Digital forensics. Chances are, you’re more likely to picture a scene from a crime TV drama than cybersecurity. Although it stems from forensic science, digital forensics remains an important component of the field of cybersecurity. But how important is it for you?

Digital forensics refers to uncovering and interpreting electronic data. According to Techopedia, “the goal of the process is to preserve any evidence in its most original form while performing a structured investigation by collecting, identifying and validating the digital information for the purpose of reconstructing past events.”

A brief history

Following the advent of computer crimes in the 1970s – 1980s era, governments from around the world began introducing laws and different mechanisms to combat the problem. Canada is said to be the first country to pass legislation that incorporated computer offenses. As the years went by, technology progressed rapidly. Soon the need for procedures to tackle computer crimes became increasingly significant.

By the early 2000s, different bodies and agencies published guidelines for digital forensics. In 2002, a paper was submitted by the Scientific Working Group on Digital Evidence titled, “Best practices for Computer Forensics”. In 2004, a European lead international treaty signed by 43 countries, the Convention on Cybercrime, came into effect. A year later, ISO 17025 – general requirements for the competence of testing and calibration laboratories, came about.

The exponentially growing technology means that digital forensics will also continue to grow. Particularly for businesses, since most rely on technology for their day-to-day operations.

The digital forensics process

The digital forensics process boils down to five stages. The first is identification. Here, potential sources of evidence are identified. This includes devices as well as the key custodians and location of data. The second stage is preservation. The relevant Electronically Stored Information (ESI) is protected by capturing visual images of a particular scene. Additionally, the relevant information is documented along with how it was acquired in the first place.

The next stage, collection, collecting the potentially relevant information. Sometimes, this may involve removing electronic devices, imaging certain types of data, etc. Following up is the analysis. This is an in-depth systematic process. The idea is to draw conclusions with the evidence available.

Finally, comes the reporting part. Ideally, if proper procedures and methodologies were followed, other competent forensic investigators should be able to draw the same conclusions.

Evidence handling

With regard to the acquisition and handling of forensic analysis, the Scientific Working Group on Digital Evidence and the National Institute of Justice have designed best practices. It’s important that the evidence collection part of the procedure is performed with the utmost care. The simple reason being that the legal matters that follow afterward greatly depend on this. As such,

  • The proper protocol should be followed for evidence acquisition. This is irrespective of whether it’s digital or physical
  • Certain situations may call for special handling. For example, a situation where tampering with a device would cause vital data to be affected
  • All artifacts, physical and/or digital should be collected, retained and transferred using a preserved chain of custody
  • All materials should be date and time-stamped. This includes stating who collected the evidence and the location it is being transported to after initial collection
  • Throughout the period of transferring possession, logs should be maintained at all times proper access controls should be established where evidence storage is concerned. Additionally, these access controls should also be tracked to ensure that only authorized personnel has access to evidence

Similar to physical evidence, digital evidence can also get contaminated. Usually, a forensic investigator will image the data. In other words, an exact copy of the original data. This is done so that the original data wouldn’t be used for the analysis process.

The image is created either via software or hardware. Following this, comes the data analyzing part. Here, there are many considerations that need to be made when proceeding further. Some of these include aspects such as encryption, metadata and/or deleted files, etc.


If the data in question is encrypted, there are two ways to go about decrypting it. One way is to decrypt through the device owner’s key. Of course, this would only work if the encryption was done via the owners of the device. Alternatively, the forensic investigator would have to rely on other decryption mechanisms.


Metadata can provide a lot of details about a certain digital item or data. For example, metadata from a photo could reveal information such as the make and model of the camera used to take the photograph. Metadata enables better insight into the data in question.

Deleted files

Sometimes it’s necessary to recover deleted files to further an investigation. Ideally, recovering deleted files is entirely possible as long as the storage space that was used to store the data previously hasn’t been overwritten.

Types of digital forensics

Like all aspects of technology, digital forensics is a constantly evolving field. However, there are few subcategories of digital forensics. Each of these tends to focus on different aspects of the technology industry.

Computer forensics

This refers to digital evidence found on computers, laptops storage media, etc that supports investigations and legal proceedings.

Network forensics

Monitoring, capturing, storing and/or analysis of network activities or events. The aim is to identify the source of any intrusion, attack, or any other similar problem incident.

Mobile devices forensics

As the name implies, this refers to the collection of electronic evidence via mobile phones, tablets, SIM cards or even game consoles.

Digital image forensics

Digitally acquired photographic images are validated for their authenticity. The metadata would help the investigator in this case.

Digital audio/video forensics

This is the collection and analysis of evidence in the form of sound and/or video. What’s important here, is to validate whether a particular sound or video recording has been tampered with or if it is retained in its original state.

Memory forensics

Also called live forensics, the process refers to collecting evidence from the RAM of a running computer.

Selecting a forensics firm

Often times law firms and other relevant parties would look for a suitable company that can undertake digital forensics. Although there are a number of factors that depend on selecting a particular company, few general things would include,

  • Range of expertise required. Forensic work can vary in terms of the depth of technicality needed. Different firms offer digital forensics services to different levels
  • Pricing, flat fee per incident
  • Time and material
  • How the forensics firm follows guidelines and protocols
  • How the skill level of the employees in the forensics firm compare to the services they offer

When considering cybersecurity, digital forensics isn’t something that may not be what comes to mind at first glance. One report claims that cybercrime damages could be as high as $6 trillion by 2021. While the actual numbers would obviously vary over time. But it goes to show the importance of digital forensics and the vital role it would play on a global scale.

Digital forensics