What is digital forensics?
The goal of digital forensics is to preserve any evidence in its most original form while performing a structured investigation by collecting, identifying and validating the digital information in order to create a timeline of events (Techopedia).
As the use of technology is growing rapidly around the world, cybercrime continues to rise in scale and complexity. Nowadays, companies are being targeted by cyber criminals more than ever and it has been estimated that the cost of ransomware will be around $265 billion (USD) annually by 2031 (Cyber Crime Magazine).
This demonstrates not only that the cyber world needs to be secured but also that, in the event of a cyber incident, knowledge of digital forensics is vital in order to stop, deter and punish the criminals.
Digital forensics can be used in civil cases (e.g. corporate environment) or criminal cases (e.g. law enforcement). The role of a digital forensics practitioner is to identify, preserve, analyse and present the digital evidence (i.e. any information of probative value) in a manner that is legally acceptable. This means that a digital forensic investigator is required to create a timeline of events explaining who did what, where and when.
Digital forensics guidelines
In any forensic investigation, digital forensics practitioners follow the ACPO (Association of Chief Police Officers) guidelines to ensure that the evidence is admissible in court. All forensic practitioners working in this field must abide by these codes, including the following four principles:
In May 2021, the College of Policing released the Authorised Professional Practice document "Extraction of material from digital devices", developed on the basis of current UK law and including 10 principles to assist digital forensics practitioners.
Areas in digital forensics
Digital forensics can focus on several areas, including computer forensics, memory forensics, network forensics, mobile forensics, IoT forensics and open source intelligence.
Computer forensics is the forensic investigation of hard disks obtained from PCs and laptops. At a crime scene, if the seized computer has been left turned on by the user, the information stored in RAM (Random Access Memory) can be very valuable in showing the user’s activities just before being detained. The digital evidence in RAM is volatile; therefore, expertise in how to complete the forensic investigation process (memory forensics) is required.