Module 02 — Digital Forensics
Digital Forensics: From Collection to Report
A digital file can be copied billions of times without losing its appearance. What distinguishes it from a tampered copy is not the image you see, but the data you cannot see: hashes, metadata, signatures and custody records. This module dives deep into the technical tools that make digital evidence reliable in court.
What is digital forensics
Digital forensics is the discipline that applies the scientific method to the collection, preservation, analysis and presentation of evidence on electronic devices. The subject matter can be a seized smartphone, a corporate email, a suspicious PDF or a phishing link. What unites all these cases is the same work cycle.
The five phases of forensic examination
- Identification: determine which devices and files are relevant to the investigation. A forensic examiner who collects everything indiscriminately wastes time and creates risk of cross-contamination between cases.
- Acquisition: obtain a forensic copy of the material without altering the original. For hard drives this means a bit-by-bit copy with a write-blocker; for digital files it means computing the hash before any processing.
- Preservation: ensure that the obtained copy remains intact throughout the investigation. The hash computed at acquisition is the reference standard for any future verification.
- Analysis: examine the content using documented tools and methods. This includes metadata extraction, pixel consistency analysis, digital signature verification and record comparison.
- Report: document the method, findings and conclusions in a reproducible technical document. Any other forensic examiner, starting from the same forensic copy, must be able to repeat the examination and verify the results.
Why each phase matters
The order is not bureaucracy: it is technical protection. A file opened carelessly before acquisition will have its access metadata altered. An analysis performed without a record of method cannot be challenged in adversarial proceedings. A report that skips steps may be challenged even if the conclusion is correct.
In the digital world, the forensic examiner deals with evidence that changes on its own over time: logs that expire, platforms that automatically delete data, files that accumulate system modifications each time they are opened. Recognising this fragility is the first step in acting before the evidence is lost.
The 5 phases of a forensic examination
The order is not bureaucracy: each phase protects the validity of the next.
Identification
Defining which devices and files are relevant to the investigation.
In the digital worldCollecting everything indiscriminately risks cross-contamination.
Acquisition
Obtaining a forensic copy of the material without altering the original.
In the digital worldCompute the hash before any processing.
Preservation
Ensuring the copy stays intact throughout the entire investigation.
In the digital worldThe acquisition hash is the reference for any future verification.
Analysis
Examining the content with documented tools and methods.
In the digital worldMetadata, pixel consistency, signatures and record cross-checking.
Report
Recording method, findings and conclusions in a reproducible technical document.
In the digital worldAnother examiner, with the same copy, must reach the same result.
Cryptographic hash in depth
A hash is a mathematical function that transforms any input — a 20-character tweet or a 4 GB video — into a fixed-length sequence. Content goes in; a digital fingerprint comes out. This fingerprint is deterministic (the same input always produces the same output) and irreversible (it is not possible to reconstruct the file from the hash).
What "256 bits" means
SHA-256 produces a 256-bit output. Since each bit can be 0 or 1, the number of possible hashes is 2²⁵⁶ — a number with 77 digits:
115,792,089,237,316,195,423,570,985,008,687,907,853,269,984,665,640,564,039,457,584,007,913,129,639,936
For scale: the estimated number of atoms in the observable universe is around 10⁸⁰. The number of possible SHA-256 hashes is in the same order of magnitude. Finding two files that produce the same SHA-256 hash by brute force would be computationally equivalent to enumerating every atom in the universe — several times over.
Diagram: file → hash
```
Original file (any size)
│
▼
┌───────────────────────────────┐
│ SHA-256 function │
│ (compression, 64 rounds) │
└───────────────────────────────┘
│
▼
e3b0c44298fc1c149afb... (always 64 hex characters)
```
The avalanche effect
A fundamental property of SHA-256 is that any minimal change to the file radically changes the hash. A real-world example:
| Input | SHA-256 hash |
|---|---|
contract.pdf original | a3f8...d291 |
contract.pdf with 1 comma changed | f7c2...b104 |
contract.pdf with 1 extra space | 9e41...77ad |
There is no subtle variation and no proportional change. The hash changes entirely, regardless of how small the alteration is. This is what makes hash comparison the most direct way to detect tampering.
Algorithm comparison
| Algorithm | Year | Bits | Status in forensics |
|---|---|---|---|
| MD5 | 1992 | 128 | Collisions demonstrated in 2004. Do not use. |
| SHA-1 | 1995 | 160 | Practical collision in 2017 (SHAttered). Avoid. |
| SHA-256 | 2001 | 256 | Current standard. No known collisions. |
| SHA-3 | 2015 | 256+ | Different architecture (Keccak). Complementary. |
Practical verification
Anyone can compute the SHA-256 hash of a file. One way is through the computer's terminal — a text window where commands are typed:
certutil -hashfile file.pdf SHA256 (Windows)sha256sum file.pdf (Linux and macOS)
If that looks intimidating, it is. The terminal is an interface for technical users. The good news is that friendlier platforms do the same calculation with a few clicks, no installation required. MetaScope's Digital Guardian is one of them: drag a file in, and it instantly displays the SHA-256 hash, already formatted as an integrity record.
