A Digital Forensics Lab by Any Other Name

Christa Miller explores the notion that digital forensics laboratories may once have been specialized, but increasing case complexity demands broader capabilities across disciplines

The fundamental mission of a digital forensics laboratory – the legally defensible collection, preservation, and analysis of evidence – may be the same, but budget, staffing and governance drive how different labs accomplish this task.

A digital forensics laboratory might handle one or more of the following functions:

• Computer Forensics
• Video Forensics
• Forensic Audio
• Image Analysis
• Mobile Device Forensics
• Incident Response
• e-Discovery/Litigation Support
• Data Recovery

Law enforcement and non-law enforcement labs often handle these areas differently. Law enforcement labs focus on collecting digital evidence that supports criminal allegations. If they find exculpatory information, the examiner reports it as well, but it is not necessarily the examination’s focus (as it is for examiners working criminal defense cases). Law enforcement examiners look for evidence in data areas under the user’s control, as well as in unallocated space not under the user’s control.

Civil examiners focus on litigation support, which is not something law enforcement examiners are generally concerned with. Litigation requires most of the recovered information to come from user-controlled areas of the storage media. This can be accomplished through a variety of methods, all of which are regarded as sound computer forensic practices.

Thus the actions of both law enforcement and non-law enforcement laboratories can be similar in tools and methodology, but these actions can occur differently for reasons related to their ultimate purpose and use by the court. Because tools and methodology are similar, however, both types of labs face similar challenges. First, the proliferation of smaller-sized, yet larger-capacity media means that forensic examiners increasingly find themselves handling complex cases that overlap each of the eight sub-disciplines. Additionally, large data sets continue to be a problem. As the volume of digital evidence grows, so does the requirement for sufficient space to archive the cases until they are adjudicated. Finally, each function a laboratory handles requires a different skill set, as well as the toolkits to accomplish the job.

How Labs Support Forensics Professionals

Skill sets were noted in a February podcast at Bank Information Security, during which Rob Lee, a director at MANDIANT, told interviewer Tom Field: “The cases that we’re now experiencing require forensic professionals to be able to be comfortable with doing forensics across multiple machines, across different environments and give different case types all the way up to where you could be investigating advanced hackers that are moving within your organization.”

Indeed, within corporate environments, digital forensic examiners tend to be generalists rather than specialists: they deal with both inside and outside threats, with regulatory issues, with civil lawsuits. Even though the forensic work across disciplines may be the same, some differences exist. Incident response, for instance, might be called “data mapping” when applied to regulatory matters.

Specific areas of focus can also differ. An examiner who deals mainly with outside threats may focus on servers, routers, switches and firewalls, while an examiner dealing with inside threats is more likely to focus on authorized user access. Ultimately, however, each examiner’s job is still to find the source of information. To that end, the generalist does not have to know how to configure switches or routers, but knowing what those pieces of equipment do is helpful. Likewise, it is not necessary to be a programmer to follow source code, but understanding programming can be very beneficial. Thus the forensic lab, whatever its mission, must be able to support this variety of examiners and their examinations in a way that protects the integrity of both stored and collected data. Even if a case never sees the light of a courtroom, data collection, preservation and analysis must adhere to standards almost as strict as those for a criminal case.

Gathering digital evidence for civil cases doesn’t follow standards as stringent as those for criminal cases, but there are still chain of custody and security issues. A lab might be imaging the PCs of chief executive or chief financial officers at large corporations. These people are custodians of sensitive information – the company’s ‘crown jewels’ of trade secrets and intellectual property, and/or customers’ private data.


The full article appears in Issue 3 of Digital Forensics Magazine, published 1st May 2010.
