Digital forensics is a branch of forensic science focused on the recovery and investigation of artifacts found on digital devices. Any device that stores data (e.g. computers, laptops, smartphones, thumb drives, memory cards or external hard drives) is within the ambit of digital forensics. Given the proliferation of digital devices, there has been a ramp-up in the use of digital forensics in legal cases and investigations.
How is Digital Forensics Conducted?
The Scientific Working Group on Digital Evidence (SWGDE) is an industry consortium that defines best practices and methodology for forensic evidence collection, analysis, and reporting. Additionally, the National Institute of Justice (NIJ) has a sub-practice devoted to Digital Forensics Standards and Capability Building, and the American Bar Association has also published detailed guidance on computer forensics.
SWGDE and NIJ have developed best practices for the acquisition and handling of evidence for forensic analysis. Evidence collection should always be performed to ensure that it will withstand legal proceedings. Key criteria for handling such evidence are outlined below:
- The proper protocol should be followed for acquisition of the evidence, irrespective of whether it is physical or digital. Gentle handling should be exercised in situations where the device may be damaged (e.g. dropped or wet).
- Special handling may be required in some situations. For example, when a device is actively destroying data through disk formatting, it may need to be shut down immediately to preserve the evidence. In other situations, it would not be appropriate to shut down the device, so that the digital forensics expert can examine the device's temporary memory.
- All artifacts, physical and/or digital, should be collected, retained and transferred using a preserved chain of custody.
- All materials should be date and time stamped, identifying who collected the evidence and the location it is being transported to after initial collection.
- Proper logs should be maintained when transferring possession.
- When storing evidence, suitable access controls should be implemented and tracked to certify that the evidence has only been accessed by authorized individuals.
Digital evidence has the same weakness as physical evidence: it can get contaminated. So in most situations, a forensic investigator will "image" the data and use that image for analysis rather than the original media. An image is an exact replica of the media being examined and is normally created bit by bit to ensure complete accuracy. That replica can be created either through hardware or software. Either is fine as long as it is certified for digital forensics.
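The following is an added example, not code from the article, showing in miniature what a bit-by-bit acquisition has to prove: every byte of the source was copied, the copy matches, and the source itself was not changed by the acquisition. It hashes the source before and after copying and the image afterwards, and records the result. The "device" is a constructed byte string written to a temporary file; a real imager would read the block device itself and use a write blocker.

```python
"""Bit-for-bit imaging of a source with integrity verification.

Added example, not from the original article. The source "device" is a
constructed file standing in for real media; the workflow (sequential copy,
hash before/after, compare) is what a certified imaging tool does.
"""
import hashlib
import os
import tempfile

BLOCK_SIZE = 4096  # read/write granularity; a real imager uses the sector size


def hash_file(path: str) -> str:
    """SHA-256 of a file, streamed so large media are never loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(source: str, image: str) -> dict:
    """Copy every byte of `source` to `image` and return a verification record.

    The source is hashed before copying and again after, so the record also
    shows that the acquisition did not alter the original.
    """
    pre_hash = hash_file(source)
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK_SIZE), b""):
            dst.write(chunk)
    post_hash = hash_file(source)
    image_hash = hash_file(image)
    same_size = os.path.getsize(source) == os.path.getsize(image)
    return {
        "source_bytes": os.path.getsize(source),
        "image_bytes": os.path.getsize(image),
        "source_sha256_before": pre_hash,
        "source_sha256_after": post_hash,
        "image_sha256": image_hash,
        "verified": same_size and pre_hash == post_hash == image_hash,
    }


def demo(tamper: bool = False) -> dict:
    """Image a constructed 'device'; optionally alter one byte of the image
    afterwards to show that re-verification catches the change."""
    # Constructed sample media: recognisable content plus zero fill, standing
    # in for a small thumb drive. Not real evidence.
    device_bytes = b"EVIDENCE-SECTOR-0000" * 500 + b"\x00" * 3000
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "device.bin")
        img = os.path.join(tmp, "device.raw")
        with open(src, "wb") as f:
            f.write(device_bytes)
        record = image_device(src, img)
        if tamper:
            with open(img, "r+b") as f:
                f.seek(10)
                f.write(b"X")  # one flipped byte in the image
            record["image_sha256"] = hash_file(img)
            record["verified"] = record["image_sha256"] == record["source_sha256_before"]
        return record


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print("tampered image still verifies?", demo(tamper=True)["verified"])
```

The hashes in the returned record are what an examiner writes into the acquisition notes; anyone later handling the image can recompute the hash and confirm nothing has changed since acquisition, which is the digital counterpart of the chain-of-custody log described above.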
Once the forensic investigator has the exact replica of the original, they get to the task of analyzing the data on the replica and deriving conclusions that the attorney can use. There are many considerations that come into play in that analysis. Some examples are outlined below:
If the data is encrypted, then decrypting it becomes crucial for further analysis. If the encryption was applied by the technology systems of the entity that owned the devices, that entity may hold keys that can decrypt the data. Otherwise, the forensic investigator has to use other decryption mechanisms to get to the data.
Critical files needed for the case may have been deleted, in which case recovery may be possible depending on whether the space the file occupied has been overwritten or not.
Metadata is data about the files and can provide a lot of information. For example, if the original file was 10 pages long but was modified into a 6-page document, metadata can capture the fact that this change was made. This gives the forensic investigator a line of inquiry to recover the remaining four pages if the document is meaningful.
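The deleted-file point above is easiest to see with a constructed disk image. The example below is added here and is not from the article: it builds a toy block device with a directory table and data sectors, "deletes" a file by removing only its directory entry (which is all a typical delete does), then carves the file back out of unallocated space by its header and footer signature. Run a second time with the freed sectors overwritten, the same carve finds nothing, which is the "depending on whether the space was overwritten" caveat in the text. The disk layout, `ToyDisk`, and the sample PDF bytes are all constructed for the example.

```python
"""Recovering a deleted file from unallocated space by signature carving.

Added example, not from the article. The filesystem here is a deliberately
simple constructed one (sector 0 = directory table, rest = data); real
filesystems differ in layout but the principle is identical.
"""
import struct

SECTOR = 512
DIR_SECTORS = 1                     # sector 0 holds the directory table
ENTRY = struct.Struct("<16sII")     # name (16 bytes), start sector, length in bytes

# Header/footer signatures worth carving for. Real carvers know hundreds.
SIGNATURES = {
    "pdf": (b"%PDF-", b"%%EOF"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

# Constructed sample document; not a real evidence file.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF"


class ToyDisk:
    """A constructed block device: one directory sector plus data sectors."""

    def __init__(self, sectors: int):
        self.data = bytearray(sectors * SECTOR)
        self.entries = []   # (name, start_sector, length)

    def write_file(self, name: str, content: bytes, start_sector: int):
        off = start_sector * SECTOR
        self.data[off:off + len(content)] = content
        self.entries.append((name, start_sector, len(content)))
        self._flush_table()

    def delete_file(self, name: str):
        # Only the directory entry goes; the data sectors become "unallocated"
        # but still hold the old bytes until something else is written there.
        self.entries = [e for e in self.entries if e[0] != name]
        self._flush_table()

    def allocated_sectors(self) -> set:
        used = set(range(DIR_SECTORS))
        for _, start, length in self.entries:
            used.update(range(start, start + -(-length // SECTOR)))  # ceil div
        return used

    def _flush_table(self):
        table = bytearray(SECTOR)
        for i, (name, start, length) in enumerate(self.entries):
            ENTRY.pack_into(table, i * ENTRY.size, name.encode(), start, length)
        self.data[:SECTOR] = table

    def image(self) -> bytes:
        return bytes(self.data)


def carve(image: bytes, allocated: set) -> list:
    """Scan unallocated sectors for known header/footer pairs.

    Unallocated sectors are concatenated in order, which assumes the deleted
    file was stored contiguously (no fragmentation); fine for this toy disk.
    """
    unalloc = bytearray()
    for s in range(len(image) // SECTOR):
        if s not in allocated:
            unalloc += image[s * SECTOR:(s + 1) * SECTOR]
    found = []
    for kind, (head, foot) in SIGNATURES.items():
        pos = 0
        while (start := unalloc.find(head, pos)) != -1:
            end = unalloc.find(foot, start)
            if end == -1:
                break
            end += len(foot)
            found.append((kind, bytes(unalloc[start:end])))
            pos = end
    return found


def demo(overwrite: bool) -> list:
    """Delete a PDF, optionally reuse its sectors, then carve unallocated space."""
    disk = ToyDisk(sectors=16)
    disk.write_file("memo.pdf", SAMPLE_PDF, start_sector=4)
    disk.write_file("notes.txt", b"keep me", start_sector=8)
    disk.delete_file("memo.pdf")
    if overwrite:
        # New data lands on the freed sectors, destroying the deleted content.
        disk.write_file("new.bin", b"\xff" * len(SAMPLE_PDF), start_sector=4)
    return carve(disk.image(), disk.allocated_sectors())


if __name__ == "__main__":
    print("carved after delete:", [k for k, _ in demo(overwrite=False)])
    print("carved after overwrite:", [k for k, _ in demo(overwrite=True)])
```

The carve ignores allocated sectors on purpose: live files are reachable through the directory table, and carving is about what the filesystem no longer points to. It also illustrates why the "shut it down immediately" guidance earlier matters: every write after deletion shrinks the window in which the file is still recoverable.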
Example Uses of Digital Forensics
- Cellphone forensics in distracted driving cases can provide a treasure trove of information about the driver's actions. A cellphone forensic expert can recover what was happening on the cellphone at the time of the accident.
- Forensics on digital media and social media sites can be used to apportion responsibility in cases of cyberbullying.
- Law enforcement has faced unique challenges when trying to examine the devices of terrorism suspects. A case in point is what happened with the San Bernardino shooter: the FBI ultimately relied on a third party to unlock his phone.
- Embezzlement and other accounting improprieties are a good example of collaboration between digital forensics experts and forensic accountants. The digital forensics expert recovers the data, and the forensic accountant analyzes and interprets it to assist the attorney.
- Information in texts, emails, messaging services, or social media sites can provide evidence in cases involving infidelity.
- Digital forensics can be used in data breaches involving theft of corporate data, including corporate and consumer records. It can help uncover critical information and support the prosecution of the attacker.
Criteria for Selecting a Forensic Firm
By now, it should be clear that most law firms need a digital forensics partner. Many factors come into play when making this decision. Some key considerations are provided below:
- Forensic work can range from being deeply technical (e.g. working with encrypted files or recovering deleted files) to being pretty straightforward (e.g. working with emails or texts when the login/password information is available). Law firms need to assess their specific requirements and look for that level of expertise in their forensic partners.
- Law firms should examine a potential partner's expertise in the protocols outlined by SWGDE and NIJ. An investigator who understands and follows the methodology outlined by these institutions demonstrates a higher degree of maturity and will, in general, be a better witness if that becomes necessary.
- Law firms should examine the skill level of the forensic firm's employees and look for individuals who are certified in digital forensics (e.g. Certified Computer Forensic Examiner, Certified Cyber Forensics Professional, GIAC Forensic Examiner (GCFE), GIAC Forensic Analyst, GIAC Network Forensic Analyst, GIAC Advanced Smartphone Forensics).
- Pricing model
  - Retainer: the digital forensics firm is on retainer for the law firm. In a retainer model, the digital forensics firm provides unlimited services until an upper limit (number of incidents or hours) has been reached. This model may be appropriate for law firms that have frequent digital forensics needs.
  - Flat fee per incident: the digital forensics firm charges a flat fee for investigating the entire incident. The fee is proportionate to the complexity of the investigation, as best as it can be determined up front. This may be appropriate if the law firm's digital forensics needs are occasional.
  - Time and materials: the digital forensics firm charges an hourly rate, which can range from $200-$500 per hour depending on the skills of the investigator and the complexity of the investigation. This may be appropriate where a law firm rarely needs digital forensics services and the number of anticipated hours is small.
As the world immerses itself ever deeper in digital technologies and devices, it will be critical for most law firms to develop a well-thought-out strategy for digital forensics. An understanding of this space and an appropriately crafted approach can help law firms attain positive outcomes in cases and investigations involving electronic evidence. The goal of this article was to demystify this space and define high-level criteria that can be used to select a digital forensics investigations firm.
Dr. Anand Singh is the Chief Information Security Officer at Caliber Home Loans. He is also an adjunct faculty member at Mitchell Hamline School of Law and teaches Incident Management and Response as part of the Cybersecurity and Privacy Law Certificate.
Chris Kent is a seasoned cybersecurity expert specializing in threat identification, defense and response. Chris has built and managed Digital Forensics, Incident Response, Threat Intelligence, and Security Testing programs in the financial and national defense industries.