Unit 02

Digital Evidence

ISM09204

Dr. Nicodemus M. M.

Digital Evidence
Definition

• Digital evidence is information stored or transmitted in binary form that may be relied on in court.

• Before accepting digital evidence, a court will determine whether the evidence is relevant, whether it is authentic, and whether a copy is acceptable or the original is required.

• Some of the popular electronic devices which are potential sources of digital evidence are: HDD, CD/DVD media, USB drive, biometric scanner, digital camera, smart phone, smart card, PDA, etc.

Digital Evidence
The Importance

• Digital evidence is used to establish a credible link between the attacker, the victim, and the crime scene.

• Digital evidence can serve as direct evidence by "establish[ing] a fact" or as circumstantial evidence by "infer[ring] the truth of a given fact".

• Consider the following hypothetical incident: a racist tweet was posted from a Twitter account (Account A).

• The direct evidence is that Account A was used to post the racist tweet.
• The circumstantial evidence is that the account holder posted the tweet.

Locard's Principle

• Locard's principle, formulated by Dr. Edmond Locard, is a fundamental concept in forensic science that states: "Every contact leaves a trace."

• Wherever a criminal steps, whatever he touches, whatever he leaves, even unconsciously, will serve as a silent witness against him.

• Only human failure to find it, study it and understand it can diminish its value.

Digital Footprint

• In the field of computer forensics, digital traces are left behind as the result of individuals' use of information and communication technology (ICT).

• In particular, a person utilizing ICT leaves a digital footprint, which refers to the data left behind by ICT users.

• A digital footprint can reveal information about the user, including age, gender, race, ethnicity, nationality, sexual orientation, thoughts, preferences, habits, hobbies, medical history and concerns, psychological disorders, employment status, affiliations, relationships, geolocation, routines, and other activities.

• This digital footprint can be active or passive.

Digital Footprint

• An active digital footprint is created by data provided by the user, such as personal information, videos, images, and comments posted on apps, websites, bulletin boards, social media, and other online forums.

• A passive digital footprint is data that is obtained and unintentionally left behind by the users of the Internet and digital technology (e.g., Internet browsing history).

• This data can also be used to prove or disprove a matter being asserted; refute or support the testimony of a victim, witness, or suspect; and/or implicate or exculpate a suspect of a crime.

Read this One

💡 Discover what evidence they collected to incriminate him

Best Evidence Rule

• The rule states that "the court prefers the original evidence at the trial rather than a copy".
• The rule was established to deter any alteration of evidence, whether intentional or unintentional.

• However, the court will accept a duplicate under these conditions:
- The original was lost or destroyed by fire, flood, or other act of God.
- The original was destroyed in the normal course of business.
- The original is in the possession of a third party who is beyond the court's subpoena power.

• This rule has been relaxed to allow duplicates unless there is a genuine question as to the original's authenticity.

Characteristics of Digital Evidence
Admissibility

• The evidence must be in conformity with common law and legislative rules.

• Digital evidence is often ruled inadmissible by courts because it was obtained without authorization.

• In most jurisdictions a warrant is required to seize and investigate digital devices.

• In a digital investigation this can present problems where, for example, evidence of other crimes is identified while investigating one crime.

Characteristics of Digital Evidence
Reliability, Completeness and Convincing to Judges

• Digital evidence is reliable if it was acquired from an undisputed origin.

• Digital evidence is complete if it proves the culprit's actions and helps to reach a conclusion.

• Digital evidence must be convincing and understandable to the judges.

Characteristics of Digital Evidence
Authentication

• The investigator must be able to prove the authenticity of the digital evidence by explaining:
- the reliability of the computer equipment,
- the manner in which the basic data was initially entered,
- the measures taken to ensure the accuracy of the data as entered,
- the method of storing the data and the precautions taken to prevent its loss,
- the reliability of the computer programs used to process the data, and
- the measures taken to verify the accuracy of the programs.

Authentication Challenges

• When compared to traditional evidence (e.g., paper documents, weapons, controlled substances, etc.), digital evidence poses unique authentication challenges because of:
- the volume of available data,
- its velocity (i.e., the speed with which it is created and transferred),
- its volatility (i.e., it can quickly disappear by being overwritten or deleted),
- its fragility (i.e., it can easily be manipulated, altered or damaged).

Handling of Digital Evidence

• Because of its volatility and fragility, protocols need to be followed to ensure that data is not modified during its handling (i.e., during its access, collection, packaging, transfer, and storage).

• These protocols delineate the steps to be followed when handling digital evidence.

• Each country has its own criminal investigation rules, regulations, and procedures on how to process a crime scene.
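A small illustration of the integrity control these handling protocols rely on, added here as an example and not part of the original slides: the duplicate is hashed once at collection, then re-hashed and logged at every later handling step (packaging, transfer, storage), so any modification between steps shows up as a broken chain. The class and function names, handler names and sample bytes are constructed for the example.

```python
import hashlib
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Cryptographic fingerprint used as the evidence integrity reference."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only chain-of-custody record: which step, which handler, when,
    and the hash of the evidence as seen at that step (constructed example)."""

    def __init__(self, item_id: str):
        self.item_id = item_id
        self.entries = []

    def record(self, step: str, handler: str, data: bytes) -> dict:
        entry = {
            "item": self.item_id,
            "step": step,
            "handler": handler,
            "time": datetime.now(timezone.utc).isoformat(),
            "sha256": sha256_hex(data),
        }
        self.entries.append(entry)
        return entry


def acquire(original: bytes, log: CustodyLog, handler: str) -> bytes:
    """Make the bit-for-bit duplicate and anchor its hash as the collection reference."""
    duplicate = bytes(original)
    log.record("collection", handler, duplicate)
    return duplicate


def handle_step(step: str, data: bytes, log: CustodyLog, handler: str) -> bool:
    """Re-hash at a later handling step; True only if the hash still matches collection."""
    entry = log.record(step, handler, data)
    return entry["sha256"] == log.entries[0]["sha256"]


def verify_chain(log: CustodyLog) -> bool:
    """The chain is intact only if every recorded hash equals the collection hash."""
    reference = log.entries[0]["sha256"]
    return all(e["sha256"] == reference for e in log.entries)


if __name__ == "__main__":
    log = CustodyLog("EXHIBIT-001")  # constructed exhibit id
    dup = acquire(b"constructed sample evidence bytes", log, "examiner A")
    handle_step("packaging", dup, log, "examiner A")
    handle_step("transfer", dup, log, "courier B")
    print("chain intact:", verify_chain(log))
```

A single flipped byte anywhere after collection makes the next `handle_step` return False and `verify_chain` fail, which is exactly the "genuine question as to authenticity" the Best Evidence Rule turns on.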

International Standards

• The Scientific Working Group on Digital Evidence (SWGDE) proposed a set of international standards on how to recover, preserve, and examine digital evidence.

• ISO/IEC 27037:2012 also provides guidelines for the identification, collection, acquisition and preservation of digital evidence.

Processing Digital Evidence
General Guidelines

• List all digital assets of the crime scene.
• Systematically gather digital information from the different available resources.
• Reduce the risk of losing evidence by documenting it.
• Perform a deep analysis to identify and organize the digital evidence.
• Reconstruct the circumstances of the case.

Collecting Volatile Evidence

• Volatile evidence should be collected based on the order of volatility; that is, the most volatile evidence should be collected first, and the least volatile should be collected last:
- registers, cache
- routing table, ARP (address resolution protocol) cache, process table, kernel statistics, memory
- temporary file systems
- disk
- remote logging and monitoring data that is relevant to the system in question
- physical configuration, network topology
- archival media

Protocol: Guidelines for Evidence Collection and Archiving (RFC 3227)

Categories of Digital Evidence

• The first type, computer-generated records, can be defined as any type of data that is maintained by the system and its components.
• They are generated by computer processes or algorithms without user intervention, such as log files and notifications triggered by management systems.

• The other type, computer-stored records, is electronic data stored in a computer's main memory or on an external digital device such as a USB drive.

• Some records contain both types, such as Microsoft Excel sheets that contain computer-generated records (e.g., the result of a mathematical formula in the spreadsheet) as well as computer-stored records entered by the user.

First Responder

• First responders are the individuals who are first on the scene of a digital incident or crime.

• The first responder must be prepared to collect the evidence from the crime scene in a manner that is accepted by the court.

• Therefore, the availability of a trusted digital forensics toolkit is necessary for the first responder.

Common Mistakes FR Should Avoid

• Do not shut off or reboot the machine. This will erase all the valuable data present in the volatile devices.

• Do not assume that any part of the victim/suspicious computer is reliable.

• Take precautions and follow procedures; otherwise you may accidentally trigger malware which will affect, change or delete volatile data.