Digital forensics (sometimes known as digital forensic science) is a branch of forensic science which encompasses the recovery and investigation of material found in digital devices, often undertaken in relation to computer crime. The term digital forensics was originally used as a synonym for computer forensics but has expanded to cover investigation of all devices capable of storing digital data.
Investigations using digital forensics are usually prompted by a suspected attack (DDoS attack, break-in, theft, etc.). A critical feature of digital forensics is producing evidence to a standard that is legally admissible in a court of law. The burden of proof resulting from the evidence admitted varies between criminal courts and civil or commercial courts.
This means that, where litigation or criminal prosecution is likely, there is a requirement on those who run or own computers to identify and preserve digital material which the legal system says should be disclosed to opponents in civil litigation and to defendants accused of crimes.
Digital forensics and admissible evidence
Businesses, public and not-for-profit organisations, as well as many individuals, must expect to find themselves involved in legal proceedings from time to time. When that happens, they will need to be able to produce admissible, reliable evidence in support of their position. In civil proceedings, they will also be required to disclose the existence of any material which might assist their opponent. In criminal cases, where the organisation has been the victim of, or scene of, a crime, there will also be an expectation that admissible, reliable evidence can be produced. Even if you are not directly involved in a dispute, you and your organisation may be the subject of a court order to produce certain documents which are essential to the proceedings.
Often, a great deal of this evidence will be digital. Most organisations now use digital devices and data extensively, both for their own internal purposes and for communication to the outside world - with customers, suppliers, the public and the government. Some of the digital records that are created will be formal, part of the central operations of that business.
But many more digital records required in legal proceedings will be informal. Informal records may include casual emails, social networking messages and comments, and activity that takes place on an employee's own personal computer or smart device. It's now estimated that around 80 per cent of the world's data was created over the past two years, with the use of social media and networking sites expanding the volume on an unprecedented scale.
Reacting to the needs of the legal system is a non-trivial exercise, and few organisations are well prepared. Although many businesses now understand the need for, and have, disaster recovery plans, it is still rare for an organisation to have a Forensic Readiness Plan.
8-step approach to forensic readiness
- Identify the key threats likely faced by your organisation.
- Identify what types of evidence you are likely to need if civil or commercial litigation, or criminal proceedings, are likely.
- Identify how far you may have that evidence already.
- Identify what you will need to do to secure additional essential evidence.
- Discover enough of your counter-party’s use of computers to be able to negotiate disclosure.
- Familiarise yourself with potential legal problems such as legal admissibility, data protection, human rights, limits to surveillance, obligations to staff and others, and disclosure in legal proceedings.
- Identify the management, skills and resources implications for your organisation.
- Turn the results into an action plan – which will need regular revision as the organisation and its digital infrastructure develop.