Basics of Digital Forensics and Evidence

The science of forensics is essentially the study of legal issues and the pursuit of answers to legal questions by applying scientific knowledge using technology. There are two specific cases where the legal system becomes involved. The first is when a private party, such as a business, requires facts to support a civil action like a lawsuit. The second occurs when a crime is suspected or has been committed. In both cases, a forensics investigator, that is, a practitioner of forensic science, must check the currently available resources to find facts that those resources support. Those facts, in turn, help answer the questions asked by the legal system.

Forensics Investigations

Investigations initiated within the private business sector differ considerably from investigations initiated by public officials for criminal investigations. The most significant difference is the potential impact of the investigation. Private sector investigations potentially result in any or all of the following events:

  • The loss/gain of money or goods
  • The loss or retention of employment
  • Potential disciplinary actions
  • Criminal charges

The most frequent cause for an investigation in the public sector is criminal activity, which has the potential to incarcerate private citizens. In very few cases, a public investigation will involve the liability of public officials in issues involving public safety, and these investigations can result in the loss of public taxpayer funds or may influence new legislation. Since most public investigations involve crimes and the criminals that commit them, the term public investigation will be used synonymously with criminal investigation in the rest of the text.

The monetary costs associated with legal action are notable motivators for forensics in investigations. In public investigations, prosecution can take years and cost millions of taxpayer dollars in court costs. Suspects in the prosecution must obtain a legal defense, which comes at a cost, and, even if ultimately proven innocent, defendants in legal cases may suffer loss of reputation and employment. If the prosecution fails to convict, the suspect is entitled to restitution for losses to reputation or wages. To make matters worse, the suspect will likely have to pursue a private legal action to recoup damages, which results in yet more costs.

Legal actions in the private sector are not exempt from monetary motivators. Private sector legal action can extend over several years and cost millions in private funds. Besides the potential monetary costs, private sector cases often bear a high cost in time and inconvenience for all participants. The likelihood of successful legal action, whether private or public, increases substantially as the confidence level in the facts of the investigation increases.

For example, private sector cases often examine facts to assess whether a company policy or employment contract was violated. With very few exceptions, public sector investigations involve law enforcement, such as investigations that result from a crime occurring or cases where a crime is suspected to have occurred.

Private investigations have the potential to reveal criminal activity. Though the technology and tools for gathering facts are the same or similar in private and public sector cases, the procedures for gathering them will differ considerably. Even though they differ, the two sets of rules are rarely incompatible, but they do need agreement with all private parties, including the forensics investigators and private sector attorneys, as well as local law enforcement and public attorneys, to maintain confidence levels in the facts of the investigations.

Forensics Investigators

Forensic investigators are trained professionals who apply the science of forensics. They apply skills from many sciences and disciplines such as geology, physics, chemistry, toxicology and many more. Therefore, forensics can be defined as the application of diverse scientific disciplines to the answering of legal questions. The first function of a forensics investigator is to assess the legality and appropriateness of collecting evidence. The nature of investigations requires that evidence collection and analysis be performed in full compliance with the law. Both public and private investigations must respect the rights of private citizens.

Once probable cause is established, a warrant is issued. With the warrant in hand, law enforcement is granted the right to search only for specific evidence of a crime, but is allowed to collect any evidence in “plain sight” that clearly shows that any crime has been committed.

Another function of the forensics investigator is to maintain an exact “chain of custody” for all evidence gathered in a case. The chain of custody is a simple record of what the evidence is, who gathered it, when it was gathered, and who accessed it. An exact chain of custody is required to prevent contamination, or even the appearance of contamination, of the evidence. The chain of custody is equally important in both public and private investigations.
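
As an added illustration (not code from the original article), the following Python example keeps the custody record described above: what the evidence is, who gathered it, when, and who accessed it. The SHA-256 evidence hash and the hash-linking of entries are assumptions added here so that any later alteration is detectable; all function names and sample values are constructed.

```python
import hashlib
import json

def _digest(entry):
    # Hash every field except the entry's own hash, in a stable key order.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def new_log(description, evidence_bytes, collector, when):
    """Open a custody log: what the evidence is, who gathered it, and when."""
    entry = {
        "action": "collected",
        "description": description,
        "evidence_sha256": hashlib.sha256(evidence_bytes).hexdigest(),
        "person": collector,
        "time": when,
        "prev_hash": "",
    }
    entry["entry_hash"] = _digest(entry)
    return [entry]

def record_access(log, person, when, purpose):
    """Append who accessed the evidence, when, and why."""
    entry = {"action": "accessed", "person": person, "time": when,
             "purpose": purpose, "prev_hash": log[-1]["entry_hash"]}
    entry["entry_hash"] = _digest(entry)
    log.append(entry)

def verify(log, evidence_bytes):
    """Return a list of problems; an empty list means the record is intact."""
    problems, prev = [], ""
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev:
            problems.append(f"entry {i}: broken link to previous entry")
        if entry["entry_hash"] != _digest(entry):
            problems.append(f"entry {i}: contents altered after recording")
        prev = entry["entry_hash"]
    if hashlib.sha256(evidence_bytes).hexdigest() != log[0]["evidence_sha256"]:
        problems.append("evidence no longer matches the hash taken at collection")
    return problems

# Constructed sample data (not from a real case).
IMAGE = b"constructed disk image bytes"
LOG = new_log("USB drive, exhibit A", IMAGE, "Investigator 1", "2024-01-05T09:00Z")
record_access(LOG, "Analyst 2", "2024-01-06T14:30Z", "imaging")
```

Calling verify(LOG, IMAGE) on the untouched record returns an empty list; editing any stored entry or any byte of the evidence produces a named problem instead.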

Evidence

Whether public or private, the facts of a case emerge from evidence in an investigation. Evidence is best defined as anything real or ephemeral that reveals and objectively proves the facts of an investigation. Evidence is generally used to prove the facts of a case: that a crime was committed, that the suspect committed or did not commit a crime, the order of events during the commission of a crime, and the motive.

The forms of evidence include blood evidence, material trace evidence, fingerprints, private or personal records, public records, drug content, surveillance evidence, confessions and testimony.

During an investigation, two very different roles emerge in the field of forensics. The first role is that of evidence collection. This role requires relatively limited experience, training, and qualifications. An investigator in this role will often travel to the scene of a crime or can be called to prepare evidence for the second role. The second role is that of evidence analysis. Here, evidence is reviewed, assessed, and analyzed for facts and conclusions.

Data Forensics Expert Witness: Facebook Exposes Personal Data!

Unfortunately, this is not the first time Facebook has been in the news for its poor handling of data. In July 2012, there was a similar breach where a private security consultant used a piece of code to gather information on over 100 million profiles. This was not seen as a hot topic issue because the information gathered was not secured by the user, and was therefore in the public domain. But it does bring up some interesting points which many users seem to forget when they surf or post to social media.

For any social media sites, you should follow these rules:

Rule #1: Do not post private information on the internet, regardless of security or visibility options. If you are not comfortable with sharing your location with 1.1 billion users, it is strongly recommended you avoid posting that information. Be wary of who might use your profile against you.

Rule #2: Try to keep separate social media profiles for work and personal use. LinkedIn and Facebook are perfect examples. LinkedIn, while useful for businesses, is not geared towards someone looking to keep in touch with friends and family. Facebook is useful for both business and personal use. But keep in mind it is first and foremost a personal website.

Rule #3: Check your privacy settings. Facebook in recent years has really stepped up their game on how best to protect personal user data. One can now determine which posts and pictures can be seen by whom. You may decide you want your friends to see your new car, but do not necessarily want your jealous ex to know. This is done by simply changing the visibility setting on each post. It can also be done globally if you prefer.

Rule #4: The internet does not forget. Remember the ‘accidental’ drunken photo you posted online and thought you deleted? Odds are that somewhere out there remains a copy someone snagged before it was taken offline. This and other posts you might have created could be used against you in a malicious manner. Think before posting. In other words: ‘Never post anything you don’t want printed on the front page of the paper.’

An amusing case to end on. A Wisconsin man claimed he could not pay child support. Yet he posted several pictures on his Facebook page showing him with several hundred dollars in cash. Needless to say, he is likely re-examining how best to protect his data as the judge at his hearing was not amused. He probably takes the phrase “think before you post” a little more seriously now.

Forensics For Technology – What Is It?

Forensics technology has become a broad field of investigation that refers to the scientific evidence used in criminal cases. It involves the scientific collection of physical evidence and its analysis. There are many new aspects of this type of technology geared toward evidence or establishing facts to be used in civil or criminal proceedings.

One of the technical areas that has much to offer is digital software. Criminals and terrorists have the opportunity to use a wide variety of electronic devices in their crimes. As crimes with a digital component are on the increase, it is necessary for law enforcement to have the equipment to counter these crimes. Digital forensic software has the capacity to recover data from a computer that has been reformatted or repartitioned.

Other applicable software programs:

• A program capable of wiping a hard drive clean

• Spy-type software that can locate hidden partitions, quickly process large hard drives, and more

• Images can be compressed into “flat” images from floppy disks for analysis

• A “partition manager” that examines all partitions on a hard drive and can switch them around or even hide them

• A new write blocker program protects computer information more effectively than past programs

The science which interprets image content is forensic image analysis. Several companies have produced efficient equipment that cuts costs and speeds up investigations. The equipment is designed to do comparison photography, analyze the content, perform photogrammetry (using photographs to make measurements) and authenticate the image. Through a variety of techniques, metadata, pixel aspect ratios, and errors are used to extract information from video, photographs and animations. This is effective even when an individual has attempted to cloak the evidence.

One of the newer tools is video forensics, which is primarily the scientific examination and evaluation of multimedia evidence in legal matters. The goal of this technology is to produce an accurate picture of evidence for a judge and jury to help determine the verdict in a civil or criminal case. In addition, this technology uses processing techniques to enhance video footage, refine grainy photographs, and enhance a particular person or object in video footage, and it converts digital video into specific formats for forensic analysis. This type of work is important in solving cases for law enforcement, security, surveillance and even military operations.

Data recovery is a process used for legal purposes to retrieve data from computers. It is much more difficult to erase all the information from a computer than most people realize. The purpose of data recovery is to retrieve lost or deleted information. The data is mined using a process of collection, analysis, and then preservation. With the successful completion of these steps, the computer expert will have the lost data to present to the court. This technology may be used in civil or criminal proceedings to provide evidence for the court.

If “forensic” describes evidence that can be used in court, then it must also cover the technology and science necessary to provide this evidence. A forensic investigation is conducted in a lawful manner, establishing facts and evidence that have been thoroughly examined, keeping in mind the chain of custody, to be presented in a courtroom. Subdivisions that exist under this area of investigation are firewall forensics, database forensics and mobile device forensics.