Cyber forensics explained: investigating the digital crime scene

Monday, 07 Jul 2025

Whenever a major cybersecurity incident occurs, the Malaysian public is usually reassured that a thorough investigation is being conducted, but with few details on what has actually transpired.

This is where the subfield of cybersecurity, known as cyber forensics, enters the picture.

Cyber Sherlocks

According to National Cyber Security Agency (Nacsa) chief executive Dr Megat Zuhairy Megat Tajuddin, cyber forensics plays a critical role from the earliest stages of cyber incident response.

At that point in the investigation, investigators work to preserve volatile evidence such as memory dumps, system logs, and network traffic, which can be easily lost when a compromised system, virtual machine, or cloud container is shut down.

“Cyber forensics is a specialised area within the broader field of cybersecurity that focuses on identifying, preserving, analysing, and interpreting digital evidence following a cyber incident.

“While cybersecurity emphasises proactive defence, such as threat prevention, system hardening, and monitoring, cyber forensics is more reactive, providing critical insights post-incident.

“It helps uncover how a breach occurred, assesses the extent of impact, and supports efforts to improve security moving forward,” he says, stressing that “both fields are complementary and equally vital in a robust cybersecurity strategy”.

Financial forensics expert and managing principal with Graymatter Forensic Advisory Raymon Ram put it in simpler terms, saying that cyber forensics is “the process of identifying, preserving, analysing, and presenting digital evidence following a security breach or suspicious cyber incident”.

This comes with the end goal of uncovering “what transpired, how it happened, and who was involved” after a cybersecurity incident has occurred. Raymon also serves as the president of the NGO Transparency International-Malaysia.

During an actual investigation, Nacsa would evaluate the extent of an incident’s impact and potential risks, while technical teams handle collecting and analysing evidence, identifying signs of a system compromise, and collaborating with stakeholders to minimise damage and contain the threat.

In greater detail

Malaysia Cybersecurity Community Raw Security (rawSEC) chairman and co-founder Tahrizi Tahreb further broke down the stages of an investigation, stressing that cyber forensics is not a standalone activity but “deeply embedded within the structured incident response lifecycle”.

“While incident response focuses on real-time detection and containment, digital forensics provides the critical insights and evidence that inform and enhance the entire process.

“It typically comes into play very early on, during the ‘Identification’ phase, to confirm if a cyberattack has indeed occurred and to understand its immediate scope and nature.

“However, its most central role emerges during the ‘Containment’ phase. This is where specialists meticulously identify, label, record, and acquire data from all relevant sources, such as hard drives, memory, network logs, and mobile devices, while rigorously preserving its integrity.

“Maintaining a strict ‘chain of custody’ is paramount to ensure the integrity and reliability of the evidence for potential legal proceedings,” he says.

These findings are then used to guide the ‘Eradication’ and ‘Recovery’ phases, which, as the names suggest, aim to remove the threat and recover the affected systems.

This is followed by a ‘Post-Incident’ stage, where a thorough review is conducted to identify the root causes and exploited vulnerabilities and assess the effectiveness of existing defences. Lessons learnt will then be used to proactively shore up security measures.
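The integrity and chain-of-custody requirements described in the Containment phase above, as an added example that is not from the article or from any of the agencies or firms it quotes: a minimal evidence record that hashes an acquired image once at acquisition and keeps a hash-linked custody log, so that both alteration of the evidence and later editing of the log itself are detectable. Evidence IDs, names and the sample image bytes are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: dict) -> str:
    # Canonical JSON (sorted keys) so the same entry always hashes identically.
    return sha256_hex(json.dumps(entry, sort_keys=True).encode())


def _append(record: dict, action: str, by: str) -> None:
    # Each custody entry commits to the previous entry's hash, so deleting or
    # editing any earlier entry invalidates every entry after it.
    prev = record["custody"][-1]["entry_hash"] if record["custody"] else ""
    entry = {"action": action, "by": by, "prev": prev,
             "at": datetime.now(timezone.utc).isoformat()}
    entry["entry_hash"] = _entry_hash(entry)
    record["custody"].append(entry)


def acquire(evidence_id: str, source: str, data: bytes, by: str) -> dict:
    # Hash and size are fixed at acquisition; everything later is checked against them.
    record = {"evidence_id": evidence_id, "source": source,
              "size": len(data), "sha256": sha256_hex(data), "custody": []}
    _append(record, "acquired", by)
    return record


def verify_evidence(record: dict, data: bytes) -> bool:
    return len(data) == record["size"] and sha256_hex(data) == record["sha256"]


def verify_custody(record: dict) -> bool:
    # Walk the log and recompute every link; any edit or gap breaks the chain.
    prev = ""
    for entry in record["custody"]:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev"] != prev or _entry_hash(body) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


def transfer(record: dict, data: bytes, from_by: str, to_by: str) -> None:
    # Refuse to hand over evidence whose bytes no longer match the acquisition hash.
    if not verify_evidence(record, data):
        raise ValueError(f"{record['evidence_id']}: hash mismatch, refusing transfer")
    _append(record, "released", from_by)
    _append(record, "received", to_by)
```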

Megat Zuhairy emphasises that Nacsa plays a crucial part when incidents have an impact on National Critical Information Infrastructure (NCII), with the agency taking a leadership role in forensic response, coordination, and oversight of the affected organisations.

“When an entity lacks the technical capability or resources to conduct proper forensic analysis, Nacsa may deploy or assign specialised response teams to provide direct support.

“Furthermore, a dedicated team from the Royal Malaysia Police (PDRM) is embedded within Nacsa to assist with cases involving potential criminal elements.

“This integration ensures that legal and law enforcement considerations are taken into account early in the investigation, helping to preserve digital evidence and facilitate any subsequent legal action,” Megat Zuhairy says.

He adds that cases have become increasingly complex over the years, with a shift away from opportunistic attacks like phishing and malware cases to well-planned, sophisticated and targeted threats deployed by highly coordinated operations.

“These include ransomware used for financial extortion, coordinated malware infections that can lead to multiple layers of impact, beacons used for external command-and-control communication, backdoors enabling stealthy remote access, and spyware designed for surveillance,” he says.

Talking about transparency

A key part of the cyber forensic process is communication with the public, which is carefully managed to avoid misinformation or premature conclusions on the cybersecurity incident.

Megat Zuhairy acknowledges that while transparency is essential, caution needs to be exercised so as to prevent incidents from worsening, with the focus being on conducting a comprehensive and accurate investigation rather than an immediate disclosure.

“Sharing technical details too early can be risky, as it may alert threat actors, enabling them to launch the second wave of attacks, change their tactics, or cover their tracks. For this reason, public updates are often limited during an active investigation.

“As Malaysia’s national cyber security agency, Nacsa is committed to responsible information sharing while protecting national security interests.

“All external communication undergoes careful validation to ensure sensitive data, especially related to critical infrastructure or national systems, remains secure.

“Our goal is not to withhold information unnecessarily, but to strike a balance between transparency and operational security,” he says, adding that transparency is still a guiding principle of Nacsa.

He further says that the agency does share further information such as Tactics, Techniques, and Procedures (TTPs) used in attacks, along with recommended mitigation strategies whenever possible.

“Through this measured and strategic approach, we ensure that forensic investigations not only resolve incidents effectively but also contribute to long-term national and regional cyber resilience,” he says.

Similar thoughts are shared by both Raymon and Tahrizi, who believe in taking a more measured approach in transparency with the public.

“The balance lies in sharing general findings – such as the nature of the breach, affected systems, and response measures – without revealing sensitive forensic techniques or evidence trails.

“Once investigations are concluded, sharing lessons learnt can bolster public confidence and help others strengthen their own defences,” says Raymon.

Megat Zuhairy says that the full conclusion of an investigation can only be shared once all necessary legal actions have concluded, as otherwise it may jeopardise the trial involving the perpetrators, adding that such investigations are time-consuming.

He adds that while the agency does not usually publicly announce the full conclusion of investigations, it does publish important findings in the form of advisories that may be of use for others. These are regularly published on the Nacsa website without explicitly referring to any specific incidents.

“Updates may be issued when they serve the public interest, reinforce regulatory compliance, or provide clarity on systemic issues, while ensuring that confidential or classified details remain protected,” he says.

Meanwhile, Tahrizi believes that there needs to be nuance, with clear enough information being provided to build public trust and accountability without jeopardising the cyber forensic investigation.

“Privacy concerns are also paramount. Digital forensics often involves highly sensitive data, including personal communications, medical records, and financial transactions.

“Forensic professionals have an ethical responsibility to avoid unauthorised data access, respect individual privacy, and ensure proper handling of evidence.

“In Malaysia, the recent Cyber Security Act 2024 and the Publicly Accessible Data Universe (Padu) database have sparked significant debate regarding privacy, especially since the Personal Data Protection Act 2010 (PDPA) does not apply to government agencies, leaving citizens without legal recourse in case of misuse or breaches,” he says.

Workforce woes

All three agree that Malaysia is suffering from a significant lack of manpower when it comes to the broader field of cybersecurity, which has also affected cyber forensics.

From Tahrizi’s perspective, the shortfall is something that Malaysia struggles with, especially due to the rapid digital transformation in the country, with talent pipelines not matching the pace of development.

“The numbers paint a clear picture: as of mid-2024, Malaysia had approximately 16,765 cybersecurity personnel.

“Yet, the projected requirement stands at 26,430 by the end of 2025 and 28,068 by 2026.

“This talent gap isn’t just an abstract number; it’s a tangible vulnerability. Over 90% of organisations in Malaysia and neighbouring countries have reported security breaches attributed, at least in part, to a lack of skilled cybersecurity professionals.

“This directly impacts our national security and economic stability,” he says, adding that the reasons for this gap are multi-faceted, with a disconnect between academia and the industry, limited industry-aligned training, and intense global competition making it difficult to attract and retain top talents in Malaysia.

Raymon drives the message home, saying that the problem compounds on itself since “forensics is even more niche – it demands a unique blend of technical acumen, investigative rigour, and legal awareness”.

“Few institutions offer focused training in this field, and most graduates gravitate towards more mainstream roles like SOC (Security Operations Centre) analysts or network engineers.

“Consequently, many organisations depend on a small pool of specialists or outsource to consultancies like ours,” he says.

Megat Zuhairy says that this has to do with how cyber forensics as a whole is viewed by the public. He calls for a reshaping of how the field is perceived in order to appear more attractive to Malaysians.

“Cybersecurity is not limited to coding or working in high-tech environments. It plays a crucial role in protecting everyday aspects of modern life, from digital banking and transportation systems to healthcare data and national infrastructure.

“Presenting cyber forensics as a purpose-driven, problem-solving profession can make it more relatable, impactful, and aspirational to a broader audience. It is a field where individuals can make a real impact.

“Importantly, we must break the misconception that talent must only come from traditional IT backgrounds. The field of cyber forensics benefits greatly from diverse disciplines. Individuals from engineering, mathematics, and science can bring analytical and technical strengths.

“At the same time, those with backgrounds in psychology offer valuable insights into human behaviour, especially in areas like social engineering and behavioural analysis during forensic investigations,” he says.

He adds that many officers within PDRM’s cyber forensic team “enter the field without formal technical training but develop cyber investigative expertise over time through targeted training and practical experience”.

What’s next?

Aside from the shortage in expertise, Megat Zuhairy believes that the rapid growth and evolution of the cyber landscape, which includes bad actors and threats to the nation at large, outpacing existing legislation and operational frameworks, have become a significant challenge to cyber forensic teams.

Both Tahrizi and Raymon have similarly pointed out that cross-border cooperation is made cumbersome due to time-consuming processes, such as Mutual Legal Assistance Treaties (MLATs), to share information and evidence for criminal law enforcement.

This is something that Nacsa is currently looking to address through legislation, according to Megat Zuhairy.

“Much of today’s digital evidence is encrypted or stored across multiple jurisdictions, often within cloud infrastructures.

“This complicates access and creates legal obstacles, especially when cross-border data sharing requires mutual legal assistance treaties or diplomatic coordination,” he says.

While Malaysia led the way with the Computer Crimes Act 1997, Megat Zuhairy says that it has since lost relevance and is “inadequate” at addressing the modern complexities of cybercrime.

“Notably, the Act does not differentiate between cyberattacks targeting national critical information infrastructure (NCII) and those affecting individuals or non-critical systems.

“This legal gap hampers the ability to impose proportionate penalties and prioritise national security interests.

“In response, Nacsa is in the process of drafting a Cybercrime Bill, which is designed to provide a more robust, technology-neutral and future-ready legal framework.

“This Bill will introduce enhanced penalties for cyberattacks targeting NCII and will also explicitly address emerging and sophisticated threats such as ransomware, social engineering attacks, AI-driven exploits, malware, and supply chain attacks,” he says.

The Cybercrime Bill will also be aligned with international legal standards, specifically the Budapest Convention on Cybercrime and the UN Convention against Cybercrime, which he foresees will better facilitate cooperation across borders.

Source : https://www.thestar.com.my/tech/tech-news/2025/07/07/cyber-forensics-explained-investigating-the-digital-crime-scene
