Digital forensics (or digital forensic science) is a branch of forensic science, and a core cybersecurity discipline, focused on the recovery and investigation of material found on digital devices, frequently in connection with cybercrime. The term was originally used as a synonym for computer forensics but has expanded to cover the investigation of any device that stores digital data.
As society increases its reliance on computer systems and cloud computing, digital forensics becomes a crucial aspect of law enforcement agencies and businesses. Digital forensics is concerned with the identification, preservation, examination, and analysis of digital evidence, using scientifically accepted and validated processes, to be used in and outside of a court of law.
While its roots stretch back to the personal computing revolution in the late 1970s, digital forensics began to take shape in the 1990s and it wasn't until the early 21st century that countries like the United States began rolling out nationwide policies.
Today, the technical side of an investigation is divided into five branches (described below), and the typical process encompasses the seizure, forensic imaging, and analysis of digital media.
What is the Purpose of Digital Forensics?
The most common use of digital forensics is to support or refute a hypothesis in a criminal or civil court:
- Criminal cases: Involving the investigation of unlawful activity, whether committed by cybercriminals or simply leaving traces on digital devices. These cases are usually carried out by law enforcement agencies and digital forensic examiners.
- Civil cases: Involving the protection of the rights and property of individuals, or contractual disputes between commercial entities, where a form of digital forensics called electronic discovery (eDiscovery) is used.
Digital forensics experts are also hired by the private sector as part of cybersecurity and information security teams to identify the cause of data breaches, data leaks, cyber attacks, and other cyber threats.
What is Digital Forensics Used For?
Digital forensics is used in both criminal and private investigations.
Traditionally, it is associated with criminal law, where evidence is collected to support or negate a hypothesis before the court. Collected evidence may also be used for intelligence gathering, or to locate, identify, or halt other crimes; material gathered for intelligence purposes rather than for court may be held to a less strict evidentiary standard than traditional forensic evidence.
In civil cases, digital forensic teams may help with electronic discovery (eDiscovery). In the private sector, a common example is the investigation following an unauthorized network intrusion: a forensic examiner will attempt to understand the nature and extent of the attack, as well as try to identify the attacker.
As encryption becomes more widespread, forensic investigation becomes harder, because few jurisdictions have laws compelling individuals to disclose encryption keys or passwords (the UK's Regulation of Investigatory Powers Act 2000 is one of the exceptions), and without the key the contents of a properly encrypted device cannot be examined.
What is the Digital Forensics Investigation Process?
There are a number of methodologies for the forensic process, which define how forensic examiners should gather, process, analyze, and extract data. Digital forensics investigations commonly consist of four stages:
- Seizure: Prior to actual examination, the digital media is seized. In criminal cases, this will be performed by law enforcement personnel to preserve the chain of custody.
- Acquisition: Once the assets are seized, a forensic duplicate of the data is created using a hardware duplicator or a software imaging tool, with a write blocker between the examiner's workstation and the original media so that nothing can be written to it. The original drive is then returned to secure storage to prevent tampering. The acquired image is verified by computing cryptographic hashes of the source and the copy, historically MD5 or SHA-1, and the hashes are recomputed throughout the analysis to confirm the evidence is still in its original state. Because MD5 and SHA-1 are no longer collision resistant, current practice records SHA-256 alongside or instead of them; accidental corruption is caught by any of the three, but a deliberately substituted file should not be trusted on an MD5 match alone.
- Analysis: After the acquisition of the evidence, files are analyzed to identify evidence to support or contradict a hypothesis. The forensic analyst usually recovers evidence material using a number of methods (and tools), often beginning with the recovery of deleted information. The type of data analyzed varies but will generally include email, chat logs, images, internet history, and documents. The data can be recovered from accessible disk space, deleted space, or the operating system cache.
- Reporting: Once the investigation is complete, the information is collated into a report that is accessible to non-technical individuals. It may include audit information or other meta-documentation.
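The acquisition and verification steps above, as an added example that is not code from the original article: the script streams a source "device" into an image file while hashing it, writes the digests to a manifest, and re-verifies the image later so that any change made during analysis is detected. The source here is a constructed random file; a real acquisition would read a block device behind a write blocker, and the file names are assumptions for the demo.

```python
"""Forensic image acquisition with integrity verification (added example)."""
import hashlib
import json
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads keep memory flat for multi-terabyte media


def _new_hashes():
    # MD5 and SHA-1 are kept for compatibility with older reports; SHA-256 is the one to rely on.
    return {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}


def hash_file(path):
    """Return md5/sha1/sha256 hex digests of a file, computed in one streaming pass."""
    hashes = _new_hashes()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            for h in hashes.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashes.items()}


def acquire(source_path, image_path, manifest_path):
    """Copy source to image, hashing the source as it streams; write a manifest.

    The image is then hashed independently so the manifest proves the copy
    matched the original at acquisition time. Returns the manifest dict.
    """
    src_hashes = _new_hashes()
    with open(source_path, "rb") as src, open(image_path, "wb") as img:
        for block in iter(lambda: src.read(CHUNK), b""):
            for h in src_hashes.values():
                h.update(block)
            img.write(block)
        img.flush()
        os.fsync(img.fileno())
    manifest = {
        "source": os.path.basename(source_path),
        "image": os.path.basename(image_path),
        "size": os.path.getsize(image_path),
        "hashes": {name: h.hexdigest() for name, h in src_hashes.items()},
    }
    if hash_file(image_path) != manifest["hashes"]:
        raise RuntimeError("image does not match source; re-acquire")
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify(image_path, manifest_path):
    """Re-hash the image and compare with the manifest.

    Returns (ok, mismatched_algorithms). Run before and after every analysis
    session; any mismatch means the evidence is no longer in its original state.
    """
    with open(manifest_path) as f:
        manifest = json.load(f)
    current = hash_file(image_path)
    bad = sorted(name for name, digest in manifest["hashes"].items()
                 if current.get(name) != digest)
    return (not bad, bad)


def demo():
    """Acquire a constructed 3 MiB source, verify, flip one byte, verify again."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "sdb")       # constructed stand-in for /dev/sdb
    image = os.path.join(workdir, "sdb.dd")
    manifest = os.path.join(workdir, "sdb.json")
    with open(source, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 123))     # deliberately not block aligned
    acquire(source, image, manifest)
    before = verify(image, manifest)
    with open(image, "r+b") as f:                # simulate tampering during analysis
        f.seek(1000)
        b = f.read(1)
        f.seek(1000)
        f.write(bytes([b[0] ^ 0x01]))
    after = verify(image, manifest)
    return before, after


if __name__ == "__main__":
    print(demo())
```

A single flipped byte changes all three digests, which is the property the chain of custody relies on; hashing the source and the image separately, rather than hashing the image once after copying, is what lets the manifest say the copy was faithful rather than merely unchanged since it was made.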
What is the History of Digital Forensics?
Before the 1970s, there were no laws specific to dealing with cybercrimes. Any cybercrimes that were committed were treated as normal crimes with existing laws.
The first cyber crimes were recognized in the 1978 Florida Computer Crimes Act. The 1978 Florida Computer Crimes Act included legislation against the unauthorized modification or deletion of data. As the range of computer crimes increased, state laws were passed to deal with copyright, privacy, harassment, and child pornography.
In the 1980s, federal laws began to incorporate computer offenses. Canada was the first country to pass legislation in 1983, with the United States following in 1986, Australia in 1989, and Britain's Computer Misuse Act in 1990.
Digital Forensics in the 1980s-1990s
The growth of digital crime in the 1980s and 1990s forced law enforcement agencies to establish specialized groups at a national level to handle technical investigations. In 1984, the FBI launched a Computer Analysis and Response Team, and in 1985 the British Metropolitan Police fraud squad launched a computer crime department.
One of the first practical examples of digital forensics was Cliff Stoll's pursuit of Markus Hess in 1986. Hess is best known for hacking networks of military and industrial computers based in the United States, Europe, and East Asia. He then sold the information to the Soviet KGB for $54,000. Stoll was not a digital forensic expert but used computer and network forensic techniques to identify Hess.
In the 1990s there was a high demand for digital forensic resources and the strain on the central units led to regional or even local groups handling the load. This led to the science of digital forensics maturing from an ad-hoc set of tools and techniques to a more developed discipline.
By 1992, "computer forensics" was used in academic literature in a paper by Collier and Spaul that attempted to justify digital forensics as a new discipline. That said, digital forensics remained a haphazard discipline due to a lack of standardization and training.
By the late 1990s, mobile phones were more widely available and advancing beyond simple communication devices. Despite this, digital analysis of cell phones has lagged behind traditional computer media due to the proprietary nature of devices.
Rapid Growth of Cybercrime in the 2000s
Since 2000, various bodies and agencies have published guidelines for digital forensics in response to the need for standardization. Standardization became more important as law enforcement agencies moved away from central units to regional or even local units to try to keep up with demand.
For example, the British National Hi-Tech Crime Unit was set up in 2001 to provide a national infrastructure for computer crime, with personnel located centrally in London and with the various regional police forces.
In 2002, the Scientific Working Group on Digital Evidence (SWGDE) produced Best practices for Computer Forensics.
A European-led international treaty, the Convention on Cybercrime (the Budapest Convention), came into force in 2004 with the aim of reconciling national computer crime laws, investigation techniques, and international cooperation. At the time these figures were compiled the treaty had been signed by 43 nations (including the United States, Canada, Japan, South Africa, the United Kingdom, and other European nations) and ratified by 16; both counts have since grown substantially.
In 2005, a revised edition of ISO/IEC 17025, General requirements for the competence of testing and calibration laboratories, was published. It is not specific to digital forensics, but it became the accreditation benchmark applied to digital forensics laboratories.
This was when digital forensics training began to receive more attention with commercial companies beginning to offer certified forensic training programs.
The field of digital forensics still faces issues. A 2009 paper, Digital Forensic Research: The Good, the Bad and the Unaddressed identified a bias towards Windows operating systems in digital forensics research despite widespread use of smartphones, UNIX and Linux-based operating systems.
In 2010, Simson Garfinkel pointed out the increasing size of digital media, widespread encryption, growing variety of operating systems and file formats, more individuals owning multiple devices, and legal limitations as key risks to digital forensics investigations. The paper also identified training issues and the high cost of entering the field as key issues. Other key issues include the shift toward Internet crime, cyber warfare, and cyber terrorism.
What Tools Do Digital Forensic Examiners Use?
In the 1980s, very few digital forensic tools existed, which forced forensic investigators to perform live analysis, using existing sysadmin tools to extract evidence. This carried the risk of modifying data on the disk which led to claims of evidence tampering.
The need for software to address this problem was first recognized in 1989 at the Federal Law Enforcement Training Center and resulted in the creation of IMDUMP and SafeBack. DIBS, a hardware and software solution, was released commercially in 1991.
These tools create an exact copy of a piece of digital media to work on while leaving the original disk intact for verification. By the end of the 1990s, the demand for digital evidence meant more advanced tools such as EnCase and FTK were developed, allowing analysts to examine copies of media without live forensics.
There is now a trend towards live memory forensics, using commercial tools such as WindowsSCOPE and open-source frameworks such as Volatility, and towards dedicated tools for mobile devices.
Today, there are single-purpose tools like Wireshark, an open-source packet analyzer, and HashKeeper, a database of hashes of known files used to filter them out and so speed up an examination. There are also commercial platforms with multiple functions and reporting capabilities like EnCase and FTK, and open-source alternatives such as CAINE, an entire Linux distribution assembled for forensic work.
In general, tools can be broken down into the following ten categories:
- Disk and data capture tools
- File viewers
- File analysis tools
- Registry analysis tools
- Internet analysis tools
- Email analysis tools
- Mobile devices analysis tools
- Mac OS analysis tools
- Network forensics tools
- Database forensics tools
What are the Legal Considerations of Digital Forensics?
The examination of digital media is covered by national and international legislation. For civil investigations, laws may restrict what can be examined. Restrictions against network monitoring or reading personal communications are common.
Likewise, criminal investigations may be restricted by national laws that dictate how much information can be seized. As an example, the seizure of evidence by law enforcement in the United Kingdom is governed by the Police and Criminal Evidence Act 1984 (PACE). The Computer Misuse Act 1990 legislates against unauthorized access to computer material, which makes it hard for civil investigators in the UK to examine systems they are not authorized to access.
One of the common considerations that remains largely unsettled is an individual's right to privacy. The US Electronic Communications Privacy Act (ECPA) places limitations on the ability of law enforcement and civil investigators to intercept and access evidence.
The act makes a distinction between stored communication (e.g. email archives) and communication in transit (e.g. VOIP). Intercepting communication in transit is considered a greater privacy intrusion, and the legal authorization required to do so is harder to obtain.
Digital evidence falls under the same legal guidelines as other evidence.
In general, laws dealing with digital evidence are concerned with:
- Integrity: Ensuring the act of seizing and acquiring digital media does not modify the evidence (either the original or the copy).
- Authenticity: The ability to confirm the integrity of information. The chain of custody from the crime scene through analysis and ultimately to the court, in the form of an audit trail, is an important part of establishing the authenticity of the evidence.
Each branch of forensic science has its own guidelines on how to conduct investigations and handle data.
What are the Different Branches of Digital Forensics?
Digital forensics is no longer synonymous with computer forensics. It is increasingly concerned with data from other digital devices such as tablets, smartphones, flash drives, and even cloud computing.
In general, we can break digital forensics into five branches:
- Computer forensics
- Mobile device forensics
- Network forensics
- Forensic data analysis
- Database forensics
What is Computer Forensics?
Computer forensics or computer forensic science is a branch of digital forensics concerned with evidence found in computers and digital storage media. The goal of computer forensics is to examine digital data with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information.
It is used in both computer crime and civil proceedings. The discipline has similar techniques and principles to data recovery, with additional guidelines and practices designed to create a legal audit trail with a clear chain of custody.
Evidence from computer forensics investigations is subjected to the same guidelines and practices as other digital evidence.
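The recovery of deleted material mentioned under the Analysis stage is usually done by file carving: scanning the raw image for file signatures and cutting files out without relying on the file system, since the directory entries are gone. The script below is an added example, not code from the original article or from any of the tools it names. It carves PNG files by walking their chunk structure to the IEND chunk and JPEG files by locating the end-of-image marker; the image it scans is constructed in memory, and a real run would pass the contents of an acquired image.

```python
"""Signature-based file carving from a raw disk image (added example)."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"
MAX_JPEG = 16 * 1024 * 1024  # stop looking for an EOI after 16 MiB


def carve_png(data, start):
    """Return the length of the PNG at data[start:], or None if its chunks are malformed."""
    pos = start + len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4              # header + data + CRC
        if pos > len(data):
            return None                    # truncated: the file does not fit in the image
        if ctype == b"IEND":
            return pos - start
        if not ctype.isalpha():            # chunk types are ASCII letters; anything else is junk
            return None
    return None


def carve_jpeg(data, start):
    """Return the length of the JPEG at data[start:] by finding the EOI marker.

    Header/footer carving: fragmented files are not recovered by this method.
    """
    end = data.find(JPEG_EOI, start + 2, start + MAX_JPEG)
    return None if end < 0 else end + 2 - start


def carve(data):
    """Scan data and return a list of (offset, kind, bytes) for every carved file."""
    found = []
    pos = 0
    while pos < len(data):
        if data.startswith(PNG_SIG, pos):
            n = carve_png(data, pos)
            if n:
                found.append((pos, "png", data[pos:pos + n]))
                pos += n
                continue
        elif data.startswith(JPEG_SOI, pos):
            n = carve_jpeg(data, pos)
            if n:
                found.append((pos, "jpg", data[pos:pos + n]))
                pos += n
                continue
        pos += 1
    return found


def make_png(width=1, height=1):
    """Build a minimal valid RGB PNG; used only to construct the sample image."""
    def chunk(ctype, payload):
        crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
        return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


def sample_image():
    """Constructed raw image: zero filler, a PNG, slack bytes, a JPEG, and a stray 'IEND' decoy."""
    png = make_png(2, 2)
    jpeg = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x12" * 40 + JPEG_EOI
    filler = b"\x00" * 512
    return filler + png + b"\xaa" * 100 + jpeg + filler + b"IEND" + b"\x00" * 64


if __name__ == "__main__":
    for off, kind, blob in carve(sample_image()):
        print(f"{kind} at offset {off}, {len(blob)} bytes")
```

Walking the PNG chunk table instead of searching for a footer matters because "IEND" can appear anywhere in unrelated data (the decoy at the end of the sample), and a chunk walk also rejects truncated files instead of returning garbage; production carvers such as foremost and scalpel apply the same idea per format.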
What is Mobile Device Forensics?
Mobile device forensics is a branch of digital forensics focused on the recovery of digital evidence from mobile devices using forensically sound methods.
While the phrase mobile device generally refers to mobile phones, it can relate to any device that has internal memory and communication ability including PDA devices, GPS devices, and tablets.
While the use of mobile phones in crime has been widely recognized for years, the forensic study of mobile phones is a new field, beginning in the late 1990s.
The growing need for mobile device forensics is driven by:
- Use of mobile phones to store and transmit personal and corporate information
- Use of mobile phones in online transactions
That said, mobile device forensics is particularly challenging due to:
- Evidential and technical limits, such as cell site analysis, which can establish the approximate coverage zone of the cell site that handled a call but not a specific location such as an address
- Changes in mobile phone form factors, operating systems, data storage, services, peripherals, and even pin connectors and cables
- Storage capacity growth
- Their proprietary nature
- Hibernation behavior where processes are suspended when the device is off or idle
As a result of these challenges, many tools exist to extract evidence from mobile devices. But no one tool or method can acquire all evidence from all devices. This has forced forensic examiners, especially those who wish to be expert witnesses, to undergo extensive training to understand how each tool and method acquires evidence, how it maintains forensic soundness, and how it meets legal requirements.
What is Network Forensics?
Network forensics is a branch of digital forensics focused on monitoring and analyzing computer network traffic for information gathering, legal evidence, or intrusion detection.
Unlike other branches of digital forensics, network data is volatile and dynamic. Once transmitted, it is gone unless it was captured, so network forensics is often a proactive investigation: capture has to be arranged before the event of interest rather than after it.
Network forensics has two general uses:
- Monitoring a network for anomalous traffic and identifying intrusions.
- Law enforcement may analyze captured network traffic as part of criminal investigations.
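Both uses above start from a capture file. The script below is an added example, not code from the original article or from Wireshark: a minimal reader for the classic libpcap file format that decodes Ethernet/IPv4/TCP headers, groups packets into flows, and flags the flows a first-pass review would pull out. The capture is constructed in memory (addresses from the documentation ranges), and the set of "expected" ports is an assumption for this demo network, not a standard.

```python
"""Flow reconstruction and triage from a packet capture (added example)."""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4              # little-endian classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
EXPECTED_PORTS = {21, 22, 53, 80, 443}  # assumption: what this demo network normally talks to


def parse_pcap(blob):
    """Yield (timestamp, packet_bytes) for each record of a classic pcap file."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", blob[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported capture format or link type")
    pos = 24
    while pos + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack("<IIII", blob[pos:pos + 16])
        pos += 16
        yield ts_sec + ts_usec / 1e6, blob[pos:pos + incl_len]
        pos += incl_len


def decode_tcp(pkt):
    """Return (src, sport, dst, dport, flags, payload), or None if not IPv4/TCP."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
        return None
    ihl = (pkt[14] & 0x0F) * 4             # IPv4 header length in bytes
    if pkt[23] != 6:                       # protocol field: 6 = TCP
        return None
    src = ".".join(str(b) for b in pkt[26:30])
    dst = ".".join(str(b) for b in pkt[30:34])
    tcp = pkt[14 + ihl:]
    sport, dport = struct.unpack(">HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4              # TCP header length in bytes
    return src, sport, dst, dport, tcp[13], tcp[doff:]


def summarize_flows(blob):
    """Group TCP packets by (src, sport, dst, dport); return per-flow stats and payload."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "first": None, "last": None, "payload": b""})
    for ts, pkt in parse_pcap(blob):
        d = decode_tcp(pkt)
        if d is None:
            continue
        src, sport, dst, dport, _flags, payload = d
        f = flows[(src, sport, dst, dport)]
        f["packets"] += 1
        f["bytes"] += len(payload)
        f["first"] = ts if f["first"] is None else f["first"]
        f["last"] = ts
        f["payload"] += payload
    return dict(flows)


def suspicious(flows):
    """Flag flows to unexpected ports or carrying a credential in clear text."""
    hits = []
    for key, f in flows.items():
        reasons = []
        if key[3] not in EXPECTED_PORTS:
            reasons.append("unexpected destination port")
        if b"PASS " in f["payload"] or b"password=" in f["payload"]:
            reasons.append("credential in clear text")
        if reasons:
            hits.append((key, reasons))
    return hits


def _packet(src, sport, dst, dport, payload, flags=0x18):
    """Build one Ethernet/IPv4/TCP frame (constructed sample data, checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack(">HHIIBBHHH", sport, dport, 1, 1, 0x50, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def sample_pcap():
    """Constructed capture: a TLS hello, a reverse shell on 4444, and an FTP login."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, p in [
        (1700000000, _packet("10.0.0.5", 51000, "203.0.113.7", 443, b"\x16\x03\x01")),
        (1700000001, _packet("10.0.0.5", 51001, "198.51.100.9", 4444, b"id\n")),
        (1700000002, _packet("10.0.0.5", 51002, "10.0.0.20", 21, b"USER alice\r\nPASS hunter2\r\n")),
        (1700000003, _packet("10.0.0.5", 51001, "198.51.100.9", 4444, b"uid=0(root)\n")),
    ]:
        out += struct.pack("<IIII", ts, 0, len(p), len(p)) + p
    return out


if __name__ == "__main__":
    for key, reasons in suspicious(summarize_flows(sample_pcap())):
        print(key, reasons)
```

Keying on the full 4-tuple (source and destination address and port) is what turns a pile of packets into conversations; once flows exist, the triage rules are cheap, and the same flow table feeds timeline reconstruction (first/last timestamps) when the capture is used as evidence rather than for detection.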
What is Forensic Data Analysis?
Forensic data analysis (FDA) is a branch of digital forensics that examines structured data in regard to incidents of financial crime. The aim is to discover and analyze patterns of fraudulent activities. Structured data is data from application systems or their databases.
This can be contrasted to unstructured data that is taken from communication, office applications, and mobile devices. Unstructured data has no overarching structure and analysis, therefore, means applying keywords or mapping patterns. Analysis of unstructured data is usually done by computer forensics or mobile device forensics experts.
What is Database Forensics?
Database forensics is a branch of digital forensics concerned with databases and their related metadata. Cached data may exist only in the database server's RAM, which requires live analysis techniques to capture.
A forensic examination of a database may relate to timestamps that apply to the update time of a row in a relational database that is being inspected and tested for validity to verify the actions of a database user. Alternatively, it may focus on identifying transactions within a database or application that indicate evidence of wrongdoing, such as fraud.
What Degrees and Certifications are Useful for Digital Forensics?
Traditionally, digital forensics practitioners came from a general computer science background, were experienced sysadmins who were comfortable with many of the tools used in digital forensics, or they learned on the job in an apprentice model.
Due to increased demand for digital forensics and increasing specialization, universities, colleges, and online education providers now offer degrees or certifications in digital forensics such as:
- Purdue University's Cybersecurity and Forensics Lab offers a master's degree in cyber forensics
- Utica College offers a bachelor's degree in cybersecurity and information assurance with cybercrime investigations and forensics as a concentration
- Champlain College offers an online bachelor's degree in computer forensics
- The City University of New York offers an online master's degree in digital forensics and cybersecurity
- The University of Maryland University College offers an online master's degree in digital forensics and cybersecurity
- SANS offers the GIAC Certified Forensic Examiner (GCFE) and GIAC Certified Forensic Analyst (GCFA) certifications through its Global Information Assurance Certification (GIAC) program
What Jobs are Available in Digital Forensics?
Jobs in digital forensics have titles like an investigator, technician, or analyst depending on specialization and seniority, with the majority of jobs in the public sector such as law enforcement, state or national agencies, or crime labs.
That said, due to increasing cybersecurity risk, many organizations are going to hire their own digital forensic specialists to help prevent and identify the causes of cyber attacks like malware, ransomware like WannaCry, or social engineering attacks like social media phishing. Increasing usage of third-party vendors means cybersecurity has never been more important.
How UpGuard Can Improve Your Cybersecurity
UpGuard BreachSight's typosquatting module can reduce the cyber risks related to typosquatting and vulnerabilities, along with preventing breaches, avoiding regulatory fines, and protecting your customer's trust through cyber security ratings and continuous exposure detection.
We can also help you continuously monitor, rate, and send security questionnaires to your vendors to control third-party risk and improve your security posture, as well as automatically create an inventory, enforce policies, and detect unexpected changes to your IT infrastructure.