Understanding Digital Forensics

What digital forensics is, the case types it handles, and the concepts behind it.

Introduction

After years in offensive security, I’ve started picking up digital forensics on the side. Before going deep into tools and forensic distros, I wanted to understand the field conceptually first.

This post is what I learned along the way. It covers:

  • What digital forensics is: the origin of the word, how it applies in the digital world, common case types, and how it differs from incident response.
  • How investigations are done: the common frameworks, the roles of the people involved, the four main steps, how evidence is kept safe (chain of custody), and where evidence comes from.
  • What determines the outcome: what makes an investigation succeed, what happens when findings are challenged (in court or elsewhere), and common misconceptions.

What is Digital Forensics?

Origin of the Word “Forensic”

The word “forensic” comes from Latin forensis, meaning “of the forum”, referring to the public forum in ancient Rome where trials and important matters were held. From the start, it meant a way of finding truth that could be examined and accepted in public.

The classic example is the forensic doctor. In a murder case, three roles work in parallel:

| Role | Job |
| --- | --- |
| Police | Catch the suspect |
| Emergency room doctor | Treat the victim |
| Forensic doctor | Examine the body to determine what happened, when, and how |

The forensic doctor’s job is the autopsy, with a method that can be reproduced by other experts.

In the Digital World

The same idea, but for digital evidence: computers, phones, networks, and cloud accounts.

The work has three parts: collecting the traces an attacker leaves behind, keeping them safe so they don’t get damaged, and using them to explain what really happened.

The same role split applies in digital cases:

| Role | Job after a breach |
| --- | --- |
| Law enforcement | Catch the hacker |
| IT team | Restore systems |
| Digital forensics | Work out what happened during the breach |

A digital forensic team tries to answer: when did the attacker get in, how did they get in, what did they do once inside, what data did they take, and how big the damage is.

The findings can be used for several things: as evidence in court, to support a cyber insurance claim, to report the incident to regulators, or as internal lessons so the same thing doesn’t happen again.

Note: In Indonesia, the relevant regulators cover different areas:

  • BSSN: national critical and vital information infrastructure under Perka BSSN 1/2024 on cyber incident management (24-hour incident reporting)
  • OJK: banking, insurance, fintech under SEOJK 29/SEOJK.03/2022 on cyber security and resilience for commercial banks
  • Bank Indonesia: payment system operators, money market, foreign exchange under PBI 2/2024 (1-hour preliminary notification, 3-day full report)
  • Komdigi: general Electronic System Operators (PSE) under Permenkominfo 5/2020
  • Personal Data Protection Authority (currently handled by Komdigi): personal data breaches under UU PDP (3×24 hour notification window)

Key principle: Digital forensics finds out what happened. It doesn’t decide what to do about it. That decision belongs to someone else.

Common Case Types

Digital forensics is used in many different situations. Some of the most common case types:

| Case type | Typical question | Common evidence |
| --- | --- | --- |
| Ransomware | How did the attacker get in? What was stolen before encryption? Can files be recovered? | Memory dump (encryption keys), logs, network traffic, ransom notes |
| Data breach | What data was taken? When? How? | Database logs, file access logs, outgoing network traffic, attacker tools |
| Business Email Compromise (BEC) | Whose email was hacked? How did the attacker maintain access? Were any payments redirected? | Email server logs, forwarding rules, login records |
| Insider threat | Did an employee leak data or steal files? When? To whom? | USB device history, email exports, file metadata, cloud activity logs, browser history |
| Fraud investigation | What financial transactions were involved? Who approved them? | Email correspondence, financial system logs, document timestamps |

Cases often overlap. A ransomware attack might also involve data theft if files were copied before encryption.

The case type determines which evidence is collected first. For ransomware, capturing RAM is the priority (it may still hold the encryption key). For insider threat, evidence of how data may have left the organization is checked first: USB, email, cloud activity, and browser history.

Forensics vs Incident Response

When researching digital forensics, you will often see the term DFIR, which stands for Digital Forensics and Incident Response.

| Aspect | Digital Forensics | Incident Response (IR) |
| --- | --- | --- |
| Core question | What happened? | How do we stop it? |
| Timing | After the event | During the event |
| Medical analogy | Autopsy | Emergency room doctor |
| Primary goal | Reconstruction | Containment |

The combined term exists because the two are difficult to separate in practice. Two ways things can go wrong:

  • IR too fast. Evidence can be destroyed. For example, rebooting a compromised server to stop the attack erases everything in memory (RAM), which might have held the ransomware’s encryption key or the network connections the attacker was using. Once the server reboots, those clues are gone.
  • Forensics too slow. The attack keeps spreading while the team is still analyzing.

Many teams now run both at the same time: securing evidence while containing the attack.

I will write about IR in a separate post.

How Investigations Are Done

Reference Frameworks

Frameworks help keep forensic work consistent and credible. Without one, results are easy to challenge in court or get rejected by regulators.

Two are most commonly used:

| Framework | Year | Focus |
| --- | --- | --- |
| NIST SP 800-86 | 2006 | Whole-process workflow for corporate IT environments |
| ISO/IEC 27037 | 2012 | Evidence handling and investigator roles |

NIST sets the workflow. ISO sets the evidence handling standard and the roles. The next sections walk through both.

Roles in an Investigation

ISO/IEC 27037 defines two roles for the people handling digital evidence. You will see these labels in the chain of custody example later.

  • DEFR (Digital Evidence First Responder). The person who arrives at the scene first. Their job is to identify what counts as evidence (servers, laptops, phones, recordings of network traffic), make sure those systems stay untouched, and start making copies of the data (a step called acquisition). Usually an experienced practitioner with broad acquisition skills across many device types.
  • DES (Digital Evidence Specialist). The expert who does the deep analysis. They take the copies the DEFR made and examine them closely: reading through log files, building a timeline of what happened, studying any malware found, and recovering deleted files. Usually has deeper forensic training in a specific area (memory, disk, mobile, or network).

The two roles exist because the work happens in two different settings. DEFR work is at the scene under time pressure: some evidence disappears fast (anything in RAM is gone the moment the computer restarts, for example). DES work happens in a lab over weeks of careful analysis, with no rush. The skills are different, so the roles are separated.

In a small team, one person might do both, switching modes between scene work and lab work. In larger investigations, the two roles are split into different people, so the DEFR can move to the next incident while the DES is still analyzing the previous one.

ISO/IEC 27037 also covers evidence handling techniques and device-specific guidance, but the role split is what it’s best known for.

The Four Investigation Phases

NIST SP 800-86 breaks an investigation into four broad phases:

| Phase | What it covers | Key concern |
| --- | --- | --- |
| Collection | Identifying evidence sources and making copies (memory, disks, network, cloud) | Preserve the original state and document everything |
| Examination | Going through the copies to pull out the relevant data (filtering, parsing, making it readable) | Reduce volume without losing important context |
| Analysis | Making sense of the extracted data to answer the case questions: what happened, who was behind it, when, and how big the damage is | Stay focused on what the evidence shows, not on theories |
| Reporting | Writing down findings, the method used, limitations, and what is still uncertain | Honesty, completeness, and clear enough that others can repeat it |

The phases run in order, but the flow is not strictly one-way. Analysis often reveals gaps that send the team back to collection or examination for more data.

Chain of Custody

Chain of custody is required by every forensic framework, including NIST and ISO above. It is a complete record of an evidence item’s full history, from the moment it is collected until it is presented in court or handed to a regulator.

Each entry records who held it, when, for what purpose, and where it was stored. A simple example:

| Timestamp | Handler | Action | Location | Hash check |
| --- | --- | --- | --- | --- |
| 2026-01-25 09:00 | Andi (DEFR) | Imaged server-01 (made forensic copy) | Client site | a3f1... (computed) |
| 2026-01-25 11:30 | Budi (transport) | Sealed evidence bag, transported | Vehicle | a3f1... verified |
| 2026-01-25 13:00 | Citra (DES) | Received in lab | Forensic lab | a3f1... verified |
| 2026-01-26 14:00 | Citra (DES) | Mounted read-only for analysis | Forensic lab | a3f1... verified |

The hash column is a digital fingerprint of the file: a cryptographic hash computed once at acquisition and recomputed at every handoff. If even a small part of the file changes, the hash changes completely, so tampering is easy to detect.

Important: A gap in the chain of custody can make the evidence questionable, even if technically nothing inside it changed. The court does not need to prove tampering happened, only that the possibility cannot be ruled out.

If chain of custody breaks, the quality of the analysis no longer matters much.
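As an added illustration (not code from the original post), here is how the hash column of a chain of custody record like the one above can be checked mechanically at each handoff. The handler names and the image bytes are constructed stand-ins, and SHA-256 is assumed as the hash algorithm because the table does not name one.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime


@dataclass
class CustodyEntry:
    timestamp: str   # "YYYY-MM-DD HH:MM", same format as the post's table
    handler: str     # person and role, e.g. "Andi (DEFR)"
    action: str
    location: str
    sha256: str      # fingerprint recorded at this handoff


def fingerprint(data: bytes) -> str:
    """SHA-256 of the evidence image (assumed algorithm); any change flips the digest."""
    return hashlib.sha256(data).hexdigest()


def verify_chain(entries: list[CustodyEntry], image: bytes) -> list[str]:
    """Return the problems found; an empty list means the chain holds."""
    problems = []
    if not entries:
        return ["no custody entries at all"]
    acquired = entries[0].sha256          # hash computed by the DEFR at acquisition
    prev_time = None
    for e in entries:
        t = datetime.strptime(e.timestamp, "%Y-%m-%d %H:%M")
        if prev_time is not None and t < prev_time:
            problems.append(f"out-of-order entry at {e.timestamp} ({e.handler})")
        prev_time = t
        if e.sha256 != acquired:          # every later handoff must re-verify the same hash
            problems.append(f"hash mismatch at {e.timestamp} ({e.handler})")
    if fingerprint(image) != acquired:    # the image presented now must still match
        problems.append("image presented now does not match the acquisition hash")
    return problems


# Constructed sample: a stand-in for the server-01 image, not real evidence.
IMAGE = b"constructed stand-in for the server-01 forensic image"
H = fingerprint(IMAGE)
CHAIN = [
    CustodyEntry("2026-01-25 09:00", "Andi (DEFR)", "Imaged server-01", "Client site", H),
    CustodyEntry("2026-01-25 11:30", "Budi (transport)", "Sealed and transported", "Vehicle", H),
    CustodyEntry("2026-01-25 13:00", "Citra (DES)", "Received in lab", "Forensic lab", H),
    CustodyEntry("2026-01-26 14:00", "Citra (DES)", "Mounted read-only", "Forensic lab", H),
]

if __name__ == "__main__":
    print(verify_chain(CHAIN, IMAGE))              # clean chain: []
    print(verify_chain(CHAIN, IMAGE + b"\x00"))    # one byte appended: mismatch reported
```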

Sources of Evidence

Forensics collects evidence from many sources, not just logs. Each source holds different information and they complement each other.

The underlying principle was first described by French criminologist Edmond Locard in the early 1900s, known as Locard’s Exchange Principle: every interaction leaves a trace. It started as a principle about clothing fibers at a crime scene and dust on a suspect’s shoes, but applies just as well in the digital world.

Common sources of evidence, ordered by how fast they disappear:

| Source | Volatility | What it captures |
| --- | --- | --- |
| Memory (RAM) | High, lost on restart | Active processes, network connections, encryption keys |
| Logs | Medium, depends on how long logs are kept | OS, applications, firewalls, centralized log systems (SIEM) |
| Filesystem metadata | Low | Records of every file's existence and changes (like the NTFS Master File Table on Windows) |
| Registry artifacts (Windows) | Low | Records of programs run and folders opened (ShimCache, AmCache, Shellbags) |
| Application caches | Low | Browser, email client, messenger local data |
| Slack space | Low | Files that were "deleted" but still on disk until something overwrites them |
| External sources | Varies | Cloud provider logs, Microsoft 365, Google Workspace, connected business partners |

How complete these sources are at investigation time depends on the organization’s forensic readiness: whether the systems were configured to record and retain traces before any incident.

If readiness is good (logs enabled, long retention, infrastructure documented), the investigation can be detailed. If readiness is weak (logging not enabled, short retention, no infrastructure documentation), the investigation will be limited.

Note: In extreme cases when nearly all sources are already gone (memory wiped by restart, disks reformatted, no external logs), the ability to reconstruct events is very limited. The report will honestly state what cannot be verified, and beyond that point the work moves out of digital forensics into internal investigation or audit territory.

What Determines the Outcome

Success Factors

The success of a forensic investigation does not depend only on the capability of the technical team. Forensics is a system with many components. If one is lacking, the result can be less than ideal even with a capable team.

Four main factors usually determine success:

  1. Forensic readiness. Already explained earlier. This determines what evidence the systems captured in the first place.
  2. State of evidence at arrival. Internal IT often does “cleanup” (restart server, restore from backup, rotate passwords) before the forensic team is called. Good intentions, but valuable evidence can be erased in the process.
  3. Response speed. Even without IT cleanup, evidence gets harder to recover the longer you wait. The system may have been restarted (RAM gone), old logs may have been overwritten by newer ones, and live connections to the attacker may have dropped. The faster the forensic team is called in, the more is still recoverable.
  4. Client cooperation and authority. Without proper access authorization and openness from the internal team, the forensic team cannot move forward.

A capable team is necessary but not enough on its own. Successful forensics also requires client readiness, preserved evidence, and process discipline from all parties involved.

When Findings Go to Court

If forensic results are brought to court, the forensic expert appears as an expert witness, which is a different role from a witness of fact (an eyewitness). Indonesian law makes the distinction explicit:

| Aspect | Witness of Fact | Expert Witness |
| --- | --- | --- |
| Legal basis | Article 1(27) KUHAP | Article 186 KUHAP |
| Knowledge basis | Personal experience | Specialized expertise |
| Sample testimony | "I saw the hacker break in" | "Based on log analysis, technique X was used, with confidence Y, based on methodology Z" |

The judge does not have to follow the expert’s opinion. The opposing side usually brings their own expert to question the method or conclusions.

Challenges can also come from outside court: clients who don’t like the conclusion, regulators asking for stricter proof, insurance companies disputing the claim, or other forensic experts in internal review. In all these situations, the principles for defending the findings are the same:

  1. Stick to the method. Explain how you got there: which logs you analyzed, which tools you used, which steps you took. Don’t argue from what feels right.
  2. Stay within your expertise. Only talk about technical findings, not about motives, the law, or business impact. A digital forensic expert can say “this file was accessed at timestamp X” but not “therefore the suspect wanted to steal it”.
  3. Acknowledge limitations honestly. Be clear about what you could not verify and how sure you are about each finding. “I don’t know” is stronger than guessing.
  4. Keep the chain of custody clean. Without a clean record, even perfect analysis can be thrown out. With one, the evidence stays solid; only the interpretation can be debated.
  5. Have recognized competence. Have the credentials to back you up: degree, certifications, prior cases, professional standing. Without them, the other side can dismiss you before they even look at your findings.

Common Misconceptions

Five common misconceptions about digital forensics that often come up in conversations:

| Misconception | Reality |
| --- | --- |
| "You will catch the attacker" | Forensic work can identify what kind of group is behind the attack: their methods, tools, and patterns. It rarely identifies a specific individual. Reaching the individual needs police cooperation across borders, which is outside the forensic team's scope. |
| "Done in a few days" | Imaging a single server alone can take days, and a thorough investigation takes weeks to months depending on the scope. Rushing it usually means the report becomes weaker when someone challenges it later. |
| "Forensics = recovery" | Three different activities are involved: forensics (find out what happened), recovery (restore operations), remediation (fix the security hole). They can all be requested, but each works differently and needs its own plan. |
| "Black-and-white results" | Forensic findings work on the principle of best explanation given available evidence. "With high confidence, the attacker entered via a compromised VPN account at timestamp X" means this conclusion best fits current evidence, but the team could still be wrong if new evidence appears. "100% certain" would mean ruling out every possible alternative, which is rarely possible in real cases. |
| "The findings can be adjusted" | The report has to stay neutral and factual. Once findings are adjusted to fit what someone wants to hear, the report loses its value as evidence for court, regulators, or insurers. |

Conclusion

We’ve walked through the basics of digital forensics: what it is, how investigations are done, and what determines the outcome.

Digital forensics looks like a technical job: tools, frameworks, hashes, evidence acquisition. But the foundation is not only mastering those things. It is also keeping the evidence, the report, and the process trustworthy at every step. If any of those is compromised, the others lose their value as well.

This post is licensed under CC BY 4.0 by the author.