Computer Forensics: Following the Digital Bread Crumbs


Phillip Rodokanakis, CFE, EnCE, ACE, DFCP
U.S. Data Forensics, LLC
Herndon, Va.

During the execution of search warrants in the late 1980s and early 1990s, investigators would examine every piece of paper we could get our hands on. We would look at computers, scratch our heads and wonder, “How do we access the digital data they contain?” At the time we had no protocols or tools to retrieve and examine digitally stored data.

The term computer forensics was reportedly coined in 1991 at the first training session sponsored by the International Association of Computer Investigative Specialists (IACIS). Since that time, the term has become accepted in the computer security field and the legal profession. Recent technological advances have introduced computing capabilities to all kinds of new devices, like PDAs (Personal Digital Assistants), smartphones, iPads, etc. Accordingly, the term digital forensics was introduced to cover all types of digital devices that have become commonplace in our daily lives.

Even though these terms are widely recognized now, they evoke different ideas as to what this discipline really entails. Some think that computer forensics involves the collection of digital files from computer systems in order to present them in searchable electronic databases. Others believe that it may involve a forensic review of electronic data stored in large databases. So what is computer or digital forensics?

Just as a fingerprint examiner examines latent fingerprint impressions found at a crime scene with the goal of linking them to the known fingerprints of a suspect, a digital forensics expert examines computer and digital storage systems to identify relevant evidence that is stored on digital storage devices and that may link a suspect to the case under investigation. In particular, computer forensics deals with the acquisition, preservation, identification, extraction, analysis and documentation of digital evidence.

CFEs must familiarize themselves with the type of data that can be obtained from digital forensic examinations. A thorough examination of storage devices by a competent digital forensic examiner may yield evidence that is otherwise unavailable. I have been involved in a number of cases where the digital forensic examination led to finding the “smoking gun” literally in a matter of hours, whereas traditional investigative approaches would have taken months to identify the culprits, if ever.

As trial attorneys rely more and more on proving cases through the introduction of digital evidence, new litigation support technologies and services have evolved. Computer or digital forensics is one such example, where specially trained professionals use basic investigative and IT skills to find evidence that is left behind on digital storage devices. Additionally, the introduction and authentication of digital evidence in a court of law usually requires testimony by an expert witness, meaning that digital forensic examiners must also qualify as expert witnesses.

Electronic Discovery, or eDiscovery, is another example of a technology that has evolved from the use of digital evidence. Want to know more about eDiscovery? Tune in next month.