Digital Forensic Investigation

---

Digital forensics (sometimes known as digital forensic science) is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime.

A digital investigation program and capability can vary greatly between organizations. Investigators in small law-enforcement organizations may have a minimum set of skills for collecting and preserving evidence. Even then, their knowledge of information systems may be very limited, and their exposure may be confined to only crimes facilitated by computers rather than true cybercrimes that target computers, services, and data. Officers may not have the opportunity to learn the intricacies of computer networks and master operating systems. As a result, the program objectives for these small organizations may never go beyond evidence collection.

Five steps for conducting digital forensic investigation

The field of computer forensics investigation is growing, especially as law enforcement and legal entities realize just how valuable information technology (IT) professionals are when it comes to investigative procedures. With the advent of cyber crime, tracking malicious online activity has become crucial for protecting private citizens, as well as preserving online operations in public safety, national security, government and law enforcement. Tracking digital activity allows investigators to connect cyber communications and digitally-stored information to physical evidence of criminal activity; computer forensics also allows investigators to uncover premeditated criminal intent and may aid in the prevention of future cyber crimes. For those working in the field, there are five critical steps in computer forensics, all of which contribute to a thorough and revealing investigation.

• Policy and Procedure development: Whether related to malicious cyber activity, criminal conspiracy or the intent to commit a crime, digital evidence can be delicate and highly sensitive. Cybersecurity professionals understand the value of this information and respect the fact that it can be easily compromised if not properly handled and protected. An integral part of the investigative policies and procedures for law enforcement organizations that utilize computer forensic departments is the codification of a set of explicitly-stated actions regarding what constitutes evidence, where to look for said evidence and how to handle it once it has been retrieved. Prior to any digital investigation, proper steps must be taken to determine the details of the case at hand, as well as to understand all permissible investigative actions in relation to the case; this involves reading case briefs, understanding warrants and authorizations and obtaining any permissions needed prior to pursuing the case.
• Evidence Assessment :A key component of the investigative process involves the assessment of potential evidence in cyber crime. Central to the effective processing of evidence is a clear understanding of the details of the case at hand and thus, the classification of cyber crime in question. Prior to conducting an investigation, the investigator must define the types of evidence sought (including specific platforms and data formats) and have a clear understanding of how to preserve pertinent data. The investigator must then determine the source and integrity of such data before entering it into evidence.
• Evidence Acquisition :Perhaps the most critical facet of successful computer forensic investigation is a rigorous, detailed plan for acquiring evidence. Extensive documentation is needed prior to, during, and after the acquisition process; detailed information must be recorded and preserved, including all hardware and software specifications, any systems used in the investigation process, and the systems being investigated. Acquiring evidence must be accomplished in a manner both deliberate and legal. Being able to document and authenticate the chain of evidence is crucial when pursuing a court case, and this is especially true for computer forensics given the complexity of most cybersecurity cases.
• Evidence Examination :In order to effectively investigate potential evidence, procedures must be in place for retrieving, copying, and storing evidence within appropriate databases. Investigators typically examine data from designated archives, using a variety of methods and approaches to analyze information; these could include utilizing analysis software to search massive archives of data for specific keywords or file types, as well as procedures for retrieving files that have been recently deleted. Data tagged with times and dates is particularly useful to investigators, as are suspicious files or programs that have been encrypted or intentionally hidden.
• Documenting and Reporting :In addition to fully documenting information related to hardware and software specs, computer forensic investigators must keep an accurate record of all activity related to the investigation, including all methods used for testing system functionality and retrieving, copying, and storing data, as well as all actions taken to acquire, examine and assess evidence. Not only does this demonstrate how the integrity of user data has been preserved, but it also ensures proper policies and procedures have been adhered to by all parties. As the purpose of the entire process is to acquire data that can be presented as evidence in a court of law, an investigator’s failure to accurately document his or her process could compromise the validity of that evidence and ultimately, the case itself.