What is digital forensics and what are the techniques of collecting digital forensics?
Digital forensics is the process of identifying, collecting, preserving, extracting, analysing, investigating, documenting and reporting computer or digital evidence in a way that keeps it admissible in a court of law. It is a formal process of recovering evidence from digital or electronic media such as computers, servers, networks, databases, file systems, mobile devices and log management systems.
Digital evidence is now part and parcel of almost all criminal and civil investigations, and digital forensics is crucial to law enforcement investigations. It focuses on the recovery and investigation of material found on electronic or digital devices and at cybercrime scenes.
A digital forensics investigation involves the following major phases:
- First response: the action taken immediately after a security incident occurs. The professionalism
- Search and seizure: the investigators identify the devices involved in carrying out the cybercrime and carefully seize them, documenting the state and location of each device, so that information can later be extracted from each one.
- Collect the evidence: the investigators collect data from the seized devices using forensic methodologies for handling evidence, so that the original media is not modified in the process (for example by imaging it through a hardware write blocker).
- Secure the evidence: the investigators need a safe and secure environment in which to safeguard the evidence. It is in this phase that they determine whether the collected data is accurate, authentic and accessible.
- Data acquisition: the process of retrieving Electronically Stored Information (ESI) from the suspect digital assets, typically as a bit-for-bit image whose cryptographic hash is recorded at the time of acquisition. This gives the investigators insight into the incident as a whole and into the validity of the evidence.
- Data analysis: the investigators examine the acquired data for admissible information that can be presented in court. They examine, identify, separate, convert and model the data to turn it into useful information.
- Evidence assessment: the investigators relate the evidential data to the security incident and assess the evidence thoroughly within the scope of the case under consideration.
- Evidence preservation: this phase ensures that potentially discoverable information and evidence is protected against alteration or deletion. Digital forensics investigations should therefore follow strict evidence preservation processes, and may follow the Electronic Discovery Reference Model (EDRM) for e-discovery purposes.
- Chain of custody: evidence must meet the relevancy, materiality, authenticity and competency requirements before it is admitted in court. To maintain the integrity and uniqueness of the evidence, a chain of custody must be established; without it, evidence may be ruled inadmissible. The chain of custody is therefore a crucial component of a digital forensics investigation. It documents everyone who handles the evidence, including the digital forensics professionals, law enforcement officers and lawyers involved in collecting, using and investigating the data, together with when and why each hand-off took place and the hash value verified at that point.
- Documentation and reporting: the investigators document and report all findings in accordance with the admissibility requirements of the court.
- Testify as an expert witness in court or in administrative investigations: digital forensics investigators may be called to testify as expert witnesses, affirming the accuracy of the evidence and the soundness of the methods used to obtain it.
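The collection, securing, acquisition and chain-of-custody phases above come down in practice to one discipline: hash the evidence at acquisition and re-verify that hash at every hand-off, logging who touched it, when and why. The Python example below, added here and not taken from the original page or from any of the tools it lists, shows a minimal version of that discipline: chunked hashing so a multi-gigabyte image never has to fit in memory, and an append-only custody log in which each receiver re-hashes the evidence so that any alteration is attributable to a specific transfer. The sample image bytes, the evidence identifier and the handler names are constructed for illustration.

```python
import hashlib
import io
import json
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image (a fake MBR boot signature
# followed by some file content). A real image would come from a write-blocked
# imaging tool and would be hashed straight from disk with hash_image_file().
SAMPLE_EVIDENCE = (b"\x00" * 510 + b"\x55\xaa"
                   + b"Quarterly report - CONFIDENTIAL\n" * 8)


def hash_stream(fileobj, chunk_size=1 << 20) -> dict:
    """Hash a stream in chunks so large images need not fit in RAM.

    MD5 and SHA-256 are both recorded because imaging tools and reports
    commonly list both; integrity actually rests on the SHA-256 value.
    """
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    while True:
        chunk = fileobj.read(chunk_size)
        if not chunk:
            break
        md5.update(chunk)
        sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def hash_evidence(data: bytes) -> dict:
    # Small chunk size so the chunking loop is exercised even on sample data.
    return hash_stream(io.BytesIO(data), chunk_size=256)


def hash_image_file(path: str) -> dict:
    with open(path, "rb") as f:
        return hash_stream(f)


class ChainOfCustody:
    """Append-only custody log anchored to the hashes taken at acquisition."""

    def __init__(self, evidence_id: str, description: str):
        self.evidence_id = evidence_id
        self.description = description
        self.acquisition_hashes = None
        self.entries = []

    def _append(self, handler, action, note, hashes, verified):
        self.entries.append({
            "seq": len(self.entries) + 1,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "handler": handler,
            "action": action,
            "note": note,
            "hashes": hashes,
            "verified": verified,
        })

    def record_acquisition(self, handler, data, method) -> dict:
        """First entry: the hashes every later verification is compared against."""
        if self.acquisition_hashes is not None:
            raise ValueError("acquisition already recorded; the log is append-only")
        self.acquisition_hashes = hash_evidence(data)
        self._append(handler, "acquired", method, self.acquisition_hashes, True)
        return self.acquisition_hashes

    def verify(self, data) -> bool:
        """True if the data still matches the hashes taken at acquisition."""
        return (self.acquisition_hashes is not None
                and hash_evidence(data) == self.acquisition_hashes)

    def transfer(self, from_handler, to_handler, data, purpose) -> bool:
        """Log a hand-off. The receiver re-hashes; the result is logged either way."""
        hashes = hash_evidence(data)
        ok = hashes == self.acquisition_hashes
        self._append(to_handler, "received", f"from {from_handler}: {purpose}", hashes, ok)
        return ok

    def to_json(self) -> str:
        return json.dumps({
            "evidence_id": self.evidence_id,
            "description": self.description,
            "acquisition_hashes": self.acquisition_hashes,
            "entries": self.entries,
        }, indent=2)


def demo():
    """Acquire, hand off intact, then hand off an altered copy (identifiers are made up)."""
    log = ChainOfCustody("EX-2024-0017-HDD1", "constructed sample image of a seized laptop disk")
    log.record_acquisition("A. Examiner", SAMPLE_EVIDENCE, "dd through write blocker (constructed)")
    intact = log.transfer("A. Examiner", "B. Analyst", SAMPLE_EVIDENCE, "analysis")
    tampered = SAMPLE_EVIDENCE[:-1] + b"!"  # a single changed byte
    altered = log.transfer("B. Analyst", "C. Counsel", tampered, "disclosure")
    return log, intact, altered


if __name__ == "__main__":
    custody_log, intact_ok, altered_ok = demo()
    print(custody_log.to_json())
    print("intact transfer verified:", intact_ok, "| altered transfer verified:", altered_ok)
```

In the field the imaging tool records the hash of the original media and of the image and the examiner compares the two before the original goes into storage; the custody log itself should be stored and backed up separately from the evidence so that a change to the image cannot be hidden by editing the log that describes it.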
Digital forensics can be broadly categorized into the following types:
- Computer forensics
- Network forensics
- Mobile devices forensics
- Database forensics
- Forensic data analysis
- IoT forensics
The most common digital forensics tools include the following:
- FTK Imager
- The Sleuth Kit
- Xplico
- Bulk Extractor
- PALADIN
- Hex Editor Neo
- X-Ways Forensics
- OSForensics
- Wireshark
- Magnet RAM Capture
- Registry Recon
- EnCase
- ProDiscover Forensic
- CAINE
- Volatility Framework