Network Forensics & Antiforensics
When you are the victim of a cyber-incident – network intrusion, data theft or APT – where do you start? The first step in responding to a cyber-incident is to gather the facts: what happened, how it happened, when it happened and who did it. A crucial element is establishing an accurate timeline of events, including both the points in time at which the attacker's actions took place and when any related electronic material (computer files, programs and the like) originated.
At a physical crime scene, the forensic team can interpret and date blood spatter using a variety of well-established techniques. But how do you date a file on a computer, particularly when you know the computer has been tampered with? There are few parallels between the techniques and methods used in physical forensics and those used in computer and digital forensics. The challenge for the cyber-investigator is to reconstruct what happened and when, using evidence that is electronic and ephemeral rather than physical, and that the attacker may have altered deliberately.
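The question of dating a file on a tampered machine has a concrete starting point that the article does not spell out: on a POSIX filesystem the access and modification times (atime, mtime) can be set to any value by user code via utime(2), which is exactly what antiforensic "timestomping" tools do, but the inode change time (ctime) is maintained by the kernel and is itself updated by that very call. Comparing the two therefore gives a first consistency check. The script below is an added example, not code from the article: it stomps a constructed sample file and runs the check against it. It assumes Linux or macOS semantics for st_ctime (on Windows, st_ctime is the creation time and the check does not apply); the function names and thresholds are this example's own choices.

```python
import os
import tempfile
import time
from datetime import datetime, timezone

# Assumption: POSIX semantics, where st_ctime is the inode change time that
# user code cannot set directly (Linux, macOS). Not valid on Windows.


def stomp_times(path, fake_epoch):
    """Back- or forward-date a file the way timestomping tools do.

    atime and mtime are settable via utime(2); the kernel still bumps ctime
    to 'now' because the inode was changed.
    """
    os.utime(path, (fake_epoch, fake_epoch))


def check_timestamps(path, slack=2.0, gap=86400):
    """Return a list of findings about a file's mtime/ctime consistency.

    - 'tampered': mtime later than ctime. A legitimate write updates both, so
      mtime can only lead ctime if mtime was set explicitly (or clocks skewed).
    - 'inspect': ctime more than `gap` seconds after mtime. This is proof of
      nothing on its own (chmod/chown, or a copy that preserved timestamps,
      produce the same pattern) but such files deserve a closer look.
    """
    st = os.stat(path)
    findings = []
    if st.st_mtime > st.st_ctime + slack:
        findings.append("tampered: mtime %s is later than ctime %s" % (
            _iso(st.st_mtime), _iso(st.st_ctime)))
    elif st.st_ctime - st.st_mtime > gap:
        findings.append("inspect: ctime %s is %.0f days after mtime %s" % (
            _iso(st.st_ctime), (st.st_ctime - st.st_mtime) / 86400.0,
            _iso(st.st_mtime)))
    return findings


def _iso(epoch):
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime(
        "%Y-%m-%dT%H:%M:%SZ")


def demo():
    """Create a constructed sample file, stomp it twice, and return the
    findings before and after each stomp: (fresh, back_dated, future_dated)."""
    with tempfile.TemporaryDirectory() as workdir:
        sample = os.path.join(workdir, "evidence.log")
        with open(sample, "w") as fh:
            fh.write("constructed sample content\n")
        fresh = check_timestamps(sample)

        # Back-date to 2001-01-01T00:00:00Z: mtime is old, ctime is 'now'.
        stomp_times(sample, 978307200)
        back_dated = check_timestamps(sample)

        # Forward-date by ten days: mtime now leads ctime, which cannot
        # happen through an ordinary write.
        stomp_times(sample, time.time() + 10 * 86400)
        future_dated = check_timestamps(sample)
        return fresh, back_dated, future_dated


if __name__ == "__main__":
    for label, findings in zip(("fresh", "back-dated", "future-dated"), demo()):
        print("%-13s %s" % (label, findings or "no findings"))
```

The check is deliberately conservative: a file whose mtime leads its ctime is flagged as tampered, while an old mtime next to a recent ctime is only flagged for inspection, because `cp -p`, `tar -x` and a plain `chmod` produce that pattern legitimately. Corroborating evidence (filesystem journal entries, backups, network captures of the transfer) is what turns an "inspect" into a dated event.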