What is Digital Forensics?

Digital Forensics and Evidence Discovery

Digital forensics, in the legal world, takes one of three forms. Forensic analysis involves recovery of evidence in order to support a legal hypothesis in criminal court. Detecting deleted files and undeleting them would be an example. "eDiscovery" is often used in civil litigation to compel one party to turn over copies of digital information believed to be in its possession. Freedom of Information Act demands made to government agencies can also be considered eDiscovery. "Intrusion investigation" delves into the nature, extent, and modus operandi of unauthorized network intrusions - the geeky equivalent of a burglary investigation.

In digital forensics' early days, most investigations were "live forensics." That means investigators directly manipulated a hard drive, for example, to discover what was on it and recover deleted data. But tampering directly with evidence in live forensics poses the risk of altering the evidence, making it vulnerable to defense challenges. Nowadays, special software tools such as SafeBack and DIBS preserve the original evidence while making backup copies for forensic examination. These tools document the backup and tinkering done on data to preserve the "chain of evidence" required by courts.

Hiding Your Tracks is Harder Than You Think

Digital forensics is used to discover more than the content of a hard drive or other digital device. It can be used to establish a person's intent or state of mind. For example, a suspect in a murder case whose Google search history includes "how to kill someone" may be in deep yogurt. Alibis can be refuted by mobile phone records that prove the phone (and, presumably, its owner) actually were not in Mexico when a crime was committed in Los Angeles. eDiscovery of ISPs' records can lead investigators to a computer that was used to download child p**n or email top-secret documents to Wikileaks. Credit and debit card transactions can reveal much about a suspect's movements and purchases.

The source of a digital document can sometimes be established through digital forensics. For example, older copies of Microsoft Word inserted a unique identifier into the "meta data" of every document which identified the specific computer on which the document was created. Related to source identification is "document authentication," the detection of alterations made to meta data and other data in a document. If the creation date of a digital copy of a contract has been altered, for example, document authentication techniques can detect the falsification and, in some cases, recover the true creation date.

Careers in digital forensics are pretty good investments. Digital crime is booming and trained digital forensics experts are in great demand. If you like delving into the technical underworld of computers or tracking down Web sites online, digital forensics may be just the job for you.

Do you have something to say about digital forensics? Post your comment or question below...