THE BASICS OF DIGITAL FORENSICS

© 2022 Exterro, Inc. // exterro.com PAGE 1


CHAPTER 1: What Is Digital Forensics?

A Working Definition of Digital Forensics

Digital forensics is the process through which skilled investigators identify, preserve, analyze, document, and present material found on digital or electronic devices, such as computers and smartphones. Originally the term applied primarily to criminal investigations, focusing on the use of digital evidence in the prosecution of a crime, but in recent years it has expanded to include many other types of investigation. The goal of a digital forensics investigation is to preserve the evidence as it exists while also uncovering information that helps the investigator reconstruct past events and understand not just how, but also why, they occurred the way they did.

National Institute of Standards and Technology Definition of Digital Forensics

In its strictest connotation, [digital forensics is] the application of computer science and investigative procedures involving the examination of digital evidence - following proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possibly expert testimony.

The Difference between Digital Forensics and E-Discovery

E-Discovery and digital forensics share many critical elements. Both attempt to identify and preserve electronic information, often for a matter of litigation. But differences emerge rapidly after that. In e-discovery, the information is preserved and collected, but then it is passed on to legal experts for analysis and use in the course of resolving a civil matter. There are occasions when conducting e-discovery may require the use of digital forensic techniques, but more often than not the standards required by civil litigation are lower than those necessary for a criminal investigation.

Originally, digital forensics was mainly the domain of law enforcement professionals investigating the digital fingerprints left behind while committing a crime. In digital forensics, the investigator who isolates and preserves the digital information proceeds to analyze it, using it to tell the story of what happened in the event in question. In the past few years, though, private sector forensics professionals increasingly conduct investigations of data breaches, cyber-incidents, regulatory/compliance infractions, or human resources violations for private enterprises.

Differences between E-Discovery and Digital Forensics

  E-Discovery                          Digital Forensics
  -----------------------------------  -------------------------------------------
  Civil litigation                     Criminal trials
  Historically private sector          Historically public sector
  Data passed to legal expert          Data collected and analyzed by investigator
  Preserve then collect data           Duplicate (image) data then analyze
  “Defensibility” standard             “Forensically sound” standard

The Goals of Digital Forensics

At a technical level, the goal of digital forensics is traditionally defined (including by the US government Cybersecurity and Infrastructure Security Agency, CISA) as “to identify, collect, preserve, and analyze data in a way that preserves the integrity of the evidence collected so it can be used effectively in a legal case.” There is broad consensus on the technical goal, as Interpol, the International Criminal Police Organization, offers a very similar definition: “to extract data from the electronic evidence, process it into actionable intelligence and present the findings for prosecution. All processes utilize sound forensic techniques to ensure the findings are admissible in court.”

The Interpol definition of digital forensics makes clear a key distinction between forensics and e-discovery: the focus on preserving evidence so it is admissible in court. Typically, forensic investigators work on images, validated duplicates of the material present on the original device, rather than working with the original or “live” systems.


Non-technically speaking, the goal of the digital forensic process is to understand what happened, when, and why, based on the evidence found on any given digital device. As Gus Dimitrelos of CyberForensics.com, with over 25 years of digital forensic investigatory experience, explained on a recent episode of the FTK Over the Air podcast, “The binary data doesn’t care about innocence or guilt. It gives you the information that you need to make your expert conclusions.”

Digital Forensics and Cybersecurity

Digital forensics and cybersecurity share much in common, as the skill sets and knowledge required for both are very similar. But there is a crucial distinction. Cybersecurity’s focus is protecting data and electronic systems and preventing intrusions or criminal activity from happening; digital forensics focuses on understanding what happened after a cybersecurity event or crime. While private sector cybersecurity and digital forensics teams often work together in the same larger line of business (usually information technology), their focus and goals are very different.

Digital Forensics in Action: Solving the BTK Murders

One of the most famous digital forensic investigations was the investigation that led to the conviction of Dennis Rader for 10 murders that occurred in the Wichita, Kansas, area between the mid-1970s and the early 1990s. In 2004, the case was considered a “cold case.” Rader began communicating with local media using the alias “Bill Thomas Killman,” a reference to the “bind, torture, kill” modus operandi he had used in the murders.

After a series of communications with various media outlets, Rader sent a floppy disk (remember those?) containing his writings to the police; unbeknownst to Rader, it still contained artifacts of a Microsoft Word file. Metadata from the document indicated its source was Christ Lutheran Church and that an author named “Dennis” had last modified the document. Investigators were able to determine that Dennis Rader was president of the church council at Christ Lutheran Church in Wichita, eventually arresting him for the crimes, to which he pleaded guilty in 2005.


For more examples of how digital forensics plays a critical role in law enforcement, read the following Exterro FTK® case studies:

» LaPorte County Prosecutor’s Office Relies on FTK Lab to Help Prosecute Criminals in Child Exploitation Cases
» Aurora Police Department Relies on FTK® to Collect Key Digital Evidence in Tragic Colorado Movie Theater Mass Shooting

The Digital Forensics Process

The digital forensic process entails five steps: identification, preservation, analysis, documentation, and presentation. While the next chapter of the Basics of Digital Forensics will dig deeper into each of these steps, we’ll quickly summarize what happens in a digital forensic investigation below.

IDENTIFICATION  Identify evidence present on digital devices
PRESERVATION    Isolate and preserve data in a forensic image of the device(s)
ANALYSIS        Reconstruct the narrative of the event using available data
DOCUMENTATION   Document the narrative and the evidence supporting it
PRESENTATION    Present the narrative and evidence to the court or other responsible party

Identification is the first step in any digital forensic investigation. The investigator (or investigating team) must identify what evidence is present on the device, where it is stored, and what format it is stored in. Digital evidence can come in any variety of formats (text messages, emails, images or video, web search histories, documents, transactions, etc.) and on a variety of devices, including computers, smartphones, tablets, fitness trackers, and more. Forensic investigators are also particularly interested in a device’s behind-the-scenes data, or ‘artifacts’: things like operating system data, registry files, Amcache files, SRUM data (system resource usage), and power logs, which help piece together the device user’s every action.

Preservation follows identification in digital investigations. Preservation focuses on isolating the data, securing it, and preserving it, while creating a copy, or image, that can be analyzed and investigated. This is critical in digital investigations, since the actual evidence must be preserved in its original form to be considered admissible in court. This requirement defines much of the distinction between digital forensics and other forms of investigation. No one may use or tamper with the original device; to do so would render it useless in a criminal trial. The image is validated against the original by hashing both, and the recorded hash is what later lets an examiner (or opposing counsel) confirm that the copy being analyzed is still the copy that was acquired.

Analysis is the stage of a digital forensic investigation in which the forensic scientist (or investigator) reconstructs the fragments of data and creates a holistic narrative of what happened during the crime (or matter being investigated). Forensic experts rely on the evidence, first and foremost, but also on their experience and expertise. It may often take multiple efforts and examinations to arrive at a satisfactory theory of the crime that happened.

Documentation prepares a record of the data to be presented in court (or in whatever other venue the investigation is being resolved). It is a narrative recreation of the events in question, linked with the evidence supporting the theory, that should be compelling to an outside party charged with determining guilt or innocence.

Presentation is the final stage of the digital forensic process. The investigator uses the documentation to explain the conclusions they have drawn about the event in question. Whether the conclusion is presented in a courtroom or in a written report, the investigator must translate their expert conclusions into a comprehensible narrative that a non-expert can understand and judge for themselves based on the details and evidence presented.
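The preservation, analysis, and documentation steps above, together with the earlier point that examiners work on validated images rather than live systems, all rest on one mechanism: copy every byte of the source, hash the source and the copy independently, record the hashes, and re-verify the copy before each use. The Python below is an added illustration written for this page, not Exterro or FTK code. The "device" is a constructed in-memory byte string standing in for a floppy or disk (real acquisitions read the physical device through a write blocker into a raw or E01 image), and the examiner name and case ID are placeholders. It runs offline.

```python
"""Forensically sound acquisition in miniature (added example, not FTK code)."""
from __future__ import annotations

import hashlib
from datetime import datetime, timezone

CHUNK = 4096  # imaging tools copy and hash in fixed-size blocks, never whole-disk at once

# Constructed sample "device" (not real data): a live document followed by an
# unallocated region that still holds fragments of a deleted file, the kind of
# leftover artifact the BTK floppy carried.
SAMPLE_DEVICE = (
    b"LETTER.DOC: Sample letter text.\x00" * 8
    + b"\x00" * 64
    + b"[deleted] Author: Dennis  Company: Christ Lutheran Church\x00"
    + b"\x00" * 128
)


def hash_bytes(data: bytes) -> dict:
    """MD5 and SHA-256 of data, computed chunk-wise as on a large disk.
    Both are recorded because tools and courts differ in which they expect;
    the byte count is kept as a cheap sanity check on a complete copy."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    view = memoryview(data)
    for off in range(0, len(view), CHUNK):
        block = view[off:off + CHUNK]
        md5.update(block)
        sha.update(block)
    return {"length": len(data), "md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def acquire(device: bytes, examiner: str, case_id: str) -> tuple[bytes, dict]:
    """Preservation: bit-for-bit copy of the source into an image, then hash the
    source and the image independently. Matching hashes are the evidence that
    the copy is complete and that the original was not altered while imaging."""
    image = bytes(device)  # the source is only ever read, never written
    source_hashes = hash_bytes(device)
    image_hashes = hash_bytes(image)
    record = {  # documentation: the acquisition entry for the chain-of-custody log
        "case_id": case_id,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "source": source_hashes,
        "image": image_hashes,
        "verified": source_hashes == image_hashes,
    }
    return image, record


def verify(image: bytes, record: dict) -> bool:
    """Re-hash the working image against the acquisition record. Run before
    every analysis session and again before presenting findings."""
    return hash_bytes(image) == record["image"]


def search_image(image: bytes, needle: bytes) -> list[int]:
    """Analysis is done on the image, never the device: return every byte
    offset where needle occurs, including inside unallocated/deleted space."""
    offsets, start = [], 0
    while (i := image.find(needle, start)) != -1:
        offsets.append(i)
        start = i + 1
    return offsets


def tamper(image: bytes, offset: int) -> bytes:
    """Flip one bit at offset: stands in for any accidental or deliberate change."""
    buf = bytearray(image)
    buf[offset] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    img, rec = acquire(SAMPLE_DEVICE, examiner="J. Doe", case_id="2022-0001")
    print("acquisition verified:", rec["verified"], "sha256:", rec["image"]["sha256"])
    print("'Dennis' found at offsets:", search_image(img, b"Dennis"))
    print("pristine image verifies:", verify(img, rec))
    print("tampered image verifies:", verify(tamper(img, 300), rec))
```

A single flipped bit anywhere in the image changes both digests, which is why the hashes in the acquisition record, not the image file itself, are what an examiner points to when asked whether the evidence analyzed is the evidence seized. MD5 is still widely recorded for compatibility with older tooling, but because practical collision attacks against it exist, SHA-256 (or another current hash) should be recorded alongside it so the integrity claim does not rest on MD5 alone.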

What is a digital forensic toolkit?

Since digital forensics is a highly technical endeavor, forensic investigators require professional-level technology to conduct their investigations in a manner that is “forensically sound,” that is, compatible with the requirement to preserve the original data while working on an identical image to determine what the evidence proves. Because the evidence is digital, most of the tools investigators use are software applications (hardware write blockers and imaging devices fill the remaining niche of reading a drive without altering it). The applications help investigators throughout the process; they may be used to:

» Preserve data
» Identify data
» Extract, copy, or image data
» Analyze data
» Document or present data to laypersons


Digital Forensic Software Types

» Disk capture
» Data capture
» Email analysis
» File analysis
» File viewers
» Internet analysis
» Mobile device analysis
» Registry analysis
» Network forensics
» Decryption
» Password crackers
» File restoration
» Drive defragmentation

Digital forensics tools can fall into many different categories, including disk
and data capture, email analysis, file analysis, file viewers, internet analysis,
mobile device analysis, network forensics, and registry analysis. They may help
investigators decrypt encrypted data, crack passwords, and recover deleted files.
Digital forensic tools may be specially crafted to work with computer data, mobile
phone data, or both.

What Are Jobs in Digital Forensics?


The best-known jobs in digital forensics are in the public sector—helping local,
state, and national-level police and law enforcement agencies
solve crimes by analyzing the digital footprint left behind. After all,
it has been said that “in terms of crime today, virtually every crime has a digital
footprint.” That means almost any police agency can benefit from having
professionals capable of securing, preserving, identifying, and analyzing digital
evidence. Not all of these professional roles need be full officers of the law—they
can also be lab technicians, analysts, and even programmers working behind the
scenes to solve crimes.

But today, more and more private sector organizations need forensic investigatory
capabilities. Whether they are media or journalistic outlets looking to break
stories, or enterprises that need to understand what happened in a cybersecurity
event or a regulatory compliance violation, they need investigators capable
of completing thorough, defensible, forensically sound investigations. Not all
private sector investigators come from law enforcement agencies—although
many do, as discussed in episode 14 of FTK Over the Air. Educational institutions
also train undergraduate and graduate students in digital forensics technology
and techniques, creating future generations of cybersecurity and digital forensic
professionals for both the public and private sectors alike.

Check out two recent Exterro FTK Case Studies to learn how students are using FTK in Austria and Louisiana to prepare for their professional careers.
