To bring the guilty to justice, correctly collecting, analyzing, and presenting the right evidence is essential. Before proceeding with the investigation, however, you need to know where and how to look for each kind of digital evidence.
After all, collecting different types of digital evidence requires different tools and methodologies to be used in the process.
Digital evidence can be almost anything: logs, video footage, images, archives, temporary files, replicant data, residual data, metadata, active data, and even data stored in a device’s RAM (volatile data), as long as it counts as a clue in a digital investigation.
To get a better understanding of handling essential types of digital evidence during an investigation, we’re going to go through each of these and cover any intricacies that might be involved.
1. Logs
Logs belong in the visible data type category, which can be anything from:
OS logs
Examples include events pertaining to system access, security alerts, the duration of a user’s login session, when the device was shut down, etc.
Typically, OS logs are stored in a particular system directory (the exact location depends on the operating system in use).
Database logs
Since they mostly reveal what changes were made to a particular database, these can be a vital source of crime evidence as well as a useful approach for debugging and troubleshooting in the unfortunate event of any technical issues with the database in question.
At any rate, professional industry-grade tools like DBF by SalvationDATA will help you get past any kind of database encryption with ease, while giving you insight into a wide array of digital crime without requiring any expertise whatsoever.
Email logs
Often presented in CSV format, email logs can reveal details about the sender and the message: the sender’s email address, time and date of delivery, delivery status, cc, bcc, subject, content type, and error codes (if applicable). Much of this information is also stored in the email’s header.
As we’ve elaborated in our latest email forensics guide, many cyber criminals use email as their go-to communication channel for the purposes of extortion, financial crime, and distributing illegal materials.
Alongside email logs, any file attachments also count as one of the evidence types, so they should be closely examined, right along with the server logs through which the email was sent.
Software logs
Just like OS logs, certain software logs count among the most important sources of digital evidence.
Among other things, they contain details regarding what action was performed while the program was running as well as indicate any errors or crashes that can be used for debugging purposes.
Each application stores its logs in its own pre-defined location, which may or may not be the installation directory.
Network logs
These can be viewed as different types of evidence because they also contain clues about what an individual was doing on the internet, including what websites that person has visited, what messages were exchanged with another party, and what the content of the messages was.
A digital forensics examiner should let evidence reveal the truth, so be on the lookout for timestamps and IP addresses – two crucial evidence types that will serve as proof in a court of law.
Door access records
If the investigation involves smart home or corporate security and the question is who accessed the premises and at what time, door access records are a good example of crime scene evidence of a digital nature, and they help solve property-related cases such as burglary.
Phone logs
A phone holds various kinds of evidence, including photos taken, videos recorded, system logs, app logs, and call logs, the latter of which contain crucial details such as the duration of a call, inbound and outbound numbers, etc.
Mobile forensics experts also analyze and examine other types of digital evidence that can be found on a mobile device, including geo indicators (where the device has traveled) and EXIF data the photos may store.
IP logs
Since everyone who browses the internet gets assigned a unique IP address, knowing this crucial detail allows a digital forensics investigator to trace the user’s real identity and physical location by cooperating with ISPs.
IP logs are often a crucial source of evidence when trying to hunt down a cyber-criminal.
Server logs
These kinds of logs are like a digital journal that records the events taking place on a server. Examples include the IP addresses that connected to the server at any point in time, the duration of each session, error entries, the usernames used at the time of access, etc.
Drilling further down, server logs can be sub-categorized into error logs, availability logs, resource logs, event logs, change logs, authorization logs, system logs, and threat logs, among others.
Device fingerprints
Evidence can be found on many categories of devices, and each device can generate a unique fingerprint consisting of its hardware specs, the OS it’s running (down to the exact version), and even odd bits and pieces such as the graphics drivers in use or which fonts are installed.
Therefore, even if a cybercriminal attempts to mask their IP when connecting to a server, the device fingerprint can be collected regardless.
To conduct log forensics effectively, the key thing an investigator should know about logs of any kind is that they are written to the device automatically, either by installed software or by the operating system itself.
Their primary purpose is to record not only the events that happened within the scope of the user’s actions but also automated processes such as updates and maintenance and other system events.
At the same time, software and system logs also contain a wealth of information about access or security errors as well as warnings and notifications.
2. Video Footage and Images
Out of all the types of digital evidence, video footage and images can be classified as the visible data type, just like the logs we discussed earlier.
There are many types of digital evidence that fall into this category, including CCTV footage, videos recorded on a mobile device, digital camera footage, voice recordings, etc.
However, unlike your typical logs, multimedia files may require specialized tools to investigate that go beyond typical multimedia players.
Retrieving video evidence – a practical example
To give you a practical example, let’s suppose your law enforcement department is tasked with having to retrieve CCTV footage from a no-name brand surveillance system. Even if you manage to dismantle the device and retrieve the files in a forensically sound manner, you’re still going to need to find a way to open them somehow to examine their contents.
Therein lies the first problem.
Since surveillance systems are known to use their own file systems and container formats that often fall well outside the ordinary (you’ll rarely see plain MPG, MP4, or AVI files), your department could spend hours on end trying to find the right playback software to access them, while also running into a wide array of video file errors.
Therefore, the only solution that is viable in practice is employing a professional video forensics tool like VIP 2.0 by SalvationDATA.
Since it supports the formats used by almost any DVR and NVR device in existence, you will be able to crack the case in record time by accessing a wide array of file formats without issues, all while preserving the integrity of the files, and with built-in reporting and 24/7 access to customer support.
Also, VIP 2.0 comes with integrated recognition features such as motion detection, thus allowing you to automatically find the exact section of the video footage that contains valuable digital evidence for your case.
3. Archives
Since archives are regular files accessible straight from the file explorer, they fall into the visible data type group.
Various types of evidence can come in the form of an archive, whether it be:
Zip/Rar/similar files
Databases
Backups
Software-specific archives
etc.
Technically, since they can contain all sorts of extractable file formats, archives can be regarded as a wildcard source of evidence, which contains anything from:
Images
Text files
Documents
Source codes
Videos
or even other archives.
The main purpose of archives is to prevent data loss in the unfortunate event that the original files get damaged, deleted, or corrupted, thus serving as a source of backup to restore them to their prior functional state.
At the same time, these can serve as a vital source of evidence that could contain data that is in one or more ways relevant to cracking the case at hand.
However, what makes working with this type of digital evidence particularly challenging is that these archives are often password protected, rendering their contents inaccessible.
In cases like these, the only reliable way to get past such defenses is by using industry-grade digital forensics tools like DRS by SalvationDATA. Moreover, this digital forensics tool lets you extract data from the archive even if it’s corrupted, and all that with a single click.
4. Active Data
Have you ever noticed how popular content editors and word processors like Microsoft Word often create temporary files on your hard drive while you’re in the midst of typing and working on a document?
This is what’s referred to as active data and it’s a visible data type.
In fact, many operating systems and applications can create this type of file, including:
Email clients
Image viewers
Word processors
Scanners
Archives
etc.
The key thing to realize about active data is that cyber criminals are often smart enough to delete the originals, but they sometimes forget to wipe the temporary files that get left behind by various software and operating systems.
These can contain residual data and traces of digital evidence that can be extracted and analyzed later on.
5. Metadata
Unlike the previous types of digital evidence we’ve discussed, metadata falls into the invisible data type category because it typically requires special software to be able to view it.
For instance, a photo file on a hard drive or storage media can contain additional data regarding the file’s creation such as where the photo was taken, otherwise known as EXIF data.
This data is attached to the file and reveals details such as:
Where the photo was taken
The time and date the photo was taken
What lens was used during the process
The camera’s model and brand
Color profile and space
and more.
Certain operating systems show part of it directly when you right-click the file and open its properties, but in general, special software is required to examine it fully.
The reason why any kind of metadata is such a valuable source of evidence is that not only does it contain information regarding when the data was created and last accessed (down to the exact second), but it also reveals who its owner is.
In a court of law, you can use this digital evidence to prove that a file was created on someone’s device and, if the context is right, that a certain individual is linked to or otherwise involved in a crime.
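As an added example (not code from the original article or from SalvationDATA), the following Python script shows what "invisible" metadata looks like at the byte level: it walks the JPEG marker segments, finds the APP1 Exif segment, reads the TIFF header to determine byte order, and extracts the ASCII tags Make, Model and DateTime from IFD0. The sample JPEG is constructed in code so the script runs offline; the tag numbers are the real EXIF/TIFF ones.

```python
import struct

# Tag numbers from the EXIF/TIFF specification (IFD0 ASCII tags shown here).
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software", 0x0132: "DateTime"}
ASCII = 2  # TIFF field type for NUL-terminated ASCII strings

def build_sample_jpeg(make: str, model: str, datetime: str) -> bytes:
    """Constructed sample: minimal JPEG with an Exif APP1 segment (little-endian TIFF)."""
    entries = [(0x010F, make), (0x0110, model), (0x0132, datetime)]
    n = len(entries)
    data_offset = 8 + 2 + 12 * n + 4  # header + count + entries + next-IFD pointer
    ifd, blob = struct.pack("<H", n), b""
    for tag, val in entries:
        v = val.encode("ascii") + b"\x00"
        if len(v) <= 4:  # values of 4 bytes or less are stored inline
            ifd += struct.pack("<HHI", tag, ASCII, len(v)) + v.ljust(4, b"\x00")
        else:            # longer values are stored at an offset from the TIFF header
            ifd += struct.pack("<HHII", tag, ASCII, len(v), data_offset + len(blob))
            blob += v
    ifd += struct.pack("<I", 0)  # no next IFD
    app1 = b"Exif\x00\x00" + b"II*\x00" + struct.pack("<I", 8) + ifd + blob
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def parse_tiff(t: bytes) -> dict:
    """Parse IFD0 of a TIFF block; offsets are relative to the TIFF header start."""
    end = {"II": "<", "MM": ">"}[t[:2].decode("ascii")]  # byte order mark
    magic, ifd0 = struct.unpack(end + "HI", t[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    count = struct.unpack(end + "H", t[ifd0:ifd0 + 2])[0]
    out = {}
    for i in range(count):
        off = ifd0 + 2 + 12 * i
        tag, typ, n, val = struct.unpack(end + "HHII", t[off:off + 12])
        if typ == ASCII:
            raw = t[off + 8:off + 8 + n] if n <= 4 else t[val:val + n]
            out[TAG_NAMES.get(tag, hex(tag))] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return out

def parse_exif(jpeg: bytes) -> dict:
    """Walk JPEG marker segments until the APP1 Exif segment (or start of scan)."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, seglen = struct.unpack(">HH", jpeg[pos:pos + 4])
        seg = jpeg[pos + 4:pos + 2 + seglen]
        if marker == 0xFFE1 and seg.startswith(b"Exif\x00\x00"):
            return parse_tiff(seg[6:])
        if marker == 0xFFDA:  # start of scan: no more header segments
            break
        pos += 2 + seglen
    return {}
```

EXIF DateTime values carry no timezone, so the examiner still has to establish the camera's clock setting before treating the timestamp as proof of when a photo was taken.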
6. Residual Data
Residual data is deleted or overwritten data that may contain digital evidence if successfully recovered. Since it’s not typically visible through a file browser, it’s classified as an invisible data type.
To understand the concept, you have to keep in mind that when someone deletes a file from a device, the data is still there – it’s just unlinked from the file structure itself so it doesn’t show up in a search or when viewing the contents of a hard drive or storage device through a file browser.
Note that every deleted file is at risk of being overwritten by other data, which is particularly true if the hard drive space is running out. That’s why it’s of paramount importance to act swiftly if you want to recover data that was deleted.
When it comes to recovering problematic data, DRS by SalvationDATA will not only detect all deleted, corrupted, or overwritten files on a device, HDD, or other storage unit but also employ cutting-edge retrieval techniques in a manner that is forensically sound and thus admissible in court. Since it works on every operating system, it’s law enforcement’s go-to tool for locating and retrieving various sources of digital evidence.
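To make the "unlinked but still on disk" point concrete, here is an added example (not from the original article or any vendor tool) of signature-based file carving in Python: a constructed disk image holds two JPEG-like files, only one of which has a directory entry, and the carver recovers both by scanning raw blocks for the JPEG start and end markers rather than consulting the file system.

```python
import struct

BLOCK = 512                      # sector size of the constructed image
SOI = b"\xff\xd8\xff"            # JPEG start-of-image plus the next marker prefix
EOI = b"\xff\xd9"                # JPEG end-of-image

def make_fake_jpeg(payload: bytes) -> bytes:
    """Constructed JPEG-like file: SOI, a JFIF APP0 segment, payload, EOI."""
    return SOI + b"\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + b"\x00" * 9 + payload + EOI

def build_image() -> bytes:
    """Constructed 4 KiB 'disk image': a live file in block 1, a deleted one in block 5."""
    img = bytearray(BLOCK * 8)
    live = make_fake_jpeg(b"live-file-data")
    deleted = make_fake_jpeg(b"deleted-but-still-on-disk")
    img[BLOCK * 1:BLOCK * 1 + len(live)] = live
    img[BLOCK * 5:BLOCK * 5 + len(deleted)] = deleted
    return bytes(img)

# Constructed directory: the file system only knows about the live file.
DIRECTORY = {"photo1.jpg": BLOCK * 1}

def carve_jpegs(image: bytes, max_size: int = BLOCK * 4) -> list:
    """Return (offset, bytes) for every SOI..EOI span found in the raw image."""
    found, pos = [], 0
    while True:
        start = image.find(SOI, pos)
        if start < 0:
            break
        end = image.find(EOI, start + len(SOI), start + max_size)
        if end < 0:               # no terminator within max_size: skip this header
            pos = start + 1
            continue
        found.append((start, image[start:end + 2]))
        pos = end + 2
    return found

def unlinked_hits(carved: list, directory: dict) -> list:
    """Carved files whose start offset has no directory entry: residual data."""
    known = set(directory.values())
    return [(off, data) for off, data in carved if off not in known]
```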
7. Volatile Data
Volatile data is the kind of data that is not being written to the disk itself, hence belonging to the invisible data type category. Some viruses, for example, don’t write themselves to the hard drive to leave minimal traces behind and avoid detection by antivirus software.
For obvious reasons, volatile data needs to be captured before the device is powered off; otherwise, it can be lost forever. To complicate matters further, even the act of launching a digital forensics tool and loading it into the device’s RAM changes the contents of the RAM, the very thing we’re trying to analyze.
This is why analyzing volatile data can be especially tricky and often requires forensic RAM imaging to preserve its contents in their original state.
8. Replicant Data
For the final entry on our digital evidence list, we have replicant data, another invisible data type.
On some occasions, various types of software or system processes will leave temporary backup files or directories behind to prevent the unfortunate scenario of losing data (for example, if the user forgets to save whatever they were working on and closes the program).
Examples include Photoshop’s temporary files and even temporary web cache files.
In a digital forensics investigation, examining replicant data can reveal crucial details such as what the suspect was most recently doing on a device.
In case the suspect tries to hide incriminating evidence by deleting the relevant files, replicant data can be retrieved and used as a source of evidence to prove their guilt.
Conclusion
Digital evidence comes in many shapes and forms. By knowing where to look for it and being able to present it in court, strong evidence can turn the legal tides of battle and either prove or disprove a suspect’s involvement in criminal activities.
With the right digital forensics tools, it’s possible to retrieve most if not all types of files, even if they have been overwritten, corrupted, or intentionally deleted, so be sure to have one on hand at all times.