Digital forensics is the overall science of recovery and investigation of material found on all types of digital devices. Computer forensics is a branch of digital forensics that focuses on evidence found on computers and digital storage media such as hard drives or usb drives. Typically these branches are used during investigations that involve cybercrime or regular crimes that have evidence stored on some type of device. With the increased popularity of laptops, smartphones, embedded systems and other internet of things devices, almost all crime involves some type of computer system. Therefore, being able to extract evidence from computers while following all of the required procedures that makes that evidence admissible in court is a very unique and important skillset for law enforcement, military and private investigations.
Types of Digital Forensics
Disk Forensics
This area focuses on extracting data from storage media such as a hard drives by searching for active, modified or deleted files. For example this would recover deleted files that could be used as evidence or prove that a file was created and modified at a certain time.
Network Forensics
This is related to monitoring and analyzing traffic between different computers on a network. You can think of it as eavesdropping on a conversation, the goal is to collect the information being transmitted and use it as evidence.
Memory Forensics
This niche focuses on recovering data from system memory (system registers, RAM or cache). This is important because many times data or malware is only found in memory and never saved to the hard drive (disk), so it’s important to be able to extract this information directly from memory.
Mobile Device Forensics
As the name suggests this area focuses on examining, extracting and analyzing evidence found on mobile devices such as smartphones, iPads etc. Some of things that professionals extract are phone contacts, call logs, audio and video.
Automotive Forensics
This branch focuses on the recovery of digital evidence or data stored in automotive modules, networks and messages sent to automotive systems. This can include things like gps locations, paired devices, user addresses etc. As cars become more advanced, integrate with more devices like people’s smartphones and become more autonomous, this area could become much more popular.
Database forensics
This branch studies and examines databases and their related metadata. This would involve trying to prove when records were created, who accessed the information and when.
Drone Forensics (UAV Forensics)
Drone forensics focuses on the processing and forensics analysis of unmanned air vehicles (UAV’s). This is particularly useful for military use as drone’s can contain a lot of useful information such as flight path data, geo-location of important areas (launch and landing sites), metadata, wifi data and bluetooth/paired devices.
Where is Digital forensics used?
Digital forensics primarily has three main use cases.
Firstly, it is used in criminal investigations. So if a crime has been committed many times people may have video, text messages or files stored on their smartphones and computers that contain valuable evidence. Sometimes people will try to hide or delete that information before getting arrested. This is where digital forensics comes into play in helping to get that information off the device, prove its validity and help the police get a conviction.
Secondly, it can be used in corporate/private investigations. This can be investigating employee misconduct. For example if an employee is suspected of stealing intellectual property from the company, digital forensics may be used to see if that employee accessed the file, downloaded it, emailed it or put it on a USB drive.
Thirdly, it is used following a cyberattack. When a company is hacked, digital forensics is important to uncover exactly how the hack happened, what the hacker did on the systems and confirming that the hacker’s access has been removed once all of the security work has been completed.
Recap
Digital forensics is the science of recovering data from different types of digital devices including computers, smartphones, drones or cars. It’s important because in modern day crime there is almost always a digital component whether it’s GPS, text messages, video, audio or pictures. It’s critical that law enforcement and even private companies are able to extract this information from a device, even if the evidence has been deleted or password protected, this is what makes digital forensics so important.