Title: IS 463 Test 1 Week 1 Digital Forensics Foundation
Description: Digital Forensics Introduction
Total Cards: 38
Subject: Other
Level: Undergraduate 4
Created: 08/25/2018


Cards

Term
Forensic
Definition
Relating to the use of scientific knowledge or methods in solving crimes; relating to, used in, or suitable to a court of law.
Term
Digital Forensics
Definition

A discipline that combines elements of law and computer science in order to collect and analyze computer data from a variety of computer systems, networks, storage devices, and other devices using digital communications as the source and flow of information in a way that is admissible as evidence in a court of law.

Term
Digital Forensics vs. Computer Forensics
Definition

While often used interchangeably, digital forensics includes computer forensics as well as forensics on all other digital devices capable of storing digital data:
  • Network forensics
  • Mobile device forensics
  • Cloud forensics
  • Smart watch, activity tracking device forensics, etc.

Term
Digital Forensics (DF) vs. Computer Science
Definition

Digital forensics investigation requires substantial knowledge of computer systems, file systems, OS, networking systems, hardware, etc.

Term
Digital Forensics (DF) vs. Computer Science
Definition

A DF investigator may not need the deepest understanding of CS theory, but must be familiar with a wide range of subject matter.

Term
Computers As a target of the crime
Definition

Computer network intrusion, DDoS attack, ransomware attack

Term
Computers as an instrument of the crime
Definition

  • Internet child pornography
  • Cyber stalking and bullying
  • Identity theft
  • Pirated computer software
  • Forgery or falsification of documents
  • Corporate fraud
  • Terrorism and national security

Term
Why is Digital Forensics important?
Definition

According to a study, almost 95 percent of criminals leave evidence that could be investigated through computer forensic procedures.

Term
Why is Digital Forensics important?
Definition

Investigation is getting difficult and challenging:
  • Criminals are getting smarter
  • Data-hiding/security technologies (cryptography, steganography) are getting better
  • Computer systems are getting complex and varied

Term
Locard’s Exchange Principle
Definition

Everything that enters a crime scene does two things. It leaves part of itself behind, and it takes part of the scene with it.

Term
Locard’s Exchange Principle
Definition

Physical evidence cannot be wrong or wholly absent. Only human failure to find it, study it, and understand it can diminish its value.

Term
Evidence
Definition

Something that can establish or disprove a fact.

Term
Real evidence
Definition

Things you can carry to court and show

Term
Documentary evidence
Definition

Files, logs, e-mail

Term
Testimonial evidence
Definition

To support or validate other evidence types

Term
Demonstrative evidence
Definition

To recreate or explain other evidence

Term
Computer Fraud
Definition

Financial and asset data, credit card data, emails

Term
Child exploitation
Definition

Chat log, photo/video, image editing software, internet/sns activity, movie files, relevant file and directory names

Term
Network Intrusion and Hacking
Definition

Network user ID and IP addresses, virus and spyware, system logs, etc.

Term
Authenticity
Definition

The evidence presented came from where the presenting party claims it did.

Term
Integrity
Definition

The evidence was not altered in any way during examination, and there was no opportunity for it to have been replaced or altered in the interim.

Term
Relevance
Definition

Evidence must have a bearing on the event being investigated. Information about an unrelated crime cannot be used as evidence for the case.

Term
Reliability
Definition

  • There should be no question about the truth of the investigator’s conclusion
    • Use standardized/verified forensics tools and methods (see the Daubert guideline).
    • Investigator qualification

Term
Legally Obtained
Definition

Different regulations apply to internal, civil, and criminal investigations; criminal investigations are the most restrictive in terms of legal requirements.

Term
The "Best Evidence" Rule
Definition
  • Evidence presented in court should be original and the actual item investigated or examined
  • Federal Rules of Evidence consider a printout of computer data to be "original" if it can be read by sight and if it accurately represents the stored data
  • A proper forensic image (copy) can be considered Best evidence if the original evidence has been returned to its owner
Term
The Daubert Test
Definition
  • The case of Daubert v. Merrell Dow Pharmaceuticals (1993) established new criteria to determine the reliability, relevancy, and admissibility of scientific evidence.
  • Guidelines for entering technical evidence into U.S. Court:
    • Has the procedure been published in Journals and generally accepted?
    • Has the procedure been independently tested, and what is the error rate?
Term
The Daubert Guideline for DFI
Definition
  • Not well met for digital evidence due to some challenges
  • Procedure details of tools are not available
    • Intellectual Property Rights (IPR) concerns for proprietary tools
    • Open source tools are not well documented
  • Some basic testing by NIST, no formal/rigorous testing result of the file system tools
Term
Chain of Custody
Definition

A critical function of investigation that continuously records log information of each and every action that is taken on or against a piece of evidence and of every movement that evidence makes from the moment an object is identified as having evidentiary value.


Critical for evidence admissibility

Term
U.S. Constitution: The Fourth Amendment
Definition

To prohibit unreasonable searches and seizures and require warrants to be judicially sanctioned and supported by probable cause.

Term
U.S. Constitution: The Fifth Amendment
Definition

To prevent the government from ever forcing a citizen to provide self-incriminating testimony.

  • No password for protected/encrypted data can be forcefully acquired (even if you have a warrant to search the computer)
Term
Search Warrant (Rule 41)
Definition
  • Clearly state what you are searching for.
  • Clearly state the area in which you are authorized to search
  • Be signed by a judge
Term
Search Warrant (for data held by service provider)
Definition
  • 18 U.S. Code § 2703 - Required disclosure of customer communications or records
  • Used to search email accounts where search is performed by the service provider
Term
No Search Warrant required
Definition
  • The "plain view" doctrine says that an officer can seize evidence that is in plain view as long as:
    • The officer is legally present at the site of the evidence
    • The officer can legally access the evidence
    • The officer has probable cause to believe that the evidence or contraband is related to a crime
  • A device can be seized if there is the owner's written consent acknowledging a future forensic examination by a trained examiner
Term
Types of Forensic Investigation
Definition
  • Internal Investigations
    • In case of violation of company policies and guidelines
  • Civil Investigations
    • In case of Intellectual Property Rights risk, company's network security breach, unauthorized use of company resource
    • E.g., Intrusion, DoS attack, malicious code/ comm, misuse, etc.
  • Criminal Investigations
Term
Corporate/private Investigation
Definition
  • Not subject to the same "search and seizure" rules and Fourth Amendment issues
  • Often involve misuse or abuse of company assets, falsification of data, discrimination, harassment, and similar matters likely to involve litigation


  • E.g., employees who violate the company's security policy
    • Investigator can often trace and neutralize these threats without the involvement of law enforcement
    • If illegal activity is found, police involvement is necessary
Term
Digital Forensics Hardware Tools
Definition
  • Used for incident response and forensic analysis
    • Forensic computers
    • Write-blocking devices
    • Imaging devices (disk duplicator)
    • Data wiping devices
    • Encryption hardware
Term
Summary
Definition
  • Digital forensics is a discipline that collects and analyzes data from computing devices to find court-admissible evidence
  • Digital forensics requires knowledge of law and computer science as well as various forensic hardware and software tools
  • Digital evidence must be authentic, reliable, relevant, integrity-guaranteed, and legally obtained to be admissible in court
  • Well-tested/accepted mobile and lab forensic HW tools are critical for forensic investigation