IT forensics was originally a specialised science of investigative authorities. It includes
- Forensic analyses
- Dealing with IT systems in the event of IT failures (hardware and software failures), cyber risks and operating errors by the user
and is particularly relevant in the case of threatened or suffered data loss.
The term is defined as follows:
“IT forensics is the strictly methodical analysis of data on data carriers and in computer networks to clarify incidents, including the possibilities of strategic preparation, especially from the perspective of the system operator of an IT system.”
One of the main tasks of IT forensics is to determine whether an incident (for example, a hacker attack) has occurred and, if so, to identify it. By quickly identifying and confirming an incident, measures can be taken to limit the damage. The quicker the reaction, the better the chances of keeping the damage to a minimum. It must also be established which areas of the company are affected. Only through a precise damage analysis can the impact of an incident be assessed.
Further tasks of IT forensics are the restoration of IT systems and the IT infrastructure and the clarification of the cause of the damage.
IT forensics can be divided into post-mortem analysis and live forensics.

In post-mortem analysis, also known as offline forensics, incidents are clarified after the fact. The investigation is carried out by examining data carrier images for non-volatile traces of incidents. The focus is on the investigation and recovery of renamed, encrypted, deleted and hidden data from mass storage devices.
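The following added example (not part of the original page) shows one post-mortem triage step for files extracted from a data carrier image: flagging renamed files by comparing leading signature bytes with the file extension, and flagging possibly encrypted content by its byte entropy. The function names, the small signature table and the 7.5 bits-per-byte threshold are assumptions chosen for illustration.

```python
import math
from collections import Counter

# Leading "magic bytes" of a few common formats (small illustrative subset).
SIGNATURES = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"PK\x03\x04": "zip",
}
# Extensions that legitimately carry each type (docx/xlsx/jar are ZIP containers).
EXPECTED_EXT = {
    "pdf": {"pdf"},
    "png": {"png"},
    "jpg": {"jpg", "jpeg"},
    "zip": {"zip", "docx", "xlsx", "jar"},
}
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off, tune per case

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def detect_type(data: bytes):
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None

def triage(name: str, data: bytes) -> list:
    """Return findings for one file extracted from a data carrier image."""
    findings = []
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = detect_type(data)
    if kind and ext not in EXPECTED_EXT[kind]:
        findings.append(f"renamed: content is {kind}, extension is '{ext}'")
    # Compressed formats are also high-entropy, so only flag headerless data.
    if kind is None and shannon_entropy(data) > ENTROPY_THRESHOLD:
        findings.append("high entropy without known header: possibly encrypted")
    return findings

if __name__ == "__main__":
    # Constructed samples standing in for files extracted from an image.
    samples = {"holiday.txt": b"\xff\xd8\xff\xe0" + bytes(64),
               "blob.dat": bytes(range(256)) * 16}
    for name, data in samples.items():
        print(name, triage(name, data))
```

A finding is a lead for the examiner, not proof: headerless compressed data also scores as high entropy.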
Live forensics, also called online forensics, investigates the incident during runtime. Attempts are made to obtain and investigate volatile data. This data includes information about existing network connections, main memory contents and started processes.
Through professional data recovery, data can be recovered from defective data carriers to prevent permanent loss. However, as we have already learned, unauthorised third parties can also recover data with the help of data recovery. A distinction is made between eight different forensic data types:
- Hardware data
- Data details
- Process data
- Session data
- Raw data content
- User data
- Configuration data
- User data
Various requirements apply to making provisions for IT forensics. The Information Security Officer (ISO) is responsible for ensuring that the requirements are met. Basic requirements that must be met are:
- When collecting and analysing data for forensic investigation, all legal and regulatory framework conditions must be complied with. There must also be no violation of internal company regulations and employee agreements. Therefore, the data protection officer and the works council must be involved.
- A guidebook regulating the initial measures to be taken in the event of an IT security incident must be prepared. Possible traces should not be destroyed, which is why a plan of action must be drawn up.
- If a company does not have its own forensics team, external forensics service providers must be consulted. Documentation on the service providers in question is required.