IT Forensics, Computer Forensics, Digital Forensics, Cyber Forensics
What is IT Forensics?
IT Forensics, more commonly known in the industry as “digital forensics”, is simply a way of telling the story of what happened through the examination of evidence found on digital sources like computers, cell phones, and other electronic devices.
In the field of IT Forensics, digital forensics examiners collect the data, preserve it for analysis and produce findings for clients, generally for use in a court of law. DFI Forensics strictly adheres to the protocols of the IT forensics process to ensure the admissibility of our findings in court as well as the defensibility of our conclusions should they come into question by an opposing litigant or lawyer.
Process of digital forensics
Step 1: Evidence
The first step in the process is to acquire the digital evidence. IT forensics examiners use specialized tools and forensic software to do this in a manner that doesn’t disturb or interact with the original data in any way. For example, date and time stamps associated with operating system logs may be updated if the evidence is collected without using the tools and forensic software that DFI Forensics uses.
Step 2: Data preservation
Following the acquisition of digital evidence from the source, the data is preserved by DFI Forensics and a “working copy” is made from the original data. The analysis is conducted on the working copy of the evidence. DFI Forensics uses special tools to generate a uniquely identifying alpha-numeric “hash value” from the original and the working copy. Hash values are more accurate than a DNA match and we ensure a match prior to moving forward with our analysis.
Step 3: Data analysis
During the analysis stage of the digital forensics process, IT forensics examiners analyze the data acquired from the digital source. Drawing on the expert training of a digital forensics examiner, the investigation seeks to determine what you need to know based on an examination of the evidence we have collected. Often, the goal is to confirm, verify, corroborate or rule out a theory or hypothesis about the facts presented.
In other words, we want to know what happened, and sometimes our lawyer clients need to corroborate their client’s version of events or discredit the version of events being presented by the opposing party in a lawsuit. Every case is unique and DFI Forensics never truly knows what the evidence will tell us until we begin our analysis. However, we will always advise our clients, to the best of our ability, of what they can reasonably expect to learn from our investigations.
Step 4: Summary report
The final stage in the process is reporting our findings to the client. DFI Forensics will provide a written summary report of our findings and opinion along with digital copies of any evidence produced in the course of our IT forensics investigations. Often, our lawyer clients require written reports that comply with the various rules of court that apply in their jurisdiction.
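The hash comparison described in Steps 1 and 2 can be shown in a short script. This is an added example, not DFI Forensics' own tooling: the file names and the sample data are constructed, SHA-256 is an assumed choice of hash, and opening the source read-only stands in for the write-blocking acquisition tools the steps refer to.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large images never sit in memory

def sha256_file(path):
    """Return the SHA-256 hex digest of a file, read in binary mode."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()

def make_working_copy(source, dest):
    """Copy source to dest, hashing the source bytes as they are read,
    then re-read dest from disk and compare the two digests."""
    digest = hashlib.sha256()
    # "rb" opens the source read-only; "xb" refuses to overwrite an existing copy.
    with open(source, "rb") as src, open(dest, "xb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            digest.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())
    source_hash = digest.hexdigest()
    copy_hash = sha256_file(dest)
    return {"source_sha256": source_hash, "copy_sha256": copy_hash,
            "match": source_hash == copy_hash}

def demo():
    """Run the check on a constructed sample file, then alter the copy by one bit."""
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "evidence.img")      # hypothetical name
        copy = os.path.join(workdir, "working_copy.img")    # hypothetical name
        with open(source, "wb") as handle:
            handle.write(b"constructed sample evidence\n" * 4096)
        mtime_before = os.stat(source).st_mtime_ns
        record = make_working_copy(source, copy)
        record["source_mtime_unchanged"] = os.stat(source).st_mtime_ns == mtime_before
        with open(copy, "r+b") as handle:                    # flip one bit at offset 100
            handle.seek(100)
            original = handle.read(1)
            handle.seek(100)
            handle.write(bytes([original[0] ^ 0x01]))
        record["tamper_detected"] = sha256_file(copy) != record["source_sha256"]
        return record
```

Calling `demo()` returns the recorded digests along with the match, timestamp and tamper checks; a single flipped bit in the working copy is enough to make the digests differ.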
How Can IT Forensics Help Me?
If you are a lawyer representing a client with an important lawsuit, an IT Forensics investigation can usually produce highly accurate evidence that tells the real story of the event that gave rise to the dispute.
Any trial lawyer seeking to strengthen their client’s case should strongly consider what evidence may be found on a computer, cell phone or IT network server that may corroborate the version of events put forward by their client.
Further, IT forensics is an area of expertise in which only a trained and certified professional can present evidence in court, and any opinion expressed by an IT forensics expert must be supported by facts, proper methodology and accurately recorded notes or records of the chain of custody of the digital evidence.
Written by Tyler Hatch, B.A., LL.B. | CCFE CMFE
Founder & CEO | Certified Digital Forensics Examiner
Digital Forensics | Litigation Support | Incident Response
Serving clients across North America with offices located in Vancouver, Langley, Calgary and Toronto.