How It’s Done
Evidence that May be Gathered Digitally
Computer documents, emails, text and instant messages, transactions, images and Internet histories are examples of information that can be gathered from electronic devices and used very effectively as evidence. For example, mobile devices use online-based based backup systems, also known as the “cloud”, that provide forensic investigators with access to text messages and pictures taken from a particular phone. These systems keep an average of 1,000–1,500 or more of the last text messages sent to and received from that phone.
In addition, many mobile devices store information about the locations where the device traveled and when it was there. To gain this knowledge, investigators can access an average of the last 200 cell locations accessed by a mobile device. Satellite navigation systems and satellite radios in cars can provide similar information. Even photos posted to social media such as Facebook may contain location information. Photos taken with a Global Positioning System (GPS)-enabled device contain file data that shows when and exactly where a photo was taken. By gaining a subpoena for a particular mobile device account, investigators can collect a great deal of history related to a device and the person using it.
Who Conducts the Analysis
According to the National Institute of Justice, “Digital evidence should be examined only by those trained specifically for that purpose.” With the wide variety of electronic devices in use today and the speed with which they change, keeping up can be very difficult for local law enforcement. Many agencies do not have a digital evidence expert on hand and, if they do, the officer might be a specialist in cell phones but not social media or bank fraud. A detective may be able to log onto e-Bay® and look for stolen property but may be unable to capture cell phone text message histories and could destroy evidence just by trying. Many take an interest in the area and learn what they can, but there is no single path to digital evidence expertise—qualifications and certifications are not standardized across the country. Incorporation of digital seizure techniques is becoming more widespread in first responder training.
Certified Digital Media Examiners are investigators who have the education, training and experience to properly exploit this sensitive evidence. That said, there is no single certifying body, and certification programs can contain different courses of study. Generally speaking, these professionals have demonstrated core competencies in pre-examination procedures and legal issues, media assessment and analysis, data recovery, specific analysis of recovered data, documentation and reporting, and presentation of findings. While certification of examiners is not required in most agencies, it is becoming a widely valued asset and the numbers of certified examiners will increase. Vendor-neutral (not software based, but theory- and process-based) certification is offered through the Digital Forensics Certification Board (DFCB), an independent certifying organization for digital evidence examiners, the National Computer Forensics Academy at the High Tech Crime Institute and some colleges.
Most states have at least one laboratory or section for digital forensics and a variety of task forces including Internet Crimes Against Children (ICAC), Joint Terrorism Task Force (JTTF), and Narcotics and Property Crimes. These forces comprise officers with specialized training, including search, seizure and exploitation of digital evidence as it pertains to their area of expertise. Agencies and investigators must work together to ensure the highest level of security and evidence handling is used. In the United States, the FBI can provide assistance in some specialty areas.
How Digital Devices are Collected
On the scene: As anyone who has dropped a cell phone in a lake or had their computer damaged in a move or a thunderstorm knows, digitally stored information is very sensitive and easily lost. There are general best practices, developed by organizations like SWGDE and NIJ, to properly seize devices and computers. Once the scene has been secured and legal authority to seize the evidence has been confirmed, devices can be collected. Any passwords, codes or PINs should be gathered from the individuals involved, if possible, and associated chargers, cables, peripherals, and manuals should be collected. Thumb drives, cell phones, hard drives and the like are examined using different tools and techniques, and this is most often done in a specialized laboratory.
First responders need to take special care with digital devices in addition to normal evidence collection procedures to prevent exposure to things like extreme temperatures, static electricity and moisture.
Seizing Mobile Devices
• Devices should be turned off immediately and batteries removed, if possible. Turning off the phone preserves cell tower location information and call logs, and prevents the phone from being used, which could change the data on the phone. In addition, if the device remains on, remote destruction commands could be used without the investigator’s knowledge. Some phones have an automatic timer to turn on the phone for updates, which could compromise data, so battery removal is optimal.
• If the device cannot be turned off, then it must be isolated from its cell tower by placing it in a Faraday bag or other blocking material, set to airplane mode, or the Wi-Fi, Bluetooth or other communications system must be disabled. Digital devices should be placed in antistatic packaging such as paper bags or envelopes and cardboard boxes. Plastic should be avoided as it can convey static electricity or allow a buildup of condensation or humidity.
