Digital forensics

Last updated

in air pictures of FLETC, where US digital forensics standards were developed in the 1980s and '90s FLETC Glynco-aerial.gif
in air pictures of FLETC, where US digital forensics standards were developed in the 1980s and '90s

Digital forensics (sometimes known as digital forensic science) is a branch of forensic science encompassing the recovery, investigation, examination, and analysis of material found in digital devices, often in relation to mobile devices and computer crime. [1] [2] The term "digital forensics" was originally used as a synonym for computer forensics but has expanded to cover investigation of all devices capable of storing digital data. [1] With roots in the personal computing revolution of the late 1970s and early 1980s, the discipline evolved in a haphazard manner during the 1990s, and it was not until the early 21st century that national policies emerged.

Contents

Digital forensics investigations have a variety of applications. The most common is to support or refute a hypothesis before criminal or civil courts. Criminal cases involve the alleged breaking of laws that are defined by legislation and enforced by the police and prosecuted by the state, such as murder, theft, and assault against the person. Civil cases, on the other hand, deal with protecting the rights and property of individuals (often associated with family disputes), but may also be concerned with contractual disputes between commercial entities where a form of digital forensics referred to as electronic discovery (ediscovery) may be involved.

Forensics may also feature in the private sector, such as during internal corporate investigations or intrusion investigations (a special probe into the nature and extent of an unauthorized network intrusion).

The technical aspect of an investigation is divided into several sub-branches related to the type of digital devices involved: computer forensics, network forensics, forensic data analysis, and mobile device forensics. [3] The typical forensic process encompasses the seizure, forensic imaging (acquisition), and analysis of digital media, followed with the production of a report of the collected evidence.

As well as identifying direct evidence of a crime, digital forensics can be used to attribute evidence to specific suspects, confirm alibis or statements, determine intent, identify sources (for example, in copyright cases), or authenticate documents. [4] Investigations are much broader in scope than other areas of forensic analysis (where the usual aim is to provide answers to a series of simpler questions), often involving complex time-lines or hypotheses. [5]

History

Prior to the 1970s, crimes involving computers were dealt with using existing laws. The first computer crimes were recognized in the 1978 Florida Computer Crimes Act, [6] which included legislation against the unauthorized modification or deletion of data on a computer system. [7] Over the next few years, the range of computer crimes being committed increased, and laws were passed to deal with issues of copyright, privacy/harassment (e.g., cyber bullying, happy slapping, cyber stalking, and online predators), and child pornography. [8] [9] It was not until the 1980s that federal laws began to incorporate computer offences. Canada was the first country to pass legislation in 1983. [7] This was followed by the US Federal Computer Fraud and Abuse Act in 1986, Australian amendments to their crimes acts in 1989, and the British Computer Misuse Act in 1990. [7] [9]

1980s–1990s: Growth of the field

The growth in computer crime during the 1980s and 1990s caused law enforcement agencies to begin establishing specialized groups, usually at the national level, to handle the technical aspects of investigations. For example, in 1984, the FBI launched a Computer Analysis and Response Team and the following year a computer crime department was set up within the British Metropolitan Police fraud squad. As well as being law enforcement professionals, many of the early members of these groups were also computer hobbyists and became responsible for the field's initial research and direction. [10] [11]

One of the first practical (or at least publicized) examples of digital forensics was Cliff Stoll's pursuit of hacker Markus Hess in 1986. Stoll, whose investigation made use of computer and network forensic techniques, was not a specialized examiner. [12] Many of the earliest forensic examinations followed the same profile. [13]

Throughout the 1990s, there was high demand for these new, and basic, investigative resources. The strain on central units lead to the creation of regional, and even local, level groups to help handle the load. For example, the British National Hi-Tech Crime Unit was set up in 2001 to provide a national infrastructure for computer crime, with personnel located both centrally in London and with the various regional police forces (the unit was folded into the Serious Organised Crime Agency (SOCA) in 2006). [11]

During this period, the science of digital forensics grew from the ad-hoc tools and techniques developed by these hobbyist practitioners. This is in contrast to other forensics disciplines, which developed from work by the scientific community. [1] [14] It was not until 1992 that the term "computer forensics" was used in academic literature (although prior to this, it had been in informal use); a paper by Collier and Spaul attempted to justify this new discipline to the forensic science world. [15] [16] This swift development resulted in a lack of standardization and training. In his 1995 book, High-Technology Crime: Investigating Cases Involving Computers, K. Rosenblatt wrote the following:

Seizing, preserving, and analyzing evidence stored on a computer is the greatest forensic challenge facing law enforcement in the 1990s. Although most forensic tests, such as fingerprinting and DNA testing, are performed by specially trained experts the task of collecting and analyzing computer evidence is often assigned to patrol officers and detectives. [17]

2000s: Developing standards

Since 2000, in response to the need for standardization, various bodies and agencies have published guidelines for digital forensics. The Scientific Working Group on Digital Evidence (SWGDE) produced a 2002 paper, Best practices for Computer Forensics, this was followed, in 2005, by the publication of an ISO standard (ISO 17025, General requirements for the competence of testing and calibration laboratories). [7] [18] [19] A European-led international treaty, the Convention on Cybercrime, came into force in 2004 with the aim of reconciling national computer crime laws, investigative techniques, and international co-operation. The treaty has been signed by 43 nations (including the US, Canada, Japan, South Africa, UK, and other European nations) and ratified by 16.

