🕵️♂️ Summary: The Different Phases of Digital Investigation
Digital investigation is a structured process aimed at retrieving, analyzing, and utilizing digital traces following a security incident, fraud, or legal inquiry.
🔍 1. Identification
Objective: Detect that an incident has occurred and identify potential sources of evidence.
Key actions:
- Monitoring system logs
- Security alerts (SIEM, IDS/IPS)
- User reports
📦 2. Preservation (or Acquisition)
Objective: Secure data without alteration to ensure evidence integrity.
Key actions:
- Creating bit-by-bit disk images
- Using write blockers
- Maintaining chain of custody
🧪 3. Analysis
Objective: Deeply examine collected data to extract relevant information.
Types of analysis:
- Log file review
- Malware or backdoor detection
- Metadata extraction
- Network traffic analysis (PCAP)
🧾 4. Documentation
Objective: Accurately record every step to ensure reproducibility and legal admissibility.
Best practices:
- Timestamp all actions
- Take screenshots
- Write a structured report
🧑⚖️ 5. Presentation
Objective: Present the findings to decision-makers, investigators, or in court.
Possible formats:
- Technical reports
- Visual summaries
- Expert testimony
🛡️ 6. Bypassing / Active Response
Objective: In offensive or defensive contexts, understand how protections were bypassed.
Associated actions:
- Analyzing rootkits or evasion techniques
- Reconstructing the attack vector
🧭 7. Tracing Activities
Objective: Identify past activity even if attempts were made to erase it.
Examples:
- Recovering deleted files
- Reviewing login histories
- Restoring digital artifacts
🧱 8. Finding Hidden Traces
Objective: Detect deliberately concealed evidence.
Techniques:
- Steganography analysis
- Searching unallocated disk space
- Analyzing suspicious timestamps
✍️ Note: Each step must be carried out with precision and traceability, especially in a judicial context.