In emergency or life threatening situations, information from the phone can be removed and saved at the scene, but great care must be taken in the documentation of the action and the preservation of the data.
• When sending digital devices to the laboratory, the investigator must indicate the type of information being sought, for instance phone numbers and call histories from a cell phone, emails, documents and messages from a computer, or images on a tablet.
Seizing Stand Alone Computers and Equipment: To prevent the alteration of digital evidence during collection, first responders should first document any activity on the computer, components, or devices by taking a photograph and recording any information on the screen. Responders may move a mouse (without pressing buttons or moving the wheel) to determine if something is on the screen. If the computer is on, calling on a computer forensic expert is highly recommended as connections to criminal activity may be lost by turning off the computer. If a computer is on but is running destructive software (formatting, deleting, removing or wiping information), power to the computer should be disconnected immediately to preserve whatever is left on the machine.
Office environments provide a challenging collection situation due to networking, potential loss of evidence and liabilities to the agency outside of the criminal investigation. For instance, if a server is turned off during seizure that is providing a service to outside customers, the loss of service to the customer may be very damaging. In addition, office equipment that could contain evidence such as copiers, scanners, security cameras, facsimile machines, pagers and caller ID units should be collected.
Computers that are off may be collected into evidence as per usual agency digital evidence procedures.
How and Where the Analysis is Performed
Exploiting data in the laboratory: Once the digital evidence has been sent to the laboratory, a qualified analyst will take the following steps to retrieve and analyze data:
1. Prevent contamination: It is easy to understand cross contamination in a DNA laboratory or at the crime scene, but digital evidence has similar issues which must be prevented by the collection officer. Prior to analyzing digital evidence, an image or work copy of the original storage device is created. When collecting data from a suspect device, the copy must be stored on another form of media to keep the original pristine. Analysts must use “clean” storage media to prevent contamination or the introduction of data from another source. For example, if the analyst was to put a copy of the suspect device on a CD that already contained information, that information might be analyzed as though it had been on the suspect device. Although digital storage media such as thumb drives and data cards are reusable, simply erasing the data and replacing it with new evidence is not sufficient. The destination storage unit must be new or, if reused, it must be forensically “wiped” prior to use. This removes all content, known and unknown, from the media.
2. Isolate Wireless Devices: Cell phones and other wireless devices should be initially examined in an isolation chamber, if available. This prevents connection to any networks and keeps evidence as pristine as possible. The Faraday bag can be opened inside the chamber and the device can be exploited, including phone information, Federal Communications Commission (FCC) information, SIM cards, etc. The device can be connected to analysis software from within the chamber. If an agency does not have an isolation chamber, investigators will typically place the device in a Faraday bag and switch the phone to airplane mode to prevent reception.
3. Install write-blocking software: To prevent any change to the data on the device or media, the analyst will install a block on the working copy so that data may be viewed but nothing can be changed or added.
4. Select extraction methods: Once the working copy is created, the analyst will determine the make and model of the device and select extraction software designed to most completely “parse the data,” or view its contents.
5. Submit device or original media for traditional evidence examination: When the data has been removed, the device is sent back into evidence. There may be DNA, trace, fingerprint, or other evidence that may be obtained from it and the digital analyst can now work without it. Learn more about DNA, trace evidence, or fingerprints ▸
6. Proceed with investigation: At this point, the analyst will use the selected software to view data. The analyst will be able to see all the files on the drive, can see if areas are hidden and may even be able to restore organization of files allowing hidden areas to be viewed. Deleted files are also visible, as long as they haven’t been over-written by new data. Partially deleted files can be of value as well.
Files on a computer or other device are not the only evidence that can be gathered. The analyst may have to work beyond the hardware to find evidence that resides on the Internet including chat rooms, instant messaging, websites and other networks of participants or information. By using the system of Internet addresses, email header information, time stamps on messaging and other encrypted data, the analyst can piece together strings of interactions that provide a picture of activity.