The Phases of the Digital Forensics Investigation Process

Investigating a security event is the less glamorous version of an episode of CSI: Crime Scene Investigation. Without the snazzy, high-end, mostly-fictitious technology that television shows you, your actual digital forensics investigation usually involves an arduous process of reviewing technical data and looking for the breadcrumbs a malicious actor left behind. Further, you need to follow very specific steps when engaging in a digital forensics investigation because you need to preserve the data so it can be used as evidence. Since rules of law are strict, your processes for ensuring evidence integrity and authenticity must be beyond reproach.


By understanding what digital forensics is and the phases of a digital forensics investigation, you can build the evidence collection processes and technology stack necessary.

What is digital forensics?

Digital forensics is the branch of forensic science focused on identifying, acquiring, and analyzing electronic evidence. While used across various criminal and civil investigation use cases, digital forensics is critical to incident response and cyber crime investigations. Digital forensic investigators collect, assess, and present digital evidence gathered from the event logs generated by:

  • Computers
  • Mobile devices
  • Applications
  • Network devices
  • Databases
  • User accounts


Digital forensics uses scientifically accepted and validated processes so that organizations can use the data in and out of court. After a cyber attack, organizations often provide digital forensics to:

  • Law enforcement
  • Legal teams
  • Auditors
  • Regulatory agencies


Why is digital forensics important?

In an increasingly electronic world, digital forensics is critical to nearly every legal proceeding, whether criminal or civil. Every device, application, and storage location generates log data, the information that tells you:

  • What actions occurred
  • Who took the actions
  • When the person took the actions
  • Where the actions were taken from


With this digital evidence, you can:

  • Investigate incidents faster
  • Identify breach data and attackers
  • Document fraud and identity theft
  • Draw conclusions about malicious actors based on the information they leave behind in systems and networks
  • Create detailed security incident reports for law enforcement, attorneys, judges, and senior leadership
  • Recover data from broken hard drives, crashed servers, or devices otherwise compromised


What are the different types of digital forensics?

Since digital forensics covers a wide array of use cases and data types, many people specialize in one or two of the science’s branches.

Computer forensics

Used in criminal and civil proceedings, computer forensics investigates computers and digital storage locations, typically including data like:

  • Log files
  • Email messages
  • Documents
  • Spreadsheets
  • Presentations
  • Contacts


Database forensics

This branch of forensics studies databases and their metadata, looking at things like:

  • Database contents
  • Timestamps on changes to data or fields
  • User access
  • Cached information in a server’s RAM


Digital image forensics

Forensic image analysis verifies the authenticity and content within an image file. Typically, this forensic analysis is used to uncover deep fakes.


Disk forensics

Disk forensics focuses on data from digital storage media, like:

  • Hard disks
  • USB devices
  • Firewire devices
  • CDs
  • DVDs
  • Flash drives


Email forensics

This branch of forensics recovers and analyzes emails, including deleted:

  • Emails
  • Calendar data
  • Contact information


Forensic data analysis (FDA)

FDA examines structured data in applications and databases during financial crime and fraud investigations.


Internet of Things (IoT) forensics

IoT forensics identifies and extracts digital data at the:

  • Device level: local memory, running processes
  • Network level: traffic logs to identify patterns or sources
  • Cloud level: device data stored in the cloud, resulting from limited on-device storage and processing capabilities


Malware forensics

This branch studies a payload to understand how malicious code, like a trojan, ransomware, virus, or worm, works.

Memory forensics

Memory forensics uses data’s raw form to look for evidence in system memory, like:

  • System registers
  • Cache
  • RAM


Mobile device forensics

Mobile device forensics recovers data from devices with internal memory and communication capabilities, including smartphones and tablets. Data gathered can include changes in:

  • Operating systems
  • Malicious apps
  • Performance


Network forensics

Network forensics monitors and analyzes traffic patterns on local and wireless networks. The two primary use cases are:

  • Identifying suspicious traffic to detect an attack
  • Capturing network traffic to use in a criminal investigation


The Stages of a Digital Forensics Investigation

Every digital forensics investigation follows the same basic principles. Across all stages, you need to remember that this data will be used in court proceedings, so your processes need to maintain the evidence’s integrity, including documenting the chain of custody.



Before you can collect data, you need to identify the devices and processes where it might be located. Some examples include:

  • On-premises data centers
  • Cloud storage locations, including servers and databases
  • Networks
  • Applications
  • Devices, including workstations and mobile devices
  • External storage locations, like thumb drives, flash cards, magnetic disks
  • IoT devices, like cameras or printers

After identifying where they plan to look for or find evidence, the investigators need to prevent anyone else from accessing the locations and tampering with them.


Just like criminal investigators need to sweep a room for all physical evidence, incident investigators need to collect digital forensic information like:

  • Audio, video, and images
  • Network traffic and packet data
  • Emails
  • Active, modified, or deleted files
  • Operating system data
  • Application data
  • Network configurations
  • Network connections
  • Slack and free space
  • Running processes
  • Open files
  • Login sessions
  • Operating system time
  • Users and groups
  • Passwords
  • Network shares
  • Logs


Before collecting the data, you should clearly define the chain of custody that you plan to follow so that you preserve evidence as required by legal or internal disciplinary proceedings. The chain of custody processes should include:

  • Log of every person who had physical custody of evidence
  • Documenting who performed activities on evidence and when they performed them
  • Securely storing evidence
  • Making a copy of evidence
  • Only performing examination and analysis on the copied evidence
  • Verifying the integrity of the original and copied evidence
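
The copy-and-verify steps in the list above, as an added example that is not part of the original article: it hashes the original, creates a working copy, rejects the copy if the SHA-256 digests differ, and records each action in a custody log. Chaining each log entry to the previous one goes beyond what the list requires and is included so that later edits to the log are detectable; the file names, the examiner ID and the log layout are assumptions.

```python
import hashlib, json, shutil, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:  # chunked, so large images need not fit in RAM
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def entry_digest(entry):
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def log_event(log, actor, action, item, digest):  # who did what, and when
    entry = {"time": datetime.now(timezone.utc).isoformat(), "actor": actor,
             "action": action, "item": str(item), "sha256": digest,
             "prev": log[-1]["entry_hash"] if log else "0" * 64}
    entry["entry_hash"] = entry_digest(entry)  # commits to the previous entry
    log.append(entry)

def make_working_copy(original, copy, actor, log):
    """Hash the original, copy it, and refuse the copy if the digests differ."""
    before = sha256_file(original)
    log_event(log, actor, "hash-original", original, before)
    shutil.copyfile(original, copy)
    if sha256_file(copy) != before:
        raise ValueError("digest mismatch: copy is not a faithful duplicate")
    log_event(log, actor, "create-working-copy", copy, before)
    return before

def log_is_intact(log):
    prev = "0" * 64
    for e in log:  # recompute each entry hash and check the link to its predecessor
        if e["prev"] != prev or e["entry_hash"] != entry_digest(e):
            return False
        prev = e["entry_hash"]
    return True

def demo():
    # Constructed sample evidence in a temp directory (hypothetical names).
    with tempfile.TemporaryDirectory() as d:
        original, copy, log = Path(d, "evidence.img"), Path(d, "working.img"), []
        original.write_bytes(b"constructed sample evidence" * 1000)
        digest = make_working_copy(original, copy, "examiner-1", log)
        ok = sha256_file(copy) == digest and log_is_intact(log)
        log[0]["actor"] = "someone-else"  # simulate an edited log entry
        return ok, log_is_intact(log)
```

Examination and analysis then run against the working copy only, and re-running `sha256_file` on the original at any later point should return the digest recorded in the first log entry.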


During the examination phase, you will:

  • Extract and assess relevant pieces of information within the collected body of data
  • Bypass or mitigate OS or application features obscuring data and code
  • Filter out extraneous information from data files of interest



Using the copy of the evidence, you can now start looking for answers to questions like:

  • Who created or edited the data?
  • How was the data created or edited?
  • Where was the data sent?
  • When did these activities occur?

Your analysis should use a methodical, repeatable approach for:

  • Validating original data sources, like log data
  • Relying on file headers rather than file extensions
  • Focusing on the event’s characteristics and impact
  • Leveraging tools that bring together data from various sources in a single place
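
To illustrate relying on file headers rather than file extensions, the added example below (not from the original article) compares a file's leading bytes against a short table of well-known signatures and reports when the extension claims a different type. The signature table is deliberately small, and the sample file names and byte strings are constructed.

```python
from pathlib import PurePath

# Leading-byte signatures for a few common formats (not exhaustive).
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"), (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\x7fELF", "elf"),
    (b"MZ", "pe"),
]

# Extensions that legitimately sit on top of each detected type.
# Office documents and JARs are ZIP containers, so they share the ZIP header.
EXPECTED_EXT = {
    "png": {".png"}, "jpeg": {".jpg", ".jpeg"}, "gif": {".gif"}, "pdf": {".pdf"},
    "zip": {".zip", ".docx", ".xlsx", ".pptx", ".jar"},
    "elf": {"", ".so", ".elf"}, "pe": {".exe", ".dll", ".sys"},
}

def detect_type(header: bytes):
    """Return the type named by the header bytes, or None if unrecognised."""
    for magic, kind in SIGNATURES:
        if header.startswith(magic):
            return kind
    return None

def triage(name: str, header: bytes) -> str:
    """Classify a file as consistent, mismatched, or of unknown header."""
    kind = detect_type(header)
    if kind is None:
        return "unknown"
    ext = PurePath(name).suffix.lower()
    return "consistent" if ext in EXPECTED_EXT[kind] else f"mismatch:{kind}"

# Constructed samples: (file name, first bytes of the file).
SAMPLES = [
    ("invoice.pdf", b"%PDF-1.7\n"),
    ("report.docx", b"PK\x03\x04\x14\x00"),
    ("holiday.jpg", b"MZ\x90\x00\x03"),   # executable header under an image name
    ("notes.txt", b"plain text"),
]

def run():
    return [(name, triage(name, header)) for name, header in SAMPLES]
```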



With all the evidence collected and analyzed, the investigators create the timeline of events and present it to senior leadership. This process enables the organization to review its people, processes, technologies, and controls to prevent the same incident from happening again.


When writing your report, you should consider the following factors:

  • Alternative explanations: Lacking conclusive evidence, you should consider all plausible explanations, then prove or disprove each one.
  • Audience: You may need to provide different reports based on an audience’s need, like law enforcement requiring copies of evidence, system admins needing network traffic statistics, or senior management reviewing a simplified visualization.
  • Actionable information: Your report should identify information that helps collect new data sources or prevents future events.


Some common issues identified in reports include:

  • Improvements to guidelines and procedures
  • Managing gigabytes or terabytes of collected data
  • Improvements to data collection by altering security controls, like auditing, logging, or intrusion detection


Graylog Security: The log data solution for digital forensics investigations

Using Graylog Security, you get the speed, documentation, and accuracy necessary to build out a digital forensics investigation. Our detections, especially our Sigma rules, enable you to detect and investigate incidents by giving you the keywords necessary to trace known attack types. Within Security Investigation, you can create a new case, create custom prioritizations, document status, assign responsible incident responders, report findings, and link to log data evidence.

By leveraging Graylog Security’s out-of-the-box content and security analytics, you can build high-fidelity alerts then pivot directly into researching the log data that matters most. Our platform gives you all the functionality of a SIEM without the complexity, providing a robust technology that empowers users of all experience levels.

To see how Graylog Security enables your digital forensics investigations goals, contact us today.


