The Basics of Digital Forensics
In the first chapter of the Basics of Digital Forensics, we'll start with a high level overview of the field, what its goals are, and what process investigators use to conduct digital forensic investigations.
A Working Definition of Digital Forensics
Digital forensics is the process through which skilled investigators identify, preserve, analyze, document, and present material found on digital or electronic devices, such as computers and smartphones. Originally the term primarily applied to criminal investigations, focusing on the use of digital evidence in the prosecution of a crime, but it has expanded to include many other types of investigations in recent years. The goal of a digital forensics investigation is to preserve the evidence as it exists while also uncovering information that helps the investigator reconstruct past events and understand not just how, but also why, they occurred the way they did.
The Difference between Digital Forensics and E-Discovery
E-Discovery and digital forensics share many critical elements. Both attempt to identify and preserve electronic information—often for a matter of litigation. But differences emerge rapidly after that. In e-discovery, the information is preserved and collected, but then it is passed on to legal experts for analysis and use in the course of resolving a civil matter. There are occasions when conducting e-discovery may require the use of digital forensic techniques, but more often than not the standards required by civil litigation are lower than those necessary for a criminal investigation.
Originally, digital forensics was mainly the domain of law enforcement professionals investigating the digital fingerprints left behind in the commission of a crime. In digital forensics, the investigator who isolates and preserves the digital information proceeds to analyze it, using it to tell the story of “what happened” in an event in question. In the past few years, though, private sector forensics professionals have increasingly conducted investigations of data breaches, cyber-incidents, regulatory/compliance infractions, or human resources violations for private enterprises.
National Institute of Standards and Technology Definition of Digital Forensics
In its strictest definition, digital forensics is the application of computer science and investigative procedures involving the examination of digital evidence: following proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possibly expert testimony.
The Goals of Digital Forensics
At a technical level, the goal of digital forensics is traditionally defined (including by the US government Cybersecurity and Infrastructure Security Agency, CISA) “to identify, collect, preserve, and analyze data in a way that preserves the integrity of the evidence collected so it can be used effectively in a legal case.” There is broad consensus on the technical goal, as Interpol, the International Criminal Police Organization, offers a very similar definition as well: “to extract data from the electronic evidence, process it into actionable intelligence and present the findings for prosecution. All processes utilize sound forensic techniques to ensure the findings are admissible in court.”
The Interpol definition of digital forensics makes clear a key distinction between forensics and e-discovery: the focus on preserving evidence so it is admissible in court. Typically, forensic investigators work on images—validated duplicates of the material present on the original device—rather than working with the original or “live” systems.
Non-technically speaking, the goal of the digital forensic process is to understand what happened, when, and why on any given digital device. As Gus Dimitrelos of CyberForensics.com, with over 25 years of digital forensic investigatory experience, explained on a recent episode of the FTK Over the Air podcast, “The binary data doesn’t care about innocence or guilt. It gives you the information that you need to make your expert conclusions.”
Digital Forensics in Action
One of the most famous digital forensic investigations was the investigation that led to the conviction of Dennis Rader for 10 murders that occurred in the Wichita, Kansas, area between the mid-1970s and the early 1990s. In 2004, the case was considered a “cold case.”
Rader began communicating with local media using the alias “Bill Thomas Killman,” a reference to the “bind, torture, kill” modus operandi he had used in the murders. After a series of communications with various media outlets, Rader sent a floppy disk (remember those?) containing his writings to the police; unbeknownst to Rader, it still contained artifacts of a Microsoft Word file.
Metadata from the document indicated its source was Christ Lutheran Church and an author named “Dennis” had last modified the document. Investigators were able to determine that Dennis Rader was president of the church council at Christ Lutheran Church in Wichita, eventually arresting him for the crimes to which he pleaded guilty in 2005.
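The clue in the Rader case came from the document's own property fields, which a word processor fills in automatically and most users never see. The following Python is an added example (it is not code from the original article and not part of FTK) that builds a minimal Office Open XML `.docx` in memory with constructed placeholder values and then reads back the fields an examiner looks at first: creator, last-modified-by, modification time and company. Note that `.docx` is the post-2007 format; the 2004 disk would have held the older binary `.doc` format, whose property stream is laid out differently, but the fields recorded are the same ones.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces used by the two document-properties parts inside a .docx package
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Constructed sample metadata parts. Every value here is a placeholder,
# not taken from any real document.
CORE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties
 xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/"
 xmlns:dcterms="http://purl.org/dc/terms/">
 <dc:creator>Example Author</dc:creator>
 <cp:lastModifiedBy>example.user</cp:lastModifiedBy>
 <dcterms:modified>2004-02-01T10:30:00Z</dcterms:modified>
</cp:coreProperties>"""

APP_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">
 <Application>Microsoft Office Word</Application>
 <Company>Example Organization</Company>
</Properties>"""


def build_sample_docx(with_props: bool = True) -> bytes:
    """Assemble a minimal .docx (a ZIP container) holding a stand-in body part
    and, optionally, the two metadata parts above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", b"<w:document/>")  # body stand-in
        if with_props:
            z.writestr("docProps/core.xml", CORE_XML)
            z.writestr("docProps/app.xml", APP_XML)
    return buf.getvalue()


def extract_docx_metadata(docx_bytes: bytes) -> dict:
    """Read creator, last-modifier, modification time and organisation from a
    .docx package. Missing parts or elements yield None instead of raising,
    because evidence files are frequently incomplete or damaged."""
    result = {"creator": None, "last_modified_by": None, "modified": None, "company": None}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            core = ET.fromstring(z.read("docProps/core.xml"))
            result["creator"] = core.findtext("dc:creator", namespaces=NS)
            result["last_modified_by"] = core.findtext("cp:lastModifiedBy", namespaces=NS)
            result["modified"] = core.findtext("dcterms:modified", namespaces=NS)
        if "docProps/app.xml" in names:
            app = ET.fromstring(z.read("docProps/app.xml"))
            result["company"] = app.findtext("ep:Company", namespaces=NS)
    return result


if __name__ == "__main__":
    for field, value in extract_docx_metadata(build_sample_docx()).items():
        print(f"{field:17s}: {value}")
```

Real examinations run the same extraction over the file as it sits inside a verified image rather than over a file handed around loose, so that the metadata can be tied back to the original device.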
Digital Forensics and Cybersecurity
Digital forensics and cybersecurity share much in common, as the skill sets and knowledge required for both are very similar. But there is a crucial distinction. Cybersecurity’s focus is protecting data and electronic systems and preventing intrusions or criminal activity from happening; digital forensics focuses on understanding what happened after a cybersecurity event or crime. While private sector cybersecurity and digital forensics teams often work together in the same larger line of business (usually information technology), their focus and goals are very different.
The Digital Forensics Process
The digital forensic process entails five steps: identification, preservation, analysis, documentation, and presentation. While the next chapter of the Basics of Digital Forensics will dig deeper into each of these steps, we’ll quickly summarize what happens in a digital forensic investigation below.
Identification is the first step in any digital forensic investigation. The investigator (or investigating team) must identify what evidence is present on the device, where it is stored, and what format it is stored in. Digital evidence can come in any variety of formats (text messages, emails, images or video, web search histories, documents, transactions, etc.) and on a variety of devices, including computers, smartphones, tablets, fitness trackers, and more. Forensic investigators are also particularly interested in a device’s behind-the-scenes data, or ‘artifacts’, things like operating system data, registry files, Amcache files, SRUM data (system resource usage), and power logs, to piece together the device user’s every action.
Preservation follows identification in digital investigations. Preservation focuses on isolating the data, securing it, and preserving it, while creating a copy, or image, that can be analyzed and investigated. This is critical in digital investigations since the actual evidence must be preserved in its original form to be considered admissible as evidence in court. This requirement defines much of the distinction between digital forensics and other forms of investigation. No one can use or tamper with the original device; to do so would render it useless in a criminal trial.
Analysis is the stage of a digital forensic investigation in which the forensic scientist (or investigator) reconstructs the fragments of data and creates a holistic narrative of what happened during the crime (or matter being investigated). Forensic experts rely on the evidence, first and foremost, but also their experience and expertise. It may often take multiple efforts and examinations to arrive at a satisfactory theory of the crime that happened.
Documentation prepares a record of the data to be presented in court (or in whatever other venue the investigation is being resolved). It is a narrative recreation of the events in question, linked with the evidence supporting the theory, that should be compelling to an outside party that is charged with determining guilt or innocence.
Presentation is the final stage of the digital forensic process. The investigator uses the documentation to explain the conclusions they have drawn about the event in question. Whether the conclusion is presented in a courtroom or in a written report, the investigator must translate their expert conclusions into a comprehensible narrative that a non-expert can understand and judge for themselves based on the details and evidence presented.
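The “validated duplicates” mentioned with the Interpol definition and the preservation step above both rest on the same mechanism: the image is hashed at acquisition, the hash is written into the chain-of-custody record, and every later examination re-hashes the working copy before trusting it. The Python below is an added example (not from the original article, and not FTK's own acquisition code) that acts this out on a constructed in-memory “device”; a real acquisition would read the physical drive through a write blocker, which this stand-in cannot show. The examiner name and item identifier are placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for a raw disk: 4 KiB of bytes. A real acquisition
# would read the block device itself, behind a hardware write blocker.
SAMPLE_DEVICE = bytes(range(256)) * 16


def hash_bytes(data: bytes) -> dict:
    """Hash an evidence blob with two algorithms. Forensic tools commonly
    record both so the image can later be re-verified with whichever tool
    is available."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def acquire_image(device: bytes, examiner: str, item_id: str):
    """Produce a bit-for-bit copy of `device` plus a chain-of-custody record
    that ties the copy to the source by hash. The source is only read."""
    image = bytes(device)  # bit-for-bit duplicate of the evidence
    source_hashes = hash_bytes(device)
    image_hashes = hash_bytes(image)
    if source_hashes != image_hashes:
        # Never hand an unverified image to an analyst.
        raise RuntimeError("acquisition failed: image does not match source")
    record = {
        "item_id": item_id,            # placeholder evidence identifier
        "examiner": examiner,          # placeholder examiner name
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "size_bytes": len(image),
        "hashes": image_hashes,
    }
    return image, record


def verify_image(image: bytes, record: dict) -> bool:
    """Re-hash the working copy and compare it against the acquisition record.
    Any change, down to a single flipped bit, breaks the match."""
    return hash_bytes(image) == record["hashes"]


if __name__ == "__main__":
    image, record = acquire_image(SAMPLE_DEVICE, "examiner-01", "ITEM-0001")
    print(json.dumps(record, indent=2))
    print("working copy verified:", verify_image(image, record))

    # Simulate an altered copy: one byte changed, hashes no longer match.
    tampered = bytearray(image)
    tampered[100] ^= 0x01
    print("tampered copy verified:", verify_image(bytes(tampered), record))
```

In practice the acquisition record, including the hashes, is signed or stored separately from the image so that an altered image cannot be paired with an altered record; the point of the hash is that anyone, with any tool, can repeat the check.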
What is a Digital Forensic Toolkit?
Since digital forensics is a highly technical endeavor, forensic investigators require professional-level technology to conduct their investigations in a manner that is “forensically sound,” or compatible with the requirement to preserve the original data, while manipulating an identical image to determine what the evidence proves. Since the data is digital, the tools forensic investigators use by their nature are software applications. The applications help investigators throughout the process—that is, they may be used to:
- Preserve data
- Identify data
- Extract, copy, or image data
- Analyze data
- Document or present data to laypersons
Digital forensics tools can fall into many different categories, including disk and data capture, email analysis, file analysis, file viewers, internet analysis, mobile device analysis, network forensics, and registry analysis. They may help investigators decrypt encrypted data, crack passwords, and recover deleted files. Digital forensic tools may be specially crafted to work with computer data, mobile phone data, or both.
For more examples of how digital forensics plays a critical role in law enforcement, read the following Exterro FTK® case studies:
What Are Jobs in Digital Forensics?
The best-known jobs in digital forensics are in the public sector—helping local, state, and national-level police and law enforcement agencies solve crimes by analyzing the digital footprint left behind. After all, it has been said that “in terms of crime today, virtually every crime has a digital footprint.” That means almost any police agency can benefit from having professionals capable of securing, preserving, identifying, and analyzing digital evidence. Not all of these professional roles need be full officers of the law—they can also be lab technicians, analysts, and even programmers working behind the scenes to solve crimes.
But today, more and more private sector organizations need forensic investigatory capabilities. Whether they are media or journalistic outlets looking to break stories, or enterprises that need to understand what happened in a cybersecurity event or a regulatory compliance violation, they need investigators capable of completing thorough, defensible, forensically sound investigations. Not all private sector investigators come from law enforcement agencies—although many do, as discussed in episode 14 of FTK Over the Air. Educational institutions also train undergraduate and graduate students in digital forensics technology and techniques, creating future generations of cybersecurity and digital forensic professionals for both the public and private sectors alike.