It is common for a digital forensic examiner to be asked two questions upon divulging job title. The first of these questions is almost always “What is that?” After a brief explanation of examining digital media for evidence, the first question is usually followed up with, “Is that like CSI then?”
The truth is that there are several elements of forensic science as portrayed in the media that do apply to digital forensics. The term “forensic” is increasingly used and possibly increasingly misunderstood. The word traditionally means “backward looking” and that’s exactly what we do. We get an idea of how digital equipment has been used to fulfil a purpose, whether genuine or nefarious.
Forensic science has always been about the ability to prove something in a legal setting. Forensic work of any description, whether it is DNA testing, fingerprint analysis or examining hard drives, involves a scientific test that can be reproduced by anyone with suitable training and capabilities. Ideally this happens in such a way that the original evidence remains as close to its original state as possible. With this in mind, digital forensics is perhaps one of the purest forms of forensic science; It is possible (and usually essential) to gain useful data from evidence without changing the original exhibit at all. This is possible because devices exist that can connect to a computer hard drive in such a way as to allow the viewing of data whilst preventing any data from being sent to the drive.
All subsequent examinations are undertaken on a copy of the original digital data, once that copy has been verified as being accurate, containing identical data. When items of value are identified, these can be provided in various report formats to suit the needs of a client in pursuing their case. The original computer can then be presented as evidence if required with its contents completely unaltered since the item was submitted for examination.
A follow-up question is, “What kind of items do you examine?” Examples of items we’ve examined include the obvious, such as laptops, desktop computers, mobile phones, tablet computers and their multiple add-on devices. The list is also extensive enough to include CCTV systems, cash registers, wireless routers, games consoles, digital television recorders and satellite navigation devices.
The examination of satellite navigation devices has progressed significantly in recent months and enables us to examine most makes and models for data relating to home destinations, previously visited destinations, planned routes and any saved locations and points of interest.
Mobile phone examinations are becoming increasingly useful in the majority of investigations. Whereas the data recovered from mobile phones once consisted of call logs, contact details and text messages, mobile phones can now hold substantially more information. The popular Apple iPhone can be used to do everything from ordering food and finding your car to purchasing online and tracking parcels. With thousands of applications available to the general public for a phone such as this, the capabilities of data retrieval from the iPhone are substantially more than a basic mobile phone, creating the term "smartphone" to describe the capabilities of such devices. The iPhone is by no means alone these days. Google's Android-powered phones and Microsoft's Windows Phones are competing in the smartphone market and using the number of "apps" as major selling points. As the capabilities of modern day phones increase, so does the amount of data available to a mobile phone examiner.
The recovery of deleted data from a mobile phone was once believed to be a pipedream. This is no longer the case. Industry leading forensic tools provide more and more methods for the recovery of data from mobile phones that was not possible in previous months or years. It is fair to say the examination of mobile phones has moved on at an impressive pace over the past three years.
With games consoles growing in storage capacity and functionality, these devices can also be a good source of important information. Users of these games consoles can communicate with others and browse the internet. Capabilities increase further when consoles are modified by their users to perform almost any action that can be undertaken on a home PC.
The question has been raised in Courts over the years about the reliability of digital evidence. Such evidence has passed every test, now that the this evidence has been proven as being more than four times more reliable than fingerprint evidence in terms of its accuracy and reliability. Courts tend to accept the validity of our standard methods of forensically copying hard drives, memory cards and other forms of digital evidence when tried and tested forensic methods have been used.
