Digital forensics is the process of uncovering and interpreting electronic data for use in a court of law, writes Shahrzad Zargari, Senior Lecturer and Course Leader in Cybersecurity with Forensics.
The goal of digital forensics is to preserve any evidence in its most original form while performing a structured investigation by collecting, identifying and validating the digital information in order to create a timeline of events (Techopedia).
As the use of technology is growing rapidly around the world, cybercrime continues to rise in scale and complexity. Nowadays, companies are being targeted by cyber criminals more than ever and it has been estimated that the cost of ransomware will be around $265 billion (USD) annually by 2031 (Cyber Crime Magazine).
This not only demonstrates that the cyber world needs to be secured but also that, in the event of a cyber incident, knowledge of digital forensics is vital in order to stop, deter and punish the criminals.
Digital forensics can be used in civil cases (e.g. a corporate environment) or criminal cases (e.g. law enforcement). The role of a digital forensics practitioner is to identify, preserve, analyse and present the digital evidence (i.e. any information of probative value) in a manner that is legally acceptable. This means that a digital forensic investigator is required to create a timeline of events explaining who did what, where and when.
Digital forensics guidelines
In any forensics investigation, digital forensics practitioners follow the ACPO guidelines (Association of Chief Police Officers) to ensure the admissibility of the evidence in court. All forensic practitioners working in this field must abide by these codes, including the following four principles:
- No action taken by law enforcement agencies, persons employed within those agencies, nor their agents, should change data which may subsequently be relied upon in court.
- In circumstances where a person finds it necessary to access original data, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
- An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
- The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.
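The first and third principles above are usually put into practice by hashing the evidence at acquisition and keeping a hash-chained record of every process applied to it, so that an independent examiner can re-run the checks and reach the same result. The following is an added illustration, not code from the article or from any named tool; the disk image, examiner names and the keyword-search step are constructed for the example.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample standing in for a seized disk image (not a real image).
EVIDENCE = b"MBR\x00\x55\xaa" + b"user note: meeting at 09:00 on 2022-03-01\n" * 4


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class AuditTrail:
    """Append-only record of every process applied to the evidence (principle 3)."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def record(self, action: str, examiner: str, in_hash: str, out_hash: str) -> None:
        self.entries.append({"timestamp": datetime.now(timezone.utc).isoformat(),
                             "action": action, "examiner": examiner,
                             "input_sha256": in_hash, "output_sha256": out_hash})


def acquire(original: bytes, examiner: str, trail: AuditTrail) -> bytes:
    """Take a working copy and record that it is bit-identical to the original (principle 1)."""
    copy = bytes(original)
    trail.record("acquire", examiner, sha256_hex(original), sha256_hex(copy))
    return copy


def keyword_search(copy: bytes, keyword: bytes, examiner: str, trail: AuditTrail) -> int:
    """A constructed analysis step run on the copy only; its hash is recorded before and after."""
    before = sha256_hex(copy)
    hits = copy.count(keyword)
    trail.record("keyword_search:" + keyword.decode(), examiner, before, sha256_hex(copy))
    return hits


def third_party_check(original: bytes, trail: AuditTrail) -> bool:
    """Independent re-examination: the original still hashes to the acquisition hash,
    and no recorded step altered the data (every output hash equals the next input)."""
    if not trail.entries or sha256_hex(original) != trail.entries[0]["input_sha256"]:
        return False
    chain_ok = all(p["output_sha256"] == c["input_sha256"]
                   for p, c in zip(trail.entries, trail.entries[1:]))
    return chain_ok and all(e["input_sha256"] == e["output_sha256"] for e in trail.entries)


def run_case(original: bytes = EVIDENCE) -> tuple[int, bool]:
    trail = AuditTrail()
    copy = acquire(original, "examiner A", trail)
    hits = keyword_search(copy, b"meeting", "examiner A", trail)
    return hits, third_party_check(original, trail)
```

If the original is modified after acquisition, or an entry in the trail is edited, `third_party_check` returns False, which is exactly the failure an independent reviewer needs to be able to detect.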
In May 2021, the College of Policing released its Authorised Professional Practice document, Extraction of material from digital devices, developed in line with current UK law and setting out 10 principles to assist digital forensics practitioners.
Areas in digital forensics
Digital forensics can be focused in several areas, including computer forensics, memory forensics, network forensics, mobile forensics, IoT forensics and open source intelligence.
Computer forensics concerns the forensic investigation of hard disks obtained from PCs and laptops. At a crime scene, if the seized computer has been left turned on by the user, the information stored in RAM (Random Access Memory) can be very valuable in showing the user’s activities just before they were detained. The digital evidence in RAM is volatile; therefore, expertise in how to complete the forensic investigation process (memory forensics) is required.
Network forensics refers to the investigation and analysis of the incoming and outgoing traffic of a typical computer network when there is a cyber incident, supporting activities such as threat hunting and incident response.
In most criminal cases, the likelihood that a mobile device was used is high but knowing how to preserve and extract the data from mobile devices, then analyse the evidence, is challenging due to a few factors – not least because data can be highly volatile. Mobile devices come in many models produced by various manufacturers and can have different operating systems.
Therefore, in a typical mobile forensics case, the forensic investigator is required to have the knowledge about that specific mobile device before starting the investigation – otherwise, one simple mistake can jeopardise the investigation and prevent the case from going to court due to inadmissible evidence.
In recent years, IoT devices are being used ever more in daily life, creating more digital evidence. However, the forensic investigation process in an IoT environment is challenging due to the nature of the technologies such as RFID, sensors and cloud computing.
Some of these challenges are related to the ambiguity of data location, data acquisition, volatility of data and the lack of forensics tools. One example of IoT devices used in criminal activities is the use of drones for smuggling drugs to prison or terrorist activities.
Open source intelligence (OSINT) can support investigations in relation to circumstantial evidence by enabling the investigators to gather the data that is publicly available. However, the effective use of OSINT can be challenging.
Digital forensics tools
There are many digital forensics tools developed by researchers or vendors to assist the forensics practitioners, some of which are well known. It is important to mention that digital forensics examiners are required to validate their findings; therefore, it is a common practice to use more than one tool to find the evidence.
For example, Cellebrite Physical Analyser (CPA) software and Internet Evidence Finder (IEF) from Magnet are used in mobile forensics; IEF is also well-known software for social media and online investigation. CPA and IEF are used in IoT forensics too, as many IoT devices are configured by a mobile application.
One of the best open source tools for forensic investigation is Autopsy, which can be used on Windows and Linux platforms. EnCase and FTK are used mainly for hard disk analysis in computer forensics. For memory forensics, many forensic examiners choose Volatility and Redline.