WHAT IS DIGITAL FORENSICS?
Digital Forensics can be defined as the investigation, recovery and analysis of data and evidence within digital devices (computers, smartphones, etc.). Digital forensic investigations should only be performed by trained and certified examiners who can ensure that the recovery and analysis of any and all evidence is not altered and will hold up in court.
An example of a typical digital forensics investigation
- A company suspects a former employee of stealing company data.
- A digital forensics investigator will be called in to inventory the computer, take photos, and preserve the computer’s data.
- He/she will make an exact duplicate copy of the computer’s hard drive as it exists that day without altering it.
- Afterwards, the investigator will use special tools to thoroughly investigate the duplicate copy for electronic evidence and create an unbiased report based on their findings.
- Throughout this process, the investigator will ensure proper Chain of Custody, a documentation process which shows where all pieces of evidence were at all times.
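The two preservation steps above (an exact copy that is never altered, and a chain of custody that documents every handling) are usually backed by cryptographic hashing: the examiner hashes the image at acquisition, logs that value, and re-hashes before every later use so that any change, even a single byte, is detected. The following is an added illustration, not code from the original page; the evidence ID, custodian names and the tiny stand-in "image" are all constructed placeholders.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample standing in for a disk image; a real image would be a file
# produced by a write-blocked imaging tool. The evidence ID is a placeholder.
EVIDENCE_ID = "EV-0000-PLACEHOLDER"
SAMPLE_IMAGE = b"MBR\x00" + bytes(range(256)) * 4

def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of an evidence image, as recorded in the custody log."""
    return hashlib.sha256(data).hexdigest()

def custody_entry(evidence_id: str, action: str, custodian: str, digest: str) -> dict:
    """One chain-of-custody record: who did what to which item, and its hash then."""
    return {
        "evidence_id": evidence_id,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "action": action,
        "custodian": custodian,
        "sha256": digest,
    }

def verify_image(data: bytes, acquisition_hash: str) -> bool:
    """Re-hash a working copy and compare with the hash taken at acquisition.
    A mismatch means the copy is no longer identical to what was seized."""
    return sha256_hex(data) == acquisition_hash

def run_demo():
    """Acquire, log, verify an intact copy, then show a one-byte change failing."""
    log = []
    acq_hash = sha256_hex(SAMPLE_IMAGE)
    log.append(custody_entry(EVIDENCE_ID, "acquired image", "examiner A", acq_hash))
    working_copy = bytes(SAMPLE_IMAGE)          # identical duplicate for analysis
    intact_ok = verify_image(working_copy, acq_hash)
    log.append(custody_entry(EVIDENCE_ID, "verified before analysis",
                             "examiner B", sha256_hex(working_copy)))
    # Simulated alteration: a single byte changed, e.g. by booting or opening files.
    tampered = working_copy[:100] + b"X" + working_copy[101:]
    altered_ok = verify_image(tampered, acq_hash)
    return acq_hash, intact_ok, altered_ok, log

if __name__ == "__main__":
    h, ok, bad, entries = run_demo()
    print(f"acquisition hash {h[:16]}... intact={ok} altered={bad}")
    for e in entries:
        print(e["timestamp"], e["custodian"], e["action"], e["sha256"][:16])
```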
WHY DOES DIGITAL FORENSICS MATTER TO YOU?
Think about all of the digital devices you use on a daily basis – work computer, home computer, printers, servers, smartphones, tablets, even cloud services like Dropbox or iCloud. It might be a little unsettling to think that every piece of digital information on the many devices we use today could be used as digital evidence one day, even if we aren’t the ones accused of wrongdoing.
Types of cases involving digital forensics include:
- Government and large corporations: Large cases involving hacking and terrorism
- Businesses: Employee issues, accident investigations, theft, fraud
- Individuals: Domestic conflicts, divorces, harassment/bullying, data recovery, and even simply learning what data lies on your child’s smartphone or PC.
WHAT KIND OF DIGITAL EVIDENCE MIGHT AN INVESTIGATOR FIND?
Regular files: Photos, Word documents, e-mails, videos, and even software can be considered digital evidence.
System and log files: Operating systems and software programs generate log files of things that happen behind the scenes on your computer.
Metadata: Every file on your computer has a set of metadata associated with it. Metadata can be described as “data about data.” For example, you might have a Microsoft Word document saved on your computer. The metadata might tell us the name of the author of the document, the date and time it was created and modified, how many times it was printed, where on the drive it is located, and much more.
Website data: When you visit a website, your computer makes a record of the address and date and time visited, and also downloads images that are on the web page. This allows for faster viewing of that webpage the next time you visit it, but also means remnants of websites you visit are stored on your computer.
Deleted files: In Windows, when you delete a file, it is not really deleted. Instead, the file essentially becomes invisible to Windows, but it still resides on your hard disk until something else overwrites it. Digital forensic examiners can sometimes recover these files.
WHAT SHOULD I DO WHEN FACED WITH A SITUATION INVOLVING POSSIBLE DIGITAL EVIDENCE?
The most important thing to remember when faced with a device potentially containing digital evidence is to contact an attorney and/or a digital forensics expert.
- Electronic devices containing potential evidence should be secured and access limited.
- Do not power on or use the device (computer, smartphone, etc.).
- If the device is already turned on, do not turn it off without consulting an expert first.
- An investigation should be done quickly and only by a trained, certified individual.
Important evidence is often modified, lost or destroyed when untrained individuals attempt an examination. Simply using a device that contains evidence alters the metadata of its files: opening a file or copying it without special tools changes its timestamps. Even booting up a computer or shutting it down alters the metadata of system files. Additionally, using the device can overwrite deleted files that would otherwise have been recoverable, losing them forever.
If you have a suspect computer or other electronic device, treat it like a crime scene, and don’t do anything without contacting your attorney or a trained digital forensics specialist.