4 Mistakes That Can Sink a Cyber Forensic Investigation

4 Mistakes That Can Sink a Cyber Forensic Investigation

It is exciting to see how forensics contributes to the investigation of a cyberattack. The application of forensics in the crime scene is what we are aware of but using forensics in digital crime requires a deeper understanding. One common aspect among both is that the evidence must be secured and handled carefully. In the case of computer forensics, the digital data in the devices, and other information gathered from the crime scene should be stored properly.

The major similarity between a security breach and crime lies in the mistakes that investigation officers often commit. A prime example of ineffective forensic investigation is that of Equifax’s breach which was reported in 2017. The hackers breached the Equifax application in May 2017 but the company only realized this after July 2017. However, this was the company’s second breach and the previous breach was in April 2016. Equifax ignored the severity of the breach and also failed to alert its clients about the incident. The data of nearly 143 million Americans was breached due to the company’s poor investigation. The icing on the cake is that the Equifax also failed to effectively handle the incident and ended up diverted the users to a phishing site. [1]

Avoid These 4 Mistakes:

Mistake #1: Missing the only chance of capturing the image

Like crime, detectives have only one chance to take the first picture of the crime scene as soon as the crime is reported. The digital forensic investigators also get the only chance to capture the initial scene of the breach. Forensic imaging is also important in analyzing the root cause of the attack. It involves capturing and storing all the targeted systems’ data. Capturing and preserving the exact image of the breached network will help preserve the state of the system at the time of the incident. Any changes made to the systems after this will not affect the analysis.

Mistake #2: Inadequate prevention

While starting to investigate a crime scene it is important to define its boundaries and restrict entry to the crime scene to preserve the crime elements. The same goes for cybercrime. Cyber investigators must assess the severity of the attack, find what information has been compromised, the longevity of the attack, and analyze what is persistent and non-volatile for investigation. The investigation should be performed carefully by not altering the metadata, caches and temporary files.

Mistake #3: Lack of communication

A crime investigation requires a lot of communication between the detective, the pathologist, the coroner, the lab scientists, and other partners involved. A lack of communication could hinder the effective investigation. The communication in the case of cyber forensics extends beyond the security team to the management, stakeholders, law enforcement, etc. The investigators communicate with the IT team to understand the network environment. They communicate with senior management to assess the impact of the security breach on the business.

The most important communication that is often neglected is addressing the breach to the stakeholders and customers. A communication professional reports the information on a timely basis to the stakeholders and the clients and ensures to minimize the damage of an organization’s reputation. The information about the breach should neither be delayed not it should be too early that it lacks valid details about the incident.

Mistake #4: Lack of policies and rules

An incident can be better handled when the policies are defined. Most often, initial drafting of policies and procedures are ignored as the task is laborious. But in the absence of pre-defined policies, there will be unnecessary delay in an investigation resulting in negative outcomes or compromised evidence.

An incident response plan is a set of policies and procedures that need to be followed on happening of an incident. An IR plan will serve as a guiding route map to the digital forensic investigators. Therefore, it is significant that the plan should be practical and updated annually based on the latest experiences. In order to make the plan more effective, the investigators should be trained prior to hand on how to effectively carry out the plan.

With so many differences between the physical crime scene and cyber breach, the investigators can learn from each other’s best practices, as well as the mistakes that each team tries to avoid.

Want to be a leader in computer forensic investigation?

Join EC-Council’s Computer Hacking Forensic Investigator (C|HFI) program now. The program certifies individuals in the specific security discipline of computer forensics from a vendor-neutral perspective. The certification fortifies the application knowledge of the cyber investigator on various forensic-related domains like reporting, storing, law enforcement, etc.


  1. https://www.healthcareitnews.com/news/how-not-handle-data-breach-brought-you-uber-equifax-and-many-others
get certified from ec-council
Write for Us