
About the author

Roland Thomas

Associate Director | Corporate Development

Roland is an Associate Director in Thomas Murray’s Corporate Development team. He joined Thomas Murray in 2018 with responsibility for group strategy, partnerships and corporate finance. More recently, Roland’s role has focused on establishing Thomas Murray’s cyber risk business, starting in 2021 with the launch of our Orbit Security platform, and the development of our expert cyber risk consultancy. Roland has a BA in English Language and Literature from Oxford University.

Key points 

  • Digital forensics is the process of uncovering and interpreting electronic data for use as evidence in an investigation. 
  • Digital forensics is a vital part of identifying and punishing cyber criminals who target companies and individuals with cyber attacks, but it also has a role in solving ‘offline’ crimes. 
  • In most jurisdictions, there are standards and guidelines that digital forensics practitioners must follow to ensure that the evidence they find is robust (admissible in court, to regulators, insurers).  
  • ‘Digital forensics’ is a broad term that covers specialist areas, such as computer forensics, memory forensics, network forensics, mobile forensics, IoT forensics and open source intelligence. 
  • Electronic discovery (eDiscovery) and digital forensic investigations are both processes that deal with electronically stored information (ESI) in legal matters or investigations. However, they differ in their focus and the tools they require. 

A detective at the keyboard 

It is not just cyber criminals who leave behind trails of digital evidence. From the killer who Googles “how to clean a crime scene”, to a disgruntled employee who steals their company’s sensitive IP, a digital forensic specialist will be called on to help solve a range of civil and criminal cases. 

Dr Shahrzad Zargari is Course Leader in Cyber Security with Forensics at Sheffield Hallam University. She defines the role of a digital forensics practitioner as being, “to identify, preserve, analyse and present the digital evidence (i.e. any information of probative value) in a manner that is legally acceptable.”  

Like any other investigator, the digital forensic specialist must answer four fundamental questions: Who, what, where and when? 

Many jurisdictions prescribe how this evidence should be collected and presented. In the UK and Ireland, for example, digital forensic experts must follow the National Police Chiefs’ Council (NPCC) guidelines and the ten principles set out in the College of Policing’s Authorised Professional Practice: Extraction of materials from digital devices. (The NPCC guidelines were created in 2015, when the NPCC was known as the Association of Chief Police Officers (ACPO), so the NPCC guidelines are still often referred to as ‘the ACPO guidelines’.) 

Digital forensics: The growing weight of digital evidence 

Digital forensics is a fast-changing growth area that’s not just of interest to law enforcement. It has also become an umbrella term that covers distinct areas of expertise, including: 

  • Computer forensics – the examination of computer hardware and the data it holds. Computer forensics is more focused on data recovery and decryption, usually performed on an image of the hard drive rather than the original disk. It can be seen as more of a post-mortem of events that have already transpired. Cyber crime doesn’t have to be a factor: for example, a computer forensics expert can retrieve valuable lost data if a machine or network crashes for a wholly innocent reason. 
  • IoT forensics – “internet of things” (IoT) is a broad term that can cover everything from a smart fridge to a complex network of traffic lights. The use of drones to smuggle contraband over prison walls is well documented, but that is at the more modest end of the scale. Cyber criminals can target entire countries through their critical infrastructure (such as their power grids or air traffic control systems). IoT forensics can therefore be especially difficult both because of the sophisticated technologies often in use and the legacy or proprietary systems that can often be used in manufacturing and other similar industries. 
  • Memory forensics – accessing RAM (Random Access Memory) with specialist software. A skilled practitioner often needs to run this process, because a computer’s ‘memory dump’ holds data that can easily be damaged or lost during a recovery attempt. It provides a snapshot of the system that gives investigators a near real-time image of the processes and programs in operation while the system was in use. It is time-sensitive, as the information required is stored in volatile system memory, and if the system is restarted or powered off, then that information is ‘flushed’ from system memory. It’s particularly useful for identifying attacks or malicious behaviours that do not leave easily detectable tracks on hard drive data. 
  • Mobile forensics – the recovery of digital evidence from mobile phones, tablets and other mobile devices can be challenging and involve multiple specialists because of the different operating systems and models in use. 
  • Network forensics – analysing a computer network’s incoming and outgoing traffic, either as part of an incident response or threat hunting exercise. 
  • Open source intelligence (OSINT) – a method used to collect and analyse publicly available information to support investigations, critical decision-making, and improve overall security posture. In the context of digital forensics, OSINT can be used to gather intelligence from various online sources to aid in an investigation. It’s also widely used in cyber security to discover vulnerabilities (a practice often called ‘technical footprinting’). 

eDiscovery: See you in court 

Electronic discovery (eDiscovery – sometimes referred to in the UK as eDisclosure) is the digital process of identifying, collecting, and producing electronically stored information (ESI) needed as evidence in a legal or regulatory matter.  
 
ESI covers a wide range of data types, such as emails, documents, presentations, databases, voicemail, audio and video files, social media, and cloud-based systems. 

The complexity of eDiscovery comes from the vast amount of electronic data that the average organisation creates and stores every day. ESI is more dynamic than physical evidence and often contains metadata, which includes information like time-date stamps, author and recipient information, and other properties.  

It’s crucial to preserve the original content and metadata of ESI to ensure defensibility of process and prevent claims of evidence tampering. This can be achieved by appropriately and proportionally applying a digital forensic approach to the preservation and collection of data. 
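One concrete form that forensic approach takes is to hash the collected ESI at acquisition time, record who collected it and when, and re-hash it before it is relied on. The script below is an added illustration, not code from Thomas Murray or the original article; the evidence file, examiner name and record format are constructed for the example.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large evidence images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(path, examiner):
    """Build an acquisition record: what was collected, by whom, when, its size,
    original modification time and hash. This is the audit trail that lets a
    later reviewer show the content and metadata were not altered."""
    st = os.stat(path)
    return {
        "source": os.path.basename(path),
        "examiner": examiner,  # hypothetical examiner identifier
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "size_bytes": st.st_size,
        "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        "sha256": sha256_of_file(path),
    }


def verify(path, record):
    """Re-hash the evidence and compare with the record; any change fails."""
    return (sha256_of_file(path) == record["sha256"]
            and os.stat(path).st_size == record["size_bytes"])


def demo():
    """Constructed walk-through: acquire a sample file, verify it, then show
    that even a one-byte change after collection is detected."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "evidence.img")  # stands in for a disk image or mailbox export
        with open(img, "wb") as f:
            f.write(b"From: alice@example.com\r\nSubject: Q3 forecast\r\n" * 100)
        record = acquire(img, "examiner-01")
        intact = verify(img, record)
        with open(img, "ab") as f:  # simulate re-saving the file after collection
            f.write(b"\n")
        tampered = verify(img, record)
        return intact, tampered
```

In practice the acquisition record is stored separately from the evidence (and ideally signed or timestamped) so that the record itself cannot be silently rewritten alongside the data.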

Once identified, all documents that might be relevant (including electronic and hard-copy materials) are analysed by specialist eDiscovery software to identify common themes and accelerate the elimination of irrelevant or duplicative information.  

This is not just to save time and costs – everything found during the eDiscovery process may be disclosed to counterparties and even end up on the public record. Care must be taken to identify data that may contain private, commercially sensitive or legally privileged information. 

Often, courts and regulatory bodies will require that such processes be verified as a Statement of Truth from the parties involved, so it is important to ensure that oversight of any process is maintained by individuals with the appropriate level of seniority and expertise.  
 
As with most areas of digital technology, these complex fields are evolving all the time as advances in AI and machine learning create new challenges and demand new skill sets and areas of expertise. 

Please contact me and the team to find out more about how digital forensics can safeguard your organisation and its people. 
