Digital Forensics

Digital forensics is the practice of collecting evidence from computer systems to a standard that will be accepted in a court of law.

digital evidence is latent
- means that the evidence cannot be seen with the naked eye
- must be interpreted using a machine or process
- e.g., like DNA or fingerprints
formal steps must be taken to ensure the admissibility of digital evidence in court
- requires
  - physical evidence
  - documentation showing how evidence was collected and analyzed
    - without tampering or bias
two categories of incident investigations:
- legal investigations
- internal investigations
  - can turn into legal

Digital Forensics Process

A forensic investigation includes the following four phases:

Identification
- Ensure that the scene is safe
  - Threat to life or injury takes precedence over evidence collection
- Secure the scene to prevent contamination of evidence
- Record the scene using video
- identify witnesses for interview
- Identify the scope of evidence to be collected
Collection
- Ensure authorization to collect the evidence using tools and methods that will withstand legal scrutiny
- Document and prove the integrity of evidence as it is collected
- ensure that it is stored in secure, tamper-evident packaging
Analysis
- Create a copy of evidence for analysis
  - ensure the copy can be related directly to the primary evidence source
- integrity of evidence copies are verified by generating hashes of the files on a recurring basis in order to detect any unintended changes
- Use repeatable methods and tools to analyze the evidence
- Analyze evidence using tools which are known to produce trustworthy and legally defensible results
  - tested forensic tools is available from NIST: https://www.nist.gov/itl/ssd/software-quality-group/computer-forensics-tool-testing-program-cftt
Reporting/Presentation
- create a report of the methods and tools used
- present findings and conclusions in accordance to the specific reporting requirements necessary