Learn

Digital Evidence

Digital Exchanges

Recall Locard's Exchange Principle — that when two things come in contact with one another there will be an exchange. The same is true in digital forensics. Everywhere a person visits on a computer, mobile device, or the internet will leave a trace. The key is knowing how to find it.

Digital Evidence

Digital evidence (or information and data stored on, received, or transmitted by an electronic device for use in an investigation) may come from a variety of sources. The table below from The Law Enforcement Cyber Center (LECC) lists some of those sources and the types of evidence that may be found on them.

Device Types of Potential Evidence
Digital/Video Camera
  • Pictures
  • Videos
  • Files stored locally or on media card
Cell Phone
  • Text messages
  • Call logs
  • Applications used
  • Social media accounts
  • Computer files
Computer/Laptop
  • Computer files
  • Social media accounts
  • Internet search history
  • Documents
  • Email (non-web-based)
Mobile Device
  • Computer files
  • Applications used
  • Social media accounts
Game Consoles
  • Pictures
  • Videos
  • Documents
File Storage (Hard Drive, Thumb Drive, Optical Media)
  • Computer files
Internet of Things (IoT)
Wearables
  • Location
  • Apps used

Law Enforcement-Generated Digital Evidence

According to the The LECC, law enforcement agencies also generate digital evidence.

Device Types of Potential Evidence
Automated License Plate Readers (LPR)
  • License plate images
  • Pictures of cars
  • Geolocation
  • Metadata
In-Car/Body-Worn Cameras
  • Videos
Unmanned Aerial Systems (Drones)
  • Videos
Interview Room Recording Systems
  • Videos
  • Audio recordings
Closed Circuit Television (CCTV)
  • Videos
TASERs
  • Data files

Knowledge Check #1

According to The Law Enforcement Cyber Center, what type of data could be found on a game console?

  1. call logs
  2. videos
  3. location
  4. emails

Answer: b. videos

Knowledge Check #2

According to The Law Enforcement Cyber Center, which device could be used to retrieve audio recording of police?

  1. Interview room recording systems
  2. Drones
  3. TASERs
  4. Body cameras

Answer: a. Interview room recording systems.

Binary

Digital information has been broken down into binary digits (ones and zeros) which are stored and retrieved using software a set of instructions . Each 1 or 0 is called a bit, and a collection of eight bits is called a byte. Software on computers or devices translates these bytes into something readable.

This information could be stored (and found) on the internet or on a computer or mobile device.

Digital Information Considerations

Finding and uncovering evidence saved in any of these locations is a growing area of forensics that constantly changes as the technology evolves. While the way in which evidence is gathered, processed, and analyzed from each of these sources may vary, these considerations apply to all three:

  • Digital information is latent (hidden) like fingerprints or DNA evidence and must be uncovered prior to analysis.
  • Digital information crosses jurisdictional borders quickly and easily.
  • Digital information can be altered or destroyed with little effort.
  • Digital information can be time sensitive.
  • Digital information from the days and hours leading up to and following the crime is typically most relevant to the investigation.

Computers

Knowledge of the inner workings of a computer is essential for a digital forensic scientist. Without this foundational knowledge, they cannot examine the evidence, nor can they explain the evidence in their role as an expert witness.

Computers are made of a central processing unit (CPU), memory, and devices for input and output.

Central Processing Unit

The central processing unit is the brains of the computer, made of intricate circuits with millions of tiny electrical parts. Computer programs tell the CPU what data to process and how to process it.

Memory

The CPU is in constant communication with the memory, a storage location that houses everything the processor may be working on at that time (open websites and applications and their contents).

Data Storage

Data is stored on a computer in one of two places—the memory or the storage.

  • Memory: Random access memory (RAM) holds everything a person is working on at that moment. This type of memory is short term and available only if the device is powered on. RAM is a type of volatile storage.
  • Storage: The hard drive is the place where saved files are kept. This type of memory is nonvolatile and can be retrieved even if the power is cut off. USB drives and SD cards are other storage locations.

Methods of Storage

  • Magnetic Disk: Hard drive contain a magnetic disk. Data is physically written on the disk (in the form of bits) by a head attached to the actuator arm (the pointy arm on top of the disk in the picture).

    A hard drive with its casing removed, revealing the magnetic disk and actuator arm inside.

  • Flash Memory: Devices such as flash drives and SD Cards use a series of transistors that are either on (1) or off (0) to store data. Flash memory has no moving parts, is faster and uses less power than magnetic disks.
  • Optical Storage: Data is written on CDs, DVDs, and Blu-Ray Disks using a laser. Users may employ this type of storage to back-up files, which can become evidence in an investigation.

Devices Demonstration

Open Cybersecurity: Devices Demonstration in a new window

Note: The presentation may take a moment to load.

Hidden Data

If a person person is running a lot of applications, the RAM may become full. In that case the computer will move information from the RAM to an area of the hard drive known as swap space. This area of the hard drive could contain a variety of information useful to investigators, including passwords in their unencrypted form.

The computer designates space on the hard drive or other storage device as allocated or unallocated space—space that is, or is not, currently being used. Deleted items and files “swapped” from the memory may be house in the “unallocated space.” Information remains in the unallocated space until it is overwritten. Considering the size of most hard drives, this may never occur. While information in the unallocated space is not readily available to the user, digital forensic scientists can use techniques to retrieve it.

Types of Data

  • Active Data: located in the allocated space of the hard drive and easily retrieved.
  • Latent Data: hidden data (like latent fingerprints), partially overwritten or located in the unallocated space of the hard drive.
  • Archival Data: data that has been backed up, usually on external hard drives, DVDs, or tapes. Depending on when they were archived, these can be difficult to retrieve. If, for example, they were archived on tapes that require outdated equipment to read.

Knowledge Check #3

Which of the following translates binary information into a form that can be understood such as text, pictures, and sound?

  1. software
  2. hard drive
  3. swap space
  4. flash drive

Answer: a. software

Knowledge Check #4

Information on which of the following is most volatile?

  1. random access memory
  2. magnetic disk
  3. flash drive
  4. DVD

Answer: a. random access memory

Knowledge Check #5

Which type of data may be found in unallocated space?

  1. archival data
  2. active data
  3. latent data

Answer: c. latent data

Knowledge Check #6

True or false. Deleted files are removed completely from the hard drive.

  1. True
  2. False

Answer: b. False

Knowledge Check #7

When a computer is turned off, information in which of the following locations will be deleted?

  1. magnetic disk
  2. flash drive
  3. DVD
  4. random access memory

Answer: d. random access memory