Chapter 23: Digital Evidence

23.1: Digital Evidence

  • Digital Evidence – any stored or transmitted data in a binary format that may be useful in a criminal or civil investigation.

  • Some crimes are committed solely within the digital realm and involve information that is itself illegal, or that becomes illegal through its transmission or creation, such as:

    • Child exploitation material

    • Computer intrusion

    • Counterfeiting

    • Domestic violence, threats, and extortion

    • Email threats, harassment, and stalking

    • Gambling

    • Identity and intellectual property theft

    • Narcotics

    • Online or economic fraud

    • Prostitution

    • Telecommunication fraud

    • Terrorism

23.2: Computerized Devices

A computer consists of hardware and software that process data.

A computer typically includes:

  • A case that contains circuit boards, storage media, and interface connections,

  • A display device,

  • A keyboard, and

  • A pointing device.

Some examples of forensically valuable data include:

  • Hardware

  • Software and apps

  • Documents, photos, financial information

  • Email and attachments

  • Databases

  • Browsing history

  • Social media data and activity

  • Contact lists, and

  • Maintenance error or event logs.


  • Hard drives – data storage devices that have an external logic board, connections to external sources of information and power, and some form of storage media.

  • Thumb Drives – small removable data storage devices with USB connections.

  • Memory cards – very small storage devices used in digital cameras, but can be also used in tablets, computers, phones, game consoles, and more.

  • SIM Card – integrated circuits that store the international mobile subscriber identity (IMSI) and the identification and network information required to authenticate with a mobile carrier network.


  • Mobile devices – handheld, portable devices that provide communication, digital photography, navigation systems, entertainment, data storage, and personal information management.

    • Smartphones – can hold enormous amounts of data and metadata, including software applications (or apps), documents, e-mail, Internet browsing history, contacts, photographs, passwords, and location information that may be of value for investigations or alibis.

  • Cell phones can be excellent evidence for several reasons:

    • They are typically single-user devices and tend to have glass touch screens that make it easier to collect DNA.

    • Their small size makes them mobile, so they are likely to be transported to, from, and during crimes.

    • They tend to have more probative information per unit of storage than a typical computer.

Network Devices

  • Networked devices are linked by physical (cables) or wireless connections that potentially share resources and data.

  • Computer networks typically include a wide range of peripherals, like printers, and data routing devices such as hubs, switches, and routers.

  • Each device on a network should be identified and its functions listed along with the other components of the computer system, its connections, and the IP and local area network addresses associated with the computers and devices.

  • Computers can also be connected directly to other computers without the need for servers or network hosts in a peer-to-peer (P2P) network.


23.3: Other types of Devices

  • Motor vehicles are now heavily computerized, and electronic control units (ECUs) help to monitor and control systems and subsystems.

  • ECUs store data for use in diagnostics, status inputs, and malfunctions; other types of information stored or controlled by ECUs include:

    • Vehicle data, such as VIN, odometer reading, and fuel levels

    • Door and door lock status

    • Passenger occupancy

    • Data from the entertainment system, for example, muting the audio during telephone calls, etc.

    • Diagnostic trouble codes to inform the service garage about a nonscheduled problem with the vehicle

    • Crash data during an accident, ranging from noting that a crash has occurred to the location of the crash, where the vehicle has been damaged (front, rear, side, rollover, etc.), and even the severity of the impact.

  • Event data recorder – records real-time data from the vehicle, including braking, acceleration, speed, and other data that can provide investigators with objective data about the vehicle and its status.


23.4: Processing Digital Evidence

Identification

The key concepts to identification would be to:

  • Identify the types of devices visible/discoverable at the scene that contain digital evidence that may be probative.

  • Be able to identify the type of digital evidence that is stored on the physical evidence item and its relevance to the matter.

Collection/Acquisition

  • If it is necessary to move a device during collection and documentation, the device should be hibernated or powered off first.

  • Modern operating systems can hibernate to disk, so it may be prudent to preserve volatile data by hibernating instead of powering off the device; note, however, that writing the hibernation file to disk may overwrite deleted data.

  • Record any network and wireless access points that may be present and capable of linking computers and other devices to each other and the Internet.

  • If multiple computers and devices are to be collected, all devices, cables, and connections should be labeled clearly and individually.

  • Digital evidence is sensitive to extreme temperatures, humidity, physical shock, static electricity, and magnetic fields.

  • Digital evidence should be packaged to prevent bending, scratching, damage, or other physical hazards.

  • Leave cell phones in the power state (on or off) in which they were found. Importantly, remember to collect all power supplies and adapters for all digital devices seized; they will be needed eventually.

Transportation

  • Digital evidence must be packaged for safe transportation back to the laboratory.

  • Digital devices are still fragile and, if broken, may be useless as evidence.

  • It is a good practice to place digital devices into antistatic bags and then place these into shock-resistant and water-resistant containers.

  • Digital devices should be stored in rooms insulated against stray radio and electrical fields; proper packaging that blocks light and water is necessary for longer-term storage.

Analysis

Analysis can generally be broken down into one or more of the following categories:

  • Physical media: The analysis of the storage media itself through a standard interface; the recovery of overwritten or deleted data is an example.

  • Media management: The analysis of the organization of the storage media; determining the file structure or subsections of a storage device.

  • File system: The analysis of the infrastructure of files (folders, directories) and recovering deleted files.

  • Application: The analysis of applications and their files, like documents, images, logs, configurations, and others.

  • Network: The analysis of information systems, networks, connections, and traffic on them.

  • Memory: The analysis of system memory media, like RAM, and system data.


23.5: Routine Types of Digital Evidence

  • E-mails are an excellent type of evidence, given the volume sent daily for personal and professional purposes. E-mails also contain good metadata about the sender and recipient.

  • Browsers keep a detailed history of the sites visited, downloads, search terms, and more. Search terms may be useful in indicating criminal intent or action.

  • Social media programs log user activity and connections, and telecommunications providers store this information on their corporate servers. These links between people, places, and activities can be important evidence in an investigation, providing leads or alibis.

  • Deleted files still exist, but the operating system has flagged their location on the storage media as being available for reuse. Deleted files whose location has not been overwritten are still recoverable.
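The mechanism described above, as an added example that is not part of the chapter: a constructed toy volume loosely modelled on FAT, where deleting a file only overwrites the first byte of its directory entry and the data cluster is left in place, so the body is recoverable until a new file is allocated into the same cluster. All layout constants and names are assumptions for the illustration.

```python
import struct

# Constructed toy volume layout (assumption for this example, loosely modelled on FAT):
#   directory table: 8 entries x 16 bytes (11-byte name, u8 start cluster, u32 size)
#   data area:       8 clusters x 32 bytes
ENTRY_SIZE, NUM_ENTRIES = 16, 8
CLUSTER_SIZE, NUM_CLUSTERS = 32, 8
DELETED_MARK = 0xE5   # FAT flags a deleted entry by overwriting its first name byte

def make_volume() -> bytearray:
    return bytearray(NUM_ENTRIES * ENTRY_SIZE + NUM_CLUSTERS * CLUSTER_SIZE)

def cluster_offset(cluster: int) -> int:
    return NUM_ENTRIES * ENTRY_SIZE + cluster * CLUSTER_SIZE

def write_file(vol: bytearray, slot: int, name: str, cluster: int, data: bytes) -> None:
    """Allocate a directory entry and write the file body into its cluster."""
    assert len(data) <= CLUSTER_SIZE, "single-cluster files only in this toy"
    entry = name.encode("ascii").ljust(11, b" ")[:11] + struct.pack("<BI", cluster, len(data))
    vol[slot * ENTRY_SIZE:(slot + 1) * ENTRY_SIZE] = entry
    off = cluster_offset(cluster)
    vol[off:off + len(data)] = data      # the old cluster contents are not wiped first

def delete_file(vol: bytearray, slot: int) -> None:
    """'Delete' = flag the entry as reusable; the data cluster is left untouched."""
    vol[slot * ENTRY_SIZE] = DELETED_MARK

def recover_deleted(vol: bytearray) -> dict:
    """Walk the directory table and pull back the body of every deleted entry."""
    recovered = {}
    for slot in range(NUM_ENTRIES):
        entry = bytes(vol[slot * ENTRY_SIZE:(slot + 1) * ENTRY_SIZE])
        if entry[0] != DELETED_MARK:
            continue                      # empty or still-allocated entry
        cluster, size = struct.unpack("<BI", entry[11:16])
        name = "?" + entry[1:11].decode("ascii")   # first name byte was lost on delete
        off = cluster_offset(cluster)
        recovered[name] = bytes(vol[off:off + size])
    return recovered

def scenario() -> tuple:
    """Delete a note, recover it, then reuse its cluster and try again."""
    vol = make_volume()
    write_file(vol, 0, "NOTE    TXT", 2, b"meeting at the pier at 10pm")
    delete_file(vol, 0)
    intact = recover_deleted(vol)["?OTE    TXT"]
    write_file(vol, 1, "LIST    TXT", 2, b"shopping list: milk, bread")  # cluster 2 reused
    clobbered = recover_deleted(vol)["?OTE    TXT"]
    return intact, clobbered

if __name__ == "__main__":
    before, after = scenario()
    print("recovered before cluster reuse:", before)
    print("recovered after cluster reuse: ", after)
```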

  • Cell phone tracking has been used in several cases, but is not without its critics; the use of a single tower should be avoided, and the system was never intended to be used like a GPS.

  • Messages that are hidden “inside” another message (steganography) can be extremely difficult to detect.

  • Other types of analysis include sorting out attempts to obtain sensitive information, such as passwords or account numbers, or access to computer systems, by masquerading as a trusted source such as a bank (phishing), or as another entity by falsifying information in electronic communications (spoofing); header metadata identifying the sender and address may be stripped out and replaced.
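As an added example (not from the chapter), serving both the e-mail metadata point above and the spoofing point here: the checks an examiner applies to a message's header metadata when the visible From address may have been replaced. The message is constructed with documentation-reserved domains and IP address, and the header names used are standard ones, but the checks themselves are this example's own, not a named tool's.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: visible From claims bank.example, but the envelope sender,
# Reply-To and the receiving server's authentication results tell another story.
SAMPLE = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.7]) by mx.example.com
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=bank.example
From: "Example Bank Security" <alerts@bank.example>
Reply-To: <support@bank-verify.example.net>
To: <customer@example.com>
Subject: Action required: confirm your account

Please confirm your details at the link below.
"""

def domain_of(header_value) -> str:
    """Lower-cased domain of the first address in a header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def check_sender_headers(raw: str) -> list:
    """Return a list of findings; an empty list means the sender metadata is consistent."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg["From"])
    # 1. Envelope sender and Reply-To should normally agree with the visible From domain.
    for hdr in ("Return-Path", "Reply-To"):
        dom = domain_of(msg[hdr])
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")
    # 2. The receiving server's SPF/DKIM/DMARC verdicts, if recorded.
    auth = (msg["Authentication-Results"] or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"{mech}={m.group(1)} in Authentication-Results")
    # 3. No Received hops at all means the delivery trail cannot be reconstructed.
    if not msg.get_all("Received"):
        findings.append("no Received headers: delivery trail missing")
    return findings

if __name__ == "__main__":
    for finding in check_sender_headers(SAMPLE):
        print("-", finding)
```

Received headers are added by each relay and are harder to forge end to end than From, so the Return-Path and Received trail should be read together with the verdicts above.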