HOME

TheInfoList



OR:

Digital forensics (sometimes known as digital forensic science) is a branch of
forensic science Forensic science, also known as criminalistics, is the application of science to criminal and civil laws, mainly—on the criminal side—during criminal investigation, as governed by the legal standards of admissible evidence and criminal ...
encompassing the recovery, investigation, examination and analysis of material found in digital devices, often in relation to mobile devices and
computer crime A cybercrime is a crime that involves a computer or a computer network.Moore, R. (2005) "Cyber crime: Investigating High-Technology Computer Crime," Cleveland, Mississippi: Anderson Publishing. The computer may have been used in committing the ...
. The term digital forensics was originally used as a synonym for
computer forensics Computer forensics (also known as computer forensic science) is a branch of digital forensic science pertaining to evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensica ...
but has expanded to cover investigation of all devices capable of storing digital data. With roots in the personal computing revolution of the late 1970s and early 1980s, the discipline evolved in a haphazard manner during the 1990s, and it was not until the early 21st century that national policies emerged. Digital forensics investigations have a variety of applications. The most common is to support or refute a hypothesis before
criminal In ordinary language, a crime is an unlawful act punishable by a state or other authority. The term ''crime'' does not, in modern criminal law, have any simple and universally accepted definition,Farmer, Lindsay: "Crime, definitions of", in C ...
or civil courts. Criminal cases involve the alleged breaking of laws that are defined by legislation and that are enforced by the police and prosecuted by the state, such as murder, theft and assault against the person. Civil cases on the other hand deal with protecting the rights and property of individuals (often associated with family disputes) but may also be concerned with contractual disputes between commercial entities where a form of digital forensics referred to as
electronic discovery Electronic discovery (also ediscovery or e-discovery) refers to discovery in legal proceedings such as litigation, government investigations, or Freedom of Information Act requests, where the information sought is in electronic format (often refe ...
(ediscovery) may be involved. Forensics may also feature in the private sector; such as during internal corporate investigations or intrusion investigation (a specialist probe into the nature and extent of an unauthorized network intrusion). The technical aspect of an investigation is divided into several sub-branches, relating to the type of digital devices involved; computer forensics, network forensics, forensic data analysis and mobile device forensics. The typical forensic process encompasses the seizure, forensic imaging (acquisition) and analysis of digital media and the production of a report into collected evidence. As well as identifying direct evidence of a crime, digital forensics can be used to attribute evidence to specific suspects, confirm
alibi An alibi (from the Latin, '' alibī'', meaning "somewhere else") is a statement by a person, who is a possible perpetrator of a crime, of where they were at the time a particular offence was committed, which is somewhere other than where the crim ...
s or statements, determine intent, identify sources (for example, in copyright cases), or authenticate documents. Investigations are much broader in scope than other areas of forensic analysis (where the usual aim is to provide answers to a series of simpler questions) often involving complex time-lines or hypotheses.


History

Prior to the 1970s crimes involving computers were dealt with using existing laws. The first
computer crime A cybercrime is a crime that involves a computer or a computer network.Moore, R. (2005) "Cyber crime: Investigating High-Technology Computer Crime," Cleveland, Mississippi: Anderson Publishing. The computer may have been used in committing the ...
s were recognized in the 1978 Florida Computer Crimes Act, which included legislation against the unauthorized modification or deletion of data on a computer system. Over the next few years the range of computer crimes being committed increased, and laws were passed to deal with issues of
copyright A copyright is a type of intellectual property that gives its owner the exclusive right to copy, distribute, adapt, display, and perform a creative work, usually for a limited time. The creative work may be in a literary, artistic, educatio ...
, privacy/harassment (e.g.,
cyber bullying Cyberbullying or cyberharassment is a form of bullying or harassment using electronic means. Cyberbullying and cyberharassment are also known as online bullying. It has become increasingly common, especially among teenagers, as the digital s ...
, happy slapping, cyber stalking, and
online predator Online predators are individuals who commit child sexual abuse that begins or takes place on the Internet. Conceptions Internet-facilitated crimes against minors involve deceit and begin with adults communicating with children over the Internet ...
s) and
child pornography Child pornography (also called CP, child sexual abuse material, CSAM, child porn, or kiddie porn) is pornography that unlawfully exploits children for sexual stimulation. It may be produced with the direct involvement or sexual assault of a ...
. It was not until the 1980s that federal laws began to incorporate computer offences. Canada was the first country to pass legislation in 1983. This was followed by the US Federal ''
Computer Fraud and Abuse Act The Computer Fraud and Abuse Act of 1986 (CFAA) is a United States cybersecurity bill that was enacted in 1986 as an amendment to existing computer fraud law (), which had been included in the Comprehensive Crime Control Act of 1984. The law pro ...
'' in 1986, Australian amendments to their crimes acts in 1989 and the British ''Computer Misuse Act'' in 1990.