The issue of training also received attention. Commercial companies (often forensic software developers) began to offer certification programs, and digital forensic analysis was included as a topic at the UK specialist investigator training facility, Centrex. [7] [11]

In the late 1990s, mobile devices became more widely available, advancing beyond simple communication devices, and were found to be rich forms of information, even for crime not traditionally associated with digital forensics. [20] Despite this, digital analysis of phones has lagged behind traditional computer media, largely due to problems over the proprietary nature of devices. [21]

Focus has also shifted onto internet crime, particularly the risk of cyber warfare and cyberterrorism. A February 2010 report by the United States Joint Forces Command concluded the following:

Through cyberspace, enemies will target industry, academia, government, as well as the military in the air, land, maritime, and space domains. In much the same way that airpower transformed the battlefield of World War II, cyberspace has fractured the physical barriers that shield a nation from attacks on its commerce and communication. [22]

The field of digital forensics still faces unresolved issues. A 2009 paper, "Digital Forensic Research: The Good, the Bad and the Unaddressed" by Peterson and Shenoi, identified a bias towards Windows operating systems in digital forensics research. [23] In 2010, Simson Garfinkel identified issues facing digital investigations in the future, including the increasing size of digital media, the wide availability of encryption to consumers, a growing variety of operating systems and file formats, an increasing number of individuals owning multiple devices, and legal limitations on investigators. The paper also identified continued training issues, as well as the prohibitively high cost of entering the field. [12]

Development of forensic tools

During the 1980s, very few specialized digital forensic tools existed. Consequently, investigators often performed live analysis on media, examining computers from within the operating system using existing sysadmin tools to extract evidence. This practice carried the risk of modifying data on the disk, either inadvertently or otherwise, which led to claims of evidence tampering. A number of tools were created during the early 1990s to address the problem.

The need for such software was first recognized in 1989 at the Federal Law Enforcement Training Center, resulting in the creation of IMDUMP [24] (by Michael White) and in 1990, SafeBack [25] (developed by Sydex). Similar software was developed in other countries; DIBS (a hardware and software solution) was released commercially in the UK in 1991, and Rob McKemmish released Fixed Disk Image free to Australian law enforcement. [10] These tools allowed examiners to create an exact copy of a piece of digital media to work on, leaving the original disk intact for verification. By the end of the 1990s, as demand for digital evidence grew, more advanced commercial tools such as EnCase and FTK were developed, allowing analysts to examine copies of media without using any live forensics. [7] More recently, a trend towards "live memory forensics" has grown, resulting in the availability of tools such as WindowsSCOPE.

More recently, the same progression of tool development has occurred for mobile devices; initially investigators accessed data directly on the device, but soon specialist tools such as XRY or Radio Tactics Aceso appeared. [7]

Forensic process

A portable Tableau write-blocker attached to a hard drive Portable forensic tableau.JPG
A portable Tableau write-blocker attached to a hard drive

A digital forensic investigation commonly consists of 3 stages:

Acquisition does not normally involve capturing an image of the computer's volatile memory (RAM) unless this is done as part of an incident response investigation. [28] Typically the task involves creating an exact sector level duplicate (or "forensic duplicate") of the media, often using a write blocking device to prevent modification of the original. However, the growth in size of storage media and developments such as cloud computing [29] have led to more use of 'live' acquisitions whereby a 'logical' copy of the data is acquired rather than a complete image of the physical storage device. [26] Both acquired image (or logical copy) and original media/data are hashed (using an algorithm such as SHA-1 or MD5) and the values compared to verify the copy is accurate. [30]

An alternative (and patented) approach (that has been dubbed 'hybrid forensics' [31] or 'distributed forensics' [32] ) combines digital forensics and ediscovery processes. This approach has been embodied in a commercial tool called ISEEK that was presented together with test results at a conference in 2017. [31]

During the analysis phase an investigator recovers evidence material using a number of different methodologies and tools. In 2002, an article in the International Journal of Digital Evidence referred to this step as "an in-depth systematic search of evidence related to the suspected crime." [1] In 2006, forensics researcher Brian Carrier described an "intuitive procedure" in which obvious evidence is first identified and then "exhaustive searches are conducted to start filling in the holes." [5]

The actual process of analysis can vary between investigations, but common methodologies include conducting keyword searches across the digital media (within files as well as unallocated and slack space), recovering deleted files and extraction of registry information (for example to list user accounts, or attached USB devices).

