What is digital forensics

Restoring the truth of what happened is the scope of digital forensics

In the Oxford Dictionary, digital forensics is defined as: "The application of forensic science techniques to computer-based material."
In practice, this means examining digital devices with rigorous, precise procedures and technical methods. When a company or an individual faces an information security incident, reconstructing what actually happened is the task of digital forensics.

In the Information Age, technology lawsuits are issues every corporate manager has to face. When a legal matter involves digital information, companies often suffer great losses because they neglect the significance of digital evidence. According to research by the University of California, Berkeley, over ninety-three percent of data output is in digital format, stored in separate systems. The same research points out that over eighty-five percent of computer crimes or infringement cases leave footprints. Therefore, collecting and analyzing all digital evidence correctly, so that it remains qualified as evidence, is the main task of digital forensics services.

There is a saying in the forensic field: "Say only what you can prove." In digital forensics, we use whatever information remains in the system to conduct the analysis and find the evidence related to the case, never making things up. This is why digital forensic examiners spend so much time handling and analyzing data. All technical means serve one objective: "Any evidence that exists shall be found."

The procedure can be divided into the following steps:

  • Identify where digital evidence may reside, then collect it without altering or destroying it.
  • Preserve all original evidence, and the images taken from it, under a rigorous preservation procedure.
  • Carry out a series of analyses on the preserved data.
  • Present the results of the analysis in a complete forensic report.

People often consider many other aspects but ignore the methods and procedures of digital forensics. As a consequence, much of the key data is destroyed by inappropriate handling. In the best case, the data can still be recovered with the help of professionals; otherwise it is lost forever. Worst of all, managers generally just accept the loss and miss the opportunity to protect the company's rights, because they lack knowledge in this area.

Scope of digital evidence

The scope of digital evidence is very wide: any digital device that keeps usage logs is a target for evidence collection. Electronic devices holding digital data include the following:

  • Personal portable digital products: PDA, MP3 player, mobile phone, USB disk, digital camera, e-book reader, digital photo frame, etc.
  • All kinds of computers: PC, NB, Pocket PC, IPC, etc.
  • Network devices: firewall, router, switch, and all kinds of network gateway devices.
  • Mainframes: AIX, Solaris, HP-UX, AS/400, etc.
  • Data storage: tape, SAN, NAS, DAS, optical disc, floppy disk, Zip disk, etc.

Digital evidence image files

To prevent the raw evidence from being altered or destroyed, the first step of the forensic procedure is to create an image file of it. The digital content of the image must be exactly the same as the raw evidence, so the image is made by a bit-stream copy from the first bit of the disk to the last. Generally, an MD5 or SHA-1 hash value is used to confirm that the image and the raw evidence are consistent: the digests must match when imaging has succeeded. The image is then mounted read-only for all further analysis.
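The following Python script is an added example, not code from the original article: it carries out the bit-stream copy, dual-hash verification and read-only handling just described on a constructed in-memory stand-in for the evidence device (a byte string, since a real acquisition would read a device path behind a write blocker). The hashes are computed on the source as it streams past and again by an independent re-read of the finished image; `demo(tamper=True)` then flips one byte of the image to show that the re-hash catches any discrepancy.

```python
import hashlib
import io
import os
import tempfile

CHUNK = 4096

# Constructed stand-in for a raw evidence device (in practice a device path
# behind a hardware write blocker). It is a byte string, not a real disk.
CONSTRUCTED_EVIDENCE = bytes(range(256)) * 64 + b"\x00" * 512


def image_and_hash(src, dst):
    """Bit-stream copy src -> dst, hashing the source as it streams past.
    Returns (md5_hex, sha1_hex) of every byte read from src."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in iter(lambda: src.read(CHUNK), b""):
        md5.update(chunk)
        sha1.update(chunk)
        dst.write(chunk)
    dst.flush()
    return md5.hexdigest(), sha1.hexdigest()


def hash_file(path):
    """Independent re-read of the finished image, producing the same two digests."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def acquire(evidence, image_path):
    """Image `evidence` (a binary file object) to image_path and verify it."""
    with open(image_path, "wb") as dst:
        src_md5, src_sha1 = image_and_hash(evidence, dst)
    img_md5, img_sha1 = hash_file(image_path)
    return {
        "source_md5": src_md5, "source_sha1": src_sha1,
        "image_md5": img_md5, "image_sha1": img_sha1,
        "verified": (src_md5, src_sha1) == (img_md5, img_sha1),
    }


def open_for_analysis(image_path):
    """Open a verified image read-only; any write attempt raises, so analysis
    cannot alter it."""
    return open(image_path, "rb")


def demo(evidence_bytes=CONSTRUCTED_EVIDENCE, tamper=False):
    """Run an acquisition in a temporary directory. With tamper=True, flip one
    byte of the image after copying to show that re-hashing detects it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "evidence.dd")
        report = acquire(io.BytesIO(evidence_bytes), path)
        if tamper:
            with open(path, "r+b") as f:
                f.seek(0)
                f.write(b"\xff")  # evidence byte 0 is 0x00
            img_md5, img_sha1 = hash_file(path)
            report["image_md5"], report["image_sha1"] = img_md5, img_sha1
            report["verified"] = (
                (report["source_md5"], report["source_sha1"]) == (img_md5, img_sha1)
            )
        with open_for_analysis(path) as img:
            report["first_bytes"] = img.read(4)
        return report


if __name__ == "__main__":
    print(demo())
    print(demo(tamper=True))
```

Two independent digests are kept because an examiner records both in the chain-of-custody notes; a mismatch in either one means the image cannot be relied on and the acquisition must be repeated.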

Deleted data recovery

Data deleted from a file system may still exist on the storage device rather than being erased completely, so there are several ways to recover it. The first is to recover the file entry from the file system index; the data can usually be recovered if that index entry has not yet been overwritten. Otherwise, the data has to be recovered from unallocated areas, where the difficulty depends on the file format and on how fragmented the file is. As long as the data still exists on the storage, there is a chance to recover it.
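As an added example (not code from the original article), the Python below demonstrates both approaches on a constructed toy disk: a toy index whose deleted entries still point at their old clusters, and header/footer carving over the raw bytes for files whose index entries are gone. The JPEG and PNG signatures are real, but the "files" are placeholder payloads wrapped in those markers, and the index format is invented for the illustration; real file systems keep directory entries in their own structures.

```python
# Signatures for formats whose boundaries can be recognised from content alone
# (real JPEG/PNG markers; the "files" built below are constructed placeholders
# that wrap dummy payloads in these markers, not real images).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}


def _fake_file(fmt, payload):
    header, footer = SIGNATURES[fmt]
    return header + payload + footer


JPG1 = _fake_file("jpg", b"photo-one-" * 20)
PNG1 = _fake_file("png", b"diagram-" * 30)
JPG2 = _fake_file("jpg", b"photo-two-" * 20)

# Constructed toy disk: boot area, a deleted-but-intact JPEG, a region whose
# old JPEG has been overwritten by log text, then two files whose index
# entries were lost entirely (only carving can find them).
BOOT = b"\x00" * 512
SLACK = b"\x00" * 64
OLD_LOG = b"syslog line\n" * 8
DISK = BOOT + JPG1 + SLACK + OLD_LOG + SLACK + PNG1 + SLACK + JPG2 + SLACK

OFF_JPG1 = len(BOOT)
OFF_OLD = OFF_JPG1 + len(JPG1) + len(SLACK)

# Toy (invented) file index: deleted entries keep their old offset/length, as
# a real file system's directory entries often do until they are reused.
INDEX = [
    {"name": "holiday.jpg", "type": "jpg", "offset": OFF_JPG1, "length": len(JPG1), "deleted": True},
    {"name": "old.jpg", "type": "jpg", "offset": OFF_OLD, "length": len(OLD_LOG), "deleted": True},
]


def recover_by_index(disk, entry):
    """Approach 1: follow the (deleted) index entry to its clusters.
    Returns (data, intact); intact is True only if the bytes there still look
    like the file type the entry claims, i.e. they were not overwritten."""
    data = disk[entry["offset"]: entry["offset"] + entry["length"]]
    header, footer = SIGNATURES[entry["type"]]
    return data, data.startswith(header) and data.endswith(footer)


def carve(region, signatures=SIGNATURES, max_size=10 * 1024 * 1024):
    """Approach 2: header/footer carving over raw unallocated bytes.
    Needs no index at all. Returns [(fmt, offset, data)] sorted by offset.
    Fragmented files (footer not contiguous with the header) are the weak spot."""
    found = []
    for fmt, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = region.find(header, pos)
            if start == -1:
                break
            end = region.find(footer, start + len(header), start + max_size)
            if end == -1:  # header with no footer in range: skip it
                pos = start + 1
                continue
            end += len(footer)
            found.append((fmt, start, region[start:end]))
            pos = end
    return sorted(found, key=lambda hit: hit[1])


if __name__ == "__main__":
    for entry in INDEX:
        data, intact = recover_by_index(DISK, entry)
        print(entry["name"], "intact" if intact else "overwritten", len(data))
    for fmt, offset, data in carve(DISK):
        print("carved", fmt, "at", offset, len(data), "bytes")
```

The index route is tried first because it also restores the file name and its original length; carving recovers the content of `PNG1` and `JPG2`, which have no index entry at all, but cannot say what they were called, and for `old.jpg` neither route helps because the clusters now hold log text.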

Searching for digital evidence

Searching for digital evidence is an extremely significant part of any forensic analysis. Generally, there are two methods. The first is linear search: convert the keywords into the appropriate byte encoding and compare them directly against the data on the disk. It is a very effective way to find data in unallocated areas or file slack, but the keywords must be chosen carefully to avoid matching unwanted, unrelated data. The second is to build an index by breaking files into words and sentences. Creating the index takes longer the first time, but searches become much faster once it is established. Open problems with this approach are how to judge word and sentence combinations, and how to index unallocated areas or file slack at all.
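The following Python is an added example, not code from the original article, contrasting the two methods on a constructed raw image: linear search encodes the keyword once per candidate encoding (UTF-8 and the UTF-16-LE that many Windows applications write) and scans every byte, while the index is built only from the files a parser could read. The sample files and the orphaned deleted fragment are constructed for the illustration. The example also shows the keyword-expression problem from the text: a plain substring search for "transfer" also hits "transferred", which the whole-word option filters out.

```python
import re
from collections import defaultdict

# Encodings worth trying: UTF-8 (most Unix text) and UTF-16-LE (what many
# Windows applications write). One keyword becomes one needle per encoding.
ENCODINGS = ("utf-8", "utf-16-le")

# Constructed allocated files (what an indexer sees after parsing the file
# system) and a constructed fragment of a deleted UTF-16-LE document that no
# longer has any index entry.
FILES = {
    "memo.txt": "The transfer was approved by the CFO on Friday.",
    "notes.txt": "Education budget transferred to marketing.",
}
DELETED_FRAGMENT = "wire transfer to offshore account"

# Constructed raw image: zero padding, memo as UTF-8, notes as UTF-16-LE,
# then the orphaned fragment sitting in unallocated space.
IMAGE = (
    b"\x00" * 128
    + FILES["memo.txt"].encode("utf-8") + b"\x00" * 64
    + FILES["notes.txt"].encode("utf-16-le") + b"\x00" * 64
    + DELETED_FRAGMENT.encode("utf-16-le") + b"\x00" * 32
)


def _is_word_char(chunk, enc):
    """True if the bytes decode (in enc) to a letter or digit."""
    try:
        return chunk.decode(enc).isalnum()
    except UnicodeDecodeError:
        return False


def linear_search(image, keyword, encodings=ENCODINGS, whole_word=False):
    """Method 1: encode the keyword and scan the raw bytes, unallocated space
    included. Returns [(encoding, offset)] sorted by offset. whole_word=True
    rejects hits embedded in a longer word (e.g. 'transfer' in 'transferred')."""
    hits = []
    for enc in encodings:
        needle = keyword.encode(enc)
        unit = len("a".encode(enc))  # bytes per basic character in this encoding
        for m in re.finditer(re.escape(needle), image):
            start, end = m.start(), m.end()
            if whole_word:
                before = image[max(0, start - unit):start]
                after = image[end:end + unit]
                if _is_word_char(before, enc) or _is_word_char(after, enc):
                    continue
            hits.append((enc, start))
    return sorted(hits, key=lambda h: h[1])


WORD_RE = re.compile(r"[A-Za-z0-9_]+")


def build_index(files):
    """Method 2: tokenise parsed files once into an inverted index
    word -> set of file names. Slow to build, fast to query, but it only knows
    the words the tokeniser produced from files it could parse."""
    index = defaultdict(set)
    for name, text in files.items():
        for word in WORD_RE.findall(text.lower()):
            index[word].add(name)
    return index


def index_search(index, keyword):
    """Constant-time lookup of one token; substrings and unparsed data are invisible."""
    return sorted(index.get(keyword.lower(), ()))


if __name__ == "__main__":
    print("linear   :", linear_search(IMAGE, "transfer"))
    print("whole    :", linear_search(IMAGE, "transfer", whole_word=True))
    print("indexed  :", index_search(build_index(FILES), "transfer"))
```

On this image the index answers "memo.txt" only: it never saw the deleted fragment and stored "transferred" as its own token, while the linear scan finds the keyword in the UTF-16-LE fragment in unallocated space, which is exactly the case the text says an index cannot cover.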

Viewing digital evidence

Since all data is stored as binary digits (0 or 1), it is unreadable to humans, even when viewed in hexadecimal. Good forensic software should therefore provide an effective viewer for the digital evidence, one that supports displaying multiple file formats and rendering multimedia. A viewer that is intuitive for forensic personnel makes observing and analyzing the data easier, and with it the forensic process and the presentation of the final result.