Skip to main content
Build the future with Agentforce at TDX in San Francisco or on Salesforce+ on March 5–6. Register now.

Get to Know Cyber Defense Forensics

Learning Objectives

After completing this unit, you’ll be able to:

  • Define cyber defense forensics terms.
  • Describe the goals of cyber defense forensics.
  • Explain how cyber defense forensics benefits an organization’s cybersecurity.

Cyber Defense Forensics Glossary

Cyber defense forensics plays an important role in infrastructure protection, law enforcement, counterintelligence, counterterrorism, and safety. According to the National Initiative for Cybersecurity Careers and Studies (NICCS), cyber defense forensics analysts analyze digital evidence from computer security incidents to derive useful information in support of system and network vulnerability mitigation. People who work with digital forensics in cybersecurity are on the front lines in the fight against cybercrime. 

The role of computers and portable media devices such as cell phones and global positioning system (GPS) devices in criminal activity has increased significantly in recent years. These devices frequently contain vital evidence, including user data, files, call logs, location information, text messages, and audio and video recordings. 

According to TechTarget, cyber defense forensics is the application of investigation and analysis techniques to gather and preserve digital evidence from a particular computing device. For example, a cyber defense forensics analyst might assist investigators with accessing encrypted data from a locked mobile device during a narcotics investigation, to understand more about the distribution and sale of controlled substances.

As a cyber defense forensics analyst, you are a cyberdetective, who collects, preserves, and analyzes computer-related evidence during the investigation and analysis. Let’s take a look at some terminology before we dig deeper. 

A magnifying glass focused on a fingerprint, with 1s and 0s in the background

Term

Definition

Acquisition

The stage in a computer forensics investigation wherein the analyst collects the data involved, often by making a bit-by-bit copy.

Availability

This means that authorized users have reliable access to the systems and resources they need. 

Boot Record

Information in the first sector of any hard disk or diskette that identifies how and where an operating system (OS) is located so that it can be loaded into the computer’s main storage. 

Chain of Custody

A record of the chronological history of evidence and who accessed it.

Confidentiality

This means that data, objects, and resources are protected from unauthorized access. 

Cyber Defense Forensics

A branch of forensics that addresses digital evidence by applying investigation and analysis techniques to gather and preserve evidence in a way that is suitable for presentation in a court of law.

Forensic Image

A forensically sound copy of a hard drive or other digital media, generally intended for use as evidence. Such copies include unallocated space, slack space, and boot record. 

Indicator of Compromise (IOC)

A sign that an incident may have occurred. 

Integrity

Ensures that sensitive data is trustworthy and accurate and that it is maintained in a consistent, correct, and reliable manner. 

Slack Space

Leftover storage that exists on a computer’s hard disk drive when a computer file does not need all the space that the OS has allocated.

Unallocated Space

Space on the computer where deleted documents, file system information, and other electronic artifacts reside. 

Note

The terms digital forensics and computer forensics are commonly used synonyms for cyber defense forensics.

Goals, Tasks, and Benefits of Cyber Defense Forensics

Goals of Cyber Defense Forensics

These days, cybercriminals seem to be everywhere. All cyber defense strategies and tactics have a common goal to prevent, disrupt, and respond to cyber threats. Cyber defense forensics analysts help identify the compromise of confidentiality, integrity, or availability, and the circumstances around it—to obtain evidence, understand the source, prove what happened, and recover compromised data. Analysts conduct sufficient investigation (for example, by using deep-dive forensics capabilities) to identify (and prosecute, if appropriate) the perpetrator(s). 

The National Institute of Standards and Technology (NIST) states that, “The most common goal of performing forensics is to gain a better understanding of an event of interest by finding and analyzing facts related to the event.” Cyber defense forensics analysts collect, process, preserve, and analyze computer-related evidence. There are various applications for cyber defense forensics such as post-incident investigation and evidence collection for legal proceedings or internal disciplinary actions. 

