Concepts

Digital Investigation

Focus on:

  • digital devices that have been involved in an incident or crime.

  • a device used to:

    • commit a physical crime - e.g. a suspect used the internet to research a physical crime.

    • execute a digital event that violates a policy or law - e.g. an attacker gains unauthorized access to a computer, a user downloads contraband material, or a user sends a threatening e-mail, etc.

  • the moment a violation is detected and an investigation is started to answer:

    • "what", "who", "when", and "how".

    • in some cases "where" and "why".

A digital investigation is

A scientific method is one where we develop a hypothesis from the evidence we find and then test that hypothesis by looking for additional evidence that would show it to be impossible.

Digital evidence

Digital evidence is a digital object that contains reliable information that supports or refutes a hypothesis. The digital evidence must be:

  • Admissible;

  • Authentic;

  • Accurate;

  • Complete.

Digital evidence is:

  • Information stored or transmitted in digital formats or media, the content of which is evidence, whether material or merely indicative, of a particular incident or event;

  • It is fragile and volatile, so the attention of a certified expert is required to ensure that the data of probative value are effectively isolated and extracted correctly and lawfully.
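The "authentic" and "fragile" requirements above are usually met in practice by recording a cryptographic hash of the evidence at the moment of acquisition and re-checking it whenever the data is handled. The following is an added illustration, not code from the original page; it assumes SHA-256 as the integrity mechanism (the page names none) and uses a constructed byte string in place of a real acquired image.

```python
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for an acquired image (not real evidence).
SAMPLE_IMAGE = b"MBR\x00" + b"\x00" * 60 + b"sample file contents: meeting notes\n"


def sha256_hex(data: bytes) -> str:
    """Hex digest of the data; the value that is written into the acquisition record."""
    return hashlib.sha256(data).hexdigest()


def record_acquisition(data: bytes, label: str, examiner: str) -> dict:
    """Build the acquisition record: what was acquired, by whom, when, and its hash.

    The record is the reference point for every later authenticity check.
    """
    return {
        "label": label,
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "size": len(data),
        "sha256": sha256_hex(data),
    }


def verify_integrity(data: bytes, record: dict) -> bool:
    """True only if the data still matches the size and hash recorded at acquisition.

    Any modification, however small, changes the digest and the check fails,
    which is how an examiner demonstrates the evidence has not been altered.
    """
    return len(data) == record["size"] and sha256_hex(data) == record["sha256"]


def custody_event(log: list, record: dict, data: bytes, action: str, who: str) -> dict:
    """Append a chain-of-custody entry that re-verifies the hash at each hand-over."""
    entry = {
        "at": datetime.now(timezone.utc).isoformat(),
        "action": action,
        "who": who,
        "intact": verify_integrity(data, record),
    }
    log.append(entry)
    return entry


if __name__ == "__main__":
    rec = record_acquisition(SAMPLE_IMAGE, "laptop-disk-image", "examiner A")
    log = []
    custody_event(log, rec, SAMPLE_IMAGE, "transfer to lab", "examiner B")
    # Same-length edit of the content: size is unchanged but the hash is not.
    tampered = SAMPLE_IMAGE.replace(b"meeting", b"private")
    custody_event(log, rec, tampered, "analysis", "examiner C")
    for e in log:
        print(e["action"], e["who"], "intact" if e["intact"] else "MODIFIED")
```

The custody log records a fresh verification at every hand-over, so the point at which the evidence stopped matching its acquisition hash is visible in the log rather than discovered only at trial.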

Challenges

  • hard to control – it is very easy to create, modify, transmit, or delete data in a short amount of time.

  • diversity and complexity – it is sometimes hard to identify the digital evidence because information systems evolve very fast.
