Digital forensics or digital forensic science is a branch of forensic science focused on the recovery and investigation of material found in digital devices and cybercrimes. Digital forensics was originally used as a synonym for computer forensics but has expanded to cover the investigation of all devices that store digital data.
As society's reliance on computer systems and cloud computing increases, digital forensics becomes a crucial aspect of the work of law enforcement agencies and businesses.
Digital forensics is concerned with the identification, preservation, examination and analysis of digital evidence, using scientifically accepted and validated processes, to be used in and outside of a court of law.
While its roots stretch back to the personal computing revolution in the late 1970s, digital forensics began to take shape in the 1990s, and it wasn't until the early 21st century that countries like the United States began rolling out nation-wide policies.
Today, the technical aspect of an investigation is divided into five branches that encompass the seizure, forensic imaging and analysis of digital media:
- Computer forensics
- Mobile device forensics
- Network forensics
- Forensic data analysis
- Database forensics
Table of contents
- What is the purpose of digital forensics?
- What is digital forensics used for?
- What is the digital forensics investigation process?
- What is the history of digital forensics?
- What tools do digital forensic examiners use?
- What are the legal considerations of digital forensics?
- What are the different branches of digital forensics?
- What degrees and certifications are useful for digital forensics?
- What jobs are available in digital forensics?
- How UpGuard can improve your cybersecurity
The most common use of digital forensics is to support or refute a hypothesis in a criminal or civil court:
- Criminal cases: Involve the alleged breaking of laws and are handled by law enforcement agencies and their digital forensic examiners.
- Civil cases: Involve the protection of rights and property of individuals or contractual disputes between commercial entities where a form of digital forensics called electronic discovery (eDiscovery) may be involved.
Digital forensics experts are also hired by the private sector as part of cybersecurity and information security teams to identify the cause of data breaches, data leaks, cyber attacks and other cyber threats. Digital forensic analysis may also be part of incident response to help recover or identify any sensitive data or personally identifiable information (PII) that was lost or stolen in a cybercrime.
Digital forensics is used in both criminal and private investigations.
Traditionally, it is associated with criminal law where evidence is collected to support or negate a hypothesis before the court. Collected evidence may be used as part of intelligence gathering or to locate, identify or halt other crimes. As a result, data gathered may be held to a less strict standard than traditional forensics.
In civil cases, digital forensics may help with electronic discovery (eDiscovery). A common example is following unauthorized network intrusion. A forensics examiner will attempt to understand the nature and extent of the attack, as well as try to identify the attacker.
As encryption becomes more widespread, forensic investigation becomes harder, due to the limited laws compelling individuals to disclose encryption keys.
There are a number of process models for digital forensics, which define how forensic examiners should gather, process and analyze data. That said, digital forensics investigations commonly consist of four stages:
- Seizure: Prior to actual examination digital media is seized. In criminal cases, this will be performed by law enforcement personnel to preserve the chain of custody.
- Acquisition: Once exhibits are seized, a forensic duplicate of the data is created using a hard drive duplicator or software imaging tool, and the original drive is then returned to secure storage to prevent tampering. The acquired image is verified with SHA-1 or MD5 hash functions and is verified again throughout analysis to confirm the evidence is still in its original state.
- Analysis: After acquisition, files are analyzed to identify evidence to support or contradict a hypothesis. The forensic analyst usually recovers evidence material using a number of methods (and tools), often beginning with the recovery of deleted information. The type of data analyzed varies but will generally include email, chat logs, images, internet history and documents. The data can be recovered from accessible disk space, deleted space or from the operating system cache.
- Reporting: Once the investigation is complete, the information is collated into a report that is accessible to non-technical individuals. It may include audit information or other meta-documentation.
Before the 1970s, cybercrimes were dealt with using existing laws.
The first computer crimes were recognized in the 1978 Florida Computer Crimes Act, which included legislation against the unauthorized modification or deletion of data.
As the range of computer crimes increased, state laws were passed to deal with copyright, privacy, harassment and child pornography.
In the 1980s, federal laws began to incorporate computer offences. Canada was the first country to pass legislation in 1983, with the United States following in 1986, Australia in 1989 and Britain's Computer Misuse Act in 1990.
The growth in cyber crime in the 1980s and 1990s forced law enforcement agencies to establish specialized groups at a national level to handle technical investigations.
In 1984, the FBI launched a Computer Analysis and Response Team, and in 1985, the British Metropolitan Police fraud squad launched a computer crime department.
One of the first practical examples of digital forensics was Cliff Stoll's pursuit of Markus Hess in 1986. Hess is best known for hacking networks of military and industrial computers based in the United States, Europe and East Asia. He then sold the information to the Soviet KGB for $54,000. Stoll was not a digital forensic expert but used computer and network forensic techniques to identify Hess.
In the 1990s there was a high demand for digital forensic resources, and the strain on the central units led to regional or even local groups being set up to handle the load. This led to digital forensics maturing from an ad-hoc set of tools and techniques into a more developed discipline.
By 1992, "computer forensics" was used in academic literature in a paper by Collier and Spaul that attempted to justify digital forensics as a new discipline. That said, digital forensics remained a haphazard discipline due to a lack of standardization and training.
By the late 1990s, mobile phones were more widely available and advancing beyond simple communication devices. Despite this, digital analysis of cell phones has lagged behind traditional computer media due to the proprietary nature of devices.
Since 2000, various bodies and agencies have published guidelines for digital forensics in response to the need for standardization. Standardization became more important as law enforcement agencies moved away from central units to regional or even local units to try to keep up with demand.
For example, the British National Hi-Tech Crime Unit was set up in 2001 to provide national infrastructure for computer crime, with personnel located centrally in London and with the various regional police forces.
In 2002, the Scientific Working Group on Digital Evidence (SWGDE) produced Best practices for Computer Forensics.
A European-led international treaty, the Convention on Cybercrime, came into force in 2004 with the aim of reconciling national computer crime laws, investigation techniques and international cooperation. The treaty has been signed by 43 nations (including the United States, Canada, Japan, South Africa, the United Kingdom and other European nations) and ratified by 16.
In 2005, an ISO standard for digital forensics was released in ISO 17025, General requirements for the competence of testing and calibration laboratories.
This was when digital forensics training began to receive more attention with commercial companies beginning to offer certified forensic training programs.
The field of digital forensics still faces issues. A 2009 paper, Digital Forensic Research: The Good, the Bad and the Unaddressed, identified a bias towards Windows operating systems in digital forensics research despite the widespread use of smartphones and Unix- and Linux-based operating systems.
In 2010, Simson Garfinkel pointed out the increasing size of digital media, widespread encryption, growing variety of operating systems and file formats, more individuals owning multiple devices and legal limitations as key risks to digital forensics investigations. The paper also identified training issues and the high cost of entering the field as key issues. Other key issues include the shift toward Internet crime, cyber warfare and cyber terrorism.
In the 1980s, very few digital forensic tools existed, forcing forensic investigators to perform live analysis using existing sysadmin tools to extract evidence. This carried the risk of modifying data on the disk, which led to claims of evidence tampering.
The need for software to address this problem was first recognized in 1989 at the Federal Law Enforcement Training Center and resulted in the creation of IMDUMP and SafeBack. DIBS, a hardware and software solution, was released commercially in 1991.
These tools create an exact copy of a piece of digital media to work on while leaving the original disk intact for verification.
By the end of the 1990s, the demand for digital evidence meant more advanced tools such as EnCase and FTK were developed, allowing analysts to examine copies of media without live forensics.
There is now a trend towards live memory forensics using tools such as WindowsSCOPE and tools for mobile devices.
Today, there are single-purpose open-source tools like Wireshark, a packet sniffer, and HashKeeper, a tool to speed up examination of database files. There are also commercial platforms with multiple functions and reporting capabilities like EnCase, and CAINE, an entire Linux distribution designed for forensics programs.
In general, tools can be broken down into the following ten categories:
- Disk and data capture tools
- File viewers
- File analysis tools
- Registry analysis tools
- Internet analysis tools
- Email analysis tools
- Mobile devices analysis tools
- Mac OS analysis tools
- Network forensics tools
- Database forensics tools
The examination of digital media is covered by national and international legislation. For civil investigations, laws may restrict what can be examined. Restrictions against network monitoring or reading personal communications are common.
Likewise, criminal investigations may be restricted by national laws that dictate how much information can be seized. As an example, seizure of evidence by law enforcement is governed by the PACE Act in the United Kingdom. The 1990 Computer Misuse Act legislates against unauthorized access to computer material, which makes it hard for civil investigators in the UK.
One of the common considerations which is largely undecided is an individual's right to privacy. The US Electronic Communications Privacy Act places limitations on the ability for law enforcement and civil investigators to intercept and access evidence.
The act makes a distinction between stored communication (e.g. email archives) and transmitted communication (e.g. VoIP). Transmitted communication is considered more of a privacy invasion and is harder to obtain a warrant for.
Digital evidence falls into the same legal guidelines as other evidence.
In general, laws dealing with digital evidence are concerned with:
- Integrity: Ensuring the act of seizing and acquiring digital media does not modify the evidence (either the original or the copy).
- Authenticity: The ability to confirm the integrity of information. The chain of custody from crime scene through analysis and ultimately to the court, in the form of an audit trail, is an important part of establishing the authenticity of evidence.
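The acquisition step described above (hash the image, then re-verify it throughout analysis) and the integrity and authenticity requirements just listed come down to the same mechanism: a recorded hash plus an audit trail of every re-check. The following is an added example, not code from the original article; the chain-of-custody log format, the sample image bytes and the use of SHA-256 alongside the MD5 and SHA-1 the article names are assumptions made here.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample "disk image"; a real image would be read from a file in chunks.
SAMPLE_IMAGE = b"\x00" * 4096 + b"boot sector sample data (constructed)" + b"\xff" * 2048

CHUNK = 1 << 20  # hash 1 MiB at a time so multi-GB images never sit fully in RAM


def hash_image(data: bytes) -> dict:
    """Return MD5, SHA-1 and SHA-256 hex digests of an image.

    The article names MD5 and SHA-1; SHA-256 is added here (assumption) because
    both older functions have known collision attacks, and many labs now record
    a collision-resistant hash next to them so the record stays defensible.
    """
    hashes = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    for offset in range(0, len(data), CHUNK):
        chunk = data[offset:offset + CHUNK]
        for h in hashes.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def record_acquisition(exhibit_id: str, examiner: str, data: bytes) -> dict:
    """Create the acquisition entry of a chain-of-custody log (constructed format)."""
    return {
        "exhibit": exhibit_id,
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "size_bytes": len(data),
        "hashes": hash_image(data),
        "verifications": [],  # every later re-check is appended here as the audit trail
    }


def verify_image(log: dict, data: bytes, examiner: str) -> bool:
    """Re-hash the working copy and append the result to the audit trail.

    The size and every recorded hash must match; a single mismatch means the
    copy can no longer be shown to be in its original state.
    """
    current = hash_image(data)
    ok = len(data) == log["size_bytes"] and all(
        current[name] == log["hashes"][name] for name in log["hashes"]
    )
    log["verifications"].append({
        "at": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "result": "match" if ok else "MISMATCH",
        "hashes": current,
    })
    return ok


if __name__ == "__main__":
    log = record_acquisition("EX-001", "examiner A", SAMPLE_IMAGE)
    print(verify_image(log, SAMPLE_IMAGE, "examiner A"))        # True: untouched copy
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[4100] ^= 0x01                                      # flip one bit
    print(verify_image(log, bytes(tampered), "examiner B"))     # False: recorded as MISMATCH
```

Because a failed check is logged rather than silently dropped, the report stage can show not only that the image matched but also who checked it and when.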
Each of the branches of digital forensics has its own guidelines on how to conduct investigations and handle data.
Digital forensics is no longer synonymous with computer forensics. It is increasingly concerned with data from other digital devices such as tablets, smartphones, flash drives and even cloud computing.
In general, we can break digital forensics into five branches:
- Computer forensics
- Mobile device forensics
- Network forensics
- Forensic data analysis
- Database forensics
Computer forensics or computer forensic science is a branch of digital forensics concerned with evidence found in computers and digital storage media. The goal of computer forensics is to examine digital data with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information.
It is used in both computer crime and civil proceedings. The discipline has similar techniques and principles to data recovery, with additional guidelines and practices designed to create a legal audit trail with a clear chain of custody.
Evidence from computer forensics investigations is subjected to the same guidelines and practices of other digital evidence.
Mobile device forensics is a branch of digital forensics focused on the recovery of digital evidence from mobile devices using forensically sound methods.
While the phrase mobile device generally refers to mobile phones, it can relate to any device that has internal memory and communication ability including PDA devices, GPS devices and tablets.
While the use of mobile phones in crime has been widely recognized for years, the forensic study of mobile phones is a new field, beginning in the late 1990s.
The growing need for mobile device forensics is driven by:
- Use of mobile phones to store and transmit personal and corporate information
- Use of mobile phones in online transactions
That said, mobile device forensics is particularly challenging due to:
- Evidential and technical challenges, such as cell site analysis, which makes it possible to determine roughly the cell site zone from which a call was made or received, but not a specific location such as an address
- Changes in mobile phone form factors, operating systems, data storage, services, peripherals and even pin connectors and cables
- Storage capacity growth
- Their proprietary nature
- Hibernation behavior where processes are suspended when the device is off or idle
As a result of these challenges, many tools exist to extract evidence from mobile devices. But no one tool or method can acquire all evidence from all devices. This has forced forensic examiners, especially those who wish to be expert witnesses, to undergo extensive training to understand how each tool and method acquires evidence, how it maintains forensic soundness and how it meets legal requirements.
Network forensics is a branch of digital forensics focused on monitoring and analyzing computer network traffic for information gathering, legal evidence or intrusion detection.
Unlike other branches of digital forensics, network data is volatile and dynamic. Once transmitted, it is gone so network forensics is often a proactive investigation.
Network forensics has two general uses:
- Monitoring a network for anomalous traffic and identifying intrusions.
- Analyzing captured network traffic, for example by law enforcement as part of criminal investigations.
Forensic data analysis (FDA) is a branch of digital forensics that examines structured data in relation to incidents of financial crime. The aim is to discover and analyze patterns of fraudulent activity. Structured data is data from application systems or their databases.
This can be contrasted to unstructured data that is taken from communication, office applications and mobile devices. Unstructured data has no overarching structure and analysis therefore means applying keywords or mapping patterns. Analysis of unstructured data is usually done by computer forensics or mobile device forensics experts.
Database forensics is a branch of digital forensics related to databases and their related metadata. Cached information may also exist in a server's RAM requiring live analysis techniques.
A forensic examination of a database may relate to timestamps that apply to the update time of a row in a relational database that is being inspected and tested for validity to verify the actions of a database user. Alternatively, it may focus on identifying transactions within a database or application that indicate evidence of wrongdoing, such as fraud.
Traditionally, digital forensics practitioners came from a general computer science background, were experienced sysadmins who were comfortable with many of the tools used in digital forensics, or they learnt on the job in an apprentice model.
Due to increased demand for digital forensics and increasing specialization, universities, colleges and online education providers now offer degrees or certifications in digital forensics such as:
- Purdue University's Cybersecurity and Forensics Lab offers a master's degree in cyber forensics
- Utica College offers a bachelor's degree in cybersecurity and information assurance with cybercrime investigations and forensics as a concentration
- Champlain College offers an online bachelor's degree in computer forensics
- The City University of New York offers an online master's degree in digital forensics and cybersecurity
- The University of Maryland University College offers an online master's degree in digital forensics and cybersecurity
- SANS offers Global Information Assurance Certification (GIAC) credentials, including the Certified Forensic Examiner and Certified Forensic Analyst certifications
Jobs in digital forensics have titles like investigator, technician or analyst depending on specialization and seniority, with the majority of jobs in the public sector such as law enforcement, state or national agencies or crime labs.
That said, due to increasing cybersecurity risk, many organizations are beginning to hire their own digital forensic specialists to help prevent and identify the causes of cyber attacks like malware, ransomware like WannaCry or social engineering attacks like social media phishing. Increasing usage of third-party vendors means cybersecurity has never been more important. Digital forensics may also help with vendor risk management and third-party risk management. Third-party risk and fourth-party risk have never been higher.
And it's a pretty lucrative career path. According to PayScale, the average forensic computer analyst earns around $72,000 a year and maxes out around $116,000.
UpGuard BreachSight's typosquatting module can reduce the cyber risks related to typosquatting and vulnerabilities, along with preventing breaches, avoiding regulatory fines and protecting your customers' trust through cyber security ratings and continuous exposure detection.
We can also help you continuously monitor, rate and send security questionnaires to your vendors to control third-party risk and improve your security posture, as well as automatically create an inventory, enforce policies, and detect unexpected changes to your IT infrastructure.