However, keep in mind that computer forensics investigations are not always tied to a crime. The forensics process has a variety of applications, such as recovering data from a crashed server or a failed drive. Forensics analysts may also use digital forensics to reformat an operating system (OS) or to assist in other situations where a system has unexpectedly stopped working. For this reason, before you begin identifying and preserving evidence, it’s important that you determine the objectives of your investigation and gain approval either from legal counsel or your organization’s leadership.

Cyber Defense Forensics Tasks

As a forensics investigator, you’ll be on the front lines of fighting cybercrime and helping law enforcement provide security. You’ll investigate computer-related security incidents including data breaches, theft, or other online criminal activities. No matter the case, you’ll investigate a range of crimes where the computer is either the target of a crime (unauthorized access) or an object of a crime (used to commit fraud). Let’s look at a more detailed example.

Jocelyn is a cyber defense forensics analyst for a law enforcement agency investigating the theft of a valuable bracelet from a museum. Her team believes this crime is similar to another crime for which the suspect is already in custody. They suspect that a lot of detailed planning went into the heist and that details of that plan may be stored on the suspect’s computer, which was seized with a search warrant in a previous investigation. 

Jocelyn discusses with her manager how she plans to investigate the suspect’s computer to collect evidence regarding this matter. Jocelyn’s objective is to uncover digital evidence from the suspect’s seized computer that can connect him to this crime. Jocelyn prepares a forensics workstation where she dynamically assesses forensic copies of the suspect’s computer. On this workstation, she installs forensics tools such as EnCase, IBM Security QRadar, and Forensic Toolkit (FTK), which can help her recover evidence from the seized hard drive. 

At her forensics workstation, Jocelyn creates a forensic image of the suspect’s computer hard drive. She installs this image on her workstation and begins to examine the data contained in it. 

While examining the data, Jocelyn uncovers a hidden folder that includes building plans to the museum. She also uncovers phishing emails sent to the building’s security staff, targeted at gaining unauthorized access to credentials into the security monitoring system. Finally, she finds a deleted photo showing the suspect wearing the stolen bracelet. 

As she identifies each piece of evidence, she collects and preserves this data in case she is called to testify in a court of law about evidence obtained during the course of the investigation.

Benefits of Cyber Defense Forensics

Many organizations are undergoing digital transformations, and it’s therefore critical to be aware and vigilant about cybersecurity. Our lives are fully online, so we need these skills now more than ever to help us stay safe. Malicious actors often go to great lengths to cover up their tracks making it very challenging to bring them to justice. As a cyber defense forensics analyst, you, like Jocelyn, make use of your unique skill set to uncover digital fingerprints from a crime to identify the perpetrators. 

In Jocelyn’s case, cyber defense forensics was used to collect digital evidence of a physical crime, and also pointed toward evidence of the suspect using the computer to commit a crime. In this case the museum’s IT resources, including its security monitoring system and the security staff member’s account.

A cyber defense forensics program within an organization typically covers solving computer crimes such as a malicious actor improperly accessing a computer, modifying data, or introducing a virus to a computer system. Companies that are vigilant about protecting their data regularly test their systems, looking for vulnerabilities. 

In this case, the museum that was the target of the theft may decide to employ forensics analysts to look for vulnerabilities in its email, security training protocols, and security monitoring systems and recommend strategies to mitigate their impacts. Early detection and swift investigation are critical to fending off attackers and responding to threats. Implementing a cyber defense forensics program allows an organization to proactively improve its cybersecurity, and protect its earnings and valuable time. 

Knowledge Check

Ready to review what you’ve learned? The following knowledge check isn’t scored—it’s just an easy way to quiz yourself. To get started, drag the description in the left column next to the matching term on the right. When you finish matching all the items, click Submit to check your work. If you’d like to start over, click Reset.

Great work!

Sum It Up

Now you understand more about cyber defense forensics terms, goals, tasks, and benefits. In the next unit, you learn more about the responsibilities of a cyber defense forensics analyst and discover the skills that help forensics analysts succeed. 

Resources 

Share your Trailhead feedback over on Salesforce Help.

We'd love to hear about your experience with Trailhead - you can now access the new feedback form anytime from the Salesforce Help site.

Learn More Continue to Share Feedback