When people think of digital forensics, they often imagine CSI-type scenarios, where glamorous people employ advanced technology to solve complex crimes in 60 minutes (minus advertisement breaks).
However, similar to how Silent Witness portrays forensic pathologists, CSI and shows like it fail to portray a realistic approach to the process of digital forensics. In reality, the job is far less glitzy and more focused on methodical procedures and intelligent reasoning.
Digital forensics is the discipline of identifying, analysing, and presenting digital evidence found on electronic storage information devices, whilst preserving it in its original form. For example, earlier this year, a digital forensics team spent months analysing data and video footage from the Grenfell Tower disaster to piece together exactly what happened on the night of 14 June 2017. The work was extensive to say the least, ranging from mapping and analysing footage to extracting metadata, motion tracking, and projecting videos onto a 3-D model of the tower block. Ultimately, it was the availability of extensive video material, along with the building information from the Kensington and Chelsea planning website, which helped the team build a detailed picture of the circumstances which led to the deaths of 72 people, including children.
Digital forensics is not just used for court evidence. Companies facing investigations by external regulators employ digital forensic methods to find, analyse, and present evidence to answer the regulator’s questions. The process is also used in internal investigations and to uncover and provide information required during the due diligence process of an M&A.
The digital forensics process
Each jurisdiction has its own policies and procedures relating to digital forensics. For example, in America, the Scientific Working Group on Digital Evidence (SWGDE), which has a membership of around 70 digital forensic specialists from academic institutions, federal and state law enforcement agencies, and private research companies, outlines the best practices and methodology for forensic evidence collection, analysis, and reporting. In the European Union, the EU Agency for Network and Information Security (ENISA) produced a Digital Forensics Handbook. The European Anti-Fraud Office (OLAF) also has guidelines on digital forensic procedures.
Despite the different guidelines, the method of digital forensic operations is essentially the same, comprising five stages:
- Identification – the first stage of a digital forensic exercise is to identify potential sources and locations of digital information and the possible custodians.
- Preservation – once the documents have been identified, they must be preserved. This is particularly important in criminal cases, where crime scenes need to be left intact, with photographs of the scene being taken. When electronically stored information (ESI) is collected, the methods used to extract it must be documented meticulously, in case the collection process is challenged in court.
- Collection – the next stage is to collect the ESI which has been identified. This may involve retrieving information from emails, the Cloud, servers, mobile phones, even drones. This exercise must be conducted in a legally defensible manner. It is crucial this is done by experienced individuals, as it is very easy to render data inadmissible in court if it is collected inappropriately. For example, many people’s first instinct is to use the copy and paste function when collecting emails, documents etc. However, this immediately compromises the document’s original date.
- Analysis – this involves an in-depth search of the data identified. At the document review stage, analysts may use predictive coding, also known as ‘technology-assisted review’, to assist with searching the data. Predictive coding comprises a system of complex algorithms ‘learned’ by the computer during a preliminary review of a selected sample of the documents. The computer then uses the algorithms to identify similar documents, which are prioritised for manual review.
- Delivery/Reporting – it is crucial to consider how the analysed data will be delivered, especially in a criminal or civil case. Evidentiary requirements must be considered, or the data could be rendered inadmissible. Rather than leaving this to the end of the process, decisions on how the documents will be presented should be taken as and when necessary. In criminal law cases, the presentation of evidence obtained via digital forensics is set out in the Association of Chief Police Officers (ACPO) Good Practice Guide for Digital Evidence. In civil cases, the Civil Procedure Rules, in particular Practice Direction 31B, will be used.
Anyone who is engaging in digital forensics activity must be diligent in taking notes around all activities performed in the first four steps.
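The Preservation and Collection points above, as an added example that is not from the original article: a small Python collection routine that hashes each item before and after copying and appends a log entry recording how it was collected, contrasting a naive copy (which re-stamps the modification date, the copy-and-paste problem described above) with a metadata-preserving one. The file names, the sample document and its date are constructed for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_of(path):
    """Hash a file in chunks so large evidence items need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(src, dst, log, preserve_metadata=True):
    """Copy one item into the evidence store and append a collection-log entry.

    shutil.copy2 carries the original modification time across; shutil.copy
    behaves like a naive copy-and-paste and stamps the copy with the time of
    collection, which is the problem the text describes.
    """
    before, src_mtime = sha256_of(src), os.stat(src).st_mtime_ns
    (shutil.copy2 if preserve_metadata else shutil.copy)(src, dst)
    after, dst_mtime = sha256_of(dst), os.stat(dst).st_mtime_ns
    entry = {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "method": "shutil.copy2" if preserve_metadata else "shutil.copy",
        "source": src, "destination": dst,
        "sha256_source": before, "sha256_copy": after,
        "content_intact": before == after,        # hash proves the bytes are unchanged
        "mtime_intact": src_mtime == dst_mtime,   # did the original date survive?
    }
    log.append(entry)
    return entry


def demo():
    """Constructed sample: one document dated in the past, collected both ways."""
    work = tempfile.mkdtemp()
    original = os.path.join(work, "memo.txt")
    with open(original, "w") as f:
        f.write("constructed sample document\n")
    past = 1497398400  # 2017-06-14T00:00:00Z, a constructed date for the sample
    os.utime(original, (past, past))
    log = []
    naive = collect(original, os.path.join(work, "naive_copy.txt"), log, False)
    careful = collect(original, os.path.join(work, "evidence_copy.txt"), log, True)
    return naive, careful, log
```

Both copies hash identically, so content alone would not reveal the problem; only the logged timestamp comparison shows that the naive copy lost the original date.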
Digital forensics and cyber security – two sides of the same coin?
There are multiple similarities between digital forensics and cyber security. There is a joke in the industry that cyber security experts are responsible for securing the network and keeping hackers out, whilst digital forensic experts figure out what went wrong when the cyber security experts fail.
There is truth in this statement; in fact, cyber security and digital forensics are so closely intertwined that one could not exist without the other. If a criminal breach has occurred, the vulnerabilities discovered by the digital forensic teams during the investigation provide invaluable learning and feedback for the cyber security experts, allowing them to ensure it does not recur.
Digital forensics is closely related to both eDiscovery and cyber security. Without skills related to the former, the latter two cannot be achieved. And the need to employ technical digital forensic methods is increasing all the time; the investigation into the drone/s that closed Gatwick, the UK’s second busiest airport, will be watched intently by experts in the digital forensics field.