On TV crime shows, every case is solved in the space of a single episode, complex cases are blown wide open by a single fingerprint or strand of hair, and poor-quality photos or videos are magically enhanced to identify the bad guys before the credits roll. None of this is even remotely true, but such myths and misconceptions are an inseparable part of fictional crime shows. They’re also common in the real world of digital forensics.
One of these myths about digital forensics is that every case can be solved in just a few hours or days. Another is that all digital investigations follow a linear, step-by-step process as per an industry-accepted framework. Both beliefs are false. What are some other myths about digital forensics masquerading as the truth? This article explores a few of them.
Digital forensics is sometimes known as computer forensics, which creates the myth that digital forensics investigators only work with computing devices. It’s true that the first such investigations were limited to computers, but that was in the 1980s.
Since then, the definition of “computing” itself has evolved to include hyper-connected networks and a plethora of devices, from cell phones and GPS units to IoT sensors, personal devices and even automobiles. All of these are potential “threat vectors”, i.e. pathways that bad actors use to commit digital crimes and launch cyber attacks through phishing, malware, social engineering, etc.
That is why digital forensics now spans many:
Devices
Areas of expertise, like security breaches, data theft and hacking attempts
Sub-fields like network forensics, wireless forensics, database forensics, etc.
Digital forensics is used to investigate digital crimes in both the private and public arenas, so investigators may work with organizations’ security teams or with law enforcement officials. But they don’t work only on high-profile cases involving massive data thefts, hacking attempts, or serious crimes like digital terrorism or child pornography.
Digital forensics investigators work on all kinds of cases that require technically skilled investigation. They perform post-mortem analyses after cybercrimes, investigate internal company issues like policy compliance violations, intellectual property theft and patent disputes, and also investigate cases involving fraud or corporate espionage. Organizations often need their help with data recovery, privacy and confidentiality breaches, IT security audits, and forgeries.
CSIs on TV may solve cases within the time constraints of 45-minute episodes, but real life is quite different. Depending on the type and scale of the case, an investigation can take anywhere from a few days to several weeks or months.
Every investigation follows a detailed process for data gathering, preservation, collection, analysis, reporting and presentation. Many factors affect how long it takes to obtain and study data and to extract useful results from it. To keep moving forward, investigators need device access, appropriate search parameters, tools, and official authorization.
Investigators also have to capture crime scene information, establish a chain of custody, document all evidence, reconstruct events, and present their findings to a court or to corporate management. All these steps take painstaking effort, skills and time. Moreover, each case is different, so even with the right frameworks and best practices, an investigation is rarely quick or smooth.
Another common myth about digital forensics perpetuated by TV shows and pop culture: forensic examiners can get away with breaking or bending the laws of their state/province or country. The reality is exactly the opposite!
Investigators cannot simply access any device, breach its security systems and start peeking into its files or data. With any kind of case, they have to comply with the relevant laws and/or rules, whether they relate to:
Incident identification
Investigation approach/strategy
Data collection, preservation and documentation
Evidence chain of custody, storage and labeling
Data analysis
Evidence presentation,
or any other step during the investigation.
Investigators must also ensure full transparency during the process, maintain detailed records, and take steps to ensure that no foul play occurs. Their efforts directly impact the outcome of a digital crime or cyber event, so they cannot afford to break rules.
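The chain of custody and the detailed records mentioned above are usually kept as a hash-linked ledger: the evidence image is hashed at acquisition, every handoff re-hashes it, and each record commits to the one before it, so any later alteration of the image or of the records is detectable. The example below is added here and is not code from the original article or from Packetlabs; it uses a constructed byte string in place of a real disk image.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image (not real evidence).
EVIDENCE_IMAGE = b"constructed sample evidence image\x00\x01\x02"
GENESIS = "0" * 64  # prev_entry_hash of the first (acquisition) record


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_hash(entry: dict) -> str:
    """Hash every field except the record's own hash, in canonical order."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


def record_event(ledger: list, action: str, handler: str, image: bytes) -> dict:
    """Append a custody event (acquisition first); the handler re-hashes the image."""
    entry = {
        "action": action,
        "handler": handler,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "image_sha256": sha256_hex(image),
        "prev_entry_hash": ledger[-1]["entry_hash"] if ledger else GENESIS,
    }
    entry["entry_hash"] = entry_hash(entry)  # links this record to the one before it
    ledger.append(entry)
    return entry


def verify_ledger(ledger: list, image: bytes) -> list:
    """Return a list of problems; an empty list means records and image are intact."""
    problems, prev_hash = [], GENESIS
    expected = ledger[0]["image_sha256"]  # hash taken at acquisition
    for i, e in enumerate(ledger):
        if e["prev_entry_hash"] != prev_hash:
            problems.append(f"entry {i}: link to previous record broken")
        if entry_hash(e) != e["entry_hash"]:
            problems.append(f"entry {i}: record altered after it was written")
        if e["image_sha256"] != expected:
            problems.append(f"entry {i}: image hash differs from acquisition hash")
        prev_hash = e["entry_hash"]
    if sha256_hex(image) != expected:
        problems.append("current image does not match acquisition hash")
    return problems
```

In practice the ledger is kept separately from the evidence store, and each record is signed by the handler; the hash chain shown here only makes tampering visible, it does not prevent it.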
In the modern Internet era, cybercrimes are worryingly commonplace. Digital forensics plays an important role in investigating these crimes and finding the bad actors responsible. But a belief in common myths about digital forensics sets the wrong expectations about the required effort and time, potential cost, and feasible results. We hope this article has busted some of your incorrect beliefs about digital forensics.