A Brief Introduction to Digital Forensics

While most organizations realize that the integrity and security of electronic devices and digital data is more important than ever before, it’s becoming increasingly important that they prioritize the ability to understand, comprehend, examine, and investigate events related to their digital assets. As recent accounts illustrate, companies face dire consequences if they do not take great care when considering not only the security of their data, but also the implementation of their security programs.  Critical to this initiative is the field of digital forensics.  The term forensics in and of itself can refer to anything related to, used in, or suitable for a court of law (American Academy of Forensic Sciences, n.d.).  Traditional forensics has focused on gathering and preserving evidence, investigating events, and determining the best way to present gathered information in a court of law.  Digital forensics, therefore, serves two purposes:  analyzing digital evidence related to an event or crime that occurred in the physical world – for example, the emails of a suspected terrorist; and investigating crime that inherently involved information systems – for example, hackers accessing unauthorized data (Garfinkel, 2013). 

Description of Digital Forensics

Photo by  João Silas  on  Unsplash

Photo by João Silas on Unsplash

Digital Forensics can be defined as the discovery and examination of all evidence located on all things electronic or digital, including computers, mobile devices, networks, and even video game consoles (Garfinkel, 2013).  As electronic devices and their associated digital storage are more commonplace than ever before, it is easy to see how their involvement in crime or other undesired events must be considered during any investigation.  For example, when considering bank fraud, it would literally be impossible to accomplish without leaving some digital traces.  For that reason, it is imperative that investigators have the appropriate tools, methods, and knowledge to gather digital evidence, present digital evidence in court, and prove that the evidence is authentic. 

Similarly, the advent of mobile devices such as smart phones, tablets, and other portable devices have made digital forensics critical to the investigation of crimes that do not occur directly through the use of electronics.  For example, a robbery may be captured on video by a passerby using the camera on their smart phone and could therefore be presented as evidence.  In fact, even text message history can be used as evidence if it is collected and obtained in the correct manner.  Text message history is often used to determine intent, timelines, and other facts of any given case, such as drug dealing.

Business Value of Digital Forensics

When implemented properly, a Digital Forensics program can deliver incredible business value.  It is certain that a company will encounter a breach of policy, law, or regulation at some point throughout its course of business.  When a negative event occurs, the impact it will have on the overall business operations is directly related to the ability of the company to collect, preserve, and authenticate evidence while investigating the occurrence.  Just as society must have the means to police itself and its citizens, so too must a business possess the tools to investigate negative situations and take actions to rectify them moving forward.

Consider the example of a manufacturing company that produces parts for an airplane.  If any of the parts were to fail during a flight test for any reason, the company must be able to trace the error back to its origin and resolve the manufacturing issue. As the entire manufacturing process is now digitized, this will require analyzing and investigating digital processes and data to determine which process or resource failed and address it.  For example, if the part was designated as passing its quality assurance test, even though the test value was outside of tolerance, then the digital records would show that the test value was incorrectly entered by an employee.  Simply having the means in place to trace and troubleshoot issues like this internally before they become far more impactful (such as if the faulty part were to make it into production aircraft) can save companies money and resources, as well as protect human lives.

In addition to helping protect and recover corporate data and processes, digital forensics can also be used to examine and prove when something did not occur (Garfinkel, 2013).  For example, if a data breach were to occur, a company could face severe financial consequences, in addition to permanent damage to its reputation and brand.  By using digital forensics, however, a company could potentially show that the exposed data was not confidential or sensitive in nature – thereby lessening the impact of the breach. 

Digital Forensics Methodology

Photo by  Bill Oxford  on  Unsplash

Photo by Bill Oxford on Unsplash

The preservation of evidence is critical to digital forensics. Central to this concept is evidentiary material, which can be defined as any items that have the potential to become evidence once formally admitted in a court of law (Whitman & Mattord, 2017). If evidentiary material is collected in such a way that a portion, no matter how small, of its data has been altered, lost, or damaged, a crafty defense team can make a convincing argument that the evidence is false or not admissible.

For this reason, it is imperative that those charged with collecting the potential evidence do so in a way that will avoid any potential legal pitfalls or open the door for questions around its authenticity or integrity. Whitman and Mattord (2017) recommend that any digital forensic activities utilize a methodology consisting of the following steps:

            1)      Identify relevant items of evidentiary value

            2)      Acquire the evidence without alteration or damage

            3)      Take steps to ensure that the evidence can be verified as authentic and unaltered.

            4)      Analyze the data without risking modification or unauthorized access.

            5)      Report the findings to the proper authority.

Perhaps the most important of these steps when considering preservation of evidence is the way in which one can verify the evidence as authentic. One such way is by utilizing a third party service with the expertise to properly collect, verify, analyze, and report their findings while keeping the chain of custody and authenticity of the data intact. These firms will often use specialized tools, software packages, and complex algorithms to accomplish their tasks. It also helps that bringing in a 3rd party will eliminate the perception of bias associated with digital forensic activities being conducted internally.

References

American Academy of Forensic Sciences. (n.d.). Retrieved May 5, 2018, from https://www.aafs.org/students/choosing-a-career/what-is-forensic-science/

Garfinkel, S. L. (2013). Digital forensics. American Scientist, 101(5), 370-377.

Whitman, M., & Mattord, H.J. (2017).  Management of information security.  Boston, MA: Cengage Learning.

Further Reading in Information Security: