Thursday, September 11, 2008

What is digital forensics?

Below is an excerpt from an article I wrote for an upcoming issue of NC Jury View.

Whenever I speak with an attorney for the first time, two questions invariably come up: “What can you do?” and “What can you do for me?”

It would seem that both questions are easy to answer, but in reality they are not. Here’s why. Let’s say that you are talking to an architect and ask her the same two questions.

Since everyone already has an idea of what an architect does and what a house is, including the things normally included in a house such as kitchens, baths and bedrooms, it is simple to reply, “I can design houses,” followed by “I can design a custom house for you.”

The challenge is that few people know what digital forensics is, and for the most part, don’t really have any idea of the inner workings of a computer or digital camera or a cell phone.

So, let’s begin at the beginning: What is digital forensics?

Digital forensics is the acquisition, preservation, analysis and presentation of electronically stored information.

Acquisition is where the chain of custody begins and where there is the most danger of destroying or missing evidence. The actual task of acquisition is physically collecting potential sources of electronic evidence and then copying the data from an electronic storage device such as a computer hard drive, USB drive, media card or from a cell phone in a forensically sound manner.

Making a forensic copy of a hard drive or other electronic media is not the same as making a backup or a normal copy. A forensic copy will capture all of the data on the device, including deleted data and hidden data. A backup copy or a normal copy will not. This is where people get themselves into trouble by relying on their local computer guy to make a copy. Unless your local computer guy has the forensic tools and training, he is not going to get an exact copy of all the data and he is very likely to destroy evidence in the process. The copy your local computer guy makes will probably not stand up in court under the best evidence rules if the other side has someone to challenge it.

Preservation of the evidence is simply making absolutely certain that the original is not modified in any way and is protected from being modified, either intentionally or inadvertently. This process also happens prior to and during the acquisition of the evidence. Preserving the original is critical in order to comply with accepted standards and the Federal Rules of Evidence.

Analysis is the stage that most everyone is primarily interested in. However, before the analysis phase of the examination takes place, rules will normally have been set that govern the scope of the examination, and those rules depend on which side of the case the examiner is on: prosecution or defense, plaintiff or defendant.

Is this a private search or a government search? Does it fall under the rules of Fourth Amendment searches or under the rules of the Electronic Communications Privacy Act?

Depending on the type of case, what the examiner can look for in the evidence may be restricted by a search warrant or by a judge or by a non-disclosure agreement. Even if this is an examination in a civil or domestic case prior to any litigation, privacy issues must be dealt with and the examiner must be cognizant of and abide by the rules of the law governing searches and disclosure.

Once the above have been decided, the forensics examiner then uses forensic tools and knowledge to recover data from the acquired evidence: data such as internet history, web pages, email, pictures, documents, spreadsheets and anything else of interest. In the case of cell phones, that includes call logs, text messages, ringtones, contact lists, calendars, pictures and videos.
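The difference between a normal copy and a forensic copy, and the hash check that preservation relies on, can be shown on a small constructed device. The script below is an added illustration, not code from the article: it builds a toy 4 KiB "drive" with a simple allocation table, a live file, a deleted file whose bytes were never wiped, and file slack left over from an older file. A logical copy (what a file-by-file copy produces) returns only the live files; a bit-for-bit image captures every block, is hashed at acquisition so later changes can be detected, and lets the examiner recover the deleted and slack data that the logical copy never saw. The block layout, table format and sample contents are all assumptions made for the example.

```python
import hashlib
import re

BLOCK = 512    # constructed block size for the toy device
NBLOCKS = 8    # 8 blocks = 4 KiB "drive"


def _pad(data: bytes, size: int = BLOCK) -> bytes:
    """Zero-fill a block out to BLOCK bytes (assumed fresh-device behaviour)."""
    return data + b"\x00" * (size - len(data))


def build_sample_media() -> bytes:
    """Constructed sample device. Block 0 is an allocation table with one
    'name:block:length' line per live file; the other blocks hold data.
    The 'deleted' draft stays in block 2 and is simply dropped from the
    table, which is how deletion behaves on real media."""
    memo = b"Quarterly numbers are fine."
    draft = b"DRAFT: the numbers in the memo were adjusted."  # deleted file
    notes = b"Meeting at 3pm."
    # Block 3 once held a longer file; only 'notes' was written over the
    # front, so the tail of the old content survives as file slack.
    old_tail = b"old password list: swordfish"
    block3 = _pad(notes + b"\x00" * 32 + old_tail)
    table = b"memo.txt:1:%d\nnotes.txt:3:%d\n" % (len(memo), len(notes))
    blocks = [_pad(table), _pad(memo), _pad(draft), block3]
    blocks += [_pad(b"")] * (NBLOCKS - len(blocks))
    return b"".join(blocks)


def parse_table(media: bytes) -> dict:
    """Return {name: (block, length)} from the allocation table in block 0."""
    entries = {}
    for line in media[:BLOCK].rstrip(b"\x00").split(b"\n"):
        if line:
            name, blk, length = line.split(b":")
            entries[name.decode()] = (int(blk), int(length))
    return entries


def logical_copy(media: bytes) -> dict:
    """A 'normal copy': only live files, only up to their declared length."""
    out = {}
    for name, (blk, length) in parse_table(media).items():
        start = blk * BLOCK
        out[name] = media[start:start + length]
    return out


def forensic_image(media: bytes) -> tuple:
    """Bit-for-bit image of every block, plus the SHA-256 of the source
    recorded at acquisition time for later integrity checks."""
    image = b"".join(media[i:i + BLOCK] for i in range(0, len(media), BLOCK))
    digest = hashlib.sha256(media).hexdigest()
    return image, digest


def verify_image(image: bytes, acquisition_hash: str) -> bool:
    """Preservation check: re-hash the image and compare with the hash
    recorded at acquisition. Any changed bit makes this fail."""
    return hashlib.sha256(image).hexdigest() == acquisition_hash


def recover_unallocated(image: bytes) -> list:
    """Pull printable strings out of blocks no live file references
    (deleted data) and out of the bytes past each live file's end (slack)."""
    live = parse_table(image)
    found = []
    for blk in range(1, NBLOCKS):
        data = image[blk * BLOCK:(blk + 1) * BLOCK]
        owners = [length for (b, length) in live.values() if b == blk]
        if owners:
            data = data[owners[0]:]   # skip the live bytes, keep only slack
        for m in re.finditer(rb"[\x20-\x7e]{8,}", data):
            found.append(m.group().decode())
    return found


if __name__ == "__main__":
    media = build_sample_media()
    print("logical copy sees:", sorted(logical_copy(media)))
    image, digest = forensic_image(media)
    print("image verified:", verify_image(image, digest))
    print("recovered from image:", recover_unallocated(image))
```

Running the script shows the logical copy listing only memo.txt and notes.txt, the image verifying against its acquisition hash, and the deleted draft and the slack remnant coming back only from the full image. Flipping a single byte of the image makes verify_image return False, which is the point of hashing at acquisition: it gives the examiner a way to demonstrate in court that what was analysed is exactly what was collected.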

Presentation is the final stage of the examination and involves presenting the findings of the examination to the client. Depending on the situation, the presentation of the findings may include detailed written reports with supporting data, and in some cases, testimony in a court of law.

A competent digital forensics examiner will always approach every stage of the process with the intention of having to defend his findings via testimony in a court of law, in the presence of an opposing expert, even if the possibility of litigation is slim.
