What is Data Forensics?

Data forensics, also known as computer forensics, is the study and investigation of digital data: how it is created, stored, and used. It is a broad term that covers identifying, preserving, recovering, analyzing, and presenting the attributes of digital information. With regard to data recovery, data forensics can be conducted on mobile devices, computers, servers, and any other storage device. It is also used to trace phone calls, texts, or emails as they travel through a network. Digital forensics professionals may use decryption, reverse engineering, advanced system searches, and other high-level analysis in the course of an investigation.

Two types of data are typically collected in data forensics. The first is persistent data: data that is permanently stored on a drive, which makes it easier to find. The second is volatile data: impermanent, elusive data (such as the contents of memory) that is lost when a device is powered off, which makes it more difficult to recover and analyze.

The History of Data Forensics

As personal computers became increasingly accessible throughout the 1980s and cybercrime emerged as an issue, data forensics was developed as a way to recover and investigate digital evidence to be used in court. Today, investigators use data forensics for crimes including fraud, espionage, cyberstalking, data theft, violent crimes, and more. Computer forensic evidence is held to the same standards as physical evidence in court. This means that data forensics must produce evidence that is authentic, admissible, and reliably obtained.

The Data Forensics Process

The data forensics process has four stages: acquisition, examination, analysis, and reporting. Various techniques are used within these stages. One is cross-drive analysis, which links information discovered across multiple hard drives. A second is live analysis, which examines a running computer's operating system with forensic tools to extract evidence in real time, including volatile data. Recovery of deleted files is a third technique common to data forensic investigations.
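The four stages and two of the techniques named above, worked through on a small constructed disk image. This is an added example, not code from the original article: the image contents, drive names, owner names, and e-mail addresses are all made up for the demonstration, and the tiny header/footer carver stands in for what a real forensic suite does at scale. Acquisition records a SHA-256 hash so later tampering with the working copy is detectable; examination carves deleted files by file-format signature rather than by (now absent) file-system metadata; analysis performs a cross-drive correlation of e-mail addresses; reporting collects the results.

```python
"""Added example: the four forensic stages on a constructed raw image.
Everything below (drives, owners, addresses) is made up for illustration."""
from __future__ import annotations

import hashlib
import re
from collections import defaultdict

# Real header/footer signatures of three common file formats, used for carving.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def build_sample_image(owner: bytes, shared_contact: bytes) -> bytes:
    """Constructed 'unallocated space': filler bytes with two deleted-file remnants.
    The filler is chosen so it contains none of the signatures above by accident."""
    filler = b"\x00" * 200 + bytes(range(256)) + b"\x00" * 200
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF photo of " + owner + b"\xff\xd9"
    pdf = (b"%PDF-1.4 contact " + owner + b"@example.test and "
           + shared_contact + b" %%EOF")
    return filler + jpeg + filler + pdf + filler


def acquire(raw: bytes) -> dict:
    """Stage 1, acquisition: bit-for-bit copy plus a hash taken at collection time."""
    return {"image": bytes(raw), "sha256": hashlib.sha256(raw).hexdigest()}


def verify(evidence: dict) -> bool:
    """Re-hash the working copy; a mismatch means the evidence was altered."""
    return hashlib.sha256(evidence["image"]).hexdigest() == evidence["sha256"]


def carve(image: bytes) -> list[dict]:
    """Stage 2, examination: recover deleted files by header/footer signature.
    Deleting a file removes its directory entry, not its bytes, so carving the
    raw image finds content that the file system no longer lists."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        start = image.find(header)
        while start != -1:
            end = image.find(footer, start + len(header))
            if end == -1:          # header without a footer: truncated remnant, skip it
                break
            end += len(footer)
            found.append({"type": kind, "offset": start, "data": image[start:end]})
            start = image.find(header, end)
    return sorted(found, key=lambda f: f["offset"])


def cross_drive_indicators(drives: dict[str, bytes]) -> dict[bytes, set[str]]:
    """Stage 3, analysis: cross-drive analysis links indicators (here e-mail
    addresses) that appear on more than one drive image."""
    seen: dict[bytes, set[str]] = defaultdict(set)
    for name, image in drives.items():
        for email in set(EMAIL_RE.findall(image)):
            seen[email].add(name)
    return {email: names for email, names in seen.items() if len(names) > 1}


def report(evidence: dict[str, dict]) -> dict:
    """Stage 4, reporting: integrity status, carved files, and shared indicators."""
    drives = {name: ev["image"] for name, ev in evidence.items()}
    return {
        "integrity_ok": all(verify(ev) for ev in evidence.values()),
        "carved": {name: [(f["type"], f["offset"]) for f in carve(img)]
                   for name, img in drives.items()},
        "shared_indicators": {email.decode(): sorted(names)
                              for email, names in cross_drive_indicators(drives).items()},
    }


if __name__ == "__main__":
    # Constructed case: two suspects' drives that both reference the same contact.
    evidence = {
        "drive-A": acquire(build_sample_image(b"alice", b"broker@example.test")),
        "drive-B": acquire(build_sample_image(b"bob", b"broker@example.test")),
    }
    print(report(evidence))
```

The hash taken in `acquire` is the piece a court cares about: every later step works on the copy, and `verify` can be re-run at any point (or by the opposing side) to show the copy still matches what was collected.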

Data Forensics Tools and Software

Many data forensics software packages are available, each providing its own tools for recovering or extracting deleted data, and both open source and commercial tools are used in investigations. Security software such as endpoint detection and response (EDR) and data loss prevention (DLP) products typically provide monitoring and logging capabilities that support data forensics as part of a broader data security solution.

Challenges Facing Data Forensics

Data forensics faces technical, legal, and administrative challenges. Technical factors include encryption, the sheer amount of device storage that must be examined, and anti-forensics methods. Anti-forensics refers to efforts to circumvent data forensics tools, whether by process or by software.

Legal challenges can also arise and can confuse or mislead an investigation. One example is the attribution problem created by a malicious program such as a trojan. Trojans are malware that disguise themselves as a harmless file or application. Because trojans and other malware can carry out malicious activity without the user's knowledge, it can be difficult to establish whether a cybercrime was committed deliberately by the user or was executed by malware on the user's machine.

From an administrative standpoint, the main challenge involves accepted standards and governance of data forensic practice. Although a wide variety of standards for data forensics exist, none is universally adopted, so there is a lack of standardization. As for governance, there is currently no regulatory body that oversees data forensic professionals to ensure they are competent and qualified.