Digital forensics focuses on the digital devices that may have been used to commit a crime or to provide supporting evidence to link a suspect to a crime such as murder, theft of intellectual property, distribution of indecent images, burglary, drugs, and many others.
The term “digital forensics” originally referred to the examination of computers, but as technology has evolved it has come to cover any digital device that can store data. The evidence found on any device can be pieced together to form a story of what happened when the crime was committed. This evidence can then be used in a court of law if and when required, or in other settings such as Human Resources during employment (alleged misdemeanour, disclosure of sensitive information or theft).
Though digital forensics is a wide discipline, it has only five main branches. Each branch derives its name from the type of data it examines and analyses.
Database forensics is a division of digital forensics that focuses on databases. It often has to do with the analysis of stored data or data living in databases.
This draws on several of the digital evidence types covered elsewhere in this article: metadata, volatile data, replicant data and, sometimes, residual data.
A database forensics expert will review the timestamps associated with the activities in question. This will give cues and clues as to what a user was doing on the computer. Another source of evidence for database investigators is the Transaction Log Data Files.
Database forensics can be used in various ways when uncovering digital evidence. Some of the most common uses include detecting suspicious activity, discovering database loopholes, and guarding against cybercrimes.
Computer forensics remains one of the broadest branches of digital forensics and likely the oldest. This branch first emerged with the rising use of computers among the public. It focuses on investigating, analysing, and understanding data from a computing device.
The most common end goal of computer forensic science is prosecution. But this branch of forensics can also prove helpful in unearthing reasons for failure in digital devices.
A quick example would be when an operating system crashes. Investigators will depend on computer forensics to figure out the cause of the failure.
With 16 billion mobile devices around the world, it is no wonder mobile device forensics exists. More people today depend on their mobile devices than their personal computers.
Most consumers’ mobile devices house their personal information, are connected to their bank accounts, and contain other sensitive data like their location.
This increasing dependence means mobile devices are the perfect place for investigators to look when in search of digital evidence.
Mobile device forensics is the gathering, analysis, and presentation of data scientifically gathered from mobile devices. From mobile devices, investigators can review a user’s search history, financial records, location patterns, and conversations.
Mobile device forensics is used in different industries such as the military, business, and law enforcement.
The third subset of digital forensics on our list revolves around the investigation of computer network traffic. If investigators suspect that a particular network is responsible for spreading viruses or is being used to steal information, they will lean on network forensics to solve the problem.
During a network investigation, forensic scientists are out to find the source of an attack or network event, the path it took, and the techniques used in the attack.
There are two ways to analyse a network event, but the investigators don’t get to choose the method; the method picks itself. Depending on the stage of the attack, investigators can either use the postmortem approach or the real-time investigation technique.
In the postmortem approach, the event has already occurred and leaves investigators with clues they can piece together to find out how the event occurred and possibly who was behind it. In a real-time investigation, the event is still ongoing. This allows scientists to analyse the event as it occurs.
Some network attacks are:
Forensic Data Analysis (FDA) is a branch of digital forensics that encompasses aspects of every branch of digital forensics. FDA, much like database forensics, involves studying information from storage devices. And like network forensics, it includes the analysis of data on a network.
Therefore, FDA is an exploration of data to understand trends and enhance digital routes. Simply put, forensics data analysis looks into data to prove fraudulent activities and improve security.
Digital evidence is the bedrock of digital forensics. It refers to all information and data that is stored on or communicated by a digital device.
In its earlier days, digital evidence and forensics focused on computers. But in today’s digital landscape, digital evidence comes from mobile devices, hard drives, or even cloud accounts.
This integration of technology into our daily lives puts digital evidence at the forefront of criminal investigations. We are not only talking about cybercrimes – digital evidence is an important resource in an array of different crimes.
The history of digital evidence stretches back decades, with recorded cases dating from the ’70s and ’80s. At that time, digital forensics was in the hands of government officials with a background in computers. In the UK, digital forensics was first embraced by the Metropolitan Police, which formed a unit called the Fraud Squad.
It was not until the ’90s that this branch of science was born and accurately termed. Several governing bodies came together in this same era to produce standards and procedures that would regulate digital evidence. This helps us to further understand how binary information is collected, stored, and analysed.
In 1998, the Association of Chief Police Officers produced the first Good Practice Guide for Digital Evidence. The following year saw a revision of ISO Guide 25, a collaboration between the ISO and the IEC that resulted in new guidelines for laboratories.
The new International Organisation for Standardisation guidelines were later revised in 2005 and again in 2017. The guidelines have worked to standardise laboratory testing and calibration and so minimise inaccuracy in evidence gathering and reporting.
Digital forensics is important for a number of reasons. It can help identify criminals whilst retrieving valuable information to present in a court of law and prosecute:
There are different types of digital evidence laboratories can collect. Below, we have covered the top seven forms processed by most laboratories.
At the helm of digital evidence, we have logs. Logs are digital files that summarise an electronic event and they are part of the visible data family.
The information found in logs includes the time an event was initiated, raw text and the source of the activity.
From a forensics point of view, log data can help laboratories identify who started an event, when they initiated it, and what information they targeted.
There are several common log data files within the digital network:
Through log forensics, companies can identify points of vulnerability in their systems and find ways to mitigate future attacks. Log forensics is also a great way to understand the lifecycle of an attack, reconstruct incidents, and identify attack patterns.
There is nothing like a high-resolution image of a culprit to solve a case or even a video stored in the cloud to retell how events took place. Another member of the visible data group, video footage and images are among some of the most communicative forms of digital evidence out there.
Not only can this type of evidence outline the incident in finer detail, but it can also help individuals identify suspects faster. Though videos and images are one of the most important resources, they actually come in an array of formats and these formats aren’t always easy to process.
Another challenge that arises from this data type is the resolution. If the integrity of your data is compromised, it will be both unusable and inadmissible.
This means to access and analyse this visual data, you will need access to compatible software.
The different types of video formats include:
Of all of the above formats, MP4 is clearly the most popular. These formats are usually a result of a mobile phone recording.
Metadata doesn’t only have its place in SEO. There is room for it in the digital forensics lab as well.
The first in our list of the invisible data category, metadata is often described as data about data. In general discussion that description is accurate enough, at least until you speak to data and forensic scientists.
They will tell you that metadata is underlying information that is not perceivable. This data holds a set of attributes about another form of data. It can be anything from when the file was created and who created it to where it is stored.
The most common example of metadata is the information you can see when you right-click on an image stored on your personal computer to reveal its properties.
During digital evidence collection, metadata can reveal the owner of a file in question and when the owner created it. With the aid of the right software, digital forensic investigators can also review the software used to create the file, down to the exact operating system model it uses. This makes it easier for them to narrow down potential perpetrators.
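Embedded file metadata of the kind described here can be read directly from a file's bytes. The Python example below is added for illustration and is not part of the original article; it builds a tiny, constructed PNG that carries textual metadata chunks (Author, Software, Creation Time, all invented values) and then parses the file the way an examiner's tool would: walking the chunk structure, pulling out the tEXt key/value pairs, and verifying each chunk's CRC so that a tampered or damaged chunk is reported rather than silently trusted.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: 4-byte length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(text_fields: dict[str, str]) -> bytes:
    """Constructed 1x1 greyscale PNG with tEXt metadata chunks. Sample data for the
    example only, not a real evidence file."""
    # IHDR: width, height, bit depth 8, colour type 0 (greyscale), compression, filter, interlace.
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    raw_scanline = b"\x00\x00"  # filter byte 0 followed by one grey pixel
    chunks = [_chunk(b"IHDR", ihdr)]
    for key, value in text_fields.items():
        chunks.append(_chunk(b"tEXt", key.encode("latin-1") + b"\x00" + value.encode("latin-1")))
    chunks.append(_chunk(b"IDAT", zlib.compress(raw_scanline)))
    chunks.append(_chunk(b"IEND", b""))
    return PNG_SIGNATURE + b"".join(chunks)


def iter_chunks(data: bytes):
    """Yield (type, body, crc_ok) for every chunk, stopping at IEND."""
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG file")
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (crc_stored,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        crc_ok = (zlib.crc32(ctype + body) & 0xFFFFFFFF) == crc_stored
        yield ctype, body, crc_ok
        pos += 12 + length
        if ctype == b"IEND":
            break


def extract_png_metadata(data: bytes) -> dict:
    """Image dimensions plus every tEXt key/value pair; chunks whose CRC fails are listed
    under 'bad_crc' so the examiner knows which metadata cannot be relied upon."""
    meta: dict = {"text": {}, "bad_crc": []}
    for ctype, body, crc_ok in iter_chunks(data):
        if not crc_ok:
            meta["bad_crc"].append(ctype.decode("ascii", "replace"))
        if ctype == b"IHDR":
            meta["width"], meta["height"] = struct.unpack(">II", body[:8])
        elif ctype == b"tEXt":
            key, _, value = body.partition(b"\x00")
            meta["text"][key.decode("latin-1")] = value.decode("latin-1")
    return meta


if __name__ == "__main__":
    sample = build_sample_png({
        "Author": "j.doe",                       # invented
        "Software": "Example Editor 2.1",        # invented
        "Creation Time": "2024-03-03T09:15:40",  # invented
    })
    print(extract_png_metadata(sample))
```

Note that the Author and Software fields are whatever the producing application chose to write; they point towards a creator and a toolchain, as the paragraph says, but they are not proof on their own, and a failed CRC on the chunk that holds them is itself a finding worth recording.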
Volatile data is data that is lost once the device powers off. To keep the system responsive, your computer holds the data you are working on in RAM, which can be read and written far faster than a hard drive.
However, when your device turns off, the contents of RAM are lost. This is where volatile data differs from persistent or non-volatile data.
Even when deleted, non-volatile data is recoverable. This is particularly true if the data has not been overwritten by another file.
But there is a place where these two meet. Should RAM fill up while you are working on a file, some of its contents are written out to the hard drive, turning that volatile data into persistent data.
This way, even when the device turns off, the volatile data now stored on the hard drive becomes recoverable.
Volatile data can reveal the activity on a device, files a user accessed, and sometimes their unsaved documents. Volatile data forms part of active data as it can reveal the live activities of a user on a device.
To capture volatile data, the device must be examined while it is still powered on. This can reveal to digital investigators the type of activity the user was carrying out on the device.
Along with RAM, volatile data resides in caches and CPU registers. Since this type of data is not easy to detect, it is part of the invisible data family.
Another great way to discover a suspect’s activities on their device is through replicant data. Replicant data is exactly what the name suggests. It is data that has replicated itself.
Sometimes, to guard against data loss, a system will automatically save a copy of a user’s file. This is most common in Microsoft Word. Should your device turn off unexpectedly, chances are you will still be able to recover what you were last working on in Word.
But this data retention method can also prove very helpful during digital evidence collection. When examined, replicant data sources can reveal what the user was up to on the device. The data can reveal information like what the last accessed file was or the last browser site visited.
Some examples of replicant data include web cache and cookies.
And finally, we have another member of the invisible data group: residual data. This is data that the user may have deleted but is still lingering on the computer.
Residual data can be recovered to trace a user’s journey through a computer. In data theft cases, recovered residual data is also used to show which files a user had access to, and which files they received and reviewed.
Digital evidence must only be examined by those trained and qualified to do so. For example, if a phone was stolen, someone may be able to search for the stolen device on an online shopping site, but they wouldn’t be able to access any valuable data on the device that would provide valuable clues. There is also a risk of evidence being destroyed if someone who is unqualified tries to obtain it themselves.
The process of handling a seized device follows a number of steps to ensure all of the necessary data is collected:
There are a variety of techniques that are used to gather and analyse evidence:
Steganography is something criminals use to hide data inside messages or files. Reverse steganography allows the examiner to compare the hash value of the original file with that of the altered file. The two hash values will differ, even if the files look exactly the same at first glance.
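The hash comparison described above, as an added Python example that is not part of the original article: two constructed copies of a small raw greyscale pixel buffer are compared, where the second copy differs from the first only in the least significant bit of two pixels (a change of one brightness level out of 255, invisible to the eye). The SHA-256 digests differ regardless, and the byte-level comparison then pinpoints where the copies diverge. No hiding scheme is implemented here; the altered copy is produced simply by flipping two bits so the effect on the hashes can be shown.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest as hex; this is the value an examiner records at seizure and re-checks later."""
    return hashlib.sha256(data).hexdigest()


def compare_files(original: bytes, suspect: bytes) -> dict:
    """Hash both copies and, where they differ, report every byte offset that changed,
    including any bytes present in only one copy."""
    h_orig, h_susp = sha256_hex(original), sha256_hex(suspect)
    changed = [i for i, (a, b) in enumerate(zip(original, suspect)) if a != b]
    shorter, longer = sorted((len(original), len(suspect)))
    changed.extend(range(shorter, longer))  # tail that exists in only one copy
    return {
        "identical": h_orig == h_susp,
        "sha256_original": h_orig,
        "sha256_suspect": h_susp,
        "size_delta": len(suspect) - len(original),
        "changed_offsets": changed,
    }


def max_pixel_difference(a: bytes, b: bytes) -> int:
    """Largest per-pixel brightness change between two raw 8-bit greyscale buffers of equal size."""
    return max(abs(x - y) for x, y in zip(a, b))


# Constructed 4x4 raw 8-bit greyscale pixels standing in for the "original" file.
ORIGINAL_PIXELS = bytes([
    200, 200, 201, 199,
    198, 202, 200, 200,
    201, 200, 199, 200,
    200, 201, 200, 198,
])

# Constructed "suspect" copy: identical except for the least significant bit of two pixels.
_suspect = bytearray(ORIGINAL_PIXELS)
_suspect[5] ^= 0x01   # 202 -> 203
_suspect[10] ^= 0x01  # 199 -> 198
SUSPECT_PIXELS = bytes(_suspect)


if __name__ == "__main__":
    report = compare_files(ORIGINAL_PIXELS, SUSPECT_PIXELS)
    print("identical:", report["identical"])
    print("original :", report["sha256_original"])
    print("suspect  :", report["sha256_suspect"])
    print("changed offsets:", report["changed_offsets"])
    print("largest visible change:", max_pixel_difference(ORIGINAL_PIXELS, SUSPECT_PIXELS), "of 255")
```

The hash answers only the yes/no question of whether the copy is bit-for-bit identical; the offset list is what turns that answer into something an examiner can examine further and document.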
Live analysis is the process of accessing data when the device is operating. Specific tools can be used to find volatile data that is stored in the cache or RAM. If live analysis is required, the device will be kept in the lab to ensure none of the evidence is lost.
This process involves analysing and cross-referencing information from multiple devices to find similarities. Similarities can lead to the detection of suspicious events. This technique is also known as anomaly detection.
This process enables the analysis of digital activity that does not generate digital artefacts. Digital artefacts occur when a digital process alters data. An example is data theft involving text files, where the theft changes the files’ attributes and those changed attributes can be used to find evidence.
Digital evidence is an important component of ensuring that any crime committed through a digital device is looked into as soon as possible, especially where the privacy of your data is concerned.
At SYTECH Consultants, we offer a range of services to help you find the full story. From computer forensics to mobile phone forensics, we can help you find the evidence you need for your case. Contact us today to hear how our consultants can help you with digital evidence. Take a look at our Digital Forensics Services.