7 Common Misconceptions About Digital Forensics

There’s something quite cathartic about dispelling myths and misconceptions – especially when it gives you the opportunity to genuinely educate others about your expertise in the process.

We often speak to legal and business professionals who admittedly don’t have a clear view or understanding about what digital forensics can achieve.

When faced with a need to investigate an individual or situation to gain a clearer view of a significant event, clients aren’t always aware of the depth of intelligence that can be garnered from digital evidence and how this information can be gathered.

As digital forensic practitioners, it is our job to assess the situation from the outset. During the initial stages of our engagement in an investigation, we have a duty to ascertain what we believe can be achieved and report back to legal teams about our proposed strategy.

During this period of consultation, common questions arise again and again, which is the precise reason why we have put this feature together in an attempt to educate and articulate some basic facts about digital forensics – hopefully dispelling any myths in the process.

1. It takes a long time

This isn’t wholly true. IT Group operates to a number of SLAs – ranging from 24 hours to 7 days from the date we receive the device(s). However, no two cases are the same and turnaround times are dependent on what it is the client is seeking to achieve.

Often, the output of our preliminary findings serves to inform further direct avenues of investigation. 

2. It is only used in high profile cases

The media has built a somewhat false perception of digital forensics. Many believe that digital forensics is only applied in high-profile and complex cases of significant interest, which is most certainly not the case. Nor does it carry the cost that one might infer from its media-worthy glamour.

We deal with cases ranging in size: from a single mobile phone through to large organisations with over 300 employees.

3. You won’t be able to recover exactly what I want

One of the biggest misconceptions is that once something is deleted, it’s unrecoverable.

There are very few artefacts from a device that cannot be recovered. Over time, deleted data becomes compressed within the storage on a device; however, it is still possible to recover items that were previously deleted. IT Group has a suite of forensic toolkits for recovering artefacts that were once deleted, whatever the device type or media they were deleted from. These recovered files often provide the ‘smoking gun’ in an investigation.

4. The findings won’t be accurate enough

As part of standard practice, we keep a contemporaneous record of every action we take during an investigation, ensuring any knowledgeable party can replicate our investigation should the accuracy of our findings be challenged.

5. It’s only a process for the courts

We deal with many enquiries from both individuals and companies, the majority of whom do not need a court-compliant report. We can write the findings of our investigation into an initial findings report, as easily as we can a Civil Procedure Rules Part 35 and Criminal Procedure Rules Part 19 compliant report.

6. “Surely my in-house IT team can do this”

We have encountered situations where management or stakeholders have enlisted their internal IT technicians to search for evidence. Put simply – this should not be done.

Asking your IT team, or even endeavouring to do it yourself, will undoubtedly muddy the evidential trail on the device.

7. It will damage my device

Devices themselves are not investigated. The device is only needed in the first instance to perform a device acquisition. This involves using forensically sound acquisition tools (effectively conducting read-only access) to make an exact copy of the device (referred to in the industry as an ‘image’).

The contents of the device are not modified in any way during this process and when the device is returned to the user nothing on the device will have changed. Once we have completed acquiring the forensic image, we no longer need the device and it can be returned.
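
The following Python example, added here and not taken from the original article or from IT Group's tooling, shows one way an ‘exact copy’ and an unchanged source can be demonstrated: the source is opened read-only, copied to an image, and digests of the source and the image are compared, with timestamped notes kept for each action. The use of SHA-256, the function names and the constructed file standing in for a device are assumptions.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read the source in 1 MiB blocks


def sha256_of(path):
    """Hash a file or raw device node, opened strictly read-only."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire(source, image):
    """Copy source to image and return a record showing both are identical."""
    notes = []  # contemporaneous notes: (UTC timestamp, action)

    def log(action):
        notes.append((datetime.now(timezone.utc).isoformat(), action))

    log(f"opened {source} read-only")
    copied = hashlib.sha256()
    with open(source, "rb") as src, open(image, "xb") as dst:  # "x": never overwrite
        for block in iter(lambda: src.read(CHUNK), b""):
            copied.update(block)
            dst.write(block)
    log(f"wrote image {image}")
    record = {
        "source_during_copy": copied.hexdigest(),
        "image": sha256_of(image),              # what actually landed on disk
        "source_after_copy": sha256_of(source),  # proves the source did not change
    }
    log("re-hashed image and source")
    record["verified"] = len(set(record.values())) == 1
    record["notes"] = notes
    return record


def demo():
    """Run the acquisition against a constructed stand-in for a device."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "device.bin")  # hypothetical device stand-in
        with open(source, "wb") as fh:
            fh.write(os.urandom(3 * CHUNK + 17))  # constructed sample data
        return acquire(source, os.path.join(tmp, "device.img"))
```

If any of the three digests differs, `verified` is false and the image should not be relied on for analysis.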

Our investigation is conducted on the data taken from the forensic image of the device. We use a number of internal forensic tools to analyse the data in our dedicated forensic lab in Preston.