Digital Forensics
Introduction
- Collects and analyzes digital evidence 디지털 증거를 수집하고 분석
- Ensures evidence integrity 무결성 보장하고 법정에서의 허용 가능성을 유지하는 방식
- Maintains court admissibility
Digital forensics versus computer forensics
- Careful handling of evidence
- Follows strict chain of custody
- Ensures data integrity and trust
- Digital forensics : Covers all devices
- Computer forensics : Focuses on computers
Digital forensics process
Key steps outlined by NIST
Identification
- Locate devices with relevant data 관련 데이터를 포함할 수 있는 디지털 장치를 찾는 작업
- Seize and preserve evidence 증거를 압수 및 보존하여 분석을 위해
- Create forensic copy for analysis 무결성을 유지할 수 있는 포렌식 사본 만드는 것
Examination
- Analyze data for criminal activity 수사관이 범죄 행위의 징후를 찾는 것
- Investigate metadata, history, and logs 메타데이터, 검색 기록, 채팅 로그
- Search for deleted files 삭제된 파일 검사
Analysis
- Investigate the sequence of events 사건의 순서
- Identify methods of targets 사용된 방법, 잠재적 대상을 파악할 수 있는 인사이트를 찾기
- Use Tools : EnCase, FTK, Autopsy
- Analyze file changes and traffic
Reporting
- Compile findings into a report 결과를 취합해 공식 보고서 작성
- Crucial for law enforcement
- Outline evidence and methods 증거, 분석 방법 및 취해진 조치를 요약
- Includes prevention recommedations 유사 사고 예방을 위한 권장 사항 포함
Digital forensics and incident response (DFIR)
- Combines forensics with incident response
- Manages threats in real-time
- Preserves critical evidence during response
Coordinated threat response
- Response team contains threat
- Forensic experts collect evidence
→ Dual appraoch minimizes impact
→ Immediate threat mitigation
Importance of digital forensics
- Essential for cybersecurity and law enforcement
- Uncovers digital evidence
- Preserves evidence integrity
- Ensures justice is served
Whatever I want | Interested in DFIR, Security, Infra, Cloud