
Python Digital Forensics - Introduction

Neha Kumawat

3 years ago

Table of Contents
  • Introduction
  • What is Digital Forensics?
  • Brief Historical Review of Digital Forensics
  • 1970s-1980s: First Computer Crime
  • 1980s-1990s: Development Decade
  • 2000s-2010s: Decade of Standardization
  • Process of Digital Forensics
  • Phase 1: Acquisition or Imaging of Exhibits
  • Phase 2: Analysis
  • Phase 3: Presentation or Reporting
  • Applications of Digital Forensics
  • Criminal Law
  • Private Investigation
  • Branches of Digital Forensics
  • Computer Forensics
  • Mobile Forensics
  • Network Forensics
  • Database Forensics
  • Skills Required for Digital Forensics Investigation
  • Outstanding Thinking Capabilities
  • Technical Skills
  • Passionate about Cyber Security
  • Communication Skills
  • Skillful in Report Making
  • Limitations
  • Need to produce convincing evidences
  • Investigating Tools
  • Lack of technical knowledge among the audience
  • Cost


          This chapter will give you an introduction to what digital forensics is all about, and its historical review. You will also understand where you can apply digital forensics in real life and its limitations.

What is Digital Forensics?

          Digital forensics may be defined as the branch of forensic science that analyzes, examines, identifies and recovers the digital evidences residing on electronic devices. It is commonly used for criminal law and private investigations.
For example, you can rely on digital forensics to extract evidence in case somebody steals some data on an electronic device.

Brief Historical Review of Digital Forensics

          The history of computer crimes and of digital forensics is reviewed in this section −

1970s-1980s: First Computer Crime

          Prior to this decade, no computer crime had been recognized. If one did occur, the then-existing laws dealt with it. Later, in 1978, the first computer crime was recognized in the Florida Computer Crime Act, which included legislation against unauthorized modification or deletion of data on a computer system. Over time, with the advancement of technology, the range of computer crimes being committed also increased. To deal with crimes related to copyright, privacy and child pornography, various other laws were passed.

1980s-1990s: Development Decade

          This decade was the development decade for digital forensics, all because of the first-ever investigation (1986), in which Cliff Stoll tracked the hacker named Markus Hess. During this period, two kinds of digital forensics disciplines developed: the first grew out of ad-hoc tools and techniques developed by practitioners who took it up as a hobby, while the second was developed by the scientific community. In 1992, the term “Computer Forensics” was used in academic literature.

2000s-2010s: Decade of Standardization

         After digital forensics had developed to a certain level, specific standards were needed that could be followed while performing investigations. Accordingly, various scientific agencies and bodies have published guidelines for digital forensics. In 2002, the Scientific Working Group on Digital Evidence (SWGDE) published a paper named “Best practices for Computer Forensics”. Another feather in the cap was a European-led international treaty, “The Convention on Cybercrime”, which was signed by 43 nations and ratified by 16 nations. Even with such standards, there is still a need to resolve some issues that have been identified by researchers.

Process of Digital Forensics

          Since the first-ever computer crime in 1978, there has been a huge increase in digital criminal activities. Because of this increase, a structured way of dealing with them is needed. In 1984, a formalized process was introduced, and since then a great number of new and improved computer forensics investigation processes have been developed.
A computer forensics investigation process involves three major phases as explained below −

Phase 1: Acquisition or Imaging of Exhibits

          The first phase of digital forensics involves saving the state of the digital system so that it can be analyzed later. It is very much similar to taking photographs, blood samples etc. from a crime scene. For example, it involves capturing an image of allocated and unallocated areas of a hard disk or RAM.
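
The acquisition step described above, as an added example that is not code from the original article: Python that copies a source byte-for-byte while computing a SHA-256 digest, then re-hashes the stored image to show that a later one-byte change is detected. The in-memory "device" and the names `acquire`, `verify`, `build_sample_device` and `demo` are constructed for illustration.

```python
import hashlib
import io

CHUNK = 4096  # read size for the example; an assumption, not a standard value


def acquire(source, image, chunk=CHUNK):
    """Copy every byte of `source` to `image`, hashing while reading.

    Returns (bytes_copied, sha256_hex) for the acquisition record.
    """
    digest = hashlib.sha256()
    copied = 0
    while True:
        block = source.read(chunk)
        if not block:
            break
        image.write(block)
        digest.update(block)
        copied += len(block)
    return copied, digest.hexdigest()


def verify(image, expected_sha256, chunk=CHUNK):
    """Re-hash a stored image and compare it with the acquisition record."""
    digest = hashlib.sha256()
    image.seek(0)
    for block in iter(lambda: image.read(chunk), b""):
        digest.update(block)
    return digest.hexdigest() == expected_sha256


def build_sample_device():
    """Constructed 3-sector 'disk': allocated data, empty sector, unallocated residue."""
    allocated = b"report.txt: quarterly figures".ljust(512, b"\x00")
    unallocated = b"deleted note: meet at 9".ljust(512, b"\x00")
    return io.BytesIO(allocated + b"\x00" * 512 + unallocated)


def demo():
    image = io.BytesIO()
    size, recorded = acquire(build_sample_device(), image)
    residue_captured = b"deleted note" in image.getvalue()  # unallocated area is in the image
    intact = verify(image, recorded)
    image.seek(1024)
    image.write(b"D")  # simulate a one-byte change to the stored image
    return size, residue_captured, intact, verify(image, recorded)


if __name__ == "__main__":
    print(demo())
```

Recording the digest at acquisition time and re-checking it before analysis is what lets the examiner show that the image analyzed is the one that was captured.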

Phase 2: Analysis

          The input of this phase is the data acquired in the acquisition phase. Here, this data is examined to identify evidence. This phase gives three kinds of evidence as follows −
  • Inculpatory evidence − This evidence supports a given history.
  • Exculpatory evidence − This evidence contradicts a given history.
  • Evidence of tampering − This evidence shows that the system was tampered with to avoid identification. It includes examining the files and directory content for recovering the deleted files.

Phase 3: Presentation or Reporting

          As the name suggests, this phase presents the conclusion and corresponding evidences from the investigation.

Applications of Digital Forensics

          Digital forensics deals with gathering, analyzing and preserving the evidences that are contained in any digital device. The use of digital forensics depends on the application. As mentioned earlier, it is used mainly in the following two applications −

Criminal Law

          In criminal law, the evidence is collected to support or oppose a hypothesis in the court. Forensics procedures are very much similar to those used in criminal investigations but with different legal requirements and limitations.

Private Investigation

          It is mainly the corporate world that uses digital forensics for private investigation. It is used when companies suspect that employees may be performing an illegal activity on their computers that is against company policy. Digital forensics provides one of the best routes for a company or person to take when investigating someone for digital misconduct.

Branches of Digital Forensics

          Digital crime is not restricted to computers alone; hackers and criminals are also using small digital devices such as tablets, smartphones etc. on a very large scale. Some of these devices have volatile memory, while others have non-volatile memory. Hence, depending upon the type of device, digital forensics has the following branches −

Computer Forensics

          This branch of digital forensics deals with computers, embedded systems and static memories such as USB drives. A wide range of information, from logs to actual files on the drive, can be investigated in computer forensics.

Mobile Forensics

          This deals with the investigation of data from mobile devices. This branch differs from computer forensics in that mobile devices have an inbuilt communication system, which is useful for providing information related to location.

Network Forensics

          This deals with the monitoring and analysis of computer network traffic, both local and WAN (wide area network), for the purposes of information gathering, evidence collection, or intrusion detection.

Database Forensics

          This branch of digital forensics deals with forensics study of databases and their metadata.

Skills Required for Digital Forensics Investigation

          Digital forensics examiners help to track hackers, recover stolen data, follow computer attacks back to their source, and aid in other types of investigations involving computers. Some of the key skills required to become a digital forensics examiner are discussed below −

Outstanding Thinking Capabilities

          A digital forensics investigator must be an outstanding thinker and should be capable of applying different tools and methodologies on a particular assignment for obtaining the output. He/she must be able to find different patterns and make correlations among them.

Technical Skills

          A digital forensics examiner must have good technological skills, because this field requires knowledge of networks and of how digital systems interact.

Passionate about Cyber Security

          Because the field of digital forensics is all about solving cyber-crimes, and this is a tedious task, it takes a lot of passion for someone to become an ace digital forensic investigator.

Communication Skills

          Good communication skills are a must to coordinate with various teams and to extract any missing data or information.

Skillful in Report Making

          After successful completion of acquisition and analysis, a digital forensic examiner must mention all the findings in the final report and presentation. Hence he/she must have good report-making skills and attention to detail.


Limitations

          Digital forensic investigation has certain limitations, as discussed here −

Need to produce convincing evidences

         One of the major setbacks of digital forensics investigation is that the examiner must comply with the standards required for evidence in a court of law, as the data can be easily tampered with. Moreover, the computer forensic investigator must have complete knowledge of legal requirements, evidence handling and documentation procedures to present convincing evidence in a court of law.

Investigating Tools

          The effectiveness of a digital investigation depends entirely on the expertise of the digital forensics examiner and the selection of a proper investigation tool. If the tool used does not conform to specified standards, the evidence can be rejected by the judge in a court of law.

Lack of technical knowledge among the audience

          Another limitation is that some individuals are not completely familiar with computer forensics; therefore, many people do not understand this field. Investigators have to be sure to communicate their findings to the courts in a way that helps everyone understand the results.


Cost

          Producing digital evidence and preserving it is very costly. Hence this process may not be chosen by many people who cannot afford the cost.