How it works and how it can benefit ordinary people as well as law enforcement
Digital forensics is a branch of forensic science that concentrates on the recovery and investigation of data found on digital devices, including computers, smartphones, external hard drives and memory cards.
In addition to its role in law enforcement, digital forensics is also used in private investigations, in everything from catching a cheating spouse to investigating cyberbullying, corporate espionage or settling copyright disputes. So, how does it work, and how can it benefit ordinary people as well as law enforcement?
The origins of digital forensics
Computer forensics took off in the 1980s with the growth of personal computers. As computing grew, so did computer crime, and in 1984, the FBI started its Computer Analysis and Response Team.
One of the first big successes of digital forensics was tracking down the hacker Markus Hess, a German citizen who broke into military and industrial computers in the United States, Europe and east Asia and sold the information to the Soviets. He was traced by the astronomer and systems administrator Clifford Stoll, who first noticed Hess’s activity in 1986 while investigating a $0.75 accounting discrepancy at Lawrence Berkeley Laboratory in California.
Like Stoll, many of the early specialists in digital forensics developed their own software and digital tools. By the 2000s, standards and processes had been developed for digital forensics tools and for their use by law enforcement.
How digital forensics works
In order to access information on a computer, the first step is usually to make a bit-for-bit copy (a forensic image) of the storage media, such as the hard drive, rather than working on the original. The drive is typically connected through a piece of hardware called a write blocker, which sits between the evidence drive and the examiner’s workstation, intercepts commands and allows data to be read but never written, so nothing on the original can be erased or overwritten. Volatile memory (RAM) is a separate case: it has to be captured while the machine is still running, because its contents are lost once the power is cut.
Because of the growth of cloud computing and the huge amounts of data now being created, a method called logical imaging is often used instead of making a physical copy of every sector on a hard drive. A logical image captures the active (or visible) data on a logical partition: the files and folders a user would see in File Explorer (formerly My Computer) on Windows or the Finder on a Mac. It does not include deleted files, file fragments or the unallocated space that a physical image would capture, but it does allow an investigator to quickly scan the contents of a drive and copy over only the files and folders that are most relevant to the investigation.
Once copies are made, investigators use a cryptographic hash function, such as MD5 or SHA-256, to check that the copy is accurate: the original medium and the image are both hashed, and matching digests show that the image is a bit-for-bit duplicate. The digests are recorded so that the evidence can be re-verified at any later stage. Investigators then extract and analyse the information using different software tools, designed to conduct keyword searches, recover deleted files and extract information such as user accounts.
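The verification step described above, as an added example that is not part of the original article: the script below hashes a "drive" and its image in fixed-size chunks (so a multi-terabyte image never needs to fit in memory), records two digests for each, and rejects the copy if any digest differs. The 3 MiB drive, the faithful image and the one-byte-tampered image are all constructed in a temporary directory for the demonstration; the `known_answer` function checks the hasher against the published MD5 and SHA-256 values of the string "abc".

```python
import hashlib
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # hash 1 MiB at a time so a huge image never has to fit in RAM


def hash_file(path, algorithms=("md5", "sha256")):
    """Hash `path` in a single pass and return {algorithm: hex_digest}.

    Imaging tools usually record more than one digest (historically MD5 and SHA-1,
    today often MD5 alongside SHA-256) so a copy is accepted only if every one matches.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(original_path, image_path):
    """Compare the digests of the original medium and its image.

    Returns (verified, original_digests, image_digests). `verified` is True only when
    all digests agree, so a mismatch in any single algorithm fails the copy.
    """
    original = hash_file(original_path)
    image = hash_file(image_path)
    return original == image, original, image


def known_answer():
    """Hash a file containing just b"abc" so the hasher can be checked against the
    published test vectors: MD5 900150983cd24fb0d6963f7d28e17f72 and
    SHA-256 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "abc.bin")
        with open(path, "wb") as f:
            f.write(b"abc")
        return hash_file(path)


def demo():
    """Constructed scenario (not real evidence): a 3 MiB 'drive', a faithful image of
    it, and a second image in which a single bit deep inside the data has been flipped."""
    drive = bytes(range(256)) * (3 * 1024 * 1024 // 256)
    tampered = bytearray(drive)
    tampered[len(tampered) // 2] ^= 0x01

    with tempfile.TemporaryDirectory() as tmp:
        paths = {}
        for name, data in (("drive.dd", drive), ("image.dd", drive), ("tampered.dd", bytes(tampered))):
            paths[name] = os.path.join(tmp, name)
            with open(paths[name], "wb") as f:
                f.write(data)

        faithful_ok, src, img = verify_image(paths["drive.dd"], paths["image.dd"])
        tampered_ok, _, bad = verify_image(paths["drive.dd"], paths["tampered.dd"])

    return {
        "faithful_verified": faithful_ok,
        "tampered_verified": tampered_ok,
        "original": src,
        "faithful_image": img,
        "tampered_image": bad,
    }


if __name__ == "__main__":
    result = demo()
    for label in ("original", "faithful_image", "tampered_image"):
        print(f"{label:15} sha256={result[label]['sha256']}")
    print("faithful image verified:", result["faithful_verified"])
    print("tampered image verified:", result["tampered_verified"])
```

A matching digest proves only that the image equalled the source at the moment it was hashed; the value has to be written into the case notes and recomputed whenever the image is handed over or reopened, which is what turns a one-off check into a chain of custody.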
As digital forensics has become more sophisticated, so has anti-forensics software, which is designed to hide information and hamper investigation. This type of software includes programmes that alter a file’s header (the signature bytes that identify its type) or simply give it a misleading extension, for example renaming a .jpg as an .mp3, so that tools which filter by file type overlook it. Other software divides files into small sections and hides these inside other files, or hides data in slack space, the unused portion of the last disk cluster allocated to a file, which ordinary file listings never show.
Anti-forensic tools can also change the metadata attached to files, such as the timestamps recording when a file was created, modified or last accessed (a technique known as timestomping), making it appear as though a file was never opened or did not exist during the period under investigation. There are also programmes that will erase data if an unauthorised user tries to access the system.
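One routine check examiners run against the header-changing and renaming tricks described above is signature analysis: read the first bytes of every file and compare the format they identify with the format the extension claims. The script below is an added example, not code from the original article or from any forensic tool; its signature table and extension list are a small hand-picked subset of publicly documented formats, and the sample files (a genuine JPEG, a JPEG renamed to .mp3, a PDF whose header bytes have been zeroed, and some files with no claim to check) are constructed in a temporary directory.

```python
import os
import tempfile

# File-type signatures ("magic bytes") at offset 0, a constructed subset of well-known formats.
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff"),
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("gif", b"GIF87a"),
    ("gif", b"GIF89a"),
    ("pdf", b"%PDF-"),
    ("zip", b"PK\x03\x04"),   # also docx/xlsx/pptx/jar, which are ZIP containers
    ("mp3", b"ID3"),          # MP3 carrying an ID3v2 tag
    ("mp3", b"\xff\xfb"),     # bare MPEG-1 Layer III frame sync
    ("mp3", b"\xff\xf3"),
    ("mp3", b"\xff\xf2"),
]

# What each extension claims to be. Extensions with no reliable signature (.txt, .csv)
# are deliberately absent so such files are never flagged.
EXTENSION_CLAIMS = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif", ".pdf": "pdf",
    ".zip": "zip", ".docx": "zip", ".xlsx": "zip", ".pptx": "zip", ".mp3": "mp3",
}

MAX_HEADER = max(len(magic) for _, magic in SIGNATURES)


def identify(header):
    """Return the format whose signature matches the start of `header`, or None."""
    for name, magic in SIGNATURES:
        if header.startswith(magic):
            return name
    return None


def find_mismatches(root):
    """Walk `root` and return sorted (relative_path, claimed, detected) tuples for every
    file whose extension claims a format its header does not confirm. A header that
    matches nothing is reported as "unknown": that is what a deliberately corrupted
    signature looks like, though an empty or truncated file can trigger it too."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            claimed = EXTENSION_CLAIMS.get(os.path.splitext(fn)[1].lower())
            if claimed is None:
                continue  # nothing to compare against
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as f:
                detected = identify(f.read(MAX_HEADER))
            if detected != claimed:
                findings.append((os.path.relpath(path, root), claimed, detected or "unknown"))
    return sorted(findings)


def demo():
    """Constructed sample set (not real evidence) exercising a rename and a zeroed header."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
    samples = {
        "holiday.jpg": jpeg,                                   # honest JPEG
        "song.mp3": jpeg,                                      # JPEG renamed to look like audio
        "report.pdf": b"\x00" * 5 + b"1.4\n%\xe2\xe3\xcf\xd3",  # PDF with its %PDF- header zeroed
        "real.mp3": b"ID3\x03\x00\x00\x00\x00\x00\x00",        # honest MP3 with ID3v2 tag
        "deck.pptx": b"PK\x03\x04\x14\x00\x06\x00",            # honest OOXML (ZIP container)
        "notes.txt": b"meeting at 10\n",                       # no signature claim, never flagged
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as f:
                f.write(data)
        return find_mismatches(tmp)


if __name__ == "__main__":
    for path, claimed, detected in demo():
        print(f"{path}: extension says {claimed}, header says {detected}")
```

Commercial suites keep signature tables with hundreds of entries and also check offsets other than zero, but the logic is the same. Note what the check cannot do: a file whose extension carries no expectation (plain text, or no extension at all) is invisible to it, which is exactly why the renamed-file trick is usually paired with carving by header rather than relied upon alone.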
Data can also be hidden using encryption. There are programmes designed to recover encrypted data, but in practice they work by guessing weak passwords or by pulling keys out of a running system’s memory rather than by breaking the algorithm itself; a well-implemented modern cipher is, for all practical purposes, uncrackable without the key, and the stronger the algorithms in use become, the more an investigation depends on finding that key.
As digital forensics becomes more complex, there is a growing need for SaaS digital forensics innovations. At Springwise, we have seen growth in security platforms and encryption; it may now be time for similar growth in SaaS platforms that help to process digital forensic evidence.
10th June 2019