The evidence recovered is analyzed to reconstruct events or actions and to reach conclusions, work that can often be performed by less specialized staff. [1] When an investigation is complete the data is presented, usually in the form of a written report, in lay persons' terms. [1]

Application

An example of an image's Exif metadata that might be used to prove its origin En exif data.png
An example of an image's Exif metadata that might be used to prove its origin

Digital forensics is commonly used in both criminal law and private investigation. Traditionally it has been associated with criminal law, where evidence is collected to support or oppose a hypothesis before the courts. As with other areas of forensics this is often a part of a wider investigation spanning a number of disciplines. In some cases, the collected evidence is used as a form of intelligence gathering, used for other purposes than court proceedings (for example to locate, identify or halt other crimes). As a result, intelligence gathering is sometimes held to a less strict forensic standard.

In civil litigation or corporate matters, digital forensics forms part of the electronic discovery (or eDiscovery) process. Forensic procedures are similar to those used in criminal investigations, often with different legal requirements and limitations. Outside of the courts digital forensics can form a part of internal corporate investigations.

A common example might be following unauthorized network intrusion. A specialist forensic examination, into the nature and extent of the attack, is performed as a damage limitation exercise, both to establish the extent of any intrusion and in an attempt to identify the attacker. [4] [5] Such attacks were commonly conducted over phone lines during the 1980s, but in the modern era are usually propagated over the Internet. [33]

The main focus of digital forensics investigations is to recover objective evidence of a criminal activity (termed actus reus in legal parlance). However, the diverse range of data held in digital devices can help with other areas of inquiry. [4]

Attribution
Meta data and other logs can be used to attribute actions to an individual. For example, personal documents on a computer drive might identify its owner.
Alibis and statements
Information provided by those involved can be cross checked with digital evidence. For example, during the investigation into the Soham murders the offender's alibi was disproved when mobile phone records of the person he claimed to be with showed she was out of town at the time.
Intent
As well as finding objective evidence of a crime being committed, investigations can also be used to prove the intent (known by the legal term mens rea). For example, the Internet history of convicted killer Neil Entwistle included references to a site discussing How to kill people.
Evaluation of source
File artifacts and meta-data can be used to identify the origin of a particular piece of data; for example, older versions of Microsoft Word embedded a Global Unique Identifier into files which identified the computer it had been created on. Proving whether a file was produced on the digital device being examined or obtained from elsewhere (e.g., the Internet) can be very important. [4]
Document authentication
Related to "Evaluation of source," meta data associated with digital documents can be easily modified (for example, by changing the computer clock you can affect the creation date of a file). Document authentication relates to detecting and identifying falsification of such details.

Limitations

One major limitation to a forensic investigation is the use of encryption; this disrupts initial examination where pertinent evidence might be located using keywords. Laws to compel individuals to disclose encryption keys are still relatively new and controversial. [12] But always more frequently there are solutions to brute force passwords or bypass encryption, such as in smartphones or PCs where by means of bootloader techniques the content of the device can be first acquired and later forced in order to find the password or encryption key. It is estimated that about 60% of cases that involve encrypted devices, often go unprocessed because there is no way to access the potential evidence. [34]

The examination of digital media is covered by national and international legislation. For civil investigations, in particular, laws may restrict the abilities of analysts to undertake examinations. Restrictions against network monitoring or reading of personal communications often exist. [35] During criminal investigation, national laws restrict how much information can be seized. [35] For example, in the United Kingdom seizure of evidence by law enforcement is governed by the PACE act. [7] During its existence early in the field, the "International Organization on Computer Evidence" (IOCE) was one agency that worked to establish compatible international standards for the seizure of evidence. [36]

In the UK, the same laws covering computer crime can also affect forensic investigators. The 1990 Computer Misuse Act legislates against unauthorized access to computer material. This is a particular concern for civil investigators who have more limitations than law enforcement.

An individual's right to privacy is one area of digital forensics which is still largely undecided by courts. The US Electronic Communications Privacy Act places limitations on the ability of law enforcement or civil investigators to intercept and access evidence. The act makes a distinction between stored communication (e.g. email archives) and transmitted communication (such as VOIP). The latter, being considered more of a privacy invasion, is harder to obtain a warrant for. [7] [17] The ECPA also affects the ability of companies to investigate the computers and communications of their employees, an aspect that is still under debate as to the extent to which a company can perform such monitoring. [7]

Article 5 of the European Convention on Human Rights asserts similar privacy limitations to the ECPA and limits the processing and sharing of personal data both within the EU and with external countries. The ability of UK law enforcement to conduct digital forensics investigations is legislated by the Regulation of Investigatory Powers Act. [7]

Digital evidence

Digital evidence can come in a number of forms PersonalStorageDevices.agr.jpg
Digital evidence can come in a number of forms

When used in a court of law, digital evidence falls under the same legal guidelines as other forms of evidence, as courts do not usually require more stringent guidelines. [7] [37] In the United States, the Federal Rules of Evidence are used to evaluate the admissibility of digital evidence. The United Kingdom PACE and Civil Evidence acts have similar guidelines and many other countries have their own laws. US federal laws restrict seizures to items with only obvious evidential value. This is acknowledged as not always being possible to establish with digital media prior to an examination. [35]

Laws dealing with digital evidence are concerned with two issues:

The ease with which digital media can be modified means that documenting the chain of custody from the crime scene, through analysis and, ultimately, to the court, (a form of audit trail) is important to establish the authenticity of evidence. [7]

Attorneys have argued that because digital evidence can theoretically be altered it undermines the reliability of the evidence. US judges are beginning to reject this theory, in the case US v. Bonallo the court ruled that "the fact that it is possible to alter data contained in a computer is plainly insufficient to establish untrustworthiness." [7] [38] In the United Kingdom, guidelines such as those issued by ACPO are followed to help document the authenticity and integrity of evidence.