1980s–1990s: Growth of the field

The growth in computer crime during the 1980s and 1990s caused
law enforcement agencies A law enforcement agency (LEA) is any government agency responsible for the enforcement of the laws. Jurisdiction LEAs which have their ability to apply their powers restricted in some way are said to operate within a jurisdiction. LEA ...
to begin establishing specialized groups, usually at the national level, to handle the technical aspects of investigations. For example, in 1984 the FBI launched a ''Computer Analysis and Response Team'' and the following year a computer crime department was set up within the British
Metropolitan Police The Metropolitan Police Service (MPS), formerly and still commonly known as the Metropolitan Police (and informally as the Met Police, the Met, Scotland Yard, or the Yard), is the territorial police force responsible for law enforcement and ...
fraud squad. As well as being law enforcement professionals, many of the early members of these groups were also computer hobbyists and became responsible for the field's initial research and direction. One of the first practical (or at least publicized) examples of digital forensics was Cliff Stoll's pursuit of hacker
Markus Hess Markus Hess, a German citizen, is best known for his endeavours as a hacker in the late 1980s. Alongside fellow hackers Dirk Brzezinski and Peter Carl, Hess hacked into networks of military and industrial computers based in the United States, Eur ...
in 1986. Stoll, whose investigation made use of computer and network forensic techniques, was not a specialized examiner. Many of the earliest forensic examinations followed the same profile. Throughout the 1990s there was high demand for these new, and basic, investigative resources. The strain on central units lead to the creation of regional, and even local, level groups to help handle the load. For example, the British
National Hi-Tech Crime Unit The National Hi-Tech Crime Unit (NHTCU) previously formed part of the National Crime Squad, a British Police organisation which dealt with major crime. The National Hi-Tech Crime Unit was created in 2001 as a result of an Association of Chief Poli ...
was set up in 2001 to provide a national infrastructure for computer crime; with personnel located both centrally in London and with the various regional police forces (the unit was folded into the Serious Organised Crime Agency (SOCA) in 2006). During this period the science of digital forensics grew from the ad-hoc tools and techniques developed by these hobbyist practitioners. This is in contrast to other forensics disciplines which developed from work by the scientific community. It was not until 1992 that the term "computer forensics" was used in
academic literature Academic publishing is the subfield of publishing which distributes academic research and scholarship. Most academic work is published in academic journal articles, books or theses. The part of academic written output that is not formally pu ...
(although prior to this it had been in informal use); a paper by Collier and Spaul attempted to justify this new discipline to the forensic science world. This swift development resulted in a lack of standardization and training. In his 1995 book, "''High-Technology Crime: Investigating Cases Involving Computers''", K. Rosenblatt wrote:


2000s: Developing standards

Since 2000, in response to the need for standardization, various bodies and agencies have published guidelines for digital forensics. The
Scientific Working Group on Digital Evidence The Scientific Working Group on Digital Evidence (SWGDE) is a group that brings together law enforcement, academic, and commercial organizations actively engaged in the field of digital forensics to develop cross-disciplinary guidelines and standa ...
(SWGDE) produced a 2002 paper, "''Best practices for Computer Forensics''", this was followed, in 2005, by the publication of an ISO standard ( ISO 17025, ''General requirements for the competence of testing and calibration laboratories''). A European led international treaty, the
Convention on Cybercrime The Convention on Cybercrime, also known as the Budapest Convention on Cybercrime or the Budapest Convention, is the first international treaty seeking to address Internet and computer crime (cybercrime) by harmonizing national laws, improving ...
, came into force in 2004 with the aim of reconciling national computer crime laws, investigative techniques and international co-operation. The treaty has been signed by 43 nations (including the US, Canada, Japan, South Africa, UK and other European nations) and ratified by 16. The issue of training also received attention. Commercial companies (often forensic software developers) began to offer certification programs and digital forensic analysis was included as a topic at the UK specialist investigator training facility,
Centrex Centrex is a portmanteau of central exchange, a kind of telephone exchange. It provides functions similar to a PBX, but is provisioned with equipment owned by, and located at, the telephone company premises. Centrex service was first installed ...
. Since the late 1990s mobile devices have become more widely available, advancing beyond simple communication devices, and have been found to be rich forms of information, even for crime not traditionally associated with digital forensics. Despite this, digital analysis of phones has lagged behind traditional computer media, largely due to problems over the proprietary nature of devices. Focus has also shifted onto internet crime, particularly the risk of cyber warfare and cyberterrorism. A February 2010 report by the United States Joint Forces Command concluded: The field of digital forensics still faces unresolved issues. A 2009 paper, "Digital Forensic Research: The Good, the Bad and the Unaddressed", by Peterson and Shenoi identified a bias towards Windows operating systems in digital forensics research. In 2010 Simson Garfinkel identified issues facing digital investigations in the future, including the increasing size of digital media, the wide availability of encryption to consumers, a growing variety of operating systems and file formats, an increasing number of individuals owning multiple devices, and legal limitations on investigators. The paper also identified continued training issues, as well as the prohibitively high cost of entering the field.


Development of forensic tools

During the 1980s very few specialized digital forensic tools existed, and consequently investigators often performed live analysis on media, examining computers from within the operating system using existing sysadmin tools to extract evidence. This practice carried the risk of modifying data on the disk, either inadvertently or otherwise, which led to claims of evidence tampering. A number of tools were created during the early 1990s to address the problem. The need for such software was first recognized in 1989 at the
Federal Law Enforcement Training Center The Federal Law Enforcement Training Centers (FLETC) serves as an interagency law enforcement training body for 105 United States government federal law enforcement agencies. The stated mission of FLETC is to "...train those who protect our hom ...
, resulting in the creation of IMDUMP (by Michael White) and in 1990, SafeBack (developed by Sydex). Similar software was developed in other countries; DIBS (a hardware and software solution) was released commercially in the UK in 1991, and Rob McKemmish released ''Fixed Disk Image'' free to Australian law enforcement. These tools allowed examiners to create an exact copy of a piece of digital media to work on, leaving the original disk intact for verification. By the end of the 1990s, as demand for digital evidence grew more advanced commercial tools such as EnCase and FTK were developed, allowing analysts to examine copies of media without using any live forensics. More recently, a trend towards "live memory forensics" has grown resulting in the availability of tools such as
WindowsSCOPE WindowsSCOPE is a memory forensics and reverse engineering product for Windows used for acquiring and analyzing volatile memory. One of its uses is in the detection and reverse engineering of rootkits and other malware. WindowsSCOPE supports acqu ...
. More recently, the same progression of tool development has occurred for
mobile device A mobile device (or handheld computer) is a computer small enough to hold and operate in the hand. Mobile devices typically have a flat LCD or OLED screen, a touchscreen interface, and digital or physical buttons. They may also have a physica ...
s; initially investigators accessed data directly on the device, but soon specialist tools such as XRY or Radio Tactics Aceso appeared.


