Digital Forensics: What it is and How it works [2021]

By Leonard Cucos •  Updated: 07/29/21 •  13 min read

Digital Forensics – a term you may have come across before on blogs, TV, or even in mainstream movies, and wondered what it is and how it works? You may even have tried to understand it and felt lost.

This article aims to help you build a solid foundation in digital forensics, and I hope that you will become one of the much-needed experts in this field one day.

Let’s start with simple things such as digital forensics processes and techniques and walk our way up towards more exciting topics like methodology, best practices, and digital trends.

What is Digital Forensics – Definition

Digital forensics is the preservation, acquisition, documentation, analysis, and interpretation of evidence discovered on different kinds of storage media. It is not restricted to laptops, desktops, tablets, and mobile devices; it also includes data in transit sent across public or private networks.

It is critical to recognize that “forensics” is a science in its own right, with extremely well-documented best practices and techniques used to determine whether or not something exists.

Digital Forensics Components

In certain instances, digital forensics includes the finding and recovery of data utilizing various techniques and technologies at the investigator’s disposal. Investigations into digital forensics include, but are not limited to:

To understand where all these are coming from, we will need to learn a bit of history first.

The History of Digital Forensics

Although forensic science [including the first documented fingerprints] has been around for more than a century, digital forensics is a considerably more recent discipline regarding the digitized world, having gained prominence mainly with the advent of personal computers in the 1980s.

Consider the fact that the FBI established the world’s first real forensic sciences lab in 1932; against that timeline, digital forensics is still a relatively new discipline.

When digital forensic investigations were first introduced, some of the first tools were developed in FBI labs around 1984. These early digital forensic investigations were spearheaded by the FBI’s specialized Computer Analysis and Response Team [CART], which was responsible for assisting with digital investigations at the time.

When digital forensics emerged as a distinct profession in the 1990s, it expanded significantly due to the cooperation of many law enforcement agencies and heads of divisions working together and even meeting regularly to share their knowledge and experience.

The FBI held one of the first official conferences in 1993. The International Law Enforcement Conference on Computer Evidence, which was held in conjunction with the event, was primarily concerned with the need for established standards and processes in the field of digital forensics and evidence collection.

Numerous conferences led to the creation of organizations that deal with digital forensics standards and best practices, among other things. For example, the SWGDE was established in 1998 by the Directors of the Federal Crime Laboratory System.

The SWGDE was in charge of developing the generally accepted best standards for computer evidence, which were extensively implemented. 

SWGDE collaborated with a variety of other organizations, including the highly regarded and well-established American Society of Crime Laboratory Directors [ASCLD], which was founded in 1973 and has since played an essential role in the ongoing development of best practices, procedures, and training in the field of forensic science.

However, it wasn’t until the early 2000s that the FBI created an official Regional Computer Forensic Laboratory [RCFL], which still operates today. The National Program Office [NPO] was formed in 2002. It serves as a coordinating and supporting organization for the Royal Canadian Mounted Police [RCMP] throughout the country.

We’ve seen several law enforcement agencies, including the FBI, the Central Intelligence Agency [CIA], the National Security Agency [NSA], and the Government Communications Headquarters [GCHQ], each with their entire cybercrime divisions, whole digital forensics labs, and dedicated onsite and field agents, work together assiduously to take on tasks that are nothing short of Sisyphean in nature.

Several advancements in cybercrime and security have also occurred in the Caribbean, Latin America, and the rest of the world. For instance, the Caribbean Community Implementation Agency for Crime and Security [CARICOM IMPACS] published the CARICOM cybersecurity and cybercrime action plan [CCSCAP] a few years ago.

The CCSCAP aims to address vulnerabilities within the CARICOM states while also providing guidelines for best practices that would aid cybercrime detection and investigation. The CCSCAP can be found here.

Our technology has advanced significantly from the days of floppy disks, magnetic disks, and dial-up internet access, and we now have Secure Digital [SD] cards, Solid-State Drives [SSDs], and fiber-optic internet connections capable of transmitting data at gigabit rates. You can visit the Interpol website to find more information on cybercrime and the current cyber threats.

Digital Forensic Methodology

Given that forensics is a science, digital forensics relies on well-defined methods and processes that produce consistent results time after time, while also providing proof of evidence, data preservation, and data integrity that can be replicated if necessary.

It is crucial to conduct digital forensics in a manner that can be accepted and submitted in a court of law, even though many individuals are not doing digital forensics to be used as evidence in a legal proceeding. 

It should always be possible to maintain data integrity regardless of which tools are used. The methodology employed, including the processes and results of your research, should always allow for that to happen.

As indicated above, sticking to the best practices can help ensure that original evidence is not tampered with. Or in the case of investigating devices and data in a live or production environment, it can help showcase well-documented proof that necessary measures were taken during the investigation to prevent possible tampering with the evidence, thus safeguarding the evidence’s integrity. 

If you are new to digital forensics, it is highly recommended that you get acquainted with some of the different techniques and procedures that are accessible and commonly used within the profession’s community.

So, you should embrace many standards and methods to guarantee that your investigations are based on solid scientific principles and practices. There’s no place for guessing here.
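The replicable integrity proof described in this section is usually established by hashing an acquired image at acquisition time and re-hashing it before every later examination. The following Python script is an added example, not code from the article: it records the size, MD5 and SHA-256 of a constructed sample image in an acquisition manifest and shows that a single changed byte fails the later verification; the examiner and case identifiers are placeholders.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def hash_image(path, chunk_size=1 << 20):
    """Hash an acquired image in one streaming pass (images are often larger than RAM)."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
            size += len(chunk)
    return {"size": size, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def acquisition_record(path, examiner, case_id):
    """Manifest written at acquisition time; every later verification compares against it."""
    record = hash_image(path)
    record.update({"case_id": case_id, "examiner": examiner,
                   "acquired_utc": datetime.now(timezone.utc).isoformat()})
    return record


def verify_image(path, record):
    """Re-hash the image and report whether it still matches the acquisition record."""
    current = hash_image(path)
    return all(current[k] == record[k] for k in ("size", "md5", "sha256"))


def demo():
    # Constructed sample image: a tiny fake partition, not a real acquisition.
    image = b"FAKE-BOOT-SECTOR" + b"\x00" * 4096 + b"user file contents" + b"\xff" * 512
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "evidence.dd")
        with open(path, "wb") as f:
            f.write(image)
        # Placeholder examiner and case identifiers (assumed, not from the article).
        record = acquisition_record(path, examiner="J. Doe (placeholder)",
                                    case_id="CASE-0000 (placeholder)")
        intact = verify_image(path, record)      # expected True: untouched image
        with open(path, "r+b") as f:             # simulate tampering: flip one byte
            f.seek(20)
            f.write(b"\x01")
        tampered = verify_image(path, record)    # expected False: hashes no longer match
    return intact, tampered


if __name__ == "__main__":
    print(demo())
```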

Digital Forensics Best Practices

Here are the three most important best practice documents and guidelines that you should get familiar with as a digital forensics investigator:

1. The ACPO Good Practice Guide for Digital Evidence.

ACPO, now known as the National Police Chiefs’ Council [NPCC], published a document in 2012 called the ACPO Good Practice Guide for Digital Evidence, which can be downloaded as a PDF file. 

The paper describes best practices when conducting digital forensics investigations, with a particular emphasis on evidence acquisition. 

Afterward, the ACPO Good Practice Guide for Digital Evidence was accepted and adhered to by law enforcement agencies in England, Wales, and Northern Ireland, and you can download it here.

2. The Scientific Working Group on Digital Evidence [SWGDE] – Best Practices for Computer Forensics.

Best Practices for Computer Forensics is another helpful and more current paper on best practices in digital forensics, created by the SWGDE in September 2014.

The SWGDE was founded in 1998 and now has over 100 members and contributors, including representatives from the Federal Bureau of Investigation [FBI], the Drug Enforcement Agency, the Department of Defense Computer Forensics Laboratory, and the National Aeronautics and Space Administration [NASA].

The procedures and best practices can still be applied to non-laboratory investigations by individuals who are not employed by, or do not have access to, a formal computer forensics laboratory.

This paper describes processes and practices used in a formal computer forensics laboratory context and covers many aspects discussed in this article so far. Note that the SWGDE material is not a single document but a collection of best-practice guidelines, which can be found here.

3. The Budapest Convention on Cybercrime 

The Budapest Convention, often known as the Convention on Cybercrime of the Council of Europe [CETS No.185], is the only legally binding international agreement on the subject of cybercrime. 

It acts as a template for any country wishing to establish comprehensive national laws against cybercrime and a framework for international collaboration amongst states that have signed on to the Treaty on the Prohibition of Cyber-criminality.

More information on the Budapest Convention on Cybercrime can be found here.

Why Do We Need Digital Forensics?

Some of us might be old enough to remember Windows 95, 3.x, and DOS. The computational power of today’s smartwatches, calculators, and Internet of Things [IoT] devices far exceeds that of the first-generation personal computers and servers that ran those operating systems.

Hard drive sizes in 1995 ranged from 4 GB to 10 GB – if you were lucky enough to afford one, whereas nowadays you can get drives with capacities as large as 10 TB and higher.

Today, we have flash drives, SD cards, CDs, DVDs, Blu-ray discs, hybrid drives, and SSDs, all of which are far more compact and efficient than the earlier floppy disks, which held just 1.44 MB of data on a 3 1/4-inch disk.

Furthermore, storing and hiding data using steganography, particularly on an NTFS [NT File System] disk, and encryption using BitLocker, VeraCrypt, and TrueCrypt add to the complexity and length of today’s forensics investigations.

On top of that, Microsoft enabled tamper-resistant full-disk encryption by default on Windows 11 via the Trusted Platform Module [TPM] to prevent hackers or malware from accessing data.

As technology advances, so does our grasp of programming languages, operating systems, and expertise in the use of digital gadgets. This also leads to more user-friendly interfaces that can do many of the same functions as the command-line interface [CLI], which expert users primarily utilize. 

Hiding vast quantities of data is also easier nowadays, since processor speeds, coupled with large amounts of random-access memory [RAM], including devices that can also serve as RAM, significantly outpace those of only three years ago.

We should also mention graphics cards from vendors such as ATI and NVIDIA, whose technology quickly made its way into smartphones in recent years, drastically increasing the performance of mobile devices.

Remember Gordon Moore’s law, stating that:

"The number of transistors on a microchip doubles every two years"?

Well, that might soon change. Jensen Huang, NVIDIA’s CEO, stated that Moore’s Law is dying because graphics processing units [GPUs] will eventually replace central processing units [CPUs] due to GPUs’ performance and technological advancements, as well as their ability to handle artificial intelligence [AI].

When one looks at all the factors, the number of ways to perform a cybercrime has dramatically increased, with the list including malware and ransomware distribution, Denial-of-Service [DoS] and Distributed Denial of Service [DDoS] attacks, espionage, blackmail, identity theft, data theft, illegal online activities and transactions, and numerous other criminal activities. 

Many of these actions are anonymous since they take place over the Internet and often use disguised IP addresses and public networks, making it difficult for relevant authorities to identify locations and arrest individuals. Check out this Trend Micro website for additional information on the newest dangers and cybercrime headlines.

Digital forensics applies not just to storage media but also to network and Internet connections, IoT and mobile devices, and, in general, any device that can store, read, or send data. That’s everything we use today.

As a result, depending on the job at hand, we have a range of commercial and open-source tools at our disposal.

Due to current business models, including virtualized infrastructure and cloud services, it is necessary to have FAAS [Forensics As A Service], which brings together digital forensics tools, applications, research and analysis, and the ability to adapt to threats as a service.

Digital Forensics & Cybersecurity

So now that we understand what digital forensics is, how different is it from cybersecurity?

The answer is simple: digital forensics is usually used in the court of law for, e.g., data breach investigations, while cybersecurity uses techniques to protect a computer or network devices from being breached.

Cybersecurity would be much less effective if it did not have access to the information provided by digital forensics. 

So you can see that even if digital forensics and cybersecurity are not the same things, they are inextricably linked.

Wrapping Up

To keep pace with technological development, digital forensics methods, tools, and skills must be updated regularly. This is important not only for combating cybercrime but also for offering accountability and recovering lost data. 

Did you find this article interesting? I have more for you. 

Have a look at the Cybersecurity section of this website. And who knows, your career as a digital forensics/cybersecurity specialist might be right around the corner.

Leonard Cucos

Leonard Cucos is an engineer with over 20 years of IT/Telco experience managing large UNIX/Linux-based server infrastructures, IP and Optics core networks, Information Security [red/blue], Data Science, and FinTech.