Digital forensics is forensic science applied to the recovery and analysis of information stored on digital devices. This relatively new field was first established primarily to investigate data from personal computers; today, however, the discipline deals with data stored on any digital device and is a vital component of cybercrime inquiries. Digital forensics plays an important role in cases of attribution, identifying data leaks within a company, and analyzing the damage associated with a data breach.
Those who work in digital forensics do important work in preventing cybercrime. Digital forensics can stop hackers from compromising secure data, which can have repercussions for organizations, employees, and the general public. The field of digital forensics is also fundamental to the recovery of lost or stolen data, helping to trace the source of a cyberattack, and producing detailed reports on cybercrime for the justice system. Digital forensics can be segmented into various distinct sectors, including computer forensics, forensic data analysis, mobile device forensics, and network forensics.
A history of digital forensics
The development of computer technology began picking up in the 1970s and 1980s; however, the importance of applying forensics to computer technology was not recognized at this time. Those who are now considered the pioneers of early digital forensics often worked within law enforcement and also had a personal interest in computing.
Law enforcement initially became interested in how data was stored on computers. As personal computers became more popular, law enforcement was increasingly confronted by cases involving the seizure, retention, and analysis of digitally stored data. It became evident that the way information was being stored was evolving. To focus on the nature of these digital records, the FBI launched the Magnet Media Program in 1984 as the country’s first official digital forensics program.
As the field of digital technology rapidly developed throughout the 1990s, so did the field of digital forensics. The discipline moved on from focusing on personal computers and began to cover the analysis and recovery of data stored in small local networks, and finally, it evolved to also encompass data sent and received via the internet. Once the internet had been established, the original term ‘computer forensics’ no longer served its purpose and it was replaced with the much broader concept of digital forensics.
Over the decades, digital forensics has continued to develop alongside the rapidly progressing field of technology and communications. Digital forensics now also covers network forensics, as well as sectors dedicated to investigating hacking attempts, security breaches, and data theft.
In recent years, computer processing has been incorporated into a growing number of devices, including cell phones, copy and fax machines, global positioning systems (GPS), and vehicles. This has sustained the demand for the field of digital forensics to grow and evolve.
How does digital forensics assist investigations?
Regardless of the device on which the data in question is stored, the process of digital forensics generally follows the same four stages. First, the digital evidence is collected. This usually involves seizing the devices involved in the investigation, such as computers/laptops, phones, and hard drives. Often, storage media is copied at the time of the seizure to keep the data for reference.
After collecting data, the next step is usually the examination of the data, which can be conducted with a variety of tools and techniques. The examination phase can be segmented into the steps of preparation, followed by extraction, and finally, identification. This final step of the examination phase involves determining what data is relevant to the case.
The analysis follows the examination stage. In this phase of the investigation, the data that has been collected and determined to be relevant is analyzed to either prove or disprove the case that is being built. Those analyzing the data are often looking for the answers to questions such as: Who created the data? Who edited the data? How was the data created? When was the data created?
Finally, once analyzed, the results of the investigation are synthesized and reported. Creating such reports is a vital skill in digital forensics, as they are important for distilling large amounts of analytical information into key takeaways.
Examples of tools used in digital forensics
There is no one-size-fits-all toolkit in digital forensics. The tools used depend on the data to be collected and analyzed. In general, a digital forensics toolkit will include single-purpose open-source tools, as well as multi-functional, powerful commercial software platforms with reporting capabilities.
As the digital world continues to evolve, so will the field of digital forensics. Digital data, and its security, will continue to be vital to almost all industries. Digital forensics will continue to play an important role in data security and criminal investigations well into the future.