The first thing I’d like to cover in this chapter is an understanding of digital forensics and its proper practices and procedures. At some point, you may have come across several books, blogs, and even videos demonstrating various aspects of digital forensics and different tools used. It is of great importance to understand that forensics itself is a science, involving very well documented best practices and methods in an effort to reveal whether something exists or does not.

Digital forensics involves the preservation, acquisition, documentation, analysis, and interpretation of evidence from various storage media types found. It is not only limited to laptops, desktops, tablets, and mobile devices, but also extends to data in transit which is transmitted across public or private networks.

In most cases, digital forensics involves the discovery and/or recovery of data using various methods and tools available to the investigator. Digital forensics investigations include, but are not limited to:

• Data recovery: Investigating and recovering data that may have been deleted, changed to different file extensions, and even hidden.
• Identity theft: Many fraudulent activities ranging from stolen credit card usage to fake social media profiles usually involve some sort of identity theft.
• Malware and ransomware investigations: To date, ransomware spread by Trojans and worms across networks and the internet are some of the biggest threats to companies, military organizations, and individuals. Malware can also be spread to and by mobile devices and smart devices.
• Network and internet investigations: Investigating DoS (known as Denial-of-Service) and DDoS (known as Distributed DoS) attacks and tracking down accessed devices including printers and files.
• Email investigations: Investigating the source and IP origins, attached content, and geo-location information can all be investigated.
• Corporate espionage: Many companies are moving away from print copies and toward cloud and traditional disk media. As such, a digital footprint is always left behind; should sensitive information be accessed or transmitted?
• Child pornography investigations: Sadly, the reality is that children are widely exploited on the internet and within the Deep Web. With the use of technology and highly-skilled forensic analysts, investigations can be carried out in bringing down exploitation rings by analyzing internet traffic, browser history, payment transactions, email records, and images.

Keeping in mind that forensics is a science, digital forensics requires that one follow appropriate best practices and procedures in an effort to produce the same results time and time again providing proof of evidence, preservation, and integrity which can be replicated ;if called upon to do so.

Although many people may not be performing digital forensics to be used as evidence in a court of law, it is best to practice in such a way as can be accepted and presented in a court of law. The main purpose of adhering to best-practices set by organizations specializing in digital forensics and incident response is to maintain the integrity of the evidence for the duration of the investigation. In the event that the investigator's work must be scrutinized and critiqued by another or an opposing party, the results found by the investigator must be able to be recreated, thereby proving the integrity of the investigation. The purpose of this is to ensure that your methods can be repeated and, if dissected or scrutinized, produce the same results time and again. The methodology used, including the procedures and findings of your investigation, should always allow for the maintenance of the data’s integrity, regardless of what tools are used.

The best practices demonstrated in this book, ensure that the original evidence is not tampered with, or in cases of investigating devices and data in a live or production environment, show well-documented proof that necessary steps were taken during the investigation to avoid unnecessary tampering of the evidence, thereby preserving the integrity of the evidence. For those completely new to investigations, I recommend familiarizing yourself with some of the various practices and methodologies available and widely practiced by the professional community.

As such, there exist several guidelines and methodologies that one should adopt, or at least follow, to ensure that examinations and investigations are forensically sound.

The 2 best-practices documents mentioned in this chapter are:

• the ACPO's Good Practice Guide for Digital Evidence
• the SWGDE's Best Practices for Computer Forensics.

Although written in 2012, the Association of Chief Police Officers, known as the ACPO, and now functioning as the National Police Chiefs' Council, or NPCO, put forth a document in a PDF file called The ACPO Good Practice Guide for Digital Evidence in best practices when carrying out digital forensics investigations, particularly focusing on evidence acquisition. The ACPO Good Practice Guide for Digital Evidence was then adopted and adhered to by Law Enforcement agencies in England, Wales, and Northern Ireland and can be downloaded in its entirety at https://www.7safe.com/docs/default-source/default-document-library/acpo_guidelines_computer_evidence_v4_web.pdf.

Another useful and more recent document, produced in September 2014, on best practices in digital forensics was issued by the Scientific Working Group on Digital Evidence (SWGDE). The SWGDE was founded in 1998 by the Federal Crime Laboratory Directors Group with major members and contributors including the FBI, DEA, NASA, and the Department of Defense Computer Forensics Laboratory. Though this document details procedures and practices within a formal computer forensics laboratory setting, the practices can still be applied to non-laboratory investigations by those not currently in or with access to such an environment.

The SWGDE Best Practices for Computer Forensics sheds light on many of the topics covered in the following chapters, including:

• Evidence collection and acquisition
• Investigating devices that are powered on and powered off
• Evidence handling
• Analysis and reporting

 Although forensic science itself (including the first recorded fingerprints) has been around for over 100 years, digital forensics is a much younger field as it relates to the digital world, which mainly gained popularity after the introduction of personal computers in the 1980s.

For comparative purposes in trying to grasp the concept of digital forensics as still being relatively new, consider that the first actual forensic sciences lab was developed by the FBI in 1932.

Some of the first tools used in digital forensic investigations were developed in FBI labs circa 1984, with forensic investigations being spearheaded by the FBI’s specialized CART (Computer Analysis and Response Team) which was responsible for aiding in digital investigations.

Digital forensics as its own field grew substantially in the 1990s, with the collaboration of several law enforcement agencies and heads of divisions working together and even meeting regularly to bring their expertise to the table.

One of the earliest formal conferences was hosted by the FBI in 1993. The main focus of the event, called the International Law Enforcement Conference on Computer Evidence, was to address the need for formal standards and procedures with digital forensics and evidence acquisition.

Many of these conferences resulted in the formation of bodies that deal with digital forensics standards and best practices. For example, the SWGDE was formed by the Federal Crime Laboratory Directors in 1998. The SWGDE was responsible for producing the widely adopted best practices for computer evidence (discussed later in this chapter). The SWGDE also collaborated with other organizations, such as the very popular American Society of Crime Laboratory Directors (ASCLDs), which was formed in 1973 and has since been instrumental in the ongoing development of best practices, procedures, and training as it relates to forensic science.

It wasn’t until the early 2000s, however, that a formal Regional Computer Forensic Laboratory (RCFL) was established by the FBI. In 2002, the National Program Office (NPO) was established and acts as a central body, essentially coordinating and supporting efforts between RCFL’s law enforcement.

Since then, we've seen several agencies, such as the FBI, CIA, NSA, and GCHQ, each with their own full cyber crime divisions, full digital forensics labs, dedicated onsite and field agents, collaborating assiduously in an effort to take on tasks that may be nothing short of Sisyphean, when considering the rapid growth of technology and easier access to the internet and even the Dark Web.

With the advancement of technology, the tools for digital forensics must be regularly updated, not only in the fight against cyber crime, but in the ability to provide accountability and for the retrieval of lost data. We've come a long way since the days of floppy disks, magnetic drives, and dial-up internet access, and are now presented with  SD cards, solid-state drives, and fiber-optic internet connections at Gigabit speeds.