Computer forensics is the application of computer investigation and analysis techniques to determine potential legal evidence. Evidence might be sought in a wide range of computer crime or misuse, including but not limited to theft of trade secrets, theft or destruction of intellectual property, and fraud. Since forensic science is the application of a scientific discipline to the law, the essence of every forensic discipline lies in the principles applied to the detection, collection, preservation, and analysis of evidence so that it remains admissible in legal proceedings. Computer forensics refers specifically to the tools and techniques used to recover, preserve, and examine data stored or transmitted in binary form.
The computer forensics specialist must approach the retrieval process in a very detailed and methodical manner, since any or all of the evidence discovered can later be used during discovery, depositions, or actual litigation. Ryan Purita, one of the leading computer forensic experts in private practice in Canada, states: "In order for results to hold up in court, the file system under investigation must remain unaltered. If a single file has a time stamp later than the date and time that the file system was surrendered as evidence, an opposing lawyer can call the entire investigation into question. You screw one little thing up, and everything else is gone in the case." Erin Kenneally echoes the importance of evidence collection and the meticulous, calculated steps that must be taken during its retrieval: "Whereas DNA analysis is performed on the original blood evidence, maintaining the sanctity of original evidence is a tenet of computer forensics, and analysis must be conducted on a copy of the original media (with a few, notable exceptions where circumstances preclude a copy being made)." And further: "Regardless of whether the discipline is computer forensics or fingerprinting, the driving question is not whether evidence exists but, rather, can investigators uncover and contextualize the evidence. Therefore, the challenges are: Where to look? What techniques will make the evidence apparent? And is the evidence admissible?"
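The two requirements quoted above, that analysis be done on a verified copy of the original media and that no file on the surrendered file system carry a time stamp later than the surrender time, can both be checked mechanically. The following script is an added example written for this page, not code from Purita, Kenneally, or the original post. It hashes the original and a working copy with SHA-256 to prove the copy is faithful, then walks an evidence tree and flags any file whose modification time post-dates an assumed surrender time. The evidence tree, its file contents, and the surrender time of 2024-03-01 12:00 UTC are all constructed for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so a large image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def copy_is_faithful(original: Path, working_copy: Path) -> bool:
    """A working copy is only fit for analysis if it hashes identically to the original."""
    return sha256_of(original) == sha256_of(working_copy)


def files_modified_after(root: Path, surrendered_at: datetime) -> list[str]:
    """Return paths (relative to root) whose mtime is later than the surrender time.

    Any hit is the situation Purita warns about: a time stamp that post-dates the
    moment the file system was handed over as evidence.
    """
    cutoff = surrendered_at.timestamp()
    flagged = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            if p.stat().st_mtime > cutoff:
                flagged.append(str(p.relative_to(root)))
    return sorted(flagged)


def build_constructed_evidence_tree(surrendered_at: datetime) -> Path:
    """Constructed sample data: one file touched before surrender, one touched after."""
    root = Path(tempfile.mkdtemp(prefix="evidence_"))
    one_hour = 3600
    samples = [
        ("invoice.docx", b"quarterly invoice (constructed)", surrendered_at.timestamp() - one_hour),
        ("notes.txt", b"edited after seizure (constructed)", surrendered_at.timestamp() + one_hour),
    ]
    for name, content, mtime in samples:
        p = root / name
        p.write_bytes(content)
        os.utime(p, (mtime, mtime))  # set atime and mtime explicitly
    return root


def demo() -> dict:
    # Assumed surrender time; in practice this comes from the chain-of-custody record.
    surrendered_at = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
    root = build_constructed_evidence_tree(surrendered_at)
    work = Path(tempfile.mkdtemp(prefix="working_copy_"))  # kept outside the evidence tree
    try:
        original = root / "invoice.docx"
        working_copy = work / "invoice.docx"
        shutil.copy2(original, working_copy)  # copy2 preserves timestamps as well as bytes
        verified_before = copy_is_faithful(original, working_copy)

        # Simulate careless analysis that writes into the working copy; the hash no longer matches.
        with open(working_copy, "ab") as f:
            f.write(b"\n")
        verified_after = copy_is_faithful(original, working_copy)

        return {
            "copy_verified": verified_before,
            "tampered_copy_verified": verified_after,
            "flagged": files_modified_after(root, surrendered_at),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The working copy is deliberately placed outside the evidence tree: writing analysis output into the seized file system would itself create the post-surrender time stamps the scan is looking for. Record the original's hash at acquisition time and re-check it after every analysis session, since the hash is what lets you show in court that the original was never touched.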
Although in many organizations the incident response team already performs some evidence-collection activities, the need to collect that evidence and preserve it in a systematic, proactive manner is still an open issue. To be in a position to investigate anti-forensics, organizations need to decide early what information to collect and preserve in a forensically sound manner. Live (proactive) forensic investigations are hindered by the lack of an agreed definition of live forensics and of standard procedures for live investigations. The authors further suggest automating the activation of evidence-collection tools in live investigations; this automation should involve minimal user intervention in order to improve the integrity of the evidence. On that basis a multi-component view of the digital forensics investigation process has been proposed. However, it is a high-level view of the investigation and, as such, cannot directly be operationalized to create automated tools. Additionally, the process described contains phases, such as service restoration, that lie outside the scope of the investigation.

It would be unwise to depend upon audit trails and internal logs alone in a digital forensics investigation. Note also that a future digital forensics investigation process will only be possible if future tools and techniques make a proactive effort at evidence collection and preservation. Evidence collected in the reactive stage of the investigation is of uncertain quality and availability, and is therefore more time-consuming to investigate. Conversely, the proactive stage collects only potential evidence, which is less time-consuming to investigate. In addition, a high-level proactive forensics system is proposed as the ideal.