A formal definition of digital forensics is provided in the glossary. The terms digital forensics and computer forensics are used interchangeably in a variety of documents.
1.1 Digital Forensics and the Law
There are several legal precedents that regulate the presentation of forensic evidence in court proceedings. The standard is set by the Fourth Amendment (1791), which preserves the rights to secure person and property from search and seizure (see Summary section).
Additionally, the following acts also regulate digital forensic evidence:
1. The Stored Communications Act (18 U.S.C. § 2703(a)) regulates law enforcement officials' access to stored communications older than 180 days.
The defendants in the case Crispin v. Christian Audigier argued that social media content could also be protected by the Stored Communications Act (SCA). This is so even though the SCA became law in 1986, before the advent of social media.
2. The Electronic Communications Privacy Act of 1986 further regulates the use of wiretaps on telephones and computers.
3. The 1978 Foreign Intelligence Surveillance Act (FISA)
FISA regulates electronic surveillance of foreign powers and their agents. (By extension, the FISA Court also exists in the United States.) In 2005, the National Security Agency was authorized to monitor and collect electronic communications from sources outside the United States. However, it was uncovered that sources within the USA were being targeted as well (Risen & Lichtblau, 2005).
Uses of Digital Forensics
Digital forensics can be used in a variety of settings, including criminal investigations, civil litigation, intelligence, and administrative matters.
1.2 Definition of Digital Forensics
According to EC-Council (2017), the overall objective of all digital forensic phases (preservation, identification, extraction, interpretation, and documentation) is to detect a computer incident, identify the intruder, and prosecute the perpetrator in a court of law.
1.3 Objectives of Computer Forensics
EC-Council (2017) describes the overall objective of all computer forensic phases (preservation, identification, extraction, interpretation, and documentation) as to detect a computer incident, identify the intruder, and prosecute the perpetrator in a court of law.
It states that the main objectives of computer forensics can be summarized as follows:
- To recover, analyze, and preserve the computer and related materials in a manner that can be presented as evidence in a court of law
- To identify the evidence in a short amount of time, estimate the potential impact of the malicious activity on the victim, and assess the intent and identity of the perpetrator
1.4 Digital Forensics Methodologies
The first volume of the four-volume set of books from EC-Council (2017) provides a gentle introduction to computer forensics. It states that the methodologies involved in computer forensics may differ depending upon the procedures, resources, and target company.
Forensic tools, it states, enable the forensic examiner to recover deleted files, hidden files, and temporary data that the user may not locate.
Further, it informs us that computer forensic methodologies consist of the following basic activities:
- Preservation: The forensic investigator must preserve the integrity of the original evidence. The original evidence should not be modified or damaged. The forensic examiner must make an image or a copy of the original evidence and then perform the analysis on that image or copy. The examiner must also compare the copy with the original evidence to identify any modifications or damage.
- Identification: Before starting the investigation, the forensic examiner must identify the evidence and its location. For example, evidence may be contained in hard disks, removable media, or log files. Every forensic examiner must understand the difference between actual evidence and evidence containers. Locating and identifying information and data is a challenge for the digital forensic investigator. Various examination processes such as keyword searches, log file analyses, and system checks help an investigation.
- Extraction: After identifying the evidence, the examiner must extract data from it. Since volatile data can be lost at any point, the forensic investigator must extract this data from the copy made from the original evidence. This extracted data must be compared with the original evidence and analyzed.
- Interpretation: The most important role a forensic examiner plays during investigations is to interpret what he or she has actually found. The analysis and inspection of the evidence must be interpreted in a lucid manner.
- Documentation: From the beginning of the investigation until the end (when the evidence is presented before a court of law), forensic examiners must maintain documentation relating to the evidence. The documentation comprises the chain-of-custody form and documents relating to the evidence analysis.
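The preservation, identification, and documentation activities above can be seen end to end in a small script. The following is an added example written for this page; it is not EC-Council's code or procedure. It writes a constructed "evidence" file, acquires a byte-for-byte image, verifies the image against the original with SHA-256, runs a keyword search on the image rather than the original, and appends every step to a chain-of-custody log. The file names, examiner name, case number, and sample content are all assumptions for illustration only, and `shutil.copyfile` stands in for a write-blocked imaging tool.

```python
"""Added example (not from EC-Council or the original page): acquire, verify,
search and document a constructed evidence file. All names and paths are
assumptions for illustration only."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so large images never load into memory


def sha256_file(path):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(original, image):
    """Copy the original byte-for-byte to `image` and return the image's hash.
    shutil.copyfile stands in for a write-blocked imaging tool (assumption)."""
    shutil.copyfile(original, image)
    return sha256_file(image)


def verify_image(original, image):
    """Preservation check: the copy must hash identically to the original."""
    return sha256_file(original) == sha256_file(image)


def keyword_search(image, keywords):
    """Identification step, run on the image only: count each keyword's hits."""
    with open(image, "rb") as f:
        data = f.read()
    return {k: data.count(k.encode()) for k in keywords}


class ChainOfCustody:
    """Append-only record of who handled the evidence, when, and what was done."""

    def __init__(self, case_id):
        self.case_id = case_id
        self.entries = []

    def record(self, examiner, action, item, digest):
        entry = {
            "case_id": self.case_id,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "examiner": examiner,
            "action": action,
            "item": item,
            "sha256": digest,
        }
        self.entries.append(entry)
        return entry

    def to_json(self):
        return json.dumps(self.entries, indent=2)


def run_workflow(workdir=None):
    """Acquire, verify, search and document a constructed evidence file."""
    workdir = workdir or tempfile.mkdtemp(prefix="df_example_")
    original = os.path.join(workdir, "suspect_drive.bin")  # constructed sample
    image = os.path.join(workdir, "suspect_drive.img")     # working copy
    with open(original, "wb") as f:
        # constructed log-like content; the address is a documentation range
        f.write(b"auth.log: failed login for admin from 203.0.113.5\n" * 8)

    coc = ChainOfCustody(case_id="CASE-0001")  # placeholder case number
    orig_hash = sha256_file(original)
    coc.record("Examiner A", "hashed original", original, orig_hash)
    img_hash = acquire_image(original, image)
    coc.record("Examiner A", "acquired image", image, img_hash)
    verified = verify_image(original, image)
    coc.record("Examiner A", "verified image against original", image, img_hash)
    hits = keyword_search(image, ["failed login", "admin", "203.0.113.5"])
    coc.record("Examiner A", "keyword search on image", image, img_hash)

    return {
        "original": original, "image": image, "verified": verified,
        "original_sha256": orig_hash, "image_sha256": img_hash,
        "hits": hits, "log": coc.to_json(), "entries": len(coc.entries),
    }


def tamper_and_verify(original, image):
    """Shows why the hash is kept: appending a single byte to the image makes
    verify_image fail, so any change after acquisition is detected."""
    with open(image, "ab") as f:
        f.write(b"\x00")
    return verify_image(original, image)


if __name__ == "__main__":
    result = run_workflow()
    print(json.dumps({k: v for k, v in result.items() if k != "log"}, indent=2))
    print(result["log"])
```

The hashes recorded in the log are what later lets a court or an opposing expert confirm that the analyzed copy is the evidence that was seized; re-running `sha256_file` on the preserved original at any point should still match the first log entry.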
1.5 Cyber Crime
Cyber crime is defined as “any illegal act that involves a computer, its systems, or its applications.”
Cyber crimes are generally categorized by the following information:
- Tools of the crime: The tools of the crime are the evidence that the forensic investigator must analyze, process, and document. This may include various hacking tools used to commit the crime or the computer/workstation where the crime was committed. Forensic investigators usually take the entire system used, including hardware such as the keyboard, mouse, and monitor.
- Target of the crime: The target of the crime is the victim. The victim is most often a corporate organization, Web site, consulting agency, or government body. The target of the crime is also usually where the computer forensic investigator examines the crime scene. Since investigators are mainly dealing with digital rather than physical evidence, this can often be a virtual environment. Cyber crimes include the following:
- Crimes directed against a computer
- Crimes in which the computer contains evidence
- Crimes in which the computer is used as a tool to commit the crime
1.6 Locard’s Exchange Principle
Locard’s exchange principle says that in the physical world, whenever perpetrators enter or leave a crime scene, they will leave something behind and take something with them. Examples include DNA, latent prints, hair, and fibers.
The same holds true in digital forensics. Registry keys and log files can serve as the digital equivalent of hair and fiber. As with DNA, the ability to detect and analyze these artifacts relies heavily on the technology available at the time. Viewing a device or incident through Locard's principle can be very helpful in locating and interpreting both physical and digital evidence.
References
- Neubauer, D.W. & Fradella, H.F. (2017). America’s Courts and the Criminal Justice System, 17th Edition. Cengage, Boston.
- Risen, J., & Lichtblau, E. (2005, Dec 16). Bush Lets U.S. Spy on Callers Without Courts. Retrieved from NewYorkTimes.com: http://www.nytimes.com/2005/12/16/politics/bush-lets-us-spy-on-callers-without-courts.html
- Ritzer, G. & Stepnisky, J. (2017). Sociological Theory. Sage Publishing, California.
- Sammons, J. (2012). The Basics of Digital Forensics: The Primer for Getting Started in Digital Forensics. Syngress, Massachusetts.
- Thomas, J.H. & Bossler. (2016). Cybercrime in Progress. Routledge, New York.
- EC-Council. (2017). Computer Forensics: Investigation Procedures and Response, 2nd Edition. Cengage Learning. ISBN 9781305883475, 1305883470.
- Zatyko, K. (2007). Commentary: Defining Digital Forensics. Retrieved February 14, 2018, from https://www.forensicmag.com/article/2007/01/commentary-defining-digital-forensics