First, let me be clear: I am not an expert in digital forensics. So, a warning: if you are an expert, you may want to move on to the next article. This article is for fellow interns, aspiring private investigators, the computer-challenged, or just my fellow knowledge-thirsty nerds.
It is no surprise that digital forensics is growing so fast. Cyber-crime is one of the world's largest and still growing areas of crime, costing businesses and individuals an estimated $220 billion every year. Because digital forensics is a new and exploding discipline, it is important to understand its very basics and stay abreast of the evolving field.
Think about it: we use computers for just about everything, including work, play, research, learning, communication and business transactions. With that comes criminal activity: individuals using computers to commit, enable and support unwanted activities on our networks and the internet, ultimately affecting individuals, organizations and assets. Law enforcement and forensic investigators are being inundated with cases involving computer crime and electronic evidence.
Some of the typical types of cases involving computer crimes would include the following:
- Copyright infringement
- Money laundering
- Sexual Harassment
- Intellectual Property Theft
- Document tracking
- Illegal copying of software
- Unauthorized use of a computer
- Child pornography
The Digital Forensic Research Workshop (DFRWS) defines digital forensics as “the use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.”
The forensic analysis of a computer’s data should of course always be performed by a qualified and certified Computer Forensic Analyst. You can find these individuals on some of the following web sites:
In your search for a digital forensics expert make sure you do the following:
- Verify his/her credentials
- Get a copy of their resume
- Make sure they will make a good expert witness
- Have them explain the digital forensics process
- Verify their knowledge of the chain of evidence. There are laws and legal processes that must be abided by. They should know and understand the Federal Rules of Evidence.
Just because someone works with computers does not mean they are trained in digital forensics.
The Process: How do they do it?
In my research I found that the digital forensic specialist should have a road map to conduct a thorough investigation. Each case is different, of course, so the process may vary from time to time. Some of the steps of a digital investigation will include:
- Initial consultation – the specialist should understand the scope and goals of the case.
- Collection of evidence – it is important the specialist follows the Federal Rules of Evidence
- Conducting imaging of the data
- Verifying the authenticity and integrity of the data
- Analysis of the data by a certified forensic analyst, without altering the content of the data
- Documenting and reporting all findings in the examination
- Returning the computer
Securing the evidence is crucial!
The standards of admissible evidence should be followed. When the evidence is secured by the forensic specialist, it is important that safeguards are taken so that securing and collecting the evidence does not alter it. As I stated before, the evidence should be obtained by a trained professional.
Some examples of digital evidence collected in these types of investigations are:
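The imaging and integrity-verification steps listed above can be illustrated with a short sketch; this is an added example, not part of the original article. It assumes SHA-256 as the hash, a hypothetical `.custody.json` record format and placeholder examiner name, and uses a small constructed file in place of the seized media.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 1024 * 1024  # read in 1 MiB blocks so large media never has to fit in memory

def sha256_file(path):
    """Hash a file opened read-only, block by block."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK), b""):
            h.update(block)
    return h.hexdigest()

def acquire(source, image, examiner):
    """Copy source to image, hashing the bytes as read, then re-hash the written image."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "xb") as dst:  # "xb": never overwrite an image
        for block in iter(lambda: src.read(BLOCK), b""):
            h.update(block)
            dst.write(block)
    record = {"examiner": examiner,
              "acquired_utc": datetime.now(timezone.utc).isoformat(),
              "source_sha256": h.hexdigest(),
              "image_sha256": sha256_file(image)}
    record["verified"] = record["source_sha256"] == record["image_sha256"]
    with open(image + ".custody.json", "x") as log:  # hypothetical record format
        json.dump(record, log, indent=2)
    return record

def still_intact(image):
    """Re-hash the image and compare with the value recorded at acquisition."""
    with open(image + ".custody.json") as log:
        return sha256_file(image) == json.load(log)["image_sha256"]

def demo():
    """Constructed sample: acquire, verify, then show that a one-byte change is detected."""
    work = tempfile.mkdtemp()
    source, image = os.path.join(work, "media.bin"), os.path.join(work, "media.img")
    with open(source, "wb") as f:
        f.write(b"constructed sample evidence\n" * 1000)
    record = acquire(source, image, examiner="J. Doe (placeholder)")
    before = still_intact(image)
    with open(image, "r+b") as f:  # simulate an accidental alteration during analysis
        f.write(b"X")
    return record["verified"], before, still_intact(image)
```

Calling `demo()` returns whether the image matched the source at acquisition, whether it was intact before analysis, and whether it is still intact after the simulated change.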
- Address books
- Digital Calendars
- Favorites and bookmarks
- Event logs
- Hidden and system files
- Temporary internet files
- Histories and internet activity
- Database files, documents and text files
For a much more detailed description and overview of forensic investigation, check out:
- Mohay, Anderson, Collie, De Vel, and McKemmish, Computer and Intrusion Forensics, Artech House, 2003, (ISBN: 1580533698)
- Casey, Eoghan, Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet, 2d Ed, Academic Press, 2004 (0-12-163104-4)
- McKemmish, Rodney, “What is Forensic Computing?” Australian Institute of Criminology trends and issues in crime and criminal justice, June 1999 (last viewed at www.aic.gov.au on September 27, 2006).
- The Digital Forensic Research Workshop http://www.dfrws.org
- National Institute for Justice http://www.ncjrs.gov/pdffiles1/nij/199408.pdf