The Digital Forensics expert is one of the most promising professions today. Whoever chooses this function has the mission of taking care of the evidence, preserving it, keeping it, and registering it to lead the authorities to the truth. Just as for a DNA or papilloscopic examination, for a digital examination, there are also rites and procedures that help the specialist to acquire data and evidence in a cybernetic investigation.
"An expert in information technology is a professional who has a good experience and undergoes constant training to keep up to date on the techniques employed, to restore data that is in digital form, always observing legal requirements and best practices", he explains Marcelo Caiado, professor of postgraduate Cyber Threat Intelligence at Instituto Daryus de Ensino Superior Paulista (IDESP).
ISO / IEC 27037 (Information Technology - Security Techniques - Guidelines for identification, collection, acquisition and preservation of digital evidence) is the standard that guides best practices both in the field and in the laboratory. “In 2019, there was an amendment to the penal procedure code, in which it determines the role of the expert and law enforcement agents to deal with the apprehension of traces at the crime scene”, comments Dr. Emerson Wendt, police chief and professor at IDESP. "With this, only the trained professional is authorized to enter systems to investigate crimes, thus avoiding possible manipulation of information", he adds.
According to Ana Moura, digital forensics analyst and professor at IDESP's Digital Forensics graduate program, the expert must follow some steps to ensure the integrity of the evidence. "The path begins with the collection and preservation, going through the validation, identification, analysis, interpretation and presentation of the final report, having throughout the process, the presence of the documentation recording the actions carried out and their authors", he comments.
During the investigation process, the professional in digital forensics is able to recover data deleted from the devices. “Currently, there are tools that make it possible, in addition to knowing what is on the device, to know the content that the author, or supposed author, would have destroyed to frustrate the forces of the law”, explains Moura.
The success of a police investigation goes through the chain of custody, in which not respecting the rules can impact all the work of an investigation. “It is very important for professionals who work with investigations and forensics to have, as a rule, that investigation and forensic procedures should not be public, even if information can be searchable, as it is not convenient to facilitate the work of the criminal”, concludes Caiado .