Attorneys are always looking for new forms of evidence for both criminal and civil matters. With the recent advances in digital forensic capabilities, many legal cases are incorporating digital evidence that, if properly (and legally) uncovered and examined, can be leveraged to help a case. I encourage organizations and attorneys to become more familiar with digital forensics to better understand how it can be leveraged in your future cases.
What is Digital Forensics?
Digital forensics is the science of examining a digital device in order to investigate and recover data. As digital devices such as mobile phones, tablets and smart watches have become integral to our daily lives, the interactions can provide traces and intricate details of user behavior or events. These traces can provide valuable information in legal proceedings and corporate investigations such as employee misuse of client/customer records, employee termination disputes, data breaches and more.
Deleted Does Not Mean Gone Forever
One common misconception is that when something has been deleted from a device, it cannot be recovered. Skilled digital forensic examiners can usually retrieve files that have been deleted from a computer.
When to Use Digital Forensics
Here are situations where digital forensics are effective:
- An employee is terminated and the organization wants to ensure the employee did not remove any customer records. Or perhaps, the employee did remove the records and the organization needs an objective third party assessment of how the employee removed those records and what they did with them.
- A data breach occurs and the organization needs to narrow down who was behind the breach and what data was at risk.
- An investigation where an individual’s whereabouts need to be proven by using cell phone data
Digital evidence can provide a wide range of information, from the smallest supporting detail to the smoking gun that breaks the case wide open. Even simply reviewing an individual’s web browsing history can provide supportive context during an investigation.
Since there are no two digital events that are identical, it is important that the examiner is trained to identify and extract the evidence from the device that is being analyzed. The examiner must be able to pull out any data that may be relevant to the case and provide context for the events. This data may include deleted files, fragments of files or purposely hidden files.
In any case, a digital forensics examination can provide information that may otherwise not be obtainable. With society’s growing reliance on technology, an investigation may not be showing the complete picture without the examination of what’s stored in digital devices.
I welcome your questions and comments below.
For weekly insights into cybersecurity, please sign up here: