Digital Forensic Examination 101 — Part 1

Digital forensic examination, also known as forensic science, is used to recover digital data. It is most often used to find evidence on computers, USB keys and mobile phones, but it can also be used to recover data after a computer crash. This tutorial will try to help you understand the basics of forensic examination on computers and mobiles, and the different problems faced by forensic examiners.

To make it easier, I will set out a few questions and develop the answers; I will then go on with an example of a forensic examination, and finally I will develop a small Android forensic application. The project will be stored on GitHub (here) and the entire tutorial will be available on SecITs (here).

  • What is a computer crime, and is forensic examination always related to computer crimes?
  • What do forensic examiners do?
  • How do you become a forensic examiner?
  • How strict should a forensic examiner be?
  • Forensic examiners vs. the law?
  • What are the differences between forensic examination on computers and on mobile devices?

I will now try to answer the questions as precisely as possible; do not hesitate to comment on the answers if you have any doubt.
What is a computer crime, and is forensic examination always related to computer crimes?

Forensic examination is not always related to computer crimes, or to crimes in general. Forensic examination can be used to retrieve data from a broken computer, or can be used by hackers to retrieve data from your computer. Forensic examination also helps to fight crime in general. For example, in an accounting fraud case the crime has not been committed via a computer; however, the computer might contain evidence, as might the mobile phone, the iPod and so on. This leads us to the first part of the question: defining a computer crime.

A computer crime can be interpreted in multiple ways; in this case we will assume that computer crimes are all of the following:

  1. A crime committed with a computer.
  2. A crime committed against a computer (the target).
  3. A crime committed via, on or with a digital medium or device.

What do forensic examiners do?

There is a hierarchy of forensic examiners; I will divide them into multiple categories:

  1. First Response Patrols
  2. Investigators
  3. Specialists
  4. High Tech Examiners
  5. Researchers

First Response Patrols and Investigators are usually the ones on the front line, the bottom of the pyramid. They use tools to find evidence, recover data and write reports. They might also have to accompany the police to crime scenes to carry out on-site investigations.

Specialists and High Tech Examiners usually hold a master's degree. They usually review the reports, but they might also be involved in research and tool creation, and might still work hands-on with the tools to stay in practice.

Researchers usually hold a PhD in Computer Science and explore new techniques and new technologies related to forensic examination; however, some researchers investigate crime scenes too.

Note: It is important to understand that investigations conducted at some of the levels described above might involve child abuse cases as well, and that being a forensic examiner is not an easy job every day.

How do you become a forensic examiner?

Becoming a forensic examiner depends on what you want to do; as explained before, there are different levels of forensic examiners. The first route I would recommend is to go to a university such as the University of Abertay Dundee and follow courses such as this or this as an undergraduate, or this, this and this as a postgraduate. However, it is also possible to become a forensic examiner by following a Computer Science curriculum and taking up forensic examination as a hobby. There are multiple communities of ethical hackers and white hats on the web which advertise challenges. Doing a PhD might also help you reach the top of the pyramid and become a digital forensic researcher at a university.

How strict should a forensic examiner be?

Forensic examination is a very strict job: every action performed during the investigation should be recorded in a notebook, and each action should be performed on a duplicate image of the original medium, never on the original itself.

The investigation performed by the forensic examiner will help determine whether the suspect is guilty or not. At the end of the investigation the forensic examiner will have to hand an impartial report to the court including all the findings, actions and notes. Each action performed during the investigation should be reproducible by another forensic examiner during another forensic examination.

The job of a forensic examiner is very stressful: for example, data should never be altered or compromised, and the written report should be impartial and should not include feelings. The forensic examiner should always remain aware that he cannot judge, and that his report will help the court reach the right decision in favour of or against a suspect.

The forensic examiner might also be obliged to testify in court about his actions on the device or about the case. This may add pressure on the shoulders of a forensic examiner.
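One way to put "work on a duplicate, record every action, make it reproducible" into practice, as an added example (not code from the original post or from the author's project): a hash of the original is taken before anything else, the working copy is proven bit-identical, every step lands in a timestamped notebook, and the copy is re-hashed afterwards so any alteration is detected. SHA-256 as the integrity check and the constructed sample file standing in for a real disk image are assumptions of this example.

```python
import hashlib, os, shutil, tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so a multi-GB image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()
class ExaminerNotebook:
    """Append-only, timestamped record of every action (the digital notebook)."""
    def __init__(self):
        self.entries = []
    def record(self, action, **details):
        entry = {"time": datetime.now(timezone.utc).isoformat(), "action": action, **details}
        self.entries.append(entry)
        return entry
def acquire_working_copy(original, copy_path, notebook):
    """Copy the evidence and prove the copy is bit-identical before any analysis."""
    original_hash = sha256_file(original)
    notebook.record("hash_original", path=original, sha256=original_hash)
    shutil.copyfile(original, copy_path)
    copy_hash = sha256_file(copy_path)
    notebook.record("hash_copy", path=copy_path, sha256=copy_hash)
    verified = original_hash == copy_hash
    notebook.record("verify_copy", verified=verified)
    if not verified:
        raise RuntimeError("working copy does not match the original; do not proceed")
    return original_hash
def verify_unaltered(path, expected_hash, notebook):
    """Re-hash after examination: any change to the evidence shows up here."""
    current = sha256_file(path)
    unaltered = current == expected_hash
    notebook.record("verify_unaltered", path=path, sha256=current, unaltered=unaltered)
    return unaltered
def demo():
    """Constructed sample 'image' (not a real acquisition) exercising the workflow."""
    workdir = tempfile.mkdtemp()
    original, copy = os.path.join(workdir, "evidence.img"), os.path.join(workdir, "working.img")
    with open(original, "wb") as f:
        f.write(b"constructed sample disk image\n" * 1000)
    notebook = ExaminerNotebook()
    reference = acquire_working_copy(original, copy, notebook)
    intact = verify_unaltered(copy, reference, notebook)      # True: nothing touched yet
    with open(copy, "ab") as f:
        f.write(b"x")                                          # simulate an accidental write
    tampered_ok = verify_unaltered(copy, reference, notebook)  # False: alteration detected
    return intact, tampered_ok, len(notebook.entries)
```

The notebook entries are what another examiner would follow to reproduce the steps, and the final hash comparison is the check that the copy handed back matches what was acquired.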

Key words: Impartial, Strict, Organized, Structured, Reports.

Forensic examiners vs. the law?

As said in the previous question, each action performed on a device has consequences, and the law is strict. Forensic examiners cannot make errors: they have to write a detailed report about their findings, the data gathered, the pictures encountered and the commands they ran on the image or on the hard drive, mobile device, USB key etc. that they received. Forensic examiners will always be the ones held responsible if something goes wrong during an investigation; they might have to testify in front of a court and might also have to face the suspect. A forensic examiner has a lot of responsibilities, and must be impartial, organized and strict as explained before.

A forensic examiner has to follow standards during an investigation, such as the ACPO guidelines. These standards will be described in the second part of this tutorial.

What are the differences between forensic examination on computers and on mobile devices?

Forensic examination is a tricky field.

For example, computers can be accessed at any time; they can also be disassembled, and hard drives can be taken away and investigated elsewhere. Mobile devices, on the other hand, run on battery, do not have hard drives but flash storage, and do not follow the same architecture. Below are some of the problems that occur with mobile devices:

Mobile devices can run closed operating systems such as iOS or Android; some "parts" might not be accessible, might be encrypted or protected by a code or a pattern, the device can run out of battery, and data might not be easy to access.

Some proprietary and open-source software exists and is updated to follow the many devices on the market, but as we know, the number of mobile devices is growing exponentially at the moment, and this can make the life of a forensic examiner a nightmare. In the final part of this tutorial we will explore a way of doing a "small forensic examination" on an Android device and develop a small forensic framework in Java. This application will try to overcome the problems described above and will help forensic examiners retrieve data from smartphones.

This was the first part of "Digital Forensic Examination 101"; in part 2 we will see how to conduct a forensic examination on a fake computer case.

Note: This series of articles / tutorials is meant to be as exhaustive as possible; I would therefore appreciate your comments, and I will edit, correct and update the articles accordingly. If you have any questions, feel free to ask in the comments or contact me via the contact form here.
