Technology touches just about everything people do. People communicate, make plans, shop, and find information on the web using a range of electronic devices. These include personal computers, laptops, tablets, and cellphones. This is why computer forensics has quickly become a routine aspect of the investigation process.
From the standpoint of law enforcement, it’s almost impossible to find a case today that doesn’t involve computer technology. It’s not unusual to find evidence of crime linked to a cell phone or laptop, sent by email, shared on social media, or kept in the cloud.
Police and investigators no longer need to depend on surveillance and interviews to help carry their investigations forward. By gaining access to digital devices, they’ll have hard data concerning a person’s online activities, personal interests, financial data, messages, thoughts, secrets, and records of contacts.
But what, exactly, is computer forensics? What are the steps in the digital forensic process?
Computer or digital forensics involves the collection and preservation of evidence from a specific computing device. It makes use of investigation and analytical procedures for the purpose of making the evidence suitable for presentation in court or legal proceedings.
The goal of computer forensics investigators is to perform a structured investigation and preserve a documented chain of evidence. This way, they can try to figure out exactly what transpired on a computer (or cellphone, laptop, or tablet) and the person or people responsible for certain activities on the device.
Steps in a Computer Forensics Investigation
Like any investigative process, a computer forensics investigation follows a systematic method designed to reveal crucial evidence needed in a criminal inquiry.
Below are the usual steps in the conduct of a digital forensics investigation:
1. Assessment of Evidence
The evaluation of potential computer evidence in a crime is an important aspect of the investigative process. A digital forensics investigator must possess a comprehensive grasp of the circumstances of the case at hand, as this is critical to effective evidence processing.
For example, if a law enforcement agency wants to prove that a person accused of bank armed robbery worked with an insider in committing the alleged crime, computer forensics investigators would go through cellphones, hard drives, email accounts, and other digital repositories with a fine-toothed comb. This way, they can find and assess any information that could be used as evidence showing the accused worked in collusion with parties working in the bank.
2. Acquisition of Evidence
After assessing the evidence, creating a forensic image (aka imaging) of it is the crucial next step. The imaging process is similar to copying evidence, except that it captures critical information such as metadata and data in unallocated space in addition to all evidence data (e.g., files and folders). This step is done to prevent any type of interference or tampering with the original evidence.
3. Preservation of Evidence
After imaging or a forensic picture has been made, the original evidence can be maintained in a secure location away from unauthorized individuals. The priority here is to ensure the evidence is kept intact, secure, and safe from humidity, extreme temperatures, tampering, and any other elements that could modify or harm it in any way.
4. Examination of Evidence
Digital forensics investigators customarily analyze and interpret data from specific archives using a range of methodologies and approaches. These could include utilizing specialized software to sift through massive collections of data for specific keywords or file types, and procedures for the retrieval of recently deleted files.
Of particular value to investigators is data containing times and dates, as well as suspicious files or programs that have been encrypted or purposefully hidden.
5. Documentation and Reporting
Computer forensic investigators are expected to maintain an accurate record of all activities related to an investigation. This entails accounting for all methods used to collect and store data. Any actions taken to acquire, examine, and assess evidence, and to fully document hardware and software specs-related information should also be included.
This is crucial for demonstrating how the integrity of user data has been meticulously kept. It also shows that all parties have followed protocol. Since the goal of the entire process is to collect evidence that’s admissible in a court of law, an investigator’s failure to adequately document their work could jeopardize the validity of the data or findings, as well as the case outcome.
Work with the Pros at Barefoot Private Investigations
Computer forensics investigations are now a necessary factor in criminal inquiries. However, to ensure the information gathered is admissible in a court of law, certain steps need to be followed in the identification, collection, preservation, analysis, and documentation of evidence.
Need help with gathering digital forensics evidence for a case or investigation?
We’ll be glad to help.