Awareness of Digital forensics examination

1. Tell me about your professional background.

a. What is your current job title?

Respondent 1: CID Expert (Forensic Examiner) Police

Respondent 2: Forensic Expert (Police)

b. What are your primary job duties?

Respondent 1: Currently, my basic job is with the Extraction of data and analysis. I also work on
reporting and interpretation of the data.

Respondent 2: Custody management. Data Analysis, Reporting and chain

a. How long have you been a (digital forensics examiner/attorney)?

Respondent 1: 7 years experience in both in-house and field.

Respondent 2: 4 years

2. Do you feel your knowledge of digital forensics is adequate to fulfil your job duties?

Respondent 1: Hmm,I believe every day we need to learn new things and upgrade ourselves. I can’t say
I understand and know every side of the forensic process, but when it comes to extraction, I can say I am
very good at it.

Respondent 2: Yes. Due to my IT background, I can understand and follow the protocols in our industry.

3. The following questions are related to common knowledge of digital devices/technologies.

a. Please name a few items you would consider to be digital evidence.

Respondent 1:
 Analogical Evidence
 Anecdotal Evidence
 Circumstantial Evidence
 Digital Evidence.
 Forensic Evidence
Respondent 2:

 Information found on a mobile device.

 Information on a computer.
 Information on a pendrive or harddrive.

b. How do you primarily learn about emerging technologies?

Respondent 1:
1. research,
2. Journals and Technology publications.
3. Training
 4. Webinars.

Respondent 2:
1.Mostly I read on Google Technologies update news
2.Also, I do online self-learning courses
3.Also, I have a technology group we share ideas.
4. On a scale of 1 to 5 describe your familiarity with IT, computers, and forensics.
Where 1= low; 2=below average; 3=average; 4= above average; 5=High

Respondent 1:

1 2 3 4 5
Digital Evidence 5
Computer Forensic Process 5
Computer Technology 5
Internet Applications 5

Respondent 2:

1 2 3 4 5
Digital Evidence 5
Computer Forensic Process 4
Computer Technology 4
Internet Applications 5

5. Do you feel the involvement of forensic evidence, in general, makes a case more or less
complicated than a case not involving forensic evidence?

Respondent 1: Yes

Respondent 2: Yes

a. Why do you feel this way?

Respondent 1: The majority of individual does not understand how this forensic
investigation work. And this will make our work very difficult to explain.
Respondent 2: Well, looking at our current system, very few people under technology and
the dangers it may pose. so general I feel with the involvement of forensic evidence, you
may need professionals to do a very comprehensive analysis to explain their findings. I
also I am of the view that very few people may understand the result. This may pose
more challenges

b. Does your feeling depend on the type of forensic evidence?

Respondent 1: Yes
Respondent 2: Yes

Digital Forensics (Digital forensic scientist only)

10. Is there any standardized procedure you follow during any forensics examination?
Respondent 1: Yes. But basically, Every case may be treated separately. This is because not all
cases may not run in the same order. But in the case of extraction, the same protocol is
followed
Respondent 2: Not precisely. Most cases run the same way. But some cases are more technical and complex
in nature and more analysis needs to take place.

11. What procedure do you use during forensic examinations?

We basically for this step to arrive at our result.

Respondent 1:

1. Collection – This is provided by the Crime Department

2. Examination - This done when we have a court order to procced
3. Cloning: A replica of the device or data is created.
4. Extraction- data is retrieve from the device
5. Analysis – The is done on the device
6. Reporting – we document the finding
7. Interpretation – We may or may not be ask to testify in court base on the gravity of the
evidence provided

Respondent 2:

1. Collection: for crime scene

2. Examination: Court approval for investigations.
3. Cloning: The same version of the device is cloned
4. Extraction- data is retrieved from the cloned device.
5. Analysis: This is where all the technical examinations are done.
6. Reporting: we document the finding
7. Interpretation: This may be done in court or to lawyers of the accused person

12. Do you use any software/application/algorithm to extract evidence from a digital device?

Respondent 1: Yes: Cellebrite

Respondent 2: Cellebrite.
Factors Influencing Digital forensics
13. From a scale of 1 to 5 describe how the following influences digital forensics investigation.
Where 1= low; 2=below average; 3=average; 4= above average; 5=High

Respondent 1:

Factors 1 2 3 4 5
Heterogeneous sources of data 3
Expanding the diversity of digital devices 5
Diversity of data 5
anti-forensics (such as artefact wiping, data hiding, trail 5
obfuscation, data encryption, and attacks against
computer forensics tools and processes)
Big volume of data 5
Legal requirements such as compliance with the law 5
Efficiency of digital forensic departments 5

Respondent 2

Factors 1 2 3 4 5
Heterogeneous sources of data 5
Expanding the diversity of digital devices 4
Diversity of data 4
anti-forensics (such as artefact wiping, data hiding, trail 5
obfuscation, data encryption, and attacks against
computer forensics tools and processes)
Big volume of data 5
Legal requirements such as compliance with the law 5
Efficiency of digital forensic departments 5