Digital Evidence
Computers and mobile devices have become an integral part of our lives. We depend on mobile devices and computer systems that store large amounts of data such as email addresses, contact details, pictures, financial details, videos, Internet history and phone numbers. All of this can reveal people's habits and interests, and can be considered digital evidence.
Digital evidence refers to any useful information collected from an electronic device that can reveal the truth about a crime and can be used in a court of law. It can be collected from the computer used to commit the crime.
During an investigation, we need to collect, preserve and analyze computer hard drives, removable media such as USB drives and, if needed, mobile devices. Apart from the data stored on disks and media devices, every running computer is a storehouse of data located in its main memory, or Random Access Memory (RAM). Some data that cannot be found on the disks of a computer system can be found in RAM, but this is only possible while the system is running, i.e. the system has not been turned off after completing a task or storing files: RAM is volatile and holds data only while the system is powered on, and once the system is powered off the contents of RAM are lost. The information found in memory may include usernames and passwords, encryption keys, unencrypted data, unsaved documents and other critical evidence, and it can provide details about the user's activity. The process of capturing data from RAM while the system is powered on is termed live acquisition of data.
Sources of Digital Evidence:
- Internet
Evidence obtained from the Internet includes information collected from website communications, emails, message boards, chat rooms, file sharing networks and intercepted communications. Message boards and chat rooms contain mountains of information, both in real time and in archives. Though sources may easily be tracked and identified, the Internet poses many more problems today. The culprits may be outside the jurisdiction of the courts. Also, some websites are designed for user anonymity, making identification of culprits more difficult.
- Computers
Computers are a repository of information, with evidence obtained using special extraction methods. Though the information may overlap with Internet sources, computers provide many unique and notable pieces of evidence including timestamps, IP addresses, information about VPNs and MAC addresses.
- Portable Devices
These include information sourced from cell phones, tablets and other handheld devices or gadgets. Because of society's dependency on portable devices, these have become the lead source of digital evidence in many court cases.
Some other sources of Digital Evidence are:
- Smartphones / Tablets
- Laptops
- CCTV & Surveillance systems
- GPS devices
- Media devices – pen drives, CDs, DVDs, external hard disks.
Importance of Digital Evidence:
Digital evidence is now used to prosecute all types of crimes, not just e-crime. For example, a suspect's e-mail or mobile phone files might contain critical evidence regarding their intent, their whereabouts at the time of a crime and their relationship with other suspects. In 2005, for example, a floppy disk led investigators to the BTK serial killer, who had eluded police capture since 1974 and claimed the lives of at least 10 victims. In an effort to fight e-crime and to collect relevant digital evidence for all crimes, law enforcement agencies are incorporating the collection and analysis of digital evidence, also known as computer forensics, into their infrastructure. Law enforcement agencies are challenged by the need to train officers to collect digital evidence and to keep up with rapidly evolving technologies such as computer operating systems.
Properties of Digital Evidence:
- Admissible – The evidence must be able to be used in court or otherwise. Failure to comply with this rule is equivalent to not collecting the evidence in the first place, except the cost is higher.
- Authentic – If you can’t tie the evidence positively with the incident, you can’t use it to prove anything. You must be able to show that the evidence relates to the incident in a relevant way.
- Complete – It’s not enough to collect evidence that just shows one perspective of the incident. Not only should you collect evidence that can prove the attacker’s actions, but also evidence that could prove their innocence. For instance, if you can show the attacker was logged in at the time of the incident, you also need to show who else was logged in, and why you think they didn’t do it.
- Reliable – The evidence you collect must be reliable. Your evidence collection and analysis procedures must not cast doubt on the evidence's authenticity and veracity.
- Believable – The evidence you present should be clearly understandable and believable by a jury. There’s no point presenting a binary dump of process memory if the jury has no idea what it all means. Similarly, if you present them with a formatted, human-understandable version, you must be able to show the relationship to the original binary, otherwise there’s no way for the jury to know whether you’ve faked it.
Pros of Digital Evidence:
- A copy of the original evidence can be created with secure software without tampering with the original, so analysis is performed on the copy.
- The integrity of digital evidence can be maintained and demonstrated.
Cons of Digital Evidence:
- Digital evidence can be manipulated or changed easily if it is not preserved correctly and competently.
- Privacy invasion – while a system is being examined, all of the user's data is accessible and could be misused.
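The two points above (working on a copy, and the ease with which an unpreserved copy can be altered) are usually handled in practice by hashing. The following added example, written for this page rather than taken from it, acquires a working copy of a constructed sample evidence file, records SHA-256 hashes of the original and the copy, and then shows that a single-byte change to the copy is detected on re-verification; all file names and the sample contents are constructed.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so that large disk images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquire_copy(original: str, working_copy: str) -> dict:
    """Copy the original, hash both, and return a custody record for the acquisition."""
    original_hash = sha256_file(original)
    shutil.copyfile(original, working_copy)
    copy_hash = sha256_file(working_copy)
    return {
        "original": original,
        "copy": working_copy,
        "sha256_original": original_hash,
        "sha256_copy": copy_hash,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "verified": original_hash == copy_hash,  # copy is bit-for-bit identical
    }


def verify_integrity(path: str, record: dict) -> bool:
    """Re-hash a file later (e.g. before analysis or court) and compare with the record."""
    return sha256_file(path) == record["sha256_original"]


def demo() -> dict:
    """Constructed scenario: acquire a copy, verify it, tamper with one byte, verify again."""
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "evidence.img")        # constructed sample file
    copy = os.path.join(workdir, "evidence_copy.img")
    with open(original, "wb") as f:
        f.write(b"constructed sample evidence image contents\n" * 100)
    record = acquire_copy(original, copy)
    before = verify_integrity(copy, record)
    with open(copy, "r+b") as f:  # simulate an unnoticed one-byte change to the working copy
        f.seek(10)
        f.write(b"X")
    after = verify_integrity(copy, record)
    shutil.rmtree(workdir)
    return {"verified_at_acquisition": record["verified"],
            "verified_before_change": before,
            "verified_after_change": after}
```

Recording the hash in the custody record is what lets an examiner later show that a human-readable report was derived from the same unaltered image that was originally seized.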
Conclusion:
The domain of computer forensics has grown considerably in the last decade. Electronic devices are used extensively, which increases the potential for finding digital evidence on a device whenever it is needed. Several tools and techniques are used to search and analyze devices, which is why digital evidence is helpful to a great extent in solving cybercrimes.