Notes: Digital forensics

What is Digital Forensics?

  • Definition (UK Forensic Science Regulator): The process by which information is extracted from data storage media (e.g., devices, systems associated with computing), rendered into a usable form, processed and interpreted for the purpose of obtaining intelligence for use in investigations, or evidence for use in criminal proceedings.

  • Overview:

    • Can be used to gather evidence in many criminal investigations.

    • Legislation on agencies' powers to access communications continues to be debated.

    • The Forensic Science Regulator required all digital forensics practitioners undertaking criminal justice work to be accredited (ISO 17025) by 2017, but accepts this will be challenging.

    • Encryption and cloud storage can inhibit digital forensics investigations.

Digital Forensic Process

  • Identification: Recognizing and locating digital evidence.

  • Preservation: Protecting the integrity of the evidence.

  • Acquisition: Obtaining a forensically sound copy of the evidence.

  • Analysis: Examining the evidence to extract relevant information.

  • Reporting: Presenting the findings in a clear and concise manner.

  • Challenges: Lack of resources, volume of work (increase in digital devices), new technology, encryption, cloud storage.
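
What "protecting the integrity" and "a forensically sound copy" can look like in practice, as an added example that is not part of the original notes: the image is hashed against the source at acquisition, and the recorded hash is re-checked before analysis. The choice of SHA-256, the function names, the record fields and the sample data are assumptions made for illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large images do not fill RAM

def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire(source, image, examiner):
    """Acquisition: copy source to image and confirm both hash identically."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "xb") as dst:  # "x": never overwrite
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)   # hash exactly the bytes read from the source
            dst.write(block)
    source_hash = h.hexdigest()
    if sha256_of(image) != source_hash:
        raise IOError("image does not match source; acquisition is not sound")
    os.chmod(image, 0o444)  # mark the working copy read-only
    return {  # hypothetical record layout for the case file
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "size_bytes": os.path.getsize(image),
        "sha256": source_hash,
    }

def still_intact(image, record):
    """Preservation: re-hash the image and compare with the acquisition record."""
    return sha256_of(image) == record["sha256"]

def demo():
    """Constructed sample data; returns (intact_before, intact_after_change)."""
    with tempfile.TemporaryDirectory() as d:
        src, img = os.path.join(d, "source.bin"), os.path.join(d, "image.dd")
        with open(src, "wb") as f:
            f.write(b"constructed sample evidence " * 1000)
        record = acquire(src, img, examiner="EXAMINER-PLACEHOLDER")
        before = still_intact(img, record)
        os.chmod(img, 0o644)
        with open(img, "r+b") as f:  # simulate one altered byte in the image
            f.write(b"X")
        return before, still_intact(img, record)
```

A single changed byte makes the later check fail, which is why the hash recorded at acquisition is the reference for every subsequent stage.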

Types of Digital Evidence

  • Examples: Mobile phones, computers (laptops/desktops), external storage (USB sticks, hard drives), cloud accounts, CCTV, smart home devices, vehicles.

  • Sources of Evidence: Social media, emails, messaging apps, web browsing history, location data, documents, images/videos.

Device Categories & Considerations

  • Home Computers/Laptops/Servers:

    • Considerations: Hard drives, volatile memory (RAM), network connections, multiple users.

  • Mobile Phones:

    • Considerations: Call logs, SMS, GPS, app data, cloud sync.

  • Other Devices: CCTV, drones, smartwatches, gaming consoles.

Legal Aspects

  • Legislation: Police and Criminal Evidence Act (PACE), Regulation of Investigatory Powers Act (RIPA), Data Protection Act (DPA), Computer Misuse Act (CMA).

  • Warrants & Authorisations: Necessary for lawful access to digital evidence.

Challenges in Digital Forensics

  • Encryption: Makes data inaccessible without keys.

  • Cloud Storage: Data is not physically on a device, requiring cooperation from service providers.

  • Volume of Data: Exponential growth in data makes analysis time-consuming.

  • Anti-Forensics: Techniques used by suspects to hide or destroy evidence.

  • New Technologies: Rapid evolution of technology constantly presents new challenges.

  • AI & Online Offending: Increasing use of AI in creating indecent material; law enforcement warns offenders will be caught.

Case Study | Operation Colindale (The Murder of Aya Hachem | 2020)

  • Overview: One of the longest-running and most complex investigations by Lancashire Constabulary, with added challenges from the COVID-19 pandemic.

  • Digital Evidence Collected:

    • 3959 exhibits generated.

    • 120 phones.

    • 180 digital storage devices.

    • 80,000 hours of CCTV seized.

    • Extensive CCTV and telephone enquiries looking at the time before, during, and after the incident.

    • 30 vehicles seized.

  • Outcome:

    • 7 men were convicted on Tuesday, August 3, 2021.

    • A woman was found guilty of manslaughter.

    • They will serve a total of 216 years between them.