It can also be referred to as computer forensics, but technically speaking, the term only relates to recovery of evidence from a computer, and not the whole range of digital storage devices that may store digital data to be used as evidence. Computer forensics is also often referred to as cyber forensics.

In this book, as in the case of Forensic Laboratory, the term digital forensics is used.

Digital forensics can be used in civil and criminal cases or any other area of dispute. Each has its own set of handling requirements relevant to the jurisdiction in which the case is being investigated.

Typically, digital forensics involves the recovery of data from digital storage media that may have been lost, hidden, or otherwise concealed or after an incident that has affected the operation of an information processing system. This could be an accidental or deliberate act, carried out by an employee or outsider, or after a malware attack of any type.

No matter what the specific details of the case, the overview of processing a digital forensic case by the Forensic Laboratory follows the same series of processes, interpreted for the jurisdiction according to case requirements. The processes are as follows:

Inspection of numerous sources gives differing definitions of “Digital (or Computer) Forensics,” depending on the organization and its jurisdiction. They all contain some or all of the elements mentioned above (explicitly defined or implied). The Forensic Laboratory uses the following definition:

The use of scientifically derived, proved, and repeatable methods for:

to reconstruct relevant events relating to a given case.

The same processes and techniques are used for any digital media, whether it is a hard disk drive, a SIM card from a mobile phone, digital music players, digital image recording devices, or any other digital media.

Details of handling different types of cases are given in Chapter 9. A list of typical types of cases where the Forensic Laboratory has been involved is given in Appendix 1.

As the world increasingly embraces information processing systems and the Internet, there are more data being held on digital media. At the same time, an individual country’s Gross Domestic Product (GDPs) is being boosted by an increasing Internet-based component. The current percentage of the Internet economy in the GDP was calculated for the G20 by Boston^b and also produced an estimate for 2016 was also produced. This is reproduced below.

At the same time as the Internet economy has been growing, the size of local digital storage for personal computers has grown as can be seen in Appendix 2. IBM likes to think that they produced the first personal computer (the “PC” or Model 5150) on August 12, 1981; there were a number of personal computers in operation for years prior to this, including Tandy TRS, Apple, Nascom, Commodore PET, Texas Instruments, Atari, variety of CP/M machines, as well as those running proprietary operating systems. A random view of digital storage growth is given in Appendix 2.

While this table shows disks available for personal computer users, those available to corporate users or those with mainframes can have considerably larger capacities. Details of disk size nomenclature are given in Appendix 3.

The amount of growth of digital information worldwide is reported in real time on http://uk.emc.com/leadership/programs/digital-universe.htm.

At the same time, information processing systems of all types are being used to perpetrate or assist in criminal acts or civil disputes as well as just holding evidence relating to the matter. This rapidly changing technology has spawned a completely new range of crimes such as hacking (unauthorized access to a computer system or unauthorized modification to or disclosure of information contained in it) or distributed denial of service attacks. It can be argued that there are no new crimes just variations of old ones, but that legislation needs to be amended to handle new types of execution of offenses.^c Whatever the outcome of this argument, more and more information processing devices are used in the commission of criminal acts or are assisting in their execution. There are no hard and fast statistics for the total number of crimes committed where an information processing device is involved, but there are many “guesstimates.” All show increasing use. At the same time, corporate use of information processing devices and digital storage is increasing rapidly.

Given the rapid expansion of both information processing systems and stored data on digital media, it is not difficult to see that Digital Forensics, with its ability to search through vast quantities of data in a thorough, efficient, and repeatable manner, in any language, is essential. This allows material to be recovered from digital media and presented as evidence that may not otherwise be recoverable and presentable in a court.

At this stage, the needs of the corporate world and that of law enforcement (LE) differ on a number of levels:

Corporates are often loathe to involve LE in any incident for a variety of reasons, but legislation now exists in some jurisdictions to report any security incident that discloses personal information or that makes nominated individuals personally liable for breaches or other information security failures. In cases such as this, Digital Forensics may be called on not only to determine how the breach occurred but also to determine the effectiveness of the risk treatment (typically controls) in place to minimize the risk of unauthorized ac...