
Digital Forensics in Corporate Simulations: A Study of Tool Efficacy and Analysis Techniques

Giacomo Zunino. Digital Forensics in Corporate Simulations: A Study of Tool Efficacy and Analysis Techniques. Supervisor: Andrea Atzeni. Politecnico di Torino, Master's degree course in Computer Engineering (Ingegneria Informatica), 2025

Files: thesis PDF (Tesi_di_laurea, 2MB); attached documents archive, ZIP (Documenti_allegati, 2MB).
License: Creative Commons Attribution Non-commercial No Derivatives.

Abstract:

Digital forensics is a critical field within forensic science that focuses on the identification, acquisition, processing, analysis, and reporting of electronic data relevant to investigations. This discipline plays a critical role in responding to cyber attacks, allowing the identification, mitigation, and eradication of threats, and presenting key information to auditors, legal teams, and law enforcement following incidents. The forensic process involves several important steps: identification of potential evidence, preservation of electronically stored information (ESI), in-depth analysis of data objects, meticulous documentation of procedures, and effective presentation of findings to relevant stakeholders.

This thesis explores the current application of digital forensics techniques within corporate environments. The aim is to develop practical strategies for their effective implementation and to identify areas that could benefit from improvement. The research highlights the alarming increase in cyber attacks, particularly against small and medium-sized businesses, which often lack adequate defenses. Exploring the latest advances in digital forensics, this study examines their integration into enterprise incident response strategies.

To achieve these goals, controlled experiments were conducted in a virtualized environment, simulating real-world scenarios to evaluate the effectiveness of various forensic tools such as Autopsy. The scenarios addressed include a data breach involving an external attacker and an insider accomplice who helps carry out the attack, a phishing scheme through which the attacker gains access to employees' credentials to extract company data, and two distinct types of cyber attacks involving malicious software, both delivered via email and disguised as urgent updates. In the first one, the ransomware encrypts the contents of the victims' computers and leaves a ransom note with instructions, while in the second one, the malware remains on the computer and, periodically, sends the content of specific folders to the attacker.

For each case examined, the configuration was set up in Docker to allow the simulation of attacks in a closed, isolated environment, providing flexibility in managing the various components involved. Following the setup and simulation phases, the components are isolated and subjected to a thorough analysis using forensic tools to investigate the origins of the attack and to reconstruct the sequence of events. The findings from this research aim not only to demonstrate the effectiveness of various digital forensics tools in corporate incident response but also to provide practical information for companies to improve their cybersecurity strategy.

Supervisors: Andrea Atzeni
Academic year: 2024/25
Publication type: Electronic
Number of pages: 90
Subjects:
Degree course: Master's degree course in Computer Engineering (Ingegneria Informatica)
Degree class: New regulations > Master's degree > LM-32 - Computer Engineering
Collaborating companies: Politecnico di Torino
URI: http://webthesis.biblio.polito.it/id/eprint/35242