

1. What is Digital Forensics?

Digital forensics is a branch of forensic science concerned with the use of digital information as a source of evidence in investigations and legal proceedings. The Digital Forensic Research Workshop (DFRWS) defines it as “The use of scientifically derived and proven methods toward the preservation, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.”

2. What is digital evidence?

“Digital evidence is information of probative value that is stored or transmitted in a binary form” (SWGDE). It covers all digital devices and storage media that hold binary information about what has been done with them. It can be a computer, a camera, a cell phone or a smart phone, a CD-R, a DVD, a flash drive, a removable disk, a magnetic tape, etc.

3. Who, when and why do I need digital forensics?

Simply stated, by anyone and at any time… Digital forensics is needed by anyone who thinks a crime or a wrong has been done. This can be a person, a company, or an advocate who is defending or protecting themselves or their customers, or someone who is trying to prove or disprove that a crime was committed.
It is an inevitable fact that technology has entered every part of our existence and become a part of our lives, and it is already an integral part of almost every case, from simple disputes to complicated litigation. Technological devices, mainly computers, have become the focal means of today’s crimes. It is estimated that over 90% of all crimes and infractions committed today contain digital evidence in some way or another. Today, it is almost impossible to think of a life without technological devices. If technology is here for us to ease our lives, it is also here for criminal minds to abuse. So, it is appropriate to say that every human being MAY or MAY NOT need digital forensics some day. It is best to know that DIFOSE will be at your disposal when you need it.

4. What type of devices can you examine?

Anything that holds binary information including computers, networks, cell phones, smart phones, PDAs, tablets, CD-Rs, DVDs, flash drives, removable disks, magnetic tapes, etc.

5. How does the process of digital forensics work?

Forensics starts with Locard’s exchange principle: “Every contact leaves a trace.” Dr. Edmond Locard was a pioneer in forensic science, and he formulated this basic principle of the field. Every trace left at the crime scene serves as a silent witness of what happened there, and forensics deals with those silent witnesses. It concerns the application of a methodical investigation technique in order to reconstruct a sequence of events. Digital forensics is likewise performed with the aim of figuring out what happened, when it happened, how it happened, and who was involved.
The first thing a certified digital forensics expert does is clearly understand the purpose and objective of the investigation. The expert then continues with the preservation, validation, identification, analysis, interpretation, documentation and presentation of digital evidence in several careful and scientific steps. The main aim of these steps is admissibility in the court of law. If those steps are not carried out with established and accepted scientific methods, the evidence and all the hard work will be futile in the end. On the assumption that every case may end up in the court of law, during forensic examinations our experts work carefully on legally acceptable images (copies, duplicates) of the original media in order to prevent any alteration, damage, virus introduction, or corruption of the original data. They carefully examine, analyze, and report their work.

6. How do you ensure the originality of the evidence?

When working on images, we must be able to say that the image is certainly an exact duplicate of the original media. In digital forensics, we use a mathematical algorithm that produces a hash value to demonstrate this. A hash value can be regarded as a digital fingerprint. Every piece of information, every zero and every one, simply every bit on a drive, goes into the calculation of the hash value. If you change even a single bit, or let’s say even a single letter, anywhere on the drive, the value will be totally different from the one calculated before. By calculating the hash value before, during, and after the analysis, we can say with confidence that the information in the image file is identical to the original data. It is almost impossible to calculate the same hash value from two different images. We can simply say that the odds of two different images having the same hash value are like those of finding two people with identical fingerprints or DNA. In conclusion, the hash value is a very reliable method for evidence verification, and it is a must for admissibility in the court of law.

7. What should I do if I think I need a digital forensic expert?

The first thing you need to do is to call us. If you have devices such as computers, cell phones, smart phones, PDAs, tablets, CD-Rs, DVDs, flash drives, removable disks, or magnetic tapes, stop using them right away, turn them off, and do not turn them on until DIFOSE experts arrive at the crime scene. Just leaving an electronic device on while it has an operating system running may change the existing data.
If you happen to have IT staff in your organization, do not use them for forensic examination or incident response. Incident response must be performed in a forensically sound manner, with a proper chain of custody and with special software and hardware. Otherwise, data will be missed or changed by mistake. As a result, your whole evidence will end up being nothing more than garbage in the court of law.

8. What makes the incident response process forensically sound?

In order for electronically stored information to be accepted by the court of law, it must be collected in a forensically sound manner. Simply stated, the phrase “forensically sound collection” often refers to a bit-by-bit copy of the storage media at hand. A bit-by-bit copy of electronically stored information does not by itself ensure forensically sound collection of evidence, though. Files that have been collected must be exact copies of what was on the source, including the associated metadata. In addition, some way of ensuring that the evidence is not altered during and after collection is needed. This is provided by taking a fingerprint of the evidence in the form of a hash value, which can be used later to verify that the evidence is still exactly as it was at the time of collection.
In short, forensically sound can be explained by this simple definition: procedures used for acquiring electronic information in a manner that ensures it is "as originally discovered" and is reliable enough to be admitted into evidence in the court of law.
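The hash checks described in questions 6 and 8, as an added example that is not DIFOSE's own tooling: it hashes the source and its image at collection, stores the values in an acquisition record, and re-verifies later, including after a single bit of the image is changed. The file names, the choice of SHA-256 and SHA-1, the record layout and the sample data are assumptions constructed for the illustration.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large images never sit in memory

def hash_file(path, algorithms=("sha256", "sha1")):
    """Return {algorithm: hex digest} for the file, read once in chunks."""
    digests = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for d in digests.values():
                d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}

def record_acquisition(source, image):
    """Hash source and image at collection time; refuse a mismatching copy."""
    src, img = hash_file(source), hash_file(image)
    if src != img:
        raise ValueError("image is not an exact duplicate of the source")
    return {"image": os.path.basename(image), "size": os.path.getsize(image),
            "acquired_utc": datetime.now(timezone.utc).isoformat(), "hashes": img}

def verify_image(image, record):
    """Re-hash the image later and compare against the acquisition record."""
    current = hash_file(image, tuple(record["hashes"]))
    return os.path.getsize(image) == record["size"] and current == record["hashes"]

def demo():
    """Constructed sample: a ~3 MiB 'drive', its copy, then one flipped bit."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "source.dd")   # hypothetical file names
        image = os.path.join(tmp, "image.dd")
        data = bytes(range(256)) * (12 * 1024) + b"tail"
        for path in (source, image):
            with open(path, "wb") as fh:
                fh.write(data)
        record = record_acquisition(source, image)
        before = verify_image(image, record)
        with open(image, "r+b") as fh:            # flip one bit mid-image
            fh.seek(len(data) // 2)
            byte = fh.read(1)[0]
            fh.seek(-1, os.SEEK_CUR)
            fh.write(bytes([byte ^ 0x01]))
        after = verify_image(image, record)
        return before, after, json.dumps(record, indent=2)

if __name__ == "__main__":
    ok_before, ok_after, manifest = demo()
    print(manifest)
    print("verified before change:", ok_before, "| after one-bit change:", ok_after)
```

The image size stays the same after the bit flip, so only the hash comparison reveals the change.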

9. What if all data in our electronic devices are deleted?

It is really difficult to totally delete data on a computer, a tablet, or a smart phone. Everything one does on them leaves a trace. When data is deleted on those devices, in most cases only the pointer to that data is deleted. The device keeps the data until it is overwritten by new data. You may not see it, but be sure it is still there. For that reason, deleted data can be recovered most of the time.

10. What if the media that stores the data is damaged? Is it still possible to recover data?

Yes and no. It depends on the severity of the damage. Although each case is unique, there is always a chance of recovering data. As DIFOSE experts, we make a detailed assessment to determine the appropriate steps for data recovery.

11. I am not a big target, why should I worry about security?

Are you sure? Are you sure that you don’t have any private data you want to keep only for yourself?

Difose Bilişim Bilgisayar Eğitim Danışmanlık İthalat İhracat Ticaret Ltd. Şti.
Ümit Mah. 2481. Sok. No:6 Ümitköy
06810 Çankaya-Ankara
Tel : +90 312 219 56 16 (pbx)
Fax : +90 312 219 46 05
Gsm : +90 532 786 43 99
E-mail : info@difose.com
Web Site : www.difose.com
Blog : www.difose.com/blog