our digital companions hold on to our personal information for much longer than we would guess, and an inexperienced user has no way to know whether deleted files and folders are truly gone for good. This is where a data recovery and digital forensics expert steps in.

Some examples of the types of deleted information a skilled expert can locate:

On Mobile Phones

  • Accurate geolocation data
  • Deleted messages, emails, contacts, call logs
  • Deleted emails and attachments
  • Chats from various apps
  • Deleted notes and downloaded documents
  • Deleted pictures, videos and voice recordings
  • Login credentials to financial apps and sites
  • Passwords (apps, Wi-Fi)
  • Social media accounts

On Desktop or Laptop devices

  • Deleted files or folders
  • Formatted partitions
  • Browsing history
  • System backups (shadow copies)
  • Logins and passwords
  • Emails
  • Social media

Using the right skills and equipment, there is almost no limit to what can be found. Our experts have extracted files from a device that spent a year under the sea, from devices shattered by bullets or explosions, damaged by fire, water, blood or other liquids, recovered from airplane crash scenes, and from devices that have been formatted, deleted, wiped, demagnetized, etc.

Another aspect of digital forensics is how one treats the evidence at hand. Nearly one hundred years ago, a pioneer in the forensic field, Dr Edmond Locard, formulated his famous principle stating “Every contact leaves a trace”. It holds in every field of forensics – if we want our findings to serve as legally admissible evidence, we must not contaminate them. The best example would be that a skilled investigator will never pick up a gun from a murder scene using his bare hands.

The same principle applies to digital forensics – in order to investigate digital evidence, a special set of skills, tools and experience is required. Otherwise, if the evidence is handled by an unskilled investigator, it will be thrown out by the legal mediator looking at it.
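Two of the points above, that deleted pictures are often still present on a device and that evidence must be examined without contaminating it, can be shown together. The example below is added here and is not code from the original article or its authors; it uses a constructed toy disk image (a deleted directory entry followed by data blocks that still hold a JPEG), records an acquisition hash before any work, carves the picture back out of the raw bytes, and re-verifies the hash so any change to the evidence is detected.

```python
import hashlib

# Constructed sample "disk image" (not a real filesystem): a directory area
# whose entry for photo.jpg is marked deleted, followed by data blocks that
# still contain the JPEG bytes. Deleting a file normally removes only the
# directory entry; the data blocks remain until something overwrites them.
JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker
JPEG_EOI = b"\xff\xd9"       # JPEG end-of-image marker
SAMPLE_IMAGE = (
    b"DIR: [deleted] photo.jpg\x00" + b"\x00" * 16
    + b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"<pixel data>" + JPEG_EOI
    + b"\x00" * 32
)


def acquisition_hash(image: bytes) -> str:
    """SHA-256 recorded at acquisition time and kept in the custody log."""
    return hashlib.sha256(image).hexdigest()


def verify_integrity(image: bytes, recorded_hash: str) -> bool:
    """True only if the evidence still matches the hash taken at acquisition."""
    return acquisition_hash(image) == recorded_hash


def carve_jpegs(image: bytes) -> list:
    """Recover JPEG files by scanning raw bytes for start/end markers.

    Carving ignores filesystem metadata entirely, which is why a deleted
    directory entry does not hide the picture. (Real carvers also cope with
    embedded thumbnails, which contain their own SOI/EOI pairs.)
    """
    found, pos = [], 0
    while (start := image.find(JPEG_SOI, pos)) != -1:
        end = image.find(JPEG_EOI, start)
        if end == -1:
            break
        found.append(image[start:end + len(JPEG_EOI)])
        pos = end + len(JPEG_EOI)
    return found


def examine(image: bytes, recorded_hash: str) -> tuple:
    """Analyse a working copy, then prove the original was left untouched."""
    working_copy = bytes(image)        # analysis never touches the original
    files = carve_jpegs(working_copy)
    return files, verify_integrity(image, recorded_hash)
```

Any edit to the image after acquisition, even a single byte, makes the integrity check fail, which is the digital equivalent of a fingerprint on the gun.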

Digital forensics is an evolving field, which will become more and more important as years go by. The need for skilled forensic investigators grows exponentially, and the cases we have to deal with are becoming more and more complex.