Forensic process

A digital forensic investigation commonly consists of 3 stages: acquisition or imaging of exhibits, analysis, and reporting. Ideally acquisition involves capturing an image of the computer's volatile memory (RAM) and creating an exact
sector Sector may refer to: Places * Sector, West Virginia, U.S. Geometry * Circular sector, the portion of a disc enclosed by two radii and a circular arc * Hyperbolic sector, a region enclosed by two radii and a hyperbolic arc * Spherical sector, a po ...
level duplicate (or "forensic duplicate") of the media, often using a write blocking device to prevent modification of the original. However, the growth in size of storage media and developments such as cloud computing have led to more use of 'live' acquisitions whereby a 'logical' copy of the data is acquired rather than a complete image of the physical storage device. Both acquired image (or logical copy) and original media/data are hashed (using an algorithm such as
SHA-1 In cryptography, SHA-1 (Secure Hash Algorithm 1) is a cryptographically broken but still widely used hash function which takes an input and produces a 160- bit (20- byte) hash value known as a message digest – typically rendered as 40 hexa ...
or MD5) and the values compared to verify the copy is accurate. An alternative (and patented) approach (that has been dubbed 'hybrid forensics' or 'distributed forensics') combines digital forensics and ediscovery processes. This approach has been embodied in a commercial tool called ISEEK that was presented together with test results at a conference in 2017. During the analysis phase an investigator recovers evidence material using a number of different methodologies and tools. In 2002, an article in the ''International Journal of Digital Evidence'' referred to this step as "an in-depth systematic search of evidence related to the suspected crime." In 2006, forensics researcher Brian Carrier described an "intuitive procedure" in which obvious evidence is first identified and then "exhaustive searches are conducted to start filling in the holes." The actual process of analysis can vary between investigations, but common methodologies include conducting keyword searches across the digital media (within files as well as unallocated and slack space), recovering deleted files and extraction of registry information (for example to list user accounts, or attached USB devices). The evidence recovered is analysed to reconstruct events or actions and to reach conclusions, work that can often be performed by less specialised staff. When an investigation is complete the data is presented, usually in the form of a written report, in lay persons' terms.


Application

Digital forensics is commonly used in both criminal law and private investigation. Traditionally it has been associated with criminal law, where evidence is collected to support or oppose a hypothesis before the courts. As with other areas of forensics this is often a part of a wider investigation spanning a number of disciplines. In some cases, the collected evidence is used as a form of intelligence gathering, used for other purposes than court proceedings (for example to locate, identify or halt other crimes). As a result, intelligence gathering is sometimes held to a less strict forensic standard. In civil litigation or corporate matters digital forensics forms part of the
electronic discovery Electronic discovery (also ediscovery or e-discovery) refers to discovery in legal proceedings such as litigation, government investigations, or Freedom of Information Act requests, where the information sought is in electronic format (often refe ...
(or eDiscovery) process. Forensic procedures are similar to those used in criminal investigations, often with different legal requirements and limitations. Outside of the courts digital forensics can form a part of internal corporate investigations. A common example might be following unauthorized network intrusion. A specialist forensic examination into the nature and extent of the attack is performed as a damage limitation exercise, both to establish the extent of any intrusion and in an attempt to identify the attacker. Such attacks were commonly conducted over phone lines during the 1980s, but in the modern era are usually propagated over the Internet. The main focus of digital forensics investigations is to recover objective evidence of a criminal activity (termed
actus reus (), sometimes called the external element or the objective element of a crime, is the Law Latin term for the "guilty act" which, when proved beyond a reasonable doubt in combination with the ("guilty mind"), produces criminal liability in t ...
in legal parlance). However, the diverse range of data held in digital devices can help with other areas of inquiry. ;Attribution :Meta data and other logs can be used to attribute actions to an individual. For example, personal documents on a computer drive might identify its owner. ;Alibis and statements :Information provided by those involved can be cross checked with digital evidence. For example, during the investigation into the Soham murders the offender's alibi was disproved when mobile phone records of the person he claimed to be with showed she was out of town at the time. ;Intent :As well as finding objective evidence of a crime being committed, investigations can also be used to prove the intent (known by the legal term
mens rea In criminal law, (; Law Latin for "guilty mind") is the mental element of a person's intention to commit a crime; or knowledge that one's action (or lack of action) would cause a crime to be committed. It is considered a necessary element ...
). For example, the Internet history of convicted killer
Neil Entwistle Neil is a masculine name of Gaelic and Irish origin. The name is an anglicisation of the Irish ''Niall'' which is of disputed derivation. The Irish name may be derived from words meaning "cloud", "passionate", "victory", "honour" or "champion".. ...
included references to a site discussing ''How to kill people''. ;Evaluation of source :File artifacts and meta-data can be used to identify the origin of a particular piece of data; for example, older versions of
Microsoft Word Microsoft Word is a word processor, word processing software developed by Microsoft. It was first released on October 25, 1983, under the name ''Multi-Tool Word'' for Xenix systems. Subsequent versions were later written for several other pla ...
embedded a Global Unique Identifier into files which identified the computer it had been created on. Proving whether a file was produced on the digital device being examined or obtained from elsewhere (e.g., the Internet) can be very important. ;Document authentication :Related to "Evaluation of source," meta data associated with digital documents can be easily modified (for example, by changing the computer clock you can affect the creation date of a file). Document authentication relates to detecting and identifying falsification of such details.


