Digital Evidence Computer Forensics


Module 4

Digital Evidence
Definition
Digital evidence is defined as information or data of value to an investigation that is
stored on, received or transmitted by an electronic device.

This evidence can be acquired when electronic devices are seized and secured for
examination.
Importance of Digital evidence
• Digital evidence is very important in any criminal investigation such as murder,
stalking, car-jacking, burglary, child abuse or exploitation, counterfeiting, extortion,
gambling, piracy, property crimes and terrorism.

• Pre- and post-crime information is most relevant, for example, if a criminal was using
an online program like Google Maps or Street View to case a property before a crime;
or posting stolen items for sale, for example on eBay; or communicating via text message
with accomplices to plan a crime or threaten a person.

• Some crimes can be committed entirely through digital means, such as computer
hacking, economic fraud or identity theft.

• In any of these situations, an electronic trail of information is left behind for the
investigation team to recognize, seize and exploit.

• As with any evidence-gathering, following proper procedures is crucial and will yield
the most valuable data.

• Not following proper procedures can result in lost or damaged evidence, or render it
inadmissible in court.
Digital evidence gathering
Evidence that can be Gathered Digitally

• Computer documents, emails, text and instant messages, transactions, images and
Internet histories are examples of information that can be gathered from electronic
devices and used very effectively as evidence.

• Mobile devices use online-based backup systems, also known as the “cloud”, that
provide forensic investigators with access to text messages and pictures taken from a
particular phone. These systems keep an average of 1,000–1,500 or more of the last
text messages sent to and received from that phone.

• Many mobile devices store information about the locations where the device traveled
and when it was there. To gain this knowledge, investigators can access an average
of the last 200 cell locations accessed by a mobile device. Satellite navigation systems
and satellite radios in cars can provide similar information.

• Even photos posted to social media such as Facebook may contain location
information. Photos taken with a Global Positioning System (GPS)-enabled device
contain file data that shows when and exactly where a photo was taken. By gaining a
subpoena for a particular mobile device account, investigators can collect a great deal
of history related to a device and the person using it.
Digital evidence gathering

• There are many sources of digital evidence. Generally, there are three major forensic
categories of devices where evidence can be found:
➢ Internet-based
➢ Stand-alone computers or devices
➢ Mobile devices.

• These areas tend to have different evidence-gathering processes, tools and concerns,
and different types of crimes tend to lend themselves to one device or the other.

Internet

• Any computer that connects to an Internet Service Provider (ISP) becomes part of the
ISP’s network, whether it is a single computer or part of a local area network (LAN) at
a workplace.

• Each ISP connects to another network. This global collection of networks has no
“owner” or overall controlling network, so it operates like a community, with all the
pros and cons.

• Because of the global access to information and to other computers, criminals are
able to use this access to hack into financial and communications systems, major
corporations and government networks to steal money, identities and information, or
to sabotage systems.

• One of the biggest challenges in Internet crime is for investigators, laboratory and
technical personnel to understand how the process works and to stay closely engaged
with advances in software and tracking technologies.

Stand-alone computers or devices

• Computer crimes continue to be a growing problem in both the public and private
sector.

• A single computer can contain evidence of criminal activity carried out on the web, or
the criminal use can be contained in the computer itself, such as pornography,
copyright infringement, extortion, counterfeiting and much more.

• Digital evidence is located on the computer’s hard drive and peripheral equipment,
including removable media such as thumb drives and CD-ROM discs.

Mobile devices

• Cellular phone (now smartphone) and wireless technology have expanded to include
many types of mobile devices such as tablet computers and hand-held video games.

• Once used only for voice communications, today’s cell phones are also used to take
digital photos and movies, send instant messages, browse the web and perform many
of the same tasks as a computer.

• Mobile devices allow criminals to engage in an ever-growing variety of activities, and
the devices keep track of every move and message. It is this tracking capability that
turns mobile devices into key evidence in many cases.
Handling Digital Evidence
• Admissibility of Evidence
o Legal rules which determine whether potential evidence can be
considered by a court
o Must be obtained in a manner which ensures the authenticity
and validity and that no tampering had taken place

• No possible evidence is damaged, destroyed, or otherwise compromised by the
procedures used to search the computer

• Preventing viruses from being introduced to a computer during the analysis process

• Extracted / relevant evidence is properly handled and protected from later mechanical
or electromagnetic damage

• Establishing and maintaining a continuing chain of custody

• Limiting the amount of time business operations are affected

• Not divulging, and respecting the ethical and legal protection of, any client-attorney
information that is inadvertently acquired during a forensic exploration
Digital Evidence Processing Guidelines

It is recommended to follow 16 steps in digital evidence processing.

– Step 1: Shut down the computer
⚫ Consideration must be given to volatile information
⚫ Prevents remote access to the machine and destruction of evidence (manual or
anti-forensic software)

– Step 2: Document the Hardware Configuration of the System
⚫ Note everything about the computer configuration prior to relocating it

– Step 3: Transport the Computer System to a Secure Location
⚫ Do not leave the computer unattended unless it is locked in a secure location

– Step 4: Make Bit Stream Backups of Hard Disks and Floppy Disks

– Step 5: Mathematically Authenticate Data on All Storage Devices
⚫ Must be able to prove that you did not alter any of the evidence after the computer
came into your possession

– Step 6: Document the System Date and Time
– Step 7: Make a List of Key Search Words
– Step 8: Evaluate the Windows Swap File

– Step 9: Evaluate File Slack
⚫ File slack is a data storage area of which most computer users are unaware; a
source of significant security leakage.

– Step 10: Evaluate Unallocated Space (Erased Files)

– Step 11: Search Files, File Slack and Unallocated Space for Key Words

– Step 12: Document File Names, Dates and Times

– Step 13: Identify File, Program and Storage Anomalies
– Step 14: Evaluate Program Functionality
– Step 15: Document all Findings
– Step 16: Retain Copies of Software Used
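The "mathematical authentication" of Step 5 in practice, as an added example that is not part of the original slides: the bit-stream image from Step 4 is hashed in a streaming pass at acquisition, and every later verification recomputes the digests and compares them, so any alteration after seizure is provable. The function names and the sample image bytes are constructed for this illustration.

```python
import hashlib
import io

CHUNK_SIZE = 1024 * 1024  # hash the image 1 MiB at a time; disk images rarely fit in RAM


def hash_stream(stream, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} over everything readable from `stream`.
    Two algorithms are computed in one pass, as forensic tools usually record both."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        chunk = stream.read(CHUNK_SIZE)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_image(path, algorithms=("md5", "sha256")):
    """Hash a bit-stream image file on disk (for example the copy made in Step 4)."""
    with open(path, "rb") as f:
        return hash_stream(f, algorithms)


def hash_bytes(data, algorithms=("md5", "sha256")):
    """Same computation for in-memory data; used by the demonstration below."""
    return hash_stream(io.BytesIO(data), algorithms)


def verify_image(current, recorded):
    """Compare freshly computed digests with those written down at acquisition.
    Returns (all_match, [algorithms that differ]); one flipped bit anywhere in the
    image changes every digest, which is what lets the examiner prove non-alteration."""
    mismatches = [name for name, digest in recorded.items() if current.get(name) != digest]
    return (not mismatches, mismatches)


if __name__ == "__main__":
    # Constructed stand-in for an acquired image; not a real disk image.
    image = b"BOOT" * 2048 + b"recovered document text" + b"\x00" * 4096
    recorded = hash_bytes(image)                 # goes into the acquisition notes
    print("acquisition digests:", recorded)
    print("unchanged image verifies:", verify_image(hash_bytes(image), recorded))
    tampered = bytearray(image)
    tampered[5000] ^= 0x01                       # flip a single bit
    print("tampered image verifies:", verify_image(hash_bytes(bytes(tampered)), recorded))
```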
Digital evidence
Chain of custody
• The chain of custody in digital forensics can be referred to as the forensic link, the
paper trail, or the chronological documentation of electronic evidence.

• It indicates the collection, sequence of control, transfer, and analysis. It also
documents each person who handled the evidence, the date/time it was collected or
transferred, and the purpose for the transfer.
Importance of Chain of custody
It is important to maintain the chain of custody to preserve the
integrity of the evidence and prevent it from contamination, which can
alter the state of the evidence. If not preserved, the evidence
presented in court might be challenged and ruled inadmissible.

• Importance to the Examiner

When the examiner obtains metadata for a piece of evidence, the chain of custody
helps to show where the possible evidence might lie, where it came from, who created
it, and the type of equipment that was used.

• Importance to the Court

It is possible to have the evidence presented in court dismissed if there is a missing link
in the chain of custody. It is therefore important to ensure that a complete and
meaningful chain of custody is presented along with the evidence in court.
Chain of custody procedures
A clear, well-documented chain of custody should be established through
a process that includes the following:

• Taking notes, including documentation of the recovery location, the time and date
recovered or received, description of the item, condition of the item and any unusual
markings on or alterations to the item.

• Marking and packaging the evidence.

• Sealing the evidence.

• Preparing the chain-of-custody record.

• The chain-of-custody record for all items collected from the scene must
include the following:
o Unique identifier.
o Item description.
o Identity of the person who collected the item.
o Time and date of collection.
o Location where item was found.
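A chain-of-custody record built from the fields listed above, as an added example that is not part of the original slides: the record refuses to open without every required field, each hand-off is logged with who, when and why, the receiver re-hashes the image against the acquisition digest, and a "missing link" (a hand-off from someone who never held the item, or a digest that no longer matches) makes the chain report as broken. Class, method and sample names are constructed for this illustration.

```python
import hashlib
from dataclasses import dataclass, field

# The fields the slide says every record must carry; a record missing one is rejected.
REQUIRED_FIELDS = ("identifier", "description", "collected_by", "collected_at", "location")


@dataclass
class ChainOfCustody:
    identifier: str        # unique identifier
    description: str       # item description
    collected_by: str      # identity of the person who collected the item
    collected_at: str      # time and date of collection (ISO-8601 text)
    location: str          # location where the item was found
    image_sha256: str      # digest of the bit-stream image taken at acquisition
    transfers: list = field(default_factory=list)   # append-only hand-off log

    @classmethod
    def from_image(cls, image_bytes, **fields):
        """Open a record for a freshly imaged item, refusing incomplete paperwork."""
        missing = [f for f in REQUIRED_FIELDS if not fields.get(f)]
        if missing:
            raise ValueError("chain-of-custody record missing: " + ", ".join(missing))
        return cls(image_sha256=hashlib.sha256(image_bytes).hexdigest(), **fields)

    def transfer(self, from_person, to_person, at, purpose, image_bytes):
        """Log a hand-off. The receiver re-hashes the image before accepting it, so an
        altered copy is caught at the link where it changed hands. Returns True if the
        digest still matches the acquisition digest."""
        digest = hashlib.sha256(image_bytes).hexdigest()
        verified = digest == self.image_sha256
        self.transfers.append({"from": from_person, "to": to_person, "at": at,
                               "purpose": purpose, "sha256": digest, "verified": verified})
        return verified

    def is_unbroken(self):
        """True only if every link verified and each hand-off starts with the person
        who received the item in the previous one (no gap in custody)."""
        holder = self.collected_by
        for t in self.transfers:
            if t["from"] != holder or not t["verified"]:
                return False
            holder = t["to"]
        return True


if __name__ == "__main__":
    image = b"constructed stand-in for a disk image"   # not a real image
    rec = ChainOfCustody.from_image(image, identifier="CASE-42/ITEM-1", description="laptop HDD image",
                                    collected_by="Officer A", collected_at="2024-03-01T09:15", location="desk 3")
    rec.transfer("Officer A", "Examiner B", "2024-03-01T13:00", "analysis", image)
    print("chain unbroken:", rec.is_unbroken(), "|", rec.transfers)
```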
Chain of custody sample form
