
A Digital Forensics Lab by Any Other Name

Christa Miller explores the notion that digital forensics laboratories may once have been specialized, but increasing case complexity demands broader capabilities across disciplines

The fundamental mission of a digital forensics laboratory (the legally defensible collection, preservation, and analysis of evidence) may be the same, but budget, staffing and governance drive how different labs accomplish this task.

A digital forensics laboratory might handle one or more of the following functions:

• Computer Forensics

• Video Forensics

• Forensic Audio

• Image Analysis

• Mobile Device Forensics

• Incident Response

• e-Discovery/Litigation Support

• Data Recovery

Law enforcement and non-law enforcement labs often handle these areas differently. Law enforcement labs focus on collecting digital evidence that supports criminal allegations. If they find exculpatory information, it is also reported by the examiner, but it is not necessarily the examination’s focus (as it is for examiners working criminal defense cases). Law enforcement examiners look for evidence in data areas under the user’s control, as well as in unallocated space not under the user’s control.

Civil examiners focus on litigation support, which is not something law enforcement examiners are generally concerned with. Litigation requires most of the recovered information to come from user-controlled areas of the storage media. This can be accomplished through a variety of methods, which are regarded as sound computer forensic practice.

Thus the actions of both law enforcement and non-law enforcement laboratories can be similar in tools and methodology, but these actions can occur differently for reasons related to their ultimate purpose and use by the court. Because tools and methodology are similar, however, both types of labs face similar challenges. First, the proliferation of smaller-sized, yet larger-capacity media means that forensic examiners increasingly find themselves handling complex cases that overlap each of the eight sub-disciplines. Additionally, large data sets continue to be a problem. As the volume of digital evidence grows, so does the requirement for sufficient space to archive the cases until they are adjudicated. Finally, with each function a laboratory handles, a different skill set is required—as well as toolkits to accomplish the job.

How Labs Support Forensics Professionals

Skill sets were noted in a February podcast at Bank Information Security, during which Rob Lee, a director at MANDIANT, told interviewer Tom Field: “The cases that we’re now experiencing require forensic professionals to be able to be comfortable with doing forensics across multiple machines, across different environments and give different case types all the way up to where you could be investigating advanced hackers that are moving within your organization.”

Indeed, within corporate environments, digital forensic examiners tend to be generalists rather than specialists: they deal with both inside and outside threats, with regulatory issues and with civil lawsuits. Even though the forensic work across disciplines may be the same, some differences exist. Incident response, for instance, might be called “data mapping” when applied to regulatory matters.

Also different can be specific areas of focus. An examiner who deals mainly with outside threats may focus on servers, routers, switches and firewalls, while an examiner dealing with inside threats is more likely to focus on authorized user access. Ultimately, however, each examiner’s job is still to find the source of information. To that end, the generalist does not have to know how to configure switches or routers, but knowing what those pieces of equipment do is helpful. Likewise, it is not necessary to be a programmer to follow source code, but understanding programming can be very beneficial. Thus the forensic lab, whatever its mission, must be able to support this variety of examiners and their examinations in a way that protects the integrity of both stored and collected data. Even if a case never sees the light of a courtroom, data collection, preservation and analysis must adhere to standards almost as strict as those for a criminal case.

Gathering digital evidence for civil cases doesn’t follow standards as stringent as for criminal cases, but there are still chain-of-custody and security issues. A lab might be imaging the PCs of chief executive or chief financial officers at large corporations. These people are custodians of sensitive information—the company’s ‘crown jewels’ of trade secrets and intellectual property, and/or customers’ private data.

The full article appears in Issue 3 of Digital Forensics Magazine, published 1st May 2010. You must log in with a valid subscription to read on...