Limitations

One major limitation to a forensic investigation is the use of encryption; this disrupts initial examination where pertinent evidence might be located using keywords. Laws to compel individuals to disclose encryption keys are still relatively new and controversial. but always more frequently there are solutions to
brute force Brute Force or brute force may refer to: Techniques * Brute force method or proof by exhaustion, a method of mathematical proof * Brute-force attack, a cryptanalytic attack * Brute-force search, a computer problem-solving technique People * Brut ...
passwords or bypass encryption, such as in smartphones or PCs where by means of bootloader techniques the content of the device can be first acquired and later forced in order to find the password or encryption key.


Legal considerations

The examination of digital media is covered by national and international legislation. For civil investigations, in particular, laws may restrict the abilities of analysts to undertake examinations. Restrictions against
network monitoring Network monitoring is the use of a system that constantly monitors a computer network for slow or failing components and that notifies the network administrator (via email, SMS or other alarms) in case of outages or other trouble. Network monito ...
, or reading of personal communications often exist. During criminal investigation, national laws restrict how much information can be seized. For example, in the United Kingdom seizure of evidence by law enforcement is governed by the PACE act. During its existence early in the field, the "International Organization on Computer Evidence" (IOCE) was one agency that worked to establish compatible international standards for the seizure of evidence. In the UK the same laws covering computer crime can also affect forensic investigators. The 1990 Computer Misuse Act legislates against unauthorised access to computer material; this is a particular concern for civil investigators who have more limitations than law enforcement. An individual's right to privacy is one area of digital forensics which is still largely undecided by courts. The US
Electronic Communications Privacy Act Electronic Communications Privacy Act of 1986 (ECPA) was enacted by the United States Congress to extend restrictions on government wire taps of telephone calls to include transmissions of electronic data by computer ( ''et seq.''), added new pr ...
places limitations on the ability of law enforcement or civil investigators to intercept and access evidence. The act makes a distinction between stored communication (e.g. email archives) and transmitted communication (such as
VOIP Voice over Internet Protocol (VoIP), also called IP telephony, is a method and group of technologies for the delivery of voice communications and multimedia sessions over Internet Protocol (IP) networks, such as the Internet. The terms Internet t ...
). The latter, being considered more of a privacy invasion, is harder to obtain a warrant for. The ECPA also affects the ability of companies to investigate the computers and communications of their employees, an aspect that is still under debate as to the extent to which a company can perform such monitoring.
Article 5 of the European Convention on Human Rights Article 5 of the European Convention on Human Rights (Art.5 ECHR for short) provides that everyone has the right to liberty and security of person. Liberty and security of the person are taken as a "compound" concept - security of the person has n ...
asserts similar privacy limitations to the ECPA and limits the processing and sharing of personal data both within the EU and with external countries. The ability of UK law enforcement to conduct digital forensics investigations is legislated by the
Regulation of Investigatory Powers Act The Regulation of Investigatory Powers Act 2000 ( c.23) (RIP or RIPA) is an Act of the Parliament of the United Kingdom, regulating the powers of public bodies to carry out surveillance and investigation, and covering the interception of com ...
.


