Digital forensics studies laws and develops technologies for fighting computer crimes. Digital forensic investigations can be classified from various perspectives. Based on whether the target is a standalone computer or a computer network, we have computer forensics and network forensics respectively. Based on whether the target is software or hardware, we have software forensics and hardware forensics. Investigations of different applications require domain-specific knowledge, and so we also have application-specific forensics, such as database forensics, email forensics, and web forensics. While conducting digital forensic investigations, investigators have to follow constitutional and statutory laws and due process to ensure that the retrieved evidence will be accepted in court. The timing of an investigation also plays an important role in determining what laws and policies an investigator should follow. We can therefore classify digital forensic investigations into three categories based on the time at which law enforcement officers conduct them. Proactive investigation is carried out before a cybercrime incident takes place; real-time investigation is carried out while a cybercrime incident is taking place; retroactive investigation is carried out after the cybercrime incident has taken place.

Current practice and research often focus on a particular topic in each category of digital forensics, but the categories can also be cross-studied. Let's have a look at these particular topics for each category. For computer forensics (cell phones included), the topics include imaging storage media, recovering deleted files, data carving, and memory acquisition and analysis. For network forensics, the topics include scanning P2P networks for illegal content and forensic localization of suspects conducting crimes over wireless networks. Current practice of software forensics is focused on authorship analysis, i.e., on measuring software source code for legal or official purposes. The underlying assumption is that programmers tend to have distinct coding styles. Hardware forensics concerns retrieval of evidence from hardware, and the topics include identification of recording and printing devices from photographs, videos and audio. There are various topics in database forensics, email forensics and web forensics.

Relevant laws can be discussed in terms of proactive investigation, real-time investigation, and retroactive investigation. Proactive investigation is related to the Fourth Amendment. Law enforcement officers need to respect people's legally protected privacy during the investigation. Otherwise, they may need subpoenas or court orders. Real-time investigation is related to either statutory laws or constitutional laws. Title III and the Pen Register Act apply in most cases here. Normally, law enforcement officers need court orders or search warrants to conduct a real-time investigation. Retroactive investigation is related to either statutory laws or constitutional laws, and the Stored Communications Act applies in most cases here. In reality, law enforcement officers need subpoenas, court orders, search warrants, or all of them to conduct a retroactive investigation.

At this time, the research of this center focuses on network forensics and laws. Visit Favorite Links for references to related work in digital forensics.