Digital investigators, particularly in criminal investigations, have to ensure that conclusions are based upon factual evidence and their own expert knowledge. [7] In the US, for example, Federal Rules of Evidence state that a qualified expert may testify “in the form of an opinion or otherwise” so long as:

(1) the testimony is based upon sufficient facts or data, (2) the testimony is the product of reliable principles and methods, and (3) the witness has applied the principles and methods reliably to the facts of the case. [39]

The sub-branches of digital forensics may each have their own specific guidelines for the conduct of investigations and the handling of evidence. For example, mobile phones may be required to be placed in a Faraday shield during seizure or acquisition to prevent further radio traffic to the device. In the UK forensic examination of computers in criminal matters is subject to ACPO guidelines. [7] There are also international approaches to providing guidance on how to handle electronic evidence. The "Electronic Evidence Guide" by the Council of Europe offers a framework for law enforcement and judicial authorities in countries who seek to set up or enhance their own guidelines for the identification and handling of electronic evidence. [40]

Investigative tools

The admissibility of digital evidence relies on the tools used to extract it. In the US, forensic tools are subjected to the Daubert standard, where the judge is responsible for ensuring that the processes and software used were acceptable.

In a 2003 paper, Brian Carrier argued that the Daubert guidelines required the code of forensic tools to be published and peer reviewed. He concluded that "open source tools may more clearly and comprehensively meet the guideline requirements than would closed-source tools." [41]

In 2011, Josh Brunty stated that the scientific validation of the technology and software associated with performing a digital forensic examination is critical to any laboratory process. He argued that "the science of digital forensics is founded on the principles of repeatable processes and quality evidence therefore knowing how to design and properly maintain a good validation process is a key requirement for any digital forensic examiner to defend their methods in court." [42]

One of the key issues relating to validating forensic tools is determining a 'baseline' or reference point for tool testing/evaluation. There have been numerous attempts to provide an environment for testing the functionality of forensic tools such as the Computer Forensic Tool Testing (CFTT) programme developed by NIST ". [43]

To allow for the different environments in which practitioners operate there have also been many attempts to create a framework for customizing test/evaluation environments. [44] [45] [46] These resources focus on a single or limited number of target systems. However, they do not scale well when attempts are made to test/evaluate tools designed for large networks or the cloud which have become more commonplace in investigations over the years. As of 2024 the only framework that addresses the use of remote agents by forensic tools for distributed processing/collection is that developed by Adams [47]

Branches

Digital forensics investigation is not restricted to retrieve data merely from the computer, as laws are breached by the criminals and small digital devices (e.g. tablets, smartphones, flash drives) are now extensively used. Some of these devices have volatile memory while some have non-volatile memory. Sufficient methodologies are available to retrieve data from volatile memory, however, there is lack of detailed methodology or a framework for data retrieval from non-volatile memory sources. [48] Depending on the type of devices, media or artifacts, digital forensics investigation is branched into various types.

Computer forensics

Private Investigator & Certified Digital Forensics Examiner imaging a hard drive in the field for forensic examination. Digital Forensics - Imaging a hard drive in the field.jpg
Private Investigator & Certified Digital Forensics Examiner imaging a hard drive in the field for forensic examination.

The goal of computer forensics is to explain the current state of a digital artifact; such as a computer system, storage medium or electronic document. [49] The discipline usually covers computers, embedded systems (digital devices with rudimentary computing power and onboard memory) and static memory (such as USB pen drives).

Computer forensics can deal with a broad range of information; from logs (such as internet history) through to the actual files on the drive. In 2007, prosecutors used a spreadsheet recovered from the computer of Joseph Edward Duncan to show premeditation and secure the death penalty. [4] Sharon Lopatka's killer was identified in 2006 after email messages from him detailing torture and death fantasies were found on her computer. [7]

Mobile device forensics

Mobile phones in a UK Evidence bag Mobiles.JPG
Mobile phones in a UK Evidence bag

Mobile device forensics is a sub-branch of digital forensics relating to recovery of digital evidence or data from a mobile device. It differs from Computer forensics in that a mobile device will have an inbuilt communication system (e.g. GSM) and, usually, proprietary storage mechanisms. Investigations usually focus on simple data such as call data and communications (SMS/Email) rather than in-depth recovery of deleted data. [7] [50] SMS data from a mobile device investigation helped to exonerate Patrick Lumumba in the murder of Meredith Kercher. [4]

Mobile devices are also useful for providing location information; either from inbuilt gps/location tracking or via cell site logs, which track the devices within their range. Such information was used to track down the kidnappers of Thomas Onofri in 2006. [4]

Network forensics

Network forensics is concerned with the monitoring and analysis of computer network traffic, both local and WAN/internet, for the purposes of information gathering, evidence collection, or intrusion detection. [51] Traffic is usually intercepted at the packet level, and either stored for later analysis or filtered in real-time. Unlike other areas of digital forensics network data is often volatile and rarely logged, making the discipline often reactionary.

