Digital forensics and privacy: 3 things to know
Digital forensic analysts are the Sherlocks of cybersecurity, gathering and interpreting evidence from digital sources for use in criminal or civil court cases. While the field of digital forensics is an interesting topic in its own right, it’s also worth learning about if you’re interested in digital privacy issues.
Understanding how digital forensic analysts work—and in particular, what they look for in their investigations—can teach you a lot about what’s going on behind the scenes on your computer. And once you know that, you can take steps to better protect your privacy.
Here are 3 facts from the world of digital forensics that can help keep you safe.
Deleted files aren’t really gone
Forensic analysts are often called upon to recover deleted files from computer systems in their investigations. For many people, this may sound somewhat contradictory. After all, once you’ve deleted a file and emptied your Trash or Recycle Bin, the data is gone forever, isn’t it?
Unfortunately, file deletion doesn’t really work this way. But to understand why, you need to know how files are managed on a computer. Every OS has something called a filesystem, which handles the storage and retrieval of files. It does all the heavy lifting of file management for the user: allocating space in the machine’s physical memory for file storage, keeping track of where one file begins and another ends within this memory, naming and renaming files, and so on. It also does its best not to waste system resources, which is significant in the context of file deletion.
Much of a filesystem’s work is kept hidden from users by the OS’s user interface (UI). The UI provides a graphical, easy-to-understand picture of what’s happening on the system, so that users can focus on getting their work done. But the UI’s simplified representation of system actions can sometimes be a little misleading, and file deletion is a perfect example of this.
On most systems, when you click “delete”, nothing actually happens to the data in the files you’re trying to erase. The filesystem simply makes a note to itself that the physical memory locations which stored the data are now free: meaning they can be safely overwritten. The filesystem also removes your ability to see your “deleted” files in the UI, which is why most people think those files are completely gone. But in fact, the actual data—the 1s and 0s that make up the file—is still stored in the same place in memory as it always was. The only difference is that now it’s waiting to be overwritten by new data. But until it is overwritten, your old data is recoverable by a forensic analyst with the correct tools.
Privacy takeaway: The phenomenon of deleted files hanging around in memory is well-known (it even has a name: “data remanence”). For this reason, privacy-minded companies have created tools and apps to facilitate truly secure data deletion. These tools allow users to delete files securely by overwriting their memory locations multiple times with meaningless data, and then purging that data from the system. Data remanence is enough of a security concern that the Department of Defense imposes strict standards for secure data deletion at its facilities. Good news for Mac users: Secure data deletion (in compliance with DoD standards) is one of the functions of our own PrivacyScan app.
Private browsing isn’t private
One subset of digital forensics is network forensics, which involves monitoring, capturing, and analyzing network activity in order to build a body of evidence (typically in a criminal case). But just as most of us don’t have a clear picture of what our filesystem is doing, many of us also have a somewhat hazy view of how data is transmitted on a network.
While the subject of Internet protocols is a bit beyond the scope of this article, it suffices to say that all Internet activity is monitorable. This is how network forensic analysts do their jobs! But just as your OS’s interface gives you a somewhat simplified version of what the filesystem is doing, your web browser may give you a mistaken impression of how private your Internet activity really is.
When you enable “private browsing” in your web browser, you’re really just preventing the browser from recording your web activity locally. Your searches and site visits won’t be recorded in the browser’s history, and neither will cookies or form data be stored after your session ends. But the actual data sent and received, the network traffic itself, is extremely easy to intercept and monitor for anyone with the right tools—or simply anyone whose job it is to manage the network.
Remember that even career cybercriminals, who know how to cover their tracks online better than most people, are routinely caught by network forensic analysts. You should assume that anything you do online is visible to the government, law enforcement, Internet service providers, and even network administrators.
Privacy takeaway: Knowing that network traffic can be monitored by third parties—simply because of how the Internet works—is an important step in improving your personal security posture. It’s sobering to learn that your web activity can be seen by the FBI, Time-Warner Cable, or Susan in IT. But this knowledge also allows you to take steps to make your online activities a bit more private. Consider using a VPN in order to encrypt the data you send over the web. While it won’t anonymize you, it will protect your privacy—and make it more difficult for bad actors to do you harm.
Your OS is watching
Your OS is capable of recording nearly everything that happens on your computer. This information is stored in system logs, and is tremendously useful to system administrators or programmers when they are attempting to resolve performance issues or debug software. However, these logs can also be used by forensic analysts to understand what happened on a machine they are investigating.
Forensic analysts who are attempting to determine the cause of a cyberattack, for example, can use the information provided by system logs to gain a clearer picture of the attack vector. OS logs can be used to see if a thumb drive was inserted into a computer just before an attack, and if that storage device had been used previously. This kind of information could help an investigator determine whether or not the drive belonged to an everyday system user…or to an attacker. This can offer insight into how a piece of malware made its way onto the network.
These logs can also be used to review a device’s state history: When it was turned on, when it was turned off, and so forth. For laptops, this even applies to the state of the computer’s lid, as the system logs make a note of each time the lid is open or closed. This is extremely useful information to have in cases where an investigator suspects that someone’s computer may have been physically compromised—accessed by a malicious actor with direct access to the device.
Privacy Takeaway: Once you realize that all of this information is being captured by your OS, you can take action if you suspect that you may be the victim of a so-called “evil maid” attack (an intrusion which depends on someone having physical access to your device). There are tools and applications which can access your system logs and help you make sense of all that data. Some of them can even help monitor the logs on an ongoing basis to alert you to suspicious behavior. For macOS users, our friends at Objective-See offer a free Mac app called DoNotDisturb which provides this functionality—and offers a great way to start doing a bit of digital forensics yourself!
Digital forensics can be a somewhat intimidating topic, because it takes us into the complexities of how computers actually work. But learning about the methods of the cybersleuths who work in the field is an excellent way to gain insight into what’s going on “under the hood” of your computer. And that insight, hopefully, can help you stay safe online.