File analysis, a fundamental aspect of digital forensics, examines files extracted from storage devices or reconstructed from network captures and uncovers evidence pertinent to a security incident or criminal activity:
- Identification of Malware: Malware analysis is crucial to both incident response and intelligence collection. Analysing a file's structure, code, and behaviour helps forensic analysts determine whether it exhibits malicious characteristics, such as being designed to steal information, provide remote access, or disrupt systems. Two cheap first checks are whether the file's actual content type (its leading "magic" bytes) agrees with the type its extension claims, and whether its cryptographic hash matches a known-good or known-malicious set.
- Uncovering Data Theft: File analysis helps identify "actions over target" activity such as data exfiltration. It can determine whether sensitive information was accessed, modified, or copied. Analysts look for evidence of recent file modifications or moves, and for the use of compression or encryption tools that attackers employ to stage stolen data for exfiltration; such staged archives are often recognisable by their high entropy (content that is statistically indistinguishable from random) even when renamed to disguise their type.
- Reconstructing User Actions: File timestamps allow analysts to determine when files were created, accessed, or modified, and so provide insight into the sequence of events during an attack. Because timestamps can be altered by an attacker, they should be corroborated against other sources such as file system journals or logs. Further examination of temporary files, internet history logs, or recently used application lists can help reconstruct user activity.
- Extracting Metadata: Beyond the content, a file’s metadata—including creation dates, modification times, author details, and GPS coordinates (for images or videos)—can be revealing. This information can establish timelines, identify potential suspects, or corroborate other evidence.
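The checks above (type identification from magic bytes, extension mismatch, hashing, and entropy as a signal of staged or encrypted data) in working form. This is an added example, not code from the original text; the file names, the signature table and the sample contents are constructed stand-ins for files pulled from an image, and the 7.5-bit entropy threshold is an assumed cut-off.

```python
import hashlib
import math
import os
import random
from collections import Counter

# Magic-byte signatures for a few common types (leading bytes of the file).
SIGNATURES = {
    b"MZ": "pe",             # Windows PE executable
    b"\x7fELF": "elf",       # Linux ELF binary
    b"%PDF": "pdf",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip",    # also docx/xlsx/jar/apk containers
}
# What each extension claims its content is.
EXPECTED_TYPE = {".exe": "pe", ".dll": "pe", ".pdf": "pdf",
                 ".jpg": "jpeg", ".jpeg": "jpeg", ".zip": "zip", ".docx": "zip"}
# Types whose content is already compressed, so high entropy is normal for them.
COMPRESSED_TYPES = {"zip", "jpeg"}


def identify(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring whatever name it was given."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: near 0 for repetitive data, close to 8 for encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(name: str, data: bytes, entropy_threshold: float = 7.5) -> dict:
    """Hash, content type and entropy for one file, plus flags worth an analyst's attention."""
    kind = identify(data)
    claimed = EXPECTED_TYPE.get(os.path.splitext(name)[1].lower())
    ent = shannon_entropy(data)
    flags = []
    if claimed and claimed != kind:
        flags.append(f"extension claims {claimed} but content is {kind}")
    if ent >= entropy_threshold and kind not in COMPRESSED_TYPES:
        flags.append("high entropy: likely encrypted or packed (possible staged data)")
    return {"name": name, "sha256": hashlib.sha256(data).hexdigest(),
            "type": kind, "entropy": round(ent, 2), "flags": flags}


def constructed_samples() -> dict:
    """Constructed stand-ins for files pulled from an image; not real evidence."""
    rng = random.Random(7)
    random_blob = bytes(rng.getrandbits(8) for _ in range(4096))
    return {
        # a PE dropper renamed to look like a document
        "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 200,
        # a genuine (minimal) PDF
        "report.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n",
        # an encrypted archive staged for exfiltration under a bland name
        "backup.dat": random_blob,
    }


def triage_all(samples=None) -> dict:
    samples = samples if samples is not None else constructed_samples()
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for r in triage_all().values():
        print(r["name"], r["type"], r["entropy"], r["sha256"][:16], r["flags"])
```

The entropy check is a heuristic: compressed formats are legitimately near 8 bits per byte, which is why known compressed types are exempted, and small files give noisy estimates.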
Creating a bit-for-bit copy (a disk image) of a storage device is crucial to preserving the integrity of the data under forensic investigation:
- Ensuring Evidence Integrity: Working from a copy prevents investigators from altering the original data, which could compromise its admissibility in court. The image is acquired through a write blocker, and cryptographic hashes (for example SHA-256) of the original device and of the image are recorded so that the copy can later be shown to be identical to the original and unchanged by the analysis.
- Recovering Deleted Data: A disk image allows forensic analysts to attempt the recovery of deleted files. The space occupied by a deleted file is merely marked as available; its contents usually remain on the drive until that space is reused. With the help of specialised tools, analysts can recover remnants of these files and uncover valuable evidence.
- Analysing File System Structures: A disk image provides a complete view of the file system and enables the examination of visible files, unallocated space, deleted file remnants, and even hidden partitions, which can be crucial to recovering hidden data or reconstructing an attacker's actions.
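The two ideas above, hashing the image to prove it is unchanged and carving deleted files out of unallocated space by their header and footer signatures, as an added example rather than code from the original text. The eight-sector "disk", its allocation map and the embedded PDF and JPEG are constructed; the signature table is deliberately tiny.

```python
import hashlib

SECTOR = 512

# Header and footer signatures used to carve files out of raw bytes.
CARVE_SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF", b"%%EOF"),
}


def image_digest(image: bytes) -> str:
    """SHA-256 of the whole image, recorded at acquisition and re-checked after every analysis step."""
    return hashlib.sha256(image).hexdigest()


def verify_image(image: bytes, recorded_digest: str) -> bool:
    """True if the image still matches the digest taken at acquisition."""
    return image_digest(image) == recorded_digest


def carve(image: bytes, max_size: int = 64 * 1024) -> list:
    """Scan every byte offset for known headers and cut out header..footer spans.

    This never consults the file system, so it finds remnants in unallocated
    space just as readily as live files."""
    found = []
    for kind, (header, footer) in CARVE_SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:                        # no footer within max_size: skip this header
                pos = image.find(header, pos + 1)
                continue
            found.append({"type": kind, "offset": pos,
                          "data": image[pos:end + len(footer)]})
            pos = image.find(header, end + len(footer))
    return sorted(found, key=lambda f: f["offset"])


def tag_allocation(carved: list, allocated_sectors: set) -> list:
    """Mark each carved file as lying in allocated or unallocated sectors."""
    for f in carved:
        f["allocated"] = (f["offset"] // SECTOR) in allocated_sectors
    return carved


def constructed_image():
    """Constructed 8-sector 'disk': a live PDF in sector 1 and the remnant of a deleted
    JPEG in sectors 5-6 that the (fictional) file system no longer references."""
    img = bytearray(8 * SECTOR)
    live_pdf = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF"
    img[1 * SECTOR:1 * SECTOR + len(live_pdf)] = live_pdf
    # JPEG body built so it never contains 0xff, hence no false end-of-image marker
    body = bytes((i * 37) % 255 for i in range(600))
    deleted_jpeg = b"\xff\xd8\xff\xe0" + body + b"\xff\xd9"
    img[5 * SECTOR:5 * SECTOR + len(deleted_jpeg)] = deleted_jpeg
    allocated = {0, 1}   # sector 0: metadata, sector 1: live PDF; sectors 5-6 are unallocated
    return bytes(img), allocated


def analyse_image(image: bytes, allocated_sectors: set) -> dict:
    """Hash, carve, then re-hash to show the analysis left the evidence untouched."""
    before = image_digest(image)
    carved = tag_allocation(carve(image), allocated_sectors)
    return {"digest": before, "carved": carved, "integrity_ok": verify_image(image, before)}


if __name__ == "__main__":
    img, alloc = constructed_image()
    result = analyse_image(img, alloc)
    for f in result["carved"]:
        print(f["type"], "at offset", f["offset"], "allocated" if f["allocated"] else "unallocated")
    print("image unchanged:", result["integrity_ok"])
```

Real carvers also handle fragmented files and footers that occur inside other data; this example stops at the first footer, which is enough to show why carving works on space the file system no longer accounts for.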
Capturing the contents of a computer's volatile memory (RAM) provides a snapshot of the system's state, including the processes running, at the time of capture:
- Identifying Running Processes: This can be crucial to identifying malicious programs that might not be visible in file system analysis, such as rootkits, memory-only malware, or other malware designed to evade detection.
- Uncovering Network Connections: Memory analysis can reveal active network connections and provide insight into communication patterns, open ports, and suspicious IP addresses or domains that the system communicated with.
- Recovering Passwords and Encryption Keys: Sensitive information such as passwords and symmetric or private encryption keys resides in memory while it is in use. Memory analysis provides an opportunity to recover this data, which can be crucial to decrypting encrypted files or accessing restricted systems. Because this data is lost when power is removed, memory must be captured before the system is shut down.
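Key recovery from memory in practice, as an added example that is not part of the original text: software AES implementations keep the full expanded key schedule in memory while a key is in use, and the schedule is a deterministic function of the key, so a capture can be scanned for any 176-byte region that is exactly the expansion of its first 16 bytes. This is the approach taken by tools such as aeskeyfind. The S-box and key schedule below are written from the FIPS-197 definitions; the "memory capture" is constructed by embedding the FIPS-197 example key's schedule in random bytes at an assumed offset.

```python
import random


def _gmul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11b
        b >>= 1
    return r


def _gf_inverse(x: int) -> int:
    """x^-1 = x^254 in GF(2^8), by square-and-multiply (0 maps to 0)."""
    result, base, e = 1, x, 254
    while e:
        if e & 1:
            result = _gmul(result, base)
        base = _gmul(base, base)
        e >>= 1
    return result


def _build_sbox() -> list:
    """AES S-box: multiplicative inverse followed by the affine transform (FIPS-197 5.1.1)."""
    sbox = []
    for x in range(256):
        inv = _gf_inverse(x)
        s = inv
        for shift in (1, 2, 3, 4):
            s ^= ((inv << shift) | (inv >> (8 - shift))) & 0xff
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()


def expand_key(key: bytes) -> bytes:
    """AES-128 key schedule (FIPS-197 5.2): 16-byte key -> 176 bytes of round keys."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = list(key)
    rcon = 1
    for i in range(16, 176, 4):
        t = w[i - 4:i]
        if i % 16 == 0:                         # every fourth word: RotWord, SubWord, Rcon
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = _gmul(rcon, 2)
        w += [w[i - 16 + j] ^ t[j] for j in range(4)]
    return bytes(w)


def find_aes128_keys(mem: bytes) -> list:
    """Locate AES-128 keys in a memory capture by finding their expanded key schedules.

    For every offset, treat 16 bytes as a candidate key and check whether the following
    160 bytes are exactly what the key schedule would produce; random data never passes."""
    hits = []
    for off in range(len(mem) - 176 + 1):
        k = mem[off:off + 16]
        # cheap pre-filter: first byte of round key 1 must match before the full expansion
        if mem[off + 16] != SBOX[k[13]] ^ 1 ^ k[0]:
            continue
        if expand_key(k) == mem[off:off + 176]:
            hits.append((off, k))
    return hits


def constructed_dump():
    """Constructed 'memory capture': the FIPS-197 example key's schedule inside random bytes."""
    rng = random.Random(42)

    def noise(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
    offset = 3000                                # assumed location of the schedule
    return noise(offset) + expand_key(key) + noise(5000), offset, key


if __name__ == "__main__":
    mem, offset, key = constructed_dump()
    for off, k in find_aes128_keys(mem):
        print(f"AES-128 key at offset {off:#x}: {k.hex()}")
```

The same idea extends to AES-192/256 (longer schedules) and to RSA (scanning for DER-encoded private key structures); what makes it work is that a key in use has a recognisable structure around it, not just 16 random-looking bytes.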
The examination of log files generated by operating systems, applications, and network devices provides a chronological record of events and offers valuable insights into system and user activities:
- Establishing Timelines and Reconstructing Events: Logs provide timestamps for events, which enables analysts to create detailed timelines of activities. This can be crucial to understanding the sequence of events during an attack, correlating actions across different systems, and identifying potential points of compromise.
- Detecting Anomalies and Suspicious Behaviours: With the analysis of log data, analysts can search for patterns or events that deviate from established baselines. These anomalies can be indicators of malicious activity or policy violations.
- Correlating Events Across Multiple Sources: Log analysis often involves the correlation of events across different log files. For example, a suspicious login attempt on a server might be correlated with network traffic logs that show connections from an unusual IP address around the same time. This correlation can strengthen evidence and provide a more comprehensive view of an incident. It is only as reliable as the clocks involved, so timestamps from different sources should be normalised to one time zone and checked for clock skew before events are matched.
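The three log-analysis activities above (timeline building, anomaly detection against a baseline, and cross-source correlation) carried out on sample data. This is an added example, not code from the original text. The sshd and firewall lines are constructed, the year (absent from syslog timestamps) and the internal address range are assumptions, and the thresholds (three failures in five minutes, a sixty-second correlation window) are illustrative.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

ASSUMED_YEAR = 2024                          # syslog lines carry no year (assumption)
INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # assumed internal address range

# Constructed sample logs (not real data): an sshd auth log and a firewall log for the same window.
AUTH_LOG = [
    "Mar 14 02:11:05 web01 sshd[2210]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "Mar 14 02:11:07 web01 sshd[2210]: Failed password for root from 203.0.113.7 port 51023 ssh2",
    "Mar 14 02:11:09 web01 sshd[2210]: Failed password for root from 203.0.113.7 port 51024 ssh2",
    "Mar 14 02:11:12 web01 sshd[2214]: Accepted password for root from 203.0.113.7 port 51025 ssh2",
    "Mar 14 02:30:41 web01 sshd[2301]: Accepted publickey for deploy from 10.0.0.12 port 40110 ssh2",
]
FW_LOG = [
    "Mar 14 02:10:58 fw01 kernel: IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=22",
    "Mar 14 02:11:11 fw01 kernel: IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=22",
    "Mar 14 02:30:40 fw01 kernel: IN=eth1 SRC=10.0.0.12 DST=10.0.0.5 PROTO=TCP DPT=22",
]

TS = r"(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)"
AUTH_RE = re.compile(TS + r" (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Accepted|Failed) (?P<method>\w+) "
                     r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
FW_RE = re.compile(TS + r" (?P<host>\S+) kernel: .*SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*DPT=(?P<dport>\d+)")


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)


def parse_auth(lines) -> list:
    events = []
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            events.append({"source": "auth", "ts": parse_ts(m["ts"]), "host": m["host"],
                           "outcome": m["outcome"], "method": m["method"],
                           "user": m["user"], "ip": m["ip"]})
    return events


def parse_firewall(lines) -> list:
    events = []
    for line in lines:
        m = FW_RE.match(line)
        if m:
            events.append({"source": "fw", "ts": parse_ts(m["ts"]), "host": m["host"],
                           "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])})
    return events


def is_external(ip: str) -> bool:
    return not any(ip_address(ip) in net for net in INTERNAL_NETS)


def build_timeline(*event_lists) -> list:
    """Merge events from all sources into one chronological list."""
    return sorted((e for events in event_lists for e in events), key=lambda e: e["ts"])


def detect_suspicious_logins(auth_events, min_failures=3, window=timedelta(minutes=5)) -> list:
    """Flag successful logins that deviate from the baseline: preceded by a burst of failures
    for the same user and address, or a password login from outside the internal ranges."""
    findings = []
    for ev in auth_events:
        if ev["outcome"] != "Accepted":
            continue
        failures = [f for f in auth_events
                    if f["outcome"] == "Failed" and f["ip"] == ev["ip"] and f["user"] == ev["user"]
                    and ev["ts"] - window <= f["ts"] < ev["ts"]]
        reasons = []
        if len(failures) >= min_failures:
            reasons.append(f"{len(failures)} failed attempts in the {window} before success")
        if ev["method"] == "password" and is_external(ev["ip"]):
            reasons.append("password login from external address")
        if reasons:
            findings.append({"login": ev, "failures": len(failures), "reasons": reasons, "firewall": []})
    return findings


def correlate_with_firewall(findings, fw_events, window=timedelta(seconds=60)) -> list:
    """Attach firewall records from the same source address to port 22 shortly before each login."""
    for f in findings:
        login = f["login"]
        f["firewall"] = [e for e in fw_events
                         if e["src"] == login["ip"] and e["dport"] == 22
                         and login["ts"] - window <= e["ts"] <= login["ts"]]
    return findings


def analyse(auth_lines=AUTH_LOG, fw_lines=FW_LOG) -> dict:
    auth, fw = parse_auth(auth_lines), parse_firewall(fw_lines)
    findings = correlate_with_firewall(detect_suspicious_logins(auth), fw)
    return {"timeline": build_timeline(auth, fw), "findings": findings}


if __name__ == "__main__":
    for f in analyse()["findings"]:
        print(f["login"]["ts"], f["login"]["user"], f["login"]["ip"], f["reasons"],
              [e["ts"].time() for e in f["firewall"]])
```

Both logs are parsed into the same `ts` field so they can be merged and compared directly; in real data this is where the time-zone normalisation and clock-skew correction happen, since the firewall and the server rarely share a clock.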
Mobile forensics focuses on data extracted from mobile phones and other portable devices, which is pertinent given how ubiquitous these devices are:
- Recovering Deleted Data: Mobile devices store vast amounts of data, including messages, call logs, location data, photos, and videos. Even deleted information can often be recovered: application data is typically kept in SQLite databases, and a deleted row's contents can linger in the database file's free space until they are overwritten.
- Accessing Application Data: Mobile devices rely on applications, many of which store user data on the device itself or in the cloud. The extraction and analysis of this application data can include messages, social media posts, financial transactions, or health information.
- Examining Location Data: Mobile devices often record location data through GPS, Wi-Fi, or cellular tower triangulation. This data can be invaluable for recreating timelines, corroborating alibis, or tracking the movements of individuals involved in an investigation.
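Recovering a deleted record from an application's SQLite database, as an added example that is not part of the original text. It builds a constructed messaging database, deletes one message the way an app would, and then compares the printable strings in the table's page against the live rows to surface what the application no longer shows. The table name, messages and column layout are invented; the `PRAGMA secure_delete = OFF` line is there because some SQLite builds are compiled to zero deleted content by default, which would make the constructed example non-deterministic.

```python
import re
import sqlite3
import tempfile
from pathlib import Path

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")   # runs of 8+ printable ASCII bytes


def build_constructed_db(path: str) -> None:
    """Constructed messaging-app database (not real evidence): three messages, then one deleted."""
    con = sqlite3.connect(path)
    # Some SQLite builds default to secure_delete=ON, which zeroes deleted content; switch it
    # off so this constructed file behaves like the common case in which remnants persist.
    con.execute("PRAGMA secure_delete = OFF")
    con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, body TEXT, ts INTEGER)")
    con.executemany("INSERT INTO messages (sender, body, ts) VALUES (?, ?, ?)", [
        ("alice", "meeting moved to 14:00 tomorrow", 1710381000),
        ("bob", "transfer confirmed, account 4471-2209 cleared", 1710381300),
        ("alice", "delete this thread when you are done", 1710381600),
    ])
    con.commit()
    con.execute("DELETE FROM messages WHERE id = 2")   # the message a user 'removed'
    con.commit()
    con.close()


def live_rows(path: str) -> list:
    """What the application (and a naive SELECT) still shows."""
    con = sqlite3.connect(path)
    rows = con.execute("SELECT id, sender, body, ts FROM messages ORDER BY id").fetchall()
    con.close()
    return rows


def table_root_page(path: str, table: str):
    """Page size and root page number of a table's b-tree, taken from the schema table."""
    con = sqlite3.connect(path)
    page_size = con.execute("PRAGMA page_size").fetchone()[0]
    root = con.execute("SELECT rootpage FROM sqlite_master WHERE type = 'table' AND name = ?",
                       (table,)).fetchone()[0]
    con.close()
    return page_size, root


def recover_deleted_remnants(path: str, table: str = "messages") -> list:
    """Printable strings in the table's page that no live row accounts for: deleted-record remnants.

    SQLite frees a deleted cell by overwriting only its first few bytes with a free-block
    header, so the record body stays on the page. Column values are stored back to back,
    so a remnant may read as the sender immediately followed by the body. This table is
    small enough to live entirely in its root page; a larger one needs its leaf pages walked too."""
    page_size, root = table_root_page(path, table)
    raw = Path(path).read_bytes()[(root - 1) * page_size: root * page_size]
    live_values = {str(v) for row in live_rows(path) for v in row if len(str(v)) >= 4}
    remnants = []
    for m in PRINTABLE_RUN.finditer(raw):
        text = m.group().decode("ascii")
        if not any(value in text for value in live_values):
            remnants.append(text)
    return remnants


def demo() -> dict:
    with tempfile.TemporaryDirectory() as workdir:
        path = str(Path(workdir) / "messages.db")
        build_constructed_db(path)
        return {"live": live_rows(path), "remnants": recover_deleted_remnants(path)}


if __name__ == "__main__":
    result = demo()
    print("live rows:", result["live"])
    print("deleted remnants:", result["remnants"])
```

On a real device the same technique is applied to the app's database file, its write-ahead log and rollback journal, and to freelist pages, all of which can hold records the application no longer displays; the string-based scan here is the simplest form of it, and dedicated tools instead parse the freed cells by the SQLite record format.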