How the Police Use Digital Forensics


Most people all over the world, of all ages, use a computer every day, either at home or at work. Sadly, this rise in usage and the wide accessibility of the internet have facilitated an increase in the number of criminal activities connected to computers.


Nowadays, the police can examine computers impounded during an investigation to gain access to files and other important information that could assist their investigation of a crime.

This procedure is called a digital forensic investigation.

About Digital Forensics


  • Digital forensics, also referred to as mobile phone or computer forensics, is a science-based discipline whose goal is to assist criminal investigations by uncovering important data and files inside computers.


  • In the UK, there are private firms which are able to assist the investigation procedure. Their specialized services can help to discover criminal acts like laundering of money, vulgar pictures, hacking, and drug dealing.


  • Normal services provided by digital forensics companies also include recovery of previously erased data, e-discovery, mobile phone forensics, cell site examination and secure information destruction.


  • The digital forensic companies work closely with the police and other customers and give them information on whatever evidence they discover.
  • This plays a very important part in connecting a defendant to an offence, thereby helping the prosecution. Police use digital evidence to help them to prosecute a number of people who have abused computer technology.


  • These individuals might include hackers, conmen, terrorists or pedophiles. A few sectors in which digital forensics can assist are law enforcement, criminal defense, the corporate sector, the public sector and legal aid.


  • The process that is implemented can be tailored to the client’s needs. Some recommended procedures can be found at the Department of Justice’s web site.

Benefits of Digital Forensics to the Police


Cases of Adultery

Online chats or text messages (SMS) are normally used to organize meetings and provide secret interactions to escape suspicion from the spouse.


Fraud Cases

  • It is normally possible to find out whether a document was changed and when this happened. There is always an electronic copy available, unless a typewriter was used to produce the document.


  • Additionally, Microsoft Word, the most popular word processor and part of the Microsoft Office suite, embeds meta information in every document.


  • This meta information can provide important data like the author’s identity and the computer used to compose the document. This also applies to Microsoft Excel spreadsheets.
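
The metadata check described above, as an added example that is not part of the original article. It assumes the newer .docx/.xlsx container format, where the author and timestamps live in docProps/core.xml; the sample file, names and dates are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
FIELDS = {"author": "dc:creator", "last_modified_by": "cp:lastModifiedBy",
          "revision": "cp:revision", "created": "dcterms:created",
          "modified": "dcterms:modified"}

def core_properties(doc_bytes):
    """Read the core properties part of a .docx/.xlsx (both are ZIP files)."""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    props = {}
    for key, tag in FIELDS.items():
        node = root.find(tag, NS)
        props[key] = node.text if node is not None else None
    return props

def modified_after(props, claimed):
    """True if the recorded last-modified time is later than a claimed date."""
    ts = datetime.fromisoformat(props["modified"].replace("Z", "+00:00"))
    return ts > claimed

def sample_docx():
    """Constructed stand-in holding only the metadata part of a document."""
    xml = (
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s">'
        "<dc:creator>A. Clerk</dc:creator>"
        "<cp:lastModifiedBy>B. Manager</cp:lastModifiedBy>"
        "<cp:revision>7</cp:revision>"
        "<dcterms:created>2023-03-01T09:15:00Z</dcterms:created>"
        "<dcterms:modified>2023-06-20T22:41:00Z</dcterms:modified>"
        "</cp:coreProperties>"
    ) % (NS["cp"], NS["dc"], NS["dcterms"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", xml)
    return buf.getvalue()
```

These fields can be edited by anyone with access to the file, so an examiner treats them as a lead to corroborate against file system timestamps and other copies rather than as proof on their own.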

Following a Suspect

When a suspect is being tailed, it would be a big advantage to know, before embarking on the assignment, where the suspect visited previously. This may sound a bit far-fetched, but it is possible.

This is made more possible if the suspect traveled by car and used a GPS (Global Positioning System). Some recent enhancements in digital forensics enable the retrieval of data from GPS systems.


Cases of Harassment

In case a client is being harassed through the phone or email, a Forensic Examiner can keep records of incoming phone calls from mobile phones and produce them as evidence.

Each email sent from a particular source to a particular destination carries data embedded in the message. This data is known as the email header; the forensic examiner studies it to find the origin of the message from the IP address it came from.
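
The header analysis described above, as an added example that is not part of the original article. The message, host names and addresses are constructed (documentation address ranges), and the set of trusted servers is an assumption the examiner supplies.

```python
import email
import ipaddress
import re

# Constructed sample; newest Received header first, as mail servers write them.
RAW = """\
Received: from mx.recipient.example (mx.recipient.example [198.51.100.7])
\tby mailstore.recipient.example with ESMTP id A1; Tue, 02 Jan 2024 10:00:05 +0000
Received: from relay.isp.example (relay.isp.example [203.0.113.25])
\tby mx.recipient.example with ESMTP id B2; Tue, 02 Jan 2024 10:00:03 +0000
Received: from laptop.local (unknown [192.0.2.44])
\tby relay.isp.example with ESMTPSA id C3; Tue, 02 Jan 2024 10:00:01 +0000
From: sender@isp.example
To: victim@recipient.example
Subject: constructed sample

body
"""

IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")   # "[1.2.3.4]" peer address
BY_RE = re.compile(r"\bby\s+(\S+)")                      # server that wrote the line

def received_hops(raw):
    """Return hops oldest-first as (recording_server, peer_ip) tuples."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())              # unfold continuation lines
        by = BY_RE.search(text)
        found = IP_RE.search(text)
        ip = None
        if found:
            try:
                ip = ipaddress.ip_address(found.group(1))
            except ValueError:
                ip = None                                # malformed address text
        hops.append((by.group(1) if by else None, ip))
    return hops[::-1]

def boundary_ip(raw, trusted_servers):
    """Peer address recorded by the first trusted server that handled the mail.

    Lines written before that point came from the sending side and can be
    forged, so this is the earliest address the recipient can vouch for.
    """
    for by, ip in received_hops(raw):
        if by in trusted_servers and ip is not None:
            return ip
    return None
```

The oldest hop (192.0.2.44 in the sample) is only the claimed origin; the address returned by boundary_ip is the one to take to the sending provider for its own logs.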



For more investigation data on digital forensics, these firms have many case studies and resources which are found on their website.

People who require the services of computer forensics can communicate with a team member by filling out a contact form online. They can also call one of their skilled staff members.

Mac OS X File system details

HFS Plus is a volume format for the Mac operating system. It was first introduced with Mac OS 8.1. The structures of the older HFS and the new HFS Plus are very similar, although there are several changes and improvements. First, the old file system used 16-bit block allocations and the new file system uses 32-bit. The old file system was limited to only 31 characters per file name; we can now use up to 255 characters. Among other things, this significantly improves cross-platform compatibility.

The file name encoding has changed from the proprietary MacRoman to the universal Unicode format. The actual node size per catalog entry has increased significantly from 512 bytes to 4 KB (Kilobytes).


The fundamental goals planned and achieved with the development of the new HFS Plus file system were:

  1. Efficient use of disk space
  2. International-friendly file names
  3. Easy booting and cross-platform compatibility
  4. Future support for named forks


HFS+ divides the total space on a volume into equal chunks called allocation blocks. These allocation blocks are addressed with 32-bit block numbers. All of the volume’s structures, including the volume header, are part of one or more allocation blocks. Every volume must have a volume header. It contains the volume creation date and time, as well as the number of files stored on the volume and a pointer to the other key structures on the volume. The volume header is always located at 1024 bytes from the start of the volume. An alternate volume header also exists. It is a copy of the actual volume header and is stored in the last 1024 bytes at the end of the volume.
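
Reading the volume header from a disk image, as an added example that is not part of the original article. The field layout is the leading part of the HFS Plus volume header (big-endian); the image and its values are constructed, and the fallback to the alternate copy covers the case of a damaged primary header.

```python
import struct
from datetime import datetime, timedelta

HFS_EPOCH = datetime(1904, 1, 1)   # HFS Plus dates are seconds since this instant
HEADER_OFFSET = 1024               # primary volume header position
HEADER_FMT = ">2sHI4sI4I5I"        # leading header fields, big-endian (52 bytes)
HEADER_LEN = struct.calcsize(HEADER_FMT)

def parse_volume_header(image, offset=HEADER_OFFSET):
    raw = image[offset:offset + HEADER_LEN]
    if len(raw) < HEADER_LEN:
        raise ValueError("image too small for a volume header")
    (sig, version, _attrs, _mounted_by, _journal, created, modified,
     _backup, _checked, files, folders, block_size, total, free) = \
        struct.unpack(HEADER_FMT, raw)
    if sig not in (b"H+", b"HX"):  # HFS Plus / HFSX signatures
        raise ValueError("no HFS Plus signature at offset %d" % offset)
    return {
        "version": version,
        "created": HFS_EPOCH + timedelta(seconds=created),    # stored as local time
        "modified": HFS_EPOCH + timedelta(seconds=modified),  # stored as GMT
        "file_count": files,
        "folder_count": folders,
        "block_size": block_size,
        "total_blocks": total,
        "free_blocks": free,
    }

def read_header(image):
    """Use the primary header, or the alternate copy if the primary is damaged."""
    for name, off in (("primary", HEADER_OFFSET), ("alternate", len(image) - 1024)):
        try:
            return name, parse_volume_header(image, off)
        except ValueError:
            continue
    raise ValueError("no valid volume header found")

def sample_image(damage_primary=False):
    """Constructed 32 KiB image holding only the two header copies."""
    secs = int((datetime(2020, 1, 1) - HFS_EPOCH).total_seconds())
    hdr = struct.pack(HEADER_FMT, b"H+", 4, 0, b"10.0", 0,
                      secs, secs, 0, 0, 42, 7, 4096, 8, 3)
    img = bytearray(4096 * 8)
    img[HEADER_OFFSET:HEADER_OFFSET + HEADER_LEN] = hdr
    img[-1024:-1024 + HEADER_LEN] = hdr
    if damage_primary:
        img[HEADER_OFFSET:HEADER_OFFSET + HEADER_LEN] = bytes(HEADER_LEN)
    return bytes(img)
```

Because the creation date is recorded in local time while the other dates are in GMT, an examiner has to establish the machine's time zone before placing the volume's creation on a timeline.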


There are 5 specific metadata files in an HFS Plus volume:

  1. The Catalog file
  2. The extents overflow file
  3. The allocation file
  4. The attribute file
  5. The startup file


The catalog file:

The Catalog file contains the file and folder hierarchy on a volume.  This information is stored in a B-tree.


The attribute file:

The attribute file contains additional data for files and folders, such as access control lists. It is also stored in a B-tree format.






The extents overflow file:

An extent is a contiguous range of allocation blocks allocated to some fork. The first 8 extents are stored in the catalog file; any additional extents are stored in the extents overflow file. The extents overflow file is also stored in a B-tree format. This is somewhat similar to an NTFS file system, where some small file allocation references are stored in the MFT but references for any large files are stored in data runs.



The allocation file:

The allocation file specifies whether an allocation block is freely available or has been used. It performs the same function as the HFS volume bitmap, but since it is a file, it has more flexibility to work with. This would be equivalent to a bitmap on an NTFS file system.


The startup file:

It has been designed for non-Mac OS systems that do not have HFS or HFS Plus support. It is similar to the Boot Block of an HFS volume.



What Is Electronic Discovery (E-Discovery)

Electronic discovery is discovery in government investigations that deals with the exchange of information in electronic form; this information is normally referred to as Electronically Stored Information. The data is reviewed before it is passed to the opposing counsel.

The attorneys look at the data, identify what is relevant to the case, and place it on legal hold. From there the evidence is extracted and analyzed using digital forensic procedures, then reviewed as PDF, TIFF or native files.

E-discovery data is considered to be more reliable than, and different from, paper information because of its volume, persistence, transience and intangible form. It comes with metadata that is not found on paper documents and that can be used as vital evidence, such as the time and date a document was written, which can be used in a copyright case.

Professionals in the field of e-discovery refer to the field as litigation support. When the documents are found, they go through a process of identification, which involves review and analysis. Those who hold the information are also identified, so as to have full records of the source of the data, and data mapping may also be carried out. The identified documents are organized and arranged according to the needs of the case, leaving out what is not necessary for the case.

Once the data has been identified, the information that is relevant to the case is placed on legal hold to ensure that it is not destroyed. Once the data has been preserved, collection is carried out. This process involves transferring the data from the company to its legal counsel. The counsel determines the importance and relevance of the data. Some companies prefer to use digital forensics experts so as to prevent damage to the data.


Once the data is ready, the native files are loaded into a document review platform, where metadata and text are extracted from the files. The files can be converted to PDF or TIFF to make redaction easier.

From there the documents are reviewed for responsiveness as per the e-discovery request. There are review tools that are used and make it easy to review cases. Once the review is complete the document is ready for production. This is done by the opposing counsel as per the agreed specifications.

Data that is kept in electronic form is subject to production under common e-discovery rules. The data can be in any form, such as videos, photos and databases, as well as office documents or emails.

When the data is found, it is known as raw data until it goes through review, collection and all the other stages, and is reviewed by forensics for hidden evidence. The ‘native’ format refers to the original file format. E-discovery data can be reviewed in any preferred format: PDF, printed paper, TIFF images or any other preferred form.

Is Computer Forensics a Good Career Opportunity?


There are many opportunities when it comes to working with and learning about computers, but becoming a computer forensics professional is probably the best option, because there is a growing demand for these professionals.

Computer forensics is a new form of investigative method in which a professional puts together information that has been kept electronically or written on digital media. The media that contain this information can be flash disks, personal or work computers, or even portable media players. The data that is taken from these media can be used as evidence in a court case or can add to an ongoing investigation.

There are a number of applications of computer forensics. This means that those who train in computer forensics can have many areas to work in. Computer forensics is used by law enforcement to put together evidence and get more information about a suspect or a criminal who has already been charged.

Because of many challenges in large corporations, this method of computer forensics can be used to monitor computer activities of employees. This will ensure that rogue employees are rooted out so that they do not leak out company secrets and company plans.

Professionals in computer forensics go by different titles, including digital forensics detective, digital media analyst and computer forensics investigator. All these names refer to the same career.

This is therefore a good career opportunity, since you will be in a position to get work easily. The requirements for education in computer forensics are minimal. Many skills are acquired on the job, but online degree programs, certificate programs, formal education and others are some of the common requirements for getting a job in this field.

Experience in law enforcement and in computer security is enough of an opening for a career in computer forensics. Many of those who get opportunities in this field start off as security guards or law enforcement officers who eventually opt for a career in a less risky position. Once they have a certificate in computer forensics, they expand their professional knowledge and learn computer forensics methods and tools.

This is therefore a good career choice, since it does not require a lot and getting a job is fairly easy: the field is just starting, though there is a growing demand. The earlier one can get education in this area the better, because you will have priority over those who are just starting.

This is also a good career choice because it currently pays well, so one can live comfortably on the salary. As a computer forensics professional you are regarded as an important person in law enforcement, since you will be in charge of gathering information that is available electronically. These professionals determine which information can be crucial for ongoing investigations and for the case.

Computer forensics is therefore a good career opportunity for those who are willing or have an interest in this field. One can start with education, by going for a certificate or even a degree in this field, which is slowly becoming an important one.