Article Jarrod Van Der Heever Justin Sloane

Digital Forensics: An Overview

INTRODUCTION TO DIGITAL FORENSICS

Technology, the internet and data have all become inextricably linked to the majority of our lives. The rise of technology has revolutionized and molded the world in which we live today, whilst simultaneously creating new obstacles and threats of which businesses and individuals should be aware.

Digital forensics can be defined as:

The use of scientifically derived and proven methods toward the preservation, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.1 

1 Gary L. Palmer. (2001). A Road Map for Digital Forensic Research. Technical Report DTR-T0010-01, DFRWS.

To put this simply, digital forensics involves the investigation of electronic devices, including computers, mobile phones and storage devices (hard drives and memory cards), which have been utilized in an illegal or unauthorized manner. The purpose of this article is to provide some insight into what digital forensics is, why it has become so important in the modern world and an overview of digital forensic procedures.

THE IMPORTANCE OF DIGITAL FORENSICS

The emergence of the internet and technology has led to the emergence of new crimes and prohibited practices which can be committed in the online world. Similarly, electronic devices, such as cellphones and laptops, have been used to store data which has either been obtained illegally (through hacking or phishing scams, for example) or which proves an offence has been committed (video footage of an incident).

The importance of digital forensics includes, but is not limited to, the following: 

  • Digital forensics may act as a preventative tool against certain malicious events being committed against an individual or company;
  • It assists in identifying those involved in the commission of an offence and assists in tracing the events which led to the commission of an offence;
  • Digital forensics assists in securing convictions against those who have committed “cybercrimes”; and
  • Digital forensics assists in educating individuals and improving awareness about the risks and vulnerabilities posed within the online world.

Digital forensics acts not only as an important reactive tool which may be employed once an offence has been committed, but also as a proactive tool which may be used by companies and individuals to ensure they are adequately protected from any malicious digital conduct.

Digital forensics has become an important tool in the prosecution of criminal offences, where once the relevant data has been extracted and analysed, it may be presented as evidence in court. This will often take the form of a report compiled by the forensic investigator and may even require the investigator to give oral evidence during the trial, wherein they will explain the report and how they came to their findings. 

Companies and individuals store the majority of their sensitive information, such as banking details, trade secrets and intellectual property information, on electronic platforms. Digital forensics has become, and will continue to become, increasingly important as this information needs to be protected from falling into the wrong hands.

DIGITAL FORENSIC PROCEDURE

Currently, there exists no standardized procedure which is adopted uniformly when digital forensic investigations are being conducted. Although there exists a need for a standardized procedure, it may be better that a more flexible approach is adopted due to the rapid advancements in technology over the years.

There are, however, certain procedures which have been adopted over the years incorporating various phases within the forensic procedure to ensure optimum results are achieved. In general, the process of digital forensics incorporates four stages, namely:

  1. Preservation – this stage is primarily aimed at preventing any conduct which may prevent digital information being collected. It entails certain activities such as preventing individuals from using electronic devices, preventing and halting deletion processes and identifying the safest manner in which the relevant data may be collected.
  2. Collection – this stage includes both the physical removal of electronic devices as well as the extraction of data from these devices. It is important that this is done in a manner which maintains the integrity of the data.
  3. Examination – this stage consists of a search which is conducted on the electronic devices in a manner which systematically identifies and extracts the data which may be relevant to the investigation. This will entail the extraction of log files, relevant data files, etc.
  4. Analysis – this stage, in essence, involves an analysis of the information which has been extracted and drawing conclusions therefrom in relation to the specific investigation being conducted.
  5. Reporting – this is the final stage, which requires the forensic investigator to prepare a report which details their findings and conclusions, drawn from their forensic investigation and, if necessary, presenting such evidence in court. 
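
An added example, not part of the original article or of any firm's procedure: one way the integrity requirement of the Collection stage can be met and later re-checked before Examination or Reporting. It assumes SHA-256 hashing and a hash-chained custody log, neither of which the article names; all function names, file names and the sample data are hypothetical.

```python
import hashlib, json, os, shutil, tempfile

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):  # chunked: images can be large
            h.update(block)
    return h.hexdigest()

def entry_hash(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def log_entry(log, action, path, digest):
    # Each custody record commits to the previous one, so edits to the log show.
    prev = log[-1]["entry_hash"] if log else "0" * 64
    body = {"action": action, "item": os.path.basename(path), "sha256": digest, "prev": prev}
    log.append({**body, "entry_hash": entry_hash(body)})

def collect(source, workdir, log):
    # Collection: hash the source, copy it, confirm the copy matches.
    original = sha256_file(source)
    log_entry(log, "acquired", source, original)
    copy = os.path.join(workdir, "working_copy.img")
    shutil.copyfile(source, copy)
    if sha256_file(copy) != original:
        raise ValueError("working copy does not match the acquired source")
    log_entry(log, "working_copy_verified", copy, original)
    return copy, original

def verify(copy, expected, log):
    # Before examination or reporting: re-check the log chain and the copy.
    prev = "0" * 64
    for e in log:
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if e["prev"] != prev or entry_hash(body) != e["entry_hash"]:
            return False
        prev = e["entry_hash"]
    return sha256_file(copy) == expected

def demo():
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "evidence.img")  # constructed stand-in for an image
        with open(src, "wb") as f:
            f.write(b"constructed sample evidence bytes\n" * 1000)
        log = []
        copy, digest = collect(src, d, log)
        intact = verify(copy, digest, log)
        with open(copy, "ab") as f:
            f.write(b"x")  # simulate an accidental change to the copy
        return intact, verify(copy, digest, log), len(log)
```

Analysis is carried out on the verified working copy, and the recorded hash and log are what the final report can cite to show the data was not altered after collection.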

The above outlines the general investigative process which is found in digital forensic investigations; however, certain specific digital forensic procedures may incorporate variations to the stages outlined above or certain additions thereto. By way of example, the Integrated Digital Investigation Model consists of various phases, such as: 

  1. Readiness Phase;
  2. Deployment Phase;
  3. Physical Crime Scene Investigation Phases; 
  4. Digital Crime Scene Investigation Phases; and 
  5. Review Phase. 

Whilst the process adopted in each unique digital forensic procedure exceeds the bounds of this article, the above serves to show the variety of procedures which may be adopted during a digital forensic investigation.

THE FUTURE OF DIGITAL FORENSICS

Nobody can be certain what the future may hold; however, it is expected that digital forensics may become even more prevalent in South Africa in the years to come. In 2017, the Cybercrime and Cybersecurity Bill B6 (“the Bill”) was presented, which seeks to give effect to a number of cybercrimes.

The Bill primarily deals with crimes involving data such as the unlawful accessing and obtaining of data which becomes a criminal offence under the Bill. Unlawfully acquiring another individual’s password and using data for unlawful purposes will further become a criminal offence.

The Bill proposes procedures and seeks to enable the South African Police Services to investigate, as well as search and seize, data and devices which have been used in cybercrimes. Cybercrimes are currently investigated in accordance with the Criminal Procedure Act 51 of 1997; however, this position will change when/if the Bill becomes legislation.

Whilst the Bill is only draft legislation currently, should the Bill be enacted, digital forensics will become increasingly important in giving effect to the Bill. Digital forensics will be utilized to investigate the crimes which have been perpetrated in terms of the Bill. This will undoubtedly increase the prevalence of digital forensics not only within the private sphere but also within the public sphere, as government develops and adopts its own digital forensic investigation procedures.

COVID-19 has forced many individuals to work remotely where possible, communicating with their colleagues exclusively through electronic platforms such as emails, Zoom, Microsoft Teams, etc. It has been speculated that many businesses may seek to adopt remote working measures even once a vaccine or cure for COVID-19 has been found.

This will create an even greater reliance on technological means of communicating and transferring data, and so this may create further risks and security requirements for such communications or transfers. Digital forensics will allow one to test and identify weaknesses in a company’s online systems and ensure they are protected to the fullest extent.

Finally, given the rapid advancement of technology which has occurred in recent history and which will continue in the future, the developments of such technology will require adequate digital forensic mechanisms to ensure all measures are taken for the safety of a company’s or individual’s data. The importance of digital forensics cannot be overstated and, as can be seen from the above, this importance will likely continue to grow in the near future.

CONCLUSION

As technology advances, so too will digital forensics, which will become more advanced, accurate and prevalent in our society. As the importance of digital forensics increases, individuals will be required to gain knowledge of the practice to ensure they are adopting the most effective measures within their organizations or personal lives.

Digital forensics will further become an increasingly important tool in investigating crimes and other malicious practices which have been committed against an individual or company. 

The purpose of this article is to shed some light on digital forensics and the practices which are utilized in this process in an attempt to provide the reader with a basic knowledge as to what digital forensics entails. 

Schindlers Forensics has a wide array of experience which will prove to be essential in conducting any digital forensic investigation, which investigation will be tailored to your own personal needs. Should you require assistance, please do not hesitate to contact us.