A Digital Forensics Lab by Any Other Name

Christa Miller explores the notion that digital forensics laboratories may once have been specialized, but increasing case complexity demands broader capabilities across disciplines

The fundamental mission of a digital forensics laboratory – the legally defensible collection, preservation, and analysis of evidence – may be the same, but budget, staffing and governance drive how different labs accomplish this task.

A digital forensics laboratory might handle one or more of the following functions:

• Computer Forensics

• Video Forensics

• Forensic Audio

• Image Analysis

• Mobile Device Forensics

• Incident Response

• e-Discovery/Litigation Support

• Data Recovery

Law enforcement and non-law enforcement labs often handle these areas differently. Law enforcement labs focus on collecting digital evidence that supports criminal allegations. If they find exculpatory information, the examiner reports that as well, but it is not necessarily the examination’s focus (as it is for examiners working criminal defense cases). Law enforcement examiners look for evidence in data areas under the user’s control, as well as in unallocated space not under the user’s control.

Civil examiners focus on litigation support, which is not something law enforcement examiners are generally concerned with. Litigation requires most of the recovered information to come from user-controlled areas of the storage media. This can be accomplished through a variety of methods that are recognized as sound computer forensic practices.

Thus the actions of both law enforcement and non-law enforcement laboratories can be similar in tools and methodology, but these actions can occur differently for reasons related to their ultimate purpose and use by the court. Because tools and methodology are similar, however, both types of labs face similar challenges. First, the proliferation of smaller-sized, yet larger-capacity media means that forensic examiners increasingly find themselves handling complex cases that overlap each of the eight sub-disciplines. Additionally, large data sets continue to be a problem. As the volume of digital evidence grows, so does the requirement for sufficient space to archive the cases until they are adjudicated. Finally, each function a laboratory handles requires a different skill set, as well as the toolkits to accomplish the job.

How Labs Support Forensics Professionals

Skill sets were noted in a February podcast at Bank Information Security, during which Rob Lee, a director at MANDIANT, told interviewer Tom Field: “The cases that we’re now experiencing require forensic professionals to be able to be comfortable with doing forensics across multiple machines, across different environments and give different case types all the way up to where you could be investigating advanced hackers that are moving within your organization.”

Indeed, within corporate environments, digital forensic examiners tend to be generalists rather than specialists: they deal with both inside and outside threats, with regulatory issues, with civil lawsuits. Even though the forensic work across disciplines may be the same, some differences exist. Incident response, for instance, might be called “data mapping” when applied to regulatory matters.

Areas of focus can also differ. An examiner who deals mainly with outside threats may focus on servers, routers, switches and firewalls, while an examiner dealing with inside threats is more likely to focus on authorized user access. Ultimately, however, each examiner’s job is still to find the source of information. To that end, the generalist does not have to know how to configure switches or routers, but knowing what those pieces of equipment do is helpful. Likewise, it is not necessary to be a programmer to follow source code, but understanding programming can be very beneficial. Thus the forensic lab, whatever its mission, must be able to support this variety of examiners and their examinations in a way that protects the integrity of both stored and collected data. Even if a case never sees the light of a courtroom, data collection, preservation and analysis must adhere to standards almost as strict as those for a criminal case.

Gathering digital evidence for civil cases doesn’t follow standards as stringent as those for criminal cases, but there are still chain-of-custody and security issues. A lab might be imaging the PCs of chief executive or chief financial officers at large corporations. These people are custodians of sensitive information – the company’s ‘crown jewels’ of trade secrets and intellectual property, and/or customers’ private data.


The full article appears in Issue 3 of Digital Forensics Magazine, published 1st May 2010.
