Thanks to many TV shows, such as CSI, NCIS, Criminal Minds, etc, people have a common misconception about digital forensics. I’ve been approached by a number of people asking why I can’t do the work that is done on TV…”if Abby can do it, why can’t you?” Here’s why:
Most of the times you might see Abby on NCIS start processing the evidence from the original. This is a huge no-no. When processing cases, you always want to work from a backup copy. Usually analyst will image a drive, sector-by-sector, to a backup storage device and process the case from the backup. This is extremely important for many reasons. The most important thing is so you don’t tamper the original evidence. If you’re processing a case, and by chance something happens and your hardware-write blocker fails, you don’t want to have to testify in court that you botched the original evidence…that being the case, all the evidence that you processed during that case will be thrown out and chances are you will be discredited.
Time to process a case
One thing that is commonly porttrayed in these hit TV shows is the amount of time to process and find information. For the sake of time, the shows preceive that this work can all be done in a matter of minutes or hours. The truth of the matter is that cases in digital forensics can take days, weeks or months. The ever growing storage potential of hard drives means that there is a growing timeline for processing cases. To initialize a terabyte of storage in any forensic software could take upwards of 72 hours. Granted this time can vary depending on the software suite and the speed of the computer. But keep in mind, initializing a case is just the computers way of indexing every bit and every byte to make sense to our eyes. After initialization is completed, the analyst still has numerous things to do before it’s finished. Here’s a quick outline of the processes that digital forensics analyst might take for a case:
- Gather evidence
- Record information on all pieces of evidence
- Prepare forensics workstation
- Image evidence to another storage device
- Initialize case in forensic software
- Mine through data for information
- Write a report on procedure and findings
Granted this is a simple, vague list of things they may do, but it’s a standard operating procedure for processing a case. All of this takes time….a lot of time.
Some of these shows actually have computers and hard drives that have been burnt to a crisp, yet they’re still able to extract data from them. This is every digital forensics analyst’ wet dream, but it’s just not probable. Hard drive read and write data from platters. These platters are extremely fragile. The smallest, minuet piece of dust can destroy a set of platters. The concept of extracting said platters from a burnt hard drive and then reading the data is extremely difficult and rare. Here’s my thought process on this….If a computer is in a fire or a building that exploded, chances are the computer and components reached extreme amount of heat. If the jostling of the head on the hard drive didn’t explode or destroy data, the heat of the fire would surely warp the platters. Don’t get me wrong, if you were able to grab the computer or hard drive before it was exposed to such temperatures, you’d have a much better chance of extracting data…..9 out 10 times, it’s not feasible, but it makes for great TV!
Pictures and videos
This is probably the biggest issue with these shows. I’ll give you an example: the detectives find surveillance video with their suspect. The video detective/digital forensics analyst pops in the video to his software and can instantly enlarge a screen shot from the video. He takes it a step further and rectifies the image to get a clearer picture and is able to define features. It doesn’t happen like that in real-life. Software can do some of this, but it’s not as clear cut and simple as they show you. First things first, you can’t blow up these screenshots and videos with perfect clarity. Anything that is digitized is converted into pixels; when you enlarge a picture or video with a set amount of pixels, those pixels become more visible when you enlarge. As a result the image becomes blocky, or pixelated. Some of the best software on the market can help feather out the blockyness, however it’s nothing like on these shows. If only it were that easy!