Digital forensics is the process of uncovering and interpreting electronic data. The goal of the process is to preserve any evidence in its most original form while performing a structured investigation by collecting, identifying and validating the digital information for the purpose of reconstructing past events.
Most often the data is intended for use in a court of law, though digital forensics can be used in other contexts.
The evidentiary nature of digital forensic science requires rigorous standards that stand up to cross-examination in court. As a result, organizations like the National Institute of Standards and Technology have worked to set such standards, for example by publishing the “Guide to Integrating Forensic Techniques into Incident Response”.
Despite this, there are several challenges facing digital forensic investigators:
- How does one duplicate or preserve evidence without knowing whether the act of duplication itself changed the data?
- Timelines are critical for showing who did what, and when. But timestamps in digital data are notoriously absent or easily spoofed.
- In order to be able to state conclusively that Action A caused Result B, the concept of repeatability must be introduced. This is very difficult with digital forensics.