When the term “forensics” is heard, people tend to think of grisly television crime scene shows. Police vans roll up, people in white jumpsuits get out and start photographing and collecting everything from weapons, shoe prints and even dirt. The packaged evidence is brought to a lab for examination by experts who can determine what type of dirt it is, what foreign bodies are in it, and maybe how well it can be made into pottery, all in less than a day. This makes for good entertainment but the reality is forensics is much more involved and takes longer than TV leads on. Forensics is more than fingerprints and photographs. With modern advancements in banking, computers and cell phones, digital forensic investigation is quickly becoming a primary method of data and evidence collection for criminal or cybercrime cases.
Digital Forensics Investigation
What is Digital Forensics?
Digital forensics is the retrieval of data from computers and other digital storage devices. A digital forensics investigation can take an investigator through computers, cell phones, flash drives, SIM cards, and other electronic devices that transfer and store data. The digital forensics investigator, sometimes called a forensics analyst or examiner, can even retrieve data from virtual spaces as well. The type of investigation will vary depending on whether the investigator is working for a law enforcement agency, private agency, legal entities, or part of an industry. The collected data is sorted, stored, and used later for prosecution or other necessary legal proceedings.
What Are Digital Forensics Investigators?
In the course of a computer forensics investigation, an analyst may need to collaborate with law enforcement. That said, not all investigators are police officers or associated with the police. Just like there are “PI’s”, there are private investigators in the digital sector as well. They’re experts in their fields that extract, collect, process and analyze digital data and metadata. They document their findings through technical reports and note chain of custody for integrity purposes.
A digital analyst working for a private company may also be tasked to identify vulnerabilities, investigate breaches in cybersecurity, and attempt to retrieve data from corrupted or damaged devices. These skills require specialized training and certificates that include EnCase Certified Examiner, Certified Computer Examiner, GIAC Certified Forensic Analyst, and GIAC Certified Network Analyst, to name a few. When dealing with something as complicated as computer security and data, it’s no wonder why highly trained professionals are needed to accomplish the task.
Why Would I Need Digital Forensics Investigation?
Paper filing is a way of the past and almost everything is stored electronically. All of this data is like gold sitting in a digital safe. If someone were to crack the safe, they would make off with the data and reap the rewards leaving little trace behind. Digital forensics identifies what was stolen and can even trace if any information was copied or distributed. In some instances, the goal isn’t to steal data but to erase it. Through analysis, investigators can retrieve the lost data and help trace the source of the hack or breach point to identify the guilty person or persons.
Once the data is collected, the information can be used in courtroom proceedings, whether it be for criminal trials, civil trials, termination suits, copyright cases, or other disputed claims. The digital evidence is admissible if it establishes a fact of matter asserted in the case. The results need to be unaltered during the forensic process and need to be valid, reliable, and subject to peer review.
How Long Will This Take?
There’s an old saying: “Do you want it done fast or do you want it done right?” Just like physical crime scenes, digital crime scenes can take considerable time and effort to make sure all evidence is collected. If a key piece of evidence is not collected or is overlooked, the whole case may crumble.
The digital forensics process has six main steps when dealing with any digital forensics investigation:
- Identification
- Preservation
- Collection
- Examination
- Analysis
- Presentation
Each one of these steps takes time, but the length of time will vary depending on the type of investigation, type of device, and type of security. A cell phone can have its data copied in 4 to 8 hours. That’s simply for copying the files on the phone without examination or analysis. A complete examination on 100GB of data on a hard drive can have over 10,000,000 pages of electronic information and can take 15 to 35, or more, hours to examine, depending on the type of data that was recovered. Once that is done, the information still needs to be organized and sorted for proper presentation to whoever is viewing the data.
Managed Preservation Services
UnitedLex transforms the delivery of data collection and forensics projects through a comprehensive solution called Managed Preservation Services. By considering forensics alongside broader preservation topics such as legal hold and evidence management, UnitedLex enables clients to develop a consistent process that is right-sized, stays on top of new data sources, and offers global scale for forensics needs, both worldwide and close to home.
On every project, UnitedLex partners a forensics expert with a project manager that is dedicated to the preservation and forensics lifecycle. This structure provides clients with a focused team that learns the client’s data landscape, creates proactive solutions for data challenges, all while enhancing the defensibility of a project. Whether you are looking for full-scale solutions, flexible support for existing resources, or looking for more information, UnitedLex customizes their approach to match what each client needs. Book a meeting here or contact us online.