Introduction

Digital forensics is the science of preserving and analyzing digital data; the results can then be used in court cases as well as for crime detection and prevention. Digital forensics began in the 1970s and was initially used as a tool for fighting financial crime. Today, with computers and digital devices being an integral part of our professional and private lives, digital forensics is needed in a wide variety of disputes.

Categories of Digital Evidence

Because there are so many different types of digital evidence, it is usually broken down into four main categories based on its source. They are:

Computer forensics: The oldest branch, this focuses on digital information from computers, including laptops and desktops, memory, hard drives, operating systems, and logs. Usually, the computer is seized and a forensic image of its drive is created for analysis, so that the examination never touches the original. One of the main aspects of computer forensics is recovering deleted files.

Mobile forensics: As mobile phones became ubiquitous in the early 2000s, this category emerged. A mobile device is generally defined as one with a built-in communication system (such as GSM or SMS) as well as location information via GPS; in practice the category also covers cameras and USB drives.

Network forensics: One of the newest categories, this monitors and collects evidence related to computer networks. It is often used to detect intrusions into companies as well as to examine packets of data transmitted through the network. Information can be gathered en masse and stored for later analysis, or collected in real time and filtered to watch for specific files or events.

Database forensics: The analysis of data and metadata contained in databases such as Microsoft SQL Server, Oracle, and others. This information is helpful in tracking financial crime as well as in establishing timelines of events.

There are sub-categories such as email forensics, software-specific forensics, hardware forensics, and web forensics that offer additional niche specialties.

Classifications of Digital Evidence

Digital evidence is usually further grouped in three ways:

Source: Metadata or other artifacts can reveal where the information came from. For example, some programs embed a watermark or code that identifies a file's origin or authenticity, information that can make or break a case.

Format: Storing and preserving evidence in its original format is very important, and many tools exist for this purpose, including disk imaging.

Type: This defines what the evidence is: an email? A document or spreadsheet? A text message? Each type of evidence should have its own protocols for preservation and assessment.

The process of gathering digital evidence

The main role of digital forensics professionals is to gather data from a suspect's device, whether a computer, a mobile, or any other device, and determine whether the person in question has committed a crime or has violated a company's policies, rules, or regulations. The international standard ISO/IEC 27037 explicitly defines the rules and procedures for evidence identification, collection, acquisition, and preservation.

Identification: Identification is the act of searching for, detecting, and documenting digital evidence. During this process, the DEFR (digital evidence first responder) must examine all devices used in the perpetration of a crime, as well as camouflaged devices that seem irrelevant at first glance. Additionally, the DEFR should take virtual components such as cloud computing into consideration (Federici, 2014; Chung et al., 2012).

Collection: Once identification is complete, all identified devices should be transferred to the laboratory for analysis. Apart from these devices, the DEFR should also collect any physical materials that could be related to the crime, such as paper notes, glass, hairs, or other substances.

Acquisition: Acquisition is the process of copying digital evidence from electronic media. There are four methods for acquiring data: disk-to-disk copy, disk-to-image file, logical disk-to-disk file, and sparse data copy of a file or folder. Sparse acquisition is useful when there is too much data to acquire in full, as with RAID sets or very large drives. While collecting digital evidence, examiners must comply with the "Order of Volatility" rule, which defines the sequence in which evidence is collected: from the most volatile data (registers, memory, running processes, network state) to the least volatile (disk, then archival media). Moreover, the appropriate tool must be used for acquisition, and a test acquisition should always be performed on a test drive before the suspect drive is touched. Finally, always validate the acquisition by hashing both the source and the image, for example with a hexadecimal editor's built-in SHA-1 or MD5 functions; because MD5 and SHA-1 have known collision attacks, record a SHA-256 hash alongside them so the image's integrity can still be defended later.

Preservation: Preservation is the process of keeping digital evidence at a secure physical site so that it cannot be changed or altered, with the hashes taken at acquisition recorded so that integrity can be re-verified at any later point. Only well-preserved evidence can be presented in court proceedings.
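The acquisition and preservation steps above, as an added example that is not part of the original article: a disk-to-image copy that hashes the bytes as they are written, records MD5 and SHA-256 in an acquisition record, and later re-hashes the image to prove it is unchanged. The "drive" is a constructed file in a temporary directory standing in for a block device; on a real system the source would be the device node, read through a hardware write blocker, and the record would go into the chain-of-custody log. Function names and the record layout are assumptions made for this example.

```python
"""Disk-to-image acquisition with hash verification (added example, not the article's code)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 1024 * 1024  # read the source in 1 MiB blocks, like dd bs=1M


def acquire_image(source_path, image_path, block_size=BLOCK):
    """Disk-to-image copy: stream the source into image_path while hashing the
    same bytes, so the recorded hash covers exactly the data that was written."""
    hashes = {"md5": hashlib.md5(), "sha256": hashlib.sha256()}
    size = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            block = src.read(block_size)
            if not block:
                break
            for h in hashes.values():
                h.update(block)
            dst.write(block)
            size += len(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image really reached the media
    # Acquisition record (assumed layout): what was imaged, when, and its hashes.
    return {
        "source": source_path,
        "image": image_path,
        "bytes": size,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        **{name: h.hexdigest() for name, h in hashes.items()},
    }


def hash_file(path, algorithm, block_size=BLOCK):
    """Independent re-hash of a file, used for verification after the copy."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(block_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(record):
    """Re-hash the image and compare with the acquisition record. Both digests
    must match; a mismatch means the image is not faithful or was altered since."""
    return all(hash_file(record["image"], alg) == record[alg] for alg in ("md5", "sha256"))


def demo():
    """Constructed end-to-end run: a fake 2 MiB 'drive', acquisition, verification,
    then a one-byte change to the image to show verification catching it."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "suspect_drive.bin")
        image = os.path.join(tmp, "suspect_drive.dd")
        with open(source, "wb") as f:
            f.write(bytes(range(256)) * 8192)  # 2 MiB of constructed sample data
        record = acquire_image(source, image)
        verified = verify_image(record)
        with open(image, "r+b") as f:  # simulate tampering after acquisition
            f.seek(1000)
            f.write(b"\xff")
        return {
            "record": record,
            "verified": verified,
            "verified_after_tamper": verify_image(record),
            "source_recheck_sha256": hash_file(source, "sha256"),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The hash is computed on the byte stream as it is copied rather than by hashing the source a second time, so the record describes the exact bytes in the image; a separate read of the source serves as the independent check. Any later re-verification only needs the image and the record.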

Computer Forensics Training

What next?

The optimal way to learn the ins and outs of digital forensics and prepare for your Computer Forensics cert exam is by taking Infosec Institute’s Computer and Mobile Forensics Bootcamp. This intensive, seven-day course includes investigating data from real forensics cases and preparing reports. It also comes with an exam pass guarantee for students who choose the Live Online option – if you don’t pass on your first try, we’ll let you try again for free! Take the next step in your digital forensics career and sign up today.

Be Safe

Section Guide

Stephen
Moramarco

View more articles from Stephen
