The field of digital forensics originated in the 1980s in the United States and is heavily influenced by the US legal system. However, there are notable differences between the US and European legal systems, resulting in variations in the practice of digital forensics in Europe.

In the Italian language, there is no direct translation for the term “forensics.” However, it is commonly rendered as “forense.” Therefore, the term “digital forensics” is translated as “informatica forense” or “criminalistica digitale” in Italian.

Definition

Digital Forensics is the combination of two distinct topics:

  • Forensics is the application of scientific analysis methods to reconstruct evidence.
  • Digital (or Computer) Forensics is the application of scientific analysis methods to digital data, computer systems, and network data to reconstruct evidence.

This is a scientific discipline that involves the identification, preservation, analysis, and presentation of digital evidence. It requires processes and methodologies that are repeatable and reliable, legally admissible, and that do not alter the evidence. Evidence used in court can come from a variety of sources: the physical world, the testimony of witnesses, and the digital world. The primary goal of digital forensics is to reconstruct the evidence, that is, to piece together the evidence to determine what happened.

Considering the “Daubert standard” (coming from the US system), Rule 702 states that

a witness who is qualified as an expert by knowledge, skill, experience, training, or education may testify in the form of an opinion or otherwise if:

  • The expert’s scientific, technical, or other specialized knowledge will help the trier of fact to understand the evidence or to determine a fact in issue.
  • The testimony is based on sufficient facts or data.
  • The testimony is the product of reliable principles and methods.
  • The expert has reliably applied the principles and methods to the facts of the case.

The Daubert standard sets forth criteria for evaluating the admissibility of expert testimony. Two key elements to consider are relevance and reliability. Relevance means that the expert testimony must be directly applicable to the specific task or issue at hand. Reliability requires that the scientific knowledge or methodology on which the expert relies is based on sound scientific principles and methods.

In order to meet the reliability requirement, the scientific method or methodology used by the expert must be robust and well-established. This means that it should be based on repeatable experiments and observations, and capable of being tested and potentially falsified. Additionally, the expert’s scientific knowledge and methods should have undergone peer review and publication in reputable scientific journals. By ensuring that expert testimony meets the standards of relevance and reliability, the Daubert standard aims to promote the use of scientifically valid evidence in legal proceedings.

The scientific method is the key to what the Daubert test means by “scientific”. Scientific means two important things:

  • Repeatable: this concept was developed in 1650 by Galileo Galilei, who spoke of “sensate esperienze e necessarie dimostrazioni” (sensible experiences and necessary demonstrations). In a document he wrote that:

"So far as experiments go, they have not been neglected by the Author; and often, in his company, I have attempted in the following manner to assure myself that the acceleration actually experienced by falling bodies is that above described."

This means that the experiment must be repeatable and the results must be the same.

  • Falsifiable: this concept was developed by Karl Popper (1934) in his book “The Logic of Scientific Discovery”.

"In so far as a scientific statement speaks about reality, it must be falsifiable: and in so far as it is not falsifiable, it does not speak about reality."

This means that it must be possible to prove a scientific statement wrong: if a statement is scientific, there is a way to show the opposite. Something like “There is a God” is not a scientific statement because it is not falsifiable.

The scientific methodology is necessary because, when we present evidence in court, we must be able to prove that the evidence is reliable and that the methods used to obtain it are reliable. Evidence used in court can come from a variety of sources, from the physical world to the testimony of witnesses.

The Daubert test considers several scientific factors when evaluating expert testimony:

  1. General acceptance: The theory or technique used by the expert must be widely accepted in the scientific community. This means that the methodologies and techniques employed should be considered reliable and trustworthy.
  2. Peer review: The expert’s work should have undergone rigorous peer review and been published in reputable scientific journals. This ensures that the research has been scrutinized and validated by other experts in the field.
  3. Testability: The theory or technique should be capable of being tested and ideally has been tested in practice. This allows for the evaluation of its reliability and accuracy.
  4. Error rate: The known or potential rate of error associated with the theory or technique should be acceptable. Experts must demonstrate a low error rate in their work to be considered reliable.
  5. Independence: The research conducted by the expert should be independent of the specific litigation. It should not be influenced by any intention to support a particular side in the case.

These factors help determine the scientific validity and reliability of expert testimony, ensuring that only evidence based on sound scientific principles is presented in legal proceedings.

Example Of Forensic Engagements

Situations And Constraints:

  • Internal investigations (inside an organization)
  • Criminal investigations (defense or prosecution)
  • Post-mortem of a system to assess damage or define a recovery strategy
  • Research (honeypots, etc.)

Crimes And Events (Examples):

  • Child pornography
  • Fraud
  • Cyber extortion/threats
  • Espionage
  • Copyright infringements
  • Policy violations

Phases of a forensic investigation

A forensic investigation typically consists of four phases:

  1. Source acquisition: In this phase, data is collected from various sources such as computers, smartphones, or other digital devices. The goal is to gather all relevant information that may be useful for the investigation.
  2. Evidence identification: Once the data is collected, it is carefully analyzed to identify potential evidence. This involves examining files, documents, emails, chat logs, and any other digital artifacts that may be relevant to the case.
  3. Evaluation: After the evidence is identified, it is evaluated to determine its significance and relevance to the investigation. This involves assessing the credibility and reliability of the evidence, as well as its potential impact on the case.
  4. Presentation: Finally, the evidence is presented in a clear and organized manner, typically in the form of a forensic report. This report summarizes the findings of the investigation and provides a detailed analysis of the evidence. The report may be used in court to support the case or to provide expert testimony.

Each phase of the forensic investigation is crucial in building a strong case and ensuring that the evidence is admissible in court. It requires a combination of technical expertise, analytical skills, and adherence to legal and ethical standards.
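As an added illustration, not part of the original notes, of how the “repeatable” and “do not alter the evidence” requirements are carried through the source acquisition phase: the source is hashed before and after the copy, the working image must hash identically, the acquisition record can be re-verified at any later phase, and a single stray byte written to the image is detected. The file names and sample bytes are constructed for the demo.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # stream in 1 MiB pieces so a large image need not fit in memory

def sha256_of(path):
    """Hex SHA-256 of a file, computed by streaming it from disk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def acquire(source, image):
    """Copy source bit-for-bit to image and return an acquisition record.

    The source is hashed before and after the copy (evidence it was not
    altered) and the image must hash identically, or the copy is rejected.
    """
    before = sha256_of(source)
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
    after, image_hash = sha256_of(source), sha256_of(image)
    if not (before == after == image_hash):
        raise RuntimeError("acquisition failed integrity check")
    return {"size": os.path.getsize(image), "sha256": image_hash,
            "acquired_at": datetime.now(timezone.utc).isoformat()}

def verify(image, record):
    """Re-hash the image; True only if it is byte-for-byte as acquired."""
    return (os.path.getsize(image) == record["size"]
            and sha256_of(image) == record["sha256"])

def demo():
    """Constructed sample: acquire a fake 'disk', verify it, then simulate
    a stray write to the working copy and check that verification fails."""
    with tempfile.TemporaryDirectory() as d:
        src, img = os.path.join(d, "disk.raw"), os.path.join(d, "disk.dd")
        with open(src, "wb") as f:
            f.write(b"\x00" * 4096 + b"SAMPLE EVIDENCE DATA" + b"\xff" * 4096)
        rec = acquire(src, img)
        intact = verify(img, rec)
        with open(img, "r+b") as f:  # one byte overwritten in the copy
            f.seek(4096)
            f.write(b"X")
        return intact, verify(img, rec), rec["sha256"] == sha256_of(src)
```

In a real engagement the record (hash, size, timestamp) is what goes into the chain-of-custody documentation and is re-checked before the evaluation and presentation phases.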
