Whether you watch every procedural TV show or occasionally catch a Law & Order rerun, you’ve surely seen the same scene over and over. With their sleeves rolled up and their hopes down, cops are hovering over grainy CCTV footage in a last-ditch effort to solve a case. “Wait a second,” one of them blurts out. “Zoom in.” The digital forensics analyst, in a single click of a button, pulls up a crystal-clear image with a clue that immediately reveals the perpetrator’s identity. “Great job. We got him,” says the lieutenant, breathing a sigh of relief. Cue the handcuffs, courtroom antics, and finally, the bad guy behind bars.
Besides the fact that this isn’t exactly how image analysis works in real life, there’s another issue with this trope.
Between the time a video is recorded and its presentation in court as digital evidence, a million things can go wrong. For the judge or jury to even see it, evidence must be legally admissible, meaning authentic, accurate, and complete. As Aaron Stillman, Head of Product Marketing at Tresorit, explains: “If a protest erupts at an airport and vandalism is caught by security cameras, you’ll probably have to turn the recording over to a lawyer, the authorities, the insurance company, and so on. But you also have to do it in a way that prevents the information from being tampered with and doesn’t break the chain of custody.”
In this article, we’ll take a deep dive into how to do just that, including what digital forensics is, what types of digital evidence can be collected, and what international standards and best practices exist to ensure the proper handling of digital forensic data.
What is digital forensics in cybersecurity? Definition and key considerations
As per the definition of the US National Institute of Standards and Technology (NIST), digital forensics is the field of forensic science that focuses on retrieving, storing, and analyzing electronic data that can benefit criminal investigations.
Traditionally, this involved information from computers, hard drives, mobile phones, and other data storage devices. Most recently, the Internet of Things has become the new frontier in digital forensics, adding a bevy of smart devices, networks, and environments to the mix. Think aerial drones, video gaming consoles, baby monitors, watches, garage doors, refrigerators, smoke detectors, and so on.
Looking back at the history of digital forensics, digital evidence was rarely at the center of a criminal investigation up until two decades ago. Today, it’s involved in nearly 90% of all crimes committed. Another factor driving the demand for digital forensics is the growing number of data breaches in businesses, with 83% of organizations having suffered data compromise in 2022 alone.
Digital forensics analysis is often a slow and labor-intensive process, exacerbated by challenges such as pulling data from damaged or destroyed devices, finding individual items of evidence among large amounts of data, and ensuring that information is captured reliably without being altered in any way.
How does digital forensics work? A very brief introduction to the digital forensics process
The main goal of digital forensics is to extract data from electronic forensics evidence, transform it into actionable intelligence, and present the findings for prosecution, as explained by the Interpol. Sound forensic techniques, tools, and procedures must be applied throughout this process to ensure that the findings are admissible in court.
The digital forensics analysis workflow typically begins with the identification phase, where potential sources of digital evidence are identified. Next, in the preservation phase, this data is carefully protected using a process that maintains its original state and prevents any possible data corruption or loss. This is often achieved by creating digital copies of the storage media.
The examination phase follows, in which the preserved data is methodically analyzed to extract relevant information, including deleted, encrypted, or hidden files. After the examination, the final phase is reporting. This includes detailing the steps taken during the investigation and any conclusions drawn based on the digital evidence, all in a way that is understandable by both technical and non-technical audiences.
Examples of digital evidence: from the most common to the truly bizarre
As previously explained, digital forensics evidence can come from a variety of sources. According to the United Nations Office on Drugs and Crime (UNODC), these mostly fall into the following categories:
- Digital devices, such as computers, external hard drives, flash drives, routers, smartphones, tablets, cameras, and smart televisions
- Internet-enabled home appliances, for example, refrigerators, washing machines, heating and cooling systems, and gaming consoles
- Public resources, including posts and connections on social media platforms, images, chat logs, websites, blog posts, and discussion forums
- Private resources, such as internet service providers’ logs of user activity and cloud storage providers’ records of user activity and content
Ohio resident Ross Compton’s case deserves an honorable mention here, which became the first instance where police officers had used cardiac pacemaker data to corroborate a story. And corroborate it did, leading to two felony charges of aggravated arson and insurance fraud, as reported by The Washington Post.
Beyond law enforcement and criminal justice: how the insurance sector makes use of digital forensics
Digital evidence is crucial for insurance companies in terms of validating claims and making accurate assessments.
For instance, in property insurance, digital photos or video footage from surveillance systems can serve as proof of burglary or damage caused by natural disasters. Another example is liability insurance, where digital records from businesses, such as incident reports or customer testimonials, can be retrieved to verify the circumstances surrounding an accident or injury.
The same goes for workers’ compensation claims. Medical records, accident reports, security footage, and witness statements can be of great help both in verifying the place, time, and extent of workplace accidents and in preventing insurance fraud, such as faking or deliberately prolonging injuries, or collecting benefits while earning an income from a side hustle.
In retail industry-related legal proceedings, digital evidence can again serve as an impartial witness. Data gathered from security cameras, location tracking data from mobile devices, or digital transaction records from point-of-sale systems are hard to dispute when used to prove, say, merchandise loss due to employee theft, vendor fraud, or shoplifting.
The four main branches of digital forensics: a breakdown with definitions and examples
1. Computer forensics
As defined by US Cybersecurity and Infrastructure Security Agency (CISA for short), computer forensic science is the “discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law.”
2. Network forensics
In essence, network forensics refers to the study of data in motion for the purposes of information gathering, legal evidence, or intrusion detection. Using network forensics techniques, it’s possible to recover the original content of emails, IM conversations, web browsing activities, and file transfers from network equipment.
