Nowadays, computers are involved in an ever larger share of crimes. To solve such cases, investigators carry out a forensic examination of the digital evidence. This write-up walks through the complete process of extracting and analyzing digital evidence in cybercrime cases in an understandable way.
Understanding About Digital Evidence in Criminal Investigations
Digital evidence is information stored or transmitted in binary form. It was originally associated mainly with electronic crimes (e-crimes), such as credit card fraud or child pornography, and it can be obtained from a mobile phone, a computer hard drive, or other storage media. However, digital evidence is now used in the investigation of almost every kind of crime, not just e-crimes. For example, the files or emails on a suspect's mobile phone may reveal their intentions, their relationships with other suspects, and their whereabouts at a given time.
To collect relevant digital evidence and to fight e-crimes, law enforcement agencies conduct a forensic examination of digital evidence, also known as the computer forensic examination process.
When conducting a forensic evidence examination, the following steps are undertaken while handling digital evidence.
Step 1: Preparation for Digital Evidence Investigation Process
This is the first and most important part of the digital evidence collection process. Prepare the directories, or space on separate secure (preferably freshly wiped) media, that will receive the data extracted or recovered from the suspect devices. All work is done on these copies; nothing is ever written back to the original evidence.
Step 2: Extraction of Data for Digital Forensic Evidence Examination
In a digital evidence investigation, this stage involves two types of data extraction: physical extraction and logical extraction. Physical extraction recovers data across the entire physical drive, without regard to the file system. Logical extraction identifies data through the installed operating system, applications, and file system.
During physical-level extraction, digital evidence is extracted from the drive itself rather than from the file system on the drive. It involves methods such as keyword searching, file carving, and examination of the partition table and unused space.
- Keyword searching across the physical drive helps the examiner find data that is not accounted for by the file system or operating system.
- File carving is performed across the physical drive. It recovers usable files or fragments, identified by their headers and footers, that the operating system and file system no longer track.
- Examining the partition structure identifies the file systems present on the drive. It also establishes whether the partitions account for the full physical size of the drive; unaccounted space may hold hidden or deleted data.
Logical extraction is carried out next. At this level the data is interpreted through the file system, and it covers areas such as active files, deleted files, unallocated space, and file slack space.
- Extracted file system data may include file names, file attributes, date and time stamps, and the location of each file on the drive.
- Reduce the data volume by identifying and eliminating known files, comparing their calculated hash values against an authenticated hash set of known files.
- Information pertinent to the investigation may include the correct file name and extension (which do not always match the content), the file content, the file header, and the location of the data file.
- Extracting password-protected files, compressed data, encrypted files, and recovered deleted files may also turn up evidence for the investigation.
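As an added example (not part of the original article), the following Python script shows the physical-extraction techniques just described on a small constructed raw image: carving JPEG files by header and footer signature, keyword searching the raw bytes, reducing the carved set with a known-file hash set (the hash comparison step above), and recording a SHA-256 of the image so the working copy can be verified against the acquisition record. The image contents, the keywords and the known-hash set are constructed for illustration and do not come from any real case.

```python
import hashlib
import re

# JPEG start-of-image and end-of-image markers used for carving.
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"
SECTOR = 512


def build_sample_image() -> bytes:
    """Constructed raw 'disk image' (not real evidence): two JPEGs and a text
    fragment scattered across sectors, with no file system describing them."""
    jpeg_a = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"A" * 20 + b"\xff\xd9"
    jpeg_b = b"\xff\xd8\xff\xe1\x00\x10Exif" + b"B" * 12 + b"\xff\xd9"
    note = b"meeting at warehouse 23:00 transfer complete\x00"
    sectors = [
        b"\x00" * SECTOR,
        jpeg_a.ljust(SECTOR, b"\x00"),
        note.ljust(SECTOR, b"\x00"),
        b"\x00" * SECTOR,
        jpeg_b.ljust(SECTOR, b"\x00"),
    ]
    return b"".join(sectors)


def sha256_hex(data: bytes) -> str:
    """Hash used both for the acquisition record and for known-file filtering."""
    return hashlib.sha256(data).hexdigest()


def verify_image(image: bytes, expected_hex: str) -> bool:
    """Integrity check: the working copy still matches the recorded acquisition hash."""
    return sha256_hex(image) == expected_hex


def carve_jpegs(image: bytes) -> list[tuple[int, bytes]]:
    """Physical-level file carving: scan the raw bytes for JPEG SOI markers and
    cut each file at the next EOI marker, ignoring any file system."""
    carved = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            break  # header without footer: truncated file, not carved here
        end += len(JPEG_EOI)
        carved.append((start, image[start:end]))
        pos = end
    return carved


def keyword_hits(image: bytes, keywords: list[str]) -> list[tuple[str, int]]:
    """Case-insensitive keyword search over the raw image, reporting byte offsets."""
    hits = []
    for kw in keywords:
        pattern = re.compile(re.escape(kw.encode()), re.IGNORECASE)
        hits.extend((kw, m.start()) for m in pattern.finditer(image))
    return sorted(hits, key=lambda h: h[1])


def filter_known(carved, known_hashes: set[str]):
    """Data reduction: drop carved files whose hash is in an authenticated
    known-file set (e.g. OS or application files), keeping only unknown ones."""
    return [(off, data) for off, data in carved if sha256_hex(data) not in known_hashes]


if __name__ == "__main__":
    image = build_sample_image()
    print("image sha256:", sha256_hex(image))
    files = carve_jpegs(image)
    for off, data in files:
        print(f"carved JPEG at offset {off}, {len(data)} bytes")
    for kw, off in keyword_hits(image, ["warehouse", "transfer"]):
        print(f"keyword {kw!r} at offset {off}")
    # Constructed known-file set: pretend the second JPEG is a known stock image.
    known = {sha256_hex(files[1][1])}
    print("unknown files after reduction:", [off for off, _ in filter_known(files, known)])
```

Real carving tools handle many more signatures, fragmented files and headers without footers; this block shows only the core idea of locating data by signature rather than by directory entry, and of hashing everything so the report can prove what was examined.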
Step 3: Analysis of the Extracted Data
This stage covers the interpretation of the digital evidence, which determines the significance of the data to the case. It may also require a review of the legal authority under which the computer evidence was obtained, as well as of the analytical and investigative leads. The following are the main types of analysis performed on the data.
- Timeframe analysis
- Data hiding analysis
- Installed applications and files analysis
- Ownership and Possession of the devices
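The timeframe and data-hiding analyses listed above can be illustrated with an added example (not from the original article): build a single timeline of created/modified/accessed timestamps from file system records, pull out the events that fall inside a window of interest, and flag records whose modification time precedes their creation time, which does not happen in normal use and suggests the timestamps were altered. The file records, the paths and the time window are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class FileRecord:
    """Minimal file system metadata as a logical extraction would report it."""
    path: str
    created: datetime
    modified: datetime
    accessed: datetime


def utc(stamp: str) -> datetime:
    """Parse an ISO-8601 string as a UTC timestamp (normalise every source to UTC)."""
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)


# Constructed sample records, not taken from a real case.
SAMPLE_RECORDS = [
    FileRecord("Documents/ledger.xlsx",
               utc("2023-03-10T09:15:00"), utc("2023-03-12T22:40:00"), utc("2023-03-12T22:41:00")),
    FileRecord("Downloads/cleaner.exe",
               utc("2023-03-12T22:50:00"), utc("2021-01-01T00:00:00"), utc("2023-03-12T22:50:00")),
    FileRecord("Pictures/IMG_0042.jpg",
               utc("2023-02-01T14:00:00"), utc("2023-02-01T14:00:00"), utc("2023-03-12T22:35:00")),
]


def build_timeline(records):
    """Flatten every record into (timestamp, event, path) tuples, oldest first."""
    events = []
    for r in records:
        events.append((r.created, "created", r.path))
        events.append((r.modified, "modified", r.path))
        events.append((r.accessed, "accessed", r.path))
    return sorted(events)


def events_in_window(timeline, start: datetime, end: datetime):
    """Timeframe analysis: keep only the events inside the period of interest."""
    return [e for e in timeline if start <= e[0] <= end]


def timestamp_anomalies(records):
    """Data-hiding analysis: a file cannot be modified before it exists, so
    modified < created points at altered timestamps and deserves a closer look."""
    return [r.path for r in records if r.modified < r.created]


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_RECORDS)
    window = events_in_window(timeline, utc("2023-03-12T22:30:00"), utc("2023-03-12T23:00:00"))
    for when, event, path in window:
        print(when.isoformat(), event, path)
    print("suspicious timestamps:", timestamp_anomalies(SAMPLE_RECORDS))
```

In practice the same timeline would also take in log entries, browser history and registry or plist timestamps, all converted to one time zone before sorting, so that the sequence of events around the incident can be read in a single pass.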
Step 4: Documentation and Reporting
In the last stage of the forensic examination process, review the results of each extraction and analysis step once again. After the digital evidence collection process is complete, write a report that records the proceedings and findings of the case. The investigator submits this report, which includes a detailed description of the findings of the examination process.
A forensic examination of digital evidence must follow a proper procedure in order to trace the potential artifacts. This blog has described the procedure for gathering and handling digital evidence, so that the reader can follow the different stages of the computer forensic examination process.
Suggestion: some examples of forensic examination software that investigators can use for the forensic examination of digital evidence: https://www.systoolsgroup.com/digital-forensics.html