Introduction to Digital Forensics

Introduction to Digital Forensics

This post was written by Ilias Spais , Senior IT Project Manager and researcher. AEGIS IT Research

(Athens, Greece), Dec. 18th

Digital Forensics: the term

Generally, the definition of digital forensics is “…the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data". 1

Following this definition, digital forensics has been in the popular mainstream for some time, and has matured into an information-technology capability that is very common among modern information security programs. The goal of digital forensics is to support the elements of troubleshooting, monitoring, recovery, and the protection of sensitive data. Moreover, in the event of a crime being committed, cyber forensics is also the approach to collecting, analysing, and archiving data as evidence in a court of law 2.

The critical role of forensics visualization

Although scalable to many information technology domains, especially modern corporate architectures, digital forensics can be challenging when being applied to non-traditional environments, which are not comprised of current information technologies or are designed with technologies that do not provide adequate data storage or audit capabilities. In addition, further complexity is introduced if the environments are designed using proprietary solutions and protocols, thus limiting the ease of which modern forensic methods can be utilized. Critical infrastructures are those "systems and assets, whether physical or virtual, so vital that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters .” The importance of maintaining critical infrastructures (CIs) safe increases the severity of the framework that ensures integrity and makes them non-traditional and extremely dependent to the complete environment. Moreover, the legacy nature and somewhat diverse or disparate component aspects of CIs can often prohibit the smooth incorporation and utilization of modern forensics analysis. Compounded by a wide variety of proprietary technologies and protocols, as well as critical system technologies with no capability to store significant amounts of event information, the task of creating a ubiquitous and unified strategy for technical cyber forensics for CIs or computing resource is far from trivial. To date, no direction regarding digital forensics as it relates to CIs has been produced other than what might be privately available from commercial vendors.

Types of investigation and incidents

There are three types of digital investigation:

  • Internal: no search warrant or subpoena needed, quickest investigation
    • Corporate investigation that involves IT administrator reviewing documents that they should not be viewed.
  • Civil: other side may own the data, may need subpoena
    • One party sues another over ownership of intellectual property, must acquire and authenticate digital evidence so it can be submitted in court.
  • Criminal: highest stakes, accuracy and documentation must be of highest quality, slowest moving
    • Child porn investigation that involves possession and distribution of contraband.

The most well-known types of incidents a forensics process can be utilized for are the following:

  • Malicious code
  • Unauthorized Access
  • DOS (denial of service)
  • Misuse of resources
  • Espionage
  • Hoaxes

AEGIS Forensics Visualization Toolkit

For forensics purposes CIPSEC framework will count with AEGIS visualization toolkit. AEGIS visualization toolkit is based on a dynamic visualization framework with viewpoints of varying granularity, produced by a set of interactive visualization tools capable of allowing for a more straight-forward exploratory analysis. The selection of the tools, and the definition of the theoretic forensics visualization framework has been taking into account the cybersecurity domain applied and the pilot’s end-users requirements.

Example of visualization viewpoints showing different aspects of the network, the one on left shows traditional charts of various network parameters, while the one on the right shows bandwidth consumed per IP address.


1 NIST SP 800-86, “Guide to Integrating Forensics Techniques into Incident Response,”
2 DHS National Cyber Security Division, Control Systems Security Program

CIPSEC project results receive funding from the European Union’s Horizon 2020 Research and Innovation Programme, under Grant Agreement no 700378.
The opinions expressed and arguments employed in this publication do not necessarily reflect the official views of the Research Executive Agency (REA) nor the European Commission.