Tuesday 18 August 2015

5 STEPS TO CONDUCT A COMPUTER FORENSIC INVESTIGATION

The increase in criminal activity involving electronics warrants a structured approach to investigating criminal and civil cases using computer forensic analysis. Digital forensic analysis is a meticulous process of uncovering data and evidence relevant to the successful resolution of a case. However, deploying digital forensics to aid an investigation demands a team of experienced computer forensic analysts, high-end digital forensic tools and equipment, and an organized lab where recovered evidence can be converted into structured reports, thus helping the effective representation of defendants during trials.
Here is a detailed view of the process to help you understand its role, its limitations and the activities involved if you want to pursue a career in the field.
Selecting a Process of Investigation
Digital forensics has been a part of investigation procedures since 1984, when officials started employing computer programs to uncover evidence hidden in electronic and digital formats. The process has evolved to become more organized, more sophisticated and well equipped with the latest tools and technologies. However, choosing a particular method of investigation is the duty of the digital forensic analyst. A messy process of analysis can lead to the accumulation of random data and inconclusive evidence, directly affecting the outcome of a trial. It is important to construct a design plan, to choose appropriate tools and software for the investigation, and to ensure that not a single step is bypassed or ignored.

Acquisition
Once the case study is completed and a strategy decided upon, the first basic step is the acquisition of data and evidence in the form of digital documents, videos, images, files, financial records, accounts, recent computer activity, browsing history, emails and social media messages. Computer forensic analysts are experts in finding evidence by recovering deleted files, emails and social media activity, tracking and monitoring transactions, tapping into servers and finding relevant data to support an investigation.

A dedicated part of computer forensics also involves retrieving information from cell phones in the form of call records, location information, phonebook details, text messages and other personal details like schedules, appointment details, videos and image files. In this phase the analysts ensure that the evidence is retrieved using methodologies that abide by the law and with the proper approval of authorizing personnel.

Identification
This phase requires analysts to separate the relevant discovery in digital format and convert it into a form easily understood by laymen, judges and juries alike. All the retrieved data can be preserved in the form of raw digital data. The raw data may then be culled and processed. The resulting data can then be organized into well-systematized reports using forensic tools. Organization of the retrieved data is accomplished by using sophisticated forensic tools like Forensic Toolkit (FTK), Mobile Phone Examiner (MPE+) and dtSearch as efficient document search tools.
The relevant data may be hosted on an evidence review platform, accessible via the internet.
Evaluation
This is the most important phase of a digital forensic investigation: it decides whether authentic and conclusive evidence has been discovered and subsequently determines the outcome of the litigation. The forensic analysts strive to find out whether the information obtained is legitimate evidence and whether it can be presented during a trial. The components identified and preserved during the previous phases are correlated, a timeline of events is established, and an inference is drawn that is relevant to the case and provides sufficient support in favor of the defendant. The Evaluation phase is an important element of effective representation of the client since it directly affects the successful resolution of a case.
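The correlation step described above, as an added example that is not part of the original article: artifacts from different sources record time in different formats, so each must be normalized to UTC before a timeline can be ordered. The sample artifacts, source labels and function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Chrome/WebKit history timestamps count microseconds from 1601-01-01 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def from_webkit(microseconds):
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)

def from_unix(seconds):
    # Epoch seconds; always interpret as UTC, never the examiner's local time.
    return datetime.fromtimestamp(seconds, tz=timezone.utc)

def from_email_date(header):
    parsed = parsedate_to_datetime(header)
    if parsed.tzinfo is None:
        # "-0000" or a missing offset: the true zone is unknown, so refuse to guess.
        raise ValueError(f"no usable UTC offset in Date header: {header!r}")
    return parsed.astimezone(timezone.utc)

PARSERS = {"browser": from_webkit, "filesystem": from_unix, "email": from_email_date}

# Constructed sample artifacts (source, raw timestamp, description), deliberately unordered.
ARTIFACTS = [
    ("filesystem", 1439906400, "File created: invoice.zip"),
    ("email", "Tue, 18 Aug 2015 09:58:30 -0400", "Message received with download link"),
    ("browser", 13084379950000000, "Visited download URL"),
]

def build_timeline(artifacts):
    """Return (utc_iso, source, description) tuples sorted by event time."""
    events = []
    for source, raw, description in artifacts:
        when = PARSERS[source](raw)
        events.append((when, source, description))
    events.sort(key=lambda e: e[0])
    return [(w.isoformat(), s, d) for w, s, d in events]

if __name__ == "__main__":
    for row in build_timeline(ARTIFACTS):
        print(" | ".join(row))
```

Keeping the raw timestamp alongside the normalized one in the case notes lets a reviewer re-derive each conversion.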

Admission
The carefully constructed reports and material evidence are of no use if they are discarded in a court of law as "inadmissible evidence". It is therefore imperative that the evidence has been obtained by legal means, with permission from the authorizing entity, and that it is relevant. This lends reliability to the evidence, especially if it has been retrieved by a Certified Computer Forensic Examiner, and ensures that the evidence is admissible at trial.

Computer forensic investigation is a process that requires expertise and years of experience, and the desired results can be achieved only by following a well-defined strategy.