Basics of Digital Forensics and Evidence

The science of forensics is essentially the study of legal issues and the pursuit of answers to legal questions by applying scientific knowledge using technology. There are two specific cases where the legal system becomes involved. The first is when a private party, such as a business, requires facts to support a civil action like a lawsuit. The second occurs when a crime is suspected or has been committed. In both cases, a forensics investigator, that is, a practitioner of forensic science, must examine the currently available resources to find facts that those resources support. These facts, in turn, help answer the questions asked by the legal system.

Forensics Investigations

Investigations initiated within the private business sector differ considerably from investigations initiated by public officials for criminal matters. The most significant difference is the potential impact of the investigation. Private sector investigations can result in any or all of the following events:

  • The loss/gain of money or goods
  • The loss or retention of employment
  • Potential disciplinary actions
  • Criminal charges

The most frequent cause for an investigation in the public sector is criminal activity, which can lead to the incarceration of private citizens. In very few cases, a public investigation will involve the liability of public officials in issues involving public safety; these investigations can result in the loss of public taxpayer funds or may influence new legislation. Since most public investigations involve crimes and the criminals that commit them, the term public investigation will be used synonymously with criminal investigation in the rest of the text.

The monetary costs associated with legal action are notable motivators for forensics in investigations. In public investigations, prosecution can take years and cost millions of taxpayer dollars in court costs. Suspects in the prosecution must secure a legal defense, which comes at a cost, and even if ultimately proven innocent, defendants in legal cases may suffer loss of reputation and employment. If the prosecution fails to convict, the suspect is entitled to restitution for losses to reputation or wages. To make matters worse, the suspect will likely have to pursue a private legal action to recoup damages, which results in yet more costs.

Legal actions in the private sector are not exempt from monetary motivators. Private sector legal action can extend over several years and cost millions in private funds. Besides the potential monetary costs, private sector cases often bear a high cost in time and inconvenience for all participants. The likelihood of successful legal action, whether private or public, increases substantially as the confidence level in the facts of the investigation increases.

For example, private sector cases often examine facts to assess whether a company policy or employment contract was violated. With very few exceptions, public sector investigations involve law enforcement, such as investigations that result from a crime occurring or cases where a crime is suspected to have occurred.

Private investigations have the potential of revealing criminal activity. Though the technology and tools for gathering facts are the same or similar in private and public sector cases, the procedures for gathering them differ considerably. Even though they differ, the two sets of rules are rarely incompatible, but they do need agreement among all private parties, including the forensics investigators and private sector attorneys, as well as local law enforcement and public attorneys, to keep up confidence levels in the facts of the investigation.

Forensics Investigators

Forensic investigators are trained professionals who apply the science of forensics. They apply skills from many sciences and disciplines such as geology, physics, chemistry, toxicology and many more. Therefore, forensics can be defined as the application of diverse scientific disciplines to the answering of legal questions. The first function of a forensics investigator is to assess the legality and appropriateness of collecting evidence. The nature of investigations requires that evidence collection and analysis be performed in full compliance with the law. Both public and private investigations must respect the rights of private citizens.

Once probable cause is established, a warrant is issued. With a warrant in hand, law enforcement is granted the right to search only for specific evidence of a crime, but is allowed to collect any evidence in “plain sight” that clearly indicates a crime has been committed.

Another function of the forensics investigator is to maintain an exact “chain of custody” for all evidence gathered in a case. The chain of custody is a simple record of what the evidence is, who gathered it, when it was gathered, and who accessed it. An exact chain of custody is required to prevent contamination, or even the appearance of contamination, of the evidence. The chain of custody is equally important in both public and private investigations.
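
The record described above can be kept in a form where later edits are detectable. The following is an added example, not part of the original article: it goes beyond the simple record by storing a SHA-256 hash of the evidence and linking each entry to the previous one. The function names, field names, people and timestamps are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed starting value for the first entry's link

def _digest(entry):
    # Hash every field except the entry's own hash, in a stable key order.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def add_entry(log, evidence, description, person, action, when):
    """Append one custody record: what, who, when, and what was done."""
    entry = {
        "description": description,                       # what the evidence is
        "evidence_sha256": hashlib.sha256(evidence).hexdigest(),
        "person": person,                                 # who gathered/accessed it
        "action": action,                                 # "collected" or "accessed"
        "when": when,                                     # when it happened
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = _digest(entry)
    log.append(entry)
    return entry

def verify(log, evidence):
    """Return a list of problems; an empty list means the chain is intact."""
    problems, prev = [], GENESIS
    current = hashlib.sha256(evidence).hexdigest()
    for i, e in enumerate(log):
        if e["prev_hash"] != prev:
            problems.append(f"entry {i}: broken link to previous entry")
        if e["entry_hash"] != _digest(e):
            problems.append(f"entry {i}: record altered after it was written")
        if e["evidence_sha256"] != current:
            problems.append(f"entry {i}: evidence hash mismatch")
        prev = e["entry_hash"]
    return problems

def demo():
    image = b"constructed bytes standing in for an acquired image"
    log = []
    add_entry(log, image, "USB drive (constructed sample)", "Collector A",
              "collected", "2024-01-10T09:15:00Z")
    add_entry(log, image, "USB drive (constructed sample)", "Analyst B",
              "accessed", "2024-01-11T14:02:00Z")
    clean = verify(log, image)
    log[0]["person"] = "Someone Else"   # simulate an after-the-fact edit
    return clean, verify(log, image)
```
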


Whether public or private, the facts of a case emerge from evidence in an investigation. Evidence is best defined as anything real or ephemeral that reveals and objectively proves the facts of an investigation. Evidence is generally used to prove that a crime was committed, that the suspect committed or did not commit a crime, the order of events during the commission of a crime, and the motive.

Evidence can take any of the following forms: blood evidence, material trace evidence, fingerprints, private or personal records, public records, drug content, surveillance evidence, confession and testimony.

During an investigation, two very different roles emerge in the field of forensics. The first role is that of evidence collection. This role requires relatively limited experience, training, and qualifications. An investigator in this role will often travel to the scene of a crime or can be called to prepare evidence for the second role. The second role is that of evidence analysis. Here, evidence is reviewed, assessed, and analyzed for facts and conclusions.

Electronic Evidence Discovery May Shift To The Mobile Computer Forensic Specialist

As the computing world advances, and especially as the world of wireless computing advances, there are certainly going to be instances where the services of a mobile computer specialist will be required.

The mobile arena now includes hand-held devices with comprehensive capability; in fact, there are many more wireless units than desktops. Today's complex wireless units such as iPods, iPads, smartphones and tablet computers now have the same computing power as PCs that were manufactured within the last decade. With cutting-edge technology such as infrared and Bluetooth now integrated into mobile computers, the advances in mobile computing are rapidly surpassing those of the desktop computer.

The hand-held category now covers a wide variety of units and can include video cameras, iPods, digital recorders or any other hand-held units. Mobiles may differ from the desktop computer in the way that they operate. The mobile computer forensic field now shifts from hard drive recovery to electronic evidence discovery on hand-held units.

Mobile operating systems and hardware standards may change more frequently as new advances are introduced. New versions may be introduced several times within the product year, whereas computer software may be revised annually or bi-annually. There are many different platforms in the wireless computing arena, which makes the job of the mobile computer forensic specialist even more challenging, and there may additionally be variations within each communication technology. There are several variations of 802.11, which is the standard used by all wireless networks. Shorter-range wireless communication involves the use of Bluetooth, while within even shorter ranges, communication is handled by infrared light waves.

Mobile computer forensics does not only involve mobile phones, and the approach is not yet standardized due to the rapid advances and multiple operating platforms. The main reason for this state of affairs is that many manufacturers are pushing different standards in hardware, interfaces, operating systems and protocols. As a result, mobile forensics cannot be treated in the same way as static computer forensics, even though the concepts may appear to be similar. The mobile forensic specialist's job may rely less on technology and more on skills, procedures and problem-solving ability, and the approach can be different.

Perhaps the most important forensic component of the mobile phone would be the Subscriber Identity Module card which is used to authenticate the user and verify the services. Alternatively, this information can be embedded in the phone. Forensic information may also be available in external Secure Digital cards that can be used by most mobile devices.

The mobile forensic field is primarily concerned with the acquisition of mobile phone data, and there are both hardware and software tools for doing so. Another challenge for the mobile forensic specialist is to keep up with the avalanche of changes in the mobile computing industry. Mobile forensic software may be behind the curve with regard to new mobile technologies, and you should be aware of the various tools, both forensic and non-forensic, that can be used.

The burgeoning mobile arena is sure to offer satisfying opportunities and challenges for the mobile computer forensic specialist.