Digital devices surround our world in 2021. The immediate thought we get of a digital device is a computer, mobile phone, or internet. But the rise of IoT has made every electronic device a source of digital evidence. For instance, a built-in TV can be used to store, view, and share illegal images. Digital forensics experts, who are the first responders in this case, need to recognize and be able to properly seize every potential digital device for evidence.
If you are keen on a career as a forensic investigator to serve your community and help solve crimes, this blog will serve as your introduction to collecting digital evidence, along with the best path forward to pursue a calling in this exciting field.
What Is Digital Evidence?
Digital evidence can be defined as the information or valuable data stored on a computer or a mobile device that was seized by a law enforcement organization as part of a criminal investigation.
Digital evidence is commonly associated with e-crime (Electronic Crime), such as credit card fraud or child pornography. The information stored or transmitted in binary form on a computer hard drive, a mobile phone, or any other electronic device can be used as digital evidence by the forensic responders in a court of law. This evidence can include files on emails or mobile phones of the suspects, which could be critical to track their intent and location at the time of the crime and the searches they made on search platforms like Google or YouTube.
The types of evidence that a digital forensic examiner must consider are:
- Analogical Evidence
This kind of evidence can only be useful for increasing credibility by drawing parallels when there isn’t enough information to prove something in a workplace investigation, but it cannot be produced as evidence in a court of law.
- Anecdotal Evidence
This type of evidence can only be used to get a better picture of an issue and to support a particular conclusion, but cannot be used in court as evidence.
- Circumstantial Evidence
This type of evidence is used to infer something based on a series of facts. It can be used in criminal investigations to separate facts from other facts that can be proven when no strong evidence is considered.
- Character Evidence
This is a document or testimony that can help prove that the actions were taken in a particular way based on another person’s character. It can be used to prove intent, motive, or opportunity.
- Digital Evidence
Digital evidence can be any sort of digital file from an electronic source. This includes email, text messages, instant messages, files and documents extracted from hard drives, electronic financial transactions, audio files, and video files.
- Demonstrative Evidence
A document or an object which demonstrates a fact can be considered as demonstrative evidence.
- Documentary Evidence
This covers written forms of evidence such as letters or wills, as well as documentary forms of media evidence such as images, audio recordings, or video formats.
- Direct Evidence
The testimony of a witness who can give a first-hand account of the incident is the most powerful type of evidence.
- Exculpatory Evidence
Law enforcement personnel can disclose to the defendant any exculpatory evidence that they think can help the case get dismissed.
- Forensic Evidence
Scientific evidence such as DNA, fingerprints, trace evidence, and ballistic reports comes under forensic evidence, providing solid proof for a person’s guilt or innocence.
- Testimonial Evidence
Spoken or written evidence given by a witness forms the most common type of evidence.
What Are the Types of Digital Evidence?
There are basically two types of digital evidence:
- Volatile, which is non-persistent: Memory that loses its content once the power is turned off, such as data stored in RAM (semiconductor storage).
- Non-volatile, which is persistent: No change in content even if the power is turned off. For example, data stored on a tape, hard drive, CD/DVD, or ROM.
Digital evidence can be found on any server or device that stores data, including some new home gadgets such as video game consoles, GPS sports watches, and internet-enabled devices used in home automation. Digital evidence is often found through internet searches using open-source intelligence (OSINT).
Digital evidence encompasses any sort of digital file from an electronic device. This includes email, text messages, instant messages, files and documents extracted from hard drives, electronic financial transactions, audio files, and video files.
The five rules of gathering digital evidence are that it must be admissible, authentic, complete, reliable, and believable.
How to Perform Digital Evidence Acquisition and Analysis?
Digital evidence collection essentially involves a 3-step sequential process:
- Seizing the available electronic media.
- Acquiring and creating a forensic image of the electronic media for examination.
- Analyzing the forensic image of the original media. This ensures that the original media is not modified during analysis and helps preserve the probative value of the evidence.
Large-capacity electronic devices seized as evidence in a criminal investigation, such as computer hard drives and external drives, may be 1 terabyte (TB) or larger. This is equivalent to about 17,000 hours of compressed recorded audio. Today, media can be acquired forensically at approximately 1.5 gigabytes (GB) per minute. The forensically acquired media is stored in a RAW image format, which results in a bit-for-bit copy of the data contained in the original media without any additions or deletions, even for the portions of the media that do not contain data.
Examples of Digital Evidence
These are the kinds of digital evidence that a court of law considers and allows the use of:
- Digital photographs
- ATM transaction logs
- Word processing documents
- Instant message history
- Accounting files
- Internet browser history
- Contents of computer memory
- Computer backups & printouts
- GPS Tracks
- Digital video
- Audio files
Challenges of Digital Evidence
Collecting digital evidence requires a different kind of skill set than those required for gathering physical evidence. There are many methods for extracting digital evidence from various devices, and these methods, as well as the devices on which the evidence is stored, change rapidly. Investigators need to either develop specific technical expertise or rely on experts to do the extraction for them.
Preserving digital evidence is also challenging because, unlike physical evidence, it can be altered or deleted remotely. Investigators need to be able to authenticate the evidence and provide documentation to prove its integrity.
How to Get Certified in Forensic Science
Now that you’ve explored the intriguing facets of digital evidence, you might be itching to join the digital forensics industry and start solving crimes. While there are many paths that can help you arrive at your destination, a sure-shot one is EC-Council’s Computer Hacking Forensic Investigator (CHFI) certification, which emphasizes the various stages of collecting digital evidence — identification, collection, acquisition, and preservation. The training program takes you through the various tools, analytical techniques, and procedures involved in the process. Visit EC-Council today to learn more!