Types of Digital Forensics
Digital forensics is a highly specialized area that covers myriad kinds of investigations.
1. Disk Forensics
When it comes to retrieving data from storage devices by looking for files that are current, altered, or erased, disk forensics is the method of choice. An example of disk forensics in action is the investigation of a hard drive to recover the deleted files, hidden partitions, and configuration settings.
2. Network Forensics
Network forensics is a sub-branch of digital forensics and involves monitoring and analyzing computer network traffic to collect important information and legal evidence. A typical instance is searching the network log files to determine if any unauthorized attempts of access have been made by a perpetrator.
3. Wireless Forensic
It is a division of network forensics. The main aim of wireless forensics is to provide the tools necessary to collect and analyze data from wireless network traffic. A good example would be the investigation of wireless access points to identify unknown devices accessing the network and detect any unauthorized access.
4. Database Forensics
This branch of digital forensics relates to the study and examination of databases and their related metadata. An example of database forensics investigation would entail the examination of the database logs to determine unauthorized access or changes to the data.
5. Malware Forensics
The identification of malicious code falls under the purview of malware forensics. This branch helps to study their payload, viruses, worms, etc. Malware forensics is often employed to identify the origin of malware and to determine how it was deployed and used in attacking the system.
6. Email Forensics
In email forensics, specialists recover and analyze emails, including deleted emails, calendars, and contacts. For example, it entails the investigation of a user’s account to determine whether any email threats were sent or received, and if so, to whom.
7. Memory Forensics
This is a process of extracting data from the system memory (RAM, cache, system registers) in its original form and then separating the data from the raw dump. An instance would be the investigation of a workstation’s memory dump to identify a password used to access a secure system.
8. Mobile Phone Forensics
The process of inspecting and extracting data from mobile devices is called mobile phone forensics. It allows you to access contacts from a phone and SIM card, as well as the call history and messages. You can also view and play audio and video files on the device. An example of mobile phone forensics would be the examination of a mobile device recovered from a suspect to identify any call or message related to an ongoing investigation.
Takeaway: Digital forensics plays a critical role in investigating digital crime. Depending on the evidence available, various types of digital forensics may be employed to extract essential data and evidence required for a successful investigation and prosecution.
Digital Investigation Types
When it comes to digital investigations, there are two main types: public investigations and private investigations. These categories refer to who initiated the investigation and the type of cases involved.
1. Public Investigations
They are criminal cases managed by government law enforcement agencies. These investigations are conducted according to the laws of the country and follow three main stages: complaint, investigation, and prosecution.
During the first stage, a complaint is received, which can come from a victim, witness, or even the police. In the investigation stage, digital forensics is used to gather evidence, which involves analyzing computer systems, mobile devices, and other digital media. Finally, the prosecution stage involves presenting the evidence in court to prosecute the accused.
2. Private Investigations
These investigations are usually initiated by corporations to investigate computer-related issues like policy violations, wrongful termination, and the leaking of enterprise secrets. There are no formal rules that govern the cases, as each organization follows its own rules.
However, private investigations should be conducted following the same strict procedures as public investigations. This is because private investigations can later move to the court and become official criminal cases. In other words, you still use digital forensics to collect evidence and must obtain the evidence presented in court following a chain of custody and other protocols.
Examples of public investigations include criminal cases such as hacking, online fraud, and child exploitation. On the other hand, private investigations may include internal misconduct, harassment, and intellectual property theft.
Takeaway: Both types follow strict procedures and use digital forensics to collect evidence. Understanding the differences between the two types is essential to ensure that investigations are conducted as efficiently and effectively as possible.
Who are digital forensic investigators?
The importance of a digital forensic investigator cannot be overstated. Depending on the situation, forensic investigators play a significant role in confirming or dispelling whether a resource or network is compromised. They are also tasked with determining the extent of damage due to an intrusion and answering the who, what, when, where, how, and why questions.
Gathering data in a forensically sound secure manner is one of the primary duties of a forensic investigator. They meticulously collect and preserve evidence to ensure that it can be analyzed without being damaged or contaminated, which could otherwise vitiate the investigation or render the evidence inadmissible.
Handle and analyze evidence to identify useful information for the investigation. Investigators must be skilled in working with multiple data types and technologies to extract evidence from computers and network devices that has been modified or deleted.
Preparing an accurate report is also their main task. This includes explaining their findings in a format that is easily understood and following standard reporting formats. The report outlines the investigation process, details the collected evidence, and offers recommendations on how to prevent similar incidents from happening in the future.
Besides, a digital forensic investigator may be required to present admissible evidence in court as a subject-matter expert. They should educate juries, judges, and lawyers, using layman’s terms, on the technical details of the evidence and explain how their findings led to the conclusions.
Takeaway: A digital forensic investigator is an essential part of modern forensic analysis, serving to identify evidence, analyze data, and present findings. Without their work, crimes committed through computers and digital devices would be more difficult to prosecute, leaving victims without a justice system to advocate on their behalf.
What is Digital Evidence?
Digital forensics investigations play a crucial role in solving crimes by acquiring, preserving, examining, and presenting digital evidence in a court of law. Digital evidence, also known as electronic evidence, refers to any information that is stored or transmitted in digital format. This could include data found on computers, laptops, cell phones, tablets, PDA hard drives, USB thumb drives, SD cards, and all data stored using various storage device media, CD/DVDs, operating systems, and database logs.
Importantly, digital evidence is acquired in a forensically sound manner i.e., the process of acquiring data so its authenticity and integrity are preserved all through the legal interpretation. This makes it admissible in a court of law.
Digital evidence can take various forms, including:
- Email messages and attachments
- User account info such as usernames, passwords, and personal pictures for both online accounts and local computer users.
- Digital photo, audio, and video
- Messaging history
- Web browsing history
- Files generated by accounting programs
- All types of electronic files, including spreadsheets, bookmarks, and database files
- Data in volatile memory
- Registry info in Windows-based systems
- Networking devices records
- Printer spooler files
- ATM transaction logs
- Fax and copier machine logs
- Electronic door lock logs
- GPS track logs
- Digital data extracted from home appliances such as smart TVs and refrigerators
- Surveillance video recordings
- Encrypted and hidden files
Please note that digital files have associated metadata: data about data. Some metadata is automatically generated by applications while others are set by users such as file creation and alteration date/time, author name, comments, and email addresses.