The role of cyber forensics in defense industry


What is cyber forensics?

Computer forensics (digital forensics) is a field of technology that uses investigation techniques to help identify, collect, and store evidence from an electronic device and analyze the digital evidence to uncover and prevent cybercrime.

Cyber forensics aims to identify, preserve, analyze, and present digital evidence in a legally admissible manner. It involves the application of various scientific techniques and methodologies to collect and examine data from computers, networks, digital devices, and other electronic systems. This evidence can be crucial in uncovering the truth behind cyberattacks, data breaches, fraud, intellectual property theft, and other forms of cybercrime.

Types of digital forensics

Computer forensic science (computer forensics) investigates computers and digital storage evidence. It involves examining digital data to identify, preserve, recover, analyze and present facts and opinions on inspected information. So here are a few examples of the different types of digital forensics that are used to investigate and analyze digital evidence in various contexts.

  • Computer Forensics: Investigating and analyzing digital evidence from computers, including hard drives, memory, and operating systems.
  • Network Forensics: Examining network traffic and logs to identify potential security breaches, attacks, or unauthorized activities.
  • Mobile Device Forensics: Extracting and analyzing data from smartphones, tablets, and other mobile devices to uncover evidence related to criminal activities.
  • Database Forensics: Investigating and analyzing data stored in databases to identify any unauthorized access, tampering, or data breaches.
  • Memory Forensics: Analyzing the volatile memory of a computer system to retrieve information such as running processes, network connections, and encryption keys.
  • Multimedia Forensics: Analyzing digital images, audio files, and video recordings to authenticate their origin, detect tampering, or recover hidden information.
  • Cloud Forensics: Examining digital evidence stored in cloud computing environments, such as data centers or online storage services.

Working of cyber forensics

Investigators use specialized tools and techniques to examine digital devices and search for evidence of cybercrime. These techniques include recovering deleted files, performing cross-drive analysis, using live analysis, and reverse steganography. Additionally, stochastic forensics is used to analyze and reconstruct digital activity without relying on digital artifacts. All evidence found during the investigation is carefully documented in a report and verified with the original device to prepare for legal proceedingsIn general, these procedures include the following three steps
  • Investigators physically isolate the device to prevent tampering and make a digital copy of the storage media, which is then used for the investigation. The original device is locked away in a secure facility to maintain its pristine condition. Publicly available information, such as social media posts or Venmo charges, may also be used for forensic purposes.
  • Investigators analyze digital copies of storage media to gather information for a case. The analysis is conducted in a sterile environment using various tools, such as Basis Technology's Autopsy for hard drive investigations and the Wireshark network protocol analyzer. Additionally, a mouse jiggler is used to prevent the computer from going to sleep and losing volatile memory data during the examination.
  • Forensic investigators present their findings in a legal proceeding, where a judge or jury uses the evidence to help determine the outcome of a lawsuit. In a data recovery situation, investigators present what they were able to recover from a compromised system.

Digital forensic techniques
  • Steganography is a common tactic used to hide data inside any type of digital file, message or data stream. Investigators use data hashing to analyze the file and identify any attempts at steganography. If a cybercriminal hides important information inside an image or other digital file, the underlying hash or string of data that represents the image will change, even if it looks the same before and after to the untrained eye (but the underlying hash or string of data that represents the image will change).
  • Stochastic forensics is used by investigators to analyze and reconstruct digital activity without relying on digital artifacts. Artifacts are unintended alterations of data that occur from digital processes and can include clues related to a digital crime, such as changes to file attributes during data theft. Stochastic forensics is frequently used in data breach investigations where the attacker is thought to be an insider who might not leave behind digital artifacts.
  • Cross-drive analysis is used by investigators to search for, analyze, and preserve information relevant to an investigation. The technique involves correlating and cross-referencing information found on multiple computer drives. Events that raise suspicion are compared with information on other drives to look for similarities and provide context. This is also known as anomaly detection.
  • Live analysis is used by investigators to analyze a computer from within the operating system while the device is running. The analysis looks at volatile data, which is often stored in cache or RAM. Many tools used to extract volatile data require the computer to be in a forensic lab to maintain the legitimacy of a chain of evidence.
  • Deleted file recovery is used by investigators to search for fragments of files that were partially deleted in one place but left traces elsewhere on the computer system and memory. This technique is also known as file carving or data carving.

