If you have been in the tech world for a while, you might have come across this phrase, ‘digital forensics’, and might know something or everything there is to know about it. Or if you are new here, you might be scratching your head trying to figure out what this might be. Let’s dive into what digital forensics is and some misconceptions you might have or have heard before.
What is digital forensics?
Digital forensics is a branch of forensic science. It focuses on recovering, investigating, and preserving digital data found in digital devices that are related to cybercrime. Its process involves identifying, preserving, analysing, and documenting digital evidence to present in a court of law when required.
Some common misconceptions
What comes to your mind when you hear digital forensics?
Maybe you think about some of the crime TV shows you have seen, and how quick and easy gathering and analysing digital data seems. You might be afraid of its implications, for example that all your data will be scrutinised by someone if your device ever needs to be examined.
You might think it’s a cool and glamorous job. You might also think that digital forensic practitioners are genius hackers who can get away with just about anything.
However, the reality could not be further from the fiction.
Firstly, gathering digital data usually takes days, depending of course on the size of the data set. There is a lot of endless waiting on progress bars and a lot of “copy-paste-verify”.
Analysing data is also not a walk in the park. There are usually hundreds of thousands, if not millions, of artefacts extracted from a device (including, for example, pictures, videos, log files, system files, etc.). Nobody has the capacity to go through these one by one. Usually keywords or other tactics are used to sift through these huge data sets. Examiners also tend to have more than one case at once.
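To make the keyword sift concrete, here is an added example (not code from the original post or from any forensic tool) that runs a case-insensitive keyword search over a constructed set of extracted artefacts and summarises which artefacts and keywords hit. The artefact record layout, the sample paths and contents, and the keyword list are all assumptions made for illustration.

```python
import re
from collections import Counter

# Added example, not from the original post: a keyword sift over a constructed set of
# extracted artefacts. Artefact records are a simple (path, bytes) pair; real tools
# produce far richer records, so this layout is an assumption for illustration.

# Constructed sample "extraction": a handful of artefacts standing in for the hundreds
# of thousands a real device produces. Content is bytes, since many artefacts are not text.
ARTEFACTS = [
    ("Users/alice/Documents/notes.txt", b"Meeting with project Falcon on Monday. Invoice attached."),
    ("Users/alice/AppData/Local/Temp/cache.bin", b"\x00\x01\x02FALCON\xff\xfe binary blob"),
    ("Windows/System32/winevt/Logs/Security.evtx", b"<Event><EventID>4624</EventID></Event>"),
    ("Users/alice/Pictures/IMG_0001.jpg", b"\xff\xd8\xff\xe0JFIF no keywords here"),
    ("Users/alice/Downloads/invoice_final.pdf", b"%PDF-1.4 Invoice for Falcon Ltd"),
]

KEYWORDS = ["falcon", "invoice", "4624"]  # constructed keyword list for the exercise


def build_pattern(keywords):
    """One compiled, case-insensitive alternation; escaped so keywords match literally."""
    return re.compile("|".join(re.escape(k) for k in keywords), re.IGNORECASE)


def sift(artefacts, keywords, context=12):
    """Return one hit per (artefact, keyword occurrence) with a short context snippet.

    Bytes are decoded leniently so that strings inside binary artefacts still surface;
    undecodable bytes are dropped rather than raising and aborting the whole sift.
    """
    pattern = build_pattern(keywords)
    hits = []
    for path, raw in artefacts:
        text = raw.decode("utf-8", errors="ignore")
        for m in pattern.finditer(text):
            start = max(0, m.start() - context)
            end = min(len(text), m.end() + context)
            hits.append({
                "path": path,
                "keyword": m.group(0).lower(),
                "offset": m.start(),
                "context": text[start:end],
            })
    return hits


def summarise(hits):
    """Counts per keyword and the artefacts that matched, to decide where to look first."""
    per_keyword = Counter(h["keyword"] for h in hits)
    paths = sorted({h["path"] for h in hits})
    return {"per_keyword": dict(per_keyword), "matched_paths": paths}


if __name__ == "__main__":
    found = sift(ARTEFACTS, KEYWORDS)
    for h in found:
        print(f"{h['path']}  [{h['keyword']}@{h['offset']}]  ...{h['context']}...")
    print(summarise(found))
```

On the constructed sample this yields six hits across four artefacts; the JPEG produces none, which is the point of the summary: it tells the examiner which fraction of the extraction is worth opening at all.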
It can be a cool and glamorous job. However, you will have to deal with disturbing cases, for example ones that involve pornography. A lot of it. Including illegal and disturbing versions of it. Especially if you work for a law enforcement agency.
There are undoubtedly some genius hackers in digital forensics; however, a digital forensic practitioner is usually bound by several very thorough standard operating procedures, and must also comply with laws and regulations.
You cannot talk about digital forensics without mentioning the ACPO guidelines. ACPO stands for the Association of Chief Police Officers. ACPO provides a good practice guide for police forces in England, Wales and Northern Ireland. It discusses four essential principles all digital forensics practitioners should know. These principles are:
Principle 1: No action taken by law enforcement agencies, persons employed within those agencies or their agents should change data which may subsequently be relied upon in court.
Principle 2: In circumstances where a person finds it necessary to access original data, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
Principle 3: An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
Principle 4: The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.
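The “copy-paste-verify” routine mentioned earlier and Principle 3 above fit together in practice: every action on the evidence is hashed and written to an audit trail that a third party can replay. The following is an added example (not the ACPO guide’s code or any vendor tool) of that workflow in miniature: it copies a constructed sample file, hashes both ends with SHA-256, marks the working copy read-only, and appends one JSON line per action to an audit log. The function names, the JSON record layout and the examiner identifier are assumptions made for illustration.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Added example: a minimal "copy, then verify" acquisition helper with an audit trail.
# Not the ACPO guide's code or any vendor tool; function names, the JSON record layout
# and the sample evidence file are assumptions made for illustration.

CHUNK = 1024 * 1024  # read in 1 MiB chunks so large images do not need to fit in memory


def sha256_of(path: str) -> str:
    """Hash a file in chunks; the same routine is used for source and copy."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def record(audit_log: str, examiner: str, action: str, **details) -> dict:
    """Append one line of JSON describing an action taken on the evidence (Principle 3)."""
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "examiner": examiner,
        "action": action,
        **details,
    }
    with open(audit_log, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def copy_and_verify(source: str, dest: str, audit_log: str, examiner: str) -> dict:
    """Copy source to dest, hash both ends, mark the copy read-only and record the outcome.

    A mismatch is recorded too: a failed verification is itself a fact about
    what happened to the data and belongs in the audit trail.
    """
    src_hash = sha256_of(source)
    record(audit_log, examiner, "hash_source", path=source, sha256=src_hash)
    with open(source, "rb") as s, open(dest, "wb") as d:
        shutil.copyfileobj(s, d, CHUNK)
    os.chmod(dest, 0o444)  # working copy is read-only to discourage accidental change
    dst_hash = sha256_of(dest)
    match = src_hash == dst_hash
    record(audit_log, examiner, "verify_copy", source=source, dest=dest,
           sha256_source=src_hash, sha256_copy=dst_hash, match=match)
    return {"source_sha256": src_hash, "copy_sha256": dst_hash, "match": match}


def read_audit_log(audit_log: str) -> list:
    """Return the audit trail as a list of dicts, in the order the actions were taken."""
    with open(audit_log, encoding="utf-8") as f:
        return [json.loads(line) for line in f if line.strip()]


def demo() -> dict:
    """Run the workflow on a constructed 'evidence' file in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = os.path.join(tmp, "exhibit01.bin")  # constructed sample, not real evidence
        working = os.path.join(tmp, "exhibit01_copy.bin")
        audit = os.path.join(tmp, "audit.jsonl")
        with open(evidence, "wb") as f:
            f.write(b"constructed sample evidence\n" * 4096)
        result = copy_and_verify(evidence, working, audit, examiner="EXAMINER-ID-PLACEHOLDER")
        # An independent re-check recomputes the digest from the copy alone (Principle 3)
        result["recheck_ok"] = sha256_of(working) == result["copy_sha256"]
        result["audit_entries"] = len(read_audit_log(audit))
        return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The two audit records, with their digests and timestamps, are what an independent examiner would use to repeat the process and reach the same result; hashing the source before the copy is taken is what lets you show afterwards that the copy, not the original, was the thing analysed.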
What are the different fields in digital forensics?
There are several sub-fields within digital forensics. These include (but are not limited to):
- Network forensics: monitoring and analysing a system’s network traffic to extract data
- Vehicle forensics: extraction and analysis of data from vehicle computer systems
- Computer forensics: extraction and analysis of data from computer storage
- Mobile device forensics: extraction and analysis of data from mobile devices
- Memory forensics: extraction and analysis of data from volatile memory (RAM)
There are some other fields that are interconnected with digital forensics. You might find that these are mentioned under the DFIR (Digital Forensics and Incident Response) umbrella:
- E-Discovery (electronic discovery): identifying, collecting, and producing electronically stored information in response to a request for the production of digital evidence in civil litigation, dispute resolution, or an investigation
- Incident Response: a structured approach to handling various types of security incidents, cyber threats, and data breaches
As a general piece of advice, I would say know what you are getting into. Don’t get into digital forensics because it sounds fancy and exciting. Don’t have hopes that it will be all/mostly high-profile, exciting investigations, where your help is crucial for the resolution (catching the bad guy, exposing a harassing employee, etc.).
Because most of the time, it won’t be like that. That’s not where you start. And you might never get to a level which might be close to that.
Get into digital forensics for the right reasons. Get into digital forensics because you have a passion for anything relating to digital devices and for data analysis.