Digital Evidence

What is it and How is it Collected?

Dawn Barler
Digital evidence can take the form of photographs, videos, text, programs, and internet activities such as email, instant messaging, or web surfing. Digital evidence is any form of electronic data that is stored as bits and bytes on magnetic or other electronic media. This evidence can be found on a number of devices including, but not limited to, personal computers, CDs, DVDs, Zip drives, memory sticks, thumb drives, PDAs, cell phones, Blackberries, pagers, etc. (Knetzger & Muraski, 2008)

One problem with the recovery of digital evidence is that it is very fragile and easily lost or destroyed. Data can be lost due to heat, magnetic fields, moisture, physical damage from a drop, static electricity, etc. Even the radio signals of a police radio can damage evidence. There is also the risk that the suspect has set up a program to destroy or move evidence while law enforcement is examining it. In addition, different devices run on their own technology, which can sometimes require law enforcement to obtain programs from manufacturers to even examine the device. Finally, as with pagers, some data can be destroyed and replaced very quickly, so law enforcement must be careful to document everything right away. (Knetzger & Muraski, 2008)

When the officer first arrives, he or she should photograph the scene, starting outside the house and working in to tight images of the various components of the system. It is important that the suspect be kept away from the computer, because there are one-key programs designed to destroy data with a single keystroke. (Knetzger & Muraski, 2008)

Next, the officer should check the system for an internet or network connection. This connection should be documented, the wire tagged, and then disconnected. This prevents data from being moved to a different system. (Knetzger & Muraski, 2008)

Labels should be applied to all components of the system as well as to attached devices, and photographs should be taken of the system with the labels present. All empty ports should be labeled as empty or not in use. (Knetzger & Muraski, 2008)

Once the computer has been photographed, documented, and labeled, the officer should unplug the power from the back of the tower and then begin to dismantle the system. All parts of the system should be placed in antistatic bubble wrap or plastic film bags. Serial numbers of the individual parts should be recorded, and each part should be logged as a separate evidence exhibit. (Knetzger & Muraski, 2008)

Once this is done, the system is ready for transport. When placing the system in a patrol car, it should be placed as far away from the police radio and other radio equipment as possible. If available, a separate van should be used, and perhaps dedicated to the moving of such equipment. (Knetzger & Muraski, 2008)

The system should be stored in a dry, cool, locked room. To preserve the chain of evidence, the room should be accessible only to required personnel. (Knetzger & Muraski, 2008)

The forensic team will then make clones of the hard drives after attaching a write blocker to them that prevents any data from being written to the drive. The clones and the original are then compared to determine whether they are really exact copies; this is done by computing and comparing their MD5 hash values. The original is kept safe and all work is done on the clones. (Knetzger & Muraski, 2008)
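The hash comparison described above, as an added example that is not part of the original article or the cited book: the script hashes an image file in chunks (so a multi-gigabyte image never has to fit in memory), compares the original and the clone, and reports a mismatch if even one byte differs. It computes SHA-256 alongside the MD5 the text mentions, since current practice records both; the file names and the 3 MiB "drive image" are constructed for the demo.

```python
import hashlib
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # hash large images 1 MiB at a time instead of loading them whole


def hash_image(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for the file at path, computed in a single pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_clone(original_path, clone_path):
    """Compare original and clone digest by digest.

    Returns (all_match, details); details maps each algorithm to
    (original_digest, clone_digest, matched) for the examiner's notes.
    """
    orig = hash_image(original_path)
    clone = hash_image(clone_path)
    details = {name: (orig[name], clone[name], orig[name] == clone[name]) for name in orig}
    return all(matched for _, _, matched in details.values()), details


def demo():
    """Constructed sample: a 3 MiB 'image', an exact clone, and a clone with one flipped bit."""
    data = bytes(range(256)) * (3 * 1024 * 4)  # 3 MiB of repeating bytes, not a real disk
    tampered = bytearray(data)
    tampered[1_500_000] ^= 0x01  # a single-bit change buried in the middle of the clone
    with tempfile.TemporaryDirectory() as tmp:
        paths = {}
        for name, content in (("original.dd", data), ("clone.dd", data),
                              ("bad_clone.dd", bytes(tampered))):
            paths[name] = os.path.join(tmp, name)
            with open(paths[name], "wb") as fh:
                fh.write(content)
        good, _ = verify_clone(paths["original.dd"], paths["clone.dd"])
        bad, _ = verify_clone(paths["original.dd"], paths["bad_clone.dd"])
    return good, bad  # (True, False)


if __name__ == "__main__":
    print(demo())
```

Record the digests from `verify_clone` in the evidence log at the time of imaging, so a later re-hash of the original can show it was never altered.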

The specialist will then run forensic software on the clone that indexes and analyzes the data, which allows for easier examination by the specialist. This completes the process of seizure, transport, and examination. (Knetzger & Muraski, 2008)


References

Knetzger, M. & Muraski, J. (2008). Investigating High-Tech Crime. New Jersey, US: Prentice Hall.

Published by Dawn Barler