In 2000, the FBI lured computer hackers Aleksey Ivanov and Gorshkov to the United States for a fake job interview. By monitoring network traffic from the pair's computers, the FBI identified passwords allowing them to collect evidence directly from Russian-based computers. [7] [52]

Forensic data analysis

Forensic Data Analysis is a branch of digital forensics. It examines structured data with the aim to discover and analyze patterns of fraudulent activities resulting from financial crime.

Digital image forensics

Digital image forensics (or forensic image analysis) is a branch of digital forensics that deals with examination and verification of an image's authenticity and content. [53] These can range from Stalin-era airbrushed photos to elaborate deepfake videos. [54] [55] This has broad implications for a wide variety of crimes, for determining the validity of information presented in civil and criminal trials, and for verifying images and information that are circulated through news and social media. [54] [56] [57] [55]

Database forensics

Database forensics is a branch of digital forensics relating to the forensic study of databases and their metadata. [58] Investigations use database contents, log files and in-RAM data to build a timeline or recover relevant information.

IoT Forensics

IoT forensics is a branch of Digital forensics that has the goal of identifying and extracting digital information from devices belonging to the Internet of things field, to be used for forensics investigations as potential source of evidence. [59]

See also

Related Research Articles

<span class="mw-page-title-main">Forensic science</span> Application of science to criminal and civil laws

Forensic science, also known as criminalistics, is the application of science principles and methods to support legal decision-making in matters of criminal and civil law.

<span class="mw-page-title-main">Computer forensics</span> Branch of digital forensic science

Computer forensics is a branch of digital forensic science pertaining to evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing, and presenting facts and opinions about the digital information.

<span class="mw-page-title-main">Trace evidence</span> Type of evidence of physical contact

Trace evidence occurs when objects make contact, and material is transferred. This type of evidence is usually not visible to the naked eye and requires specific tools and techniques to be located and obtained. Due to this, trace evidence is often overlooked, and investigators must be trained to detect it. When it comes to an investigation trace evidence can come in many different forms and is found in a wide variety of cases. This evidence can link a victim to suspects and a victim or suspect to the crime scene.

In evidence law, digital evidence or electronic evidence is any probative information stored or transmitted in digital form that a party to a court case may use at trial. Before accepting digital evidence a court will determine if the evidence is relevant, whether it is authentic, if it is hearsay and whether a copy is acceptable or the original is required.

Anti–computer forensics or counter-forensics are techniques used to obstruct forensic analysis.

The following outline is provided as an overview of and topical guide to forensic science:

<span class="mw-page-title-main">Forensic profiling</span> Study of trace evidence in criminal investigations

Forensic profiling is the study of trace evidence in order to develop information which can be used by police authorities. This information can be used to identify suspects and convict them in a court of law.

<span class="mw-page-title-main">Network forensics</span>

Network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection. Unlike other areas of digital forensics, network investigations deal with volatile and dynamic information. Network traffic is transmitted and then lost, so network forensics is often a pro-active investigation.

<span class="mw-page-title-main">Department of Defense Cyber Crime Center</span> United States defense organization

The Department of Defense Cyber Crime Center (DC3) is designated as a Federal Cyber Center by National Security Presidential Directive 54/Homeland Security Presidential Directive 23, as a Department of Defense (DoD) Center Of Excellence for Digital and Multimedia (D/MM) forensics by DoD Directive 5505.13E, and serves as the operational focal point for the Defense Industrial Base (DIB) Cybersecurity program. DC3 operates as a Field Operating Agency (FOA) under the Inspector General of the Department of the Air Force.

<span class="mw-page-title-main">Mobile device forensics</span> Recovery of evidence from mobile devices

Mobile device forensics is a branch of digital forensics relating to recovery of digital evidence or data from a mobile device under forensically sound conditions. The phrase mobile device usually refers to mobile phones; however, it can also relate to any digital device that has both internal memory and communication ability, including PDA devices, GPS devices and tablet computers.

Forensic metrology is a branch of metrology applied to forensic sciences. Metrology has evolved various techniques for assessing the margin of error or uncertainty associated with measurements. Forensic laboratories and criminalistic laboratories perform numerous measurements and tests to support criminal prosecution and civil legal actions. Examples of forensic metrology include the measurement of alcohol content in blood using breathalyzers, quantification of controlled substances, and length measurements of firearm barrels. The results of forensic measurements are used to determine if a person is charged with a crime or may be used to determine a statutory sentencing enhancement. Other examples of forensic metrology includes tests that measure if there is a presence of a substance, latent print examination, questioned documents examination, and DNA analysis.

