Digital Evidence Collection Notes

Digital (Data) Evidence Collection Overview

Terminal Performance Objective

The student will be able to identify potential items of evidence and properly collect and preserve the evidence commonly encountered during investigations.

Enabling Performance Objectives

  • EPO #1: Identify and discuss digital data evidence and common terms for different types of digital data evidence.

  • EPO #2: Discuss common locations where digital data evidence is stored.

Digital Footprints and Evidence

  • Every action on digital devices (e.g., connecting to the internet, sending emails, texts, or making calls) leaves a digital footprint.

  • Knowing what to look for can help in tracing the source of digital evidence.

EPO #1: Overview of Digital Evidence

Types of Digital Evidence

  • Electronic Serial Number (ESN): A unique identification number embedded in wireless devices; crucial for tracking phone calls.

  • Mobile Identification Number (MIN): Globally unique identification number for CDMA equipment.

  • Subscriber Identity Module (SIM) Card: Contains subscriber-related data such as phonebook, call logs, and SMS.

    • International Mobile Subscriber Identifier (IMSI): A unique number stored on the SIM card identifying the account holder.

    • International Mobile Equipment Identifier (IMEI): A unique 15-digit number associated with a mobile device; it helps track stolen phones.
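Because an IMEI is routinely transcribed from a device menu or a battery label into a report, it is worth knowing that its 15th digit is a Luhn check digit over the first 14, so a typo can be caught before the value is recorded. The following is an added example for these notes (not part of the original course material); it assumes the standard 8-digit TAC / 6-digit serial / 1 check-digit layout, and the sample IMEIs in it are constructed test values.

```python
"""Validate and decompose a 15-digit IMEI.

Added example for these notes; not part of the original course material.
Structure assumed: 8-digit TAC (Type Allocation Code), 6-digit serial number,
1 Luhn check digit. Sample IMEIs below are constructed/test values only.
"""
import re

IMEI_LENGTH = 15


def normalize_imei(raw: str) -> str:
    """Strip the separators that reports and device menus often add (spaces, dashes)."""
    return re.sub(r"[\s-]", "", raw)


def luhn_check_digit(body: str) -> int:
    """Compute the Luhn check digit that should follow `body` (the first 14 IMEI digits).

    Walking right-to-left over the body, every digit at an even offset is doubled
    (with 9 subtracted when the product exceeds 9), because the check digit itself
    will occupy the rightmost, undoubled position of the full IMEI.
    """
    total = 0
    for offset, ch in enumerate(reversed(body)):
        d = int(ch)
        if offset % 2 == 0:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def parse_imei(raw: str) -> dict:
    """Return the IMEI's parts and whether its check digit is consistent.

    Raises ValueError for input that is not 15 digits after normalization, so a
    transcription error in a report is caught before the value is recorded.
    """
    imei = normalize_imei(raw)
    if not (len(imei) == IMEI_LENGTH and imei.isdigit()):
        raise ValueError(f"IMEI must be {IMEI_LENGTH} digits, got {raw!r}")
    body, check = imei[:-1], int(imei[-1])
    return {
        "imei": imei,
        "tac": imei[:8],        # allocation code identifying the device model
        "serial": imei[8:14],   # per-device serial within that TAC
        "check_digit": check,
        "valid": luhn_check_digit(body) == check,
    }


if __name__ == "__main__":
    # Constructed sample values: one with a correct check digit, one with a typo.
    for sample in ("49-015420-323751-8", "490154203237519"):
        print(sample, "->", parse_imei(sample))
```

A failed check does not mean the device is suspect; it means the number as written cannot be a real IMEI and should be re-read from the device or the carrier record before it goes into the report.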

Components of Cellular Records

Cellular data records (CDR) may include:

  • Call detail logs demonstrating:

    • Originating and terminating cell sites (latitude and longitude)

    • Call durations, data usage

    • SMS information

    • Tower dump data

    • Subscriber information
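To make the record components above concrete, here is an added example (not from the original notes, and not any carrier's actual export format) that parses a constructed CDR export and produces the figures an investigator typically pulls from it: per-subscriber call, SMS and data totals, the cell sites (with latitude/longitude) that served the number, a chronological timeline, and the subset of records touching one cell site in a time window, which is what a tower dump covers. All column names and rows are constructed sample data.

```python
"""Summarize constructed cellular records (CDR) for an investigative report.

Added example for these notes; not part of the original material and not any
carrier's real export format. Column names and all rows are constructed samples.
"""
import csv
import io
from datetime import datetime

# Constructed sample export following the fields the notes list: originating and
# terminating cell sites with lat/lon, call durations, data usage and SMS records.
SAMPLE_CDR = """\
start_time,record_type,originating_number,terminating_number,duration_s,data_bytes,orig_cell_id,orig_lat,orig_lon,term_cell_id,term_lat,term_lon
2024-03-01T08:02:10,voice,15551230001,15551230002,185,0,C101,38.8977,-77.0365,C205,38.8895,-77.0353
2024-03-01T08:15:44,sms,15551230001,15551230003,0,0,C101,38.8977,-77.0365,C310,38.9072,-77.0369
2024-03-01T09:40:05,data,15551230001,,0,2457600,C205,38.8895,-77.0353,,,
2024-03-01T09:41:30,voice,15551230002,15551230001,62,0,C205,38.8895,-77.0353,C205,38.8895,-77.0353
2024-03-01T13:20:00,voice,15551230003,15551230001,300,0,C310,38.9072,-77.0369,C101,38.8977,-77.0365
"""


def parse_cdr(text: str) -> list:
    """Parse a CSV export into records with typed timestamps and counters."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        row["start_time"] = datetime.fromisoformat(row["start_time"])
        row["duration_s"] = int(row["duration_s"] or 0)
        row["data_bytes"] = int(row["data_bytes"] or 0)
        records.append(row)
    return records


def subscriber_side(record: dict, number: str):
    """Return 'orig' or 'term' for the end of the record the number is on, else None."""
    if record["originating_number"] == number:
        return "orig"
    if record["terminating_number"] == number:
        return "term"
    return None


def summarize_subscriber(records: list, number: str) -> dict:
    """Totals for one number plus the cell sites (id -> (lat, lon)) that served it."""
    summary = {"voice_calls": 0, "voice_seconds": 0, "sms": 0,
               "data_bytes": 0, "cell_sites": {}}
    for r in records:
        side = subscriber_side(r, number)
        if side is None:
            continue
        if r["record_type"] == "voice":
            summary["voice_calls"] += 1
            summary["voice_seconds"] += r["duration_s"]
        elif r["record_type"] == "sms":
            summary["sms"] += 1
        elif r["record_type"] == "data":
            summary["data_bytes"] += r["data_bytes"]
        # The subscriber's own cell site is on whichever side of the record they occupy.
        cell = r[f"{side}_cell_id"]
        if cell:
            summary["cell_sites"][cell] = (float(r[f"{side}_lat"]), float(r[f"{side}_lon"]))
    return summary


def timeline(records: list, number: str) -> list:
    """Chronological (timestamp, record type, cell id) rows of the kind a report tabulates."""
    rows = []
    for r in records:
        side = subscriber_side(r, number)
        if side:
            rows.append((r["start_time"].isoformat(), r["record_type"], r[f"{side}_cell_id"]))
    return sorted(rows)


def records_at_cell(records: list, cell_id: str, start: datetime, end: datetime) -> list:
    """Records that touched one cell site in [start, end): the scope of a tower dump."""
    return [r for r in records
            if cell_id in (r["orig_cell_id"], r["term_cell_id"])
            and start <= r["start_time"] < end]


if __name__ == "__main__":
    recs = parse_cdr(SAMPLE_CDR)
    print(summarize_subscriber(recs, "15551230001"))
    for row in timeline(recs, "15551230001"):
        print(*row)
```

Keeping the parsing step separate from the summaries matters for reporting: the raw export is the evidence, and every figure in the report should be reproducible from it by re-running the same steps.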

EPO #2: Sources of Digital Data Evidence

Electronic Devices

  • Phones contain vital information such as the ESN, which helps link specific devices to calls.

  • The device itself holds subscriber identifiers like IMSI, stored on the SIM card.

The Cloud

  • Defined as a global network of servers that store data securely.

  • Important platforms for investigation include Facebook, Google, Apple, and various cellular providers.

  • Data can be accessed through consent, cloud interfaces, or warrants.

Techniques for Gathering Cloud Evidence

  • Tower Dump: A large volume of mobile phone data from a specific geographical area for a specific period.

  • Use of cloud analyzers (e.g., Oxygen Forensics Cloud Extractor) or obtaining consent/warrants.

  • Essential data to obtain includes:

    • Subscriber information, communication logs (calls, SMS), tower locations, and historical data.

EPO #3: Importance of Detailed Reporting

  • A detailed report should contain documentation that is clear for judges and jurors.

  • Reports should include:

    • Screenshots

    • Evidence details such as IMEI, timestamps, routes, and other relevant records.

Key Terms for Investigators

  • Understanding geographical terms such as latitude, longitude, azimuth, and beam width is essential for clarity in reports.

  • It’s crucial to write reports using common terminology to ensure understanding by all parties involved in the legal process.

Summary of Key Points

  • EPO #1: Identify and discuss digital data evidence and its associated terms.

  • EPO #2: Recognize common locations for data storage, focusing on devices and cloud.

  • EPO #3: Identify the necessary tools for evidence collection.

  • EPO #4: Discuss techniques for securing and documenting digital evidence effectively.