Digital Forensics

February 27, 2018

The field of digital forensics has grown rapidly in recent years due to our society's growing use of and dependence on electronics and new technologies. Identity theft and cyber-attacks against individuals, companies and even government agencies are common occurrences. Electronic crimes have created new challenges for law enforcement, and information technology specialists are being called upon to lend their expertise in the field of computer forensics. Electronic evidence is both difficult to detect and quite fragile, which is why special investigative techniques must be employed by those who are skilled in this area.

Many crime scenes contain some type of electronic evidence these days, even if it is not obvious at first. Most people have a cell phone, tablet or some type of Global Positioning System (GPS) device. These types of devices can have valuable evidence about an individual’s whereabouts or recent movements leading up to a crime. Additionally, computers, emails and a person’s Internet search history can be very useful for investigators. When law enforcement or first responders arrive at a crime scene, this type of potential electronic evidence must be preserved just like actual physical evidence as it could prove to be just as important. Digital evidence can be missed or destroyed before computer forensics experts can process it if it is not handled properly from the initial discovery and collection.

Electronic equipment and the information it contains can be very valuable to a criminal investigation, and there are some special procedures and handling techniques that should be used in order to ensure the information is not compromised. First, searching and seizing of electronic evidence must be done with a valid search warrant, as expected when recovering other types of physical evidence as well. The evidence should also be protected by ensuring that any devices carried by law enforcement that transmit data via Wi-Fi or Bluetooth are disabled. Before the electronic equipment is transferred to a lab for forensic processing, photographs should be taken of the setup in order to replicate it in the lab. Any tests or searches of the electronic evidence should be performed on a duplicate of the hard drive to preserve the original evidence. This will also help to prevent any data integrity questions that could be raised in court by the defense team.

Additionally, fingerprint or DNA collection should be done after the duplicate has been created, and the electronic equipment should be stored in a cool environment without magnetic or electrical interference to ensure data is not lost in storage.

Since electronic evidence is still relatively new, there are some legal issues about its use in court that have been raised in recent years. Specifically, as digital evidence is used more frequently, the courts have been more critical of the data’s integrity. A review of recent cases involving digital forensic evidence showed that 24 of 100 cases had the decision reversed in light of appeals due to issues surrounding the search and seizure or data analysis of electronic evidence (Cole, Gupta, Gurugubelli, and Rogers, 2015).

In order to avoid some of these potential legal issues, it is important that search warrants are written to include electronic evidence to avoid a defendant claiming that his or her privacy as guaranteed by the Fourth Amendment was violated. Secondly, forensic experts must be able to establish a clear chain of custody for digital evidence and ensure it is well documented. The chain of custody should include a description of the evidence, how it was collected, and who was in possession of it at all times from collection to presentation in court. They should also be able to prove that the data has not been compromised in any way during collection, transport, processing or storage of the materials. Information technology experts are frequently used to attest to the integrity of the data for the court.
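The two practices described above, working only on a duplicate of the original drive and keeping a documented chain of custody, can be tied together with cryptographic hashes. The following is an added example, not part of the original article: each custody entry records the description, action, custodian and the SHA-256 of the evidence image, and links to the previous entry's hash so that a later edit to any record is detectable. All names, timestamps and the sample image bytes are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash used by the first entry in a log

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_digest(entry: dict) -> str:
    # Canonical JSON (sorted keys) so the same record always hashes identically.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def add_entry(log, description, action, custodian, timestamp, image: bytes):
    # Record what the evidence is, what was done, who held it, and its hash.
    entry = {
        "description": description, "action": action,
        "custodian": custodian, "timestamp": timestamp,
        "evidence_sha256": sha256_hex(image),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = entry_digest(entry)
    log.append(entry)

def verify_log(log) -> list:
    """Return a list of problems; an empty list means the record is consistent."""
    problems, prev = [], GENESIS
    baseline = log[0]["evidence_sha256"] if log else None
    for i, e in enumerate(log):
        if e["prev_hash"] != prev:
            problems.append(f"entry {i}: broken link to previous entry")
        if entry_digest(e) != e["entry_hash"]:
            problems.append(f"entry {i}: record altered after it was written")
        if e["evidence_sha256"] != baseline:
            problems.append(f"entry {i}: evidence hash differs from collection")
        prev = e["entry_hash"]
    return problems

def build_sample_log():
    # Constructed sample: a few bytes stand in for a full disk image.
    original = b"constructed sample bytes standing in for a disk image"
    duplicate = bytes(original)  # bit-for-bit working copy used for analysis
    log = []
    add_entry(log, "Laptop HDD, item 1", "collected at scene", "Officer A", "2018-01-01T09:00Z", original)
    add_entry(log, "Laptop HDD, item 1", "duplicate created", "Examiner B", "2018-01-01T13:30Z", duplicate)
    add_entry(log, "Laptop HDD, item 1", "analysis on duplicate", "Examiner B", "2018-01-02T10:00Z", duplicate)
    return log
```

Someone able to rewrite the entire log could recompute every link, so the most recent entry hash should also be recorded somewhere the custodians cannot alter, such as a signed report or a second agency's records.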

In addition to electronic evidence collected at physical crime scenes, some crimes are strictly digital in nature and all of the evidence is electronic. Computers can be used as an instrument in many criminal activities, including the following: software piracy, fraud, stalking or harassment, identity theft, extortion, theft of intellectual property, malicious code or viral attacks and terrorism. The terrorist group ISIS has been known to use websites and social media to recruit new members, and these activities all leave a digital footprint that can be used to track down terrorists or prevent an attack of some kind.

Cybercrimes present many unique challenges for law enforcement. There is usually not a traditional crime scene, and it can be very difficult to determine where the attack originated as there is some degree of anonymity guaranteed to cyber criminals, especially those who are very skilled in coding, encryption and steganography. Many federal and state law enforcement agencies have had to hire information technology experts and create specialized cyber divisions in recent years. Computer forensic scientists will continue to be in high demand as our world becomes increasingly digitized, and the collection of electronic data and the preservation of its information are of critical value to many criminal investigations.

-Contributed by Robin Turner


Cole, K.A., Gupta, S., Gurugubelli, D., & Rogers, M.K. (2015). A review of recent case law related to digital forensics: The current issues. Annual ADFSL Conference on Digital Forensics, Security and Law, 2, 95-104.