Unit IV
Digital Evidence
Total Marks: 08
Prepared By:
Mr. A. A. Patel Khan
Definition of Digital Evidence
• Digital evidence is information stored or transmitted in
binary form that may be relied on in court.
• Digital evidence or electronic evidence is any probative
information stored or transmitted digitally and a party to a
judicial dispute in court can use the same during the trial.
Best Evidence Rule for Digital Evidence
The "Best Evidence Rule" says that an original writing must
be offered as evidence unless it is unavailable, in which case
other evidence, like copies, notes, or other testimony, can be
used.
There are five rules of collecting
electronic evidence.
These relate to five properties that evidence
must have to be useful.
• Admissible: This is the most basic rule; the evidence must
be usable in court or otherwise.
• Authentic: You must be able to show that the evidence
relates to the incident in a relevant way.
• Complete: The evidence must tell the whole story, not just
one perspective of the incident; it should include evidence
that could prove innocence as well as guilt.
• Reliable: The evidence you collect must be reliable. Your
evidence collection and analysis procedures must not cast
doubt on the evidence's authenticity and veracity.
• Believable: The evidence you present should be clearly
understandable and believable by a jury. There’s no point
presenting a binary dump of process memory if the jury
has no idea what it all means. Similarly, if you present
them with a formatted, human-understandable version,
you must be able to show the relationship to the original
binary, otherwise there’s no way for the jury to know
whether you’ve faked it.
Locard's Exchange Principle
• Locard’s exchange principle says that, in the
physical world, whenever perpetrators enter or
leave a crime scene, they will leave something
behind and take something with them. Examples
include DNA, latent prints, hair, and fibers
(Saferstein, 2006).
• The same holds true in digital forensics. Registry
keys and log files can serve as the digital
equivalent to hair and fiber (Carvey, 2005). As
with DNA, our ability to detect and analyze these
artifacts relies heavily on the technology
available at the time. Look at the numerous cold
cases that are being solved now as a result of
the significant advances in DNA science.
Viewing a device or incident through the “lens”
• "Wherever he steps, whatever he touches,
whatever he leaves, even unconsciously, will serve
as a silent witness against him. Not only his
fingerprints or his footprints, but his hair, the
fibres from his clothes, the glass he breaks, the
tool mark he leaves, the paint he scratches, the
blood or semen he deposits or collects. All of
these and more, bear mute witness against him.
This is evidence that does not forget. It is not
confused by the excitement of the moment. It is
not absent because human witnesses are. It is
factual evidence. Physical evidence cannot be
wrong, it cannot perjure itself, it cannot be wholly
absent. Only human failure to find it, study and
understand it, can diminish its value."
Digital Stream of Bits
• A bit-stream image is a sector-by-sector / bit-by-bit copy of
a hard drive. A bit-stream image is actually a set of files
that can be used to create an exact copy of a hard drive,
preserving all latent data in addition to the files and
directory structures. A bit-stream image can be read by the
majority of the tools used by the Computer Forensics
Examiner to analyze the hard drive, such as EnCase, FTK,
ProDiscover and many others. By utilizing the bit-stream
image, the Computer Forensics Examiner takes no risk of
contaminating the original evidence.
• The Computer Forensics Examiner creates the bit-stream
image by attaching the original computer media to a write
protection device that ensures no writes can take place to
the original media while
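As an added example (not part of these slides), the constructed Python model below shows what the two bullets above describe: a write-blocked original, a sector-by-sector image that preserves latent data in unallocated sectors, and a file-level copy that loses it. The 8-sector sample drive, its allocation table and the WriteBlockedMedia class are assumptions made for the demonstration; comparing hashes of the image and the original is standard practice that the slide itself does not spell out.

```python
import hashlib

SECTOR = 512

class WriteBlockedMedia:
    """Read-only stand-in for the hardware write blocker the slide describes
    (constructed for this example, not a real device driver)."""
    def __init__(self, raw: bytes):
        self._raw = raw

    def sector_count(self) -> int:
        return len(self._raw) // SECTOR

    def read_sector(self, n: int) -> bytes:
        return self._raw[n * SECTOR:(n + 1) * SECTOR]

    def write_sector(self, n: int, data: bytes) -> None:
        # Every write path is refused, so the original media cannot be altered.
        raise PermissionError("write blocked: original evidence is read-only")

def build_sample_drive():
    """Constructed 8-sector 'drive': one listed file plus a deleted-file
    remnant left behind in an unallocated sector (latent data)."""
    sectors = [b"\x00" * SECTOR for _ in range(8)]
    sectors[2] = b"invoice.txt: amount due 4200".ljust(SECTOR, b"\x00")
    sectors[6] = b"DELETED: moved 4200 to second account".ljust(SECTOR, b"\x00")
    allocation = {"invoice.txt": [2]}  # sectors the file system still lists
    return b"".join(sectors), allocation

def bitstream_image(media: WriteBlockedMedia) -> bytes:
    """Sector-by-sector copy of every sector, allocated or not."""
    return b"".join(media.read_sector(i) for i in range(media.sector_count()))

def logical_copy(media: WriteBlockedMedia, allocation: dict) -> bytes:
    """File-level copy: only the sectors the file system still lists."""
    return b"".join(media.read_sector(i) for secs in allocation.values() for i in secs)

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def demo() -> dict:
    raw, allocation = build_sample_drive()
    media = WriteBlockedMedia(raw)
    image, logical = bitstream_image(media), logical_copy(media, allocation)
    return {
        "image_matches_original": sha256(image) == sha256(raw),  # True
        "latent_in_image": b"DELETED:" in image,                 # True
        "latent_in_logical_copy": b"DELETED:" in logical,        # False
    }
```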
Types of Digital Evidence
• Illustrative: Illustrative evidence refers to evidence that illustrates testimony but does
not by itself prove anything. For example, a computer animation used to illustrate a
witness’s testimony is offered to support the related substantive evidence (the testimony
) rather than as proof of something itself.
• Electronic: Digital Evidence, also known as electronic evidence, is data or information
that exists in digital format, that 'can prove' or 'reveal the truth' about a crime and can
be relied upon and used in a court of law.
• Documentary: Documentary evidence is any evidence that is, or can be, introduced at a
trial in the form of documents, as distinguished from oral testimony. Documentary
evidence is most widely understood to refer to writings on paper (such as an invoice, a
contract or a will), but the term can also apply to any media by which information can be
preserved, such as photographs; a medium that needs a mechanical device to be viewed,
such as a tape recording or film; and a printed form of digital evidence, such as emails
or spreadsheets.
• Explainable:
• Substantial: Substantial Evidence refers to evidence that a reasonable mind could
accept as adequate to support a conclusion. It also refers to the product of adequately
controlled investigations, including clinical studies, carried out by qualified experts, that
establish the effectiveness of a drug under FDA regulations.
• Testimonial: Testimonial Evidence is a person's testimony offered to prove the truth
of the matter asserted. Especially, evidence elicited from a witness. This is also termed
communicative evidence.
• Testimonial evidence is viewed by the court to be the simplest type of evidence. It does
not require any other piece of evidence to support it or make it legitimate. Testimonial
evidence is typically that of any statement made by a witness or other person during the
course of the trial.
Challenges In Digital Evidence Handling
Technical Challenges
• Encryption
• Steganography
• Covert Channel
• Data hiding in storage space
• Residual Data Wiping
• Trail Obfuscation
• Attacking the tools
• Attacking the investigators
Resource Challenges
• Depending on the scenario, the volume of data involved in the case might be
large. In that case the investigator has to go through all the collected data in
order to gather evidence. It may take more time for the investigation. Since
time is a limiting factor, it becomes another major challenge in the field of
digital forensics.
• In volatile memory forensics, since the data stored in the volatile memory is
ephemeral, user activities are overwritten in the volatile memory. Therefore
investigators can analyze only recent information that is stored on the
volatile memory. This reduces the forensic value of the data for the
investigation.
• When collecting data from the source, an investigator must make sure that
none of the data is modified or missed during the investigation, and the data
must be well secured.
• Data sources which are damaged cannot be easily used in investigations. So
it is a major issue when an investigator finds a valuable source that is not
usable.
Legal Challenges
• Privacy is also important to any organization or victim. In many cases it may
be required that the computer forensics expert share the data or
compromise privacy to get to the truth. A private company or an individual
user might generate lots of private information in their day to day usage. So
asking an investigator to examine their data might risk their privacy being
revealed.
Authentication of Evidence
• Authentication, in the law of evidence, is the
process by which documentary evidence and
other physical evidence is proven to be genuine,
and not a forgery. Generally, authentication can
be shown in one of two ways. First, a witness can
testify as to the chain of custody through which
the evidence passed from the time of the
discovery up until the trial. Second, the evidence
can be authenticated by the opinion of an
expert witness examining the evidence to
determine if it has all of the properties that it
would be expected to have if it were authentic.
Chain of Custody
• Chain of custody (CoC), in legal contexts, is the
chronological documentation or paper trail that records the
sequence of custody, control, transfer, analysis, and
disposition of physical or electronic evidence. Of particular
importance in criminal cases, the concept is also applied in
civil litigation—and sometimes more broadly in drug testing
of athletes, and in supply chain management, e.g. to improve
the traceability of food products, or to provide assurances
that wood products originate from
sustainably managed forests. It is often a tedious process
that has been required for evidence to be shown legally in
court. Now however, with new portable technology that
allows accurate laboratory quality results from the scene of
the crime, the chain of custody is often much shorter which
means evidence can be processed for court much faster.
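The chain of custody described above is a chronological record of every custody, transfer and analysis event. As an added example (not part of these slides), the Python below keeps such a record where each entry carries the hash of the evidence item and the hash of the previous entry, so a retroactive edit, a reordered entry or a substituted evidence file is detected on verification. The custodians, timestamps and evidence bytes are constructed sample data; hash linking is an assumption about how the log is protected, not something the slide prescribes.

```python
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def add_custody_entry(log: list, custodian: str, action: str,
                      evidence: bytes, when: str) -> dict:
    """Append one custody event: who, what, when, the hash of the evidence
    item, and the hash of the previous entry. Linking entries this way makes
    any later edit or reordering of the record detectable."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    body = {"seq": len(log), "when": when, "custodian": custodian,
            "action": action, "evidence_sha256": sha256_hex(evidence),
            "prev_entry_hash": prev}
    entry = dict(body, entry_hash=sha256_hex(json.dumps(body, sort_keys=True).encode()))
    log.append(entry)
    return entry

def verify_chain(log: list, evidence: bytes) -> tuple:
    """Recompute every link; return (ok, reason) with the first break found."""
    prev = "0" * 64
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body["seq"] != i or body["prev_entry_hash"] != prev:
            return False, f"entry {i}: sequence or link mismatch"
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            return False, f"entry {i}: entry altered after it was recorded"
        if body["evidence_sha256"] != sha256_hex(evidence):
            return False, f"entry {i}: evidence hash differs from the item in hand"
        prev = entry["entry_hash"]
    return True, "chain intact"

def demo() -> tuple:
    evidence = b"constructed stand-in for an evidence image file"  # sample input
    log = []
    add_custody_entry(log, "Officer A", "seized at scene", evidence, "2024-01-05T09:12Z")
    add_custody_entry(log, "Examiner B", "received for imaging", evidence, "2024-01-05T14:30Z")
    add_custody_entry(log, "Examiner B", "analysis complete", evidence, "2024-01-08T11:00Z")
    intact = verify_chain(log, evidence)[0]
    tampered = [dict(e) for e in log]
    tampered[1]["custodian"] = "Unknown"  # retroactive edit of a historic entry
    return intact, verify_chain(tampered, evidence)[0]
```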
Evidence Validation
• Validation is intended to ensure a product, service,
or system (or portion thereof, or set thereof) results
in a product, service, or system (or portion thereof, or
set thereof) that meets the operational needs of the
user.
• Validation is the process of establishing documentary
evidence demonstrating that a procedure, process, or activity
carried out in testing and then in production maintains the
desired level of compliance at all stages. Examples from other
fields include facilities validation, HVAC system validation,
cleaning validation and process validation.
Volatile Evidence
• The computer forensic investigator must trace, filter, and
extract hidden data during the process.
• Some evidence cannot stay for long. Such evidence is called
volatile evidence because it needs a consistent power supply
for storage. There is also evidence that contains information
that keeps changing.