7 Advantages & Disadvantages of Digital Forensics [Pro Cons]

Digital forensics is a discipline of forensic science and is commonly used to collect, preserve, analyze, and present data in a scientifically sound manner.

Not to be confused with data recovery, digital forensics itself does include the ability to recover data, in addition to its unique preservation and collection capabilities.

This article will focus on the benefits and challenges involved when it comes to digital forensics.

What Are the Pros and Cons of Digital Forensics?

The benefits and pitfalls of digital forensics are listed below.


Advantages

Here are the seven (7) advantages of using digital forensics.


1. Better than relying on memory

Having the exact file on hand is always better than basing it on memory.

Using digital forensics techniques to recover files is always better than relying solely on memory.

For example, retrieving emails or conversations that happened some years ago can prove the intention and implication of certain parties involved.

Digital forensics can also reconstruct full or partial files, such as a previously-visited webpage that is no longer available.

The ability to uncover the actual file beats all other descriptions or corroborative evidence.

2. Preservation of Data

When using digital forensics, a forensic image is acquired from a physical device (e.g., phone, laptop, etc.).

This image is an exact bit-by-bit copy of the contents of the device extracted, and it cannot be altered in any way.

A forensic analyst can safely examine the image without worrying about compromising the data's integrity or changing its timestamps.

In short, there will be no changes done to the image, and data is therefore preserved.

3. Admissibility in Court

Forensic images are admissible in a court of law as digital evidence because they preserve the data, no one can alter any files, and each image is a bit-by-bit exact copy of the data extracted from the physical device.

The digital forensics methodology is a scientific process based on computer science that will result in a constant, repeatable outcome every time.

Therefore it is a reliable and consistent means of producing digital evidence.
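The preservation and repeatability described in sections 2 and 3 are conventionally demonstrated by hashing the image at acquisition and re-hashing it before each examination. The sketch below is an added example, not from the original article; the hash algorithms, chunk size, and sample image bytes are assumptions chosen for illustration.

```python
import hashlib
import io

CHUNK = 1024 * 1024  # read 1 MiB at a time so a multi-terabyte image never sits in RAM

def image_digests(stream, algorithms=("sha1", "sha256")):
    """Hash a forensic image in a single pass; returns {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        block = stream.read(CHUNK)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify_image(stream, recorded):
    """Re-hash the image and compare against the digests recorded at acquisition.
    Returns (ok, list of algorithms whose digest no longer matches)."""
    current = image_digests(stream, tuple(recorded))
    mismatched = sorted(a for a in recorded if current[a] != recorded[a].lower())
    return (not mismatched, mismatched)

def sample_image():
    # Constructed stand-in for an acquired image (about 3 MiB, spans several chunks).
    return bytes(range(256)) * 12289

def demo():
    image = sample_image()
    recorded = image_digests(io.BytesIO(image))        # written into the case notes
    untouched = verify_image(io.BytesIO(image), recorded)
    altered_copy = bytearray(image)
    altered_copy[123456] ^= 0x01                       # a single flipped bit
    altered = verify_image(io.BytesIO(bytes(altered_copy)), recorded)
    return untouched, altered

if __name__ == "__main__":
    print(demo())
```

With a real image, pass `open(path, "rb")` as the stream and keep the recorded digests with the chain-of-custody documentation.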

4. Better Analysis of Data

Files, folders, and system artifacts can be examined in detail.

  • Metadata analysis can corroborate findings and results, such as looking at file timestamps (e.g., date modified/created), author of a document, location based on a photo taken by the phone, etc.
  • File association can be determined quickly, for example, by tracing a PDF document found in the Downloads folder that is the result of the user visiting a certain website and downloading it from the web browser.
  • System files, such as those from the operating system, can be used to determine when the computer was last shut down and how many users there were, and log files show user activity.

5. Identifying a User to a Person

Forensic analysts can use the files found to tie a person to the physical device as its owner.

This can be done in several different ways:

  • The logins and passwords found in Notes or documents that identify the owner
  • The photos and videos of the owner found inside the device
  • The files and metadata bearing the name of the owner

6. Recovery of Deleted Files

Digital forensics can recover certain deleted files, depending on how much of the file's residue remains.

When conditions are favorable, it is technically possible to recover files that had been previously overwritten or deleted in a full or partial state.

Most digital forensics tools can do this, and you can go specifically to file carving tools if you have more in-depth file recovery needs.
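The header/footer carving that file carving tools perform can be sketched as follows. This is an added example, not from the original article and not any particular tool's code; the signature table, size limit, and sample image bytes are assumptions for illustration.

```python
# (header, footer) byte signatures for a few common file types
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_SIZE = 10 * 1024 * 1024  # assumed upper bound on a carved file

def carve(data, signatures=SIGNATURES, max_size=MAX_SIZE):
    """Scan raw image bytes and return (offset, type, length, complete) tuples.
    complete=False means a header was found but its footer was not, i.e. only
    a partial file is recoverable (for example, the tail was overwritten)."""
    hits = []
    for ftype, (header, footer) in signatures.items():
        pos = data.find(header)
        while pos != -1:
            end = data.find(footer, pos + len(header), pos + max_size)
            if end != -1:
                # Caveat: the first footer match can cut a file short, e.g. a
                # JPEG with an embedded thumbnail or an incrementally saved PDF.
                stop, complete = end + len(footer), True
            else:
                nxt = data.find(header, pos + len(header))
                limit = nxt if nxt != -1 else len(data)
                stop, complete = min(limit, pos + max_size, len(data)), False
            hits.append((pos, ftype, stop - pos, complete))
            pos = data.find(header, stop)
    return sorted(hits)

def sample_image():
    # Constructed unallocated-space fragment: two intact files and one cut-off PNG.
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"
    pdf = b"%PDF-1.4\n" + b"P" * 30 + b"\n%%EOF"
    png_cut = b"\x89PNG\r\n\x1a\n" + b"N" * 20
    return b"\x00" * 512 + jpg + b"\x00" * 100 + pdf + b"\xaa" * 64 + png_cut

if __name__ == "__main__":
    for offset, ftype, length, complete in carve(sample_image()):
        state = "complete" if complete else "partial"
        print(f"{offset:>6}  {ftype}  {length} bytes  {state}")
```

Carving ignores the file system entirely, so recovered files come back without names, paths, or timestamps, and fragmented files need more than a header/footer match.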

7. Crime Deterrence

Law enforcement agencies that use digital forensics to retrieve digital evidence are using their findings and statistics to educate the public on the risks and pitfalls of falling prey to hackers and misuse.

Prevention and education serve as crime deterrence, in a bid to lower the future cybercrime rate.

The forensic tools and technical capabilities used in digital forensics can also be used to deter others from even trying to commit certain crimes.


Disadvantages

Here are the seven (7) disadvantages of using digital forensics.

1. Too Specialized

When it comes to studying and training in this area, this field of study can be too specialized and too niche.

Digital forensics started with the invention of digital devices, such as mobile phones and personal computers. Therefore, it only dates from around the late 1990s to the early 2000s onwards.

From an academic point of view, schools are not well-equipped with the right lecturers as the professionals are currently still working in the workforce.

From a training standpoint, it can be confusing where to start as there are several sub-disciplines of digital forensics. Some of the common ones are:

  • Computer forensics (PCs, Macs, mass storage devices, etc.)
  • Mobile forensics (phones and tablets)
  • Cloud forensics (Gmail, iCloud, etc.)
  • Network forensics (intranet)
  • Memory forensics (examining RAM dumps)

To get into this field, you are likely required to be recruited by law firms, law enforcement, or even private investigative companies.

2. Expensive Tools

Commercial forensic software and hardware tools are generally expensive since they are very specialized and require lots of research & development to deliver forensic capabilities.

Commercial software typically requires recurring annual renewal as well, and the cost can add up to a substantial amount over a long period of time.

Moreover, it is a good forensic practice to compare two (2) different tools when it comes to extracting digital evidence from devices, as no single tool can do everything.

In doing so, the cost of owning multiple software tools can add up.

It is also possible to rely on free, open-source forensic tools. However, most do not come with technical support or a proper guide if you need assistance, and some may use a command-line interface.

Unless you are technically competent, you are likely to rely on commercial tools since they are easier to use.

3. Expensive Training

Digital forensics training is known to be expensive as it is taught by current forensic practitioners who are still working in the workforce.

There are two (2) types of digital forensics training one can choose from:

  • Vendor-specific training (e.g. by EnCase or Cellebrite and taught using their own tools)
  • Vendor-neutral training (e.g. by SANS Institute and taught using a variety of different forensic tools)

Most digital forensics courses tend to travel internationally, and one should be prepared to cover travel and accommodation costs as well.

Prior to attending these training courses, it is also recommended that participants have some hands-on experience with the software or hardware first to familiarise themselves.

4. Difficult to Learn

You will be learning file systems (e.g. NTFS, exFAT), operating systems (e.g. Windows, macOS), system artifacts (e.g. Windows registry), and the features of the software or hardware being taught.

Most of this knowledge can be very hard to self-teach without attending any courses, since it requires hands-on practice with these commercial tools.

You need to have a certain level of computer proficiency before deciding to learn digital forensics.

5. Longer Processing Time

Data is ever-increasing on mobile phones and computers. It is now common to have 1 TB of data storage on our devices.

Since digital forensics involves examining data, it will take a longer processing time as data increases.

For example, it is common for a mobile phone to have at least 20 different apps or more. This means having to process and analyze more data types for forensic analysts.

6. Need for Custom-built Forensic Computers

To acquire forensic images from devices and to analyze these large volumes of data, you require a powerful custom-built computer to handle the processing requirements.

Technical requirements may include:

  • Larger storage drive for forensic images
  • Faster CPUs to acquire and analyze data faster
  • More RAM for data processing

This additional cost has to be factored into the budget.

7. Processes, Documentation, and Presentation

If the purpose of using digital forensics is to admit the digital evidence in Court, the forensic analyst may have to take the stand to present his/her evidence.

This also means the possibility of cross-examination by the other legal counsel.

The chain of evidence, custodians involved, and proper forensic methodology used are crucial here.

The process of retrieving the evidence may be questioned, and the parties involved in handling the physical device may be called upon to give evidence in Court.

In short, be prepared to explain and account for the entire process of handling and retrieving evidence. Forensic analysts need to be competent in their understanding of what they are doing.

