Why Does Digital Forensics Matter To Me?

Your data is not private!

In the privacy of our studies, offices, libraries, or wherever it is we have our computers, it may seem that we are alone, with no one looking over our shoulders. But every document we draft, every step through the Internet we take, is creating tracks through the digital environment in our computers. This fact has a number of implications, both useful and detrimental.

What happens when drafting a document?

Suppose we are drafting a Microsoft Word document. It would appear that we are simply typing a single document that we can then save (or not), or delete at will. But several things are going on behind the scenes. As soon as a document is started, even before giving it a name, an invisible document is mirroring what is being typed on the screen. This happens every time the document is opened after it is saved. When printing the document, another invisible file containing all or part the document is created as a buffer for the printer’s use. All the while, data from the document is being written into the computer’s virtual memory file, a kind of scratch pad the computer uses in order to speed things up. So the very act of writing a document and printing it puts all or part of the document in at least four different places.

What happens when a document is deleted?

When a document is deleted, one letter of the name of the document is changed so that the operating system ignores its presence (it essentially becomes invisible to the user) and allows it to be overwritten. Otherwise, not much really happens to the document right away. Over time, it may get overwritten – or it may not.

What happens when visiting a website?

The browser (Internet Explorer, Firefox, Safari) makes a record of the address of the website and the specific page that includes the date and time, it keeps a record of any “cookie” – data that the website gives the browser – this is called “Internet History”. The browser also downloads the little images (“thumbnails”) that are on the given web page. All of this information sits on the user’s computer, and the Internet history gets renewed regularly. Every week or so, the browser makes a whole new copy of the history file, deleting the old one. Of course, like with any other document, the deleted history file doesn’t go away – its name is changed and part or all of it may become overwritten in time.

Digital Forensics

A computer forensic expert, using various software tools can look underneath the images in Windows that a user sees. Using a range of computer forensics suites and data recovery tools, the “digital detective” can recover deleted files, and find thousands of otherwise lost snippets of Internet history, missing emails, and apparently erased images. These processes make up a big part of the science and art of digital forensics.

Good news / Bad News

Depending on your perspective, the ability to recover information that one might have thought gone – or never stored – can be helpful or hurtful. On the good news side, such information can help a defendant to prove his or her innocence, or fuel a counter-claim. Conversely, digital discovery can reveal wrongdoings thought hidden or lost.

For the individual, computer forensics can provide the gift of finding data thought long lost. For law enforcement, it can provide the digital evidence needed to prove cases in a wide variety of offenses, from threats to fraud to embezzlement to child or elder exploitation. For business, e-discovery can provide a remedy for stolen secrets or customers. For a defendant, skilful electronic discovery can help to disprove an opponent’s claims saving money, reputation, or even jail time. For lawyers, a whole other avenue of document discovery is opened up.

Digital forensics can be a boon or a bane, but the field is advancing quickly, gaining wider use, and is here to stay.

Subscribe to our free and informative weekly forensics newsletter!