Digital Forensics

Cultivating the next generation of “Digital Detectives”

Recent events throughout the world have changed and influenced how we think about the gathering of evidence. Soon after the attacks on the World Trade Center in New York City on September 11th, 2001, many young men and women volunteered to serve their country in many different ways. For those who did not choose the military, options included positions with law enforcement and security organizations. Ultimately, the combination of renewed emphasis on homeland security along with the popularity of mainstream television shows like CSI, Forensic Files and NCIS has created a huge demand for highly educated specialists in the discipline of digital forensics. This demand is now being met by the advent of specialized forensic courses popping up in colleges, universities, and even high schools throughout the United States.

Finding digital data that can be used as evidence to incriminate or exonerate a suspect accused in a legal or administrative proceeding is not easy to do. When the founding fathers of the modern computing era were designing the digital infrastructure as we know it today, security and temporal accountability issues were not at the top of their list of things to do. Today, primarily due to the lack of a “trusted” computing environment, conducting digital forensic investigations, although difficult, has become commonplace in both the government and commercial sectors.

Many new digital forensic specialists can expect to utilize their skill set in a wide variety of investigative situations, which may include some of the following:

• Digital Forensic Investigations — A forensic specialist could conduct independent inquiries into matters involving inculpatory or exculpatory digital evidence as a neutral third-party, as well as assisting current security investigations and accounting audits by corporate personnel.
• Audio/Video Forensics — A forensic specialist might possibly provide audio and video forensic investigative support to corporate investigative missions.
• Electronic Discovery — A forensic specialist might assist corporate General Counsel and external attorneys in the process of electronic discovery, to include the processing of discovery requests by legal firms and courts of jurisdiction.
• Forensic Audits: Sarbanes-Oxley & Accounting — A forensic specialist could assist in the audit of existing federal compliance programs and forensic accounting procedures.
• Forensic Audits: Positions of Trust — A forensic specialist might perhaps conduct media reviews for computer equipment utilized by key persons holding “positions of trust.”
• Forensic Audits: Exit Interviews — A forensic specialist could conduct “exit interviews” of computers (laptop & desktops) used by key employees both in-house and for clients. This digital interview process is essential both from a liability perspective and in advance of any potential “wrongful termination” litigation.
• Forensic Audits: Due Diligence — A forensic specialist might assist in any existing or new corporate due diligence procedures.
• Forensic Audits: Mergers/Acquisitions — A forensic specialist could assist in any existing or new corporate merger and acquisition procedures.
• Corporate Fraud Inquiries — A forensic specialist would possibly conduct digital forensic investigations involving corporate fraud issues.
• Regulatory Investigations — A forensic specialist might conduct digital forensic investigations involving federal and state regulatory issues.
• Risk Management Issues — A forensic specialist could conduct digital forensic procedures to eliminate risks within an electronic and networked environment.

Our next generation of “digital detectives” will have to possess the knowledge, skills, and experience to conduct complex, data-intensive forensic examinations involving multiple operating systems and file types. As mentioned previously, several colleges and universities across the United States and in the United Kingdom are currently involved in the creation of multi-disciplined curriculums that will offer undergraduate and graduate degrees in digital forensics. Until these programs become commonplace, however, learning how to conduct digital forensic operations will continue to be a combination of on-the-job training and vendor-based programs for most candidates new to this field of endeavor.

The skill sets that the digital forensic specialist must possess are varied. At a minimum, the specialist must have an in-depth knowledge of the criminal justice system, computer hardware, and software systems as well as investigative and evidence-gathering protocols. For example, the digital forensic specialist must become intimately familiar with the concepts of burden of proof, chain-of-custody, evidentiary analysis, and the rules of “best evidence.”

At a minimum, it is recommended that new digital forensics students take the CompTIA A+ Hardware training to become familiar with computer hardware. After a student is comfortable working with hardware, then it is time to move on to operating system fluency. Although there are hundreds of computer operating systems on the market today, it is recommended that the specialist become familiar with MS-DOS and the Microsoft Windows family. Oftentimes, digital forensic work will involve these platforms, with Linux and UNIX variations coming in at a close second place.

Over the past several years, many significant cases have been solved by the digital forensic specialist’s ability to “resurrect” files that were thought to have been erased, deleted, or otherwise destroyed by the suspect in the case. Finding the electronic “smoking gun” is by far one of the most rewarding aspects of this profession.

Today, when we look at which skill set is the most critical to have mastery over when dealing with digital forensics, it’s not the hardware, software, or even legal knowledge that is paramount. Being capable of articulating your investigative findings both verbally and on paper is what separates the amateurs from the professionals in this line of work. Many skilled technicians have solved complex digital forensic cases only to discover that due to sloppy record keeping and poor report-writing skills, they could not explain to a judge and jury how they found the smoking gun!

Finally, it is not just computers that harbor the binary code of ones and zeros, but an infinite array of personal digital devices. If it is discovered that one of these devices retains evidence of a crime or an incident, it will be up to one of our newly trained and educated digital detectives to find the digital evidence… in a forensically sound manner.