FAQs
What kind of results can be expected from analysis of digital evidence?
If evidence collection and analysis are conducted properly, examiners can recover information, such as message exchanges, images and documents, that supports claims of criminal activity. The examiner generally provides the supporting material with relevant items highlighted, together with a report detailing the steps taken to extract the data. As with evidence of other types, chain of custody and proper collection and extraction techniques are critical to the credibility of evidence and must be thoroughly documented.
What are the limitations regarding the evidence that can be gained from digital devices?
Investigative limitations are primarily due to encryption and proprietary systems that require decoding before data can even be accessed. Unlike what is portrayed on popular television crime shows, cracking an encrypted password can take a very long time, even with sophisticated software.
There are both legal and technical limitations in this area of investigation. Laws governing processing and prosecution are different from state to state. Digital crime can easily cross jurisdictions, making standardization an increasingly critical law enforcement issue.
Data ownership can be an issue as well. In a recent ruling in Colorado, the holder of a password was compelled to divulge the password, but in doing so did not have to admit knowledge or ownership of the data protected by the password [1]. This is akin to a landlord being able to unlock a rental apartment with no responsibility for what might be inside the unit. In this case, it would still be up to the investigator to tie the two together.
Wiretapping laws can also come into play, particularly with regard to mobile phone seizure. Intercepting a call without a court order violates an expectation of privacy. Even after a phone has been seized, any calls or messages received by that phone cannot be used, as the holders of the phone (law enforcement) are not the intended recipients.
Privacy laws and issues are the most limiting areas of search. Without proper authority to search or seize electronics, the information contained on the device may not be used. Internet and personal device privacy laws can be confusing. In addition, people’s understanding of privacy tends to be generational: younger people tend to believe they should have access to information freely but that their movements and communications are inherently private; older users tend to understand that their movements and communications can be tracked and have a lesser expectation of privacy. To date there has been no major case law to clearly define new limits in the United States.
In the United Kingdom examiners usually follow guidelines issued by the Association of Chief Police Officers (ACPO) for the authentication and integrity of evidence. The guidelines consist of four principles:
- No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.
- In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
- An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
- The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.
These guidelines are widely accepted in courts of England and Scotland, but they do not constitute a legal requirement and their use is voluntary.
How is quality control and assurance performed?
Quality control and assurance is similar to other forensic specialties in that the laboratory, as well as its responders and analysts, must have and follow written guidelines. The Scientific Working Group on Digital Evidence (SWGDE) brings together organizations actively engaged in the field of digital and multimedia evidence in the U.S. and other countries to foster communication and cooperation as well as to ensure quality and consistency within the forensic community. SWGDE practices have been cited by the European Network of Forensic Science Institutes - Forensic Information Technology Working Group (ENFSI-FITWG) and in publications.
According to SWGDE’s Minimum Requirements for Quality Assurance in the Processing of Digital and Multimedia Evidence, Digital Evidence Laboratories (DEL) must have and follow a written Quality Management System (QMS) that is documented in a Quality Manual (QM). The QMS is similar to those in other types of forensic laboratories in that it defines the structure, responsibilities, procedures, processes, and resources needed for sound and error-free work and documentation.
To ensure the most accurate analysis of evidence, the management of forensic laboratories puts in place policies and procedures that govern facilities and equipment, methods and procedures, and analyst qualifications and training. Depending on the state in which it operates, a crime laboratory may be required to achieve accreditation to verify that it meets quality standards. There are two internationally recognized accrediting programs focused on forensic laboratories: the American Society of Crime Laboratory Directors Laboratory Accreditation Board (ASCLD/LAB) and the ANSI-ASQ National Accreditation Board / FQS.
What information does the report include and how are the results interpreted?
Like other forms of evidence, digital evidence must remain pristine and unaltered. In a courtroom, text messages would most likely be shared on the actual phone or digital device, but other evidence might be printed out, such as a string of emails or email headers.
This can show a track record of information exchange, and the “hash value”, also referred to as a checksum, hash code or hash, is the mark of authenticity and must be present and explained to courtroom participants.
A hash value is the result of a calculation (a hash algorithm) performed on a string of text, an electronic file or the entire contents of a hard drive. Hash values are used to identify and filter duplicate files (e.g., emails, attachments, and loose files) from a given source and to verify that a forensic image or clone was captured successfully. For example, a hash function performed on a suspect’s hard drive should generate a hash value report that exactly matches the report generated by running the same algorithm on the hard drive’s image, typically created by the laboratory for use in the investigation.
Hash values are a reliable, fast, and secure way to compare the contents of individual files and media. Whether it is a single text file containing a phone number or five terabytes of data on a server, calculating hash values is an invaluable process for evidence verification in electronic discovery and computer forensics.
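The two uses of hash values described above, verifying that an image matches the original media and filtering duplicate files, are shown below in an added Python example that is not part of the original FAQ. The suspect's drive, the laboratory's image and the sample files are constructed byte strings held in memory (an assumption made so the example runs offline); real evidence would be fed through the same chunked hashing functions from a block device or image file. A single altered byte in the image is enough to make the hashes differ, which is exactly why an independent party can repeat the calculation and confirm the same result.

```python
"""Hash-based verification of a forensic image and duplicate filtering.

Added example, not code from the original FAQ. Uses only the standard library.
"""
import hashlib
from typing import Dict, Iterable, List, Tuple

CHUNK_SIZE = 1 << 20  # 1 MiB: media are hashed piece by piece, never loaded whole


def hash_chunks(chunks: Iterable[bytes], algorithm: str = "sha256") -> str:
    """Feed data to the hash in pieces. Both sides of a comparison must use the
    same algorithm; a SHA-256 report can never be matched against an MD5 one."""
    h = hashlib.new(algorithm)
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def hash_bytes(data: bytes, algorithm: str = "sha256") -> str:
    """Hash an in-memory object (a message, a file, or a whole image) chunk by chunk."""
    return hash_chunks(
        (data[i:i + CHUNK_SIZE] for i in range(0, len(data), CHUNK_SIZE)),
        algorithm,
    )


def verify_image(source: bytes, image: bytes,
                 algorithm: str = "sha256") -> Tuple[bool, str, str]:
    """Acquisition check: the image is usable only if both hashes match exactly.
    Returns (matched, source_hash, image_hash) so both values can go in the report."""
    source_hash = hash_bytes(source, algorithm)
    image_hash = hash_bytes(image, algorithm)
    return source_hash == image_hash, source_hash, image_hash


def group_by_hash(files: Dict[str, bytes],
                  algorithm: str = "sha256") -> Dict[str, List[str]]:
    """Map each hash value to the paths whose content produced it."""
    groups: Dict[str, List[str]] = {}
    for path, content in files.items():
        groups.setdefault(hash_bytes(content, algorithm), []).append(path)
    return groups


def duplicate_sets(files: Dict[str, bytes],
                   algorithm: str = "sha256") -> List[List[str]]:
    """Groups of paths with identical content, so each item is reviewed once."""
    return [paths for paths in group_by_hash(files, algorithm).values() if len(paths) > 1]


# Constructed sample data (assumption: stands in for a drive, its image, and loose files).
SUSPECT_DRIVE = b"\x00" * 512 + b"message: meet at the usual place 21:00\n" + b"\xff" * 512
LAB_IMAGE = bytes(SUSPECT_DRIVE)              # faithful copy: hashes will match
DAMAGED_IMAGE = SUSPECT_DRIVE[:-1] + b"\xfe"  # last byte differs: acquisition failed or altered

SAMPLE_FILES = {
    "inbox/msg001.eml": b"From: a@example.test\nSubject: hi\n\nsee attached\n",
    "inbox/msg001_copy.eml": b"From: a@example.test\nSubject: hi\n\nsee attached\n",
    "desktop/notes.txt": b"phone: 555-0100\n",
    "downloads/notes(1).txt": b"phone: 555-0100\n",
    "desktop/other.txt": b"phone: 555-0101\n",
}

if __name__ == "__main__":
    for label, image in (("lab image", LAB_IMAGE), ("damaged image", DAMAGED_IMAGE)):
        ok, src, img = verify_image(SUSPECT_DRIVE, image)
        print(f"{label}: {'MATCH' if ok else 'MISMATCH'}\n  source {src}\n  image  {img}")
    for paths in duplicate_sets(SAMPLE_FILES):
        print("duplicate content:", ", ".join(sorted(paths)))
```

Run as a script it prints the two hash values side by side for the good and the damaged image and then lists the files that share content; the same functions accept an iterator of chunks read from a device or image file, which is how they would be applied to real media.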
Once verified, the information pulled from the files, such as photos or emails, can be shown in the courtroom. In addition, email headers, showing the path and timing of emails from source to destination, could be displayed.
Are there any misconceptions or anything else about digital evidence that might be important to the non-scientist?
There are a number of common misperceptions about the retrieval and usefulness of digital evidence, including:
- Anything on a hard drive or other electronic media can always be retrieved. This is incorrect, as over-written or damaged files, or physical damage to the media, can render it unreadable. Highly specialized laboratories with clean rooms may be able to examine hard drive components and reconstruct data, but this process is very laborious and extremely expensive.
- Decrypting a password is quick and easy, with the right software. With the increasing complexity of passwords, including capitals, numbers, symbols and password length, there are billions of potential passwords. Decryption can take a great deal of time, up to a year in some cases, using system resources and holding up investigations. Gathering passwords from those involved in a case is much more efficient and should be done whenever possible.
- Any digital image can be refined to high definition quality. Images can be very useful for investigations, but a low resolution image is made by capturing fewer bits of data (pixels) than a higher resolution photo. Pixels that are not there in the first place cannot be refined.
- Investigators can look at digital evidence at the crime scene or any time. Just looking at a file list does not damage the evidence. It is crucial to note that opening, viewing or clicking on files can severely damage forensic information because it can change the last access date of a file or a piece of hardware. This changes the evidence profile and can be considered tampering with evidence, or even render it completely inadmissible. Only investigators with the proper tools and training should be viewing and retrieving evidence.
- First responder training lags behind advancements in electronics. Without regular updates to their training, responders may not be aware of what new digital devices might be in use and subject to collection. For example, there should be an awareness that thumb drives and SD cards can be easily removed and discarded by a suspect in the course of an encounter with law enforcement.