Digital forensics or digital forensic science is a branch of forensic science, and a core discipline within cybersecurity, concerned with the recovery and investigation of material found in digital devices, often in relation to computer crime. Digital forensics was originally used as a synonym for computer forensics but has expanded to cover the investigation of all devices that store digital data.

    As society increases its reliance on computer systems and cloud computing, digital forensics becomes a crucial capability for law enforcement agencies and businesses alike. Digital forensics is concerned with the identification, preservation, examination, and analysis of digital evidence, using scientifically accepted and validated processes, so that it can be used in and outside of a court of law.

    While its roots stretch back to the personal computing revolution in the late 1970s, digital forensics began to take shape in the 1990s and it wasn't until the early 21st century that countries like the United States began rolling out nationwide policies.  

    Today, the technical side of an investigation is commonly divided into five branches according to the kind of device or data involved; whichever branch applies, the work encompasses seizure, forensic imaging, and analysis of digital media.

    What is the Purpose of Digital Forensics?

    The most common use of digital forensics is to support or refute a hypothesis in a criminal or civil court:

    • Criminal cases: Involving the investigation of unlawful activity, whether committed with computers or merely recorded on them. These cases are usually carried out by law enforcement agencies and digital forensic examiners.
    • Civil cases: Involving the protection of the rights and property of individuals or contractual disputes between commercial entities, where a form of digital forensics called electronic discovery (eDiscovery) is used.

    Digital forensics experts are also hired by the private sector as part of cybersecurity and information security teams to identify the cause of data breaches, data leaks, cyber-attacks, and other cyber threats.

    Digital forensic analysis may also be part of incident response to help recover or identify any sensitive data or personally identifiable information (PII) that was lost or stolen in a cybercrime.

    What is Digital Forensics Used For?

    Digital forensics is used in both criminal and private investigations.

    Traditionally, it is associated with criminal law, where evidence is collected to support or negate a hypothesis before the court. Collected evidence may also be used for intelligence gathering or to locate, identify or halt other crimes; material gathered purely for intelligence is sometimes held to a less strict standard than evidence destined for court.

    In civil litigation and corporate matters, digital forensic teams may support electronic discovery (eDiscovery). A common corporate example is the investigation that follows an unauthorized network intrusion, where a forensic examiner attempts to understand the nature and extent of the attack and to identify the attacker.

    As encryption becomes more widespread, forensic investigation becomes harder: few jurisdictions have laws compelling individuals to disclose encryption keys, and once an encrypted device is powered off its contents may be unrecoverable without the key, which is one reason examiners increasingly capture volatile memory while a system is still running.

    What is the Digital Forensics Investigation Process?

    There are a number of methodologies for the forensic process, which define how forensic examiners should gather, process, analyze, and extract data. Digital forensics investigations commonly consist of four stages:

    1. Seizure: Prior to actual examination, the digital media is seized and documented (what was taken, from where, when and by whom). In criminal cases, this will be performed by law enforcement personnel to preserve the chain of custody.
    2. Acquisition: Once the assets are seized, a forensic duplicate of the data is created, using a hardware duplicator or software imaging tool, normally through a write blocker so that nothing can be written back to the original. The original drive is then returned to secure storage to prevent tampering. The acquired image is hashed (historically with MD5 or SHA-1; SHA-256 is preferred today because both older functions have known collision attacks) and the digest is compared with a hash of the source; the image is re-hashed throughout the analysis to verify the evidence is still in its original state.
    3. Analysis: After the acquisition of the evidence, files are analyzed to identify evidence to support or contradict a hypothesis. The forensic analyst usually recovers evidence material using a number of methods (and tools), often beginning with the recovery of deleted information. The type of data analyzed varies but will generally include email, chat logs, images, internet history, and documents. The data can be recovered from allocated space, unallocated space (where deleted files persist until overwritten), file slack, or the operating system's caches.
    4. Reporting: Once the investigation is complete, the information is collated into a report that is accessible to non-technical individuals. It may include audit information or other meta-documentation.
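    The acquisition and analysis stages above, run against a constructed sample image, as an added example in Python (not code from the original page or from any named forensic tool): the source is read exactly once through a hashing stream, the image is verified before analysis and again after a simulated accidental write, and a deleted JPEG is recovered from unallocated space by signature carving. The 64 KiB sample device, the file names and the `BLOCK` size are assumptions for the example.

```python
import hashlib
import os
import tempfile

BLOCK = 4096                      # read/write granularity; an assumption for the example
JPEG_SOI = b"\xff\xd8\xff"        # JPEG start-of-image marker
JPEG_EOI = b"\xff\xd9"            # JPEG end-of-image marker


def build_sample_device() -> bytes:
    """Constructed 64 KiB 'disk': 16 KiB of allocated text, then unallocated
    space holding a JPEG whose directory entry has been deleted."""
    allocated = (b"quarterly_report.txt: revenue figures for Q1 " * 400)[: 4 * BLOCK]
    deleted_jpeg = JPEG_SOI + b"\xe0\x00\x10JFIF" + bytes(range(256)) * 4 + JPEG_EOI
    image = allocated + b"\x00" * (2 * BLOCK) + deleted_jpeg
    return image + b"\x00" * (16 * BLOCK - len(image))


def acquire(source_path: str, image_path: str, algos=("md5", "sha1", "sha256")) -> dict:
    """Bit-for-bit copy of the source, hashing the stream as it is read so the
    original is touched exactly once. Returns {algorithm: hex digest}."""
    hashes = {name: hashlib.new(name) for name in algos}
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK), b""):
            for h in hashes.values():
                h.update(chunk)
            dst.write(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def hash_file(path: str, algo: str) -> str:
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(image_path: str, expected: dict) -> bool:
    """Re-hash the image and compare with the digests recorded at acquisition.
    Run before and after every analysis session; any mismatch means the
    working copy can no longer be presented as the evidence."""
    return all(hash_file(image_path, algo) == digest for algo, digest in expected.items())


def carve_jpegs(image: bytes) -> list:
    """Signature carving: find JPEG start markers and the following end marker
    without consulting a filesystem, so deleted files are found too.
    Returns (offset, length) pairs."""
    found, pos = [], 0
    while (start := image.find(JPEG_SOI, pos)) != -1:
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            break
        found.append((start, end + len(JPEG_EOI) - start))
        pos = end + len(JPEG_EOI)
    return found


def run_case(workdir: str = None) -> dict:
    """Acquire, verify, analyse, then show that an accidental write is detected."""
    workdir = workdir or tempfile.mkdtemp()
    device = os.path.join(workdir, "evidence_device.bin")   # stands in for /dev/sdX
    image = os.path.join(workdir, "evidence.dd")
    with open(device, "wb") as f:
        f.write(build_sample_device())
    hashes = acquire(device, image)
    intact_at_acquisition = (verify(image, hashes)
                             and hash_file(device, "sha256") == hashes["sha256"])
    with open(image, "rb") as f:
        carved = carve_jpegs(f.read())
    with open(image, "r+b") as f:        # simulate an examiner writing to the working copy
        f.write(b"X")
    return {
        "hashes": hashes,
        "carved": carved,
        "intact_at_acquisition": intact_at_acquisition,
        "intact_after_write": verify(image, hashes),
    }


if __name__ == "__main__":
    print(run_case())
```

    On a real case the source path would be a block device behind a write blocker, the digests would be recorded in the case notes at the moment of acquisition, and the carver would be extended with the signatures of every file type of interest; the verification step is the part that should never be skipped.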

    What Tools Do Digital Forensic Examiners Use?

    In the 1980s, very few digital forensic tools existed, which forced forensic investigators to perform live analysis, using existing sysadmin tools to extract evidence. This carried the risk of modifying data on the disk which led to claims of evidence tampering.

    The need for software to address this problem was first recognized in 1989 at the Federal Law Enforcement Training Center and resulted in the creation of IMDUMP and SafeBack. DIBS, a hardware and software solution, was released commercially in 1991.

    These tools create an exact copy of a piece of digital media to work on while leaving the original disk intact for verification. By the end of the 1990s, the demand for digital evidence meant more advanced tools such as EnCase and FTK were developed, allowing analysts to examine copies of media without live forensics.

    There is now a trend towards live memory forensics, capturing and analysing RAM (which holds running processes, network connections and often decryption keys that never reach disk) using tools such as WindowsSCOPE, and towards tools for mobile devices.

    Today, there are single-purpose open-source tools like Wireshark, a packet sniffer, and HashKeeper, a database of hash values of known files that lets an examiner filter them out and speed up an examination. There are also commercial platforms with multiple functions and reporting capabilities like EnCase, and CAINE, an entire open-source Linux distribution designed for forensic work.

    In general, tools can be broken down into the following ten categories:

    1. Disk and data capture tools
    2. File Viewers
    3. File analysis tools
    4. Registry analysis tools
    5. Internet analysis tools
    6. Email analysis tools
    7. Mobile devices analysis tools
    8. Mac OS analysis tools
    9. Network forensics tools
    10. Database forensics tools

    What are the Different Branches of Digital Forensics?

    Digital forensics is no longer synonymous with computer forensics. It is increasingly concerned with data from other digital devices such as tablets, smartphones, flash drives, and even cloud computing.

    In general, we can break digital forensics into five branches:

    1. Computer forensics
    2. Mobile device forensics
    3. Network forensics
    4. Forensic data analysis
    5. Database forensics

    What is Computer Forensics?

    Computer forensics or computer forensic science is a branch of digital forensics concerned with evidence found in computers and digital storage media. The goal of computer forensics is to examine digital data with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information.

    It is used in both computer crime and civil proceedings. The discipline has similar techniques and principles to data recovery, with additional guidelines and practices designed to create a legal audit trail with a clear chain of custody.

    Evidence from computer forensics investigations is subjected to the same guidelines and practices as other digital evidence.

    What is Mobile Device Forensics?

    Mobile device forensics is a branch of digital forensics focused on the recovery of digital evidence from mobile devices using forensically sound methods.

    While the phrase mobile device generally refers to mobile phones, it can relate to any device that has internal memory and communication ability including PDA devices, GPS devices, and tablets.

    While the use of mobile phones in crime has been widely recognized for years, the forensic study of mobile phones is a new field, beginning in the late 1990s.

    The growing need for mobile device forensics is driven by:

    • Use of mobile phones to store and transmit personal and corporate information
    • Use of mobile phones in online transactions

    That said, mobile device forensics is particularly challenging due to:

    • Evidential and technical limits: cell site analysis, for example, can establish roughly which cell site zone a call was made or received from, but not a specific location such as an address
    • Changes in mobile phone form factors, operating systems, data storage, services, peripherals, and even pin connectors and cables
    • Storage capacity growth
    • Their proprietary nature
    • Hibernation behaviour, in which processes are suspended when the device is off or idle, so that volatile state can be lost or altered between seizure and examination

    As a result of these challenges, many tools exist to extract evidence from mobile devices. But no one tool or method can acquire all evidence from all devices. This has forced forensic examiners, especially those who wish to be expert witnesses, to undergo extensive training to understand how each tool and method acquires evidence, how it maintains forensic soundness, and how it meets legal requirements.

    What is Network Forensics?

    Network forensics is a branch of digital forensics focused on monitoring and analyzing computer network traffic for information gathering, legal evidence, or intrusion detection.

    Unlike other branches of digital forensics, network data is volatile and dynamic: once transmitted it is gone unless it was captured, so network forensics is often a proactive investigation in which traffic is recorded in advance.

    Network forensics has two general uses:

    1. Monitoring a network for anomalous traffic and identifying intrusions.
    2. Analysis of captured network traffic by law enforcement as part of criminal investigations.
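    As an added example of the first use (not code from the original page or from any named tool), the following Python builds a small classic-format pcap from constructed Ethernet/IPv4/TCP frames, parses it back the way a capture tool would, and flags a source that sent SYNs to many distinct ports on one host, the pattern of a port scan that precedes many intrusions. The IP addresses, ports, the 10-port threshold and the 60-second window are assumptions for the example; the writer and parser handle only IPv4/TCP over Ethernet.

```python
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_MAGIC_BE = 0xD4C3B2A1
LINKTYPE_ETHERNET = 1
SYN, ACK = 0x02, 0x10


def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_frame(src: str, dst: str, sport: int, dport: int, flags: int = SYN) -> bytes:
    """Ethernet/IPv4/TCP frame. Checksums are left zero: this is constructed
    sample traffic for the example, not a capture from a real network."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # zero MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     _ip(src), _ip(dst))
    return eth + ip + tcp


def build_pcap(frames, t0: int = 1_700_000_000) -> bytes:
    """Classic little-endian pcap: 24-byte global header, then a 16-byte record
    header per packet, one packet every millisecond."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", t0, i * 1000, len(frame), len(frame)) + frame
    return out


def parse_pcap(data: bytes):
    """Yield (timestamp, src, dst, sport, dport, flags) for each TCP/IPv4 packet."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack_from(endian + "IHHiIII", data, 0)[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                       # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6 or len(frame) < 14 + ihl + 14:
            continue                                       # not TCP, or truncated
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        flags = frame[14 + ihl + 13]
        yield ts_sec + ts_usec / 1e6, src, dst, sport, dport, flags


def detect_port_scans(packets, threshold: int = 10, window: float = 60.0) -> dict:
    """Flag sources that open connections (SYN without ACK) to at least
    `threshold` distinct ports on one host within `window` seconds.
    Returns {src: {dst: sorted ports}}."""
    first_seen, targets = {}, defaultdict(set)
    for ts, src, dst, _, dport, flags in packets:
        if flags & SYN and not flags & ACK:
            key = (src, dst)
            first_seen.setdefault(key, ts)
            if ts - first_seen[key] <= window:
                targets[key].add(dport)
    hits = defaultdict(dict)
    for (src, dst), ports in targets.items():
        if len(ports) >= threshold:
            hits[src][dst] = sorted(ports)
    return dict(hits)


def sample_capture() -> bytes:
    """Constructed traffic: one client talking to HTTPS, one host sweeping
    ports 20-35, and a single SYN/ACK reply that must not count as a probe."""
    frames = [build_frame("10.0.0.5", "10.0.0.10", 50000 + i, 443) for i in range(5)]
    frames += [build_frame("10.0.0.66", "10.0.0.10", 40000 + p, p) for p in range(20, 36)]
    frames += [build_frame("10.0.0.10", "10.0.0.66", 22, 40022, flags=SYN | ACK)]
    return build_pcap(frames)


def analyse(pcap_bytes: bytes) -> dict:
    return detect_port_scans(parse_pcap(pcap_bytes))


if __name__ == "__main__":
    print(analyse(sample_capture()))
```

    The same `parse_pcap` and `detect_port_scans` functions run unchanged over a file written by tcpdump or Wireshark in classic pcap format; pcapng and other link types would need their own readers, and on a real capture the threshold should be tuned against the network's normal behaviour.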

    What is Forensic Data Analysis?

    Forensic data analysis (FDA) is a branch of digital forensics that examines structured data in regard to incidents of financial crime. The aim is to discover and analyze patterns of fraudulent activities. Structured data is data from application systems or their databases.

    This can be contrasted with unstructured data, which is taken from communications, office applications, and mobile devices. Unstructured data has no overarching structure, so analysing it means searching for keywords or matching patterns. Analysis of unstructured data is usually done by computer forensics or mobile device forensics experts.

    What is Database Forensics?

    Database forensics is a branch of digital forensics concerned with databases, their contents and their related metadata. Because a database server may hold cached data and uncommitted changes only in RAM, live analysis techniques may also be required.

    A forensic examination of a database may inspect timestamps, such as the update time of a row in a relational database, and test them for validity against other records (transaction logs, audit tables, backups) in order to verify the actions of a database user. Alternatively, it may focus on identifying transactions within a database or application that indicate evidence of wrongdoing, such as fraud.
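    As an added example of the timestamp checks just described (not code from the original page or from any named tool), the following Python loads a constructed payments table and its audit log into an in-memory SQLite database and runs four consistency queries: rows updated before they were created, rows whose creation time runs backwards against the auto-increment id, rows whose INSERT was logged later than their stated creation time, and updated rows with no corresponding audit entry. The table names, columns and data are assumptions for the example; on a real case the queries would be run against a forensic copy or a read-only connection, never the live production database.

```python
import sqlite3

SCHEMA = """
CREATE TABLE payments (
    id         INTEGER PRIMARY KEY AUTOINCREMENT,
    payee      TEXT,
    amount     REAL,
    created_at TEXT,      -- ISO 8601, so string comparison is chronological
    updated_at TEXT,
    updated_by TEXT
);
CREATE TABLE audit_log (
    seq        INTEGER PRIMARY KEY AUTOINCREMENT,
    payment_id INTEGER,
    action     TEXT,
    actor      TEXT,
    at         TEXT
);
"""

# Constructed sample data for the example. Row 3 was inserted on 2 March but
# carries a February timestamp; row 4 was edited with no audit entry and its
# updated_at precedes its created_at.
PAYMENTS = [
    (1, "Acme Ltd", 1200.00, "2024-03-01T09:00:00", "2024-03-01T09:00:00", "alice"),
    (2, "Globex",    880.50, "2024-03-01T10:00:00", "2024-03-01T10:30:00", "bob"),
    (3, "Initech",  4999.00, "2024-02-15T08:00:00", "2024-02-15T08:00:00", "bob"),
    (4, "Umbrella",  275.00, "2024-03-02T11:00:00", "2024-03-02T09:00:00", "carol"),
]
AUDIT = [
    (1, "INSERT", "alice", "2024-03-01T09:00:00"),
    (2, "INSERT", "bob",   "2024-03-01T10:00:00"),
    (2, "UPDATE", "bob",   "2024-03-01T10:30:00"),
    (3, "INSERT", "bob",   "2024-03-02T17:45:00"),
    (4, "INSERT", "carol", "2024-03-02T11:00:00"),
]

CHECKS = {
    # updated_at earlier than created_at is impossible in normal operation
    "updated_before_created": """
        SELECT id FROM payments WHERE updated_at < created_at""",
    # an auto-increment id orders rows by insertion; created_at should not run backwards
    "created_at_out_of_sequence": """
        SELECT DISTINCT p.id FROM payments p
        JOIN payments q ON q.id < p.id AND q.created_at > p.created_at""",
    # the independent audit record says the INSERT happened after the row's own created_at
    "insert_logged_after_created_at": """
        SELECT p.id FROM payments p
        JOIN audit_log a ON a.payment_id = p.id AND a.action = 'INSERT'
        WHERE a.at > p.created_at""",
    # a row changed after creation but the audit log never saw an UPDATE
    "update_without_audit_entry": """
        SELECT p.id FROM payments p
        WHERE p.updated_at <> p.created_at
          AND NOT EXISTS (SELECT 1 FROM audit_log a
                          WHERE a.payment_id = p.id AND a.action = 'UPDATE')""",
}


def open_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO payments VALUES (?, ?, ?, ?, ?, ?)", PAYMENTS)
    conn.executemany(
        "INSERT INTO audit_log (payment_id, action, actor, at) VALUES (?, ?, ?, ?)", AUDIT)
    conn.commit()
    return conn


def timestamp_findings(conn: sqlite3.Connection) -> dict:
    """Run every check and return {check_name: sorted list of suspect row ids}."""
    return {name: sorted(row[0] for row in conn.execute(sql)) for name, sql in CHECKS.items()}


if __name__ == "__main__":
    for name, ids in timestamp_findings(open_sample_db()).items():
        print(f"{name}: {ids or 'none'}")
```

    Each query cross-checks a timestamp against a record the suspect could not easily alter in step with it (the auto-increment sequence, the audit table); a finding is a lead for the examiner to corroborate against transaction logs or backups, not proof of wrongdoing on its own.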
