In the last 15 years, significant challenges have arisen in the field formerly known as "computer forensics." Among these challenges are the dramatic increase in the volume of digital evidence, the rise in use of effective encryption, the creation of new technologies that cause digital evidence to become increasingly evanescent (e.g., ephemeral), and an increased expectation amongst jurists that prosecutors not only prove that evidence was on the defendant's computer, but attribute the evidence to the defendant. This article discusses some of these challenges and identifies techniques that prosecutors, agents, and analysts can consider to effectively respond to these challenges.

Introduction
The Cybercrime Lab is a group of highly trained digital investigative analysts located in the Computer Crime and Intellectual Property Section of the Criminal Division in Washington, DC. The Cybercrime Lab provides support to prosecutors through advanced digital investigative analysis, technical and investigative consultations, and research and training to support Department of Justice initiatives. Digital Investigative Analysis (DIA) is the evolution of what was previously referred to as "computer forensics." It is important for prosecutors to appreciate the three aspects of the profession that caused this evolution:

Digital. Digital Investigative Analysts (analysists) no longer limit their analysis to standard computer systems. Today, analysts examine everything "digital," including desktop computers, laptops, mobile devices (cell phones and tablets), GPS navigation devices, vehicle computer systems, Internet of Things (IoT) devices, and much more. We are still in the infancy of the digital age, but developers of many products-from shoes and sports bras to lightbulbs and doorbells-are already incorporating technology into their products to collect, store, and transmit information about the user that they can analyze and hopefully monetize.

Investigative. While technology progresses at lightning speed, the legal system and those who uphold our laws are just beginning to appreciate the need for analysts to conduct deeper "investigative" analysis on digital devices to obtain a better understanding of issues being investigated. Each year we are generating or replicating eight zettabytes of information. That is equivalent to a stack of paper 1.6 trillion miles high. To manage the high volume of data that needs to be analyzed, some organizations have employed a raw data extraction process to digital evidence. This non-analytical approach blindly identifies types of files (e.g. pictures, documents, spreadsheets, etc.) in the storage media, without further analysis, to determine if the user opened the file or even knew the file was there. This raw data extraction process allows an organization to quickly process a large volume of data and may be an excellent first step in the simplest cases.

< read the complete article >