Tech Update!: Digital Forensics
Date: 05-30-2012 | Category: Tech Update!
Digital forensics or digital forensic science is the part of forensic science which focusses on extracting, recovering and investigating objective evidence of criminal activity from all kinds of devices capable of storing digital data. This is relevant for court cases, but there are applications in the private sector, too (e.g. internal corporate investigations, intrusion investigation).
Originally called "computer forensics", the field was renamed digital forensics as more and more types of digital devices became available, each requiring new and different tools. The scope of digital forensics is also shaped by legal considerations, as national laws define and restrict how far digital data may be analysed (data privacy issues etc.). In the following, we will look at the technical aspects of digital forensics.
The Technical Process of Digital Forensics
Digital forensics is a relatively young discipline which started in the 80s with live analysis on media: to extract evidence, investigators would examine computers from within the running operating system with the help of sysadmin tools. However, since these procedures could themselves modify the data, claims of evidence tampering were raised. As a consequence, forensic tools are used today to first create an exact copy of a piece of digital media and then to perform "live media forensics" on that copy with the help of special software tools.
The forensic process consists of three steps:
- Data acquisition (seizure) or imaging by creating a "forensic duplicate" of the media without modifying the original data.
- Analysis of extracted data for evidence with the help of special tools and methodologies. Common procedures include keyword searches, retrieving deleted files, extracting registry information etc.
- A written report of the evidence recovered, including conclusions drawn from the analysis of the data and reconstructions of events or actions.
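The three steps above, carried through on a constructed byte string standing in for a small storage device, as an added example that is not part of the original article: the source is read block by block without being written to, source and image hashes are compared to prove the duplicate is exact, the image (never the original) is searched for keywords and for a file signature the way deleted-file carving works, and the findings are collected into report lines. All sample content, keywords and the helper names are assumptions made for this illustration.

```python
import hashlib
import io
import re

# Constructed sample "media" (not real evidence): a live text file, a region
# whose directory entry is gone but which still holds a PNG header, and some
# zero-filled slack between them.
SAMPLE_MEDIA = (
    b"\x00" * 16
    + b"memo.txt: transfer 5000 to offshore account\n"
    + b"\x00" * 8
    + b"\x89PNG\r\n\x1a\n" + b"fakepixels" * 3
    + b"\x00" * 8
    + b"notes: meeting with contact at 9pm\n"
)

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def acquire(source: bytes, block_size: int = 512):
    """Step 1 (imaging): read the source read-only, block by block, into a
    forensic duplicate. Hashing the source while it is read and hashing the
    finished image separately gives two values that must agree.
    Returns (image_bytes, source_sha256, image_sha256)."""
    src = io.BytesIO(source)          # stand-in for a device opened read-only
    source_hash = hashlib.sha256()
    out = io.BytesIO()
    while True:
        chunk = src.read(block_size)
        if not chunk:
            break
        source_hash.update(chunk)
        out.write(chunk)
    image = out.getvalue()
    return image, source_hash.hexdigest(), hashlib.sha256(image).hexdigest()


def verify(source_hash: str, image_hash: str) -> bool:
    """The duplicate is only usable as evidence if both digests match."""
    return source_hash == image_hash


def keyword_search(image: bytes, keywords):
    """Step 2a (analysis): case-insensitive keyword hits with byte offsets,
    run against the image so the original media is never touched."""
    hits = []
    for kw in keywords:
        for m in re.finditer(re.escape(kw.encode()), image, re.IGNORECASE):
            hits.append((kw, m.start()))
    return sorted(hits, key=lambda h: h[1])


def carve_signatures(image: bytes, magic: bytes = PNG_MAGIC):
    """Step 2b (analysis): locate a file signature anywhere in the image,
    ignoring file-system metadata. This is the basic idea behind recovering
    deleted files by carving: the bytes are still there even when the
    directory entry is gone."""
    return [m.start() for m in re.finditer(re.escape(magic), image)]


def report(source_hash: str, image_hash: str, hits, carved):
    """Step 3 (reporting): a plain list of findings an examiner would write up."""
    status = "VERIFIED" if verify(source_hash, image_hash) else "MISMATCH"
    lines = [
        "Forensic report (constructed example)",
        f"source sha256: {source_hash}",
        f"image  sha256: {image_hash}",
        f"integrity: {status}",
    ]
    for kw, offset in hits:
        lines.append(f"keyword '{kw}' found at offset {offset}")
    for offset in carved:
        lines.append(f"PNG signature carved at offset {offset}")
    return lines


def run_case(media: bytes = SAMPLE_MEDIA):
    """Full pipeline on the sample media; returns the report lines."""
    image, src_hash, img_hash = acquire(media)
    hits = keyword_search(image, ["offshore", "contact"])
    carved = carve_signatures(image)
    return report(src_hash, img_hash, hits, carved)


if __name__ == "__main__":
    print("\n".join(run_case()))
```

Note that every analysis function takes the image, not the source; in practice the hash pair is recorded at acquisition time so that anyone re-hashing the image later can show it has not changed since.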
To acquire and analyze data for investigation, highly specialized software tools are required. Judges need to be sure that the forensic tools used in an investigation are acceptable and reliable. In the United States, the Daubert Standard is used to determine the admissibility of forensic tools and processes. It requires that the technologies and software tools used for investigation be empirically tested, peer reviewed, replicable by other experts, etc.
The technical aspects of digital forensics are also determined by the type of digital devices involved. Thus, digital forensics branches into computer forensics, network forensics, database forensics and mobile device forensics. Especially this last branch has to face the challenge of dealing with the proprietary aspects of mobile devices.
The Development of Standards and Unresolved Issues
Forensic processes and the legal requirements connected with them place demands on forensic software tools, so there is a need for standardization. However, many unresolved issues make this difficult. Experts attribute this to the wide variety and size of available digital media, the availability of encryption to consumers, the continuing emergence of new operating systems and file formats, and the associated legal aspects and limitations.
Great Quality Software Forensic Tools
Software tools developed for digital forensics are highly specialized. There are Open Source Tools (e.g. Helix, LiveView), but practitioners cannot rely on direct support if they need it. Commercial software solutions (e.g. Blade, EnCase, FTK Manager) are rather costly. To ensure the integrity of the investigation, these software tools need to be registered and properly licenced. Often the verification of evidence requires that experts use several tools.
Much of this software is dongle-protected. Craig Wilson of Digital Detective, a UK provider of leading digital forensic software products, explains:
“One of the growth areas in digital forensics is the use of USB dongles for the licencing of software. Whilst forensic practitioners will each have licences for their everyday tools, there are an increasing number of tools which are used on an ad-hoc basis, and when these tools are expensive a laboratory will often purchase just one copy. If these tools are licenced by USB dongle, the problem arises of how best to keep this expensive piece of plastic safe, yet also available for everyone when they need it."
Our myUTN-80 dongle server is a perfect solution for keeping these valuable dongles safe in one place and making them available for users when necessary.