What Is Digital Evidence?

Knowledge
2022-01-04

To understand digital evidence, start with the term itself, which has two parts: digital and evidence.

  • Digital: Computers and other electronic devices that store and process information as binary digits (zeros and ones) are called digital devices; this includes most of the electronic devices we use today.
  • Evidence: This part of the term is rooted in the classic legal definition of evidence: the traces of interactions between persons, items, or objects. Every activity in the real world leaves traces or prints.

So do the activities performed in the digital world, where digital evidence consists of those digital footprints that have investigative value: prints that can help a court or jury reach the truth.

It is important to note that not every piece of digital information found during an investigation is digital evidence. Digital evidence is information that helps establish that a crime has been committed, or that establishes links between the crime, the victim, and the culprit.

Admissibility of Digital Evidence

Every legal jurisdiction has its own rules for the admissibility of digital evidence, and it is imperative that you comply with those rules. In the United States, for example, the Federal Rules of Evidence (FRE) and Federal Rules of Procedure (FRCP) describe the rules of evidence admissibility, and many states have adopted these rules with slight changes. In light of the FRE and FRCP, the following two conditions must be met for evidence to be admissible.

Relevant

The evidence must be relevant to any party’s claim or defense, which means that it should make a particular fact of importance either certain or clearer. It is worthwhile to remember that evidence is relevant if it leads to the discovery of other admissible evidence, even if the evidence itself does not make facts certain or clearer.

Relevant but Inadmissible

Evidence obtained through illegal means and privileged evidence are not admissible in a court of law even if they are relevant. Thus, make sure to follow all legal requirements when seizing digital evidence.
Privileged evidence is usually not admissible unless a court order or an exception regards it as admissible. The following are some examples of privileged evidence (Palazzetti Import/Export, Inc. v. Morson, 2000).

  • Communication between a husband and wife
  • Communication between attorney and client
  • Communication between a doctor and patient
  • Communication between clergy and parishioners
  • Other protected relationships

Authentic

Evidence is only admissible if its authenticity can be proved. For digital evidence, authenticity often depends on the opinion of digital forensics experts, so it is important to preserve the original evidence without changes. If the original evidence cannot be produced in court, the expert must explain the technical limitations and the changes that occurred because of those limitations.


Keeping the Inadmissible Digital Evidence
It is highly advisable to keep digital evidence even if it does not seem admissible in a court of law, as this evidence might lead to other admissible evidence.

Digital Evidence Handling Guidelines

It is the duty of the investigator in charge to follow forensically sound practices to handle digital evidence and protect its integrity so that it remains admissible in the court of law.

Laws and guidelines regarding the handling of digital evidence are evolving, and digital forensics investigators must stay updated. As a rule, perform only those actions that are within your technical abilities and process your investigation in cooperation with the digital forensics lab in your department; this not only improves efficiency and accuracy but also reduces the risk of the evidence being ruled inadmissible.

The following process to handle digital evidence in a forensically sound manner will help you keep its integrity and admissibility. (Please note that if there are any particular digital evidence handling guidelines by your department or the courts in your jurisdiction, you must follow them as well.)

Preparation: Planning to Collect

Since digital devices retain the digital footprints of their users, it is highly advisable for today’s investigators to be prepared to handle digital evidence at all times.

  • Think about the possible availability of digital evidence
  • Make preparations beforehand to handle the evidence
  • Obtain the evidence in a lawful manner

In most cases, a court order is sufficient to obtain digital evidence, but make sure that the court order mentions all devices and data needed to aid the investigation. Any device or data not mentioned risks being ruled inadmissible. In cases where digital evidence is likely to play a key role, you might consider covert entry or property interference, and you need to obtain legal authorization for that as well.

Moreover, the investigation team should hold a preparatory meeting in which members from different specialties discuss the case and their roles. Use it to obtain as much information about the case as possible: understanding the background of the investigation helps you not only foresee the types of digital devices you are likely to find, but also make pre-search preparations to handle the evidence.

The following are some items to include in your digital forensic kit.

  • Authorization to seize all relevant devices
  • Faraday bag to store mobile digital devices and block their network access
  • A laptop with required digital forensic tools installed
  • Storage devices like portable hard disks
  • Bootable media (USB drive or CD/DVD)
  • Mobile phone signal jammers
  • Digital cameras to take pictures of the digital devices and their set-up
  • Notebook, pen, and color markers to note down the details and label the evidence
  • Evidence boxes, envelopes, and labels
  • Screwdriver set

Identification: Possible Sources

There is a myriad of digital devices, and growing technologies such as the IoT (Internet of Things) promise to make almost all devices capable of storing digital evidence. Thus, it is important for an investigator to stay updated on the possible sources of digital evidence.

The following are some common devices that might contain relevant digital evidence.

  • Phones
  • Tablet devices
  • Computers (Desktop & Laptops) – Data & Database
  • Digital cameras
  • Gaming consoles
  • Security and other cameras and their storage (CCTV – DVR / NVR)
  • Wearables, televisions, and other IoT devices
  • Network equipment including modems and adapters
  • Printers
  • Network storage devices
  • Non-digital evidence related to the digital evidence (notebooks, sticky notes, pieces of paper, printouts)

Hidden Cameras
Some criminals use hidden cameras to record their illicit activities, and that can prove a deciding factor in front of a jury. Always make a thorough search for hidden cameras, mics, and other such devices.

Collection and Acquisition

Forensically sound evidence collection methods that apply to non-digital evidence apply to digital devices as well. Digital devices can contain fingerprints, bloodstains, or DNA. However, there are additional considerations to collect digital evidence. When collecting digital evidence, pay close attention to the following points.

  • If the device is turned on, do not turn it off. Check it for the presence of local or remote data deletion and encryption programs.
  • If the device is unlocked, disable the screen and any other locking mechanisms. If appropriate, obtain passwords of the devices and applications.
  • In most cases, it is advisable to disconnect the device from the network. Depending on the nature of the evidence, however, you might need to preserve the network connections or take notes before disconnecting.
  • If the device is turned off, do not turn it on. If appropriate, obtain passwords of the devices and applications.
  • Document the original state of the devices and all actions taken during the collection process.

Storage and Preservation

In most aspects, the storage of digital devices is similar to other objects, but digital devices have some additional storage considerations.

The following is a list of major considerations associated with digital evidence storage.

  • Label all digital evidence and make an inventory
  • Use Faraday bags to block radio signals and disconnect mobile devices from the network without powering them off
  • Use chargers for powered on devices to preserve their power state
  • Do not expose digital devices to magnetic fields. Keep the devices away from any equipment that might affect them in any way

Handling and Analysis

Keeping integrity should be your prime objective while handling digital evidence. Whenever possible, data analysis should not be performed on the original device. Instead, a copy, also called an image, should be created and analyzed by using digital forensics analysis tools while keeping the original device as unchanged as possible.

The United Nations Office on Drugs and Crime (UNODC) has described four broad types of analyses that can be performed on digital devices.

  • Time-frame analysis to create a timeline of actions and events
  • Ownership analysis to determine the ownership of devices as well as of the data on the devices
  • File and app analysis to determine the apps installed on the device and contents of files
  • Data hiding analysis to find out if there is hidden data on the device

Reporting

Depending on your role in the investigation, you might need to defend what you write in your report. Thus, you must describe your interaction with the digital evidence, including the following.

  • The chain of custody, with details of the custody, control, and transfer of the digital evidence
  • Every step taken to preserve the integrity of the digital evidence
  • The method and tools used to acquire the digital evidence
  • Notes, pictures, videos, and other material that prove the digital evidence has been handled in a forensically sound manner
  • The results and findings of your digital evidence analysis

Throughout, the following three principles should guide every interaction with the evidence.

  1. Do not take any action that changes digital evidence on the source device.
  2. Only trained persons should access the digital evidence from the source device, and they should be able to justify the relevance and implication of their actions.
  3. An audit trail should be maintained with a record of all applied processes. An independent third party should be able to examine those processes and produce the same results.

(ACPO's three principles of digital evidence)
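
The imaging, integrity verification, and audit-trail practice described in the Handling and Analysis and Reporting sections, as an added example that is not part of the original article: a constructed byte string stands in for a seized device, the working copy is hashed at acquisition, every action and custody transfer is logged, and an independent party can re-run verify() to reproduce the result. The function names, record fields, and tool labels are assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for a seized device's storage (4 KiB of deterministic bytes);
# it is sample data for this example, not real evidence.
SAMPLE_IMAGE = bytes(range(256)) * 16

def sha256_hex(data: bytes) -> str:
    """Digest of the evidence bytes; a third party recomputes it to repeat the check."""
    return hashlib.sha256(data).hexdigest()

def log_step(record: dict, examiner: str, action: str, tool: str) -> None:
    """Append one audit-trail entry so every applied process is on record."""
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    record["audit_trail"].append({"at": stamp, "by": examiner, "action": action, "tool": tool})

def acquire(source: bytes, examiner: str, item_id: str):
    """Create the working copy (image) and open the chain-of-custody record.
    The source is only read, never written, so nothing on it is changed."""
    image = bytes(source)
    record = {
        "item_id": item_id,
        "custodian": examiner,
        "source_sha256": sha256_hex(source),
        "image_sha256": sha256_hex(image),
        "audit_trail": [],
    }
    log_step(record, examiner, "acquire image", "hashlib sha256 (assumed tool name)")
    return image, record

def transfer(record: dict, new_custodian: str) -> None:
    """Document a change of custody, control, or transfer of the item."""
    log_step(record, record["custodian"], "transfer to " + new_custodian, "manual")
    record["custodian"] = new_custodian

def verify(image: bytes, record: dict) -> bool:
    """Independent check: the copy still hashes to the recorded value, and that value
    matched the source at acquisition, so analysis ran on a faithful copy."""
    return (sha256_hex(image) == record["image_sha256"]
            and record["image_sha256"] == record["source_sha256"])

if __name__ == "__main__":
    img, rec = acquire(SAMPLE_IMAGE, "Examiner A", "ITEM-001")
    transfer(rec, "Examiner B")
    log_step(rec, "Examiner B", "time-frame analysis", "constructed timeline tool")
    altered = bytearray(img)
    altered[0] ^= 0xFF  # one changed byte on a copy is enough to fail verification
    print("copy verified:", verify(img, rec), "| altered copy:", verify(bytes(altered), rec))
    print(json.dumps(rec, indent=2))
```

The printed record is the kind of material the report should carry: hashes, custodians, and a timestamped list of every process applied.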

Cloud Computing and Digital Evidence

Most modern digital devices are connected to the internet and store some of their data in the cloud. The cloud is an infrastructure of computers that offers storage and other computing services to its customers. Apple and Google are two popular and relevant examples of cloud storage providers: almost all Apple mobile devices store some of their data on Apple’s cloud servers, while Android devices store some of their data on Google’s cloud servers.

Cloud computing offers extra challenges as well as opportunities to digital forensic investigators.

On the one hand, it is considerably harder, and often impossible, to take physical possession of cloud storage. On the other hand, it is often harder to erase data and activity tracks from the cloud as compared to the local storage. Thus, an experienced and resourceful digital forensics investigator might be able to retrieve data from the cloud that has been deleted from the device.

Today’s digital forensics investigators must be aware of the cloud computing options and use them to their advantage wherever possible.

In this regard, it is worth gaining a basic understanding of database forensics before you dive deeper into cloud computing as a source of digital evidence.

Summary

Information stored on digital devices that can help uncover the truth and establish facts is considered digital evidence. Digital evidence is abundant and powerful, but the ease with which it can be changed makes it fragile and vulnerable to claims of error, alteration, and fabrication.

Thus, it is necessary to handle digital evidence in a forensically sound manner to keep it admissible in a court of law and to give it the most weight.