Digital Evidence: The Key to Successful Investigations & Prosecutions

1. Introduction

Almost all crimes nowadays have some form of digital evidence associated to them. Digital evidence by its nature is very fluid and transient but the digital investigation takes a lot of time to complete. One small change in digital evidence can make the exhibit inadmissible in court and a case can be easily lost if digital evidence is not handled properly. Digital forensics investigators often face challenges to maintain the authenticity of the evidence. This paper will discuss about tools and techniques used to carry out digital investigations and highlight the problems and the importance of evidence preservation.

2. Digital evidence

(Casey 2004) defines digital evidence as any data stored or transmitted using a computer that supports or refutes a theory of how an offense occurred or that addresses critical elements of the offense such as intent or alibi. Essentially, digital evidence is any relevant information stored or processed by any digital media which helps to understand facts and reconstruct actions. In today’s world, digital evidence has become a needle in a haystack due to the amount of data people work with. The vastness of data however also means it is harder to destroy as there may be copies or associated information saved elsewhere, especially with cloud backups and IoT. Digital evidence can be categorized into two types according to its data retention characteristics when the power source is turned off; volatile and non-volatile. Volatile memory loses information when power is turned off whereas non-volatile memory does not. Volatile memory provides immediate information about the suspect’s actions. Examples of volatile and non-volatile memories are open ports, running programs, network connections, etc and registry data, login history, event logs, etc respectively.

3. Evidence collection

The evidence-collection process is crucial. Exhibition handling and data collection must be done in a legal manner for it to be admissible as evidence. ACPO's good practice guide explains that digital devices and media should not be seized just because they are present at the scene. There must be a warrant and a justifiable reason for the seizure. Digital devices that can have evidence include computers, laptops, hard disks, PCMCIA cards, USB memory sticks, PDAs, CDs/DVDs, mobile phones, sim cards, etc. The digital data evidence must be authentic and should be acquired with minimal cross-contamination. Data contamination may be unavoidable when capturing volatile data. When doing so, only trusted programs should be used, and the investigator must know its effect on the authenticity of data. The investigator should consider any unintentional changes to data prior to his/her arrival, whether it's natural like fire, rain, lightning, etc, or human-instigated by emergency personnel, victims, bystanders, etc. The investigator must be very careful when collecting digital evidence and should record as much details as possible. In order to aid the examiner during the collection phase items like labels, tapes, screwdrivers, cable ties, cameras, torches, latex gloves, tamperproof evidence bags, etc are helpful.

4. Evidence preservation

Evidence preservation is an intricate operation. The accuracy, authenticity, reliability, and completeness of exhibits are subject to expert scrutiny. According to the newspaper ‘The Guardian’ multiple cases were collapsed in 2018 due to the mishandling of digital evidence by Police in the UK. The evidence preservation starts at the crime scene and lasts until it is formally submitted.

4.1 Crime scene

Digital evidence must be immediately identified in the crime scene and should be protected from any form of modification. Then all connected devices, network connections, and other evidence should be labeled, documented, and photographed. Any volatile data may also be transferred it into non-volatile memory. Do not turn on devices, if devices are already on the record screen activity and turn it off following SOP. All evidence must be labeled, sealed, and carried in an appropriate medium such as; an isolation box for mobile phones.

4.2 Laboratory

The exhibits should be checked thoroughly before accepting. The data to be analyzed should be copied with write protect to a clean forensically wiped drive and hashing should be used for verification. The originals must be stored safely in a fireproof controlled environment. The access of the exhibits must meet British Forensics Regulator requirements, and every movement needs to be recorded. The hardware and software must be tested before the exhibits are connected.

4.3 Evidence preservation issues

Preservation of digital evidence and crime scene handling is a contentious problem. The authenticity of evidence may be questioned if volatile data is collected. Unintentional alteration might happen from human or natural factors involved. The vast amount of data can be difficult to store in forensic labs. Storage media can deteriorate over time and cause data to be corrupted. Cloud data are difficult to investigate.

5. Evidence analysis

The analysis of evidence is what uncovers facts. In this phase, data is extracted and artifacts are interpreted to create a report that proves or disproves allegations. Examining and analyzing digital evidence can be very difficult especially if the criminal is technically competent. Criminals often try to cover tracks after conducting a crime. An investigator’s job is to analyze evidence and expose any inculpatory and exculpatory facts. The investigator must also check for the authenticity of evidence and any signs of tampering. Analysis helps to identify, locate, extract hidden evidence, and create a timeline of events through that evidence. Every action taken must be detailly documented in order to survive expert scrutiny. One of the biggest problems for analysis is the amount of evidence to analyze. Criminals often use steganography, file carving, encryption, and passwords to hide information. Other problems such as time zone/clock drift an dynamic IP addresses also make it difficult to investigate.

5.1 Tools

The digital evidence is normally collected in raw format, the investigators require various software applications to be able to identify and locate evidence. Low-level data formats such as ASCII, HTML files, Network packets, source codes, windows registry, etc can be abstracted using software tools. There are many commercial and open-source tools available for digital evidence analysis however only legally approved and generally accepted tools should be used. A tool must be usable, accurate, comprehensive, deterministic, and verifiable. Some of the tools available for forensic analysis are the following:

1. EnCase; mostly used for recovering evidence
2. FTK; developed by AccessData, is used for imaging and analysis
3. Autopsy; opensource forensic tool with various features
4. memfetch; used to acquire RAM
5. mboxgrep; used for Linux systems
6. Rootkit Hunter; finds backdoors, rootkits, and sniffers
7. Pasco; analyses browsing history
8. Write Protect; changes the data to read-only
9. Foremost; recovers files with tampered extensions

Other similar tools include; The Sleuth kit, Volatility, HxD, CAINE, SIFT, Plain Sight, DEFT, etc.

6. Conclusion and recommendation

Digital forensics investigation is a delicate process. All steps during a digital forensic investigation process are equally important and they must be performed conscientiously. Every effort should be made to retain the authenticity of the evidence throughout the process. The investigator should only carry out an examination on backup data and original data must be stored safely. When analyzing exhibits the investigator should look for inculpatory and exculpatory evidence with an open mind. Any tools used should be legally approved and no errors should be introduced by bugs in the tools.