Digital Evidence – Comprehensive Bullet-Point Study Notes

Introduction & Context

Digital evidence analysis is in its forensic infancy, despite the omnipresence of technology.
Forensic standards, methods, and validation remain critical and must match other sciences.
Core challenge: the knowledge base expands with every new device, app, operating‐system patch, or software update.
Digital evidence bridges the technical–social, physical–virtual, licit–illicit spectra; its relevance grows in parallel with society’s dependence on digital devices.

Key Terms (Exam “Must-Know”)

Bit – smallest unit of digital information (binary 0 or 1).
Partition – logically defined portion of a storage medium.
Hashing – cryptographic algorithm producing a unique “fingerprint” of data; used to validate forensic images.
Metadata – “data about data” (author, timestamps, GPS tags, device model, etc.).
Data carving – reconstructing files when file-system metadata is missing/corrupted.
P2P (peer-to-peer) – direct device interconnection without centralized servers.
SIM card – integrated circuit storing $\text{IMSI}$ + network authentication data.
SID (System Identification Code) – $5$ -digit carrier code broadcast by cell towers.
ECU / EDR – vehicle modules storing diagnostic & crash data (vehicle “black box”).
Phishing / Spoofing – social-engineering attacks via impersonation or header falsification.
Steganography – hiding one message or file inside another (e.g., an image within an image).
Work copy – forensic duplicate used for examination; original remains untouched.

Device & Data Explosion

Worldwide mobile subscriptions per 100 people continue to rise (Figure 23.1).
Computing power doubles ≈ every $2$ years (Moore’s Law) while memory cost plummets.
$\text{Transistors}(t)=\text{Transistors}_0\times2^{t/2\,\text{yrs}}$
$90\%$ of all digital data was generated in the last $2$ years (SINTEF, 2013).
Average social separation has shrunk from $6$ to $3.4$ connections due to digital networks.
Thousands of distinct cell-phone models exist; > $8{,}000$ models sold in China alone.

What Is Digital Evidence?

Any binary-formatted data (stored or transmitted) with potential investigative value.
Appears on hard drives, mobiles, removable media, networks, cloud servers, IoT devices.
Roles in crime:
• Provide intent, alibi/location, or relationships.
• Enable purely digital crimes (child exploitation, intrusion, fraud, etc.).

Categories of Devices Containing Evidence

Computerized Devices

Hardware + software performing data processing (desktops, laptops, tablets, mainframes).
Internals/peripherals (motherboards, GPUs, printers, scanners) all store logs or metadata.
Typical artefacts: documents, images, e-mails, chat logs, databases, browser history, OS event logs.

Storage Media

Hard drives – magnetic/ceramic/glass platters + logic board. Can hold terabytes.
Thumb/Flash/USB drives – small, concealable, customizable; often hidden in novelty items.
Memory cards (SD, microSD) – widely used in cameras, phones, game consoles.
SIM cards – tiny yet store subscriber identity plus contact/SMS data.

Mobile Devices & Cell Phones

Smartphone = phone + computer + GPS + camera + personal organiser.
Hold dense, highly personal data (contacts, apps, geolocation, passwords).
Single-user nature aids DNA recovery (touch screens).
Mobile device sales now exceed desktops; tablet market rising → forensic focus shifts.

Networked Devices

Nodes linked via cable or wireless: hubs, switches, routers, access points.
P2P networks share resources without servers; frequently used for contraband distribution.
Existence of a network can itself be probative (e.g., hidden Wi-Fi used for intrusion).

Other Digital/IoT Devices

Everyday appliances now networked (smart fridges, TVs, speakers).
Vehicles contain >30 ECUs controlling traction, airbags, entertainment; EDR captures pre-crash telemetry (speed, braking, impact severity).
Future trend: virtually any consumer good may log user interactions.

How Cell Phones Work (Detailed Mechanics)

Essentially point-to-point two-way radios.
Coverage divided into hexagonal “cells” (~ $10$ sq mi) serviced by towers.
On startup, phone registers nearest tower’s $SID$ and broadcasts its own IDs.
During movement, network orders frequency hand-off between towers; triangulation needs $\ge3$ towers for reliable location (single tower ≈ poor accuracy ⇒ avoid in court).

