Exclusive: What is 'Digital Forensics'?
September 7, 2017 | Technology
Digital Forensics describes the process of identification, preservation, analysis and documentation of electronic data for investigative and judicial purposes, carried out in such a manner that the integrity, accuracy and reliability of the data are carefully maintained.
Computers, mobile devices and servers contain a massive treasure trove of information that can be used in a digital forensics investigation.
- Did someone backdate an electronic document?
- Did an employee email company trade secret documents to his personal email address?
- Did a security camera capture footage of an accident?
- Was electronic evidence produced in a reasonably usable format?
- Did an employer send harassing text messages to an employee?
- Did a company hide or destroy electronic evidence?
- Was an email manufactured after the fact?
- Was a computer intentionally used to download illegal content?
Digital forensics services, such as those offered by The Investigators, include the following:
- Advice to clients regarding legal requirements of search and seizure.
- Advice to clients regarding legal requirements from New Zealand High Court Search Order applications.
- Assistance in planning of investigations.
- Complete search of scene and collection of all electronic storage media.
- Creation of a bit-by-bit backup copy of computers.
- Creation of a second backup set (clone) to minimise risk during the investigation.
- Analysis and location of all data/evidence.
- Data recovery of all lost or deleted data.
- Decryption of data and cracking of passwords.
- Location and analysis of emails.
- Analysis of Internet activities.
- Location of evidence relating to any other offence.
- Physical and/or electronic report to client.
- Appearance as an expert witness in court.
The Process of Electronic Forensic Investigation
1. Evidence Integrity Is Paramount
- The client should have the authority to authorise the investigation in a manner consistent with New Zealand legislation.
- The client should give clear instructions on the purpose and scope of the investigation and on key information, including but not limited to particular search phrases, clues, contacts and timelines.
2. Evidence Acquisition
- Photograph the computer and scene.
- Diagram and label all cords.
- Document all device model numbers and serial numbers according to the case number.
- Check and image hard drives using a write blocker (photograph the steps and record imaged data hash value to ensure its integrity).
- Package all components using anti-static evidence bags.
- Seize all additional storage media.
- Keep all media away from magnets, radio transmitters and other potentially damaging elements.
- Sign chain of custody form.
3. Evidence Extraction
- Determine the appropriate digital forensic tools to extract the imaged data.
- Sign chain of custody form for evidence handover.
- Use appropriate digital forensic tools to extract collected evidence data and verify its integrity.
- Perform keyword search across the evidence data; recover deleted data or decrypt encrypted data if necessary.
- Document, screenshot and photograph the steps for investigation report.
4. Evidence Analysis
- Determine the appropriate digital forensic tools to analyse the extracted data.
- Sign chain of custody form for evidence handover if required.
- Use appropriate digital forensic tools to verify evidence data integrity and review the date and time stamps recorded in the file system (e.g., last modified, last accessed, created, change of status) to link files of interest to the timeframe relevant to the investigation.
- Examine files and file contents in correlation to the investigation.
- Verify the ownership and possession of examined files and activities.
- Document, screenshot and photograph the steps for investigation report.
5. Case Documents and Report
- Maintain the initial request for assistance with the case file.
- Maintain the notes of interviews.
- Maintain a copy of chain of custody documentation.
- Include in the notes dates, times, description and results of actions taken.
6. Chain of Custody
- Document and photograph the location and condition of all evidence under the assigned case number.
- Systematically collect items of evidence, marking and recording each item with a unique number.
- Record the date, time, personnel and purpose for every transfer of evidence.
- Store evidence in a secure, climate-controlled location, away from other items that might alter or destroy digital evidence.
If you feel that the police are not doing enough to help you, or are not taking the matter seriously enough, a Private Investigator with experience in Cyber Crime Investigations is a good choice when it comes to resolving your case.
We have a full time forensics expert as part of our Auckland Team. Eitan has been a resident in New Zealand for 20 years and speaks fluent English and Chinese.
He was previously with the Royal New Zealand Defence Force and is currently studying toward a PhD in Computer Forensics.
Qualifications
- Master of I.T. Forensic 2nd Class 1st Division Honors (Cloud Computing & Data Encryption) Auckland University of Technology 2012 – 2014
- BSC (Hons) in Mathematics, Victoria University of Wellington 2002
- BSC in Computer Science and Mathematics, Victoria University of Wellington 1998 – 2001
Click here to learn more about our cyber crime services. Call us on 0800 747 633, or click here to email our team of experienced Private Investigators.