Pretty much every detective show on TV includes digital forensics in the script. Whether the digital forensic expert is a nerd or an extravagant genius, they have to be there to solve cases. As always, nothing is as magical as it appears to be on TV. But it is indeed hard work mixed with a stroke of genius!
What is Digital Forensics?
Digital forensics is a branch of forensic science that focuses on identifying, preserving, recovering, analyzing, and presenting facts found on digital devices, like:
- memory cards
- external hard drives
In other words, any device that stores data can be subject to digital forensic investigations.
Considering the impressive progress technology has made in the last decade and the proliferation of digital devices, digital forensics now plays an important part in many investigations and legal cases.
Even though digital forensic experts are not super-humans with access to alien technology to solve crimes in 30 seconds, they sure can make a big difference.
Digital forensics is used to recover digital evidence from various digital devices to solve crimes.
It can also be used by companies to prove violations of corporate policy.
The aim of digital forensics is to back or disprove various assumptions. For example, if an employee stole valuable data from a corporation, digital forensics can follow the crumbs left behind by their actions and provide evidence to prove the crime.
What if you accidentally deleted an important file from your computer?
You call a digital forensic expert.
Digital forensic experts reconstruct and analyze digital information. Their skills are usually used to investigate hacking incidents and computer attacks, but also to recover lost or stolen data.
The experts can recover data from damaged or erased hard drives and trace hacks. They can also conduct both internal and external investigations and work closely with private investigators and police officers.
All digital forensic investigations start with identifying where data is stored – servers, computers, flash drives, external hard disks etc. It’s very important to understand and evaluate the environment where the violation has been committed, so that the investigators can identify the potential storage devices.
Preserving the evidence is vital for the investigation. Only a piece of evidence unaltered in any way can be admissible in court, so digital forensic experts need to do everything they can to keep the “artifacts” in their original state.
Thorough and complete chain-of-custody paperwork and documentation is often very helpful in preserving the evidence.
It is also possible to create a copy of the data found on the storage device and perform the analysis on that copy, preserving the integrity of the original evidence.
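The copy-then-analyze step above, as an added example that is not part of the original article: it assumes SHA-256 hashing as the way to show the working copy matches the evidence, and a JSON-lines file as the chain-of-custody log. The function names, file names and examiner ID are hypothetical, and a small constructed file stands in for a disk image.

```python
import hashlib, json, os, shutil, tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1024 * 1024):
    """Hash a file in chunks so large disk images do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def make_working_copy(evidence, copy, examiner, custody_log):
    """Copy the evidence, verify the copy, and append a custody record."""
    before = sha256_file(evidence)
    shutil.copyfile(evidence, copy)
    record = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "evidence": os.path.basename(evidence),
        "evidence_sha256": before,
        "copy_sha256": sha256_file(copy),
        # Re-hash the original: copying must not have changed it.
        "evidence_sha256_after": sha256_file(evidence),
    }
    record["verified"] = (record["evidence_sha256"] == record["copy_sha256"]
                          == record["evidence_sha256_after"])
    with open(custody_log, "a") as log:
        log.write(json.dumps(record) + "\n")
    if not record["verified"]:
        raise ValueError("hash mismatch: copy is not a faithful duplicate")
    return record

def demo():
    """Constructed sample: a small file stands in for a seized disk image."""
    with tempfile.TemporaryDirectory() as d:
        evidence = os.path.join(d, "evidence.img")
        copy = os.path.join(d, "working_copy.img")
        log = os.path.join(d, "custody.jsonl")
        with open(evidence, "wb") as f:
            f.write(b"constructed sample evidence\n" * 1000)
        rec = make_working_copy(evidence, copy, "examiner-1", log)
        with open(copy, "ab") as f:  # analysis accidentally alters the copy
            f.write(b"x")
        return {
            "verified": rec["verified"],
            "evidence_intact": sha256_file(evidence) == rec["evidence_sha256"],
            "copy_intact": sha256_file(copy) == rec["copy_sha256"],
        }

if __name__ == "__main__":
    print(demo())
```

Re-hashing the original at any later point against the logged value shows it is still in its original state, even when the working copy has been modified during analysis.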
The recovery process includes recovering deleted data and files from digital devices. From intentionally deleted files and password-protected files to damaged or corrupted files, digital forensic experts have the ability to bring them back to life and analyze them.
Now that all evidence has been traced and gathered, it’s time for digital forensic experts to analyze it.
They use various programs and applications to analyze common artifact locations, like browser history, logs, and memory, as well as scripts and manual analysis to reach a conclusion.
Since any action performed on a computer can create up to five artifacts in various locations, digital forensic experts know exactly where to look for evidence.
Once the digital forensic investigation is complete, the experts need to write investigative reports. They present case reports that include all the documentation and artifacts gathered during the investigation, to contribute to the investigation and help the people handling the case reach a definitive conclusion.
However, it’s not the digital forensic expert’s job to reach the conclusion of the case or to worry if the case will be presented in front of a court of law. Their job ends once the investigative report is done! Digital forensics presents the digital facts, but the police and investigators solve the puzzles.