The term 'forensic' refers to the use of scientific methods and techniques to investigate crime or examine evidence. It is fair to describe it as the application of science to interpreting evidence in support of investigative procedures. It is also referred to as scientific examination (root cause analysis) aimed at establishing what, who, where, why, when and how an undesirable event happened.
Forensic knowledge is applied in multiple streams, and the field can be sub-divided into various domains. A few of them are:
- Digital Forensics - Uncovering or interpreting electronic data.
- Forensic Anthropology – Study of the human skeleton and its cartilaginous structures to assist with medicolegal death investigations.
- Accounting Forensics – Investigations on accounting transactions and financial information for potential evidence of crimes.
- Forensic Engineering - Investigation of structures, materials or components that failed and thereby caused damage to property or injury.
- Forensic Dentistry - Examination and evaluation of dental procedures or evidence gathering for criminal investigations.
Essentially, digital forensics is the branch of forensic science that focuses on identifying, preserving, analyzing, documenting and reporting on data found in digital devices, most often in relation to cybercrime. The examination can span the entire IT infrastructure that stores and processes data. Results are used to reconstruct events and, when required, to present evidence in a court of law. It involves recovering data such as documents, photos and emails from computer hard drives and other storage devices (flash drives, for example) that may have been deleted, damaged or otherwise manipulated.
“Digital forensics is the process of uncovering and interpreting electronic data. The goal of the process is to preserve any evidence in its most original form while performing a structured investigation by collecting, identifying, and validating the digital information to reconstruct past events.”
- Techopedia
History - In the early 1980s, personal computers became more accessible to consumers, leading to their increased use in criminal activity and giving rise to several new "computer crimes". Computer forensics emerged as a method to recover and investigate digital evidence for use in court. "Digital forensics" was originally used as a synonym for computer forensics, but was later expanded to cover investigations of all devices capable of storing data on digital media. The need for digital evidence led to a new area of criminal investigation.
Digital forensics entails the following steps:
- Identification – Identify the purpose of the investigation and the resources required
- Preservation – Isolate, secure and preserve the required data
- Analysis – Identify tools and techniques to be used, process the data and interpret analysis results
- Documentation – Document the evidence and the scene (photos, sketches, notes, etc.) so that the sequence of events can be recreated
- Presentation – Summarize and properly explain the conclusions supported by the gathered facts.
The three As of digital forensics:
- Acquisition – Collect the data/evidence without altering or damaging it (for example, image the media through a write blocker and compute a cryptographic hash of the original)
- Authentication – Prove that the working copy is an exact copy of the original, typically by showing that the hash of the copy matches the hash of the original
- Analysis – Validate and evaluate the data without modifying it, working on the verified copy rather than on the original
Is digital forensics reliable in the court of law?
Digital evidence is admissible if it can be shown that the evidence asserted in the case remained unaltered throughout the digital forensics process, and that the results of the examination are valid, reliable and have been reviewed.
A few general rules of evidence that apply to digital forensics require that it be admissible, authentic, complete, reliable and believable. Ignoring these rules makes evidence inadmissible, and the case could be thrown out of court.
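The three As and the admissibility rules above come down to one practical question: can you prove that the data you analysed is bit-for-bit what you acquired? The following is an added example, not code from the original article, showing the usual answer: hash the original at acquisition, authenticate the working copy against that hash, and re-verify after analysis. It uses only the Python standard library; the file names, the examiner name and the manifest layout are hypothetical.

```python
"""Evidence integrity workflow for the three As: hash the original at
acquisition, make a working copy and authenticate it against the original,
then re-verify after analysis to show nothing was modified.
Added example using only the Python standard library; file names, the
examiner name and the manifest layout are hypothetical."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # stream 1 MiB at a time so large disk images never sit in RAM


def digest_chunks(chunks, algorithms=("sha256", "md5")):
    """Feed an iterable of byte chunks to several hashers at once and
    return {algorithm: hexdigest}. MD5 is kept only because many older
    reports and tools still quote it; SHA-256 is the value that matters."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path, algorithms=("sha256", "md5")):
    """Hash a file on disk without loading it whole."""
    with open(path, "rb") as f:
        return digest_chunks(iter(lambda: f.read(CHUNK), b""), algorithms)


def acquire(source, working_copy, examiner):
    """Acquisition + authentication: copy the original, prove the copy is
    bit-for-bit identical, and write a manifest that travels with it.
    Raises if the copy does not match, so a bad copy is never analysed."""
    original = hash_file(source)
    shutil.copyfile(source, working_copy)
    if hash_file(working_copy) != original:
        raise RuntimeError("working copy does not match original")
    os.chmod(working_copy, 0o444)  # discourage accidental writes during analysis
    manifest = {
        "source": source,
        "working_copy": working_copy,
        "size_bytes": os.path.getsize(source),
        "hashes": original,
        "acquired_by": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
    }
    with open(working_copy + ".manifest.json", "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify(path, manifest):
    """Return True if the file still matches every hash in the manifest.
    Run this before and after analysis; a False here means the evidence
    can no longer be shown to be unaltered."""
    expected = manifest["hashes"]
    return hash_file(path, tuple(expected)) == expected


def demo():
    """Run the workflow on a constructed evidence file (not real data) and
    show that an undocumented write to the working copy is detected."""
    workdir = tempfile.mkdtemp(prefix="evidence-")
    source = os.path.join(workdir, "suspect-usb.dd")
    copy = os.path.join(workdir, "suspect-usb-working.dd")
    with open(source, "wb") as f:  # constructed stand-in for a drive image
        f.write(b"MBR\x00" * 512 + b"deleted-invoice.pdf\x00" * 64)

    manifest = acquire(source, copy, examiner="A. Examiner")
    before = verify(copy, manifest)  # True: copy authenticated

    # Simulate an analyst (or a careless tool) modifying the working copy.
    os.chmod(copy, 0o644)
    with open(copy, "r+b") as f:
        f.write(b"XXXX")
    after = verify(copy, manifest)  # False: integrity broken, copy is tainted
    original_ok = verify(source, manifest)  # True: the original was never touched
    return manifest, before, after, original_ok


if __name__ == "__main__":
    m, before, after, original_ok = demo()
    print(json.dumps(m, indent=2))
    print("copy verified after acquisition:", before)
    print("copy verified after tampering:  ", after)
    print("original still verified:        ", original_ok)
```

The same pattern applies to a real disk image produced by a write-blocked imaging tool: the hashes recorded at acquisition are the values quoted in the examiner's report, and any later mismatch means the working copy, not the original, has to be discarded and re-copied from the preserved source.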
Some benefits of digital forensics are:
- Recovering, analyzing and preserving computers and related materials as evidence in criminal investigations, which assists the delivery of justice.
- Identifying the motive of the crime and the main culprit.
- Recreating critical data that was assumed to be lost, including recovering deleted files and deleted partitions from digital media.
- Tracking and identifying cyber criminals across the world.
- Identifying new trends in criminal activity to develop mitigation and prevention strategies.
Disadvantages of digital forensics:
- Recovering and preserving digital records for evidence purposes is costly.
- Software and hardware used for analyzing the data is expensive.
- It is a time-consuming process as recovering and analyzing data can take a long time.
- Evidence produced via digital forensics must be proven unaltered and untampered, and the methods used must be proven reliable.
- Expertise in computer science is required to understand the digital information and how it becomes evidence.
- Only specific digital forensic methods are acceptable as per the court of law.
Types of digital forensics:
- Digital Image Forensics – Recovery and analysis of digital photographic images to ascertain their authenticity and history.
- Digital Video/Audio Forensics – Analysis and validation of video and audio files to establish their authenticity or to detect malicious tampering.
- Computer Forensics – Identification, collection, preservation, analysis, documentation and reporting of evidence found on digital media (computers, laptops, and storage media).
- Mobile Device Forensics – Identification, collection, preservation, analysis and reporting of evidence found in mobile devices (smartphones, SIM cards, PDAs, GPS devices, and gaming consoles).
- Network Forensics – Monitoring, capturing, storing and analysis of network activities or events to discover the source or origin of security attacks, intrusions or other incidents, e.g., worm, virus or malware outbreaks, abnormal network traffic and security breaches.
- Memory Forensics – Acquisition of the RAM of a running computer (live acquisition) and analysis of the captured memory for evidence that never reaches disk, such as running processes, open network connections and encryption keys.
Legal considerations surrounding digital forensics:
Any failure to follow proper legal procedures can result in evidence being ruled inadmissible in court. Failure to behave in an ethical manner erodes public confidence in law enforcement, making the job more difficult and less effective. As a result, a guilty criminal might go scot-free. Comparatively little has been written about the legal requirements for admissibility of digital forensic evidence, or about the ethical and regulatory issues related to forensics.
The balance between the individual's right to privacy and the government's power to intrude on that privacy by searching and seizing property should be clearly defined. The Fourth Amendment to the United States Constitution, for example, states: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
The lawful manner of searching and seizing digital equipment, intercepting electronic communications and accessing stored digital information for analysis and evidence documentation should be understood before performing any digital forensic task.
Forensic investigators should understand what constitutes a legal search of a stand-alone computer as opposed to a network; what laws govern obtaining evidence and securing it so that the chain of custody is not compromised; what telecommunications may lawfully be intercepted or examined after they have been received; and what legally protected privacy rights are possessed by employees and other individuals.
Some ethical principles expected of digital forensics practitioners are:
- Honesty
- Fairness
- Good reputation
- Consistency
- Goodwill
- Diligence
- Proficiency
- A sense of community
A few of the legal regulations applicable to digital forensics are (the named acts are United States federal laws):
- Data privacy laws
- Property laws
- Cybercrime laws
- Computer Fraud and Abuse Act
- Children’s Online Privacy Protection Act
- Health Insurance Portability and Accountability Act (HIPAA)
- Telephone Consumer Protection Act (TCPA)
- Family Education Rights & Privacy Act (FERPA)
Certifications relevant to becoming a digital forensics expert:
- Certified Digital Forensics Examiner (CDFE)
- GIAC Network Forensic Analyst (GNFA)
- GIAC Certified Forensic Analyst (GCFA)
- GIAC Cloud Forensics Responder (GCFR)
- GIAC Certified Forensic Examiner (GCFE)