WHY IS DIGITAL FORENSICS IMPORTANT TODAY
There is a prudent way to limit costs early on, however: digital forensic collection. This means collecting the evidence first, while leaving the detailed data analysis for later, when it becomes clear the case will likely go to trial. Most digital forensic evidence is drawn from the hard disk drives of the computers in question. A “bit-level” image of a hard drive is an exact duplicate of the drive at the time the image is taken. You can take a bit-level image early and use it later, if necessary. This phase of a digital forensic investigation is usually less than one quarter of the overall cost.
Digital evidence. It’s everywhere. Consider the ubiquitous nature of electronics: in our society, interaction with electronic devices is inevitable. Most of us interact with them hundreds, if not thousands, of times a day. And most of those devices are “smart” enough to retain information about who you are, and where you were, when you interacted. Add to this the massive amounts of digital information office workers deal with every day: emails, the web, calendars, word processors, spreadsheets, and security systems. It’s a vast amount of information. And, all of these systems collect “digital fingerprints” when they are used. This leads to large amounts of “indirect” information available to anyone who knows to look for it.
Imagine the time before we knew fingerprints were unique. Crime scenes held fingerprints and other forensic information, which was all literally overlooked. Footprints and blood evidence were examined. But since science didn’t know about blood types until about 100 years ago, even this important evidence was missed. This is the current state of much digital evidence. It might be there, it might not. Most people only vaguely consider its usefulness. And since this is new technology, many people are frequently clumsy in their methods of dealing with it. But in almost all cases, the digital evidence is there. And we must be careful in handling it, because it is more fragile than other evidence. Even the simple act of turning a computer “on” can change and possibly destroy potentially useful digital evidence.
So, sticking with our analogy of a physical crime scene, what would you do if you wanted to preserve as much physical evidence as possible?
You would leave it alone; you wouldn’t pick anything up. You wouldn’t touch anything. If you could avoid it, you wouldn’t even walk into the room. You would do everything to preserve all of that physical evidence exactly as it was at the time the crime was committed. The same principles apply to digital forensic evidence. If a computer is likely to hold evidence in its files, then that device must not be disturbed. Simply opening files in their related applications (for example, in Microsoft Word) changes them, even if you “Don’t Save”.
• The proper protocol should be followed for acquisition of the evidence, irrespective of whether it is physical or digital. Gentle handling should be exercised in situations where the device may be damaged (e.g. dropped or wet).
• Special handling may be required in some situations. For example, when the device is actively destroying data through disk formatting, it may need to be shut down immediately to preserve the evidence. On the other hand, in some situations it would not be appropriate to shut down the device, so that the digital forensics expert can examine the device’s temporary memory.
• All artifacts, physical and/or digital, should be collected, retained and transferred using a preserved chain of custody.
• All materials should be date- and time-stamped, identifying who collected the evidence and the location it is being transported to after initial collection.
• Proper logs should be maintained when transferring possession.
• When storing evidence, suitable access controls should be implemented and tracked to certify the evidence has only been accessed by authorized individuals.
Digital evidence has similar issues as physical evidence; it can get contaminated. So in most situations, a forensic investigator will “image” the data so that they can use that image for analysis rather than the original media. An image is an exact replica of the media being examined and is normally created bit by bit to ensure complete accuracy. That replica can be created either through hardware or software. Either is fine as long as it is certified for digital forensics.
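The handling rules above and the imaging paragraph come together in practice as a single procedure: copy the media block by block, hash what was read, re-hash the written image to prove it is an exact replica, and record who did it, where and when. The following is an added example written for this page, not the article’s own code or any particular forensic tool. It uses in-memory streams as stand-ins for the source drive and the image file, and the examiner name, item ID and location are constructed placeholders.

```python
"""Bit-level acquisition with hash verification and a chain-of-custody record.

Added example; not code from the original article. io.BytesIO streams stand
in for a physical drive and an image file. A real acquisition would read the
device through a hardware write blocker so the source is never modified.
"""
import hashlib
import io
from datetime import datetime, timezone

BLOCK_SIZE = 4096  # assumption: a 4 KiB read size, typical sector multiple


def acquire_image(source, destination, block_size=BLOCK_SIZE):
    """Copy every byte of `source` into `destination`, hashing as we go.

    Returns (bytes_copied, sha256_hex). Hashing during the read means the
    digest describes exactly what left the source media, so any later change
    to the image can be detected.
    """
    digest = hashlib.sha256()
    copied = 0
    while True:
        block = source.read(block_size)
        if not block:  # end of media; the last block may be shorter
            break
        destination.write(block)
        digest.update(block)
        copied += len(block)
    destination.flush()
    return copied, digest.hexdigest()


def hash_stream(stream, block_size=BLOCK_SIZE):
    """Independent re-read of a stream, used to verify the written image."""
    stream.seek(0)
    digest = hashlib.sha256()
    for block in iter(lambda: stream.read(block_size), b""):
        digest.update(block)
    return digest.hexdigest()


def verify_image(acquisition_hash, image_stream):
    """True only if the stored image still hashes to the acquisition digest."""
    return hash_stream(image_stream) == acquisition_hash


def custody_entry(item_id, action, handler, location, sha256, when=None):
    """One chain-of-custody record: who did what to which item, where, when."""
    when = when or datetime.now(timezone.utc)
    return {
        "item": item_id,
        "action": action,
        "handler": handler,
        "location": location,
        "sha256": sha256,
        "timestamp": when.isoformat(),
    }


def demo():
    # Constructed sample "drive": 9,987 bytes, so the final read is a partial
    # block and the copy loop has to cope with it.
    media = io.BytesIO(bytes(range(256)) * 39 + b"END")
    image = io.BytesIO()
    size, acq_hash = acquire_image(media, image)
    intact = verify_image(acq_hash, image)

    # Simulate an accidental one-byte change to the image after acquisition.
    tampered = io.BytesIO(image.getvalue()[:-1] + b"X")
    still_valid = verify_image(acq_hash, tampered)

    log = [
        custody_entry("ITEM-001 (constructed)", "acquired",
                      "J. Examiner (constructed)",
                      "evidence room A (constructed)", acq_hash),
    ]
    return size, intact, still_valid, log


if __name__ == "__main__":
    size, intact, still_valid, log = demo()
    print(f"copied {size} bytes; image intact: {intact}; "
          f"tampered copy verifies: {still_valid}")
    print(log[0])
```

The point of hashing during the read rather than afterwards is that the digest is tied to the acquisition event itself; every later custody entry can carry the same hash, and a mismatch at any hand-off shows the copy was altered in between.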
Once the forensic investigator has the exact replica of the original, they get to the task of analyzing the data on the replica and deriving conclusions that the attorney can use. There are many considerations that come into play in that analysis. Some examples are outlined below:
If the data is encrypted, then decrypting that data becomes crucial for further analysis. If the encryption was conducted by technology systems of the entity that owned the devices, they may have keys that can decrypt the data. Otherwise, the forensic investigator has to use other decryption mechanisms to get to the data.
Critical files needed for the case may have been deleted, in which case recovery may be possible, depending on whether the space the file occupied has been overwritten.
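When a file is deleted, the file system usually drops only its directory entry; the content stays in unallocated space until those blocks are reused. A common recovery technique is to scan the image for the file type’s signature bytes (header and footer) and carve out whatever lies between them. The example below is added here to illustrate that; it is not the article’s own code. The disk image is constructed in memory and contains one deleted file whose blocks are untouched and one whose tail has been overwritten by newer data, which is exactly the “overwritten or not” distinction the paragraph makes.

```python
"""Header/footer carving of deleted files from unallocated space.

Added example, not from the original article. The "disk image" is constructed
in memory; file-system metadata is assumed gone (the files were deleted), so
recovery relies only on the files' own signature bytes still being on disk.
"""

PNG_HEADER = b"\x89PNG\r\n\x1a\n"        # real PNG magic bytes
PNG_FOOTER = b"IEND\xae\x42\x60\x82"     # IEND chunk type + its fixed CRC


def carve(image, header, footer):
    """Return [(offset, data)] for every header..footer span in `image`.

    A header whose footer is missing, or whose footer lies beyond the next
    header, belongs to a file that was partly overwritten; it is reported
    with data=None so the examiner knows something was there but is gone.
    """
    found = []
    pos = 0
    while True:
        start = image.find(header, pos)
        if start == -1:
            break
        body = start + len(header)
        end = image.find(footer, body)
        next_header = image.find(header, body)
        if end == -1 or (next_header != -1 and next_header < end):
            found.append((start, None))   # truncated: tail blocks reused
            pos = body
            continue
        end += len(footer)
        found.append((start, image[start:end]))
        pos = end
    return found


def build_sample_image():
    """Constructed image: allocated area, then unallocated space with two
    deleted PNGs, the second of which has had its tail overwritten."""
    block = 512
    allocated = b"A" * block * 4                       # live data, not carved
    intact_png = PNG_HEADER + b"IHDR-and-IDAT-chunks-go-here" + PNG_FOOTER
    unallocated = (
        b"\x00" * 100
        + intact_png                                    # deleted, blocks untouched
        + b"\x00" * 300
        + PNG_HEADER + b"second-file-data"              # deleted, but its tail ...
        + b"NEWFILE" * 20                               # ... was reused by a new file
    )
    return allocated + unallocated


def recover_pngs(image):
    """Convenience wrapper: carve PNGs and split recoverable from lost."""
    results = carve(image, PNG_HEADER, PNG_FOOTER)
    recovered = [(off, data) for off, data in results if data is not None]
    lost = [off for off, data in results if data is None]
    return recovered, lost


if __name__ == "__main__":
    recovered, lost = recover_pngs(build_sample_image())
    for off, data in recovered:
        print(f"recovered {len(data)}-byte PNG at offset {off}")
    for off in lost:
        print(f"PNG header at offset {off} but footer overwritten; not recoverable")
```

Signature carving recovers the file's content but not its original name or timestamps, since those lived in the now-deleted directory entry; the offsets it reports are what an examiner records so the finding can be reproduced from the same image later.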
Metadata is data about files and can provide a great deal of information. For example, if the original file was 10 pages long but was modified into a 6-page document, metadata can record that this change was made. This gives the forensic investigator a line of inquiry to recover the remaining four pages if the document is relevant.