Digital evidence

When used in a court of law digital evidence falls under the same legal guidelines as other forms of evidence; courts do not usually require more stringent guidelines. In the United States the
Federal Rules of Evidence First adopted in 1975, the Federal Rules of Evidence codify the evidence law that applies in United States federal courts. In addition, many states in the United States have either adopted the Federal Rules of Evidence, with or without local v ...
are used to evaluate the
admissibility Admissibility may refer to: Law * Admissible evidence, evidence which may be introduced in a court of law * Admissibility (ECHR), whether a case will be considered in the European Convention on Human Rights system Mathematics and logic * Admissible ...
of digital evidence, the United Kingdom PACE an
Civil Evidence acts
have similar guidelines and many other countries have their own laws. US federal laws restrict seizures to items with only obvious evidential value. This is acknowledged as not always being possible to establish with digital media prior to an examination. Laws dealing with digital evidence are concerned with two issues: integrity and authenticity. Integrity is ensuring that the act of seizing and acquiring digital media does not modify the evidence (either the original or the copy). Authenticity refers to the ability to confirm the integrity of information; for example that the imaged media matches the original evidence. The ease with which digital media can be modified means that documenting the
chain of custody Chain of custody (CoC), in legal contexts, is the chronological documentation or paper trail that records the sequence of custody, control, transfer, analysis, and disposition of materials, including physical or electronic evidence. Of particula ...
from the crime scene, through analysis and, ultimately, to the court, (a form of audit trail) is important to establish the authenticity of evidence. Attorneys have argued that because digital evidence can theoretically be altered it undermines the reliability of the evidence. US judges are beginning to reject this theory, in the case ''US v. Bonallo'' the court ruled that "the fact that it is possible to alter data contained in a computer is plainly insufficient to establish untrustworthiness." In the United Kingdom guidelines such as those issued by
ACPO The Association of Chief Police Officers of England, Wales and Northern Ireland (ACPO) was a not-for-profit private limited company that for many years led the development of policing practices in England, Wales, and Northern Ireland. Established ...
are followed to help document the authenticity and integrity of evidence. Digital investigators, particularly in criminal investigations, have to ensure that conclusions are based upon factual evidence and their own expert knowledge. In the US, for example, Federal Rules of Evidence state that a qualified expert may testify “in the form of an opinion or otherwise” so long as: The sub-branches of digital forensics may each have their own specific guidelines for the conduct of investigations and the handling of evidence. For example, mobile phones may be required to be placed in a
Faraday shield A Faraday cage or Faraday shield is an enclosure used to block electromagnetic fields. A Faraday shield may be formed by a continuous covering of conductive material, or in the case of a Faraday cage, by a mesh of such materials. Faraday cage ...
during seizure or acquisition to prevent further radio traffic to the device. In the UK forensic examination of computers in criminal matters is subject to
ACPO The Association of Chief Police Officers of England, Wales and Northern Ireland (ACPO) was a not-for-profit private limited company that for many years led the development of policing practices in England, Wales, and Northern Ireland. Established ...
guidelines. There are also international approaches to providing guidance on how to handle electronic evidence. The "Electronic Evidence Guide" by the
Council of Europe The Council of Europe (CoE; french: Conseil de l'Europe, ) is an international organisation founded in the wake of World War II to uphold human rights, democracy and the rule of law in Europe. Founded in 1949, it has 46 member states, with a p ...
offers a framework for law enforcement and judicial authorities in countries who seek to set up or enhance their own guidelines for the identification and handling of electronic evidence.