Processing Digital Evidence

1 Identification

Digital data is latent; must locate every potential container (USB hidden in toy, DVR, smart‐TV memory, etc.).
Determine both physical device and logical data types likely stored.

2 Collection / Acquisition

Power considerations:
• Desktops – may power-off safely after capturing volatile data.
• Mobiles – risk of remote wipe; isolate in airplane mode or wrap in 3-layer aluminium foil.
Label every device + cable ("Computer A", "Cable A-1"…), photograph connections.
Preserve volatile RAM on live systems via external write-blocked tools before shutdown.

3 Transportation & Storage

Use antistatic bags + shock/temperature-resistant cases.
Shield from magnets, RF, UV; CDs/DVDs subject to “disk rot,” HDDs may lose integrity after ≈ $5$ years.
Store in RF-insulated evidence rooms where possible.

4 Analysis & Examination

Live vs Dead Approaches

Live system – powered on; first capture RAM, network sessions, active chats; unavoidable slight data alteration.
Dead system – powered off; remove media → create forensic image.

Imaging & Hashing Workflow

Create physical or logical image of storage device using write-blockers.
Calculate hash (e.g., $\text{MD5}$ / $\text{SHA-256}$ ) → verify against original.
Preserve original; work only on validated copies.

Six Analysis Categories

Physical media (bit-level recovery, overwritten sectors).
Media management (partitions, volumes).
File system (folder structure, deleted file recovery).
Application layer (documents, app logs, configuration files).
Network (traffic captures, connection artefacts).
Memory (volatile RAM, process lists, injected code).

5 Reporting

Present clear, lay-audience explanations; document tools, procedures, chain-of-custody, and hash values.

Routine Evidence Types & Illustrative Cases

E-mails – headers reveal IP path, software, timestamps.
Browser artefacts – history, cached pages, search terms (e.g., Scott Peterson case: boat purchase + tide research).
Social media – chats, posts, friend graphs; criminals have self-incriminated online (Rodney Knight Jr bragged on victim’s Facebook).
Deleted files – marked free yet recoverable until overwritten.
Location timelines – carrier cell-tower logs & handset GPS reconstruct movements (alibi or guilt).
Steganography – image‐in‐image spy messages (2010 Russian spy ring, child-porn rings circa 2007).
Phishing/Spoofing artefacts – forged headers, credential harvest pages.

Analytical Challenges

Quantity Problem

Massive storage sizes ⇒ impossible to manually review every artefact (e.g., $30{,}000$ images on a single 120-GB drive).
Requires prioritization, keyword searches, hash‐set filtering, AI triage.

Complexity Problem

Data in low-level formats requires specialist tools and expertise for decoding.
Rapidly changing hardware/OS/app landscape; labs must archive legacy knowledge while upgrading for new tech.

Legal, Ethical & Practical Considerations

Courts oscillate between techno-philia (“digital = truth”) and techno-phobia (“junk science”).
Digital evidence must satisfy same admissibility standards (Daubert/Frye, validation, documented methodology).
Preservation of privacy vs investigative need (remote phone wipe, encryption, ‘kill-switch’ legislation).
Chain-of-custody extends to hash validation and tool certification.

Summary & Future Outlook

Digital forensics must expand standards, validation, and cross-disciplinary training.
Growth areas: cloud forensics, IoT forensics, AI-driven triage, anti-forensics detection.
Societal ubiquity of tech ensures digital artefacts will underpin most future investigations.

Numerical & Statistical References

Moore’s Law: transistor count $\times2$ every $\approx2$ yrs.
$90\%$ of global data generated within last $2$ yrs (2013 SINTEF report).
Average social separation $3.4$ links vs historical “six degrees.”
>8{,}000 cell-phone models in Chinese market alone.
Typical cell size ≈ $10\,\text{mi}^2$ ; triangulation needs $\ge3$ towers.