Forensics: Digital

A Cellebrite Universal Forensics Extraction Device (UFED) extracting data from an iPhone 4S, 2013.

Digital forensics is the retrieval, storage, and analysis of electronic data that can be useful in investigations. This includes information from computers, phones, hard drives, and other data storage devices.

For example, digital forensics can be used to retrieve a “deleted” file from a computer's hard drive, retrieve a phone's web browsing history, or determine how a server was hacked.
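Added example, not part of the original page: why a "deleted" file is often still recoverable by digital forensics. The toy disk below is a constructed stand-in for a real filesystem: a directory maps names to blocks, and ordinary deletion only drops the directory entry. The data blocks keep their contents until something overwrites them, so a carver that scans the raw image for a file signature still finds the file. All names, sizes and the PNG builder are constructed for the demonstration.

```python
"""
Added example, not part of the original page: why a "deleted" file is often
still recoverable. ToyDisk is a constructed stand-in for a filesystem; carve_png
is a minimal signature-based file carver of the kind forensic tools use.
"""
import struct
import zlib

BLOCK = 64  # block size of the constructed toy disk, in bytes

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # every PNG starts with this signature
PNG_END = b"IEND\xaeB`\x82"         # the IEND chunk (type + CRC) ends every PNG


def make_png(width, height):
    """Build a small valid 8-bit grayscale PNG in memory (constructed test data)."""
    def chunk(ctype, data):
        body = ctype + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))

    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    # One filter byte (0 = None) per scanline, followed by the pixel values.
    raw = b"".join(b"\x00" + bytes([(y * 37) % 256] * width) for y in range(height))
    return PNG_MAGIC + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


class ToyDisk:
    """Constructed filesystem: a directory {name: (first_block, length)} over a flat block array."""

    def __init__(self, n_blocks):
        self.data = bytearray(n_blocks * BLOCK)
        self.directory = {}
        self.next_free = 0

    def write(self, name, content):
        start = self.next_free * BLOCK
        self.data[start:start + len(content)] = content
        self.directory[name] = (self.next_free, len(content))
        self.next_free += -(-len(content) // BLOCK)  # ceiling division

    def delete(self, name, overwrite=False):
        # What ordinary deletion does: forget the entry, leave the blocks alone.
        first_block, length = self.directory.pop(name)
        if overwrite:
            # What a "secure delete" tries to do: zero the blocks first.
            start = first_block * BLOCK
            self.data[start:start + length] = bytes(length)


def carve_png(image):
    """Recover every PNG in a raw image by scanning for its signature and IEND trailer."""
    found, pos = [], 0
    while True:
        start = image.find(PNG_MAGIC, pos)
        if start == -1:
            return found
        end = image.find(PNG_END, start)
        if end == -1:
            return found
        end += len(PNG_END)
        found.append(bytes(image[start:end]))
        pos = end


def carved_after_delete(overwrite):
    """Write a PNG next to an innocent file, delete it, and report what a carver recovers."""
    disk = ToyDisk(32)
    photo = make_png(4, 3)
    disk.write("notes.txt", b"nothing to see here")
    disk.write("photo.png", photo)
    disk.delete("photo.png", overwrite=overwrite)
    assert "photo.png" not in disk.directory  # the filesystem no longer lists it
    recovered = carve_png(disk.data)
    return len(recovered), recovered == [photo]


if __name__ == "__main__":
    print("plain delete    -> carved:", carved_after_delete(overwrite=False))  # (1, True)
    print("overwrite first -> carved:", carved_after_delete(overwrite=True))   # (0, False)
```

The overwrite branch shows the idea behind "secure delete", but on real hardware it is not dependable: SSD wear levelling, filesystem journals, snapshots and backups can all keep a copy that an in-place overwrite never touches. That is why the mitigations on this page rely on full disk encryption and an amnesic system rather than on deleting files after the fact.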

Used in tactics: Incrimination

Mitigations

Avoiding self-incrimination

An adversary can use digital forensics to retrieve self-incriminating information from a digital device. To mitigate this, you can avoid storing such information on digital devices except for very deliberate reasons (such as writing and sending an action claim while following digital best practices).

Digital best practices

An adversary can use digital forensics to retrieve data from a digital device you have used. To mitigate this, you can follow digital best practices and, in particular, use Tails[1], an “amnesic” operating system designed to leave no trace on the computer it runs on.

When investigating a cyber action, an adversary can use digital forensics to analyze the targets of the action and determine where it came from, a process called attribution, which may include identifying the tools used in the action and any other digital “signatures”. When carrying out a cyber action, you can follow digital best practices to make attribution harder for an adversary. For example, you can:

  • Use popular rather than custom tools.
  • If you use a Virtual Private Server (VPS), purchase it anonymously and access it through Tails[1].

Encryption

An adversary can use digital forensics to retrieve data from unencrypted digital devices. To mitigate this, you can encrypt your digital devices with Full Disk Encryption and a strong password.

Metadata erasure and resistance

An adversary can use digital forensics to retrieve and analyze metadata. To mitigate this, you can erase metadata from files before publishing them online or sending them to others.
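Added example, not part of the original page: where identifying metadata sits in an Office document and how to list and strip it. Files such as .docx, .xlsx and .pptx are ZIP containers; the author, last editor and editing dates live in docProps/core.xml, and the ZIP entries themselves carry modification timestamps. The document built here is a constructed minimal stand-in with only the parts needed for the demonstration; the names and dates in it are made up.

```python
"""
Added example, not part of the original page: list and strip the identifying
core properties and ZIP timestamps of a constructed minimal .docx-like file.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)  # keep the usual prefixes when re-serialising

# Core-property elements that name a person, a machine or a timeline.
IDENTIFYING = ["dc:creator", "cp:lastModifiedBy", "dcterms:created",
               "dcterms:modified", "dc:title", "dc:description"]

# Constructed sample values; in a real document the editor fills these in silently.
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:title>draft</dc:title>
  <dc:creator>alice-laptop</dc:creator>
  <cp:lastModifiedBy>Alice Example</cp:lastModifiedBy>
  <dcterms:created xsi:type="dcterms:W3CDTF">2023-01-05T20:14:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2023-01-06T09:02:00Z</dcterms:modified>
</cp:coreProperties>""".format(**NS)
DOCUMENT_XML = '<?xml version="1.0" encoding="UTF-8"?><document><body>Hello</body></document>'
NEUTRAL_TIME = (1980, 1, 1, 0, 0, 0)  # earliest timestamp a ZIP entry can carry


def build_sample_docx():
    """Return the bytes of a constructed minimal .docx-like container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("word/document.xml", DOCUMENT_XML)
    return buf.getvalue()


def read_part(doc, name):
    """Raw bytes of one part inside the container."""
    with zipfile.ZipFile(io.BytesIO(doc)) as z:
        return z.read(name)


def read_metadata(doc):
    """Return {element: value} for every identifying core property present."""
    with zipfile.ZipFile(io.BytesIO(doc)) as z:
        if "docProps/core.xml" not in z.namelist():
            return {}
        root = ET.fromstring(z.read("docProps/core.xml"))
    found = {}
    for tag in IDENTIFYING:
        el = root.find(tag, NS)
        if el is not None and el.text:
            found[tag] = el.text
    return found


def strip_metadata(doc):
    """Rewrite the container with identifying core properties removed and ZIP timestamps neutralised."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(doc)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data = src.read(info)
            if info.filename == "docProps/core.xml":
                root = ET.fromstring(data)
                for tag in IDENTIFYING:
                    for el in root.findall(tag, NS):
                        root.remove(el)
                data = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            # A fresh ZipInfo drops the original entry's modification time.
            clean = zipfile.ZipInfo(info.filename, date_time=NEUTRAL_TIME)
            clean.compress_type = zipfile.ZIP_DEFLATED
            dst.writestr(clean, data)
    return out.getvalue()


def entry_timestamps(doc):
    """Set of (Y, M, D, h, m, s) tuples stored on the ZIP entries."""
    with zipfile.ZipFile(io.BytesIO(doc)) as z:
        return {info.date_time for info in z.infolist()}


if __name__ == "__main__":
    original = build_sample_docx()
    print("before:", read_metadata(original))
    cleaned = strip_metadata(original)
    print("after: ", read_metadata(cleaned))          # {}
    print("timestamps:", entry_timestamps(cleaned))  # {(1980, 1, 1, 0, 0, 0)}
```

This handles only the core properties and the ZIP timestamps. Office files also carry docProps/app.xml (application and company), tracked changes, comments and embedded images with their own EXIF data, and other formats (PDF, JPEG, audio) have their own metadata blocks; a dedicated tool such as mat2, which Tails ships, covers far more locations than this example and is the practical choice before publishing a file.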

Used in repressive operations

Bure criminal association case

Investigators analyzed storage devices by automatically extracting files containing the following keywords relevant to the investigation[2]:

  • “Action”.
  • “Andra”, the agency responsible for the Cigéo project.
  • “Bindeuil”, the name of the building that was attacked during the June 21, 2017 demonstration.
  • “Hibou” (“owl”), a name used by people fighting against Cigéo to refer to themselves.
  • “Incendie” (“fire”).
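Added illustration, not part of the original page and not the investigators' tooling: a keyword triage over a set of files of the kind described above. It case-folds and strips accents before matching and copes with mixed encodings, which is why superficial variations in how a word is written (capitals, accents, a file saved in Windows-1252, a string inside a binary file) do not keep a file out of the results. The keywords are the ones quoted on the page; the files and their contents are constructed.

```python
"""
Added example, not part of the original page: a case- and accent-insensitive
keyword triage over a constructed set of files with mixed encodings.
"""
import unicodedata

# Keywords quoted on the page for the Bure case.
KEYWORDS = ["Action", "Andra", "Bindeuil", "Hibou", "Incendie"]

# Constructed sample corpus: file name -> raw bytes as they would sit on disk.
SAMPLE_FILES = {
    "notes.txt": "Réunion avec le groupe HIBOU demain".encode("utf-8"),
    "brouillon.txt": "Action prévue, voir l'Andra".encode("cp1252"),  # Windows-1252, not UTF-8
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"incendie" + b"\x00" * 8,  # binary with a stray string
    "recette.txt": "Tarte aux pommes".encode("utf-8"),
}


def normalize(text):
    """Case-fold and drop combining accents so 'CIGÉO' and 'cigeo' compare equal."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).casefold()


def decode_any(raw):
    """Decode as UTF-8 when possible, fall back to Windows-1252, then to Latin-1 (never fails)."""
    for encoding in ("utf-8", "cp1252"):
        try:
            return raw.decode(encoding)
        except UnicodeDecodeError:
            continue
    return raw.decode("latin-1")


def keyword_hits(files, keywords=KEYWORDS):
    """Return {keyword: sorted file names containing it}; keywords with no hits are omitted."""
    wanted = {keyword: normalize(keyword) for keyword in keywords}
    hits = {}
    for name, raw in files.items():
        text = normalize(decode_any(raw))
        for keyword, needle in wanted.items():
            if needle in text:
                hits.setdefault(keyword, []).append(name)
    return {keyword: sorted(names) for keyword, names in hits.items()}


if __name__ == "__main__":
    for keyword, names in keyword_hits(SAMPLE_FILES).items():
        print(f"{keyword}: {', '.join(names)}")
```

Matching is by substring, so a broad term such as “Action” also hits “réaction”; a triage like this produces a list of files for a human to review, not a finding in itself, and the page's mitigation is to avoid storing such material on a device at all rather than to rely on the scan missing it.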

2. Private source.