The 9 Digital Forensics Phases and How They Work

The world of technology is an ever-expanding universe that takes different forms depending on who is looking. For some, the world of information technology is a magnificent landscape of information and communication potential exceeding all that came before. To others, it is an ever-shifting battlefield between criminal hackers and cybersecurity professionals. While one breaches networks to take advantage of personal data, the other safeguards it by hardening systems, monitoring for intrusions, and responding when one occurs.

The world of cybersecurity is one of constant evolution and conflict, as those who are trusted to protect our private information must keep abreast of new techniques and programs. Despite the skill and knowledge cybersecurity professionals have, they are not infallible, and sometimes hackers can bypass security measures.

While the idea that cybercriminals can succeed in their endeavors might be concerning, cybersecurity personnel and law enforcement have tools and techniques to identify them. Out of that need, security and law enforcement professionals developed a discipline known as digital forensics, which lets authorized personnel reconstruct what happened on a system and trace a hostile breach to its source. From there, law enforcement can apprehend the suspect and bring the appropriate charges.

Digital forensics is a complex discipline that produces evidence of what a criminal did and, when the evidence holds up in court, keeps them from resuming their activities. Practicing it well takes in-depth training. The phases it moves through, however, are worth understanding regardless of prior education.

What is Digital Forensics?

While it is easy to say you have a general idea of digital forensics, given the existence of crime shows like CSI: Cyber or Criminal Minds, where a dramatized equivalent is shown, the reality is a little less advanced. While it is true that digital forensics is a revolutionary tool fit for the modern age of information technology, it is never as rapid as those television programs lead you to believe. 

Digital forensics is a branch of the same forensic science used by crime scene investigators that focuses on crimes involving information technology like computers, mobile phones, tablets, etc. The rise of digital forensics began when Florida enacted the Florida Computer Crimes Act in 1978. Federal law followed in 1984 with the first federal computer crime statute, expanded into the Computer Fraud and Abuse Act of 1986.

To apply digital forensics, law enforcement professionals require an assortment of tools, programs, and skills that will enable them to access protected data. While most television shows portray this as a single “tech whiz” forensic technician breaking into a criminal’s network, the reality is less exciting. 


In a law enforcement setting, digital forensics proceeds under legal authority, typically a warrant, though consent or a subpoena can also provide it, and it is generally used to acquire logs from lawfully seized devices, confirm alibis, verify search history, and so on. Breaking into a suspect's systems is not routine forensic work; active intrusion by the state is reserved for specific agencies acting under specific legal authorization.

It is also important to note that most digital forensic tools have limitations that make them fallible in certain situations. The media portrayal of digital forensics has distorted the public's understanding of what it is capable of and the process forensic technicians must follow. In most cases, law enforcement follows a 9-phase process to identify and apprehend the cybercriminal. These 9 phases cover different parts of the forensic work and ultimately connect to help the agency make a lawful arrest that will stand up in court.

Phase 1: First Response

Perhaps the most important part of digital forensics is the initial response made by the forensic team. In most crimes, the first few hours are among the most important since they give the criminals less time to cover their tracks. This is no different with digital forensics, since hardware can be destroyed and evidence lost forever. Data that was synced to a cloud service can often be obtained later from the provider under legal process, but data that existed only on a device, or only in its memory, may not be, so the forensic team must be prepared to launch a prompt response. The first response phase begins when a security incident occurs and a report is made to the proper channels.


Once the report comes in, the forensic team must immediately begin their investigation by proceeding to the site of the incident. Whether it was a network breach or a device associated with a crime, the team must deploy at once to begin the forensic process in earnest. The first responder's priority is preservation: photograph and document the scene, note what is powered on and what is running, and avoid actions that destroy volatile evidence, such as shutting down a machine whose memory still holds encryption keys or active network connections before that memory has been captured.

Phase 2: Search and Seizure

The next phase of digital forensics is the acquisition of evidence sources. When a forensic team is tasked with searching for evidence, they often need to access the device where that information is stored. With the proper warrants, a forensic technician is permitted to seize your computer, mobile device, and any other technology that can store data. 


This is accomplished by having investigators seize the devices named in the warrant, and only those. For example, a warrant permitting an investigator to seize your phone does not necessarily mean they can seize your laptop. When cybercrimes are suspected, warrants are usually drafted to cover all devices capable of having been used in the crime. Search and seizure matters in every type of case, but cybercrime warrants tend to authorize the seizure of specific categories of items.

Phase 3: Evidence Collection

Once the investigators have seized the devices associated with the cybercrime, the forensic technicians can begin their work. Collecting evidence is not as simple as opening the device and uncovering the suspect's secrets. Cybercriminals tend to protect the evidence of their deeds with encryption and obfuscation at least as strong as what they breached to access information. They might also try to purge the information from the device to hide their guilt.


For this reason, digital forensic technicians must employ various forensic programs and tools to decrypt and recover data. Deleting a file usually removes only the file system's reference to it, so its contents remain on a hard drive until they are overwritten and can be recovered by scanning the raw storage for known file signatures. There are limits: on solid-state drives with TRIM enabled the discarded blocks are often erased soon after deletion, and on a device with full-disk encryption nothing useful can be recovered without the key. Through these techniques, forensic technicians can collect data proving or disproving the suspect's involvement in the cybercrime.
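The recovery of a deleted file described above, as an added example that is not part of the original article: a small signature-based carver scans a raw image for JPEG start and end markers instead of trusting the file system. The "disk image" is constructed inline (a directory sector whose entry for the photo has been wiped, followed by data sectors where the photo's bytes still sit); the sector size and layout are assumptions for illustration.

```python
"""Signature-based file carving: recover a deleted JPEG from a raw image
without any help from the file system's (now missing) directory entry.
Added example; the sample image is constructed inline, not real evidence."""
import hashlib

JPEG_SOI = b"\xff\xd8\xff"  # Start-Of-Image: every JPEG begins FF D8 FF
JPEG_EOI = b"\xff\xd9"      # End-Of-Image marker

SECTOR = 512  # assumed sector size for the toy image


def carve_jpegs(image: bytes, max_size: int = 50 * 1024 * 1024) -> list:
    """Scan raw bytes for JPEG header/footer pairs; return (offset, data) tuples.
    Known limits of this naive approach: fragmented files are not reassembled,
    and an embedded thumbnail's own FF D9 can end a carve early."""
    found = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            break
        if end - start > max_size:   # implausibly large: skip this header
            pos = start + 1
            continue
        end += len(JPEG_EOI)
        found.append((start, image[start:end]))
        pos = end
    return found


def minimal_jpeg() -> bytes:
    """Smallest structure worth carving: SOI, a JFIF APP0 segment, EOI."""
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return b"\xff\xd8" + app0 + b"\xff\xd9"


def build_sample_image() -> bytes:
    """Constructed toy disk image: a 'directory' sector whose entry for
    photo.jpg has been zeroed (the file was deleted), then data sectors
    where the photo's bytes remain because nothing has overwritten them."""
    directory = (b"notes.txt@sector1\x00" + b"\x00" * 32).ljust(SECTOR, b"\x00")
    notes = b"meeting at 10\n".ljust(SECTOR, b"\x00")
    photo = minimal_jpeg().ljust(SECTOR, b"\x00")   # unreferenced but intact
    slack = b"\x00" * SECTOR
    return directory + notes + photo + slack


def sha256_hex(data: bytes) -> str:
    """Hash each carved artifact so it can be tracked through custody."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    img = build_sample_image()
    for offset, data in carve_jpegs(img):
        print(f"JPEG at offset {offset} (sector {offset // SECTOR}), "
              f"{len(data)} bytes, sha256={sha256_hex(data)}")
```

Production carvers (for example, scalpel or PhotoRec) add per-format size parsing and handle fragmentation far better than a header-to-footer scan, but the principle is the same: the data is found by what it looks like, not by where the file system says it is.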

Phase 4: Securing of the Evidence

When collecting evidence to prove criminal activity, its integrity is preserved by a documented record called the chain of custody. The chain of custody records how the evidence is stored, who has accessed it, who authenticated it, and when each of those things happened. While the technicians collect the evidence, they do not necessarily examine it or retain control over it.


Any evidence found on the devices must be secured and stored per the chain of custody used for that specific case. This means the evidence cannot be tampered with or altered to implicate or exonerate the suspect, and any gap in the record raises the question of whether it was. If it comes to light that the forensic team did not handle the data following the chain of custody, the evidence can be ruled inadmissible, the case can collapse, and a potential criminal could go free.

Phase 5: Data Acquisition

The data acquisition stage is similar to evidence collection, though data acquisition specifically pertains to electronically stored information (ESI). While the evidence collection stage includes the physical hardware, data acquisition is strictly about the data stored on it. In practice this means producing a bit-for-bit forensic image of the storage, normally through a hardware write blocker so nothing can be written back to the original, and recording a cryptographic hash (such as SHA-256) of the image so that any later copy can be shown to be identical to it.


Electronically stored information refers to any data stored on the device, most visibly user-created documents and files on its hard drive, including:

  • Microsoft Office or similar documents.
  • Video files.
  • Blueprints and maps.
  • Digital photographs.
  • Scanned images.
  • E-mails.
  • Digital audio files.

Other documents qualify, but these are some of the most commonly sought files on devices. These documents could pertain to the case and must be collected for examination. However, the technician recovering these documents must not compromise the integrity of the files while extracting them. This is why examiners never open files on the original device or image: they work on a verified copy, and the original stays write-protected. Even an accidental keystroke that adds a letter to a Microsoft Word document changes its contents and its hash, and a file whose hash no longer matches the acquisition record will be challenged as altered.
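The acquisition and chain-of-custody handling described in this phase and in the previous one, as an added example that is not code from the original article: it images a source, hashes source and image independently, records the result, and refuses to log a custody transfer for an image that no longer matches. The "device" is an in-memory byte string standing in for a write-blocked drive, and the log layout (item id, action, person, time, size, hashes) is an assumption about what a lab would record.

```python
"""Acquisition with integrity verification and a chain-of-custody log.
Added example: the 'device' is an in-memory byte string standing in for a
write-blocked drive, and the log layout is an assumption, not a standard."""
import hashlib
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash 1 MiB at a time so a large device never has to fit in RAM


def chunked(data: bytes, size: int = CHUNK):
    """Yield successive slices of data; a real tool reads the device this way."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


def hash_stream(chunks) -> tuple:
    """MD5 and SHA-256 over a stream of chunks; labs commonly record both."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    for c in chunks:
        md5.update(c)
        sha.update(c)
    return md5.hexdigest(), sha.hexdigest()


def acquire(source: bytes, examiner: str, item_id: str) -> tuple:
    """Produce a bit-for-bit image of source and the record that proves it.
    Source and image are hashed independently; matching digests are the
    evidence that the copy is exact."""
    src_md5, src_sha = hash_stream(chunked(source))
    image = bytes(source)  # the forensic image; the original is not touched again
    img_md5, img_sha = hash_stream(chunked(image))
    if (img_md5, img_sha) != (src_md5, src_sha):
        raise RuntimeError("image hash differs from source hash; acquisition failed")
    record = {
        "item": item_id,
        "action": "acquired",
        "by": examiner,
        "at": datetime.now(timezone.utc).isoformat(),
        "size": len(image),
        "md5": img_md5,
        "sha256": img_sha,
    }
    return image, record


def verify(image: bytes, record: dict) -> bool:
    """Re-hash an image and compare it with the acquisition record."""
    md5, sha = hash_stream(chunked(image))
    return (len(image), md5, sha) == (record["size"], record["md5"], record["sha256"])


def handoff(log: list, image: bytes, record: dict, giver: str, receiver: str) -> dict:
    """Chain-of-custody transfer: refuse to log a transfer of an image that
    no longer matches its acquisition hash; otherwise append a dated entry."""
    if not verify(image, record):
        raise RuntimeError(f"{record['item']}: hash mismatch at hand-off "
                           f"from {giver} to {receiver}")
    entry = {
        "item": record["item"],
        "action": "transferred",
        "from": giver,
        "to": receiver,
        "at": datetime.now(timezone.utc).isoformat(),
        "sha256": record["sha256"],
    }
    log.append(entry)
    return entry


if __name__ == "__main__":
    device = b"constructed sample drive contents\n" * 4096  # constructed stand-in
    image, record = acquire(device, "Examiner A", "ITEM-0001")
    custody = [record]
    handoff(custody, image, record, "Examiner A", "Evidence custodian")

    # Analysts work on a copy. One stray keystroke into a file changes a byte,
    # and that copy can no longer be verified against the acquisition record.
    working_copy = bytearray(image)
    working_copy[100] ^= 0x01
    print("pristine image verifies:", verify(image, record))                  # True
    print("edited working copy verifies:", verify(bytes(working_copy), record))  # False
    for e in custody:
        who = e.get("by") or f"{e['from']} -> {e['to']}"
        print(e["action"], who, e["sha256"][:16])
```

The design point is that every hand-off re-verifies rather than trusting the previous entry: a log that only records names and times proves who held the item, while a log that records a matching hash at each step proves the item itself was unchanged between them.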

Phase 6: Data Analysis

While acquiring evidence from seized devices is fundamental to any digital forensic investigation, it is not enough to only access the data. Once the evidence has been located, it must be analyzed to determine whether it is pertinent to the case. Once the chain of custody has been established, a technician can analyze the data for anything that might prove useful in a court setting or confirm that the suspect was involved in cybercriminal activity. 


This analysis helps prepare the law enforcement team for the courtroom and justify the prosecution's case. It is also used to filter irrelevant information out of the evidence files, such as vacation photos or a list of pet names.

Phase 7: Evidence Assessment

Arguably the most important part of the process, the investigators must assess the information recovered and link it to the crime for which the suspect is accused. If none of the recovered data confirms the suspect’s involvement, the wrong person might have been accused. For this reason, investigators must compare the analyzed data to other details about the case that might not pertain to digital forensics. 


For example, if the suspect is accused of hacking a private network and recently researched the programs used by the victim, it might make them seem guilty. But if the suspect had no motive and their device showed no signs of recent intrusion attempts, they might have been a victim of coincidence. Conversely, if the suspect has a history of hostility with the victim and there are signs of intrusion tooling on the device, the case becomes stronger. Evidence assessment is the part of digital forensics that most closely connects with standard police work.

Phase 8: Documentation and Reporting

The next digital forensics phase occurs after the initial investigation is complete and preparations for a court case are underway. Once the evidence is collected, authenticated, analyzed, and assessed, it must be documented and reported under state and federal law. Any legal case, civil or criminal, requires evidence to be submitted as part of a discovery process. 


The evidence must be admitted by the judge overseeing the case, and the prosecution must provide copies to the defense's legal counsel so both sides have fair knowledge of the case. Discovery rules do not allow the prosecution to surprise the defense with newly discovered documents from the devices halfway through the trial.

Every piece of evidence collected from the defendant’s devices must be submitted to discovery after phases 1 through 7 are complete. Otherwise, the evidence will be rendered inadmissible and useless in a court of law. It also jeopardizes the case since it makes the prosecution seem devious.

Phase 9: Expert Witness Testimony

Most criminal cases involving technical evidence, cybercrime included, call an expert witness who can explain the significance of that evidence. Criminal trials are presented to a jury of the defendant's peers, and the jurors might not have the knowledge necessary to understand the importance of forensically recovered ESI.


When dealing with cybercrimes, jurors will almost certainly not know the significance of particular malware or tools and how they relate to the case. For that reason, digital forensics examiners serve as expert witnesses who testify in court to the meaning of the evidence. They explain the data, and the process used to recover and verify it, in terminology the jurors can understand. Doing so helps the jury connect the dots between what was recovered from the devices and the defendant's guilt or innocence.

While serving as an expert witness is not strictly technical, digital forensic technicians’ knowledge makes them as valuable as the information they collect.

Technically Speaking…

Digital forensics is one of the most important legal tools in the modern world. We live in a society where information technology stores virtually everything a criminal would need to destroy our lives: addresses, credit card information, passwords, and the list continues. While this technology has made life more convenient in thousands of ways, it has also made us more vulnerable. 

Cybersecurity is also one of the most important fields in modern society because those professionals can help secure our otherwise vulnerable data. When our firewalls fail, digital forensics can help prove who was responsible for the breach, what they stole, and prosecute them. Nevertheless, cybersecurity professionals remain our best line of defense against hack attempts.


That is why we at U.S. Cybersecurity have made it our mission to provide dependable cybersecurity services. While digital forensics will always be important, a quality cybersecurity team will help minimize the need for one to almost nil. We offer various services to help secure your information and counter cyberattacks that attempt to breach those safeguards. 

Unfortunately, there is no shortage of cybercriminals, and more rise from the shadows daily. We encourage you to visit our website and see if any of our services might interest you. We are standing by and ready to assist you with your cybersecurity needs at a moment’s notice.

Herman McCargo

Herman is a Microsoft Certified Security Engineer and Cybersecurity Specialist. He’s been in the technology field for over 20 years and has expertise working with the most critical technology infrastructures. He has a deep understanding of cyber risks, threat mitigation and prevention, and overseeing infrastructure.