Regardless of how the hash is computed, the result is always a 64-character hexadecimal sequence — a combination of digits 0–9 and letters a–f. Two identical hashes, generated on different machines at different times, are technical evidence that the files are exact bit-for-bit copies.
Digital metadata: EXIF, IPTC and XMP
Every digital file carries two types of content: what you see and what the file knows about itself. This second type is metadata: data about data. In a photograph, metadata records camera, lens, date, time, GPS coordinates and exposure settings. In a document, it records author, software, company and revision history.
The three standards
- EXIF (Exchangeable Image File Format): a standard from the Japanese photography industry (1990s), embedded directly in the image file. Records technical capture data: device make and model, internal-clock date/time, GPS coordinates when active, exposure time, aperture, ISO and resolution.
- IPTC (International Press Telecommunications Council): created for journalism. Records editorial information — author credit, caption, title, keywords and coverage location — in a block separate from EXIF within the same file.
- XMP (Extensible Metadata Platform): an open Adobe standard based on XML. Extensible by any application. Photoshop, Lightroom and Acrobat write edit history, colour adjustments and session identifiers here.
Real example: metadata from a smartphone photo
The table below shows fields extracted from a .jpg photo taken with an iPhone 14 and sent directly (not through a social network):
| EXIF field | Value |
|---|---|
| Make | Apple |
| Model | iPhone 14 |
| Software | 16.5 |
| DateTime | 2024:03:15 14:32:07 |
| DateTimeOriginal | 2024:03:15 14:32:07 |
| GPSLatitude | 21°13'45.6" S |
| GPSLongitude | 44°59'18.3" W |
| GPSAltitude | 912 m |
| ExposureTime | 1/120 s |
| FNumber | f/1.8 |
| ISO | 64 |
| FocalLength | 5.7 mm |
| ColorSpace | sRGB |
| PixelXDimension | 4032 |
| PixelYDimension | 3024 |
These 15 fields tell a complete story: who took it (device), when (dual timestamp: DateTime and DateTimeOriginal), where (GPS with altitude) and how (optical settings). In a forensic examination, each field can be cross-referenced against other sources — carrier records, app logs, nearby security cameras.
What the absence of metadata means
Platforms like Instagram and WhatsApp automatically strip metadata when receiving and re-sharing images. This is a privacy policy, not tampering. The absence of EXIF in an image downloaded from a social network is expected and is not, by itself, evidence of manipulation.
What matters in forensics is internal consistency: metadata that should exist given the declared device and context, but is absent or contradictory.
```
Expected scenario:
Photo said to be from iPhone 14, sent via WhatsApp
→ Expected: no EXIF (WhatsApp strips it)
→ OK.
Scenario to investigate:
Photo claimed to be original from iPhone 14, sent directly
→ Expected: full EXIF present
→ EXIF absent: why?
Objective inconsistency:
EXIF DateTime: 2021:08:10
Declared context: photo from a March 2024 event
→ 2.5-year discrepancy. Technical evidence.
```
These geolocation fields extracted from EXIF are the foundation of specialised crime scene reconstruction tools. [Locus — Forensic Dynamics](https://www.investigacaoforense.com/aplicacoes/locus) is one of them: it reads GPS coordinates from geotagged photographs, generates animated trails over satellite imagery and exports a self-contained report that works offline. All processing runs in the browser, with no photo uploads to any server.
Digital signatures and certificates
A digital signature is not an image of a handwritten signature applied to a PDF. It is a mathematical operation that binds a specific content to a verifiable identity. To understand what it proves, you need to understand the infrastructure that supports it.
PKI and ICP-Brasil
PKI (Public Key Infrastructure) is the set of technologies, policies and entities that manage cryptographic key pairs and digital certificates. In Brazil, the official infrastructure is ICP-Brasil (Brazilian Public Key Infrastructure), established by Provisional Measure 2.200-2/2001 and managed by the National Institute of Information Technology (ITI). An ICP-Brasil digital certificate carries a legal presumption of validity equivalent to a handwritten signature with notarised recognition.
The X.509 standard
Digital certificates follow the X.509 standard, defined by ITU-T. The certificate binds a public key to an identity (name, individual taxpayer number, corporate taxpayer number or domain) and is signed by a trusted Certificate Authority (CA). The browser, operating system or signing software verifies the chain of trust: from the signer's certificate up to the root of the ICP-Brasil hierarchy.
What a digital signature proves
- Authenticity: the signer is who they claim to be, because only they hold the private key corresponding to the certificate.
- Integrity: the document was not altered after signing. The signature is computed over the hash of the content, and any alteration invalidates the verification.
- Non-repudiation: the signer cannot deny having signed, because the operation requires the private key that only they hold.
What a digital signature does not prove
A valid signature does not prove that the content is truthful, that the signer read the document before signing, or that they signed voluntarily. A contract with a valid digital signature may contain abusive clauses or have been signed under duress. The technical validity of the signature is one layer of the analysis, not the conclusion.
