Cyber Forensics: Helping You Understand and Recover

Cyber forensics (aka digital forensics) is a branch of forensic science belonging to evidence found in computers, digital storage media, cloud services, and social media. Digital forensics in civil litigation is a growing requirement of courts to ensure evidence is properly preserved, processed, and presented in court. Digital forensic collections, data extraction, and forensic reports are all part of this growing field.


Adding the ability to practice sound computer forensics will:

  • Help you ensure the overall integrity and survivability of your network infrastructure by adding a layer of traceable responsibility and monitor compliance with policies and regulations.
  • Help you capture vital information if your network is compromised and will help you deal with the case internally if the intruder is caught.
  • Help you realize that allocating a greater portion of the information technology budgets for computer and network security will ultimately save your organization money.
  • Help preserve vital evidence or having forensic evidence ruled inadmissible in a court of law.
  • Help your organization comply with new laws that mandate regulatory compliance and assign liability if certain types of data are not adequately protected.

You can help your organization if you consider computer forensics as a new basic element in what is known as a “defense-in-depth”, which is designed on the principle that multiple layers of different types of protection from different vendors provide a substantially better protection approach to network and computer security.

Computer forensics is a relatively new discipline to the courts and many of the existing laws used to prosecute computer-related crimes, legal precedents, and practices related to computer forensics are in a state of flux. Nevertheless, digital forensics can be invaluable in dealing with a rogue or ill-intended employee or ex-employee.

In these cases, having the incriminating information intact and safe from further destruction or obliteration, may prove invaluable in not only dealing with said individual, but in applying recovery measures that could otherwise not be possible at all.


Technical goal: to identify, collect, preserve, and analyze data in a way that preserves the integrity of the evidence collected so it can be used effectively in a legal case or in internal procedures.

Understanding: those who investigate computers have to understand the kind of potential evidence they are looking for in order to structure their search. Crimes involving a computer can range across the spectrum of criminal activity, from child pornography to theft of personal data to destruction of intellectual property.

Use of tools: the investigator must pick the appropriate tools to use. Files may have been deleted, damaged, or encrypted, and the investigator must be familiar with an array of methods and software to prevent further damage in the recovery process.

Data types: persistent data is the data that is stored on a local hard drive (or another medium) and is preserved when the computer is turned off.

Volatile data: any data that is stored in memory or exists in transit, that will be lost when the computer loses power or is turned off. Volatile data resides in registries, cache, and random access memory (RAM). Since volatile data is ephemeral, it is essential that the investigator knows reliable ways to capture it.

Personnel: System administrators and security personnel must also have a basic understanding of how routine computer and network administrative tasks can affect both the forensic process (the potential admissibility of evidence at court) and the subsequent ability to recover data that may be critical to the identification and analysis of a security incident.

Depending on the needs, a whole range of different investigative actions can be taken to produce relevant forensics data. Below is just an exemplary list of actions and checks that reflects the most common scenarios, and can, of course, be expanded to accommodate other requirements:

  • Active, Archival, and Latent Data;
  • Hashes and Checksums;
  • Conducting Keyword Searches;
  • Creating Understandable and Accurate Reports;
  • Creating Forensically Sound Working Copies or Images of Media;
  • Common File Header Formats;
  • Documentation, Chain of Custody, and Evidence Handling Procedures;
  • Assisting with Motions (i.e., Compel Production of HDD’s, Logs, etc.);
  • Questions to Prepare for/Advising Your Retaining Counsel;
  • FAT 12/16/32 File Systems;
  • File Slack, Ram Slack, Drive Slack, and Unallocated Space;
  • NTFS File Systems;
  • Compact Disc Analysis;
  • Interpretation of Various Log Formats;
  • Interpreting Internet History and HTTP concepts;
  • Manual and Automated Data Recovery;
  • Metadata for Microsoft Office and PDF documents;
  • Overcoming Encryption Mechanisms And Password Protection;
  • PC Hardware Concepts;
  • Privacy Issues;
  • Rules of Evidence;
  • Windows Print Spool Files;
  • Windows Registry;
  • Windows Shortcuts;
  • Windows Swap File;
  • Working as an Expert Technical Witness;
  • Insurance/Liability Issues;
  • Viruses and Malware.