<span class="mw-page-title-main">Digital forensic process</span>

The digital forensic process is a recognized scientific and forensic process used in digital forensics investigations. Forensics researcher Eoghan Casey defines it as a number of steps from the original incident alert through to reporting of findings. The process is predominantly used in computer and mobile forensic investigations and consists of three steps: acquisition, analysis and reporting.

XRY is a digital forensics and mobile device forensics product by the Swedish company MSAB used to analyze and recover information from mobile devices such as mobile phones, smartphones, GPS navigation tools and tablet computers. It consists of a hardware device with which to connect phones to a PC and software to extract the data.

<span class="mw-page-title-main">FBI Science and Technology Branch</span>

The Science and Technology Branch (STB) is a service within the Federal Bureau of Investigation that comprises three separate divisions and three program offices. The goal when it was founded in July 2006 was to centralize the leadership and management of the three divisions. The mission of the STB is discover, develop, and deliver innovative science and technology so that intelligence and innovative investigation is enhanced.

Forensic search is an emerging field of computer forensics. Forensic search focuses on user created data such as email files, cell phone records, office documents, PDFs and other files that are easily interpreted by a person.

Advanced Digital Forensic Solutions, Inc. is a company based in Reston, Virginia, that develops tools for scanning suspect computers and digital devices to locate and extract data, a process known as digital forensics. Digital forensic tools scan mobile phones, computers and digital devices to collect intelligence or evidence of a crime to identify computers that contain content relevant to an investigation.

The Scientific Working Group on Digital Evidence (SWGDE) is a group that brings together law enforcement, academic, and commercial organizations actively engaged in the field of digital forensics to develop cross-disciplinary guidelines and standards for the recovery, preservation, and examination of digital evidence. It was supported by the United States Federal Bureau of Investigation, but after 2014 is under the National Institute of Standards and Technology.

<span class="mw-page-title-main">Minnesota Bureau of Criminal Apprehension</span> US state criminal investigative bureau

The Minnesota Bureau of Criminal Apprehension (BCA) is a statewide criminal investigative bureau headquartered in Saint Paul that provides expert forensic science and criminal investigation services. The BCA assists local Minnesota law enforcement agencies with complex investigations using the latest technology and techniques, and BCA personnel help secure arrests for violence-related and drug-trafficking crimes, among others. Notably, the BCA investigates killings by police and similar incidents.

<span class="mw-page-title-main">IoT forensics</span> Branch of digital forensics

IoT Forensics or IoT Forensic Science, a branch of digital forensics, that deals with the use of any digital forensics processes and procedures relating to the recovery of digital evidence which originates from one or more IoT devices for the purpose of preservation, identification, extraction or documentation of digital evidence with the intention of reconstructing IoT-related events. These events may reside across one or more configurable computing resources that are within close proximity to the location where the event has taken place.

