Author: Abdul Khader Sarmathy
Forensics is the application of science to the legal process. Digital forensics is a branch of forensic science covering the recovery and investigation of material found in digital devices, often in relation to computer crime. The term digital forensics was originally used as a synonym for computer forensics but has expanded to cover investigation of all devices capable of storing digital data.
Digital forensics investigations have a variety of applications; the most common is to support or negate a hypothesis before criminal or civil courts. They also feature in the private sector, during internal corporate investigations where information technology is used to commit or conceal an offense.
The technical aspect of an investigation is divided into several sub-branches, relating to the type of digital devices involved: computer forensics, network forensics, forensic data analysis and mobile device forensics. The typical forensic process encompasses the seizure, forensic imaging (acquisition) and analysis of digital media, and the production of a report on the collected evidence.
Key Processes in Digital forensics
- Documentation and
- Presentation of computer evidence stored on a computer.
Digital forensics can be used to attribute evidence to specific suspects, confirm alibis or statements, determine intent, identify sources or authenticate documents in addition to identifying direct evidence of a crime.
Stages – Digital Forensics
A digital forensic investigation broadly consists of 3 stages: acquisition or imaging of exhibits, analysis, and reporting. Ideally, acquisition involves capturing an image of the computer’s volatile memory (RAM) and creating an exact sector-level duplicate (or “bit stream image”) of the storage media, often using a write-blocking device to prevent modification of the original. However, the growth in the size of storage media and developments such as cloud computing have led to more use of ‘live’ acquisitions, whereby a ‘logical’ copy of the data is acquired rather than a complete image of the physical storage device. Both the acquired image (or logical copy) and the original media/data are hashed using an algorithm such as SHA or MD5, and the values are compared to verify that the copy is accurate.
The main focus of digital forensics investigations is to recover objective evidence of criminal activity (termed actus reus in legal parlance). However, the diverse range of data held in digital devices can help with other areas of inquiry.
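The acquisition-and-verification step described above, as an added example that is not part of the original article: a sector-by-sector copy of constructed sample media is hashed on both sides, and a single flipped bit in the image is enough to make verification fail. The file names and the `SECTOR` size are assumptions.

```python
import hashlib
import os
import tempfile

SECTOR = 512  # read, copy and hash the media one sector at a time, as an imager would

def hash_stream(path, algorithms=("md5", "sha256")):
    """Hash a file sector by sector; returns {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        while chunk := f.read(SECTOR):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def acquire_image(source_path, image_path):
    """Copy every sector of source into image (a bit-stream image), then hash
    original and image independently, as an imaging tool would record."""
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while chunk := src.read(SECTOR):
            dst.write(chunk)
    return {"original": hash_stream(source_path), "image": hash_stream(image_path)}

def verify_image(hashes):
    """The copy is accurate only if every algorithm agrees on both sides."""
    return all(hashes["original"][a] == hashes["image"][a] for a in hashes["original"])

def demo():
    # Constructed sample media: three filler sectors plus one sector holding a short document.
    media = (b"\x00" * SECTOR * 3) + b"meeting notes: wire transfer 14:00".ljust(SECTOR, b"\x00")
    with tempfile.TemporaryDirectory() as d:
        src, img = os.path.join(d, "evidence.raw"), os.path.join(d, "evidence.dd")
        with open(src, "wb") as f:
            f.write(media)
        hashes = acquire_image(src, img)
        intact = verify_image(hashes)
        # Flip one bit in the image: the hashes no longer match and the copy is rejected.
        with open(img, "r+b") as f:
            f.seek(SECTOR * 3)
            f.write(bytes([media[SECTOR * 3] ^ 0x01]))
        hashes["image"] = hash_stream(img)
        return intact, verify_image(hashes)

if __name__ == "__main__":
    print(demo())  # (True, False)
```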
During the analysis phase, an investigator recovers evidence material using a number of different methodologies and tools.
The actual process of analysis can vary between investigations, but common methodologies include conducting keyword searches across the digital media (within files as well as in unallocated and slack space), reconstructing user activity, recovering deleted files and extracting registry information.
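Why a keyword search must cover more than the live files, as an added example that is not from the original article: a constructed four-sector image holds one allocated file whose slack still carries residue of an older file and one unallocated sector holding a deleted file, and each hit is tagged with the region it was found in. The allocation table and the 512-byte sector size are assumptions standing in for what a file system parser would supply.

```python
SECTOR = 512

def build_sample_image():
    """Constructed image: sector 0 = allocated file (34 bytes live) followed by
    slack with old residue; sector 1 = unallocated, holding a deleted file;
    sectors 2-3 = zeros. Returns (image bytes, {sector: live bytes in use})."""
    allocated = b"Quarterly report: nothing unusual."
    slack = b"old draft: pay the shell company".ljust(SECTOR - len(allocated), b"\x00")
    unallocated = b"[deleted] invoice to shell company".ljust(SECTOR, b"\x00")
    image = allocated + slack + unallocated + b"\x00" * SECTOR * 2
    alloc = {0: len(allocated)}  # what a file-system parser would report
    return image, alloc

def classify(offset, alloc):
    """Tag a byte offset as inside a live file, in its slack, or unallocated."""
    sector, off_in_sector = divmod(offset, SECTOR)
    if sector not in alloc:
        return "unallocated"
    return "file" if off_in_sector < alloc[sector] else "slack"

def keyword_search(image, alloc, keyword):
    """Case-insensitive scan of the raw image; returns [(offset, region), ...]."""
    low, kw = image.lower(), keyword.lower()
    hits, start = [], 0
    while (i := low.find(kw, start)) != -1:
        hits.append((i, classify(i, alloc)))
        start = i + 1
    return hits

if __name__ == "__main__":
    img, alloc = build_sample_image()
    # A file-level search would only ever see the "file" hits; the raw scan
    # also surfaces the slack and unallocated occurrences.
    print(keyword_search(img, alloc, b"shell company"))  # [(53, 'slack'), (533, 'unallocated')]
```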
The evidence recovered is analyzed to reconstruct events or actions and to reach conclusions, work that can often be performed by a specialist. When an investigation is complete the data is presented, usually in the form of a written report, in laypersons’ terms.
Digital forensics is commonly used in both criminal law and private investigation. Traditionally it has been associated with criminal law, where evidence is collected to support or oppose a hypothesis before the courts. As with other areas of forensics, this is often as part of a wider investigation spanning a number of disciplines. In some cases, the collected evidence is used as a form of intelligence gathering, used for other purposes than court proceedings.
In civil litigation or corporate matters, digital forensics forms part of the electronic discovery (or eDiscovery) process. Forensic procedures are similar to those used in criminal investigations, often with different legal requirements and limitations. Outside of the courts, digital forensics can form a part of internal corporate investigations.
Digital evidence
Any data that is recorded or preserved on any medium in or by a computer system or other similar device that can be read or understood by a device. Digital evidence can come in a number of forms.
Attribution
Metadata and other logs can be used to attribute actions to an individual. For example, personal documents on a computer drive might identify its owner.
Alibis and statements
Information provided by those involved can be cross checked with digital evidence.
Intent
As well as finding objective evidence of a crime being committed, investigations can also be used to prove the motive.
Evaluation of source
File artifacts and meta-data can be used to identify the origin of a particular piece of data.
Document authentication
Related to “Evaluation of source,” meta-data associated with digital documents can be easily modified. Document authentication relates to detecting and identifying falsification of such details.
Limitations
One major limitation to a forensic investigation is the use of encryption; this disrupts initial examination where pertinent evidence might be located using keywords. Laws to compel individuals to disclose encryption keys are still relatively new and controversial.
Legal considerations
The examination of digital media is covered by national and international legislation. For civil investigations, in particular, laws may restrict the abilities of analysts to undertake examinations. Restrictions against network monitoring or reading of personal communications often exist.
An individual’s right to privacy is one area of digital forensics which is still largely undecided by courts.
When used in a court of law, digital evidence falls under the same legal guidelines as other forms of evidence, provided it has been collected and presented as per the guidelines laid down in the Evidence Act and Criminal Procedure Code applicable to the respective geographic location.
Laws dealing with digital evidence are concerned with two issues: integrity and authenticity. Integrity is ensuring that the act of seizing and acquiring digital media does not modify the evidence (either the original or the copy). Authenticity refers to the ability to confirm the integrity of information; for example, that the imaged media matches the original evidence. The ease with which digital media can be modified means that documenting the chain of custody from the crime scene, through analysis and, ultimately, to the court is important to establish the authenticity of evidence.
The admissibility of digital evidence relies on the tools used to extract it. In the US, forensic tools are subjected to the Daubert standard, where the judge is responsible for ensuring that the processes and software used were acceptable. Most developing countries have yet to fix such a standard.
Digital Forensics vs. Digital Forensic Investigation
It would be more meaningful to use the term “digital forensic investigation” rather than “digital forensics,” because the process associated with “digital forensics” is much more similar to a physical crime scene investigation than to physical forensics. “Physical forensics” is used to answer a more limited set of questions than a general investigation: it is used to “identify” a substance, which determines the class of the substance.
The process to determine how someone compromised a computer and identify what they had access to is much more involved than identification and individualization. It is a process of searching for evidence and then analyzing it. Therefore, I do think that digital investigation and digital forensic investigation are more accurate terms.