In general, the goal of digital forensic analysis is to identify digital evidence for an investigation. An investigation typically uses both physical and digital evidence with the scientific method to draw conclusions.
Examples of investigations that use digital forensics include computer intrusion, unauthorized use of corporate computers, child pornography, and any physical crime whose suspect had a computer.
3 Phases of Digital forensics
Digital forensics has three major phases:
- Acquisition
- Analysis
- Presentation
Acquisition Phase of Digital forensics
The Acquisition Phase saves the state of a digital system so that it can be later analyzed. This is analogous to taking photographs, fingerprints, blood samples, or tire patterns from a crime scene. As in the physical world, it is unknown which data will be used as digital evidence so the goal of this phase is to save all digital values. At a minimum, the allocated and unallocated areas of a hard disk are copied, which is commonly called an image. Tools are used in the acquisition phase to copy data from the suspect storage device to a trusted device. These tools must modify the suspect device as little as possible and copy all data.
Analysis Phase of Digital forensics
The Analysis Phase takes the acquired data and examines it to identify pieces of evidence. There are three major categories of evidence we are looking for:
- Inculpatory Evidence: That which supports a given theory
- Exculpatory Evidence: That which contradicts a given theory
- Evidence of tampering: That which can not be related to any theory, but shows that the system was tampered with to avoid identification This phase includes examining file and directory contents and recovering deleted content. The scientific method is used in this phase to draw conclusions based on the evidence that was found.
Presentation Phase of Digital forensics
The Presentation Phase though is based entirely on policy and law, which are different for each setting. This phase presents the conclusions and corresponding evidence from the investigation. In a corporate investigation, the audience typically includes the general counsel, human resources, and executives. Privacy laws and corporate policies dictate what is presented.
