Get Help

• Talk to a Data Tech
  (877) 510-5078

Hot Topic

• Digital Forensics: What does it take?

Newsletter

Get all the latest news, tips, and commentaries - sign up for our free newsletter.

Resources

• Fedora Linux
• Apache
• MariaDB (MySQL Database)
• Mod_Perl
• Redis key-value Store

Digital Forensics

By

In this article I will explain the definition of Digital Forensics, describe some necessary tools, biassedly point out the difference between open source and proprietary tools, and define what it takes to be a Digital Forensics Investigator (DFI).

A surprising array of answers may come from various IT professionals when asked "what is Digital Forensics?" Drilling it down to a separation of the words will help get to the true meaning.

Forensics is the application of scientific knowledge & technology to the interpretation and enforcement of the law. It drills down even further - to a day in court. What the DFI does with the available evidence may determine whether or not the testimony regarding that evidence is admissible.

The judge in any given case has the sole responsibility of determining the admissibility of all evidence and testimony presented in court.

Rule 702 of the Federal Rules of Evidence and the following cases guide the judge in determination of what is admissible:

• Daubert v. Merrell Dow Pharmaceutical (1993)
• Kumho Tire Co., Ltd v. Carmichael (1999)
• Coppolino v. State (1968 - a reference)

Based on the various experiences of presiding judges, this can be a very subjective process.

For the Digital Forensic Investigator (DFI), a good base starts with understanding the software being used to conduct the analysis. This is where open source comes in. Being able to examine the source code of the software used in the analysis can be an asset, but this is not where the value is - more on this below -. Open source vs. closed source software has no bearing on determining the admissibility of evidence.

The factors regarding admissibility:

• Are the facts obtained in the investigation relevant?
• Can the results (facts) be duplicated by other investigators using the same, or different acceptable tools?

The value of open source software (and the Linux community) has more to do with the technical knowledge of the DFI than the admissibility of evidence obtained. Open source techies are often more advanced than the graphical user interface "experts".

Open source software is generally command line driven with the added feature of a GUI component added to the top layer. Understanding the Linux command line interface (CLI) lends to the overall knowledge and expertise of the DFI. A DFI with CLI skills usually has skills in system administration and programming - all assets in the task of Digital Forensics.

So what does it take to be a Digital Forensic Investigator?
The best combination of skills, knowledge and expertise consists of traditional investigative skills with case development involving litigation and a broad range of Information Technology skills such as:

• System Administration
• Programming
• Network Administration
• Hardware Familiarity

On the system admin side, expertise with as many operating systems (OS) as possible is necessary, Linux being the most important (my bias, but for good reason). Of course, a deep understanding of Microsoft OS's is necessary, since many cases involve MS Window. This is just the tip of the iceberg on this subject.

Resources:

• The SleuthKit
• Open Source Forensics
• SANS Institute
• Command Line dd