Digital forensics (sometimes known as digital forensic science) is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. The term digital forensics was originally used as a synonym for computer forensics but has expanded to cover investigation of all devices capable of storing digital data.
What is evidence?
Evidence, broadly construed, is anything presented in support of an assertion. This support may be strong or weak. The strongest type of evidence is that which provides direct proof of the truth of an assertion. At the other extreme, evidence such as circumstantial evidence is merely consistent with an assertion but does not rule out other contradictory assertions. In law, rules of evidence govern the types of evidence that are admissible in a legal proceeding. Types of legal evidence include testimony, documentary evidence, and physical evidence. The parts of a legal case which are not in controversy are known, in general, as the "facts of the case." Beyond any facts that are undisputed, a judge or jury is usually tasked with being a trier of fact for the other issues of a case. Evidence and rules are used to decide questions of fact that are disputed, some of which may be determined by the legal burden of proof relevant to the case. Evidence in certain cases (e.g. capital crimes) must be more compelling than in other situations (e.g. minor civil disputes), which drastically affects the quality and quantity of evidence necessary to decide a case.
What kinds of cases may need computer forensic evidence?
A forensic investigation can be initiated for a variety of reasons. The highest-profile investigations usually relate to criminal investigation or large-scale civil litigation. However, digital forensic services can be of value in a wide variety of situations. Digital forensics is the methodology used to ensure that electronic evidence is properly acquired and handled. It is well documented in the media that computer or digital evidence has provided the substantial evidence in high-profile cases. In all areas of business and personal life, electronic/digital files and information are being created, stored and transmitted on computer systems. This makes it necessary to consider what digital evidence may exist in every case.
What are common scenarios that require a digital forensic investigation?
Examples include:
• Employee internet abuse
• Unauthorized disclosure of corporate information and data
• Industrial espionage
• Damage assessment (following an incident)
• Criminal fraud and deception cases
• Protection, no contact, or anti-harassment orders. This includes any order that states explicitly, or incorporates by law, that contact by telephone, e-mail, or other types of electronic communications constitutes a violation.
• General criminal cases where computers are alleged to be an instrument of crime or information
How is a computer forensic investigation approached?
1. Collection - involves the evidence search, evidence recognition, evidence collection and documentation.
2. Examination - facilitates the visibility of evidence, while explaining its origin and significance. It involves revealing hidden and obscured information as well as relevant documentation.
3. Analysis - looks at the product of the examination for its significance and probative value to the case.
4. Reporting - entails writing a report outlining the examination process and pertinent data recovered from the overall investigation.
Is there anything that should NOT be done during an investigation?
It is important to avoid modifying the data. Even information as small as date/time stamps may be sources of relevant information in a case where the questions that need to be answered relate to when something happened.
How much do computer forensic investigations typically cost?
The cost of a computer forensic investigation varies greatly, depending on the number and types of systems involved as well as the complexity of the recovery of evidence. The proper framing of the questions to be answered is critical to the management of examinations. A complete examination of a single terabyte hard drive may involve over 200,000,000 pages of electronic information and may take from 15 to hundreds of hours or more to examine. The examination time can depend on the amount of data, types of data, condition of the media and data, and the questions to be answered. A reasonable quote can be obtained prior to the start of the examination if complete and accurate information about the systems and the scope of the examination is made clear to the examiner. The examination time could increase or decrease, depending upon the type of operating system used, the type of data contained within the system, and the size and amount of data in question.
Can evidence be recovered from tablets, PDAs, cell phones, recorders and digital cameras?
Yes. Evidence can be extracted from virtually any electronic device or component that has non-volatile memory.
What types of digital media devices can potentially hold data?
iPads and laptops
Smartphones and most other cell phones
MP3 music players, iPods
USB Memory Devices
PDAs (Personal Digital Assistants)
CD-ROMs & DVDs
In what types of cases can a digital forensic examiner make a contribution?
Virtually any type of case can potentially require the services of a digital forensic examiner. Some examples include: Criminal Defense, including Fraud, Embezzlement, Harassment, Identity Theft, Sex Crimes, Military; Administrative; Civil Litigation, Corporate, Construction, Communications, Employment, Education, Environmental, Intellectual Property, Maritime, Medical Malpractice, Securities, Bankruptcy, Health Care, Probate, Real Estate, Insurance, Sexual Harassment, Discrimination, Labor, Landlord-Tenant, Torts, including Personal Injury, Employment, Workers' Compensation, OSHA, Whistle Blower; Family Law including Divorce, Child Custody, Child Support, Spousal Support, Maintenance or Alimony and Property Distribution.
Simply think of where the evidence that would support the allegations would be found in these cases. Similarly, exculpatory evidence may also be found on computer systems for these types of actions.
Why should your client have their own digital forensic expert to review the government's reports?
As good as the law enforcement investigators are, and as neutral as some may remain, you can still gain an edge if you discover exculpatory evidence not found by the government. If you rely on a government forensic examiner to do this work, you risk exposing the evidence that you are seeking to the prosecuting government entity.
What can a Computer Forensic examination provide?
Data recovery of deleted computer files, including hidden files, even after a hard drive has been reformatted or repartitioned
Passwords for password-protected or encrypted files
Determination and Discovery of:
Web sites that have been visited
Files that have been uploaded or downloaded
When files (docs, pictures, etc.) were last accessed/deleted
User login times and passwords
Attempts to conceal, destroy, or fabricate evidence
Text that was removed from a document's final version
Faxes sent or received on a computer
Email, texts, webmail and attachments, even if deleted
Other types of communications strings (IM chat logs)
Can deleted emails be recovered?
Deleted emails can be recovered in the majority of cases, but there is no guarantee. It depends on several factors. For example, if the emails have not been overwritten at all, they should be recoverable. However, if they have been partly overwritten, the possibility is lessened. Additionally, if the file was fragmented before it was deleted, recovery may be very difficult, but it is possible.
Can deleted files be recovered?
There is a very good chance that a computer forensics investigator can recover deleted files from the subject’s hard drive. When a file is deleted using standard methods, the contents of the file are not erased from the hard drive.
What are the disadvantages of not calling a computer forensic expert immediately?
It is essential to understand that the operating system of a computer continually overwrites data on the hard drive and does so in a random pattern. This means that the longer a computer is used, the more likely it is that evidence will be lost. Fortunately, the operating system frequently records evidence in several places simultaneously. So, if the data is overwritten in one area, it may still reside in another. However, it is impossible to tell whether the data that is most important to you will survive the constant use of the computer. The simple act of turning the computer on or looking through files can potentially damage the very data you’re seeking. The file creation dates can change, files can be overwritten, and evidence can be corrupted.
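The three answers above (deleted email, deleted files, and the risk of continued use) describe one mechanism. The following added example, which is not Tri-Tech Forensics' code, models it on a constructed toy disk image: a normal delete removes only the directory entry, signature carving recovers the file from unallocated space, and a later write that reuses the header block defeats carving but not a keyword search of the remaining free space. The block layout, file headers and file contents are all constructed for illustration.

```python
import json

BLOCK = 64                         # constructed: tiny block size keeps the toy "disk" readable
SIGNATURES = (b"MEMO:", b"NOTE:")  # constructed file headers, standing in for real magic numbers

def block(image: bytes, b: int) -> bytes:
    return image[b * BLOCK:(b + 1) * BLOCK]

def read_dir(image: bytes) -> dict:          # block 0 holds {name: [first_block, block_count]}
    return json.loads(image[:BLOCK].rstrip(b"\0"))

def write_dir(image: bytes, entries: dict) -> bytes:
    return json.dumps(entries, separators=(",", ":")).encode().ljust(BLOCK, b"\0") + image[BLOCK:]

def allocated(image: bytes) -> set:
    return {b for s, c in read_dir(image).values() for b in range(s, s + c)}

def build_image() -> bytes:
    """Constructed toy image: block 0 is the directory, blocks 1-3 hold two files' data."""
    data = [b"MEMO:Q3 figures were altered on", b" June 4 by J.D. per his email.",
            b"NOTE:call counsel before 5pm."]
    image = b"\0" * BLOCK + b"".join(d.ljust(BLOCK, b"\0") for d in data)
    return write_dir(image, {"memo.txt": [1, 2], "note.txt": [3, 1]})

def delete_file(image: bytes, name: str) -> bytes:
    """Standard delete: drop the directory entry only; the data blocks are untouched."""
    return write_dir(image, {k: v for k, v in read_dir(image).items() if k != name})

def write_new_file(image: bytes, name: str, content: bytes) -> bytes:
    """Later use of the system: the OS reuses the first free block for new data."""
    start = next(b for b in range(1, len(image) // BLOCK) if b not in allocated(image))
    body = image[:start * BLOCK] + content[:BLOCK].ljust(BLOCK, b"\0") + image[(start + 1) * BLOCK:]
    return write_dir(body, {**read_dir(image), name: [start, 1]})

def carve(image: bytes) -> list:
    """Signature carving of unallocated blocks: on a header, follow free blocks until an allocated one."""
    used, n, found = allocated(image), len(image) // BLOCK, []
    for b in range(1, n):
        if b in used or not block(image, b).startswith(SIGNATURES):
            continue
        data, nxt = block(image, b), b + 1
        while nxt < n and nxt not in used and not block(image, nxt).startswith(SIGNATURES):
            data, nxt = data + block(image, nxt), nxt + 1
        found.append(data.replace(b"\0", b"").decode())
    return found

def keyword_hits(image: bytes, needle: bytes) -> list:
    """Keyword search of unallocated space: finds a fragment even after its header block was reused."""
    return [b for b in range(1, len(image) // BLOCK)
            if b not in allocated(image) and needle in block(image, b)]
```

Every function returns a new image rather than touching the original, which is the habit the answer above recommends: the examiner works on a copy and the acquired image is never written to.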
Why use a computer forensic firm to evaluate digital evidence?
While you may have access to experienced IT resources, it is unlikely these individuals are trained in forensic protocols, and improper methods can result in the destruction and spoliation of evidence. The preservation, extraction, and analysis of digital evidence in a forensically sound manner require access to specialized hardware and software as well as the knowledge to utilize these tools. Perhaps most important of all, digital forensics must be performed by an unbiased third party. Claims of evidence tampering or fabrication will be presented by opposing counsel in almost every case. A respected digital forensics firm can demonstrate forensically sound methods that are court-approved and impartial. As an expert witness, a digital forensics firm can also provide opinions and conclusions relative to the findings.
For additional questions about digital forensic services, email us at firstname.lastname@example.org.
TRITECHFORENSICS Discovery is a division of Tri-Tech Forensics. 8770 Trade St., Leland, NC 28451 | 910-457-6600