Introduction to Digital Forensics/Types

Digital forensics is traditionally associated with criminal investigations and, as you would expect, most types of investigation centre on some form of computer crime. This sort of crime can take two forms; computer based crime and computer facilitated crime.


 * Computer based crime
 * This is criminal activity that is conducted purely on computers, for example cyber-bullying or spam. As well as crimes newly defined by the computing age it also includes traditional crime conducted purely on computers (for example, child pornography).


 * Computer facilitated crime
 * Crime conducted in the "real world" but facilitated by the use of computers. A classic example of this sort of crime is fraud: computers are commonly used to communicate with other fraudsters, to record/plan activities or to create fraudulent documents.

Not all digital forensics investigations focus on criminal behaviour; sometimes the techniques are used in corporate (or private) settings to recover lost information or to rebuild the activities of employees.

Types of investigation
There are four main types of investigation performed by digital forensics specialists. The first three are broadly similar in the activities the involve, but differ in terms of the legal restrictions and guidelines imposed as well as the type of digital evidence and form of report.


 * Criminal forensics
 * The largest form of digital forensics and falling under the remit of law enforcement (or private contractors working for them). Criminal forensics is usually part of a wider investigation conducted by law enforcement and other specialists with reports being intended to facilitate that investigation and, ultimately, to be entered as expert evidence before the court. Focus is on forensically sound data extraction and producing report/evidence in simple terms that a lay man will understand.


 * Intelligence gathering
 * This type of investigation is often associated with crime, but in relation to providing intelligence to help track, stop or identify criminal activity. Unless the evidence is later to be used in court forensic soundness is less of a concern in this form of investigation, instead speed can be a common requirement.


 * Electronic discovery (eDiscovery)
 * Similar to "criminal forensics" but in relation to civil law. Although functionally identical to its criminal counterpart, eDiscovery has specific legal limitations and restrictions, usually in relation to the scope of any investigation. Privacy laws (for example, the right of employees not to have personal conversation intercepted) and human rights legislation often affect electronic discovery.


 * Intrusion investigation
 * The final form of investigation is different from the previous three. Intrusion investigation is instigated as a response to a network intrusion, for example a hacker trying to steal corporate secrets. The investigation focuses on identifying the entry point for such attacks, the scope of access and mitigating the hackers activities. Intrusion investigation often occurs "live" (i.e. in real time) and leans heavily on the discipline of network forensics.

Evidence and analysis
Obviously the main aim of any investigation is to recover some form of digital evidence, objective data that is relevant to the examination. On top of that the investigator might be asked to make some form of analysis of that evidence; either to form an expert conclusion, or to explain the meaning of the evidence.

Here are some examples of the kind of analysis an examiner might be asked to undertake:
 * Attribution
 * Meta data and other logs can be used to attribute actions to an individual. For example, personal documents on a computer drive might identify its owner.


 * Alibis and statements
 * Information provided by those involved can be cross checked with digital evidence. For example, during the investigation into the Soham murders, the offenders alibi was disproven when mobile phone records of the person he claimed to be with showed she was out of town at the time.


 * Intent


 * As well as finding objective evidence of a crime being committed, investigations can also be used to prove the intent (known by the legal term mens rea). For example, the Internet history of convicted killer Neil Entwistle included references to a site discussing How to kill people.


 * Evaluation of source
 * File artifacts and meta-data can be used to identify the origin of a particular piece of data; for example, older versions of Microsoft Word embedded a Global Unique Identifier into files which identified the computer it had been created on. Proving whether a file was produced on the digital device being examined or obtained from elsewhere (e.g., the Internet) can be very important.


 * Document authentication
 * Related to "Evaluation of Source", meta data associated with digital documents can be easily modified (for example, by changing the computer clock you can affect the created date of a file). Document authentication relates to detecting and identifying falsification of such details.

Test yourself
Here's a quick test for this page, try to fill in the answers without cheating.

{ There are four common forms of forensic investigation + True - False
 * type="" }

{ eDiscovery is an investigation into criminal matters - True + False
 * type="" }

{ Which of these is Computer facilitated crime? - Child pornography - Spam + Fraud - Cyber-bullying
 * type="" }

{ Digital forensics is only used to investigate crime - True + False
 * type="" }