The 4 stages of a digital forensic investigation

In South Africa, the digital divide is often used to refer to sections of society that lack access to the Internet. However, in the corporate world, there is another digital divide between those who understand the technology they are using and those who only know enough to complete their daily tasks. While most employees have become proficient in using devices, applications and various software platforms and digital collaboration tools, this does not always relate to knowing exactly what to do when things do not work as expected, when changes are made to their technology, or when an employee is being targeted by a cybercriminal through phishing attacks or malware.

This is one of the reasons why cybercriminals who breach networks can often go undetected – employees in networks accessing data, platforms and apps do not recognise the small signs that a breach has occurred. They also inadvertently create vulnerabilities that cybercriminals can slip through. This, coupled with the sophistication of cyberattacks, means that often a digital forensic investigation is the only way to uncover what is happening, if a breach has occurred, where vulnerabilities lie, and to help individuals and organisations understand their systems and how to use them properly.

A computer forensic investigation is a complex process that requires a great deal of knowledge, experience, expertise, and diligence. There are various specialist areas within the field, but the process is similar for all of them and involves four key steps.


1. Collecting information and observations 

The digital forensic investigator collects information and makes observations. This includes forensic data collection and examination, verifying the integrity and authenticity of the evidence, and determining the most effective approach. It may also include tasks such as restoring deleted data, decrypting protected files, and filtering out irrelevant data.

Top tip: When choosing a digital forensics expert, look for a firm who has experience in the specific area of investigation and has a track record of success. It’s also important to consider their certifications and qualifications, as well as their knowledge of relevant laws and regulations.


2. Forming a hypothesis

A hypothesis must be formed to explain key observations, based on facts rather than any preconceived notions or personal prejudices.

Top tip: A good digital forensics expert should have the ability to identify key patterns and trends in the data and develop a hypothesis that is based on facts and evidence, rather than personal bias. 


3. Evaluating the hypothesis

This stage involves testing the initial assumption and considering other plausible explanations. If experiments and observations do not support the initial premise, it gets revised, and further tests need to be performed.

Top tip: Choose a digital forensics expert who is thorough and detail-oriented, and who is willing to consider multiple explanations for the evidence. They should also be transparent about their methods and able to provide a clear and concise report on their findings.


4. Communicating the findings

The final stage is to draw conclusions and communicate the findings of the investigation. This involves tailoring the information to the intended audience via appropriate use of language, visualisations, charts, and other means.

Top tip: Look for someone who is responsive to questions and feedback, and who is willing to work with the client to develop a plan of action based on the results of the investigation. As digital forensics are often used in legal cases, it is important to select a partner who has legal experience and can provide evidence to insurance companies that all vulnerabilities have been addressed if a breach occurs.