Digital forensics has existed for as long as computers have stored data that could be used as evidence. For many years, digital forensics was performed primarily by government agencies but has become common in the commercial sector over the past several years.
Digital forensics phases
The Electronic Acquisition Phase saves the state of a digital system so that it can be analyzed later. This is analogous to taking photographs, fingerprints, blood samples, or tire patterns from a crime scene. As in the physical world, it is unknown which data will be used as digital evidence, so the goal of this phase is to save all digital values. At a minimum, the allocated and unallocated areas of a hard disk are copied; the resulting copy is commonly called an image.
The Data Analysis Phase uses the acquired data and examines it to identify pieces of evidence. There are three major categories of evidence we are looking for:
- Inculpatory Evidence: That which supports a given theory
- Exculpatory Evidence: That which contradicts a given theory
- Evidence of tampering: That which cannot be associated with any theory, but shows that the system was tampered with to avoid identification.
This phase includes examining file and directory contents and recovering deleted content. Our patent-pending data analysis technique enables us to search for relevant information, develop insights and analyze the results very quickly. Our technology can perform analysis on digital content from multiple sources in various formats, structured or unstructured. Our techniques allow legal experts to spend more time developing their case instead of searching for information.
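Why the acquisition phase copies unallocated areas, and how deleted content can be recovered from them, is shown in the following added example. It is not the proprietary technique described above; it uses plain signature-based carving. It assumes unfragmented JPEG files, and the function names and the sample image are constructed for illustration.

```python
import hashlib

JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker plus next marker prefix
JPEG_EOI = b"\xff\xd9"      # JPEG end-of-image marker
SECTOR = 512


def carve_jpegs(image: bytes, max_size: int = 10 * 1024 * 1024):
    """Scan a raw image for JPEG header/footer pairs, ignoring the file system."""
    found, pos = [], 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI), start + max_size)
        if end == -1:
            # Header with no footer in range: fragmented or overwritten data.
            pos = start + 1
            continue
        blob = image[start:end + len(JPEG_EOI)]
        found.append({
            "offset": start,  # byte offset in the image, for the report
            "length": len(blob),
            "sha256": hashlib.sha256(blob).hexdigest(),
        })
        pos = end + len(JPEG_EOI)
    return found


def build_sample_image():
    """Constructed 4-sector image: the 'deleted' picture sits in sector 2,
    which no file system metadata references any more."""
    picture = JPEG_SOI + b"\xe0" + b"constructed-sample-payload" + JPEG_EOI
    image = bytearray(4 * SECTOR)
    image[0:16] = b"SAMPLE-FS-HEADER"  # stand-in for file system metadata
    image[2 * SECTOR:2 * SECTOR + len(picture)] = picture
    image[3 * SECTOR:3 * SECTOR + 3] = JPEG_SOI  # stray header, no footer
    return bytes(image), picture


if __name__ == "__main__":
    img, _ = build_sample_image()
    print("image sha256:", hashlib.sha256(img).hexdigest())
    for hit in carve_jpegs(img):
        print(hit)
```

The offset and hash recorded for each carved object let every finding be traced back to the acquired image.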
The Information Presentation Phase, by contrast, is based entirely on policy and law, which are different for each setting. In this phase, we present the conclusions and corresponding evidence from the investigation in our patent-pending proprietary framework.