Digital Forensics Demystified
by Brent Kirkpatrick
(Date Published: 5/23/2018.)
Detection in forensics is the process where we use indicators of compromise to identify known hacks. For example, your computer might have been hacked using the same method that was used to hack Target last year. The forensics team that analyzed the Target hack may have found indicators of compromise that they published. When you request forensics, your computer can be scanned for evidence of the same or similar hack.
Discovery is a de novo process designed to identify evidence of a novel hack. This type of forensics is used when detection fails to identify the method of attack. For example, if your computer was hacked using a zero-day exploit, discovery may lead to isolating the machine code used in the hack. After being isolated, the machine code is read by an expert to discover what it does.
Detection is significantly faster than discovery. In some cases, detection can be automated with scanning tools. Root kits, viruses, trojans, and command-and-control code can all be detected using scanning tools. Discovery, on the other hand, can take months of painstaking work.
Contact Intrepid Net Computing if you need carefully done digital forensics, or if you need forensics in support of incident response.
defendIT. AI-driven incident response measures derived from security incident data.