Investigative tools

The admissibility of digital evidence relies on the tools used to extract it. In the US, forensic tools are subjected to the
Daubert standard In United States federal law, the ''Daubert'' standard is a rule of evidence regarding the admissibility of expert witness testimony. A party may raise a ''Daubert'' motion, a special motion ''in limine'' raised before or during trial, to exclude ...
, where the judge is responsible for ensuring that the processes and software used were acceptable. In a 2003 paper Brian Carrier argued that the Daubert guidelines required the code of forensic tools to be published and peer reviewed. He concluded that "open source tools may more clearly and comprehensively meet the guideline requirements than would closed source tools." In 2011 Josh Brunty stated that the scientific validation of the technology and software associated with performing a digital forensic examination is critical to any laboratory process. He argued that "the science of digital forensics is founded on the principles of repeatable processes and quality evidence therefore knowing how to design and properly maintain a good validation process is a key requirement for any digital forensic examiner to defend their methods in court." "


Branches

Digital forensics investigation is not restricted to retrieve data merely from the computer, as laws are breached by the criminals and small digital devices (e.g. tablets, smartphones, flash drives) are now extensively used. Some of these devices have volatile memory while some have non-volatile memory. Sufficient methodologies are available to retrieve data from volatile memory, however, there is lack of detailed methodology or a framework for data retrieval from non-volatile memory sources. Depending on the type of devices, media or artifacts, digital forensics investigation is branched into various types.


Computer forensics

The goal of computer forensics is to explain the current state of a digital artifact; such as a computer system, storage medium or electronic document. The discipline usually covers computers,
embedded system An embedded system is a computer system—a combination of a computer processor, computer memory, and input/output peripheral devices—that has a dedicated function within a larger mechanical or electronic system. It is ''embedded ...
s (digital devices with rudimentary computing power and onboard memory) and static memory (such as USB pen drives). Computer forensics can deal with a broad range of information; from logs (such as internet history) through to the actual files on the drive. In 2007 prosecutors used a
spreadsheet A spreadsheet is a computer application for computation, organization, analysis and storage of data in tabular form. Spreadsheets were developed as computerized analogs of paper accounting worksheets. The program operates on data entered in ...
recovered from the computer of Joseph Edward Duncan to show premeditation and secure the
death penalty Capital punishment, also known as the death penalty, is the state-sanctioned practice of deliberately killing a person as a punishment for an actual or supposed crime, usually following an authorized, rule-governed process to conclude that ...
. Sharon Lopatka's killer was identified in 2006 after email messages from him detailing torture and death fantasies were found on her computer.


Mobile device forensics

Mobile device forensics is a sub-branch of digital forensics relating to recovery of digital evidence or data from a
mobile device A mobile device (or handheld computer) is a computer small enough to hold and operate in the hand. Mobile devices typically have a flat LCD or OLED screen, a touchscreen interface, and digital or physical buttons. They may also have a physica ...
. It differs from Computer forensics in that a mobile device will have an inbuilt communication system (e.g.
GSM The Global System for Mobile Communications (GSM) is a standard developed by the European Telecommunications Standards Institute (ETSI) to describe the protocols for second-generation ( 2G) digital cellular networks used by mobile devices such ...
) and, usually, proprietary storage mechanisms. Investigations usually focus on simple data such as call data and communications (SMS/Email) rather than in-depth recovery of deleted data.
SMS Short Message/Messaging Service, commonly abbreviated as SMS, is a text messaging service component of most telephone, Internet and mobile device systems. It uses standardized communication protocols that let mobile devices exchange short text ...
data from a mobile device investigation helped to exonerate Patrick Lumumba in the
murder of Meredith Kercher Meredith Susanna Cara Kercher (28 December 1985 – 1 November 2007) was a British student on exchange from the University of Leeds who was murdered at the age of 21 in Perugia, Italy. Kercher was found dead on the floor of her bedroom. By the ...
. Mobile devices are also useful for providing location information; either from inbuilt gps/location tracking or via
cell site A cell site, cell tower, or cellular base station is a cellular-enabled mobile device site where antennas and electronic communications equipment are placed (typically on a radio mast, tower, or other raised structure) to create a cell, or adj ...
logs, which track the devices within their range. Such information was used to track down the kidnappers of Thomas Onofri in 2006.


