4.3 Different types of digital forensics
Digital forensics is a constantly evolving scientific field with many sub-disciplines. Some of these sub-disciplines are:
- Computer Forensics – the identification, preservation, collection, analysis and reporting of evidence found on computers, laptops and storage media in support of investigations and legal proceedings.
- Network Forensics – the monitoring, capture, storage and analysis of network activity or events in order to discover the source of security attacks, intrusions or other problem incidents, such as worm, virus or malware attacks, abnormal network traffic and security breaches.
- Mobile Device Forensics – the recovery of electronic evidence from mobile phones, smartphones, SIM cards, PDAs, GPS devices, tablets and game consoles.
- Digital Image Forensics – the extraction and analysis of digitally acquired photographic images to validate their authenticity, by recovering the metadata of the image file to ascertain its history.
- Digital Video/Audio Forensics – the collection, analysis and evaluation of sound and video recordings. The science lies in establishing authenticity: whether a recording is original and whether it has been tampered with, either maliciously or accidentally.
- Memory Forensics – the recovery of evidence from the RAM of a running computer. Because RAM contents are lost when the machine is powered off, they must be captured while the system is running, a process called live acquisition.
In practice the boundaries between these categories are blurred, because how a forensic provider groups its work is dictated by staff skill sets, contractual requirements, lab space and so on. For example:
- Tablets or smartphones without SIM cards could be considered computers.
- Memory cards (and other removable storage media) are often found in smartphones and tablets, so they could be considered under mobile forensics or computer forensics.
- Tablets with keyboards could be considered laptops and fit under computer or mobile forensics.
The science of digital forensics has a seemingly limitless future and as technology advances, the field will continue to expand as new types of digital data are created by new devices logging people’s activity. Although digital forensics began outside the mainstream of forensic science, it is now fully absorbed and recognised as a branch of forensic science.
- a. Based on your current understanding of the various types of digital evidence, how far do you think Locard’s Exchange Principle can be made to apply?
- b. Forensic data stored in electronic media differs in one important aspect from most physical evidence: how can this make the digital forensic scientist’s job easier than scientists dealing with blood or fibres?
Answer:
- a. Locard’s Exchange Principle applies even though there is no physical contact when computers connect to each other. In visiting a website a visitor leaves a trace in the log file of the web server, which includes the IP address that accessed the server. However, some traces are transient and easily lost: most routers do not store details of the packets passing through them (unless the NSA or GCHQ have tapped the router!), so a packet passing through a router leaves no lasting trace.
- b. Data stored in electronic media differs from physical evidence in that a perfect copy (called an image) can be created, and an investigator can perform tests on the copy without affecting the original. If the copy is destroyed or altered, a new copy can be made at no cost. Physical evidence is usually irreparably altered or destroyed by testing.
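The answer above rests on the claim that an image is a perfect copy that can be tested and, if damaged, simply remade. What the text does not show is how an examiner proves that: by hashing the source as it is read (the acquisition hash), hashing the image independently, and comparing the two before any analysis begins. The following Python is an added example, not part of this course page or of any forensic tool; the "evidence device" is a constructed file of random bytes, and the paths, block size and function names are assumptions for the illustration.

```python
"""Forensic imaging with hash verification (added example, not course material).

A small 'evidence device' is simulated by a file of random bytes. The image is
taken block by block and hashed as it is read, the image file is then re-hashed
independently, and the two digests are compared. The demo then damages the
working copy, shows the original is untouched, and re-images it.
"""
import hashlib
import os
import tempfile

BLOCK_SIZE = 4096  # assumed block size for the simulated device


def acquire_image(source_path, image_path, block_size=BLOCK_SIZE):
    """Copy source to image block by block and return the SHA-256 hex digest of
    the bytes read from the source (the acquisition hash)."""
    digest = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            block = src.read(block_size)
            if not block:
                break
            digest.update(block)
            dst.write(block)
    return digest.hexdigest()


def hash_file(path, block_size=BLOCK_SIZE):
    """Independent SHA-256 of a file, read in blocks so large images fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(block_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_image(source_path, image_path):
    """True if the image is a bit-for-bit copy of the source: the check an
    examiner records before any analysis is done on the copy."""
    return hash_file(source_path) == hash_file(image_path)


def demo():
    """Image a constructed device, tamper with the working copy, confirm the
    original is untouched, and re-image. Returns the results as a dict."""
    workdir = tempfile.mkdtemp()
    device = os.path.join(workdir, "evidence.bin")   # assumed path: the 'original'
    image = os.path.join(workdir, "evidence.dd")     # assumed path: the working copy
    with open(device, "wb") as f:
        # Constructed input: deliberately not block-aligned so the last short read is exercised.
        f.write(os.urandom(10 * BLOCK_SIZE + 123))

    acq_hash = acquire_image(device, image)
    verified = acq_hash == hash_file(image) and verify_image(device, image)

    # A destructive 'test' on the working copy: overwrite its first block.
    with open(image, "r+b") as f:
        f.write(b"\x00" * BLOCK_SIZE)
    copy_intact = verify_image(device, image)          # False: the copy has changed
    original_intact = hash_file(device) == acq_hash    # True: the original has not

    # Discard the damaged copy and take a fresh image from the original.
    reacquired_hash = acquire_image(device, image)
    reacquired_ok = reacquired_hash == acq_hash and verify_image(device, image)

    return {
        "acquisition_hash": acq_hash,
        "verified": verified,
        "copy_intact": copy_intact,
        "original_intact": original_intact,
        "reacquired_ok": reacquired_ok,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In practice the source would be opened through a write blocker so that the imaging step itself cannot alter the original, and the acquisition hash would be recorded in the case notes alongside the image; the principle the code shows is the same: any later doubt about the copy is settled by re-hashing, and any damage to the copy is remedied by re-imaging.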
Activity 12 The Case of the Stolen Exams
There is a crisis for The Open University. Exam papers are circulating on eBay! Can our fearless forensic investigators find the source of the leak and ensure a successful prosecution?
Watch the short video The Case of the Stolen Exams, taking notes on what you see so that you can answer the following question:
Can you see any problems with the investigation?
Write down all the issues that you think might be a problem for securing a conviction.