What is Digital Forensics?
Digital forensics, sometimes referred to as “computer forensics,” is the process of identification, preservation, examination, documentation, and presentation of digital evidence found on a computer, phone, or digital storage media. Essentially, digital artifacts can be collected from all devices that store data such as phones, laptops, hard disks, pen drives, etc.
Digital forensics involves analyzing these digital artifacts in order to find out what happened, how and when it happened, and who was involved in an alleged crime or malfeasance. The results of a digital forensic investigation can then be used as evidence in a court of law.
What Types of Investigations Require Digital Forensics?
There are broadly two types of investigations where digital forensic expertise is called upon:
Investigations that involve criminal or civil cases. Criminal cases involve alleged violations of law and offenses against individuals or the state, while civil cases involve disputes or lawsuits in which questions of property or money must be settled. Lawyers often rely on digital forensic expertise to present digital evidence in court to support or refute allegations. In criminal cases, computer forensic investigators may obtain and examine computers and other digital devices that may have been used in the crime.
Private investigations are often corporate investigations where organizations hire digital forensic experts to identify the cause of a data breach, a data leak, or a cyberattack that the organization faced. Violations of organizational policies could also lead to such private investigations where digital forensic experts could be called upon. Examples of such situations include corruption, misbehavior or misconduct of employees, and such.
What is the Digital Forensics Process?
Digital forensics is a detailed, methodical process. Strict adherence to a methodology can mean the difference between success and failure of a computer forensics investigation. There are broadly five steps that a digital forensic investigation follows:
Step 1: Identification
In this very first step, all potential sources of evidence that are capable of storing digital information are identified such as computers, phones, hard drives, pen drives, etc. Forensic experts then identify which of these devices require analysis to meet case objectives. The scope could range from a single laptop to a complete network. In the event that an entire network is under scrutiny, the investigator must identify any rogue devices on the network that are unknown to the organization. In such cases, the mapping and identification of all the machines and devices in the networked environment becomes a forensic expert’s first task.
Step 2: Preservation
Next, the materials identified in the first step are isolated, secured, and preserved. Steps are taken to ensure that nobody continues to use these devices, so that the evidence is not altered. Evidence is handled in a manner that maintains the authenticity, and hence the credibility, of the data. An image of the evidence is then created. An image is a bit-by-bit copy of the evidence (hard drive, USB device, shared network folder, etc.). Evidence collection concludes when all relevant evidence has been imaged. The following aspects are among the many issues to be considered in relation to data collection:
- To collect volatile data such as the contents of RAM or the users currently logged into the network, the system must remain powered on during the collection process.
- Creating an image of the evidence requires a duplicate copy of the original source. Hashing techniques should be used to ensure, and later prove, the integrity of that copy.
- When it is necessary to seize the physical devices outright and collect data from them afterwards, the devices may need to be kept on or powered off depending on the specific situation.
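The imaging and hashing step above, as an added example that is not from the original article: a Python sketch that copies a constructed stand-in for a seized device, records the hashes of both the original and the copy in a ledger, and later re-verifies the working copy. The `EVIDENCE` bytes, the `acquire` and `verify_image` names and the ledger layout are assumptions of this example, not any particular tool's format.

```python
import hashlib
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash 1 MiB at a time; a real image is far too large to read into memory

# Constructed stand-in for a seized device: 3 MiB of repeating bytes, not real evidence.
EVIDENCE = bytes(range(256)) * (3 * 4096)

def chunks(data, size=CHUNK):
    """Yield the data block by block, the way a raw device is read."""
    for off in range(0, len(data), size):
        yield data[off:off + size]

def hash_blocks(blocks):
    """MD5 and SHA-256 over a stream of blocks; reporting two algorithms is customary."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    for block in blocks:
        md5.update(block)
        sha.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}

def acquire(source, examiner, ledger):
    """Bit-for-bit copy of the source plus a ledger entry: who imaged it, when, and the
    hashes of both original and copy. The copy is what every later step works on."""
    source_hashes = hash_blocks(chunks(source))
    image = bytes(bytearray(source))                 # force an actual copy of the bytes
    image_hashes = hash_blocks(chunks(image))
    ledger.append({"action": "acquire", "by": examiner,
                   "at": datetime.now(timezone.utc).isoformat(),
                   "source": source_hashes, "image": image_hashes,
                   "verified": source_hashes == image_hashes})
    return image

def verify_image(image, ledger):
    """Re-hash the working copy and compare with the acquisition record; any bit that
    changed since imaging, accidentally or otherwise, shows up as a mismatch."""
    record = next(e for e in reversed(ledger) if e["action"] == "acquire")
    ok = hash_blocks(chunks(image)) == record["image"]
    ledger.append({"action": "verify", "at": datetime.now(timezone.utc).isoformat(), "ok": ok})
    return ok
```

Every acquisition and every later verification lands in the same ledger, which is the raw material for the documentation step described further down.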
Step 3: Examination
This step involves in-depth analysis of all the images or copies of evidence in place. The examination phase is never carried out on the actual evidence so that the original evidence remains intact in the event that something goes wrong. There are different types of data that are of interest to a forensic expert at this point:
- Saved Data - Data that has not been deleted and was not created as a temporary file; it is simply present on the image. This includes files created by the various users of the system under investigation as well as operating-system-specific files.
- Temporary Data - A number of programs on a computer system create temporary files and archived files. For instance, try opening a Microsoft Word document and you will notice in the folder, where the file is located, that a number of temporary files are created that often start with a ‘~’ character or have a “.TMP” extension. Such files represent a snapshot of the original file at some point in time and could be important.
- Deleted Data - Data that is deleted is still present on a computer system or device. Deletion only instructs the operating system to “forget” that this data exists and notes that the location occupied by this data is now free to be overwritten. The data remains there until the computer writes new data on that part of the drive. With the right tools, this deleted data can still be extracted as long as it hasn’t been overwritten. It is also sometimes possible to reconstruct the file even if it has been partially overwritten. Deleted data is sometimes one of the most important pieces of the forensic puzzle.
- Metadata - Metadata is data that describes data. For instance, a file could have related information such as the time of creation of the file, the time it was last modified, the physical location of the file on the hard drive, etc. When data is deleted, it is this metadata that is deleted by the operating system. So, basically, the operating system does not “know” where the data is located anymore. But the fact remains that the data still exists on the drive or storage media.
- Slack Space Data - Slack space is the portion of a file's last allocation unit (cluster) that the file system has reserved for the file but the file does not actually fill. Almost every file on a computer system has some associated slack space. If you were given 1.5 gallons of fuel and had 2 canisters of 1 gallon each to fill, one canister would be full and the other half-full. The empty half of the second canister is the slack space. Because the file system does not clear it, this slack space on storage media can still hold fragments of whatever occupied those sectors before, and such fragments have changed the course of trials.
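An added example, not from the original article, that makes the deleted-data and slack-space points above concrete: a constructed toy volume with an assumed 512-byte cluster size, where deleting a file only drops its directory entry, a signature carver still recovers the JPEG-like file from the raw image, and the unused tail of the file's last cluster still holds bytes of an older memo. All names, sizes and contents are assumptions of this example.

```python
import re

CLUSTER = 512  # assumed allocation unit (cluster size) of this constructed toy volume

def write_file(image, directory, name, first_cluster, data):
    """Allocate whole clusters to a file but write only the file's own bytes into them."""
    start = first_cluster * CLUSTER
    image[start:start + len(data)] = data
    directory[name] = (first_cluster, len(data))  # the metadata: where the file lives

def build_image():
    """Constructed 8-cluster volume: an old memo's bytes linger in cluster 2, then a
    700-byte JPEG-like file is allocated to clusters 1-2 on top of them."""
    image = bytearray(8 * CLUSTER)
    directory = {}
    old_memo = b"OLD MEMO: wire transfer approved by J.D. " * 12  # 492 bytes, metadata long gone
    image[2 * CLUSTER:2 * CLUSTER + len(old_memo)] = old_memo
    photo = b"\xff\xd8\xff\xe0" + b"\x00" * 694 + b"\xff\xd9"  # JPEG SOI ... EOI markers
    write_file(image, directory, "photo.jpg", first_cluster=1, data=photo)
    return image, directory

def delete_file(directory, name):
    """Deletion as the article describes it: the OS forgets the metadata, the bytes stay."""
    del directory[name]

def read_file(image, directory, name):
    """Normal access through metadata: fails with KeyError once the entry is gone."""
    first, size = directory[name]
    return bytes(image[first * CLUSTER:first * CLUSTER + size])

def slack_bytes(image, first_cluster, size):
    """Unused tail of a file's last cluster, the 'half-empty canister' of the analogy."""
    end = first_cluster * CLUSTER + size
    cluster_end = -(-end // CLUSTER) * CLUSTER  # round end up to the next cluster boundary
    return bytes(image[end:cluster_end])

def carve_jpegs(image):
    """Signature carving over the raw image: every FF D8 FF ... FF D9 span, metadata ignored."""
    return [m.group(0) for m in re.finditer(rb"\xff\xd8\xff.*?\xff\xd9", bytes(image), re.DOTALL)]
```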
Step 4: Documentation
In this phase, an accurate record of all activities undertaken in relation to the investigation is created. This includes details of the methods used for retrieving, copying, storing, and testing data as well as methods used to examine and access evidence. The forensic expert creates a timeline of events that serves as a foundation for the investigation. Good documentation is critical and should demonstrate how the integrity of data was maintained and also prove that proper policies and procedures were adhered to by everyone involved in the investigation. An investigator’s failure to accurately document the process could compromise the validity and admissibility of the evidence.
Step 5: Reporting
A good report can serve as the invaluable link between the technical and non-technical elements of a case. A report needs to be comprehensive but at the same time it should be simple and offer an easily understandable explanation of the case-relevant sections of the evidence. The report is, essentially, the evidence itself in a form that everyone present in court can understand and interpret. At a minimum, a forensic report should identify the data and the events that took place, an independent evaluation of the sequence of events, and a conclusion or opinion at the end. There’s a rule of thumb that you need to follow in digital forensics – If You Didn’t Write It Down, It Didn’t Happen! This is a simple rule to live by when it comes to documenting all the activities involved in the investigation.
What are the Procedures for Evidence Handling?
Evidence handling is one of the most important aspects of digital forensics because it singlehandedly determines whether evidence will meet the standards necessary to be admissible in a court of law. Evidence needs to be authentic, reliable, and complete in order to be considered legally valid. Here are some key elements that need to be kept in mind in relation to evidence handling:
- Policies and Procedures
- Chain of Custody
- Handling and Transportation
What Tools are Used in Forensic Investigations?
Various phases of a digital forensic investigation can be significantly aided and made a lot more efficient with the use of forensic tools – both hardware tools and software tools. A very large number of very good tools, both open-source and proprietary, are available in the market today. Each tool supports a specific purpose and phase of the forensic investigation process.
For instance, there are tools for disk data capture, registry analysis, email analysis, mobile device analysis, database analysis, and so on. There are also forensic tools that offer broader functionalities such as network forensic tools and Internet analysis tools.
However, it is important to remember that tools are meant to supplement and support. The real value in a digital forensic investigation is brought to the table by the investigator’s expertise and experience.
Furthermore, when using tools, it is a good idea to use multiple tools when trying to validate findings and/or increase the reliability of the evidence. The National Institute of Standards and Technology (NIST) and the National Institute of Justice (NIJ) have established methodologies and guidance on general tool specifications, hardware, test procedures and more that help organizations and investigators decide upon the best set of tools to use depending on the situation and organization. The Computer Forensics Tools & Techniques Catalog is a great resource at: https://toolcatalog.nist.gov
How do you Pick a Digital Forensics Company?
If you are in need of digital forensic services, here are some things to consider when making a final choice:
- Analyze if the computer forensics company or expert has experience in the platforms and systems that potentially fall within the scope of the investigation. There could be situations where a very competent computer forensics examiner might not be the right choice for your environment because it might be her/his first time reviewing a specific technology in your environment.
- Assess the computer forensic team's and company's qualifications. Several widely acknowledged digital forensics certifications highlight expertise in forensic techniques and procedures, standards of practice, and legal/ethical principles, such as:
  - PCI Forensic Investigator (PFI)
  - EnCase Certified Examiner (EnCE)
  - Certified Computer Forensic Examiner (CCFE)
  - Certified Cyber Forensics Professional
  - GIAC Forensic Examiner (GCFE)
  - GIAC Forensic Analyst
  - GIAC Network Forensic Analyst
  - GIAC Advanced Smartphone Forensics
  Employees holding one or more of these certifications are well-trained in digital forensics services. Also look to see whether the company or its employees have experience in expert witness testimony.
- Check to see if the computer forensic company has good references. Also, ask for sample deliverables of work to verify the quality.
- Verify if the company is willing to testify in court in criminal or civil cases if necessary, before the investigation begins. This is where a company's experience in expert witness testimony can be critical.
- Inquire into the company's infrastructure to ensure that it has a well-equipped digital forensics laboratory and that it regularly upgrades its software and equipment.
What are the Legal Considerations?
Computer forensic investigators must discover evidence to support or refute an allegation in a trial in a lawful manner. Legal issues include the method used to obtain the evidence, the right to access it, and the manner in which it is examined.
Before seizing a computer or other electronic device, investigators need to examine whether the Fourth Amendment requires a search warrant. The investigation team needs to know what constitutes a legal search, what telecommunications can lawfully be intercepted or examined, and what privacy rights employees or others involved in the investigation possess.
There may also be situations where data resides across borders, such as in cases involving datacenters operated by a cloud service provider. In such cases, appropriate legal steps need to be followed which factor in regulations and privacy laws that apply to the other country regarding the retrieval of relevant data from their data centers.
These legal issues are the reason that forensic investigators typically work alongside the client’s General Counsel, prosecutors or outside lawyers who specialize in laws and regulations impacting their investigations.