Network forensics

Network forensics is concerned with the monitoring and analysis of
computer network A computer network is a set of computers sharing resources located on or provided by network nodes. The computers use common communication protocols over digital interconnections to communicate with each other. These interconnections are ...
traffic, both local and WAN/
internet The Internet (or internet) is the global system of interconnected computer networks that uses the Internet protocol suite (TCP/IP) to communicate between networks and devices. It is a '' network of networks'' that consists of private, p ...
, for the purposes of information gathering, evidence collection, or intrusion detection.Gary Palmer, A Road Map for Digital Forensic Research, Report from DFRWS 2001, First Digital Forensic Research Workshop, Utica, New York, 7–8 August 2001, Page(s) 27–30 Traffic is usually intercepted at the packet level, and either stored for later analysis or filtered in real-time. Unlike other areas of digital forensics network data is often volatile and rarely logged, making the discipline often reactionary. In 2000 the FBI lured computer hackers Aleksey Ivanov and Gorshkov to the United States for a fake job interview. By monitoring network traffic from the pair's computers, the FBI identified passwords allowing them to collect evidence directly from Russian-based computers.


Forensic data analysis

Forensic Data Analysis is a branch of digital forensics. It examines structured data with the aim to discover and analyze patterns of fraudulent activities resulting from financial crime.


Digital image forensics

Digital image forensics (or forensic image analysis) is a branch of digital forensics that deals with examination and verification of an image's authenticity and content. These can range from Stalin-era airbrushed photos to elaborate deepfake videos. This has broad implications for a wide variety of crimes, for determining the validity of information presented in civil and criminal trials, and for verifying images and information that are circulated through news and social media.


Database forensics

Database forensics is a branch of digital forensics relating to the forensic study of
databases In computing, a database is an organized collection of data stored and accessed electronically. Small databases can be stored on a file system, while large databases are hosted on computer clusters or cloud storage. The design of databases spa ...
and their
metadata Metadata is "data that provides information about other data", but not the content of the data, such as the text of a message or the image itself. There are many distinct types of metadata, including: * Descriptive metadata – the descriptive ...
. Investigations use database contents, log files and in-
RAM Ram, ram, or RAM may refer to: Animals * A male sheep * Ram cichlid, a freshwater tropical fish People * Ram (given name) * Ram (surname) * Ram (director) (Ramsubramaniam), an Indian Tamil film director * RAM (musician) (born 1974), Dutch * ...
data to build a timeline or recover relevant information.


IoT Forensics

IoT forensics is a branch of Digital forensics that has the goal of identifying and extracting digital information from devices belonging to the
Internet of things The Internet of things (IoT) describes physical objects (or groups of such objects) with sensors, processing ability, software and other technologies that connect and exchange data with other devices and systems over the Internet or other com ...
field, to be used for forensics investigations as potential source of evidence.


See also

*
List of digital forensics tools During the 1980s, most digital forensic investigations consisted of "live analysis", examining digital media directly using non-specialist tools. In the 1990s, several freeware and other proprietary tools (both hardware and software) were created ...
*
Cyberspace Cyberspace is a concept describing a widespread interconnected digital technology. "The expression dates back from the first decade of the diffusion of the internet. It refers to the online world as a world 'apart', as distinct from everyday re ...
*
Forensic search Forensic search is an emerging field of computer forensics. Forensic search focuses on user created data such as email files, cell phone records, office documents, PDFs and other files that are easily interpreted by a person. Forensic search diff ...
* Glossary of digital forensics terms *
Outline of forensic science The following outline is provided as an overview of and topical guide to forensic science: Forensic science – application of a broad spectrum of sciences to answer questions of interest to a legal system. This may be in matters relating to ...


References


Further reading

* * * * * * *


Related journals

*
Journal of Digital Forensics, Security and Law
' *
International Journal of Digital Crime and Forensics
' *
Journal of Digital Investigation
' *
International Journal of Digital Evidence
' *
International Journal of Forensic Computer Science
' *
Journal of Digital Forensic Practice
' *
Small Scale Digital Device Forensic Journal
'


External links


Scientific Working Group on Digital Evidence

Digital Forensics Case Studies
{{DEFAULTSORT:Digital Forensics Forensic disciplines