What is Digital Forensics and How it is used in Investigations?

Haniah Shafi
6 min read · Mar 19, 2021

One evening, my 6-year-old niece and I were casually talking about life when I asked her the “one” question every family member asks the kid in the room.

“What do you want to be when you grow up?”

You will not believe what she replied.

She said “I want to be... umm... one of those people who look at everything on mobile phones, computers and laptops, read chats, check folders and catch criminals.”

I was completely shocked.

The Millennial me instantly realised that kids these days don’t just dream of being doctors, engineers or lawyers. Their aspirations are aligned to new-age careers.

The age of social media and technology.


She wants to be a digital forensics investigator when she grows up. I’m guessing you want to be one too.

It’s also very common for people to have no clue about digital forensics.

So, here’s a quick and simple guide to digital forensics and how it’s used in investigations.

What is Digital Forensics?

Digital Forensics is a branch of Forensic Science that deals with tools & methods used to collect, preserve, validate, analyse, interpret, document and present digital evidence obtained from digital devices linked to criminals/criminal activity.

A few examples of devices examined for digital evidence include:

  • Computers/PC/Laptops (the obvious)
  • Mobile Phones
  • Voice assistants
  • Infotainment systems
  • Drones

Digital forensics has several branches, divided by the type of digital device in question and by the specific processes its investigation involves.

Main branches of Digital Forensics include:

  • Network Forensics
  • Mobile Device Forensics
  • Computer Forensics
  • Forensic Data Analysis
  • Database Forensics

Network Forensics is growing increasingly popular as businesses today rely heavily on cloud and IoT devices for their operations, which in turn has given rise to cloud forensics and IoT forensics.

Likewise, the other branches divide into sub-branches in which digital forensic investigators can specialise.

Types of Cases in Digital Forensics

  1. Criminal Case

Cases that involve breaking laws set by government and law enforcement bodies, or that breach national and international security, such as cybersecurity threats and cyber-attacks.

  2. Civil Case

Cases that involve the protection of the property and rights of individuals and commercial entities, such as data breaches, data mining and hacking.

Digital Forensics Experts have a wide scope in both public and private sectors.

In the private sector, they can work within the security department of MNCs and large corporate bodies that have a designated department to handle all cybersecurity and information security cases.

For instance, Incident Response and eDiscovery departments deal with security incidents.

What is the process of Digital Forensics Investigation?

Investigation processes vary as different countries have different process models in place.

Typically, it consists of four main stages:

  1. Seizure
  2. Acquisition
  3. Analysis
  4. Reporting

Firstly, the chain of custody is established and preserved by law enforcement personnel prior to the actual examination of the digital media that is involved.

The second stage, ‘Acquisition’, involves creating forensic duplicates of the data on the original drive using imaging tools, so that the original device or drive is protected from tampering and loss.

This stage also involves verifying the acquired images with the SHA-1 or MD5 hash functions to confirm that the image matches the evidence in its original state.
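To make the acquisition check concrete, here is an added example in Python (not code from the post or from any imaging tool). It hashes the original media and the forensic duplicate with MD5 and SHA-1 as the post describes, and also with SHA-256, which most imaging tools now record alongside them because MD5 and SHA-1 are no longer collision-resistant; the duplicate is accepted only when every recorded digest matches, and the outcome is written into a chain-of-custody record. The evidence bytes, exhibit id and examiner name are constructed placeholders.

```python
"""Acquisition-stage hash verification and chain-of-custody record.

Added example: the digests of the original media are computed once, the
forensic duplicate is hashed again, and both sets must agree before
analysis begins. All data below is constructed in-line.
"""
import hashlib
import json
from datetime import datetime, timezone

# MD5 and SHA-1 are the functions named in the post; SHA-256 is added
# because both older functions have practical collision attacks.
HASH_ALGORITHMS = ("md5", "sha1", "sha256")
CHUNK_SIZE = 1024 * 1024  # hash large images in 1 MiB chunks


def hash_stream(chunks, algorithms=HASH_ALGORITHMS):
    """Return {algorithm: hexdigest} computed over an iterable of byte chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=HASH_ALGORITHMS):
    """Hash an in-memory byte string (used here for the constructed sample)."""
    return hash_stream([data], algorithms)


def hash_file(path, algorithms=HASH_ALGORITHMS):
    """Hash an image file on disk without loading it into memory at once."""
    def chunks():
        with open(path, "rb") as f:
            while True:
                block = f.read(CHUNK_SIZE)
                if not block:
                    return
                yield block
    return hash_stream(chunks(), algorithms)


def verify_acquisition(source_digests, image_digests):
    """Compare the digests of the original media with those of the duplicate.

    Returns (verified, mismatches). The image is accepted only when every
    algorithm recorded for the source matches; a single flipped bit in the
    duplicate changes every digest.
    """
    mismatches = [
        name for name, expected in source_digests.items()
        if image_digests.get(name) != expected
    ]
    return (not mismatches, mismatches)


def custody_record(evidence_id, examiner, source_digests, image_digests):
    """Build the entry an examiner would append to the chain-of-custody log."""
    verified, mismatches = verify_acquisition(source_digests, image_digests)
    return {
        "evidence_id": evidence_id,
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "source_digests": source_digests,
        "image_digests": image_digests,
        "verified": verified,
        "mismatches": mismatches,
    }


# Constructed stand-in for the contents of a seized drive (not real evidence).
SOURCE_MEDIA = b"\x55\xaa" + b"constructed evidence drive contents " * 64

if __name__ == "__main__":
    source = hash_bytes(SOURCE_MEDIA)
    good_image = bytes(SOURCE_MEDIA)       # faithful duplicate
    tampered = bytearray(SOURCE_MEDIA)
    tampered[100] ^= 0x01                   # one flipped bit in the duplicate
    for label, image in (("good", good_image), ("tampered", bytes(tampered))):
        record = custody_record("EXHIBIT-001 (placeholder)", "examiner (placeholder)",
                                source, hash_bytes(image))
        print(label, json.dumps(record, indent=2))
```

Run as a script it prints two custody records, one verified and one flagged with all three digests mismatching; `hash_file` is the streaming variant an examiner would use on a multi-gigabyte image file.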

Analysis, the next and most crucial stage of an investigation, is where experts apply methods and tools to locate the evidence.


In the case of deleted information, recovery is performed to retrieve the missing data.

Evidence often sits in cache files, deleted (unallocated) space and other storage locations, in addition to the obvious sources: emails, call logs, chats, internet history and downloads.
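As an added example of the recovery step (not from the post), the following Python carves deleted files out of a constructed image of unallocated space by scanning for known file signatures, the usual first technique when directory entries are gone but the file bytes remain on disk. The sample image, its embedded PNG and JPEG stand-ins and the signature table are constructed for this demonstration; production carvers also handle fragmented files and nested signatures (a JPEG with an embedded thumbnail) that this simplified version does not.

```python
"""Signature-based carving of deleted files from unallocated space.

Added example: when a file is deleted, its directory entry disappears but
its bytes usually remain until overwritten. A carver ignores the file
system and scans raw image bytes for known header/footer pairs.
"""

# kind -> (header, footer). Footers are fixed byte strings that close the
# format: PNG ends with the IEND chunk and its CRC, JPEG with the EOI marker.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}
MAX_CARVE_SIZE = 16 * 1024 * 1024  # abandon a header with no footer within 16 MiB


def carve(image, signatures=SIGNATURES, max_size=MAX_CARVE_SIZE):
    """Return a list of (offset, kind, data) for every complete file found.

    Limitation (deliberate, for brevity): the first footer after a header
    ends the file, so a JPEG containing an embedded thumbnail JPEG would be
    cut short, and files split across non-adjacent blocks are not recovered.
    """
    found = []
    for kind, (header, footer) in signatures.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                # header without a footer in range: skip it, keep scanning
                pos = image.find(header, pos + 1)
                continue
            end += len(footer)
            found.append((pos, kind, image[pos:end]))
            pos = image.find(header, end)
    return sorted(found, key=lambda f: f[0])


def build_sample_image():
    """Construct an 'unallocated space' blob: filler, a PNG, filler, text, a JPEG, filler.

    Returns (image, png, jpg) so callers can check what should be recovered.
    The PNG and JPEG are minimal stand-ins with valid headers/footers, not
    real pictures.
    """
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
           + b"\x00\x00\x00\x00IEND\xaeB`\x82")
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 32 + b"\xff\xd9"
    filler = b"\x00" * 512                 # wiped or never-used sectors
    leftover = b"old text fragment " * 8  # remnants of an unrelated deleted file
    return filler + png + filler + leftover + jpg + filler, png, jpg


if __name__ == "__main__":
    image, _, _ = build_sample_image()
    for offset, kind, data in carve(image):
        print(f"offset {offset:>6}  {kind}  {len(data)} bytes")
```

The constructed run recovers the PNG at byte offset 512 and the JPEG after the second filler block; on a real image the same loop is run over the raw device or image file and each carved file is then hashed and logged like any other exhibit.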

The final step of investigation usually involves reporting of information obtained from the investigation.

This is usually presented in the form of documents and reports that can be interpreted by non-technical readers.

What tools do Digital Forensic Examiners use?

Most interesting bit of every profession!

The tools you work with are what make the profession enjoyable, day in and day out, for most of your working life.

Digital Forensic Investigators across the globe use EnCase and FTK to examine copies of media.

EnCase and FTK reduce case backlogs and replace the live analysis process used previously.

These tools mainly help investigators search, pinpoint and prioritise potential evidence on mobile devices and computers quickly, to determine whether further investigation is warranted.


For security breaches, WindowsSCOPE is increasingly popular among digital forensics specialists across 20 countries.

It is an incident response tool that enables experts to perform live memory forensics for Windows computers.

Among open-source tools, HashKeeper and Wireshark are used to examine database files.

Autopsy and Encrypted Disk Detector (developed by Magnet Forensics) are used to examine hardware.

CAINE, an Ubuntu-based app, is widely used during all four phases of a digital investigation.

Other providers that develop digital forensics software for government and law enforcement agencies include Oxygen Forensics, AccessData and Cellebrite.

In an umbrella view, tools fall under the following categories:

  1. Disk and Data Capture
  2. Mobile Devices analysis
  3. Windows analysis
  4. Mac OS analysis
  5. File analysis
  6. Network Forensics
  7. Database Forensics
  8. Email Analysis
  9. Internet Analysis

How is Digital Forensics useful in Investigation?

The obvious answer is obtaining artifacts and data pertaining to the criminal activity in question that link directly to the offender.

However, investigations also assist digital forensics specialists in other areas of inquiry, such as:

Alibis and statements

Information provided by individuals involved in the case in question is cross-checked with evidence obtained from devices found in crime scenes.

This helps digital forensic experts establish the correct facts.

Attribution

Logs and metadata obtained through investigation help in tracing back to owners. For example, personal documents on a computer drive help in identifying its owner.

Logs on the cloud help investigators track down the location and whereabouts of missing owners.


Intent

Experts can pinpoint and prove the intent behind crimes through investigations.

Internet history, downloads and other artifacts obtained serve as proof.

Evaluation of Source

Artifacts and metadata are useful in identifying the origin of data. Investigators can evaluate whether a file was originally produced on the device under examination or downloaded from the internet.

Key Points

The field of Digital Forensics plays a vital role in the investigation of both criminal and civil cases involving technology.

From discovering artifacts that can serve as proof to finding hidden clues, digital forensics experts work round the clock to solve intricate cases.

Incidents range from hacking and computer attacks to the recovery of lost or stolen data.

Investigation processes differ based on the type of device involved and regulations set by law enforcement within the diverse branches of digital forensics.

With the advancement of tools and software, investigators have to keep up to date with the latest developments in the industry.

Haniah Shafi

Digital Entrepreneur | Brand Specialist | Researcher. I write on Cybersecurity, Digital Forensics, Business and Self-Help.