Unless you’ve been living under a rock or camping out in a cave in a remote mountain range, you have at least a rudimentary idea of what digital forensics, or, more accurately, digital forensic science, is all about. We’ve all seen NCIS, with Abby and McGee running tests on seized computers and cell phones to collect admissible evidence for the case du jour, and the FBI’s lab techs tracking suspects through their cell phones on Numb3rs. For entertainment, these shows do a fair job of conveying what digital forensics is about, even if real examinations take days or weeks rather than a commercial break.
What is Digital Forensics?
Digital forensic science, or the shorthand version, digital forensics, is a branch of forensic science that evolved in response to the computer revolution. With the advent of personal computing in the late 1970s and early 1980s, stunning new opportunities for crime opened up. As businesses came to rely on the new machines, opportunities for fraud and theft arrived hand-in-hand with the technology. Most people in the computer industry never contemplated abusing it, but there are always “bad apples” untroubled by questions of ethics or by betraying trust, so alongside the computer industry a computer crime industry flourished.
Digital forensics evolved along with computer crime. Just as police used physical forensics to gather evidence, early investigators, often officers who were computer hobbyists themselves, analyzed computers seized from suspects and developed rudimentary tools and processes. Through the late 1990s and 2000s, law enforcement authorities around the world recognized the need for standard processes and tools and set about defining them. Laws also needed updating, both to protect the rights of suspects and to define what digital evidence is admissible.
Types of Digital Forensics
When someone mentions digital forensics, the first thought to pop into mind is computer forensics. After all, digital forensics evolved as a response to computer crime. The field has since grown into five branches as the digital world expanded to include mobile devices, networks, and large bodies of data; the data side is itself split into two areas, forensic data analysis and database forensics.
Computer Forensics
Computer forensics started the science of digital forensics, evolving in response to the wave of computer crime that came with the computer revolution. It involves recovering information from seized devices such as desktop and laptop computers, embedded systems, and storage media (hard drives, USB sticks, memory cards). Information recovered includes log files, personal databases, and electronic documents, and frequently files the user deleted: deleting a file usually removes only the file system’s reference to the data, not the data itself, so it can often be recovered until the space is overwritten.
Mobile Device Forensics
This branch arose in response to the rapid development of mobile (handheld) devices. Cell phones have grown from simple telephones into devices with more computing power, memory and storage than a mainframe of the late 1960s and 1970s that served hundreds of users. Examinations usually concentrate on call records, messages and other communications data rather than on deleted files, although documents and other data carried on the device can be recovered as evidence too. Location information is also available, from onboard GPS and cell-tower records: in real time it lets authorities track suspected kidnappers or trail robbery suspects as they flee, and after the fact it can place a device at a given location and time.
Network Forensics
Network forensics evolved in response to intrusions and malware outbreaks. To benefit from the mobility of our society, a business has to have a network: to authorize credit cards, to maintain a website, to run an online store, to communicate with similar businesses. Those businesses also hold personal information on clients, which, depending on the business, may include sensitive identifiers such as Social Security numbers. As an attack happens, network engineers try to trace it back to its source while limiting the harm it does. Network traffic is transient: unless it is captured (full packet captures, flow records) or logged (firewall, proxy, DNS and intrusion-detection logs) as it crosses the wire, nothing remains to examine afterwards. This makes the branch reactive in nature: evidence must be collected at a point the traffic passes through, a tap, span port or logging device, while the attack is in progress, or there is no evidence.
Forensic Data Analysis
Forensic data analysis is the investigation of structured electronic data, such as spreadsheets and accounting exports, for evidence of fraud or wrongdoing. Analysts look for patterns that are inconsistent with normal business: transactions clustered just under an approval threshold, duplicate or round-number payments, payees whose details match an employee’s, or leading-digit distributions that do not look like naturally occurring figures.
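As an added worked example (not part of the original article), the leading-digit test below applies Benford’s law, a standard forensic data analysis check, to two constructed sets of amounts: a well-behaved control set and a set of expense claims clustered just under a hypothetical 5,000 approval limit. All figures, the payee scenario and the approval limit are made up for illustration.

```python
import math
from collections import Counter

# Benford's law: the leading digit d of naturally occurring figures appears with
# probability log10(1 + 1/d), so 1 leads about 30% of the time and 9 under 5%.
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

# Chi-square critical value for 8 degrees of freedom (nine digits minus one) at p = 0.05.
CHI2_CRITICAL_8DF_P05 = 15.507


def first_digit(amount):
    """Leading non-zero digit of a non-zero amount, e.g. 0.0472 -> 4, 4999.99 -> 4."""
    mantissa = f"{abs(amount):.10e}"  # scientific notation puts the leading digit first
    return int(mantissa[0])


def first_digit_counts(amounts):
    """Count leading digits, ignoring zero amounts (they have no leading digit)."""
    counts = Counter(first_digit(a) for a in amounts if a != 0)
    return {d: counts.get(d, 0) for d in range(1, 10)}


def chi_square(counts):
    """Pearson chi-square statistic of the observed digit counts against Benford."""
    n = sum(counts.values())
    return sum((counts[d] - n * BENFORD[d]) ** 2 / (n * BENFORD[d]) for d in range(1, 10))


def analyze(amounts, critical=CHI2_CRITICAL_8DF_P05):
    """Profile a set of amounts and flag it if its leading digits depart from Benford."""
    counts = first_digit_counts(amounts)
    n = sum(counts.values())
    stat = chi_square(counts)
    return {
        "n": n,
        "observed_pct": {d: round(100 * counts[d] / n, 1) for d in counts},
        "expected_pct": {d: round(100 * p, 1) for d, p in BENFORD.items()},
        "chi_square": round(stat, 2),
        "suspicious": stat > critical,
    }


# Constructed control set: 900 amounts spread evenly in log space from 10 to 10,000.
# Figures that span several orders of magnitude like this are what Benford describes.
CONTROL_AMOUNTS = [10 ** (1 + i / 300) for i in range(900)]

# Constructed suspect set: expense claims by one employee, most of them sitting just
# under a hypothetical 5,000 approval limit, plus a handful of ordinary claims.
SUSPECT_CLAIMS = [4500 + (i * 37) % 500 for i in range(100)] + [
    120.00, 86.40, 1750.00, 233.10, 64.99, 3120.00, 15.20, 900.00, 45.00, 2210.00,
]

if __name__ == "__main__":
    for label, data in (("control", CONTROL_AMOUNTS), ("suspect", SUSPECT_CLAIMS)):
        result = analyze(data)
        verdict = "departs from Benford" if result["suspicious"] else "conforms"
        print(f"{label}: n={result['n']} chi-square={result['chi_square']} {verdict}")
```

Benford’s law only applies to figures that arise naturally and span several orders of magnitude (payments, invoice totals, populations); it says nothing about assigned numbers such as invoice IDs, phone numbers or catalogue prices, and a failed test is a reason to look closer, not proof of fraud.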
Database Forensics
Database forensics is the investigation of databases, including their metadata. Contents, transaction and log files, and data still resident in memory are all analyzed to produce a timeline of criminal activity or evidence of fraud. Deleted records are recovered where necessary to substantiate the timeline; this is often possible because a database engine typically marks a deleted row’s space as free rather than overwriting it, so the old contents remain in the file until the space is reused.
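As an added example (not from the original article), the script below shows the kind of recovery the paragraph describes against a SQLite database. It builds a constructed payments ledger in a temporary file, deletes one row the way a user would, reads the file header metadata an examiner records first, then compares what the engine reports with what a raw scan of the file still contains. The table name, payees, amounts and notes are all invented.

```python
import os
import sqlite3
import struct
import tempfile

# Constructed scenario (not from the article): a payments ledger in SQLite from which
# one incriminating row has been deleted. Payees, amounts and notes are made up.
LEDGER_ROWS = [
    ("Acme Supplies", 1200.00, "invoice 2231"),
    ("Northwind Ltd", 860.50, "invoice 2232"),
    ("J. Doe Consulting", 4950.00, "wire to personal account"),
    ("Contoso", 410.00, "invoice 2233"),
]
DELETED_PAYEE = "J. Doe Consulting"
DELETED_NOTE = "wire to personal account"


def build_ledger(path):
    """Create the database, then delete the suspect row the way a user would."""
    con = sqlite3.connect(path)
    # Most builds default to secure_delete=OFF; setting it explicitly keeps the demo
    # deterministic. With secure_delete=ON the engine would zero the freed bytes.
    con.execute("PRAGMA secure_delete = OFF")
    con.execute("PRAGMA journal_mode = DELETE")  # no WAL file holding a second copy
    con.execute("CREATE TABLE payments(id INTEGER PRIMARY KEY, payee TEXT, amount REAL, note TEXT)")
    con.executemany("INSERT INTO payments(payee, amount, note) VALUES (?, ?, ?)", LEDGER_ROWS)
    con.commit()
    con.execute("DELETE FROM payments WHERE payee = ?", (DELETED_PAYEE,))
    con.commit()
    con.close()


def live_payees(path):
    """What the database engine reports: the deleted row is simply gone."""
    con = sqlite3.connect(path)
    try:
        return [row[0] for row in con.execute("SELECT payee FROM payments ORDER BY id")]
    finally:
        con.close()


def header_metadata(path):
    """Parse the 100-byte SQLite file header (the metadata an examiner records first)."""
    with open(path, "rb") as f:
        hdr = f.read(100)
    page_size = struct.unpack(">H", hdr[16:18])[0]  # big-endian; value 1 means 65536
    encoding = {1: "UTF-8", 2: "UTF-16le", 3: "UTF-16be"}.get(struct.unpack(">I", hdr[56:60])[0])
    return {
        "magic_ok": hdr[:16] == b"SQLite format 3\x00",
        "page_size": 65536 if page_size == 1 else page_size,
        "text_encoding": encoding,
    }


def carve_strings(path, needles):
    """Scan the raw file for text the engine no longer returns. SQLite only marks a
    deleted cell's space as a freeblock; the payload bytes stay until reused."""
    with open(path, "rb") as f:
        raw = f.read()
    return {needle: raw.find(needle.encode("utf-8")) != -1 for needle in needles}


def investigate():
    """Run the whole scenario in a temp dir and return what the examiner found."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ledger.db")
        build_ledger(path)
        return {
            "live": live_payees(path),
            "header": header_metadata(path),
            "carved": carve_strings(path, [DELETED_PAYEE, DELETED_NOTE]),
        }


if __name__ == "__main__":
    found = investigate()
    print("live rows:", found["live"])
    print("header:", found["header"])
    print("carved from raw file:", found["carved"])
```

Running it lists three live payees while both the deleted payee and its note are still found in the raw file. The same principle applies to other engines and to whole freed pages; recovery fails once the space has been reused or `secure_delete` is on, which is why an examiner images the file before anyone else touches it.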
Digital forensics is the new sheriff in town, the one who popped up in response to the new field of computer crime. It is an exciting, relevant area of study, and people proficient in it are in high demand. Degrees are offered in digital forensics and cyber security at many prestigious colleges and universities. If you have an inquisitive mind and a tenacious nature, this could be your own field of dreams – why not check it out?