Digital forensics

Criminal cases involve the alleged breaking of laws that are defined by legislation and enforced by the police and prosecuted by the state, such as murder, theft, and assault against the person.

[4] Investigations are much broader in scope than other areas of forensic analysis (where the usual aim is to provide answers to a series of simpler questions), often involving complex time-lines or hypotheses.

[7][9] The growth in computer crime during the 1980s and 1990s caused law enforcement agencies to begin establishing specialized groups, usually at the national level, to handle the technical aspects of investigations.

As well as being law enforcement professionals, many of the early members of these groups were also computer hobbyists and became responsible for the field's initial research and direction.

The strain on central units lead to the creation of regional, and even local, level groups to help handle the load.

[20] Despite this, digital analysis of phones has lagged behind traditional computer media, largely due to problems over the proprietary nature of devices.

A February 2010 report by the United States Joint Forces Command concluded the following: Through cyberspace, enemies will target industry, academia, government, as well as the military in the air, land, maritime, and space domains.

In much the same way that airpower transformed the battlefield of World War II, cyberspace has fractured the physical barriers that shield a nation from attacks on its commerce and communication.

[23] In 2010, Simson Garfinkel identified issues facing digital investigations in the future, including the increasing size of digital media, the wide availability of encryption to consumers, a growing variety of operating systems and file formats, an increasing number of individuals owning multiple devices, and legal limitations on investigators.

Consequently, investigators often performed live analysis on media, examining computers from within the operating system using existing sysadmin tools to extract evidence.

The need for such software was first recognized in 1989 at the Federal Law Enforcement Training Center, resulting in the creation of IMDUMP [24](by Michael White) and in 1990, SafeBack [25](developed by Sydex).

[10] These tools allowed examiners to create an exact copy of a piece of digital media to work on, leaving the original disk intact for verification.

By the end of the 1990s, as demand for digital evidence grew, more advanced commercial tools such as EnCase and FTK were developed, allowing analysts to examine copies of media without using any live forensics.

"[1] In 2006, forensics researcher Brian Carrier described an "intuitive procedure" in which obvious evidence is first identified and then "exhaustive searches are conducted to start filling in the holes.

"[5] The actual process of analysis can vary between investigations, but common methodologies include conducting keyword searches across the digital media (within files as well as unallocated and slack space), recovering deleted files and extraction of registry information (for example to list user accounts, or attached USB devices).

In some cases, the collected evidence is used as a form of intelligence gathering, used for other purposes than court proceedings (for example to locate, identify or halt other crimes).

In civil litigation or corporate matters, digital forensics forms part of the electronic discovery (or eDiscovery) process.

[33] The main focus of digital forensics investigations is to recover objective evidence of a criminal activity (termed actus reus in legal parlance).

[4] One major limitation to a forensic investigation is the use of encryption; this disrupts initial examination where pertinent evidence might be located using keywords.

The US Electronic Communications Privacy Act places limitations on the ability of law enforcement or civil investigators to intercept and access evidence.

The ability of UK law enforcement to conduct digital forensics investigations is legislated by the Regulation of Investigatory Powers Act.

US judges are beginning to reject this theory, in the case US v. Bonallo the court ruled that "the fact that it is possible to alter data contained in a computer is plainly insufficient to establish untrustworthiness.

[7] In the US, for example, Federal Rules of Evidence state that a qualified expert may testify “in the form of an opinion or otherwise” so long as: (1) the testimony is based upon sufficient facts or data, (2) the testimony is the product of reliable principles and methods, and (3) the witness has applied the principles and methods reliably to the facts of the case.

For example, mobile phones may be required to be placed in a Faraday shield during seizure or acquisition to prevent further radio traffic to the device.

In a 2003 paper, Brian Carrier argued that the Daubert guidelines required the code of forensic tools to be published and peer reviewed.

"[41] In 2011, Josh Brunty stated that the scientific validation of the technology and software associated with performing a digital forensic examination is critical to any laboratory process.

Computer forensics can deal with a broad range of information; from logs (such as internet history) through to the actual files on the drive.

[4] Sharon Lopatka's killer was identified in 2006 after email messages from him detailing torture and death fantasies were found on her computer.

It differs from Computer forensics in that a mobile device will have an inbuilt communication system (e.g. GSM) and, usually, proprietary storage mechanisms.

Unlike other areas of digital forensics network data is often volatile and rarely logged, making the discipline often reactionary.

in air pictures of FLETC , where US digital forensics standards were developed in the 1980s and '90s
A portable Tableau write-blocker attached to a hard drive
An example of an image's Exif metadata that might be used to prove its origin
Digital evidence can come in a number of forms
Private Investigator & Certified Digital Forensics Examiner imaging a hard drive in the field for forensic examination.
Mobile phones in a UK Evidence bag