As a small introduction to the new "Digital Forensics" group in the Octopus Cybercrime Community I want to give a brief overview of this interesting field. In the course of this article I will try to answer some common questions, explain why digital forensics is important for Cybercrime cases and how it can support your investigations.
While this article is quite basic, I will also publish articles on some more advanced topics in the following weeks.
What is digital forensics?
Digital Forensics is a branch of forensic science related to the acquisition, processing, analysis and reporting of evidence that is stored on computer systems, digital devices and other storage media with the aim of admissibility in court.
How does a typical digital forensics examination work?
Figure 1: Workflow in digital forensics examinations
After the case investigator has identified and seized the sources of electronic evidence, the exhibits are handed over to the forensic examiner. The typical workflow in a digital forensics examination (see fig. 1) starts with the acquisition of the electronic evidence. Creating a copy of the original evidence in a forensically sound manner is crucial for its admissibility in court. During that process the examiner has to ensure and verify that no changes are made to the original evidence (typically by reading it through a write blocker) and that the copy exactly matches the original (typically by computing cryptographic hashes of the original and of the copy, comparing them and recording them in the acquisition log).
The next step in the digital forensics workflow is processing. This involves filtering the acquired data down to the subset that needs to be examined in the analysis step, so that the most promising, case-relevant data is prioritised. Processing also includes basic data recovery tasks (such as recovering deleted files and carving file fragments from unallocated space), so that recovered material is included in the filtered set rather than only the data that is still visible in the file system.
The most time-consuming step in the workflow is the analysis. In this step the experienced analyst examines allocated files, deleted data and partial fragments to find evidence that is relevant for the case.
In the last step, presentation, the forensic examiner writes a report for the court. It is essential to keep the text as non-technical as possible, because judges and prosecutors usually do not have a computer science background. The presentation step finally ends with presenting the evidence in court.
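As an added example that is not part of the original article, the following POSIX shell script shows the acquisition step in miniature: it hashes the source before and after imaging, images it with dd, hashes the image, and writes all of it to an acquisition log; it reports success only when the three hashes agree. The source, image and log paths are arguments; the sample run at the bottom is meant for a real device, while the test data used here is a constructed regular file standing in for a block device, which in practice would sit behind a hardware write blocker.

```shell
#!/bin/sh
# Forensic acquisition demo: image a source with dd and verify the copy by hash.
# Assumptions: sha256sum, dd, awk and date are available (coreutils);
# on macOS replace sha256sum with "shasum -a 256".

# Print the lowercase SHA-256 of a file.
hash_file() {
    sha256sum "$1" | awk '{print $1}'
}

# acquire_and_verify SOURCE IMAGE LOGFILE
# Returns 0 only if the source hash is unchanged by the read and the image hash matches it.
acquire_and_verify() {
    src="$1"; img="$2"; log="$3"
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s acquisition start source=%s image=%s\n' "$ts" "$src" "$img" >> "$log"

    # Hash the source before touching it, so a later re-hash can prove it was not altered.
    before=$(hash_file "$src")
    printf 'source sha256 (before): %s\n' "$before" >> "$log"

    # Plain dd stops on a read error instead of silently padding, which for this demo
    # is the desired outcome. Media with bad sectors is imaged with a forensic imager
    # (e.g. dc3dd or ewfacquire) that logs every unreadable block.
    if ! dd if="$src" of="$img" bs=4096 2>> "$log"; then
        printf 'acquisition FAILED: dd reported an error\n' >> "$log"
        return 1
    fi

    image=$(hash_file "$img")
    after=$(hash_file "$src")
    printf 'image  sha256:         %s\n' "$image" >> "$log"
    printf 'source sha256 (after): %s\n' "$after" >> "$log"

    if [ "$before" = "$image" ] && [ "$image" = "$after" ]; then
        printf 'VERIFIED %s\n' "$image" >> "$log"
        return 0
    fi
    printf 'MISMATCH: image does not match source, acquisition must be repeated\n' >> "$log"
    return 1
}

# Stand-alone use (device behind a write blocker): sh acquire.sh /dev/sdb case42.dd case42.log
if [ "$#" -eq 3 ]; then
    acquire_and_verify "$1" "$2" "$3"
fi
```

The log produced this way (timestamps, three hashes, verdict) is what later supports the chain of custody: anyone can re-hash the image and compare it with the recorded value.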
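A concrete instance of the filtering step, added here as an example and not taken from the article: the script hashes every file in an exported directory, drops those whose hash appears in a known-good hash set (constructed for the demo; in practice a reference set such as the NIST NSRL or a case-specific list of already-reviewed files), and prints the remainder ranked so that user documents come first. The directory layout, the hash-list format and the priority classes are assumptions for the demo.

```shell
#!/bin/sh
# Processing demo: reduce a file export to the subset worth analysing.
# Assumes sha256sum, find, awk and sort (coreutils); the known hash set is one
# lowercase SHA-256 per line.

# Priority class by file type; lower number = review first (assumed ranking for the demo).
priority_of() {
    case "$1" in
        *.doc|*.docx|*.xls|*.xlsx|*.pdf|*.txt|*.eml|*.msg) echo 1 ;;   # user documents and mail
        *.jpg|*.jpeg|*.png|*.mp4|*.mov)                   echo 2 ;;   # media
        *)                                                echo 3 ;;   # everything else
    esac
}

# triage_dir DIR KNOWN_HASHES
# Prints "priority sha256 path" for every file not in the known set, best candidates first.
triage_dir() {
    dir="$1"; known="$2"
    find "$dir" -type f | while IFS= read -r f; do
        h=$(sha256sum "$f" | awk '{print $1}')
        # Known content (OS files, stock applications, already-reviewed material) is dropped.
        if grep -qix "$h" "$known"; then
            continue
        fi
        printf '%s %s %s\n' "$(priority_of "$f")" "$h" "$f"
    done | sort -k1,1n -k3
}

# Stand-alone use: sh triage.sh /cases/42/export known_hashes.txt > review_list.txt
if [ "$#" -eq 2 ]; then
    triage_dir "$1" "$2"
fi
```

The output is a review list for the analysis step; the hashes in it double as the first column of a later evidence inventory.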
Which areas belong to digital forensics?
Digital forensics comprises a number of sub-branches. Figure 2 provides an overview of the areas that belong to the broad field of digital forensics.
Figure 2: Digital Forensics and its sub-branches.
Why are digital forensics examinations important for everyone working in the field of Cybercrime?
Cybercrime - as well as a lot of other crimes nowadays - involves computer systems that were either used to commit the crime or at least used to store case-related information or communication. Thus in nearly every Cybercrime case computer systems, mobile phones or other electronic devices can contain important information that can prove someone's guilt or at least give valuable indications. In the case of security incidents, not only the suspect's computer system but also the compromised server needs to be analysed by forensic specialists.
How digital forensics can help your investigations
Digital forensics can show you which websites were visited with a certain user account on a computer system, which searches were conducted, which files were downloaded, which software was started and even which USB devices were connected to a system. It can also extract information on which files were deleted by the user, which files were opened recently, which phone calls were made with a mobile phone, which messages were sent and received, which cell towers and wireless access points the device was connected to, where photos were taken and so on. Note that such artefacts tie an activity to an account or a device, not directly to a person; attributing it to an individual needs corroborating evidence. The possibilities of digital forensics supporting your investigations are nearly endless.
What are the current challenges of digital forensics?
In my next articles I will cover some of the current challenges of digital forensics.