Digital forensics – “computer forensics” in older terminology – is the discovery, recovery, and investigation of digital information. You will usually hear the term “digital forensics” in connection with the investigation of a crime. But it also applies to recovery of an accidentally deleted file, or a forgotten password. You might be surprised to learn what kinds of information can be discovered through digital forensics…
Digital Forensics and Evidence Discovery
Digital forensics, in the legal world, takes one of three forms. Forensic analysis involves recovery of evidence in order to support a legal hypothesis in criminal court. Detecting deleted files and undeleting them would be an example. “eDiscovery” is often used in civil litigation to compel one party to turn over copies of digital information believed to be in its possession. Freedom of Information Act demands made to government agencies can also be considered eDiscovery. “Intrusion investigation” delves into the nature, extent, and modus operandi of unauthorized network intrusions – the geeky equivalent of a burglary investigation.
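The "detecting deleted files and undeleting them" case above has a simple form worth seeing in code. When a file's directory entry is gone, its bytes usually remain in unallocated space until overwritten, so an examiner can scan a raw image for known file signatures and carve the contents back out. The following is an added illustration, not code from the original article: it builds a constructed "image" (two small PNGs surrounded by filler, with no file system metadata at all) and recovers them by locating the PNG header and the IEND trailer. The function names and the sample data are this example's own.

```python
"""Signature-based file carving: recover PNG files from raw bytes with no
file-system metadata. Added example; all input is constructed inline."""
import struct
import zlib

PNG_HEADER = b"\x89PNG\r\n\x1a\n"
# Every PNG ends with a zero-length IEND chunk: "IEND" followed by its CRC.
PNG_TRAILER = b"IEND" + struct.pack(">I", zlib.crc32(b"IEND") & 0xFFFFFFFF)


def _png_chunk(tag: bytes, payload: bytes) -> bytes:
    """Length + tag + payload + CRC32(tag + payload), per the PNG format."""
    crc = zlib.crc32(tag + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + tag + payload + struct.pack(">I", crc)


def make_png(width: int, height: int) -> bytes:
    """Build a minimal valid 8-bit RGB PNG (solid red) to use as sample evidence."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # One filter byte (0 = none) per scanline, then RGB triples.
    raw = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))
    return (PNG_HEADER + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", zlib.compress(raw)) + _png_chunk(b"IEND", b""))


def _filler(n: int) -> bytes:
    """Deterministic junk standing in for overwritten or unused sectors."""
    return bytes((i * 31) % 256 for i in range(n))


def build_sample_image() -> bytes:
    """Constructed 'unallocated space': two PNGs whose directory entries are
    gone, so only the raw bytes survive between runs of filler."""
    return _filler(1024) + make_png(4, 2) + _filler(777) + make_png(3, 3) + _filler(500)


def carve_pngs(image: bytes) -> list[tuple[int, bytes]]:
    """Scan for the PNG header, then the IEND trailer that closes the file.
    Returns (offset, file_bytes) pairs; a header with no trailer is reported
    as truncated and skipped rather than carved as garbage."""
    found = []
    pos = 0
    while True:
        start = image.find(PNG_HEADER, pos)
        if start == -1:
            break
        end = image.find(PNG_TRAILER, start)
        if end == -1:
            break  # truncated file: header present, trailer overwritten
        end += len(PNG_TRAILER)
        found.append((start, image[start:end]))
        pos = end
    return found


if __name__ == "__main__":
    for offset, data in carve_pngs(build_sample_image()):
        print(f"recovered PNG at offset {offset}, {len(data)} bytes")
```

Real carvers (tools such as PhotoRec or Scalpel) work the same way at scale, with a table of header and trailer signatures and size limits for formats that have no trailer; the principle shown here, that the data outlives the directory entry, is what makes "undeleting" possible.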
In digital forensics’ early days, most investigations were “live forensics”: investigators worked directly on the original hard drive, for example, to discover what was on it and recover deleted data. But working directly on the evidence risks altering it, which exposes the findings to defense challenges. Nowadays, special software tools such as SafeBack and DIBS preserve the original evidence while making exact copies for forensic examination. These tools document the copying process and every subsequent action taken on the data, preserving the “chain of evidence” required by courts.
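The acquisition-and-documentation workflow described above can be shown in a few dozen lines. The example below is added here and is not code from SafeBack, DIBS or the original article: it copies a constructed evidence file block by block with the source opened read-only, hashes both the original and the copy so any divergence is detected, and appends a timestamped record of the acquisition to a log. The function names (`acquire_image`, `verify_image`) and the temp-directory paths are this example's own assumptions; a real acquisition would also place a hardware write-blocker between the examiner's machine and the drive.

```python
"""Forensic acquisition with hash verification and an acquisition log.
Added example; the 'evidence' is a constructed file in a temp directory."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 4096


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source: str, image: str, log_path: str, examiner: str) -> dict:
    """Copy source -> image block by block (source opened read-only), hash both
    sides, and append one JSON line documenting the acquisition. Raises if the
    hashes differ, because an unverified image is not evidence."""
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK), b""):
            dst.write(chunk)
    record = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "source": source,
        "image": image,
        "source_sha256": sha256_of(source),
        "image_sha256": sha256_of(image),
        "size_bytes": os.path.getsize(image),
    }
    record["verified"] = record["source_sha256"] == record["image_sha256"]
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    if not record["verified"]:
        raise RuntimeError("image hash does not match source; acquisition failed")
    return record


def verify_image(image: str, expected_sha256: str) -> bool:
    """Re-hash the image before (and after) analysis to show it is unchanged
    since acquisition; this is what lets the copy stand in for the original."""
    return sha256_of(image) == expected_sha256


def demo() -> dict:
    """Acquire a constructed evidence file and return the log record, plus a
    flag showing the original was untouched by the process."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "evidence.dd")
    with open(source, "wb") as f:
        f.write(b"deleted-file-remnant " * 1000)  # constructed content
    before = sha256_of(source)
    image = os.path.join(workdir, "evidence.img")
    record = acquire_image(source, image, os.path.join(workdir, "acquisition.log"),
                           "examiner-01")
    record["original_untouched"] = sha256_of(source) == before
    record["still_valid"] = verify_image(image, record["image_sha256"])
    return record


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The log line is the documentary half of the workflow: examiner, time, source, and matching hashes are what a court will ask for when the copy, rather than the original drive, is what was analysed.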