Cyber forensics in defense sector

Cybersecurity solutions help a defense organization to monitor, detect, report, and counter cyber threats that are internet-based attempts to damage or disrupt information systems and hack critical information using spyware and malware, and by phishing, to maintain data confidentiality. However, the increased connectivity also means that there are more opportunities for cyber attacks, data leaks, and other IT security breaches. The economy, stability, development, and defense of any nation are increasingly dependent on their ability to provide resilient and secure cyberspace.

 Cyber Attacks on Military/Government Organizations

1) China’s cyberattack on Maharashtra power grid  (October 12, 2020)

According to a study conducted by cybersecurity firm Recorded Future, Chinese malware was found in India's power grid, including a high-voltage transmission substation and a coal-fired power plant. The 100-page report confirms a malware attack was behind the blackout and said that about 14 Trojan Horses and 8 GB of unaccounted data was found in the system, which according to the investigation was installed in the Maharashtra State Electricity Board (MSEB) system by unverified sources. The malware was never activated, but its presence raises concerns about potential future cyberattacks on India's power grid. The study suggests that this cyber campaign may have been connected to the border clash between China and India. The Chinese state-sponsored group, Red Echo, was identified as being behind the cyber campaign, which aimed to gain a foothold in nearly a dozen critical nodes across India's power generation and transmission infrastructure. The Mumbai blackout in October 2020 affected millions of people and caused hospitals to switch to emergency generators. While Indian officials have not provided details about the investigation into the blackout or the evidence provided by Recorded Future, the discovery of the malware raises questions about whether it was a result of a Chinese cyberattack. The placement of malware in an adversary's critical infrastructure has become a form of aggression and deterrence, as it serves as a warning that if pushed too far, millions could suffer.

2) Data of Japanese Government Entities Breached Through Fujitsu’s Systems

The news has recently reported that several Japanese government entities' data was breached through Fujitsu's systems, a Japanese multinational information technology equipment and services company. This has led to concerns about the security of government information and the effectiveness of cybersecurity measures in Japan.

The breach was discovered in early February 2022, and it is believed that the attackers gained access to the government entities' data through Fujitsu's systems. The breach affected several government entities, including the Ministry of Foreign Affairs, the Ministry of Defense, and the National Police Agency.

This incident highlights the importance of strong cybersecurity measures and the need for organizations to prioritize the protection of sensitive information. It also raises questions about the security of third-party providers and their responsibility in protecting their clients' data.

3) DDoS Attack on Russian Defense Ministry

It was reported that the Russian Defense Ministry was targeted by a distributed denial-of-service (DDoS) attack. The attack caused disruptions to the Ministry's website and communication systems, impacting the Ministry's operations.

A DDoS attack is a type of cyberattack that floods a website or network with traffic, overwhelming it and causing it to crash. The attack on the Russian Defense Ministry is believed to have been carried out by a foreign state-sponsored group.

Although the Russian Defense Ministry was able to detect and neutralize the attack quickly, the incident has raised concerns about the vulnerability of critical infrastructure and the potential for cyberattacks to disrupt essential services.
The DDoS attack on the Russian Defense Ministry underscores the vulnerability of critical infrastructure to cyberattacks and the need for strong cybersecurity measures. Organizations must prioritize the protection of sensitive information and essential services, while governments must collaborate to combat cyber threats.

Defense Cyber Security Market Leaders


In conclusion, cyber forensics is a vital field that uses investigation techniques to identify , collect, and analyze digital evidence to uncover and prevent cybercrime. It involves various scientific techniques and methodologies to examine data from computers, networks, digital devices, and other electronic systems. Cybersecurity solutions are crucial for defense organizations to monitor, detect, report, and counter cyber threats that can damage or disrupt information systems. It is essential to prioritize the protection of sensitive information and critical infrastructure to prevent cyberattacks from disrupting essential services. By leveraging its capabilities, defense organizations can effectively investigate cyber incidents, gather evidence, and enhance their overall cybersecurity defenses.