Three Best Practices for Cyber Forensics Investigations

Comments (0)

Successful cyber forensics investigations begin with the right tools and the right environment

Cyber Forensics: Who is Watching Whom?

You’re tasked with investigating a cyber crime or threat online. You need to watch suspected bad actors as they are active online, analyze their behavior, gather social media data, check their historical footprint, and find out who else is in their network. However, today’s sophisticated criminals know when they’re being watched and one misstep can trigger their defenses and sink your investigation.

To successfully gather your adversary’s tactics, techniques, and procedures you must be discrete, able to not just hide your true identity and location but manage your entire internet persona. Everything you do online while conducting your research will leave a trail. How can you ensure that your work will not tip off a wary adversary?

Three Best Practices for Cyber Forensics Investigations

"The only solution to remove digital footprints and to contain digital exhaust is through a strict policy of managed attribution and non-persistent computing. In order to obtain managed attribution, a multi-nodal, secure infrastructure must be put into place that offers the necessary performance required for a user to perform their daily job without suffering the latency blues." (Adam Jackson, Armored Cloud)

One: Manage all of your digital exhaust to present a complete persona

Passive trails of information are left behind with every online activity, from email to internet browsing to social media use. These trails, known as “digital exhaust” or “digital footprints”, can be sniffed out by the very cyber criminals you’re trying to watch, tipping them off to your presence and intent. Every bread crumb that can be left behind during your cyber forensics work must be managed so that the trail you leave not only hides your true location and identity, but also builds a believable persona that will seem believable and innocuous to the suspects you are monitoring.

Two: Complete separation of investigative environment from the main network

Since everything you do online leaves a trail, to fully mitigate risk your cyber forensics work must be done in an environment that is completely separate from your main network. There can be no technical or commercial links between your investigative environment and your regular work environment. Ideally, you would be able to set up a distinct network quickly, with nodes that can be compromised and discarded available at short notice anywhere in the world where you need to appear to be. This brings us to our third best practice.

Three: Use non-persistent environments for online investigations

You’re controlling your digital footprint to manage your internet persona. You’ve completely isolated your environment. Next, invest in non-persistent environments to limit your digital exhaust to that computing session and that session only. This way, you can use a unique persona each time you conduct research without risk of blending your identities. Start with a clean slate each time you launch an investigation, removing any digital footprints from previous sessions.

By using these three best practices, you can achieve fine-tuned control of your digital footprint, protecting your identity and ensuring that you can conduct your investigation without being tipping off your suspects.

Armored Cloud is used by organizations to conduct cyber forensics and cyber threat intelligence because we can easily achieve these three best practices at a much lower cost and with greater speed than any other solution available today.

Benefits of Using Armored Cloud for Cyber Forensics

  1. Confidently use one machine for multiple personas, knowing that all technical and personal information is remaining distinct for each established persona.
  2. Easily switch between personas by accessing a new VM, reducing time and workflow complications.
  3. Do everything you need to establish your persona—check email, social media accounts, browse the web, log into Google properties—all while leaking the right information.
  4. By masking traffic at the network level and using all ports and all protocols, unlike one-hop proxy solutions using targeted ports and protocols, your actual identity and location are virtually impossible to track down.
  5. No discernable latency, enabling users to operate normally without distinction while online.
  6. Sacrificial nodes available all over the world.

About Armored Cloud

Armored Cloud offers an enterprise suite of unique and innovative global enterprise solutions to organizations looking for competitive leverage and anonymized online activities. Operating under the philosophy that you can’t exploit what you can’t see, Armored Cloud offers a completely anonymous way for modern companies to do business, connect global resources, conduct research online, and collect threat intelligence data—all with minimal latency and zero impact to current business processes. Learn more at

We make demos and trials of our solutions available to qualified businesses and organizations. To learn more about Armored Cloud please call us at (877) 978-1688 or fill out our online contact form. If you are a US government agency, please contact our partner Telos at (800) 444-9628 or visit their website at

Be the first to comment!

Post a Comment

To reply to this message, enter your reply in the box labeled "Message", hit "Post Message."


Email:* (will not be published)


Notify me of follow-up comments via email.