Introduction to Handling Digital Evidence

Digital evidence such as cell phones, computers, gaming consoles, flash drives, CDs, and anything else capable of storing data is used by law enforcement and prosecutors to help prove an individual’s guilt in court, and even to locate missing persons and deter crimes. Digital evidence contains an incredible amount of information; a computer can show an individual’s involvement in a crime even when it seems that all of the information has been deleted. However, many law enforcement officials are not properly trained to collect digital evidence, which can result in the evidence being damaged or, more commonly, being excluded as inadmissible in court. (Goodison, “Digital Evidence”)

The first thing an investigator has to establish when they have a digital device in their hands is whether they can legally search it, which requires a search warrant. If an officer makes an arrest and confiscates an individual’s phone, they are allowed to search the physical aspects of the phone, meaning the case and other parts of the device, without actually turning on the device’s screen.

In the case of a search warrant that allows for the seizing of a specified form of digital evidence, such as a laptop, the investigator has to make sure that the warrant also allows the digital contents of the computer to be searched. In Massachusetts a second warrant is required to actually search the digital contents of a computer.

If all search warrants are in place, the investigator should photograph the evidence as it was found at the scene, and if the monitor is on they should photograph whatever is displayed without touching anything. After this, fingerprints should be lifted from the digital evidence if any are legible. This can be helpful evidence if a suspect claims they have never touched the computer before. (US Justice Dept., “Searching and Seizing Computers”)

The hardest part of handling digital evidence is the next step, transporting the evidence. Computers and other electronic devices have Random Access Memory (RAM) installed, a temporary storage area that can contain valuable information such as saved passwords, encryption keys, and open programs, but that is only accessible while the computer is on and is wiped when the computer is turned off. In the days of DDR2 RAM it was possible to preserve this RAM state by freezing the modules with compressed air and then transporting the computer to a lab, but today’s DDR3 and DDR4 RAM have addressed this security vulnerability, so it is no longer possible. Because of this, electronic devices should remain on if possible, using a portable power supply. (Roger, “Cold Boot Attacks”)

Leaving devices powered on presents a new issue in protecting digital evidence: the possibility of a person remotely accessing the device and wiping or changing its contents. To avoid this, an investigator should turn on airplane mode if it is a mobile device or, when in doubt, place it in a Faraday bag, which blocks any signal from reaching the device. The device should then only be removed in a lab environment that has safeguards in place to ensure no electronic signals can reach the lab room.

During this whole process the chain of custody should be maintained and well documented. This is especially important with digital evidence, since it is very easy for someone to alter the data; if the chain of custody is broken, it is almost certain the evidence will be excluded from a court case.

There are lab procedures in place to make sure lab examiners do not alter the data, one of which is the use of a write blocker. A write blocker allows an examiner only to view the data on the disk and physically prevents any changes to it. This helps prove to the court that the integrity of the evidence is solid.
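As an added illustration, not part of the original essay and not any particular lab’s procedure, of how the chain of custody and write blocking are actually demonstrated to a court: the examiner hashes the acquired image at seizure and re-hashes it at every hand-off, so that any change, even a single byte written because no write blocker was in place, shows up as a mismatch at a specific point in the chain. The item id, names, timestamps and sample image bytes below are constructed for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Constructed stand-in for an acquired disk image (not a real acquisition).
SAMPLE_IMAGE = b"BOOT" + bytes(range(256)) * 4 + b"user data: notes.txt\n"


def image_hash(data: bytes) -> str:
    """SHA-256 of an acquired image; recorded at seizure and re-checked at every hand-off."""
    return hashlib.sha256(data).hexdigest()


def verify_image(data: bytes, expected_sha256: str) -> bool:
    """True when the image still hashes to the value recorded at acquisition."""
    return hmac.compare_digest(image_hash(data), expected_sha256)


@dataclass
class CustodyEntry:
    who: str        # person taking custody (hypothetical names in the demo)
    action: str     # what happened: acquired, transported, received at lab, ...
    sha256: str     # hash computed by that person from the image as received
    when: str       # ISO-8601 timestamp


@dataclass
class ChainOfCustody:
    item_id: str
    entries: List[CustodyEntry] = field(default_factory=list)

    def record(self, who: str, action: str, data: bytes,
               when: Optional[str] = None) -> CustodyEntry:
        """Append a hand-off; the hash is computed here from the bytes actually received."""
        stamp = when or datetime.now(timezone.utc).isoformat()
        entry = CustodyEntry(who, action, image_hash(data), stamp)
        self.entries.append(entry)
        return entry

    def first_break(self) -> Optional[CustodyEntry]:
        """Entry at which the hash first diverged from the acquisition hash, or None."""
        if not self.entries:
            return None
        baseline = self.entries[0].sha256
        for entry in self.entries[1:]:
            if entry.sha256 != baseline:
                return entry
        return None

    def is_intact(self) -> bool:
        """True when there is at least one entry and every hand-off matched the acquisition hash."""
        return bool(self.entries) and self.first_break() is None


def build_chain(tamper: bool) -> ChainOfCustody:
    """Walk the item through scene -> transport -> lab; optionally flip one byte before the lab."""
    chain = ChainOfCustody("ITEM-0001 (constructed)")
    chain.record("Officer A (hypothetical)", "acquired image at scene",
                 SAMPLE_IMAGE, "2016-12-07T10:00:00+00:00")
    chain.record("Courier B (hypothetical)", "received for transport",
                 SAMPLE_IMAGE, "2016-12-07T11:30:00+00:00")
    received = bytearray(SAMPLE_IMAGE)
    if tamper:
        received[100] ^= 0xFF   # simulate an unintended write (no write blocker in place)
    chain.record("Examiner C (hypothetical)", "received at lab",
                 bytes(received), "2016-12-07T15:00:00+00:00")
    return chain


if __name__ == "__main__":
    for tamper in (False, True):
        chain = build_chain(tamper)
        if chain.is_intact():
            print(f"{chain.item_id}: intact across {len(chain.entries)} hand-offs")
        else:
            broken = chain.first_break()
            print(f"{chain.item_id}: BROKEN at '{broken.action}' ({broken.who})")
```

The point of hashing at each hand-off rather than only at the end is that a mismatch is attributable: the log shows which custodian received bytes that no longer matched, which is exactly the question a court asks when the chain of custody is challenged.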

The single most difficult part of examining digital evidence is when encryption is involved. Encryption scrambles the data on the device so it is not readable without a long key (password) to unscramble it. Breaking this encryption could hypothetically take hundreds of years with law enforcement’s current resources, so what generally happens is that the case is dismissed. It is extremely frustrating for law enforcement to come very close to taking down someone like a pedophile or an internet drug kingpin, only to be unable to sentence them.

Unencrypted computers are relatively easy to get into and examine thanks to law enforcement tools such as EnCase, the SANS Investigative Forensics Toolkit, and Oxygen Forensic Suite. These tools are sold as licenses to law enforcement and private-sector companies for anywhere between $300 and $25,000. That does not include training, equipment, and lab construction costs, so digital forensic labs cost a substantial amount of money that some departments simply do not have. (Shankdhar, “22 Popular Computer Forensics Tools”)

Another common issue during a forensic examination is that evidence of a different crime, beyond the scope of the warrant, is found. When this happens a new search warrant is needed, or else the evidence is considered illegally obtained and is not admissible in court. Legal issues often arise during an investigation involving digital evidence because the relevant laws are relatively new and constantly changing, so examiners who are not up to date with the law can jeopardize a whole case.

In conclusion, handling digital evidence must be done with extreme caution to avoid legal issues and to prevent the evidence from being altered. Training is also one of the most important aspects of handling digital evidence, because for a non-technical individual electronic devices can be confusing. The processing of digital evidence is constantly evolving for the better; with the creation of easy-to-use tools and department-specific policies regarding the handling of digital evidence, fewer mistakes should occur so that justice can be served.

Sources:

Goodison, Sean E., Robert C. Davis, and Brian A. Jackson. Digital Evidence and the U.S. Criminal Justice System: Identifying Technology and Other Needs to More Effectively Acquire and Utilize Digital Evidence. Santa Monica, CA: RAND Corporation, 2015. Web.

Roger, Jolly. “Cold Boot Attacks.” Deep Dot Web. N.p., n.d. Web. 07 Dec. 2016. <https://www.deepdotweb.com/jolly-rogers-security-guide-for-beginners/cold-boot-attacks-unencrypted-ram-extraction/>.

Shankdhar, Patriva. “22 Popular Computer Forensics Tools.” InfoSec Resources. N.p., n.d. Web. 07 Dec. 2016. <http://resources.infosecinstitute.com/computer-forensics-tools/>.

US Justice Dept. Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations. Washington, D.C.: U.S. Dept. of Justice, 2002. Web.