Digital forensics or digital forensic science is a branch of cybersecurity focused on the recovery and investigation of material found in digital devices and cybercrimes. Digital forensics was originally used as a synonym for computer forensics but has expanded to cover the investigation of all devices that store digital data.
As society increases its reliance on computer systems and cloud computing, digital forensics becomes a crucial aspect of law enforcement agencies and businesses. Digital forensics is concerned with the identification, preservation, examination, and analysis of digital evidence, using scientifically accepted and validated processes, to be used in and outside of a court of law.
While its roots stretch back to the personal computing revolution in the late 1970s, digital forensics began to take shape in the 1990s and it wasn't until the early 21st century that countries like the United States began rolling out nationwide policies.
Today, the technical aspect of an investigation is divided into five branches that encompass seizure, forensic imaging, and analysis of digital media.
The most common use of digital forensics is to support or refute a hypothesis in a criminal or civil court:
Digital forensics experts are also hired by the private sector as part of cybersecurity and information security teams to identify the cause of data breaches, data leaks, cyber-attacks, and other cyber threats.
Digital forensic analysis may also be part of incident response to help recover or identify any sensitive data or personally identifiable information (PII) that was lost or stolen in a cybercrime.
Digital forensics is used in both criminal and private investigations.
Traditionally, it is associated with criminal law where evidence is collected to support or negate a hypothesis before the court. Collected evidence may be used as part of intelligence gathering or to locate, identify or halt other crimes. As a result, data gathered may be held to a less strict standard than in traditional forensics.
In civil cases, digital forensic teams may help with electronic discovery (eDiscovery). A common example is the investigation that follows an unauthorized network intrusion. A forensics examiner will attempt to understand the nature and extent of the attack, as well as try to identify the attacker.
As encryption becomes more widespread, forensic investigation becomes harder, due to the limited laws compelling individuals to disclose encryption keys.
There are a number of methodologies for the forensic process, which define how forensic examiners should gather, process, analyze, and extract data. Digital forensics investigations commonly consist of four stages:
In the 1980s, very few digital forensic tools existed, which forced forensic investigators to perform live analysis, using existing sysadmin tools to extract evidence. This carried the risk of modifying data on the disk which led to claims of evidence tampering.
The need for software to address this problem was first recognized in 1989 at the Federal Law Enforcement Training Center and resulted in the creation of IMDUMP and SafeBack. DIBS, a hardware and software solution, was released commercially in 1991.
These tools create an exact copy of a piece of digital media to work on while leaving the original disk intact for verification. By the end of the 1990s, the demand for digital evidence meant more advanced tools such as EnCase and FTK were developed, allowing analysts to examine copies of media without live forensics.
There is now a trend towards live memory forensics using tools such as WindowsSCOPE and tools for mobile devices.
Today, there are single-purpose open-source tools like Wireshark, a packet sniffer, and HashKeeper, a tool to speed up the examination of database files, as well as commercial platforms with multiple functions and reporting capabilities such as EnCase, and CAINE, an entire Linux distribution built around forensic programs.
In general, tools can be broken down into the following ten categories:
Digital forensics is no longer synonymous with computer forensics. It is increasingly concerned with data from other digital devices such as tablets, smartphones, flash drives, and even cloud computing.
In general, we can break digital forensics into five branches:
Computer forensics or computer forensic science is a branch of digital forensics concerned with evidence found in computers and digital storage media. The goal of computer forensics is to examine digital data with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information.
It is used in both computer crime and civil proceedings. The discipline has similar techniques and principles to data recovery, with additional guidelines and practices designed to create a legal audit trail with a clear chain of custody.
Evidence from computer forensics investigations is subjected to the same guidelines and practices as other digital evidence.
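The imaging tools described above work by copying every byte of the seized media to an image file and recording a hash of both, so that the original can be left untouched and the copy can be shown to be identical; the same hash, re-checked later, is what gives the legal audit trail and chain of custody their weight. The following is an added example, not code from the page or from any of the tools it names. It simulates the procedure in Python on a constructed 64 KiB stand-in for a drive; the file names, the examiner and case identifiers, and the `.custody.json` log format are assumptions made for the example.

```python
import hashlib
import hmac
import json
import os
import random
import tempfile
from datetime import datetime, timezone

CHUNK = 64 * 1024  # read in fixed-size blocks so very large media never sit in memory


def sha256_file(path):
    """Hash a file in chunks; the same routine is used for source and image."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def make_sample_device(path, size=64 * 1024):
    """Constructed stand-in for a seized drive: deterministic pseudo-random bytes
    behind a recognisable header. It is not a real disk image."""
    rng = random.Random(1337)
    payload = bytearray(rng.getrandbits(8) for _ in range(size))
    payload[0:8] = b"EVIDENCE"
    with open(path, "wb") as f:
        f.write(payload)


def acquire(source_path, image_path, examiner, case_id="CASE-PLACEHOLDER"):
    """Bit-for-bit copy of the source, hashing the bytes as they are read.
    The source is only ever opened read-only; in a real acquisition a hardware
    write blocker sits in front of the evidence drive as well. Returns the
    chain-of-custody record, which is also written next to the image."""
    h_src = hashlib.sha256()
    size = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h_src.update(block)
            dst.write(block)
            size += len(block)
    image_hash = sha256_file(image_path)  # re-read the written image independently
    record = {
        "case_id": case_id,  # placeholder identifier, assumed for the example
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "source": os.path.abspath(source_path),
        "image": os.path.abspath(image_path),
        "bytes": size,
        "source_sha256": h_src.hexdigest(),
        "image_sha256": image_hash,
    }
    record["verified"] = hmac.compare_digest(record["source_sha256"], image_hash)
    with open(image_path + ".custody.json", "w") as log:
        json.dump(record, log, indent=2)
    return record


def verify(image_path, expected_sha256):
    """Re-hash an image later (before analysis, before court) and compare it with
    the hash recorded at acquisition. Any changed byte changes the digest."""
    return hmac.compare_digest(sha256_file(image_path), expected_sha256)


def run_demo():
    """Acquire the constructed device, verify the image, then flip one byte of
    the image and show that verification fails. Returns (record, intact, after_tamper)."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "evidence_drive.bin")
        img = os.path.join(work, "evidence_drive.dd")
        make_sample_device(src)
        record = acquire(src, img, examiner="examiner-1")
        intact = verify(img, record["source_sha256"])
        with open(img, "r+b") as f:  # simulate a single-byte change to the working copy
            f.seek(4096)
            original = f.read(1)
            f.seek(4096)
            f.write(bytes([original[0] ^ 0xFF]))
        after_tamper = verify(img, record["source_sha256"])
    return record, intact, after_tamper


if __name__ == "__main__":
    rec, ok, tampered_ok = run_demo()
    print(json.dumps(rec, indent=2))
    print("image verified:", ok, "| verified after one-byte change:", tampered_ok)
```

The source hash is computed from the same bytes that are written, while the image hash is taken from a separate read of the finished file; agreement between the two is what the custody record attests to, and a later `verify()` against the recorded value is the check an examiner repeats before analysis and before presenting results.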
Mobile device forensics is a branch of digital forensics focused on the recovery of digital evidence from mobile devices using forensically sound methods.
While the phrase mobile device generally refers to mobile phones, it can relate to any device that has internal memory and communication ability including PDA devices, GPS devices, and tablets.
While the use of mobile phones in crime has been widely recognized for years, the forensic study of mobile phones is a new field, beginning in the late 1990s.
The growing need for mobile device forensics is driven by:
That said, mobile device forensics is particularly challenging due to:
As a result of these challenges, many tools exist to extract evidence from mobile devices. But no one tool or method can acquire all evidence from all devices. This has forced forensic examiners, especially those who wish to be expert witnesses, to undergo extensive training to understand how each tool and method acquires evidence, how it maintains forensic soundness, and how it meets legal requirements.
Network forensics is a branch of digital forensics focused on monitoring and analyzing computer network traffic for information gathering, legal evidence, or intrusion detection.
Unlike other branches of digital forensics, network data is volatile and dynamic: once transmitted, it is gone, so network forensics is often a proactive investigation in which traffic is captured ahead of time.
Network forensics has two general uses:
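Because network traffic is gone once it has crossed the wire, the evidence in network forensics is whatever was captured beforehand, typically a packet capture file such as Wireshark produces. The following is an added example, not code from the page or from Wireshark, showing how a capture is read back: it builds a small constructed pcap in memory (one completed TCP handshake carrying an HTTP request, then three lone SYN packets from a second host to different ports), parses the Ethernet, IPv4 and TCP headers, groups packets into conversations with timestamps and byte counts, and flags sources with several half-open connections to distinct ports, a common intrusion-detection indicator. The addresses, ports and timestamps are constructed; the hosts 10.0.0.5, 10.0.0.7 and 10.0.0.9 exist only in this example.

```python
import socket
import struct
from collections import defaultdict

SYN, PSH, ACK = 0x02, 0x08, 0x10
ETHERTYPE_IPV4 = b"\x08\x00"


def tcp_packet(src, dst, sport, dport, flags, payload=b""):
    """Build an Ethernet/IPv4/TCP frame. Checksums are left zero; the parser
    below does not validate them, which is enough for a constructed sample."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + ETHERTYPE_IPV4
    return eth + ip + tcp


def build_sample_capture():
    """Constructed pcap (not a real capture): 10.0.0.5 completes a handshake and
    sends an HTTP request to 10.0.0.9:80; five seconds later 10.0.0.7 sends lone
    SYNs to ports 22, 23 and 3389 on 10.0.0.9 that are never answered."""
    t = 1_700_000_000
    records = [
        (t, 0, tcp_packet("10.0.0.5", "10.0.0.9", 51000, 80, SYN)),
        (t, 1000, tcp_packet("10.0.0.9", "10.0.0.5", 80, 51000, SYN | ACK)),
        (t, 2000, tcp_packet("10.0.0.5", "10.0.0.9", 51000, 80, ACK)),
        (t, 3000, tcp_packet("10.0.0.5", "10.0.0.9", 51000, 80, PSH | ACK,
                             b"GET / HTTP/1.1\r\nHost: example\r\n\r\n")),
        (t + 5, 0, tcp_packet("10.0.0.7", "10.0.0.9", 51001, 22, SYN)),
        (t + 5, 500, tcp_packet("10.0.0.7", "10.0.0.9", 51002, 23, SYN)),
        (t + 5, 900, tcp_packet("10.0.0.7", "10.0.0.9", 51003, 3389, SYN)),
    ]
    # pcap global header: magic, version 2.4, tz offset, sigfigs, snaplen, link type 1 (Ethernet)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec, frame in records:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def parse_frame(frame):
    """Return the TCP/IPv4 fields of one Ethernet frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:  # protocol field: 6 is TCP
        return None
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    tcp = frame[14 + ihl:]
    if len(tcp) < 20:
        return None
    sport, dport, _seq, _ack, off_res, flags = struct.unpack("!HHIIBB", tcp[:14])
    payload = tcp[(off_res >> 4) * 4:]
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": flags, "payload": payload}


def parse_pcap(data):
    """Yield parsed TCP packets with timestamps from a classic pcap byte string."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "IHHiIII", data[:24])[6] != 1:
        raise ValueError("only Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        pkt = parse_frame(data[off:off + incl_len])
        off += incl_len
        if pkt:
            pkt["ts"] = ts_sec + ts_usec / 1e6
            yield pkt


def conversations(packets):
    """Group packets into conversations keyed by the unordered endpoint pair.
    The first packet seen is assumed to come from the initiator."""
    convs = {}
    for p in packets:
        key = tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))
        c = convs.setdefault(key, {"packets": 0, "bytes": 0, "first": p["ts"], "last": p["ts"],
                                   "flags": 0, "initiator": p["src"], "responder_port": p["dport"]})
        c["packets"] += 1
        c["bytes"] += len(p["payload"])
        c["first"], c["last"] = min(c["first"], p["ts"]), max(c["last"], p["ts"])
        c["flags"] |= p["flags"]
    return convs


def half_open_sources(convs, threshold=3):
    """Sources with at least `threshold` conversations that never progressed past
    SYN (no ACK in either direction) to distinct ports: a port-scan indicator."""
    ports = defaultdict(set)
    for c in convs.values():
        if c["flags"] & SYN and not c["flags"] & ACK:
            ports[c["initiator"]].add(c["responder_port"])
    return {ip for ip, seen in ports.items() if len(seen) >= threshold}


if __name__ == "__main__":
    convs = conversations(parse_pcap(build_sample_capture()))
    for key, c in convs.items():
        print(key, c["packets"], "pkts", c["bytes"], "payload bytes", f"{c['last'] - c['first']:.3f}s")
    print("half-open sources:", half_open_sources(convs))
```

The parser keeps only what the headers say (addresses, ports, flags, timestamps, payload length) and builds the conversation table from that, which is the same bookkeeping a full tool performs before an examiner drills into a flow; the half-open check is one of many indicators that can be computed once traffic has been grouped this way.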
Forensic data analysis (FDA) is a branch of digital forensics that examines structured data in regard to incidents of financial crime. The aim is to discover and analyze patterns of fraudulent activities. Structured data is data from application systems or their databases.
This can be contrasted with unstructured data taken from communication, office applications, and mobile devices. Unstructured data has no overarching structure, so its analysis means applying keywords or mapping patterns. Analysis of unstructured data is usually done by computer forensics or mobile device forensics experts.
Database forensics is a branch of digital forensics concerned with databases and their related metadata. Cached database contents may also exist in a server's RAM, requiring live analysis techniques.
A forensic examination of a database may focus on the timestamps that record when a row in a relational database was updated, which are inspected and tested for validity to verify the actions of a database user. Alternatively, it may focus on identifying transactions within a database or application that indicate wrongdoing, such as fraud.
Copyright Rick Crouch | Rick Crouch & Associates | PSiRA Registration Number 2791975