Digital signature vs. simple electronic signature
A simple electronic signature includes mechanisms such as click-to-accept, SMS or email confirmation, and password-based access. It has legal validity in many contexts, but does not offer the same technical guarantees of non-repudiation and integrity as a digital signature with an ICP-Brasil certificate.
Forensic acquisition: how to collect without contaminating
Acquisition is the most critical phase of forensic examination: a mistake here compromises all subsequent steps. The fundamental principle is simple: never work on the original. In practice, this requires specific procedures depending on the type of media.
Write-blockers: protecting the original
A write-blocker is a hardware device (or software equivalent) that allows reading a disk or storage device without writing anything to it — not even the metadata that an operating system writes automatically when mounting a device. Without a write-blocker, connecting a suspect flash drive to the examiner's computer can alter access timestamps, mount records and temporary files, contaminating the evidence.
Bit-by-bit copy vs. logical copy
- Bit-by-bit copy (forensic image): copies every bit of the original media, including unallocated space, deleted files and system areas. The result is an image file (common formats: dd, E01, AFF4) representing the entire disk. This is the gold standard for hard drives, SSDs and flash drives in criminal investigations.
- Logical copy: copies only the files and directory structures visible to the operating system. Faster and smaller, but loses deleted files and low-level metadata. Acceptable for initial triage or when the media cannot be removed (a production server, for example).
Hashing before and after
The mandatory sequence in any forensic acquisition is: compute the hash of the original before copying, make the copy, compute the hash of the copy and compare the two. Identical hashes prove the copy is exact. Any discrepancy indicates a problem in the acquisition and requires repeating the process.
Why opening the original file contaminates it
Opening a file in the default operating system modifies access timestamps (atime on Unix systems, last accessed on Windows). In some formats, such as PDF and Word, the software itself may add data when opening the file. Any modification, even unintentional, invalidates the original hash and weakens the chain of custody. The rule is clear: the original is never opened directly; work is always done on the verified forensic copy.
Digital chain of custody in practice
The law defines what the chain of custody must record. Technology defines how to do it in a verifiable way. This lesson shows how the two connect in day-to-day practice.
The integrity manifest
Every serious forensic examination begins with an integrity manifest: a record that documents, at a minimum:
- File identification (name, size, MIME type)
- SHA-256 hash computed before any processing
- Date, time (with time zone) and identification of the person responsible for the record
- Declared origin of the file (from whom it came, through which channel)
- Any subsequent transfer or processing, with new verification hashes
This manifest can be a plain text file, a digitally signed PDF or a record in a specialised system. What matters is that it exists and that any modification to it is detectable.
Preventive vs. reactive preservation
Chain of custody is often thought of after the problem already exists: someone suspects tampering and needs to prove that the original file differs from the version presented. The more robust approach is preventive preservation: recording the integrity of the file before sharing it, before sending it by email, before uploading it to any platform.
If the hash was recorded before sending, any later version can be compared to that record. If the hash was not recorded beforehand, the only evidence of integrity is the word of the sender.
MetaScope's Digital Guardian
The Digital Guardian is MetaScope's tool for preventive integrity preservation. It computes the SHA-256 hash of each file locally, in the browser, without the file content being sent to the server. The generated record includes the hash, the date and time, the file name and a unique session identifier.
This record can be downloaded as a receipt, presented in court as the starting point of a chain of custody, and compared against any future version of the file. For anyone who needs to share sensitive documents — such as medical reports, contracts, chat screenshots or incident records — the Guardian creates the documentary starting point before any transmission.
The absence of server upload is not a limitation: it is a security choice. The privacy of the content is preserved; only the hash, which cannot be used to reconstruct the file, is recorded.
Frequently asked questions
Does a file with intact metadata prove it has not been tampered with?
Not directly. Metadata can be edited with widely available tools. The presence of coherent metadata is a favourable indication of authenticity, but not conclusive proof. Forensic examination considers metadata together with pixel consistency, compression analysis, transmission history and case context. Likewise, the absence of metadata — common in files shared through social networks — is not in itself an indication of tampering.
What is the difference between a digital signature and a timestamp?
A digital signature binds content to an identity. A timestamp (from a trusted timestamping authority) binds a hash to a point in time, proving that the content existed at that moment. The two are complementary: the signature proves who; the timestamp proves when. For long-lived documents, such as contracts and expert reports, the timestamp is important because the cryptographic algorithms used in signatures age and may be considered insecure in the future.
Can I use the SHA-256 hash computed by MetaScope as evidence in legal proceedings?
The hash computed by MetaScope is technically identical to the hash that any other tool would compute for the same file. The procedural question is not which tool computed it, but how the computation was documented and when it was performed relative to the emergence of the dispute. A hash recorded before any dispute about the file carries far more weight than one computed after suspicion of tampering has already been raised.
What is the difference between a forensic copy and a backup?
A backup prioritises availability: it ensures that files can be recovered. A forensic copy prioritises verifiable integrity: it ensures that the copy is identical to the original bit by bit, with a hash that proves it. Backups may omit deleted files, compress data or alter metadata. Forensic copies preserve everything, including unallocated space, and are produced with a write-blocker to avoid altering the original. In an investigation, presenting a backup as a forensic copy is a serious methodological error.