References

  1. 1 2 3 4 5 6 M Reith; C Carr; G Gunsch (2002). "An examination of digital forensic models". International Journal of Digital Evidence. CiteSeerX   10.1.1.13.9683 .
  2. Carrier, B (2001). "Defining digital forensic examination and analysis tools". International Journal of Digital Evidence. 1: 2003. CiteSeerX   10.1.1.14.8953 .
  3. "The Different Branches of Digital Forensics". BlueVoyant. 2022-03-08. Archived from the original on 2023-10-07. Retrieved 2023-09-09.
  4. 1 2 3 4 5 6 7 Various (2009). Eoghan Casey (ed.). Handbook of Digital Forensics and Investigation. Academic Press. p. 567. ISBN   978-0-12-374267-4.
  5. 1 2 3 Carrier, Brian D (7 June 2006). "Basic Digital Forensic Investigation Concepts". Archived from the original on 26 February 2010.
  6. "The Florida Computer Crimes Act, Probably the First U. S. Legislation against Computer Crimes, Becomes Law". History of Information. 1978. Archived from the original on 2010-06-12.
  7. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 Casey, Eoghan (2004). Digital Evidence and Computer Crime, Second Edition. Elsevier. ISBN   978-0-12-163104-8. Archived from the original on 2023-07-23. Retrieved 2016-11-06.
  8. Aaron Phillip; David Cowen; Chris Davis (2009). Hacking Exposed: Computer Forensics. McGraw Hill Professional. p. 544. ISBN   978-0-07-162677-4. Archived from the original on 22 June 2024. Retrieved 27 August 2010.
  9. 1 2 M, M. E. "A Brief History of Computer Crime: A" (PDF). Norwich University. Archived (PDF) from the original on 21 August 2010. Retrieved 30 August 2010.
  10. 1 2 Mohay, George M. (2003). Computer and intrusion forensics . Artechhouse. p.  395. ISBN   978-1-58053-369-0.
  11. 1 2 3 Peter Sommer (January 2004). "The future for the policing of cybercrime". Computer Fraud & Security. 2004 (1): 8–12. doi:10.1016/S1361-3723(04)00017-X. ISSN   1361-3723.
  12. 1 2 3 Simson L. Garfinkel (August 2010). "Digital forensics research: The next 10 years". Digital Investigation. 7: S64–S73. doi: 10.1016/j.diin.2010.05.009 . ISSN   1742-2876.
  13. Linda Volonino; Reynaldo Anzaldua (2008). Computer forensics for dummies. For Dummies. p. 384. ISBN   978-0-470-37191-6.
  14. GL Palmer; I Scientist; H View (2002). "Forensic analysis in the digital world". International Journal of Digital Evidence. Archived from the original on 9 January 2023. Retrieved 2 August 2010.
  15. Wilding, E. (1997). Computer Evidence: a Forensic Investigations Handbook. London: Sweet & Maxwell. p. 236. ISBN   978-0-421-57990-3.
  16. Collier, P.A.; Spaul, B.J. (1992). "A forensic methodology for countering computer crime". Computers and Law.
  17. 1 2 K S Rosenblatt (1995). High-Technology Crime: Investigating Cases Involving Computers . KSK Publications. ISBN   978-0-9648171-0-4 . Retrieved 4 August 2010.
  18. "Best practices for Computer Forensics" (PDF). SWGDE. Archived from the original (PDF) on 27 December 2008. Retrieved 4 August 2010.
  19. "ISO/IEC 17025:2005". ISO. Archived from the original on 5 August 2011. Retrieved 20 August 2010.
  20. SG Punja (2008). "Mobile device analysis" (PDF). Small Scale Digital Device Forensics Journal. Archived from the original (PDF) on 2011-07-28.
  21. Rizwan Ahmed (2008). "Mobile forensics: an overview, tools, future trends and challenges from law enforcement perspective" (PDF). 6th International Conference on E-Governance. Archived (PDF) from the original on 2016-03-03.
  22. "The Joint Operating Environment" Archived 2013-08-10 at the Wayback Machine , Report released, 18 February 2010, pp. 34–36
  23. Peterson, Gilbert; Shenoi, Sujeet (2009). "Digital Forensic Research: The Good, the Bad and the Unaddressed". Advances in Digital Forensics V. IFIP Advances in Information and Communication Technology. Vol. 306. Springer Boston. pp. 17–36. Bibcode:2009adf5.conf...17B. doi:10.1007/978-3-642-04155-6_2. ISBN   978-3-642-04154-9.
  24. Mohay, George M. (2003). Computer and Intrusion Forensics. Artech House. ISBN   9781580536301. Archived from the original on 2024-06-22. Retrieved 2020-10-25.
  25. Fatah, Alim A.; Higgins, Kathleen M. (February 1999). Forensic Laboratories: Handbook for Facility Planning, Design, Construction and Moving. DIANE Publishing. ISBN   9780788176241. Archived from the original on 2024-06-22. Retrieved 2020-10-25.
  26. 1 2 Adams, Richard (2013). "'The Advanced Data Acquisition Model (ADAM): A process model for digital forensic practice". Murdoch University. Archived (PDF) from the original on 2014-11-14.
  27. "'Electronic Crime Scene Investigation Guide: A Guide for First Responders" (PDF). National Institute of Justice. 2001. Archived (PDF) from the original on 2010-02-15.
  28. "Catching the ghost: how to discover ephemeral evidence with Live RAM analysis". Belkasoft Research. 2013. Archived from the original on 2015-08-12. Retrieved 2014-10-24.
  29. Adams, Richard (2013). "'The emergence of cloud storage and the need for a new digital forensic process model" (PDF). Murdoch University. Archived (PDF) from the original on 2016-04-05. Retrieved 2013-11-21.
  30. Maarten Van Horenbeeck (24 May 2006). "Technology Crime Investigation". Archived from the original on 17 May 2008. Retrieved 17 August 2010.
