Digital Forensics Demystified

by Brent Kirkpatrick

Digital forensics is often seen as a mysterious process; its purpose is to explain how a computer was hacked.

There are two types of digital forensics: detection and discovery. Both types are able to explain what happened when a computer was hacked. Detection is typically faster and easier than de novo discovery.

Detection in forensics is the process where we use indicators of compromise to identify known hacks. For example, your computer might have been hacked using the same method that was used to hack Target last year. The forensics team that analyzed the Target hack may have found indicators of compromise that they published. When you request forensics, your computer can be scanned for evidence of the same or similar hack.

Discovery is a de novo process designed to identify evidence of a novel hack. This type of forensics is used when detection fails to identify the method of attack. For example, if your computer was hacked using a zero-day exploit, discovery may lead to isolating the machine code used in the hack. After being isolated, the machine code is read by an expert to discover what it does.

Detection is significantly faster than discovery. In some cases, detection can be automated with scanning tools. Rootkits, viruses, trojans, and command-and-control code can all be detected using scanning tools. Discovery, on the other hand, can take months of painstaking work.
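To make the detection step concrete (the indicator matching described above and the automated scanning mentioned here), below is a small indicator-of-compromise scanner. It is an added example, not code from the original post; every indicator, file and log line in it is a constructed placeholder, and the `IOC_SHA256`, `IOC_DOMAINS` and `demo` names are assumptions of this example.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed IoCs: placeholders made up for this example, not indicators
# from any real incident.
DROPPER_SAMPLE = b"constructed dropper sample - placeholder content"
IOC_SHA256 = {hashlib.sha256(DROPPER_SAMPLE).hexdigest(): "known-dropper"}
IOC_DOMAINS = {"c2.example.invalid": "known-c2-beacon"}  # reserved TLD
DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)


def scan_files(root: Path) -> list:
    """Return (relative path, label) for files whose SHA-256 is a known IoC."""
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            label = IOC_SHA256.get(digest)
            if label:
                hits.append((str(p.relative_to(root)), label))
    return hits


def scan_log_lines(lines: list) -> list:
    """Return (line no, domain, label) for lines naming a known C2 domain."""
    hits = []
    for n, line in enumerate(lines, 1):
        for domain in DOMAIN_RE.findall(line):
            label = IOC_DOMAINS.get(domain.lower())
            if label:
                hits.append((n, domain.lower(), label))
    return hits


def demo() -> dict:
    """Build a constructed evidence set in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "tmp").mkdir()
        (root / "tmp" / "update.bin").write_bytes(DROPPER_SAMPLE)
        (root / "notes.txt").write_bytes(b"benign file")
        logs = [  # constructed DNS query log lines
            "2024-01-01T10:00:01 query www.example.com A",
            "2024-01-01T10:00:07 query c2.example.invalid A",
            "2024-01-01T10:00:09 query C2.EXAMPLE.INVALID TXT",
        ]
        return {"files": scan_files(root), "logs": scan_log_lines(logs)}
```

A real scan would load published indicators rather than the inline placeholders, and a hash match only says the artefact is known; the "why" and "how" still come from reading the evidence.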

