The main function of the Digital Forensics Unit (DFU) is the identification, preservation, collection, analysis and presentation of data from digital media. Most commonly, this data is acquired physically from hard drives within computers and laptops but the number and types of sources of digital data are continually expanding. Sources include, but are not at all limited to the following: desktop computers, laptops, notebooks, net-books, external hard drives, USB thumb drives, mobile phones, PDAs, watches, satellite navigation systems, digital cameras, video cameras, games consoles, televisions, even fridges and dishwashers have operating systems.
The DFU is capable of acquiring digital media within the lab or on site, minimising disruption and time overhead.
The size and amount of data stored on digital media has grown exponentially over the last 5-10 years with terabytes of data being commonly encountered within each investigation. The way in which the DFU has dealt with data has had to change to reflect these increases in volume.
Historically, it was possible to run numerous searches across the entire data set as there was far less data to search. As volumes have grown, it has become increasingly common to process and index the data prior to any searches being run. This approach requires dedicated powerful hardware and specifically designed software to allow accurate and timely processing and indexing of the data.
The DFU have invested heavily in such infrastructure over the last few years and are now in a position to perform such pre-analysis work on all cases. This pre-analysis means that keyword searches, the main investigative step post processing, can be carried out almost instantaneously. Following the keyword searches, files of potential relevance are made available to the investigator to establish the relevance, or otherwise, of those files.
The forensic software is capable of making this data available to the case investigator, whether they are in house or external, via a secure web site, allowing the investigator to review documents from the comfort of their desk or alternative work location. For large scale investigations, there can be a number of 'reviewers' all accessing the same case, assessing the relevance of the data made available to them.