Digital Forensics

Core activities

The Digital Forensics field of expertise is described below.

Experts within the Digital Forensics field of expertise deal with digital material. Digital material covers all manifestations, input, output and processing of digital systems. A digital system processes information in discrete units. This contrasts with an analogue system, in which information is represented continuously. Digital material can occur in various sources, and the Digital Forensics field of expertise is characterised by a growing number of potential sources. This can be software, hardware or a combination of both.

Digital Forensics seeks to examine, depending on the precise question posed, whether discovered digital evidence can be linked to natural persons. In order to achieve this, an expert will in principle carry out a reconstruction of how digital evidence ended up on the material to be examined.

Experts in the Digital Forensics field of expertise are in principle able to carry out every phase of Digital Forensics (data collection, data examination and data analysis) themselves. An expert can have parts of the data collection, data examination or data analysis phases carried out by someone else.

The activities which fall within the Digital Forensics field of expertise are:

1. Data collection: Data collection involves the correct preservation (e.g. by copying) of digital data sources. Collection either means securing the original or taking a forensic copy of the data. Preservation implies the digital evidence is preserved so that it can be collected later (if necessary). For example, a company can be asked to preserve existing backup tapes by ensuring they are no longer recycled. If necessary they can be collected later.

Knowledge of the following areas, amongst others, is crucial in this phase: digital storage media (hard disks, multimedia memories etc.), data communications, mobile phones, and embedded digital devices. An expert must be familiar with the various collection options, and he must be able to assess which collection option should be applied to a specific case. The expert must also have knowledge of the possible locations where evidence might be found. Finally, the expert needs to know what knowledge and/or skills are required in order to safeguard evidence and minimise the impact on the source material.

2. Data examination: Data examination relates to the investigation of forensic images of digital data sources in order to find potential evidentiary data, without interpreting the resultant findings in the context of the case. It may thereby be possible that the expert sets up their own experiment. In this phase the expert must be able to differentiate which evidence may and may not be relevant, and the expert must make this evidence suitable for in-depth analysis.

3. Data analysis: Data analysis involves the analysis, reconstruction and interpretation of the evidence obtained from the digital data sources, and providing a qualitative opinion on that evidence. In this phase the expert must be able to make a substantiated assessment. Interpreting is the crucial activity that sets data analysis apart from data examination.

Boundaries of the field of expertise

It is important that an expert is able to identify the limits of his expertise and act accordingly. This means that an expert must be able to recognise immediately that his own expertise or specialism is not adequate to carry out the digital forensic examination.

Interpretation that extends outside of the digital field does not come under the Digital Forensics field of expertise. Examples of activities that emphatically do not come under the Digital Forensics field of expertise are:

  • Identification and comparison of persons and/or objects that might be visible on image fragments
  • Interpreting what might be audible on audio fragments
  • Interpreting what might be possible with an electronic analogue circuit
  • Measurements in (image) fragments
  • Photogrammetry: determine the position/velocity of the vehicle
  • Facial comparison: is the robber the same person as the suspect?