
The Evolution of Digital Forensics

Like the trail of evidence criminals may leave behind after committing a crime, almost every digital activity
leaves virtual fingerprints. Even when culprits attempt to delete evidence and cover their tracks, the
right methods can recover it. Over the last few decades, these digital investigation and forensics
methods have become critical to solving not only some of the most complex criminal cases but also
everyday workplace investigations involving employee data theft and other insider threats.

What is Digital Forensics?

Digital forensics is the practice of leveraging computer science to investigate, gather, analyze, and
ultimately present evidence to courts intact and uncorrupted. The base word “forensics” is a Latin term
meaning “to bring to court,” which highlights the typical intent of the entire process. Though not all
investigations lead to formal court, especially in workplace investigations, the evidence gathered is used
to make judgments and conclusions regarding user activities and events. The United States Computer
Emergency Readiness Team (US-CERT) formally defines computer forensics as: “the discipline that
combines elements of law and computer science to collect and analyze data from computer systems,
networks, wireless communications, and storage devices in a way that is admissible as evidence in a
court of law.” Tom Loper from Bay Path University says, “information assurance is like the police, and
digital forensics is like the detectives.” To sum it up, digital forensics is a methodology for collecting
computer-related evidence for use in both internal and external investigations, including court
presentation.

What Digital Forensics is not

Digital forensics investigators and analysts are not given free rein to look wherever they like or to collect
evidence freely from a target. Like physical investigators leveraging a warrant to collect evidence on a
particular case, digital forensics professionals may only investigate assets that they’ve been warranted
to assess. The warranted investigation will have a scope limited to finding the piece of evidence required
for court or as specified by the company. Therefore, if a digital forensics investigator shows up to a
scene with a warrant to look for evidence of an employee illegally gambling using company resources,
they may do so. If that same investigator comes across evidence of theft or money laundering, they
must go back and request another warrant or permission: one for the laundering and one for the theft.
Failure to procure proper rights either from a company stakeholder or law enforcement can render
digital evidence invalid or inadmissible in court.

The Standard Digital Forensics Process

There are four basic steps in the digital forensics process:

• Identifying – This is the practice of finding and collecting the suspected original source or asset
believed to contain evidence. (Example: The investigator has pinpointed a suspicious IP
address belonging to the laptop in Ohio. The digital forensics investigator may have a co-worker
send them the suspected laptop for analysis.)

• Preserving – This is the practice of ensuring the integrity of the collected evidence and
preserving a “digital trail” of the data or media. (Example: It’s essential to monitor how the
computer and any copies of data have been handled since being taken from the employee,
along with who had access.)

• Analyzing – This is the investigative portion of the process where a forensics practitioner begins
looking into the acquired asset or media’s data to find evidence of the suspected crime.
(Example: The investigator may look through documents, email and chat conversations, browser
website history, hard drives, and other user activities.)

• Reporting – This is the process of creating a report of findings from the investigation for
presentation to stakeholders and, in some cases, an attorney or jury in court. Reporting must
also be tailored to the audience. In a court case where the jury is not technically savvy, findings
must be explained in ways that are easy to understand for everyone. Failure to do so might
render even the most irrefutable evidence ineffective. (Example: A digital forensics investigator
may debrief a company’s technical leaders in detail and then give a high-level summary to the
general manager.)

The Importance of Digital Forensics Evidence

How you collect, handle, and preserve evidence during a workplace investigation is very important, as it
can make or break a case. Digital forensics is equivalent to assessing a crime scene or performing an
autopsy. When, for example, an employee is suspected of theft or other offenses, oftentimes, the crimes
may warrant legal action.

Here are some common types of evidence and how they will be perceived in court. One of the best
reasons to employ certified forensic professionals and leverage state of the art technology is that
navigating various types of evidence and steps needed to ensure admissibility can be complicated. A
robust digital forensics program requires the ability to investigate and capture evidence, as well as
navigate all of the legal, political, and technological guidelines associated. Preservation of evidence is
also a meticulous process, and failure to leverage best practices may render findings useless in court.

Types of evidence:

• Real Evidence: Tangible and physical objects such as disk drives, tablets, and phones. Note that
this usually does not include the data on the devices.

• Direct Evidence: Testimony from a first-hand witness who states what they experienced with
their five senses.

• Circumstantial Evidence: Evidence to support circumstances for a point or other evidence.

• Corroborative Evidence: Evidence to support collective elements or facts of the case.

• Hearsay: Information that is not first-hand knowledge, normally inadmissible in a case.

Rules of Evidence:

• Best Evidence Rule – The courts prefer the best evidence possible. Evidence should be accurate,
complete, relevant, authentic, and convincing.

• Secondary Evidence – This is common in cases involving Information Technology. Logs and
documents from the systems are considered secondary evidence.

• Evidence Integrity – It is vital that the evidence’s integrity cannot be questioned. This is often
done by creating hashes on copied evidence. Note that forensic analysis is done on copies, and
never the originals. Investigators can then compare hashes on both original and copy before and
after the forensics to ensure nothing has changed.

• Chain of Custody – This process ensures the integrity of the evidence by tracking how it’s been
managed. Common elements of concern when it comes to evidence are:

    • Who handled it?

    • When did they handle it?

    • What did they do with it?

    • Where did they handle it?
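
The hashing and custody-tracking practice described under Evidence Integrity and Chain of Custody, as an added example in Python that is not part of the original article: it hashes the original and a working copy before and after analysis, keeps an append-only custody log answering who, when, what and where, and shows that both an unlogged change to the copy and an edited log entry are detected. The evidence bytes, case identifier, names and locations are constructed for the example, and the hash-linked log layout is an illustrative design rather than any standard format.

```python
import hashlib
import json
from datetime import datetime, timezone
from pathlib import Path
from tempfile import TemporaryDirectory

# Constructed stand-in for a seized disk image (not real evidence).
SAMPLE_EVIDENCE = b"constructed sample evidence: user document contents\n" * 64


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so multi-gigabyte images never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


class ChainOfCustody:
    """Append-only log of who / when / what / where for every handling event.

    Each entry records the evidence hash at that moment and the hash of the previous
    entry, so removing or editing an entry breaks the chain (illustrative design)."""

    def __init__(self, case_id):
        self.case_id = case_id
        self.entries = []

    def record(self, who, what, where, evidence_hash):
        previous = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "case_id": self.case_id,
            "who": who,
            "when": datetime.now(timezone.utc).isoformat(),
            "what": what,
            "where": where,
            "evidence_sha256": evidence_hash,
            "prev_entry_hash": previous,
        }
        entry["entry_hash"] = self._hash_entry(entry)
        self.entries.append(entry)
        return entry

    @staticmethod
    def _hash_entry(entry):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self):
        """Recompute every entry hash and link; True only if the log is untouched."""
        previous = "0" * 64
        for entry in self.entries:
            if entry["prev_entry_hash"] != previous or self._hash_entry(entry) != entry["entry_hash"]:
                return False
            previous = entry["entry_hash"]
        return True


def demo(workdir=None):
    """Acquire a working copy, hash before and after analysis, log custody, and show
    that an unlogged change to the copy and an edited log entry are both detected."""
    with TemporaryDirectory() as tmp:
        base = Path(workdir or tmp)
        original = base / "original.img"
        working_copy = base / "working_copy.img"
        original.write_bytes(SAMPLE_EVIDENCE)
        log = ChainOfCustody("CASE-0001")  # constructed case identifier

        h_original = sha256_file(original)
        log.record("J. Doe", "imaged seized laptop", "Ohio field office", h_original)

        working_copy.write_bytes(original.read_bytes())  # analysis happens on the copy only
        h_copy = sha256_file(working_copy)
        log.record("J. Doe", "created working copy", "forensics lab", h_copy)

        # ... read-only analysis of working_copy would happen here ...
        h_after = sha256_file(working_copy)
        log.record("A. Smith", "completed keyword analysis", "forensics lab", h_after)
        chain_ok = log.verify()

        with open(working_copy, "ab") as f:  # simulate an unlogged modification
            f.write(b"!")
        h_tampered = sha256_file(working_copy)

        log.entries[0]["who"] = "unknown"  # simulate someone editing the custody log
        return {
            "copy_matches_original": h_copy == h_original,
            "unchanged_after_analysis": h_after == h_original,
            "file_tamper_detected": h_tampered != h_original,
            "chain_ok_before_edit": chain_ok,
            "log_tamper_detected": not log.verify(),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The hash of the working copy is taken immediately after acquisition and again when analysis ends; only if both equal the original's hash can the examiner state that nothing was altered. In practice the custody log would be written to write-once storage and the original would be sealed after the first hash, which is what the "never the originals" rule above is protecting.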

Evolution of evidence

Initially, computer-generated records such as log files were considered hearsay and therefore inadmissible
in court. Case law and updates to the Federal Rules of Evidence have changed that. Rule 803 provides
for the admissibility of a record or report that was “made at or near the time by, or from information
transmitted by, a person with knowledge, if kept in the course of a regularly conducted business activity,
and if it was the regular practice of that business activity to make the memorandum, report, record or
data compilation.” This changed the game regarding the critical role that digital evidence can play in
investigations and convictions. It essentially means that activity logs recorded as a part of standard
business operations are now admissible. This bolstered the need for employers to have forensic
investigation software to monitor user activity, collect activity logs, and securely manage them in case
there is ever a need to leverage the data in a legal capacity.

Why digital forensics?

Security breaches have increased by 11% since 2018, and 67% since 2014, according to Accenture.

Digital forensics programs enable entities to investigate these breaches, which involve a variety of issues
such as intellectual property theft, phishing attacks, data destruction, financial fraud, and more.

Some advanced and specialized programs can also support the recovery of encrypted data, which can be
beneficial following a ransomware attack. Ransomware attacks, a significant threat to companies today,
hold data hostage in exchange for a demanded payment or “ransom.”

What are the current challenges in Digital Forensics?

Evidence can be hard to collect and preserve: Digital evidence by default can be fragile, volatile, large in
volume, and contain very sensitive content. Data can be quickly destroyed by power surges, natural
disasters, human error, intentional tampering, extreme hot or cold temperature conditions, or
electromagnetic fields. Protecting evidence from all of these variables can pose a challenge.
Furthermore, privacy preservation is another aspect that can confound an investigation. For example,
trying to re-enact location and address to prove accountability may not be possible if certain privacy
protections are in place in the geographic location.

Cloud environments make evidence collection harder: The cloud poses another risk and challenge both
in accuracy and complexity. As data travels throughout the world and is stored in other time zones or
virtual environments instead of on physical machines, getting times correct is a challenge. A synced
timeline can be another critical element that makes or breaks evidence collection. Lastly, due to the
dynamic nature of cloud environments retrieving evidence may be impossible when, for example, an
entire Amazon Web Services virtual server can be deleted almost instantly with the push of a button.
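
The time-zone problem described above, as an added example in Python that is not from the original article: three constructed log lines, each stamped by a different system in a different zone, are normalised to UTC before being ordered, and a source that records no zone at all is rejected rather than guessed. The source names, line formats and the events themselves are assumptions made for the illustration.

```python
import re
from datetime import datetime, timezone

# Constructed log lines from three systems that each stamp time differently:
# an on-premises web server in US Eastern (-0500), a cloud provider's audit trail
# in UTC, and a workstation in Central European Time (+0100) using day/month/year.
SAMPLE_LOGS = [
    ("web-server", "2023-03-10 09:15:02 -0500 login user=alice src=203.0.113.7"),
    ("cloud-audit", "2023-03-10T14:14:58Z TerminateInstances instance=i-EXAMPLE"),
    ("workstation", "10/03/2023 15:16:40 +0100 file_copy path=C:\\HR\\payroll.xlsx"),
]

# Per-source regex and strptime format (None = ISO 8601 with a trailing Z). The
# "legacy-app" entry records no zone at all, which is the failure case handled below.
FORMATS = {
    "web-server": (r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) (?P<msg>.*)",
                   "%Y-%m-%d %H:%M:%S %z"),
    "cloud-audit": (r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<msg>.*)", None),
    "workstation": (r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [+-]\d{4}) (?P<msg>.*)",
                    "%d/%m/%Y %H:%M:%S %z"),
    "legacy-app": (r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<msg>.*)",
                   "%Y-%m-%d %H:%M:%S"),
}


def parse_event(source, line):
    """Parse one line into an event whose timestamp is normalised to UTC.

    Raises ValueError for unparseable lines and for timestamps with no zone,
    because guessing a zone silently shifts the event by hours on the timeline."""
    pattern, fmt = FORMATS[source]
    match = re.fullmatch(pattern, line)
    if not match:
        raise ValueError(f"unparseable {source} line: {line!r}")
    raw_ts = match.group("ts")
    if fmt is None:
        stamped = datetime.fromisoformat(raw_ts.replace("Z", "+00:00"))
    else:
        stamped = datetime.strptime(raw_ts, fmt)
    if stamped.tzinfo is None:
        raise ValueError(f"{source} records no time zone; refusing to guess for {raw_ts!r}")
    return {
        "source": source,
        "utc": stamped.astimezone(timezone.utc),
        "recorded_as": raw_ts,
        "message": match.group("msg"),
    }


def build_timeline(records):
    """Normalise every (source, line) pair to UTC and return events in true order."""
    events = [parse_event(source, line) for source, line in records]
    return sorted(events, key=lambda e: e["utc"])


def format_timeline(events):
    """Render the timeline with both the UTC time and the time as originally recorded,
    so a report can show the reader why the order differs from the raw logs."""
    return [
        f"{e['utc'].isoformat()}  {e['source']:<12} (recorded as {e['recorded_as']})  {e['message']}"
        for e in events
    ]


if __name__ == "__main__":
    for line in format_timeline(build_timeline(SAMPLE_LOGS)):
        print(line)
```

Read by their raw text, the web-server login at "09:15:02" looks like the earliest event; once all three are in UTC it actually falls four seconds after the instance termination, and the workstation copy comes last. Keeping the recorded string alongside the UTC value is what lets a report explain that shift to a non-technical audience.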

Expertise is limited: Hiring cybersecurity talent can be a challenge. The niche world of digital
forensics proves to be an even greater issue. It’s important to have qualified investigators on board;
however, staffing a digital forensics team is not always an option for smaller businesses.

Criminals use forensics countermeasures: Forensic countermeasures, or anti-forensics, are tactics that
criminals and cyber attackers use to escape detection and cover their tracks. This is common in
insider threat situations where employees have greater insight into internal processes and security
controls. In a workplace setting, this may take the form of an employee shattering a hard drive,
removing digital evidence from the premises, or using anonymity software to mask browser activity.
Unlike physical evidence, digital evidence is easy to hide, destroy, modify, sell, and transport without
leaving clues as to who the attacker was in the first place. Anti-forensics, therefore, poses a significant
challenge to workplace investigations. This is another reason why having certified forensics experts and
proper digital forensics software is vital.

According to experts, common anti-forensic methods can include encryption, steganography, covert
channels, hiding data in storage space, residual data wiping, trail obfuscation, attacking monitoring or
investigation technology, or even resorting to attacking the investigator.

Approaches to digital forensics for businesses and the “on-demand” trend

Services:

Outsourced: There are a variety of external vendors offering digital forensics services on-demand.
Instead of hiring an in-house team, you’d rely on expert forensic teams when you need them. These
providers often have varying levels of expertise and should be thoroughly vetted. In addition, there are
typically two pricing models to choose from when securing digital forensic services: “time &
materials” or “flat fee pricing.” While time and materials usually offer lower initial pricing, flat-fee
pricing allows a predictable cost without the by-the-hour rush of work.

In-house: If the entity’s cybersecurity posture is mature enough, investing in a small team or even just
one certified digital forensics expert can go a long way. There are various benefits to bringing forensics
in-house, including agility, ease of contact, familiarity with business infrastructure, predictable cost,
ability to get “court ready” without having to sign a new contract or non-disclosure agreement for each
investigation, and so on. You can also utilize your forensics team to aid your other information security
groups on investigations and help consult proactively by providing best practices against common cyber-
attacks.

Technology:

There is a wide range of physical and digital technology that can support workplace investigations. The
appropriate method depends on the case. One concern has been that without robust training and
experience, some digital forensics tools cannot be utilized appropriately by non-experts. It is becoming
increasingly popular to find tailored solutions that monitor internal suspicious activity and provide user-
friendly “on-demand” digital forensics services such as automated data collection, data preservation,
analysis, and reporting. Next-generation forensic investigation software, for example, can comb through
user activity information, discover relevant information, create secure evidence logs, and deliver reports
to support workplace investigations. The most valuable solutions can enable key insights such as video
playback of activities, website activity, email recording, chat and IM, file and document tracking,
application and network activity, or keystroke logging. Whether it’s leveraged to investigate a workplace
policy violation such as gambling or intellectual property theft, or used to monitor time stolen
through lost productivity, insider threat detection and other monitoring tools are making it easier for
businesses to set up workplace investigation programs.

Although forensic science itself (including the first recorded fingerprints) has been around for over 100
years, digital forensics is a much younger field as it relates to the digital world, which mainly gained
popularity after the introduction of personal computers in the 1980s.

For comparative purposes in trying to grasp the concept of digital forensics as still being relatively new,
consider that the first actual forensic sciences lab was developed by the FBI in 1932.

Some of the first tools used in digital forensic investigations were developed in FBI labs circa 1984, with
forensic investigations being spearheaded by the FBI’s specialized CART (Computer Analysis and
Response Team) which was responsible for aiding in digital investigations.

Digital forensics as its own field grew substantially in the 1990s, with the collaboration of several law
enforcement agencies and heads of divisions working together and even meeting regularly to bring their
expertise to the table.

One of the earliest formal conferences was hosted by the FBI in 1993. The main focus of the event,
called the International Law Enforcement Conference on Computer Evidence, was to address the need
for formal standards and procedures with digital forensics and evidence acquisition.

Many of these conferences resulted in the formation of bodies that deal with digital forensics standards
and best practices. For example, the SWGDE was formed by the Federal Crime Laboratory Directors in
1998. The SWGDE was responsible for producing the widely adopted best practices for computer
evidence (discussed later in this chapter). The SWGDE also collaborated with other organizations, such
as the very popular American Society of Crime Laboratory Directors (ASCLD), which was formed in
1973 and has since been instrumental in the ongoing development of best practices, procedures, and
training as it relates to forensic science.

It wasn’t until the early 2000s, however, that a formal Regional Computer Forensic Laboratory (RCFL)
was established by the FBI. In 2002, the National Program Office (NPO) was established and acts as a
central body, essentially coordinating and supporting efforts between the RCFLs and law enforcement.

Since then, we've seen several agencies, such as the FBI, CIA, NSA, and GCHQ, each with their own full
cyber crime divisions, full digital forensics labs, dedicated onsite and field agents, collaborating
assiduously in an effort to take on tasks that may be nothing short of Sisyphean, when considering the
rapid growth of technology and easier access to the internet and even the Dark Web.

With the advancement of technology, the tools for digital forensics must be regularly updated, not only
in the fight against cyber crime, but in the ability to provide accountability and for the retrieval of lost
data. We've come a long way since the days of floppy disks, magnetic drives, and dial-up internet access,
and are now presented with SD cards, solid-state drives, and fiber-optic internet connections at gigabit
speeds.

What is Digital Forensics? History, Process, Types, Challenges

By Lawrence Williams, updated November 12, 2022

What is Digital Forensics?

Digital forensics is defined as the process of preservation, identification, extraction, and documentation
of computer evidence that can be used by a court of law. It is the science of finding evidence on
digital media such as a computer, mobile phone, server, or network. It provides the forensic team with the
best techniques and tools to solve complicated digital cases.

Digital forensics helps the forensic team analyze, inspect, identify, and preserve the digital
evidence residing on various types of electronic devices.

In this digital forensic tutorial, you will learn:

• What is Digital Forensics?

• History of Digital forensics

• Objectives of computer forensics

• Process of Digital forensics

• Types of Digital Forensics

• Challenges faced by Digital Forensics

• Example Uses of Digital Forensics

• Advantages of Digital forensics

• Disadvantages of Digital Forensics

History of Digital forensics

Here are important landmarks from the history of digital forensics:

• Hans Gross (1847-1915): First use of scientific study to head criminal investigations

• FBI (1932): Set up a lab to offer forensics services to all field agents and other law authorities
across the USA.

• In 1978, the first computer crime was recognized in the Florida Computer Crime Act.

• Francis Galton (1822-1911): Conducted the first recorded study of fingerprints

• In 1992, the term “Computer Forensics” was used in academic literature.

• In 1995, the International Organization on Computer Evidence (IOCE) was formed.

• In 2000, the first FBI Regional Computer Forensic Laboratory was established.

• In 2002, the Scientific Working Group on Digital Evidence (SWGDE) published the first book about
digital forensics, called “Best practices for Computer Forensics”.

• In 2010, Simson Garfinkel identified issues facing digital investigations.

Objectives of computer forensics

Here are the essential objectives of using Computer forensics:

• It helps to recover, analyze, and preserve computers and related materials in such a manner that
the investigating agency can present them as evidence in a court of law.

• It helps to postulate the motive behind the crime and the identity of the main culprit.

• Designing procedures at a suspected crime scene that help ensure the digital evidence obtained
is not corrupted.

• Data acquisition and duplication: recovering deleted files and deleted partitions from digital
media to extract the evidence and validate it.

• Helps you to identify the evidence quickly, and also allows you to estimate the potential impact
of the malicious activity on the victim.

• Producing a computer forensic report that offers a complete account of the investigation
process.

• Preserving the evidence by following the chain of custody.

Process of Digital forensics

Digital forensics entails the following steps:

• Identification

• Preservation

• Analysis

• Documentation

• Presentation

Process of Digital Forensics

Let’s study each in detail.

Identification

It is the first step in the forensic process. The identification process mainly covers what
evidence is present, where it is stored, and lastly, how it is stored (in which format).

Electronic storage media can be personal computers, mobile phones, PDAs, etc.

Preservation

In this phase, data is isolated, secured, and preserved. It includes preventing people from using the
digital device so that digital evidence is not tampered with.

Analysis

In this step, investigation agents reconstruct fragments of data and draw conclusions based on evidence
found. However, it might take numerous iterations of examination to support a specific crime theory.

Documentation

In this process, a record of all the visible data must be created. It helps in recreating the crime scene and
reviewing it. It involves proper documentation of the crime scene along with photographing, sketching,
and crime-scene mapping.

Presentation

In this last step, the process of summarization and explanation of conclusions is done.

However, it should be written in a layperson’s terms using abstracted terminologies. All abstracted
terminologies should reference the specific details.

Types of Digital Forensics

The main types of digital forensics are:

Disk Forensics:

It deals with extracting data from storage media by searching active, modified, or deleted files.

Network Forensics:

It is a sub-branch of digital forensics. It is related to monitoring and analysis of computer network traffic
to collect important information and legal evidence.

Wireless Forensics:

It is a division of network forensics. The main aim of wireless forensics is to offer the tools needed to
collect and analyze the data from wireless network traffic.

Database Forensics:

It is a branch of digital forensics relating to the study and examination of databases and their related
metadata.

Malware Forensics:

This branch deals with the identification of malicious code and the study of its payload: viruses, worms, etc.

Email Forensics

Deals with recovery and analysis of emails, including deleted emails, calendars, and contacts.

Memory Forensics:

It deals with collecting data from system memory (system registers, cache, RAM) in raw form and then
carving the data from the raw dump.
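
The carving step mentioned under Disk Forensics (searching active, modified, or deleted files) and Memory Forensics (carving data from a raw dump), as an added Python example that is not part of the original article: it scans a constructed dump for the public PNG and JPEG header/footer signatures, carves each complete span regardless of any file-system metadata, and validates a carved PNG by checking every chunk CRC, which is how an examiner separates a genuine recovered file from a false signature hit. The dump, its filler bytes and the two tiny sample files are constructed for the example.

```python
import struct
import zlib

# Public header/footer signatures for two common formats. PNG files end with the
# IEND chunk (length 0, type, CRC); JPEG files start FF D8 FF and end FF D9.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
}


def carve(raw, signatures=SIGNATURES, max_size=10 * 1024 * 1024):
    """Return (offset, kind, data) for every complete header..footer span in raw.

    A header with no following footer is left alone (the file was incomplete or
    overwritten); an implausibly large span is skipped and the next header tried."""
    found = []
    for kind, (header, footer) in signatures.items():
        start = raw.find(header)
        while start != -1:
            end = raw.find(footer, start + len(header))
            if end == -1:
                break
            if end - start > max_size:
                start = raw.find(header, start + 1)
                continue
            end += len(footer)
            found.append((start, kind, raw[start:end]))
            start = raw.find(header, end)
    return sorted(found, key=lambda item: item[0])


def png_is_well_formed(data):
    """Validate a carved PNG by walking its chunks and checking every CRC; a
    truncated or corrupted carve fails here instead of being reported as a file."""
    if not data.startswith(SIGNATURES["png"][0]):
        return False
    pos = 8
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            return False
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if (zlib.crc32(ctype + body) & 0xFFFFFFFF) != crc:
            return False
        pos += 12 + length
        if ctype == b"IEND":
            return pos == len(data)
    return False


def _png_chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_dump():
    """Constructed stand-in for a raw disk or memory dump: deterministic filler bytes
    around one real 1x1 RGB PNG and one minimal JPEG-shaped blob (markers only)."""
    png = (SIGNATURES["png"][0]
           + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
           + _png_chunk(b"IDAT", zlib.compress(b"\x00\x10\x20\x30"))
           + _png_chunk(b"IEND", b""))
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 20 + b"\xff\xd9"
    filler = bytes(range(256)) * 3  # contains none of the signatures above
    dump = filler + jpeg + filler + png + filler
    return dump, jpeg, png


if __name__ == "__main__":
    dump, _, _ = build_sample_dump()
    for offset, kind, data in carve(dump):
        valid = png_is_well_formed(data) if kind == "png" else "n/a"
        print(f"offset={offset} kind={kind} size={len(data)} png_valid={valid}")
```

Signature carving works on unallocated space and memory dumps precisely because it ignores file-system structures, which is why it recovers deleted files; the price is false positives, so every carved object should be validated against its format (here, the PNG chunk CRCs) before it is reported as evidence.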

Mobile Phone Forensics:

It mainly deals with the examination and analysis of mobile devices. It helps to retrieve phone and SIM
contacts, call logs, incoming and outgoing SMS/MMS, audio, videos, etc.

Challenges faced by Digital Forensics

Here are the major challenges faced by digital forensics:

• The increase in PCs and extensive use of internet access

• Easy availability of hacking tools

• Lack of physical evidence makes prosecution difficult.

• Storage capacities now reaching terabytes, which make the investigation difficult.

• Any technological change requires an upgrade or changes to solutions.

Example Uses of Digital Forensics

In recent times, commercial organizations have used digital forensics in the following types of cases:

• Intellectual property theft

• Industrial espionage

• Employment disputes

• Fraud investigations

• Inappropriate use of the Internet and email in the workplace

• Forgery-related matters

• Bankruptcy investigations

• Issues concerning regulatory compliance

Advantages of Digital forensics

Here are the pros/benefits of digital forensics:

• To ensure the integrity of the computer system.

• To produce evidence in court, which can lead to the punishment of the culprit.

• It helps companies to capture important information if their computer systems or networks
are compromised.

• Efficiently tracks down cybercriminals from anywhere in the world.

• Helps to protect the organization’s money and valuable time.

• Allows the extraction, processing, and interpretation of factual evidence, so that the cybercriminal’s
actions can be proven in court.

Disadvantages of Digital Forensics

Here are the major cons/drawbacks of using digital forensics:

• Digital evidence is accepted into court; however, it must be proved that there has been no tampering.

• Producing electronic records and storing them is an extremely costly affair.

• Legal practitioners must have extensive computer knowledge.

• Need to produce authentic and convincing evidence.

• If the tool used for digital forensics does not meet the specified standards, the evidence can be
rejected by the court.

• Lack of technical knowledge by the investigating officer might not produce the desired result.

Summary:

• Digital forensics is the preservation, identification, extraction, and documentation of computer
evidence which can be used in a court of law.

• The process of digital forensics includes 1) Identification, 2) Preservation, 3) Analysis, 4)
Documentation and 5) Presentation.

• Different types of digital forensics are Disk Forensics, Network Forensics, Wireless Forensics,
Database Forensics, Malware Forensics, Email Forensics, Memory Forensics, etc.

• Digital forensic science can be used for cases like 1) Intellectual property theft, 2) Industrial
espionage, 3) Employment disputes, 4) Fraud investigations.
