Information stored on a device can locate a suspect at the scene of a crime, help uncover motives or show criminal connections. For businesses, many of which have been or will be affected by a cyberattack in the near future, the skills of digital forensics professionals are invaluable in investigations that require the ability to decipher deep technical information. Organizations that hire a digital forensics professional receive first-hand information about their electronic data and how it might be interpreted in court or by an investigator. A digital forensic report provides the court with verified details about an incident and when it occurred. Digital forensics, sometimes called computer forensics or cyber forensics, is a branch of digital science that applies investigative and analytical techniques to collect and preserve evidence from a computing device.
In the United Kingdom, forensic examination of computers in criminal cases is governed by ACPO guidelines. There are also international approaches that provide guidance on the handling of electronic evidence. The Council of Europe’s Guide to Electronic Evidence provides a framework for law enforcement and judicial authorities in countries that wish to establish or improve their own guidelines for identifying and handling electronic evidence. In search of answers, digital forensics experts use their skills and knowledge of all elements of information systems and security to extract all relevant data. This includes a variety of computer hardware and software, network systems, and mobile devices and systems. Digital crime investigation involves the examination of computing devices, including mobile devices, software, network traffic analysis, storage analysis, media analysis, databases, and Internet of Things devices.
Many digital forensics experts are employed by governments or government contractors. The examination of digital media is governed by national and international legislation. Particularly in civil investigations, laws may limit the ability of analysts to conduct investigations. Often, there are restrictions against monitoring networks or eavesdropping on personal communications.
In another case, a Times investigation last year confirmed that 12,667 devices in 33 police departments were awaiting examination. The lengthy investigations show how a digital forensics team is overwhelmed by the sheer security incident response handling volume of digital evidence collected. It is a specialized procedure that involves the analysis of electronically stored information on electronic devices such as desktop computers, laptops and external hard drives.
The need for such software was first recognized in 1989 at the Federal Police Training Center, which led to the development of IMDUMP and, in 1990, SafeBack. Similar programs were developed in other countries; DIBS was launched in the United Kingdom in 1991, and Rob McKemmish provided Fixed Disk Image free of charge to Australian law enforcement agencies. These tools allowed auditors to create an exact copy of a digital disk, leaving the original disk intact for review. In the late 1990s, as demand for digital evidence increased, more advanced commercial tools such as EnCase and FTK were developed that allowed analysts to examine copies of media without the need for live forensic techniques. More recently, the trend toward “live memory forensics” has increased, leading to the availability of tools such as WindowsSCOPE.