Understanding Digital Forensics

What digital forensics is, the case types it handles, and the concepts behind it.

Introduction

After years in offensive security, I’ve started picking up digital forensics on the side. Before going deep into tools and forensic distros, I wanted to understand the field conceptually first.

This post is what I learned along the way. It covers:

  • What digital forensics is: the origin of the word, how it applies in the digital world, common case types, and how it differs from incident response.
  • How investigations are done: the common frameworks, the roles of the people involved, the four main steps, how evidence is kept safe (chain of custody), and where evidence comes from.
  • What determines the outcome: what makes an investigation succeed, what happens when findings go to court, and common misconceptions.

What is Digital Forensics?

Origin of the Word “Forensic”

The word “forensic” comes from Latin forensis, meaning “of the forum”, referring to the public forum in ancient Rome where trials and important matters were held. From the start, it meant a way of finding truth that could be examined and accepted in public.

The classic example is the forensic doctor. In a murder case, three roles work in parallel:

Role | Job
--- | ---
Police | Catch the suspect
Emergency room doctor | Treat the victim
Forensic doctor | Examine the body to determine what happened, when, and how

The forensic doctor’s job is the autopsy, with a method that can be reproduced by other experts.

In the Digital World

The same idea, but for digital evidence: computers, phones, networks, and cloud accounts.

The work has three parts: collecting the traces an attacker leaves behind, keeping them safe so they don’t get damaged, and using them to explain what really happened.

The same role split applies in digital cases:

Role | Job after a breach
--- | ---
Law enforcement | Catch the hacker
IT team | Restore systems
Digital forensics | Work out what happened during the breach

A digital forensic team tries to answer: when the attacker got in, how they got in, what they did once inside, what data they took, and how extensive the damage is.

The findings can be used for several things: as evidence in court, to support a cyber insurance claim, to report the incident to regulators, or as internal lessons so the same thing doesn’t happen again.

Note: In Indonesia, the relevant regulators cover different areas:

  • BSSN: national critical infrastructure incidents under Perpres 47/2023 on the National Cyber Security Strategy
  • OJK: financial sector (banks, insurance, fintech) under POJK 11/POJK.03/2022 on IT operations by commercial banks
  • Personal data protection authority: personal data breaches under UU PDP (with a 3×24 hour notification window)

Key principle: Digital forensics finds out what happened. It doesn’t decide what to do about it. That decision belongs to someone else.

Common Case Types

Digital forensics is used in many different situations. Some of the most common case types:

Case type | Typical question | Common evidence
--- | --- | ---
Ransomware | How did the attacker get in? What was stolen before encryption? Can files be recovered? | Memory dump (encryption keys), logs, network traffic, ransom notes
Data breach | What data was taken? When? How? | Database logs, file access logs, outgoing network traffic, attacker tools
Business Email Compromise (BEC) | Whose email was hacked? How did the attacker maintain access? Were any payments redirected? | Email server logs, forwarding rules, login records
Insider threat | Did an employee leak data or steal files? When? To whom? | USB device history, email exports, file metadata, cloud activity logs, browser history
Fraud investigation | What financial transactions were involved? Who approved them? | Email correspondence, financial system logs, document timestamps

Cases often overlap. A ransomware attack might also involve data theft if files were copied before encryption.

The case type determines which evidence is collected first. For ransomware, capturing RAM is the priority (it may still hold the encryption key). For insider threat, USB and email evidence are checked first.

Forensics vs Incident Response

When researching digital forensics, you will often see the term DFIR, which stands for Digital Forensics and Incident Response.

Aspect | Digital Forensics | Incident Response (IR)
--- | --- | ---
Core question | What happened? | How do we stop it?
Timing | After the event | During the event
Medical analogy | Autopsy | Emergency room doctor
Primary goal | Reconstruction | Containment

The combined term exists because the two are difficult to separate in practice. Two ways things can go wrong:

  • IR too fast. Evidence can be destroyed. For example, rebooting a compromised server to stop the attack erases everything in memory (RAM), which might have held the ransomware’s encryption key or the network connections the attacker was using. Once the server reboots, those clues are gone.
  • Forensics too slow. The attack keeps spreading while the team is still analyzing.

Many teams now run both at the same time: securing evidence while containing the attack.

I will write about IR in a separate post.

How Investigations Are Done

Reference Frameworks

Frameworks help keep forensic work consistent and credible. Without one, results are easy to challenge in court or get rejected by regulators.

Two are most commonly used:

Framework | Year | Focus
--- | --- | ---
NIST SP 800-86 | 2006 | Whole-process workflow for corporate IT environments
ISO/IEC 27037 | 2012 | Evidence handling and investigator roles

NIST sets the workflow. ISO sets the evidence handling standard and the roles. The next sections walk through both.

Roles in an Investigation

ISO/IEC 27037 defines two roles for the people handling digital evidence. You will see these labels in the chain of custody example later.

  • DEFR (Digital Evidence First Responder). The person who arrives at the scene first. Their job is to identify what counts as evidence (servers, laptops, phones, recordings of network traffic), make sure those systems stay untouched, and start making copies of the data (a step called acquisition). Usually an experienced practitioner with broad acquisition skills across many device types.
  • DES (Digital Evidence Specialist). The expert who does the deep analysis. They take the copies the DEFR made and examine them closely: reading through log files, building a timeline of what happened, studying any malware found, and recovering deleted files. Usually has deeper forensic training in a specific area (memory, disk, mobile, or network).

The two roles exist because the work happens in two different settings. DEFR work is at the scene under time pressure: some evidence disappears fast (anything in RAM is gone the moment the computer restarts, for example). DES work happens in a lab over weeks of careful analysis, with no rush. The skills are different, so the roles are separated.

In a small team, one person might do both, switching modes between scene work and lab work. In larger investigations, the two roles are split into different people, so the DEFR can move to the next incident while the DES is still analyzing the previous one.

ISO/IEC 27037 also covers evidence handling techniques and device-specific guidance, but the role split is what it’s best known for.

The Four Investigation Phases

NIST SP 800-86 breaks an investigation into four broad phases:

Phase | What it covers | Key concern
--- | --- | ---
Collection | Identifying evidence sources and making copies (memory, disks, network, cloud) | Preserve the original state and document everything
Examination | Going through the copies to pull out the relevant data (filtering, parsing, making it readable) | Reduce volume without losing important context
Analysis | Making sense of the extracted data to answer the case questions: what happened, who was behind it, when, and how big the damage is | Stay focused on what the evidence shows, not on theories
Reporting | Writing down findings, the method used, limitations, and what is still uncertain | Honesty, completeness, and clear enough so others can repeat it

The phases run in order, but the flow is not strictly one-way. Analysis often reveals gaps that send the team back to collection or examination for more data.

Chain of Custody

Chain of custody is required by every forensic framework, including NIST and ISO above. It is a complete record of an evidence item’s full history, from the moment it is collected until it is presented in court or handed to a regulator.

Each entry records who held it, when, for what purpose, and where it was stored. A simple example:

Timestamp | Handler | Action | Location | Hash check
--- | --- | --- | --- | ---
2026-01-25 09:00 | Andi (DEFR) | Imaged server-01 (made forensic copy) | Client site | a3f1... (computed)
2026-01-25 11:30 | Budi (transport) | Sealed evidence bag, transported | Vehicle | a3f1... verified
2026-01-25 13:00 | Citra (DES) | Received in lab | Forensic lab | a3f1... verified
2026-01-26 14:00 | Citra (DES) | Mounted read-only for analysis | Forensic lab | a3f1... verified

The hash column is a digital fingerprint of the file. If even a small part of the file changes, the hash changes completely, so tampering is easy to detect.

Important: A gap in the chain of custody can make the evidence questionable, even if technically nothing inside it changed. The court does not need proof that tampering happened; it is enough that the possibility cannot be ruled out.

If chain of custody breaks, the quality of the analysis no longer matters much.
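To show what the hash column in the log above actually does, here is an added Python example (not code from the original post) that replays the server-01 handovers on a constructed byte string standing in for the forensic image, re-hashes it at every transfer, and reports the chain as broken when a single byte changed in transit. The `ChainOfCustody` and `demo_chain` names are assumptions for this illustration; the handler names and timestamps come from the table, and the image bytes are constructed.

```python
import hashlib
from dataclasses import dataclass, field


def fingerprint(image: bytes) -> str:
    """SHA-256 of the evidence image; changing even one byte changes the whole value."""
    return hashlib.sha256(image).hexdigest()


@dataclass
class CustodyEntry:
    timestamp: str
    handler: str
    action: str
    location: str
    hash_check: str  # "(computed)" at acquisition, then "verified" or "MISMATCH"


@dataclass
class ChainOfCustody:
    """Custody log for one evidence item; its hash is fixed once at acquisition."""
    item_id: str
    acquisition_hash: str = ""
    entries: list = field(default_factory=list)

    def acquire(self, ts: str, handler: str, location: str, image: bytes) -> None:
        self.acquisition_hash = fingerprint(image)
        self.entries.append(CustodyEntry(ts, handler, f"Imaged {self.item_id}", location,
                                         f"{self.acquisition_hash[:8]}... (computed)"))

    def handover(self, ts: str, handler: str, action: str, location: str, image: bytes) -> bool:
        """Re-hash at every transfer and record whether it still matches the original."""
        status = "verified" if fingerprint(image) == self.acquisition_hash else "MISMATCH"
        self.entries.append(CustodyEntry(ts, handler, action, location,
                                         f"{self.acquisition_hash[:8]}... {status}"))
        return status == "verified"

    def is_intact(self) -> bool:
        """True only if the log opens with a computed hash and every later entry verified."""
        if not self.entries or not self.entries[0].hash_check.endswith("(computed)"):
            return False
        return all(e.hash_check.endswith("verified") for e in self.entries[1:])


def demo_chain(tamper: bool = False) -> ChainOfCustody:
    image = bytes(range(256)) * 64  # constructed stand-in for the forensic copy, not a real image
    coc = ChainOfCustody("server-01")
    coc.acquire("2026-01-25 09:00", "Andi (DEFR)", "Client site", image)
    coc.handover("2026-01-25 11:30", "Budi (transport)", "Sealed evidence bag, transported", "Vehicle", image)
    if tamper:
        image = image[:100] + b"\x00" + image[101:]  # one byte altered between handovers
    coc.handover("2026-01-25 13:00", "Citra (DES)", "Received in lab", "Forensic lab", image)
    return coc
```

With `tamper=True` the lab entry records `MISMATCH` and `is_intact()` returns False, which is exactly the situation where the analysis quality stops mattering.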

Sources of Evidence

Forensics collects evidence from many sources, not just logs. Each source holds different information and they complement each other.

The underlying principle was first described by French criminologist Edmond Locard in the early 1900s, known as Locard’s Exchange Principle: every interaction leaves a trace. It started as a principle about clothing fibers at a crime scene and dust on a suspect’s shoes, but applies just as well in the digital world.

Common sources of evidence, ordered by how fast they disappear:

Source | Volatility | What it captures
--- | --- | ---
Memory (RAM) | High, lost on restart | Active processes, network connections, encryption keys
Logs | Medium, depends on how long logs are kept | OS, applications, firewalls, centralized log systems (SIEM)
Filesystem metadata | Low | Records of every file’s existence and changes (like the NTFS Master File Table on Windows)
Registry artifacts (Windows) | Low | Records of programs run and folders opened (ShimCache, AmCache, Shellbags)
Application caches | Low | Browser, email client, messenger local data
Slack space | Low | Files that were “deleted” but still on disk until something overwrites them
External sources | Varies | Cloud provider logs, Microsoft 365, Google Workspace, connected business partners

How complete these sources are at investigation time depends on the organization’s forensic readiness: whether the systems were configured to record and retain traces before any incident.

If readiness is good, many sources are available and the investigation can be detailed. If readiness is weak (logging not enabled, short retention, no infrastructure documentation), it is not only logs that disappear. The other sources are also limited.

Note: In extreme cases when nearly all sources are already gone (memory wiped by restart, disks reformatted, no external logs), the ability to reconstruct events is very limited. The report will honestly state what cannot be verified, and beyond that point the work moves out of digital forensics into internal investigation or audit territory.

What Determines the Outcome

Success Factors

The success of a forensic investigation does not depend only on the capability of the technical team. Forensics is a system with many components. If one is lacking, the result can be less than ideal even with a capable team.

Four main factors usually determine success:

  1. Forensic readiness. Already explained earlier. This determines how much evidence can be obtained at investigation time.
  2. State of evidence at arrival. Internal IT often does “cleanup” (restart server, restore from backup, rotate passwords) before the forensic team is called. Good intentions, but valuable evidence can be erased in the process.
  3. Response speed. The faster the team is called in, the more evidence is still intact.
  4. Client cooperation and authority. Without proper access authorization and openness from the internal team, the forensic team cannot move forward.

A capable team is necessary but not enough on its own. Successful forensics also requires client readiness, preserved evidence, and process discipline from all parties involved.

When Findings Go to Court

If forensic results are brought to court, the forensic expert appears as an expert witness, which is a different role than a witness of fact (an eyewitness). Indonesian law makes the distinction explicit:

Aspect | Witness of Fact | Expert Witness
--- | --- | ---
Legal basis | Article 1(27) KUHAP | Article 186 KUHAP
Knowledge basis | Personal experience | Specialized expertise
Sample testimony | “I saw the hacker break in” | “Based on log analysis, technique X was used, with confidence Y, based on methodology Z”

The judge is not required to follow the expert’s opinion, and the opposing party usually brings their own expert to question the methodology or the conclusions. An expert who is ready to be challenged sticks to the method, not personal opinion, honestly acknowledges limitations, and has a clean chain of custody.

Common Misconceptions

Five common misconceptions about digital forensics. They often come up in client conversations, but they reflect how people misunderstand the field in general.

Misconception | Reality
--- | ---
“You will catch the perpetrator” | What is realistic is a profile of who or what group is behind the attack, not a name. Reaching the individual requires cross-jurisdictional cooperation with law enforcement, which is outside the forensic team’s scope.
“Done in a few days” | Imaging a single server alone can take days, and a thorough investigation takes weeks to months depending on the scope. Rushing it usually means the report becomes weaker when someone challenges it later.
“Forensics = recovery” | Three different activities are involved: forensics (find out what happened), recovery (restore operations), remediation (fix the security hole). They can all be requested, but each works differently and needs its own plan.
“Black-and-white results” | Forensic findings come with confidence levels, not yes-or-no answers. “With high confidence, the attacker entered via a compromised VPN account at timestamp X” is the shape of an honest finding. “100% certain” is not.
“The report can be adjusted” | The report has to stay neutral and factual. Once findings are adjusted to fit what someone wants to hear, the report loses its value as evidence for court, regulators, or insurers.

Conclusion

We’ve walked through the basics of digital forensics: what it is, how investigations are done, and what determines the outcome.

Digital forensics looks like a technical job: tools, frameworks, hashes, evidence acquisition. But the foundation is not only mastering those things. It is also keeping the evidence, the report, and the process trustworthy at every step. If any of those is compromised, the others lose their value as well.

This post is licensed under CC BY 4.0 by the author.