Data inundates our daily lives. We create it, we consume it, and our activities in the physical and digital worlds are distilled into it. Data is collected, stored, aggregated, and used to make our lives more convenient, more connected, more safe; it is even used to sell us things. From the most private spaces of our lives to the most public, data is central. In our bedrooms, sleep monitoring devices, smart watches, connected baby monitors, and smartphones track our sleep and wake cycles.
Increasingly, our homes are connected to the Internet or other networks. This allows us to remotely control and monitor security systems, temperature, lighting, and to watch and communicate with our kids and pets remotely. Our vehicles contain computer systems that monitor and control everything from tire pressure, speed, and location to music preferences and communications. We use traffic monitoring apps and GPS navigation systems that track our location.
In our communities, surveillance and security video systems are constantly recording. The electrical grid, water and sewer systems, and traffic control systems that we rely on to keep us safe operate on networks. We vote electronically. We pay for our gas, food, and other necessities through point of sale devices, access our finances and pay bills online, and get cash from ATMs. Our communications frequently happen using smartphones, text messages, emails, social media, dating sites, and chat apps. We use electronic coupons and QR codes, and the stores we shop at monitor our movements via WiFi connections to our smart phones. Our entertainment needs are met through Netflix, Amazon TV, computer games and the latest game apps like Pokémon Go. The list goes on and on.
Nearly all aspects of our daily lives are impacted by data whether we are aware of it or not. The pace of data generation, collection, and exchange continues to increase at astounding rates. As our reliance on data has increased, the misuse of data and data systems as well as computer crimes have increased. Every digital interaction leaves traces, so it is often possible to apply specialized tools and techniques to determine what was done, when, and by whom. This is where digital forensics comes in.
Digital forensics is a specialized field within the forensic sciences focused on the recovery, preservation, and interpretation of digital information as evidence, whether in a court of law or elsewhere. In 2009, the National Academy of Science identified digital forensics as a sub-field of cyber security, and the American Academy of Forensic Sciences categorizes it under Digital and Multimedia Sciences. A constantly growing and changing field, digital forensics addresses a great deal of diversity in the technologies it covers. Digital forensics, sometimes also called cyber forensics, expands beyond the examination of standalone computers to accommodate the needs of the current complex digital world.
As defined by the Digital Forensics Research Workshop (DFRWS) in 2001, digital forensics is “the use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.”
Digital forensics covers a growing number of related sub-fields and specialties. There are many areas where these sub-fields and specialties cross over and relate to each other. As the needs grow, so does research in specific areas, resulting in new specialties.
Computer forensics is the preservation, identification, acquisition, examination, and presentation of information found on computers relating to a criminal or civil investigation. This is not always the case, however, as computer forensics can also be used for intelligence purposes as well as other investigative reasons such as employment disputes and insurance claims. Computer forensics includes the examination of standalone data storage media such as external hard drives, USB thumb drives, CDs and DVDs. The goal of computer forensics is to examine digital evidence in a manner that preserves the integrity of the evidence, and to present facts and opinions about that evidence in a clear and understandable way.
There are numerous specialties within computer forensics including video forensics, vehicle infotainment system forensics, malware analysis forensics and RAM or volatile memory forensics, as well as others. Specialization in forensics related to various operating systems such as Linux, Mac, and Windows is also common, as forensic artifacts vary between operating systems.
Mobile Device Forensics
Smartphones and other mobile devices are an incredibly fast growing portion of the digital landscape. According to CTIA, industry estimates show smartphone purchases outnumbered computers (desktops, laptops and tablets) around 2016. They estimated that by 2020, Americans would access the Internet via mobile devices more than via PCs or any other type of wireless device. According to the National Institute for Standards in Technology (NIST), mobile device forensics is the science of recovering digital evidence from a mobile device under forensically sound conditions using accepted methods. Mobile device forensics also includes examination of GPS devices, wearable devices, etc.
Network Forensics / Incident Response
Network forensics and incident response focuses on investigation of network related incidents like data breaches and network intrusions. Network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection. Data traffic on networks is ephemeral in nature. Data is transmitted and then lost. Accordingly network investigations deal with volatile and dynamic information, necessitating that these investigations be proactive in nature.
The growing prevalence of cloud based data storage has pushed digital forensics to expand in order to address the challenges of preservation and collection of data in the cloud. According to the National Institute for Standards in Technology (NIST), cloud forensics is the application of scientific principles, technological practices and derived and proven methods to reconstruct past cloud computing events through identification, collection, preservation, examination, interpretation and reporting of digital evidence.
Internet of Things (IoT) Forensics
The Internet of Things, refers to networked physical objects. This includes everything from vehicles and buildings to toys and UAVs (drones), and other systems of devices. IoT presents new challenges to the digital forensics profession. Forensic examination of IoT systems can include components and concepts related to multiple sub-fields and specialties of digital forensics and often requires collaboration. For example, a UAV system includes the drone itself, a controller unit, attached cloud accounts, a ground control station (cell phone), and various sensors. Examination of artifacts from mobile operating systems, traditional operating systems, embedded Linux on the device itself, storage media, and flash memory chips may be necessary to obtain a full picture.