Digital Forensics
A Working Definition of Digital Forensics
Digital forensics involves skilled investigators identifying, preserving, analyzing, documenting, and presenting data found on digital devices like computers and smartphones. While the term originally referred to criminal investigations focused on using digital evidence in legal cases, it has broadened to encompass various types of investigations in recent years. The main objective of digital forensics is to maintain the integrity of the evidence while uncovering information that helps reconstruct past events, revealing not only how they happened but also why they unfolded in that particular way.
An Overview of the Forensic Investigation Process
Identification
Detect evidence found on digital devices.
Preserevation
Extract and safeguard data by creating a forensic image of the device(s).
Analysis
Rebuild the event’s narrative based on the data at hand.
Documentation
Record the story and the supporting evidence behind it.
Presentation
Share the narrative and supporting evidence with the relevant party.
Step One: During the identification process, the investigator (or team) must determine the evidence available on the device, its storage location, and the format in which it is stored.
Step Two: Preservation involves isolating, securing, and maintaining the data, while creating a copy or image for analysis and investigation. This process, referred to as “imaging” a device, ensures that the original evidence is preserved in its unaltered state, making it admissible in court.
Step Three: In the analysis phase, the forensic investigator pieces together data fragments to form a comprehensive narrative of the events surrounding the crime (or the matter under investigation).
Step Four: During the documentation process, the investigator compiles a record of the data that will be presented in court or any other venue where the investigation is being concluded.
Step Five: In their presentation, the investigator uses the documentation to clearly and persuasively outline the conclusions they have reached regarding the event in question.
Key Concept: Chain of Custody
The “chain of custody” is the procedure for managing physical or digital evidence during an investigation. To be legally admissible in court, evidence must be shown to have been handled through an unbroken chain of custody. This process tracks how, when, and by whom the items were collected, handled, analyzed, or otherwise managed throughout the investigation.
Forensics in Action: The OJ Simpson Case
Any gaps in the chain of custody can lead to evidence being deemed inadmissible. In the high-profile OJ Simpson murder trial, several pieces of evidence, including blood samples connecting Simpson to the crime scene, were held by officers for extended periods before being properly logged into the chain of custody. This oversight gave the defense an opportunity to suggest that the evidence could have been planted or tampered with, creating doubt in the minds of the jurors.
