Every action on an information technology system such as a computer leaves traces. From these traces, forensic experts can draw conclusions about activities on the computer or IT system and thus solve criminal offenses such as hacker attacks or malware infections. How do digital forensics experts do this?
What types of digital traces are there?
Digital forensics deals with digital traces, which are found in different places on a computer. Some lie on the computer's mass storage, such as hard disk drives (HDDs) or flash memory (SSDs). Stored files, programs and also log files reside on mass storage; in the log files, the computer records many of the actions performed.
There are also volatile traces that reside, for example, in the computer's RAM: the currently running programs and their data. Active data connections are also volatile traces, since they do not exist before the communication and no longer exist after it.
Securing traces, also known as artifacts, is one of the most important tasks in digital forensics. Mistakes made here can make it impossible to clarify the facts later. For this reason, securing evidence is a task for experts, in classical forensics as much as in digital forensics. In digital forensics, experts use special software to secure digital traces. Digital traces are very sensitive: without expert knowledge, a change, and thus manipulation, is almost unavoidable. Many digital traces are volatile and can only be saved at a specific point in time, such as traces in RAM; these are irretrievably destroyed very quickly.
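One concrete check behind "securing traces without changing them" is an integrity manifest: every acquired artifact is hashed at acquisition time, and the hashes are verified again before analysis and before the evidence is presented. The following Python script is an added example, not code from the article; it assumes the artifacts have already been copied into an evidence directory (the `case-0001` folder and the two sample files are constructed), keeps the manifest outside that directory, and detects a file that grew, a file that changed without changing size, and a file that was added after acquisition.

```python
"""Integrity manifest for acquired artifacts.

Added example, not code from the article. It assumes the artifacts have
already been copied into an evidence directory and that the manifest is kept
outside that directory. All sample files below are constructed.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB pieces so a large disk image need not fit in RAM


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256; opened read-only so the artifact is not altered."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(evidence_dir: Path) -> dict:
    """Map each relative file path to its size and SHA-256 at acquisition time."""
    manifest = {}
    for p in sorted(evidence_dir.rglob("*")):
        if p.is_file():
            rel = p.relative_to(evidence_dir).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return manifest


def verify_manifest(evidence_dir: Path, manifest: dict) -> list:
    """Return (path, finding) pairs; an empty list means every artifact is intact."""
    findings = []
    for rel, expected in manifest.items():
        p = evidence_dir / rel
        if not p.is_file():
            findings.append((rel, "missing"))
        elif p.stat().st_size != expected["size"]:
            findings.append((rel, "size changed"))
        elif sha256_file(p) != expected["sha256"]:
            findings.append((rel, "hash mismatch"))
    # Files that appeared after acquisition are a finding as well.
    for p in sorted(evidence_dir.rglob("*")):
        rel = p.relative_to(evidence_dir).as_posix()
        if p.is_file() and rel not in manifest:
            findings.append((rel, "not in manifest"))
    return findings


def demo() -> tuple:
    """Constructed run: two fake artifacts, a manifest, then three kinds of change."""
    with tempfile.TemporaryDirectory() as tmp:
        ev = Path(tmp) / "case-0001"  # hypothetical case folder
        ev.mkdir()
        (ev / "auth.log").write_bytes(
            b"Jan 01 10:00:00 srv1 sshd[1]: Accepted password for alice\n")
        (ev / "memdump.raw").write_bytes(os.urandom(4096))
        manifest = build_manifest(ev)
        clean = verify_manifest(ev, manifest)

        # 1) a tool appends to the log: size and hash change
        with (ev / "auth.log").open("ab") as fh:
            fh.write(b"Jan 01 10:05:00 srv1 sshd[1]: session opened\n")
        # 2) one byte flipped in the memory dump: same size, different hash
        raw = (ev / "memdump.raw").read_bytes()
        (ev / "memdump.raw").write_bytes(bytes([raw[0] ^ 0xFF]) + raw[1:])
        # 3) an analyst drops a file into the evidence folder
        (ev / "notes.txt").write_text("analyst notes")
        tampered = verify_manifest(ev, manifest)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("before:", json.dumps(before))
    print("after: ", json.dumps(after))
```

The size check runs before the hash so that a truncated or grown file is reported without rehashing a multi-gigabyte image; a same-size modification is still caught by the digest. In practice the manifest itself is signed or stored with the chain-of-custody record, since a manifest an attacker can rewrite proves nothing.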
Correct evaluation of digital traces requires comprehensive, in-depth computer knowledge and special software. Depending on the type of trace and the event they are looking for, experts use different methods and software. They then put the findings from the individual digital traces together to obtain an overall picture. This can be imagined as detective work, only with purely digital traces.
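Putting findings from individual traces together usually starts with a single timeline: each source logs in its own format and time zone, and events only line up once every timestamp has been normalised to UTC. The script below is an added example, not code from the article. The five log lines are constructed (an Apache access log, two syslog lines, and two ISO-8601 firewall lines recorded with a +01:00 offset) and are deliberately given out of order; the example assumes the syslog year is 2024 and that the syslog host ran on UTC, because classic syslog records neither.

```python
"""Merge traces from several sources into one UTC timeline.

Added example, not code from the article. Sample lines are constructed and
carry documentation-range addresses; parsers cover only the three formats used.
"""
import re
from datetime import datetime, timedelta, timezone

SYSLOG_YEAR = 2024        # assumption: classic syslog lines omit the year
SYSLOG_TZ = timezone.utc  # assumption: the syslog host logged in UTC

# Constructed sample lines, intentionally out of order.
SAMPLE_LINES = [
    "Mar 14 09:12:40 srv1 sudo: alice : TTY=pts/0 ; COMMAND=/usr/bin/tar czf /tmp/x.tgz /srv/data",
    "2024-03-14T11:30:00+01:00 fw01 conn: NEW 10.0.0.7 -> 198.51.100.9:443",
    '203.0.113.5 - - [14/Mar/2024:09:11:40 +0000] "GET /wp-login.php HTTP/1.1" 200 2118',
    "2024-03-14T10:13:10+01:00 fw01 conn: NEW 10.0.0.7 -> 198.51.100.9:443",
    "Mar 14 09:12:03 srv1 sshd[812]: Accepted password for alice from 203.0.113.5 port 51122 ssh2",
]

SYSLOG_RE = re.compile(r"^([A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (\S+) (\S+?): (.*)$")
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)$')
ISO_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\S+) (\S+) (\S+?): (.*)$")


def parse_syslog(line):
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{SYSLOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts.replace(tzinfo=SYSLOG_TZ), "syslog", f"{m.group(3)}: {m.group(4)}"


def parse_apache(line):
    m = APACHE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")  # offset is in the line
    return ts, "web", f'{m.group(1)} "{m.group(3)}" {m.group(4)}'


def parse_iso(line):
    m = ISO_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1))
    if ts.tzinfo is None:
        return None  # a naive timestamp cannot be ordered safely; leave it unparsed
    return ts, "firewall", f"{m.group(3)}: {m.group(4)}"


PARSERS = (parse_syslog, parse_apache, parse_iso)


def timeline_utc(lines):
    """Parse each line with the first matching parser and order events by UTC time.

    Returns (events, unparsed); each event is (utc_datetime, source, message).
    Lines no parser accepts are kept aside rather than silently dropped.
    """
    events, unparsed = [], []
    for line in lines:
        for parse in PARSERS:
            hit = parse(line)
            if hit:
                ts, source, msg = hit
                events.append((ts.astimezone(timezone.utc), source, msg))
                break
        else:
            unparsed.append(line)
    events.sort(key=lambda e: e[0])
    return events, unparsed


def events_after(events, pattern, minutes):
    """Events within `minutes` after the first event whose message contains
    `pattern`; the anchor event itself is excluded."""
    anchor = next((e for e in events if pattern in e[2]), None)
    if anchor is None:
        return []
    limit = anchor[0] + timedelta(minutes=minutes)
    return [e for e in events if anchor[0] < e[0] <= limit]


if __name__ == "__main__":
    evs, rest = timeline_utc(SAMPLE_LINES)
    for ts, src, msg in evs:
        print(ts.isoformat(), f"{src:8}", msg)
    print("unparsed:", rest)
    for ts, src, msg in events_after(evs, "Accepted password", 5):
        print("within 5 min of login:", ts.isoformat(), src, msg)
```

Read as raw text, the firewall line stamped 10:13:10 looks an hour later than the SSH login; after normalisation it sits 67 seconds after it, which is the kind of relationship the analyst is looking for. Clock drift between hosts is a further assumption the example does not model; in a real case each source's offset from a reference clock is recorded during acquisition.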
Results of digital forensics
The aim of the forensic investigation is to clarify the incident. The classic questions (who, what, when, where, how and why) play a central role here. Expert opinions that can be used in court are often required if damages are claimed or criminal charges are to be filed. This also applies to data protection incidents: if personal data is affected, the events must be processed using digital forensics in accordance with Articles 33 and 34 GDPR. The controller within the meaning of Article 4 No. 7 GDPR is subject to notification and information duties, which it can only comply with if it knows what happened. But those responsible should also act quickly in their own interest: IT systems can only continue to operate securely once all traces of the malware and all hidden backdoors left by the attackers have been found and eliminated.
The earlier hacker attacks are cleared up and malware uncovered, the smaller and more manageable the effort required and the possible damage. Anyone affected is therefore well advised to consult digital forensics experts at an early stage whenever malware, a hacker attack or a data leak is suspected.
Dr. Christian Zurmühl advises clients in the public and private sectors in the field of IT security, with a focus on digital forensics.