  31. 1 2 Richard, Adams; Graham, Mann; Valerie, Hobbs (2017). ISEEK, a tool for high speed, concurrent, distributed forensic data acquisition. 15th Australian Digital Forensics Conference 5-6 December 2017. Perth, Western Australia. Archived from the original on 22 June 2024. Retrieved 16 June 2020.
  32. Hoelz, Bruno W. P.; Ralha, Célia Ghedini; Geeverghese, Rajiv (2009-03-08). "Artificial intelligence applied to computer forensics". Proceedings of the 2009 ACM symposium on Applied Computing. ACM. pp. 883–888. doi:10.1145/1529282.1529471. ISBN   9781605581668. S2CID   5382101.
  33. Warren G. Kruse; Jay G. Heiser (2002). Computer forensics: incident response essentials . Addison-Wesley. p.  392. ISBN   978-0-201-70719-9.
  34. Forte, Dario (February 2009). "Do encrypted disks spell the end of forensics?". Computer Fraud & Security. 2009 (2): 18–20. doi:10.1016/s1361-3723(09)70023-5. ISSN   1361-3723. Archived from the original on 2024-06-22. Retrieved 2024-06-22.
  35. 1 2 3 4 Sarah Mocas (February 2004). "Building theoretical underpinnings for digital forensics research". Digital Investigation. 1 (1): 61–68. CiteSeerX   10.1.1.7.7070 . doi:10.1016/j.diin.2003.12.004. ISSN   1742-2876.
  36. Kanellis, Panagiotis (2006). Digital crime and forensic science in cyberspace. Idea Group Inc (IGI). p. 357. ISBN   978-1-59140-873-4.
  37. US v. Bonallo, 858F. 2d1427 (9th Cir. 1988), archived from the original.
  38. "Federal Rules of Evidence #702". Archived from the original on 19 August 2010. Retrieved 23 August 2010.
  39. "Electronic Evidence Guide". Council of Europe. April 2013. Archived from the original on 2013-12-27.
  40. Brunty, Josh (March 2011). "Validation of Forensic Tools and Software: A Quick Guide for the Digital Forensic Examiner". Forensic Magazine. Archived from the original on 2017-04-22.
  41. "Computer Forensics Tool Testing Program (CFTT)". Software and Systems Division Software Quality Group. NIST Information Technology Laboratory. 8 May 2017. Archived from the original on 30 January 2024. Retrieved 30 January 2024.
  42. https://www.researchgate.net/publication/236681282_On-scene_Triage_open_source_forensic_tool_chests_Are_they_effective Archived 2022-08-20 at the Wayback Machine ?
  43. "Archived copy" (PDF). Archived (PDF) from the original on 2024-01-30. Retrieved 2024-01-30.{{cite web}}: CS1 maint: archived copy as title (link)
  44. Hildebrandt, Mario; Kiltz, Stefan; Dittmann, Jana (2011). "A Common Scheme for Evaluation of Forensic Software". 2011 Sixth International Conference on IT Security Incident Management and IT Forensics. pp. 92–106. doi:10.1109/IMF.2011.11. ISBN   978-1-4577-0146-7. Archived from the original on 2024-04-16. Retrieved 2024-05-12.
  45. "Archived copy" (PDF). Archived (PDF) from the original on 2024-01-30. Retrieved 2024-01-30.{{cite web}}: CS1 maint: archived copy as title (link)
  46. Jansen, Wayne (2004). "Ayers" (PDF). NIST Special Publication. NIST. doi: 10.6028/NIST.SP.800-72 . Archived (PDF) from the original on 12 February 2006. Retrieved 26 February 2006.
  47. A Yasinsac; RF Erbacher; DG Marks; MM Pollitt (2003). "Computer forensics education". IEEE Security & Privacy. 1 (4): 15–23. doi:10.1109/MSECP.2003.1219052.
  48. "Technology Crime Investigation :: Mobile forensics". Archived from the original on 17 May 2008. Retrieved 18 August 2010.
  49. Gary Palmer, A Road Map for Digital Forensic Research, Report from DFRWS 2001, First Digital Forensic Research Workshop, Utica, New York, 7–8 August 2001, Page(s) 27–30
  50. "2 Russians Face Hacking Charges". Moscow Times . 24 April 2001. Archived from the original on 22 June 2011. Retrieved 3 September 2010.
  51. Burns, Matt (6 March 2020). "A quick guide to digital image forensics". CameraForensics. Archived from the original on 21 December 2022. Retrieved 21 December 2022.
  52. 1 2 Farid, Hany (15 September 2019). "Image Forensics". Annual Review of Vision Science. 5 (1): 549–573. doi:10.1146/annurev-vision-091718-014827. ISSN   2374-4642. PMID   31525144. S2CID   202642073. Archived from the original on 22 June 2024. Retrieved 21 December 2022.
  53. 1 2 Waldrop, M. Mitchell (16 March 2020). "Synthetic media: The real trouble with deepfakes". Knowable Magazine. Annual Reviews. doi: 10.1146/knowable-031320-1 . Archived from the original on 19 November 2022. Retrieved 19 December 2022.
  54. Pawelec, M (2022). "Deepfakes and Democracy (Theory): How Synthetic Audio-Visual Media for Disinformation and Hate Speech Threaten Core Democratic Functions". Digital Society: Ethics, Socio-legal and Governance of Digital Technology. 1 (2): 19. doi: 10.1007/s44206-022-00010-6 . PMC   9453721 . PMID   36097613.
  55. Westerlund, Mika (2019). "The Emergence of Deepfake Technology: A Review". Technology Innovation Management Review. 9 (11): 39–52. doi: 10.22215/timreview/1282 . ISSN   1927-0321. S2CID   214014129. Archived from the original on 2022-12-22. Retrieved 2022-12-21.
  56. Olivier, Martin S. (March 2009). "On metadata context in Database Forensics". Digital Investigation. 5 (3–4): 115–123. CiteSeerX   10.1.1.566.7390 . doi:10.1016/j.diin.2008.10.001.
  57. M. Stoyanova; Y. Nikoloudakis; S. Panagiotakis; E. Pallis; E. Markakis (2020). "A Survey on the Internet of Things (IoT) Forensics: Challenges, Approaches, and Open Issues". IEEE Communications Surveys & Tutorials. 22 (2): 1191–1221. doi: 10.1109/COMST.2019.2962586 . S2CID   213028057.

Further reading