3. Database forensics
Database forensics focuses on identifying, preserving, recovering, analyzing, and presenting facts about information found in databases. Scenarios that might call for database forensics tools include failure of a database, deletion of information from database, inconsistencies in the data of a database, and suspicious behavior of users, according to Infosec.
4. Mobile forensics
Mobile forensics is related to the recovery of digital evidence or data from a mobile device. Information that can be found on mobile devices and used as evidence in criminal proceedings includes, but isn’t limited to, call history, contact list, to-do lists, notes, texts, voicemail messages, historical geolocation data, and Wi-Fi connection information.
From search and seizure to scientific soundness: the legal considerations of digital forensics
While digital forensics can be an invaluable tool for both law enforcement and corporate investigators, legal concerns abound.
First things first, to make sure that digital evidence holds up in court and aids in delivering justice, it must be obtained lawfully. That is, in compliance with relevant search and seizure laws and privacy regulations. For example, the European Public Prosecutor’s Office (EPPO) sets forth different procedures and mechanisms for the collection of e-evidence depending on where the digital evidence is located, controlled, or stored.
The evidence’s journey from the crime scene to the courtroom must be meticulously documented. This process, called the chain of custody, is meant to track the movement of evidence through its collection, safeguarding, and analysis lifecycle. It involves documenting who handled the evidence, when it was collected or transferred as well as the purpose of the transfer.
Additionally, digital forensics experts must apply reliable principles and methods for evidence collection and analysis to achieve admissibility of digital evidence in court proceedings. The ISO/IEC 27041:2015 standard, for example, provides guidance on ensuring the validity and reliability of digital forensic tools and methods, while ISO/IEC 27042:2015 provides a common framework for the analysis and interpretation of digital evidence, points out the UNODC.
Global guidelines and standards for ensuring digital forensic integrity and legal compliance
1. ISO/IEC 27037
This international standard provides guidelines for specific activities in the handling of digital evidence, including identification, collection, acquisition, and preservation.
2. ISO/IEC 27041
This standard details the assurance requirements for the use of methods and processes in the investigation of cybersecurity incidents, including vendor and third-party testing.
3. ISO/IEC 27042
This standard offers guidance and best practices in relation to the analysis and interpretation of digital evidence, focusing on continuity, validity, reproducibility, and repeatability.
4. SWGDE Model Standard Operation Procedures for Computer Forensics
This document serves as a template for organizations, from single-person operations to forensics units and laboratory organizations, to develop their own SOPs.
5. ACPO Good Practice Guide for Digital Evidence
Developed by the UK’s Association of Chief Police Officers, this guide offers guidance on digital evidence handling to both law enforcement and non-law enforcement personnel.
6. Electronic Evidence – A Basic Guide for First Responders
Good practices for computer emergency response teams and law enforcement agencies, compiled by the European Union Agency for Cybersecurity, on how to handle digital evidence.
7. Electronic Discovery Reference Model (EDRM)
This model is widely used as a guiding framework for the discovery and recovery of digital data that is sought and secured with the intent of using it as evidence in legal proceedings.
8. Guidelines for Digital Forensics First Responders
Prepared by the Interpol, these technical guidelines contain best practices and advice on handling and using digital evidence during the search and seizure process.
The biggest challenges of secure digital evidence sharing – and how Tresorit can help overcome them
“We need to share security footage with airlines, the authorities, and insurance companies on a regular basis, and of course, when it comes to airports, any recording is sensitive,” a customer operating in the airport management space has recently told us. When sharing video or audio files that can serve as evidence in a criminal trial or claims adjudication process, preserving digital evidence integrity is paramount. But it’s not without major challenges.
Unauthorized access or leaks not only compromise investigations but also breach privacy laws. Tresorit, a zero-knowledge, end-to-end encrypted document productivity and digital trust platform, eliminates the need for back-and-forth emails and cumbersome file sharing methods like flash drives or zip files, and provides rigorous access controls to preserve the confidentiality and authenticity of digital evidence.
End-to-end encryption is the gold standard for securing communication, especially when coupled with zero-knowledge authentication. It means that every file on our users’ devices is encrypted with randomly generated encryption keys. Accessing files is only possible with a user’s unique decryption key that no one else, not even Tresorit, has knowledge of. This ensures that even if our servers were breached, no one would be able to read the contents of the files.
Advanced control features such as disabling downloads, allowing in-browser viewing as well as adding watermarks to documents, images, and videos help file owners prevent the unauthorized copying, access as well as potential corruption or tampering of digital evidence. Along with whoever they decide to share evidence files with.
These, on top of other Tresorit security and privacy controls, such as the ability to revoke access, limit downloads, opens, or viewing privileges to selected people, set up password protection or expiration date for share links, minimize the risk of critical digital evidence falling into the wrong hands.
In addition, Tresorit’s access logs allow you to track when your content was downloaded, from what IP address, and through what platform. User activity reports provide detailed insights into users’ link sharing and folder invitations history, along with the inventory of items shared with external collaborators. These reports can also be exported, establishing a verifiable chain of custody to prove evidence authenticity and integrity.
“Without these insurances, the prosecutor or defense attorney might argue that the evidence has been altered or tampered with, leading to having it thrown out of court,” points out Aaron. This can ultimately cost businesses not only the case, but a significant amount of money, plus reputational damage. “Tresorit’s file sharing solution has the potential to ease compliance pressures for businesses and even speed up claim processes and case timelines.”